此方法硬编码很多!!! 所有 win32k 结构偏移只对 Win7 x64 有效，DriverEntry 里直接传入的 EPROCESS 地址也只对作者当次启动有效，换一次启动或换一台机器就不再指向 explorer.exe，解引用的是任意内核地址。
EPROCESS 的 Win32Process 字段（本文通过 PsGetProcessWin32Process 取得）其实指向一个 tagPROCESSINFO 结构。
- //#include <ntddk.h>
- #include <ntifs.h>
// Not declared in the public WDK headers, hence the hand-written prototype:
// returns EPROCESS.Win32Process, which win32k treats as a tagPROCESSINFO*
// (NULL for processes that never touched win32k).
NTKERNELAPI PVOID PsGetProcessWin32Process( IN PEPROCESS Process );
// Documented export, already declared by <ntifs.h>; re-declared here as in the
// original listing.
NTKERNELAPI PEPROCESS IoThreadToProcess(IN PETHREAD Thread);
// Exported but undocumented: returns a pointer to EPROCESS.ImageFileName, a
// fixed-size 15-byte field on Win7 x64, so callers should bound what they print.
NTKERNELAPI UCHAR* PsGetProcessImageFileName(PEPROCESS Process);
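// Structure offsets used by the walk. They are Windows 7 x64 only and are
// taken verbatim from the original listing; they do not hold for any other
// win32k build, and nothing below can detect a mismatch that lands on a
// mapped-but-unrelated field.
enum {
    OFF_PROCESSINFO_DESKTOP = 0x110, /* tagPROCESSINFO -> tagDESKTOP              */
    OFF_DESKTOP_DESKINFO    = 0x008, /* tagDESKTOP     -> tagDESKTOPINFO          */
    OFF_DESKINFO_SPWND      = 0x010, /* tagDESKTOPINFO.spwnd -> desktop tagWND    */
    OFF_WND_THREADINFO      = 0x010, /* tagWND -> tagTHREADINFO (owning thread)   */
    OFF_WND_SPWNDNEXT       = 0x048, /* tagWND.spwndNext                          */
    OFF_WND_SPWNDCHILD      = 0x060, /* tagWND.spwndChild                         */
    OFF_WND_STRNAME         = 0x0d8, /* tagWND.strName (_LARGE_UNICODE_STRING)    */
    OFF_LUS_BUFFER          = 0x008, /* _LARGE_UNICODE_STRING.Buffer              */
    OFF_THREADINFO_ETHREAD  = 0x000, /* tagTHREADINFO -> ETHREAD (first field)    */
    MAX_WINDOWS_WALKED      = 0x10000 /* guard against a corrupted/cyclic list     */
};

// TRUE if every page of [addr, addr+len) is currently mapped. This is a
// point-in-time check only (the page can go away before the read) and it says
// nothing about whether the bytes hold what the offset table assumes; it only
// turns "bugcheck on an unmapped field" into "stop the walk".
static BOOLEAN RangeIsMapped(ULONG_PTR addr, SIZE_T len)
{
    ULONG_PTR page;

    if (addr == 0 || len == 0 || addr + len < addr)
        return FALSE;
    for (page = addr & ~(ULONG_PTR)(PAGE_SIZE - 1); page < addr + len; page += PAGE_SIZE) {
        if (!MmIsAddressValid((PVOID)page))
            return FALSE;
    }
    return TRUE;
}

// Reads a pointer-sized value at addr, or returns 0 if it is not mapped.
// 0 is what every caller already treats as "end of chain", matching the
// original's NULL checks.
static ULONG_PTR ReadPtrChecked(ULONG_PTR addr)
{
    return RangeIsMapped(addr, sizeof(ULONG_PTR)) ? *(ULONG_PTR *)addr : 0;
}

// Prints tagWND.strName. The field is a _LARGE_UNICODE_STRING; per its public
// layout (consistent with the original's Buffer read at +0x8 on x64):
//   +0x0 ULONG Length (bytes)  +0x4 ULONG MaximumLength:31, bAnsi:1  +0x8 Buffer
// The original handed Buffer to "%S", which assumes a NUL terminator the
// structure does not promise; here Length bounds the print instead.
static VOID PrintWindowText(ULONG_PTR strName)
{
    ULONG length, maxAndFlags;
    ULONG_PTR buffer;

    if (!RangeIsMapped(strName, OFF_LUS_BUFFER + sizeof(ULONG_PTR)))
        return;

    length      = *(ULONG *)strName;
    maxAndFlags = *(ULONG *)(strName + 4);
    buffer      = *(ULONG_PTR *)(strName + OFF_LUS_BUFFER);

    // Same skip as the original: untitled windows carry a NULL Buffer.
    if (buffer == 0 || length == 0 || !RangeIsMapped(buffer, length))
        return;

    if (maxAndFlags & 0x80000000u) {
        // bAnsi set: the buffer holds CHARs. NOTE(review): bit position assumes
        // MSVC's low-to-high bit-field layout -- confirm against this build.
        ANSI_STRING ansi;
        ansi.Length = ansi.MaximumLength = (USHORT)(length > 0xFFFF ? 0xFFFF : length);
        ansi.Buffer = (PCHAR)buffer;
        DbgPrint("strName:%Z", &ansi);
    } else {
        UNICODE_STRING uni;
        uni.Length = uni.MaximumLength = (USHORT)(length > 0xFFFE ? 0xFFFE : length);
        uni.Buffer = (PWCH)buffer;
        DbgPrint("strName:%wZ", &uni);
    }
}

// Prints one top-level window: its HWND (first field of tagWND, the original's
// `h`), then -- if the owning thread resolves through tagTHREADINFO -> ETHREAD
// -> EPROCESS -- its title, PID and image name. Windows whose thread cannot be
// resolved only get the HWND line, as in the original.
static VOID PrintWindow(ULONG_PTR wnd)
{
    ULONG_PTR hwnd = ReadPtrChecked(wnd);
    ULONG_PTR threadInfo, ethread;
    PEPROCESS owner;

    if (hwnd != 0)
        DbgPrint("hwnd:0x%llx----tag_wnd:0x%llx\n",
                 (unsigned long long)hwnd, (unsigned long long)wnd);

    threadInfo = ReadPtrChecked(wnd + OFF_WND_THREADINFO);
    if (threadInfo == 0)
        return;
    ethread = ReadPtrChecked(threadInfo + OFF_THREADINFO_ETHREAD);
    // IoThreadToProcess dereferences the thread object, so at least make sure
    // the pointer we pulled out of win32k points at mapped memory.
    if (ethread == 0 || !RangeIsMapped(ethread, 1))
        return;
    owner = IoThreadToProcess((PETHREAD)ethread);
    if (owner == NULL)
        return;

    PrintWindowText(wnd + OFF_WND_STRNAME);
    // ULONG_PTR is 64-bit here; the original's "%d" mismatched the argument.
    DbgPrint("\nProcessID:%llu\n", (unsigned long long)(ULONG_PTR)PsGetProcessId(owner));
    // ImageFileName is a fixed 15-byte EPROCESS field (the original's
    // commented-out read at EPROCESS+0x2e0) and is not guaranteed to be
    // NUL-terminated for long names, so bound the print.
    DbgPrint("ProcessName:%.15s\n", PsGetProcessImageFileName(owner));
}

// Win7 x64 only. Enumerates explorer.exe's top-level windows by walking
// win32k's internal structures and prints, per window: HWND, title, owning
// PID and image name. Pointer chain:
//   EPROCESS.Win32Process (tagPROCESSINFO, via PsGetProcessWin32Process)
//     -> tagDESKTOP -> tagDESKTOPINFO -> desktop tagWND
//     -> spwndChild (first top-level window), then spwndNext for siblings.
//
// explorer: EPROCESS of explorer.exe. This function takes no reference of
//           its own; the caller must hold one for the duration of the call.
//           It must be a process with a GUI session -- attaching to it is what
//           makes win32k's session-space structures addressable here.
//
// Caveats (research/debug tool, not production code):
//   - Every field is read through ReadPtrChecked(), so an unmapped pointer ends
//     the walk instead of bugchecking. A wrong offset that lands on a mapped
//     but unrelated field is still followed; only the offsets' correctness for
//     this exact build protects against that.
//   - The window list is read without win32k's USER lock, so a window being
//     destroyed concurrently can be observed mid-teardown. Nothing is written.
//   - Must run at PASSIVE_LEVEL (KeStackAttachProcess requirement).
VOID EnumWindows(PEPROCESS explorer)
{
    KAPC_STATE apcState;
    ULONG_PTR processInfo, desktop, deskInfo, desktopWnd, wnd;
    ULONG walked = 0;

    if (explorer == NULL)
        return;

    // KeStackAttachProcess/KeUnstackDetachProcess are the supported
    // replacements for the original KeAttachProcess/KeDetachProcess pair.
    KeStackAttachProcess(explorer, &apcState);

    processInfo = (ULONG_PTR)PsGetProcessWin32Process(explorer);
    if (processInfo == 0) {
        DbgPrint("win32_process");
        goto detach;
    }
    desktop = ReadPtrChecked(processInfo + OFF_PROCESSINFO_DESKTOP);
    if (desktop == 0) {
        DbgPrint("tag_desk_top");
        goto detach;
    }
    deskInfo = ReadPtrChecked(desktop + OFF_DESKTOP_DESKINFO);
    if (deskInfo == 0) {
        DbgPrint("tag_desk_info");
        goto detach;
    }
    desktopWnd = ReadPtrChecked(deskInfo + OFF_DESKINFO_SPWND);
    if (desktopWnd == 0) {
        DbgPrint("tag_desk_wnd");
        goto detach;
    }
    wnd = ReadPtrChecked(desktopWnd + OFF_WND_SPWNDCHILD);
    if (wnd == 0) {
        DbgPrint("tag_wnd");
        goto detach;
    }

    // Sibling walk. An unmapped spwndNext reads as 0 and ends the loop; the
    // iteration cap stops a corrupted or cyclic list from spinning forever.
    for (; wnd != 0 && walked < MAX_WINDOWS_WALKED;
         wnd = ReadPtrChecked(wnd + OFF_WND_SPWNDNEXT), walked++) {
        PrintWindow(wnd);
    }

detach:
    KeUnstackDetachProcess(&apcState);
}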
// Unload callback registered from DriverEntry. The driver owns no resources
// (no device object, no allocations), so all it does is log that it is gone.
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;
    DbgPrint("[kernel]88!\n");
}
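// Upper bound of the PID scan in FindProcessByImageName. PIDs are multiples of
// 4 and normally stay far below this; raise it if explorer.exe is not found on
// a long-running system.
#define MAX_SCANNED_PID 0x10000

// Returns a referenced EPROCESS whose image name matches imageName
// (case-insensitive; first match wins, and there is one explorer.exe per
// interactive session), or NULL if none is found. The caller must
// ObDereferenceObject the result. PASSIVE_LEVEL only.
static PEPROCESS FindProcessByImageName(const char *imageName)
{
    ULONG_PTR pid;

    for (pid = 4; pid < MAX_SCANNED_PID; pid += 4) {
        PEPROCESS process = NULL;

        // Fails for unused PIDs and for thread IDs; both are simply skipped.
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)pid, &process)))
            continue;
        // ImageFileName is a fixed 15-byte field, so compare at most 15 chars.
        if (_strnicmp((const char *)PsGetProcessImageFileName(process), imageName, 15) == 0)
            return process;
        ObDereferenceObject(process);
    }
    return NULL;
}

// Driver entry point: registers the unload routine, locates explorer.exe and
// dumps its top-level windows via EnumWindows. Always returns STATUS_SUCCESS
// so the driver stays loadable even when there is nothing to enumerate.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
    PEPROCESS explorer;

    UNREFERENCED_PARAMETER(pRegPath);
    pDriverObject->DriverUnload = DriverUnload;

    // The original passed a raw EPROCESS address captured from one debugging
    // session (0xfffffa801a596b30). That value is only meaningful on that one
    // boot; anywhere else it is an arbitrary kernel address and the walk in
    // EnumWindows dereferences it. Resolve explorer.exe at load time instead,
    // which also hands EnumWindows a properly referenced object.
    explorer = FindProcessByImageName("explorer.exe");
    if (explorer == NULL) {
        DbgPrint("explorer.exe not found; nothing to enumerate\n");
        return STATUS_SUCCESS;
    }

    EnumWindows(explorer);
    ObDereferenceObject(explorer);
    return STATUS_SUCCESS;
}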
测试图：有一些窗口没有 strName（strName.Buffer 为 NULL，代码里直接跳过不打印，只输出 hwnd、PID 和进程名）。