顶下贴
这个网上好多现成的代码啊
我从我工程里复制一下给你吧
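/*
 * Process_searchprocess - scan kernel address space for an EPROCESS whose
 * image name starts with pFindExe.
 *
 * The scan walks from 0x80000000 (presumably the start of kernel space on
 * the 32-bit kernel this was written for) up to the address of the System
 * process object (pSystem), 4 bytes at a time. A dword whose upper 16 bits
 * equal pebAddress (see Process_GetPebAddress) is treated as the PEB
 * pointer field of a candidate EPROCESS, which is then confirmed with
 * Process_IsARealProcess and Process_IsEnd before its name is compared.
 * Addresses that Process_validpage reports as PTE_INVALID are skipped in
 * 4 KB steps; any other non-VALID result skips 4 MB.
 *
 * pFindExe: image-name prefix to match (compared with Fun_Mymemicmp over
 *           strlen(pFindExe) bytes); NULL yields 0 without scanning.
 * Returns the address of the first matching EPROCESS, or 0 if none.
 *
 * NOTE(review): PEB_OFFSET and EPROCESS_NAME_OFFSET are hard-coded,
 * build-specific EPROCESS layouts; on any other kernel build the hits are
 * meaningless and the dereferences below read unrelated memory. The name
 * printed with %s is taken straight from the EPROCESS; whether it is always
 * NUL-terminated is not established here.
 */
DWORD Process_searchprocess(const char *pFindExe)
{
    ULONG dwEprocess = 0;
    ULONG i, nl;
    ULONG result, dwAddres;
    ULONG uSystemAddress = (ULONG)pSystem;
    PUCHAR pFileName = NULL;

    if (pFindExe == NULL) {
        DbgPrint("Process No Find.\r\n");
        return 0;
    }
    nl = strlen(pFindExe);

    for (i = 0x80000000; i < uSystemAddress; i += 4) {
        result = Process_validpage(i);
        if (result == VALID) {
            dwAddres = *(PULONG)i;
            if ((dwAddres & 0xFFFF0000) == pebAddress) {
                if (Process_IsARealProcess(i)) {
                    /* i points at the PEB field, so the EPROCESS starts
                     * PEB_OFFSET bytes before it. */
                    pFileName = (PUCHAR)((i - PEB_OFFSET) + EPROCESS_NAME_OFFSET);
                    /* Ignore processes that have already exited. */
                    if (Process_IsEnd(i - PEB_OFFSET) == FALSE
                        && Fun_Mymemicmp(pFileName, pFindExe, nl) == 0) {
                        dwEprocess = i - PEB_OFFSET;
                        break;
                    }
                }
            }
        } else if (result == PTE_INVALID) {
            /* Page not mapped: jump to the next 4 KB page. The -4 cancels
             * the loop's own increment. */
            i -= 4;
            i += 0x1000;
        } else {
            /* Neither VALID nor PTE_INVALID: skip a 4 MB span. */
            i -= 4;
            i += 0x400000;
        }
    }

    if (dwEprocess == 0) {
        DbgPrint("Process No Find.\r\n");
    } else {
        DbgPrint("Process Is Find:[%s]\r\n", pFileName);
    }
    return dwEprocess;
}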
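/*
 * Process_GetAllProcessInfo - build a text listing of every live process
 * found by scanning kernel memory and publish it via
 * Glable_SetResultString.
 *
 * Uses the same EPROCESS-signature scan as Process_searchprocess (see that
 * function for the constants and their caveats). Each candidate accepted by
 * Process_GetProcessInfo contributes one line, appended to the global
 * m_tempMaxBuff with Fun_AppendStr; the scan then skips EPROCESS_SIZE bytes.
 * Once the accumulated length would exceed ALL_PROCESS_INFO_LIMIT the
 * listing is closed with "(OV)" and published as-is (previously the
 * overflow path returned without publishing anything).
 *
 * NOTE(review): the size of m_tempMaxBuff is not visible here. The limit is
 * checked before the line is appended, so the buffer must hold
 * ALL_PROCESS_INFO_LIMIT bytes plus "(OV)" and the terminator.
 */
void Process_GetAllProcessInfo()
{
    enum { ALL_PROCESS_INFO_LIMIT = 65536 };
    ULONG i, nc = 0;
    ULONG result, dwAddres;
    char strtemp[MAX_PATH];
    ULONG uSystemAddress = (ULONG)pSystem;

    m_tempMaxBuff[0] = 0;

    for (i = 0x80000000; i < uSystemAddress; i += 4) {
        result = Process_validpage(i);
        if (result == VALID) {
            dwAddres = *(PULONG)i;
            if ((dwAddres & 0xFFFF0000) == pebAddress
                && Process_IsARealProcess(i)
                && Process_GetProcessInfo(i - PEB_OFFSET, strtemp)) {
                nc = nc + strlen(strtemp);
                /* A whole EPROCESS was just consumed; move past it. */
                i += EPROCESS_SIZE;
                if (nc > ALL_PROCESS_INFO_LIMIT) {
                    /* Mark the truncation and stop; the partial listing is
                     * still published below. */
                    strcat(m_tempMaxBuff, "(OV)");
                    break;
                }
                Fun_AppendStr(m_tempMaxBuff, strtemp, FALSE);
            }
        } else if (result == PTE_INVALID) {
            /* Page not mapped: next 4 KB page (the -4 cancels the loop step). */
            i -= 4;
            i += 0x1000;
        } else {
            /* Any other non-VALID result: skip a 4 MB span. */
            i -= 4;
            i += 0x400000;
        }
    }

    if (nc > 0) {
        Glable_SetResultString(m_tempMaxBuff);
    } else {
        Glable_SetResultString("No Find!");
    }
}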
/*
 * Process_GetPebAddress - derive the 16-bit prefix that the memory scanners
 * compare against.
 *
 * The System process always has a zero PEB pointer, so the next entry in
 * its process list (the LIST_ENTRY at PROCESS_LINK_OFFSET inside pSystem)
 * is used instead: the PEB pointer at PEB_OFFSET of that EPROCESS is read
 * and its upper 16 bits are returned.
 *
 * NOTE(review): relies on the same hard-coded, build-specific offsets as the
 * scanners; pSystem must already be initialised.
 */
ULONG Process_GetPebAddress()
{
    PLIST_ENTRY systemLink = (PLIST_ENTRY)((ULONG)pSystem + PROCESS_LINK_OFFSET);
    ULONG nextLink = (ULONG)systemLink->Flink;
    /* Back up from the embedded LIST_ENTRY to the start of the next EPROCESS. */
    PEPROCESS pNext = (PEPROCESS)(nextLink - PROCESS_LINK_OFFSET);
    ULONG pebPointer = *(PULONG)((ULONG)pNext + PEB_OFFSET);

    return pebPointer & 0xFFFF0000;
}
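/*
 * Process_GetProcessName - return a pointer to the image-name field of an
 * EPROCESS.
 *
 * peb: address of the EPROCESS (the parameter name is historical; this is
 *      not a PEB).
 * Returns a pointer EPROCESS_NAME_OFFSET bytes into that object. The bytes
 * are not copied; their length and NUL-termination are whatever the kernel
 * stores there.
 *
 * The offset is added to the integer address, exactly as
 * Process_searchprocess and Process_GetProcessInfo do. Adding it to the
 * PEPROCESS pointer itself would scale the offset by sizeof(*peb) and point
 * at the wrong bytes.
 */
PUCHAR Process_GetProcessName(PEPROCESS peb)
{
    return (PUCHAR)((ULONG)peb + EPROCESS_NAME_OFFSET);
}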
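/*
 * Process_GetProcessInfo - format one listing line for a candidate
 * EPROCESS.
 *
 * dwAddres: address of the EPROCESS.
 * pOut:     caller-supplied buffer receiving "0x<address> <pid> <name>";
 *           it is only written for live processes. No size is passed, so
 *           the caller must provide enough room (the caller on this page
 *           uses a MAX_PATH buffer).
 * Returns TRUE when the process is still running and a line was written,
 * FALSE when ExitTime is non-zero (the process has exited); pOut is left
 * untouched in that case.
 *
 * NOTE(review): PID is a ULONG, so it is printed with %lu rather than the
 * original %d, which mismatched the argument type. The name is printed
 * straight from kernel memory with an unbounded %s; if the field is not
 * NUL-terminated the write can run past pOut — confirm the field's layout
 * before trusting this on other builds.
 */
BOOL Process_GetProcessInfo(ULONG dwAddres, char *pOut)
{
    PLARGE_INTEGER ExitTime;
    ULONG PID;
    PUCHAR pFileName;
    BOOL rb = TRUE;

    ExitTime = (PLARGE_INTEGER)(dwAddres + PROCESS_EXIT_TIME_OFFSET);
    PID = *(PULONG)(dwAddres + PROCESS_ID_OFFSET);
    pFileName = (PUCHAR)(dwAddres + EPROCESS_NAME_OFFSET);

    if (ExitTime->QuadPart != 0) {
        /* A non-zero ExitTime means the process has already terminated. */
        rb = FALSE;
    } else {
        sprintf(pOut, "0x%08X %04lu %s", dwAddres, PID, pFileName);
    }
    return rb;
}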
我只知道3环下的fs.base 指向的是TEB