内核枚举进程总结_C/C++技术分享_看流星社区 www.kanliuxing.com

374919318 发表于 2017-6-1 13:32:52

内核枚举进程总结

我知道的有三种方法
这里的第三种和第二种是一样的隐藏进程也可以在这么做手脚
但需要注意多线程,在操作前,理应加锁
可以参考这篇文章
41813747

1.暴力枚举进程通过PsLookupProcessByProcessId获得EPROCESS
第一个参数我们使用循环填入0~65535
for (ULONG i = 0; i < 65535; i += 4)
{
SearchProcessPID(i);
}
return STATUS_SUCCESS;

2.通过ZwQuerySystemInformation

3.通过进程活动连来枚举

代码如下：

#include "ntddk.h"

typedef struct_PROCESS_INFO
{
ULONG_PTR eprocess;
ULONG pid;
ULONG ppid;
UNICODE_STRING pathName;
UNICODE_STRING ImageFileName;
}PROCESSINFO,*PPROCESSINFO;

typedef struct _SYSTEM_THREADS
{
LARGE_INTEGERKernelTime;
LARGE_INTEGERUserTime;
LARGE_INTEGERCreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientID;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASONWaitReason;
ULONG Reserved; //Add
}SYSTEM_THREADS,*PSYSTEM_THREADS;

typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG                NextEntryOffset;
ULONG                NumberOfThreads;
LARGE_INTEGER       Reserved;
LARGE_INTEGER       CreateTime;
LARGE_INTEGER       UserTime;
LARGE_INTEGER       KernelTime;
UNICODE_STRING       ImageName;
KPRIORITY             BasePriority;
HANDLE                ProcessId;
HANDLE                InheritedFromProcessId;
ULONG                HandleCount;
ULONG                Reserved2;
ULONG                PrivatePageCount;
VM_COUNTERS          VirtualMemoryCounters;
IO_COUNTERS          IoCounters;
SYSTEM_THREADS       Threads;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemBasicInformation,             //0 Y N
SystemProcessorInformation,          //1 Y N
SystemPerformanceInformation,       //2 Y N
SystemTimeOfDayInformation,          //3 Y N
SystemNotImplemented1,                //4 Y N
SystemProcessesAndThreadsInformation, //5 Y N
SystemCallCounts,                   //6 Y N
SystemConfigurationInformation,       //7 Y N
SystemProcessorTimes,                //8 Y N
SystemGlobalFlag,                   //9 Y Y
SystemNotImplemented2,                // 10 Y N
SystemModuleInformation,             // 11 Y N
SystemLockInformation,                // 12 Y N
SystemNotImplemented3,                // 13 Y N
SystemNotImplemented4,                // 14 Y N
SystemNotImplemented5,                // 15 Y N
SystemHandleInformation,             // 16 Y N
SystemObjectInformation,             // 17 Y N
SystemPagefileInformation,          // 18 Y N
SystemInstructionEmulationCounts,    // 19 Y N
SystemInvalidInfoClass1,             // 20
SystemCacheInformation,             // 21 Y Y
SystemPoolTagInformation,             // 22 Y N
SystemProcessorStatistics,          // 23 Y N
SystemDpcInformation,                // 24 Y Y
SystemNotImplemented6,                // 25 Y N
SystemLoadImage,                      // 26 N Y
SystemUnloadImage,                   // 27 N Y
SystemTimeAdjustment,                // 28 Y Y
SystemNotImplemented7,                // 29 Y N
SystemNotImplemented8,                // 30 Y N
SystemNotImplemented9,                // 31 Y N
SystemCrashDumpInformation,          // 32 Y N
SystemExceptionInformation,          // 33 Y N
SystemCrashDumpStateInformation,    // 34 Y Y/N
SystemKernelDebuggerInformation,    // 35 Y N
SystemContextSwitchInformation,       // 36 Y N
SystemRegistryQuotaInformation,       // 37 Y Y
SystemLoadAndCallImage,             // 38 N Y
SystemPrioritySeparation,             // 39 N Y
SystemNotImplemented10,             // 40 Y N
SystemNotImplemented11,             // 41 Y N
SystemInvalidInfoClass2,             // 42
SystemInvalidInfoClass3,             // 43
SystemTimeZoneInformation,          // 44 Y N
SystemLookasideInformation,          // 45 Y N
SystemSetTimeSlipEvent,             // 46 N Y
SystemCreateSession,                // 47 N Y
SystemDeleteSession,                // 48 N Y
SystemInvalidInfoClass4,             // 49
SystemRangeStartInformation,          // 50 Y N
SystemVerifierInformation,          // 51 Y Y
SystemAddVerifier,                   // 52 N Y
SystemSessionProcessesInformation    // 53 Y N
} SYSTEM_INFORMATION_CLASS;

typedefNTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
_In_    SYSTEM_INFORMATION_CLASS SystemInformationClass,
_Inout_ PVOID                SystemInformation,
_In_    ULONG                SystemInformationLength,
_Out_opt_ PULONG                ReturnLength
);

NTSTATUS
PsLookupProcessByProcessId(
IN HANDLE ProcessId,
OUT PEPROCESS *Process
);

NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process);

void EnumProcessByZw()
{
NTSTATUS    status;
//ULONG i = 0;
ULONG retusize;
UNICODE_STRING ZwFunName;
PVOID AllSize=0;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;
SYSTEM_PROCESS_INFORMATION* ProcessInfo;
RtlInitUnicodeString(&ZwFunName,L"ZwQuerySystemInformation");

ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)MmGetSystemRoutineAddress(&ZwFunName);

if(ZwQuerySystemInformation==0)
{
KdPrint(("Get Fun Addr Faile!"));
return;
}

status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,0,0,&retusize);

if(retusize==0)
{
KdPrint(("retu size is null"));
return;
}

AllSize = ExAllocatePool(NonPagedPool,retusize);
if(AllSize==0)
{
return;
}

status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,AllSize,(ULONG)retusize,&retusize);

if(!NT_SUCCESS(status))
{
KdPrint(("ZwQuerySystemInformation is faild!"));
ExFreePool(AllSize);
return;
}

ProcessInfo = (SYSTEM_PROCESS_INFORMATION*)AllSize;
while (ProcessInfo->NextEntryOffset)
{
KdPrint(("ProcessId:%d------ProcessName:%wZ",ProcessInfo->ProcessId,&ProcessInfo->ImageName));
/*for (i = 0; i < ProcessInfo->NumberOfThreads;i++)
{
KdPrint(("    CliendId: %x-------StartAddress:0x%llx",ProcessInfo->Threads.ClientID.UniqueThread,ProcessInfo->Threads.StartAddress));
}*/
ProcessInfo = (SYSTEM_PROCESS_INFORMATION*)((ULONGLONG)ProcessInfo + ProcessInfo->NextEntryOffset);
}

ExFreePool(AllSize);
}

//暴力枚举PID，枚举进程
NTSTATUS SearchProcessPID(ULONG pid)
{
NTSTATUS status = STATUS_SUCCESS;
PEPROCESS process = NULL;
PUCHAR processName;
status = PsLookupProcessByProcessId((HANDLE)pid, &process);
processName = ExAllocatePool(NonPagedPool, sizeof(process));
if (NT_SUCCESS(status))
{
   processName = PsGetProcessImageFileName(process);
   DbgPrint("PID:%d,processName:%s\n", pid, processName);/*这里使用完后要ObdefObject,<span style="font-family: Arial, Helvetica, sans-serif;">PsLookupProcessByProcessId会增加引用计数这里的内存也没有释放*/</span>

}
}

void EnumProcessByLink()
{
ULONGLONG eprocess;
PLIST_ENTRY p_head,p_list;
ULONGLONG offset = 0x16f8;
ULONG processnum =1;
PPROCESSINFO pProcessInfo = {0};
eprocess = (ULONGLONG)PsGetCurrentProcess();
p_head = (PLIST_ENTRY)(eprocess+0x188);
p_list = p_head;
while (p_list->Flink!=p_head)
{
processnum++;
eprocess = (ULONGLONG)(p_list - 0x188)+offset;
KdPrint(("ProcessName:%s",eprocess+0x2e0));
p_list = p_list->Flink;
}
KdPrint(("ProcessNum:%d",processnum));
}

#define ACTIVE_PROCESS_LINK 0x188

//通过EPROCESS枚举进程
NTSTATUS SearchProcessEPROCESS()
{
PEPROCESS process=NULL,firstProcess=NULL;
NTSTATUS status = STATUS_SUCCESS;
PLIST_ENTRY plist;
process = firstProcess = PsGetCurrentProcess();
do
{
   PUCHAR ProcessNmae = NULL;
   ProcessNmae = PsGetProcessImageFileName(process);
   DbgPrint("PID:%d,ProcessName:%s\n", (HANDLE)PsGetProcessId(process), ProcessNmae);
   plist = (PLIST_ENTRY)((ULONG)process + ACTIVE_PROCESS_LINK);
   process = (PEPROCESS)((ULONG)plist->Flink - ACTIVE_PROCESS_LINK);
   if (process == firstProcess)
   {
         break;
   }
} while (process != NULL);

return status;
}

void DriverUnload(PDRIVER_OBJECT pDriverObject)
{
KdPrint(("DriverUnload"));
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING pUnicodeString)
{
KdPrint(("DriverEntry"));
//EnumProcessByZw();
EnumProcessByLink();
pDriverObject->DriverUnload = DriverUnload;
return STATUS_SUCCESS;
}

测试平台：win7 x64 build 7601

页: [1]

看流星社区's Archiver

内核枚举进程总结