-
-
[旧帖] [原创]发一个超精简版枚举进程代码。 0.00雪花
-
2012-5-28 13:52
-
通过进程句柄表枚举进程。WinXP SP3测试通过。
#define HANDLE_TBL_OFF 0x0C4
#define IMAGE_NAME_OFF 0x174
#define HTBL_FLINK_OFF 0x01C
#define PID_OFF 0x084
#define HTBL_EPROC_OFF 0x004
VOID ListProcess()
{
ULONG currEPROC;
ULONG currHandleTbl;
currEPROC = (ULONG)PsGetCurrentProcess();
currHandleTbl = *(PULONG)(currEPROC + HANDLE_TBL_OFF);
while ( TRUE ){
//打印进程
DbgPrint( "PID:%4d ImageName:%s\r\n", *(PULONG)(currEPROC+PID_OFF), (PVOID)(currEPROC+IMAGE_NAME_OFF) );
//下一个进程
currHandleTbl = *(PULONG)(currHandleTbl + HTBL_FLINK_OFF) - HTBL_FLINK_OFF;
currEPROC = *(PULONG)(currHandleTbl + HTBL_EPROC_OFF);
//回到起始处则结束
if ( !currEPROC )
break;
}
}
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
|
|
|---|---|
|
|
|
|
|
 估计很多人看到既然枚举进程链已经是硬编码了,突然冒出个API不美观,所以继续硬编码保持队形吧。。。
|
|
|
你以为加个宏我就看不出是硬编码了么
|
|
|
|
