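PLDR_DATA_TABLE_ENTRY pstEntry = NULL;
PEPROCESS pEprocess = PsGetCurrentProcess();
PPEB pPeb = PsGetProcessPeb( pEprocess );
// PEB.Ldr sits at a fixed, architecture-dependent offset: 0x0C on x86, 0x18 on x64.
// The original hard-coded 0x0c and read it through a 32-bit integer type, which
// yields garbage on a 64-bit build.
#ifdef _WIN64
const unsigned int uLdrOffset = 0x18;
#else
const unsigned int uLdrOffset = 0x0c;
#endif
// The loader list lives in user-mode memory owned by the process. Any code in that
// process can unlink entries (so this is NOT a trustworthy module list), splice the
// list into a cycle, or point PEB.Ldr / a Flink at a kernel address. The walk is
// therefore bounded, and every structure is probed before it is dereferenced so a
// kernel pointer raises STATUS_ACCESS_VIOLATION inside __try instead of leaking
// kernel memory into the debug output or bugchecking on an unmapped address.
const unsigned int uMaxLdrEntries = 4096;
unsigned int uWalked = 0;
// Enumerating the current process: its user-mode address space is already the
// active one, so KeStackAttachProcess() is unnecessary.
//KAPC_STATE ApcState;
//KeStackAttachProcess( pEprocess, &ApcState );
// System, minimal and pico processes have no PEB; PsGetProcessPeb() returns NULL.
if( NULL != pPeb )
{
    __try
    {
        PPEB_LDR_DATA Ldr = *(PPEB_LDR_DATA *)( (PBYTE)pPeb + uLdrOffset );
        if( NULL != Ldr )
        {
            PLIST_ENTRY pHead;
            PLIST_ENTRY pEntry;
            ProbeForRead( Ldr, sizeof( PEB_LDR_DATA ), sizeof( void * ) );
            pHead = &Ldr->LoadOrder;
            pEntry = pHead->Flink;
            while( pEntry != pHead && uWalked < uMaxLdrEntries )
            {
                pstEntry = CONTAINING_RECORD( pEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks );
                // Probe the entry and both name buffers (user-mode range only; pointer-
                // and WCHAR-aligned). This is a check, not a copy: user mode can still
                // change the data between the probe and the DbgPrint, so the printed
                // names are informational only and must not drive any decision.
                ProbeForRead( pstEntry, sizeof( LDR_DATA_TABLE_ENTRY ), sizeof( void * ) );
                ProbeForRead( pstEntry->BaseDllName.Buffer, pstEntry->BaseDllName.Length, 2 );
                ProbeForRead( pstEntry->FullDllName.Buffer, pstEntry->FullDllName.Length, 2 );
                DbgPrint( "\r\nBaseDllName:%wZ FullDllName:%wZ", &pstEntry->BaseDllName, &pstEntry->FullDllName );
                pEntry = pEntry->Flink;
                uWalked++;
            }
            if( uWalked >= uMaxLdrEntries )
            {
                // Hitting the bound means the list never returned to its head:
                // a cycle or a corrupted list, not a real process with 4096 modules.
                DbgPrint( "\r\n loader list walk aborted after %u entries", uWalked );
            }
        }
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        // Reached on a user-mode access fault or a ProbeForRead rejection.
        DbgPrint( "\r\n __except" );
    }
}
//KeUnstackDetachProcess( &ApcState );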
第一个围观
哦,枚举自己
哈哈 昨天刚弄了这个不过还没调试好。
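DbgPrint( "\r\n start enum process" );
{
    // Enumerates processes indirectly: queries SystemHandleInformation (class 16),
    // then treats every change of owning PID between consecutive handle entries as
    // a new process and resolves it to a name. Entries are grouped by process in
    // practice, but that ordering is not documented, so nCount is a best-effort
    // figure. Uses ntStatus from the enclosing scope and leaves it STATUS_SUCCESS.
    ULONG i, nNumberOfBytes = 10240;
    const ULONG nMaxBytes = 256u << 20;
    PVOID pSystemInformation = NULL;
    PSYSTEM_HANDLE_INFORMATION pDriverModuleSystemInfo = NULL;
    PEPROCESS pcrsEProc = NULL;
    ULONG ulPrePid = 0, nCount = 0, nHandles = 0;
    // The required size is unknown up front and can reach several MB on a busy
    // system. ReturnLength is not reliable for this class on every Windows version,
    // so on STATUS_INFO_LENGTH_MISMATCH the buffer is doubled (O(log n) retries)
    // rather than grown by 4096 per pass as the original did, with a hard cap so a
    // pathological handle count cannot turn into unbounded pool consumption.
    do
    {
        if( NULL != pSystemInformation )
        {
            ExFreePool( pSystemInformation );
            pSystemInformation = NULL;
        }
        // PagedPool: ZwQuerySystemInformation requires PASSIVE_LEVEL and the buffer
        // is transient, so there is no reason to burn non-paged pool on it.
        pSystemInformation = ExAllocatePoolWithTag( PagedPool, nNumberOfBytes, 'bob1' );
        if( NULL == pSystemInformation )
        {
            goto _Exit_GetSelfModulePath;
        }
        ntStatus = ZwQuerySystemInformation( 16, pSystemInformation, nNumberOfBytes, &i );
        if( !NT_SUCCESS( ntStatus ) && ntStatus != STATUS_INFO_LENGTH_MISMATCH )
        {
            goto _Exit_GetSelfModulePath;
        }
        if( !NT_SUCCESS( ntStatus ) )
        {
            if( nNumberOfBytes >= nMaxBytes )
            {
                DbgPrint( "\r\n handle table too large (> %u bytes), giving up", nMaxBytes );
                goto _Exit_GetSelfModulePath;
            }
            nNumberOfBytes *= 2;
        }
    }
    while ( !NT_SUCCESS( ntStatus ) );
    pDriverModuleSystemInfo = ( PSYSTEM_HANDLE_INFORMATION )pSystemInformation;
    nHandles = pDriverModuleSystemInfo->NumberOfHandles;
    // NOTE: UniqueProcessId is a USHORT in this information class, so PIDs above
    // 65535 are truncated and may collide; SystemExtendedHandleInformation (class 64)
    // carries full-width PIDs if that matters.
    for( i = 0; i < nHandles; i++ )
    {
        if( ulPrePid != pDriverModuleSystemInfo->Handles[i].UniqueProcessId )
        {
            nCount++;
            ulPrePid = pDriverModuleSystemInfo->Handles[i].UniqueProcessId;
            // PIDs are HANDLE-typed; widen through ULONG_PTR so the conversion is
            // well-defined on x64 instead of relying on an int-to-pointer warning.
            ntStatus = PsLookupProcessByProcessId( (HANDLE)(ULONG_PTR)ulPrePid, &pcrsEProc );
            if( NT_SUCCESS( ntStatus ) )
            {
                // PsGetProcessImageFileName returns the short (15-char) image name
                // kept in EPROCESS, not a full path; it is a display hint, not an
                // identity that should gate any decision.
                DbgPrint( "UniqueProcessId:%d Name:%s", ulPrePid, PsGetProcessImageFileName( pcrsEProc ) );
                // Lookup succeeded, so the reference it took must be released.
                ObDereferenceObject( pcrsEProc );
                pcrsEProc = NULL;
            }
        }
    }
_Exit_GetSelfModulePath:
    if( NULL != pSystemInformation )
    {
        ExFreePool( pSystemInformation );
        pSystemInformation = NULL;
    }
    ntStatus = STATUS_SUCCESS;
    DbgPrint( "\r\n after enum process. nCount:%d", nCount );
}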
// Kernel exports used by the enumeration snippet. PsLookupProcessByProcessId is
// documented; on success it returns a referenced PEPROCESS the caller must release
// with ObDereferenceObject. PsGetProcessImageFileName is exported but undocumented:
// it returns a pointer to the short image name stored in EPROCESS (not a full path),
// which is a display hint only. Neither prototype carries a calling convention;
// that is fine under the WDK's x86 default (/Gz, __stdcall) but would need NTAPI
// if built with other defaults.
NTSTATUS PsLookupProcessByProcessId( IN HANDLE ProcessId, OUT PEPROCESS *Process );
UCHAR *PsGetProcessImageFileName(PEPROCESS EProcess);
// Class 16 (SystemHandleInformation) layout. Note the 16-bit fields: UniqueProcessId
// and HandleValue silently truncate above 65535, so on systems with high PIDs two
// different processes can appear as one. SystemExtendedHandleInformation (class 64)
// uses pointer-width fields and avoids that.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
// Variable-length: NumberOfHandles entries follow the count. The kernel pads the
// array start to the entry's natural alignment, which this declaration matches.
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
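// Hidden-control gate: typing HOME, "exception", END while the dialog has focus
// reveals and enables m_btn360Switch. This is obscurity, not access control: the
// gate string is a plain literal in the binary (visible to `strings`) and the
// comparison is case-insensitive. Do not rely on it to protect anything sensitive.
const CString g_strBtnEnablePass = _T("exception");
const int g_nBtnPassLen = g_strBtnEnablePass.GetLength();

// Intercepts WM_KEYDOWN before dialog dispatch: swallows Enter/Esc, feeds the
// key-sequence gate above, and otherwise defers to CDialogResize.
BOOL CProcCreateMonitorDlg::PreTranslateMessage(MSG* pMsg)
{
    if( pMsg->message == WM_KEYDOWN )
    {
        // Swallow Enter/Esc so the default button / cancel handling cannot close the dialog.
        if( pMsg->wParam == VK_RETURN || pMsg->wParam == VK_ESCAPE )
        {
            return TRUE;
        }
#ifdef _DEBUG
        // Debug builds only: the original traced every keystroke (gate sequence
        // included) to any attached debugger or DbgView in release too, which is a
        // keystroke leak. WPARAM is 64-bit on x64, so narrow it explicitly for %d/%#x.
        CString str;
        str.Format( _T("\r\n key:%d %#x"), (unsigned int)pMsg->wParam, (unsigned int)pMsg->wParam );
        OutputDebugString( str );
#endif
        {
            // Accumulates virtual-key codes (not characters) between HOME and END.
            // Letter VK codes equal their upper-case ASCII, which is why the
            // case-insensitive compare matches "exception"; modifier and other keys
            // append their raw VK code and break the match, as in the original.
            static CString strPass = _T("");
            if( pMsg->wParam == VK_HOME ) // start recording
            {
                strPass = _T("");
            }
            else if( pMsg->wParam == VK_END ) // stop recording and compare
            {
                if( 0 == strPass.CollateNoCase( g_strBtnEnablePass ) )
                {
                    m_btn360Switch.ShowWindow( SW_SHOW );
                    m_btn360Switch.EnableWindow( TRUE );
                }
                strPass = _T("");
            }
            else
            {
                strPass.AppendChar( (TCHAR)pMsg->wParam );
                // Drop the buffer once it is clearly longer than the gate string so
                // an arbitrary keystroke stream cannot grow it without bound.
                if( strPass.GetLength() > g_nBtnPassLen + 4 )
                {
                    strPass = _T("");
                }
            }
        }
    }
    return CDialogResize::PreTranslateMessage(pMsg);
}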
mstsc /f /v:192.168.0.103