通过该NtQuerySystemInformation API能得到进程的信息，但是该结构
// Per-process record returned by NtQuerySystemInformation (the layout that
// later headers call SYSTEM_PROCESS_INFORMATION). Each record is variable-
// length because of the trailing Threads array, so a buffer of records must
// be walked with NextEntryDelta, never with sizeof(SYSTEM_PROCESSES).
// NOTE(review): the field set, widths and order of this structure differ
// between Windows versions and between 32/64-bit builds -- confirm the layout
// against the target build's headers before relying on these offsets.
typedef struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta; // byte offset from this record to the next one; 0 marks the last record
ULONG ThreadCount; // number of SYSTEM_THREADS entries that follow in Threads[]
ULONG Reserved1[6]; // reserved/undocumented
LARGE_INTEGER CreateTime; // process creation time
LARGE_INTEGER UserTime; // CPU time spent in user mode (ring 3)
LARGE_INTEGER KernelTime; // CPU time spent in kernel mode (ring 0)
UNICODE_STRING ProcessName; // image name; Length-counted (bytes), not guaranteed NUL-terminated
KPRIORITY BasePriority; // base scheduling priority of the process
ULONG ProcessId; // process identifier (pointer-sized HANDLE in newer headers -- confirm for 64-bit targets)
ULONG InheritedFromProcessId; // identifier of the parent process
ULONG HandleCount; // number of open handles
ULONG Reserved2[2]; // reserved/undocumented
VM_COUNTERS VmCounters; // virtual-memory counters (structure defined separately)
IO_COUNTERS IoCounters; // I/O counters (structure defined separately)
SYSTEM_THREADS Threads[1]; // trailing variable-length array: ThreadCount entries for all of the process's threads, addressed as Threads[i]
}SYSTEM_PROCESSES,*PSYSTEM_PROCESSES;
Threads只包含主线程的信息，那么如何得到辅助线程的信息呢？
用
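/* Walk the SYSTEM_THREADS entries that trail this SYSTEM_PROCESSES record.
 * Threads[1] is the usual trailing variable-length-array idiom: ThreadCount
 * entries are stored back to back, so Threads[i] addresses the i-th one
 * directly and the manual byte arithmetic is not needed. The loop counter is
 * ULONG to match ThreadCount and avoid a signed/unsigned comparison.
 *
 * NOTE(review): ThreadCount comes from the kernel-filled buffer; this snippet
 * does not know the size of the buffer returned by NtQuerySystemInformation,
 * so the caller must verify that ThreadCount entries actually fit inside it
 * before this loop runs. */
for(ULONG i=0;i<lpBuf->ThreadCount;i++)
{
/* memcpy overwrites every byte of lpThdTmp, so a preceding ZeroMemory is
 * redundant; the copy of the last iteration is what survives the loop. */
lpThread = &lpBuf->Threads[i];
memcpy((void*)&lpThdTmp,lpThread,sizeof(SYSTEM_THREADS));
}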
该方法得到SYSTEM_THREADS貌似并不正确，还是说建立的辅助线程都是主线程的子线程而不是该进程的子线程。
望高手解答?