-
-
[原创]驱动遍历系统进程
-
发表于: 2020-12-4 15:27
-
使用EnumProccess获取指向接收进程标识符列表的数组的指针
遍历进程标识符数组,获取每一个的进程句柄
通过进程句柄 GetModuleBaseNameA 获取该句柄的名字
一共可以有两个方法实现
进程遍历思路:
在用户层,我们通过查看TEB结构体来实现进程遍历;但在内核层,我们使用_EPROCESS结构体来获取进程相关信息。
_EPROCESS 有几个比较重要的成员:
UniqueProcessId : Ptr32 Void ,指向PID的指针。(注意是指针,还要取值运算才能得到PID)
ActiveProcessLinks : _LIST_ENTRY , 进程链,我们通过这个获取获取其他进程。
ImageFileName : [15] UChar,指向进程的路径名称。
在驱动中通过 PsGetCurrentProcess(),来获取当前进程的EPROCESS结构体,然后通过链表遍历其余的EPROCESS,将关键信息输出出来
查看_EPROCESS结构
查看进程列表:!process 0 0
查看EPROCESS结构:dt _EPROCESS [address]
三个我们需要的:
+0x180 UniqueProcessId
+0x188 ActiveProcessLinks
+0x2e0 ImageFileName
编写代码:
测试结果:
结构体的时候踩了点坑:
https://www.cnblogs.com/hshy/p/12271820.html
nt!_EPROCESS +0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER 0x01d6c92c`68691f64
+0x170 ExitTime : _LARGE_INTEGER 0x0
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : 0x00000000`00000004 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`1a4dd9a8 - 0xfffff800`04073b90 ]
+0x198 ProcessQuotaUsage : [2] 0
+0x1a8 ProcessQuotaPeak : [2] 0
+0x1b8 CommitCharge : 0x23
+0x1c0 QuotaBlock : 0xfffff800`04051c00 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : (null)
+0x1d0 PeakVirtualSize : 0xa04000
+0x1d8 VirtualSize : 0x48d000
+0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x1f0 DebugPort : (null)
+0x1f8 ExceptionPortData : (null)
+0x1f8 ExceptionPortValue : 0
+0x1f8 ExceptionPortState : 0y000
+0x200 ObjectTable : 0xfffff8a0`000017d0 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : 0
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : (null)
+0x228 ForkInProgress : (null)
+0x230 HardwareTrigger : 0
+0x238 PhysicalVadRoot : 0xfffffa80`18eae6b0 _MM_AVL_TABLE
+0x240 CloneRoot : (null)
+0x248 NumberOfPrivatePages : 0xc
+0x250 NumberOfLockedPages : 0x40
+0x258 Win32Process : (null)
+0x260 Job : (null)
+0x268 SectionObject : (null)
+0x270 SectionBaseAddress : (null)
+0x278 Cookie : 0
+0x27c UmsScheduledThreads : 0
+0x280 WorkingSetWatch : (null)
+0x288 Win32WindowStation : (null)
+0x290 InheritedFromUniqueProcessId : (null)
+0x298 LdtInformation : (null)
+0x2a0 Spare : (null)
+0x2a8 ConsoleHostProcess : 0
+0x2b0 DeviceMap : 0xfffff8a0`00008c10 Void
+0x2b8 EtwDataSource : (null)
+0x2c0 FreeTebHint : 0x000007ff`fffe0000 Void
+0x2c8 FreeUmsTebHint : 0x00000000`772b9000 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : 0
+0x2d8 Session : (null)
+0x2e0 ImageFileName : [15] "System"
+0x2ef PriorityClass : 0x2 ''
+0x2f0 JobLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x300 LockedPagesList : (null)
+0x308 ThreadListHead : _LIST_ENTRY [ 0xfffffa80`18de5880 - 0xfffffa80`1b697f80 ]
+0x318 SecurityPort : (null)
+0x320 Wow64Process : (null)
+0x328 ActiveThreads : 0x61
+0x32c ImagePathHash : 0
+0x330 DefaultHardErrorProcessing : 5
+0x334 LastThreadExitStatus : 0n0
+0x338 Peb : (null)
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER 0x12
+0x350 WriteOperationCount : _LARGE_INTEGER 0x45
+0x358 OtherOperationCount : _LARGE_INTEGER 0x1fa
+0x360 ReadTransferCount : _LARGE_INTEGER 0x251bd90
+0x368 WriteTransferCount : _LARGE_INTEGER 0x9b8600
+0x370 OtherTransferCount : _LARGE_INTEGER 0x13cd
+0x378 CommitChargeLimit : 0
+0x380 CommitChargePeak : 0x4a
+0x388 AweInfo : (null)
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY [ 0xfffffa80`1a4ddc40 - 0xfffff800`0404d5e0 ]
+0x430 HighestUserAddress : (null)
+0x438 ModifiedPageCount : 0x7328
+0x43c Flags2 : 0x2d800
+0x43c JobNotReallyActive : 0y0
+0x43c AccountingFolded : 0y0
+0x43c NewProcessReported : 0y0
+0x43c ExitProcessReported : 0y0
+0x43c ReportCommitChanges : 0y0
+0x43c LastReportMemory : 0y0
+0x43c ReportPhysicalPageChanges : 0y0
+0x43c HandleTableRundown : 0y0
+0x43c NeedsHandleRundown : 0y0
+0x43c RefTraceEnabled : 0y0
+0x43c NumaAware : 0y0
+0x43c ProtectedProcess : 0y1
+0x43c DefaultPagePriority : 0y101
+0x43c PrimaryTokenFrozen : 0y1
+0x43c ProcessVerifierTarget : 0y0
+0x43c StackRandomizationDisabled : 0y1
+0x43c AffinityPermanent : 0y0
+0x43c AffinityUpdateEnable : 0y0
+0x43c PropagateNode : 0y0
+0x43c ExplicitAffinity : 0y0
+0x440 Flags : 0x14040800
+0x440 CreateReported : 0y0
+0x440 NoDebugInherit : 0y0
+0x440 ProcessExiting : 0y0
+0x440 ProcessDelete : 0y0
+0x440 Wow64SplitPages : 0y0
+0x440 VmDeleted : 0y0
+0x440 OutswapEnabled : 0y0
+0x440 Outswapped : 0y0
+0x440 ForkFailed : 0y0
+0x440 Wow64VaSpace4Gb : 0y0
+0x440 AddressSpaceInitialized : 0y10
+0x440 SetTimerResolution : 0y0
+0x440 BreakOnTermination : 0y0
+0x440 DeprioritizeViews : 0y0
+0x440 WriteWatch : 0y0
+0x440 ProcessInSession : 0y0
+0x440 OverrideAddressSpace : 0y0
+0x440 HasAddressSpace : 0y1
+0x440 LaunchPrefetched : 0y0
+0x440 InjectInpageErrors : 0y0
+0x440 VmTopDown : 0y0
+0x440 ImageNotifyDone : 0y0
+0x440 PdeUpdateNeeded : 0y0
+0x440 VdmAllowed : 0y0
+0x440 CrossSessionCreate : 0y0
+0x440 ProcessInserted : 0y1
+0x440 DefaultIoPriority : 0y010
+0x440 ProcessSelfDelete : 0y0
+0x440 SetTimerResolutionLink : 0y0
+0x444 ExitStatus : 0n259
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x4b8 RequestedTimerResolution : 0
+0x4bc ActiveThreadsHighWatermark : 0x64
+0x4c0 SmallestTimerResolution : 0
+0x4c8 TimerResolutionStackRecord : (null)
nt!_EPROCESS +0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER 0x01d6c92c`68691f64
+0x170 ExitTime : _LARGE_INTEGER 0x0
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : 0x00000000`00000004 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`1a4dd9a8 - 0xfffff800`04073b90 ]
+0x198 ProcessQuotaUsage : [2] 0
+0x1a8 ProcessQuotaPeak : [2] 0
+0x1b8 CommitCharge : 0x23
+0x1c0 QuotaBlock : 0xfffff800`04051c00 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : (null)
+0x1d0 PeakVirtualSize : 0xa04000
+0x1d8 VirtualSize : 0x48d000
+0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x1f0 DebugPort : (null)
+0x1f8 ExceptionPortData : (null)
+0x1f8 ExceptionPortValue : 0
+0x1f8 ExceptionPortState : 0y000
+0x200 ObjectTable : 0xfffff8a0`000017d0 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : 0
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : (null)
+0x228 ForkInProgress : (null)
+0x230 HardwareTrigger : 0
+0x238 PhysicalVadRoot : 0xfffffa80`18eae6b0 _MM_AVL_TABLE
+0x240 CloneRoot : (null)
+0x248 NumberOfPrivatePages : 0xc
+0x250 NumberOfLockedPages : 0x40
+0x258 Win32Process : (null)
+0x260 Job : (null)
+0x268 SectionObject : (null)
+0x270 SectionBaseAddress : (null)
+0x278 Cookie : 0
+0x27c UmsScheduledThreads : 0
+0x280 WorkingSetWatch : (null)
+0x288 Win32WindowStation : (null)
+0x290 InheritedFromUniqueProcessId : (null)
+0x298 LdtInformation : (null)
+0x2a0 Spare : (null)
+0x2a8 ConsoleHostProcess : 0
+0x2b0 DeviceMap : 0xfffff8a0`00008c10 Void
+0x2b8 EtwDataSource : (null)
+0x2c0 FreeTebHint : 0x000007ff`fffe0000 Void
+0x2c8 FreeUmsTebHint : 0x00000000`772b9000 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : 0
+0x2d8 Session : (null)
+0x2e0 ImageFileName : [15] "System"
+0x2ef PriorityClass : 0x2 ''
+0x2f0 JobLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x300 LockedPagesList : (null)
+0x308 ThreadListHead : _LIST_ENTRY [ 0xfffffa80`18de5880 - 0xfffffa80`1b697f80 ]
+0x318 SecurityPort : (null)
+0x320 Wow64Process : (null)
+0x328 ActiveThreads : 0x61
+0x32c ImagePathHash : 0
+0x330 DefaultHardErrorProcessing : 5
+0x334 LastThreadExitStatus : 0n0
+0x338 Peb : (null)
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER 0x12
+0x350 WriteOperationCount : _LARGE_INTEGER 0x45
+0x358 OtherOperationCount : _LARGE_INTEGER 0x1fa
+0x360 ReadTransferCount : _LARGE_INTEGER 0x251bd90
+0x368 WriteTransferCount : _LARGE_INTEGER 0x9b8600
+0x370 OtherTransferCount : _LARGE_INTEGER 0x13cd
+0x378 CommitChargeLimit : 0
+0x380 CommitChargePeak : 0x4a
+0x388 AweInfo : (null)
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY [ 0xfffffa80`1a4ddc40 - 0xfffff800`0404d5e0 ]
+0x430 HighestUserAddress : (null)
+0x438 ModifiedPageCount : 0x7328
+0x43c Flags2 : 0x2d800
+0x43c JobNotReallyActive : 0y0
+0x43c AccountingFolded : 0y0
+0x43c NewProcessReported : 0y0
+0x43c ExitProcessReported : 0y0
+0x43c ReportCommitChanges : 0y0
+0x43c LastReportMemory : 0y0
+0x43c ReportPhysicalPageChanges : 0y0
+0x43c HandleTableRundown : 0y0
+0x43c NeedsHandleRundown : 0y0
+0x43c RefTraceEnabled : 0y0
+0x43c NumaAware : 0y0
+0x43c ProtectedProcess : 0y1
+0x43c DefaultPagePriority : 0y101
+0x43c PrimaryTokenFrozen : 0y1
+0x43c ProcessVerifierTarget : 0y0
+0x43c StackRandomizationDisabled : 0y1
+0x43c AffinityPermanent : 0y0
+0x43c AffinityUpdateEnable : 0y0
+0x43c PropagateNode : 0y0
+0x43c ExplicitAffinity : 0y0
+0x440 Flags : 0x14040800
+0x440 CreateReported : 0y0
+0x440 NoDebugInherit : 0y0
+0x440 ProcessExiting : 0y0
+0x440 ProcessDelete : 0y0
+0x440 Wow64SplitPages : 0y0
+0x440 VmDeleted : 0y0
+0x440 OutswapEnabled : 0y0
+0x440 Outswapped : 0y0
+0x440 ForkFailed : 0y0
+0x440 Wow64VaSpace4Gb : 0y0
+0x440 AddressSpaceInitialized : 0y10
+0x440 SetTimerResolution : 0y0
+0x440 BreakOnTermination : 0y0
+0x440 DeprioritizeViews : 0y0
+0x440 WriteWatch : 0y0
+0x440 ProcessInSession : 0y0
+0x440 OverrideAddressSpace : 0y0
+0x440 HasAddressSpace : 0y1
+0x440 LaunchPrefetched : 0y0
+0x440 InjectInpageErrors : 0y0
+0x440 VmTopDown : 0y0
+0x440 ImageNotifyDone : 0y0
+0x440 PdeUpdateNeeded : 0y0
+0x440 VdmAllowed : 0y0
+0x440 CrossSessionCreate : 0y0
+0x440 ProcessInserted : 0y1
+0x440 DefaultIoPriority : 0y010
+0x440 ProcessSelfDelete : 0y0
+0x440 SetTimerResolutionLink : 0y0
+0x444 ExitStatus : 0n259
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
+0x4b8 RequestedTimerResolution : 0
+0x4bc ActiveThreadsHighWatermark : 0x64
+0x4c0 SmallestTimerResolution : 0
+0x4c8 TimerResolutionStackRecord : (null)
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
