能力值:
( LV9,RANK:610 )
2 楼
在什么情况下已知什么?问问题说清楚条件~
能力值:
( LV2,RANK:10 )
3 楼
在驱动里获取别的进程中的PID。
能力值:
( LV5,RANK:60 )
4 楼
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
NTSTATUS ntStatus;
char ProcessName[256];
ULONG cbBuffer;
PSYSTEM_PROCESS_INFORMATION pInfo;
PSYSTEM_THREAD_INFORMATION pThread;
VOID* pBuffer = NULL;
ULONG i;
ULONG ThreadCount;
DriverObject->DriverUnload = Unload;
ZwQuerySystemInformation(5, &cbBuffer, 0, &cbBuffer);
pBuffer = ExAllocatePool (NonPagedPool, cbBuffer);
if (pBuffer == NULL)
{
return 1;
}
ntStatus = ZwQuerySystemInformation(5, pBuffer, cbBuffer, NULL);
if (!NT_SUCCESS(ntStatus))
{
ExFreePool(pBuffer);
return 1;
}
pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
while(1){
LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
if (pszProcessName == NULL)
pszProcessName = L"NULL";
wcstombs(ProcessName,pszProcessName,256);
if(_stricmp(MyProtectName,ProcessName)==0)
{
DbgPrint("the MyProtectPID is %d\n",pInfo->ProcessId);
MyProcessId=pInfo->ProcessId;
}
if (pInfo->NextEntryDelta == 0)
break;
pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+ pInfo->NextEntryDelta);
}
ExFreePool(pBuffer);
if (MyProcessId!=0)
{
ntStatus = PsLookupProcessByProcessId(MyProcessId, &ProtectedProcess);
if(NT_SUCCESS(ntStatus))
{
ObDereferenceObject(ProtectedProcess);
}
StartHook();
return STATUS_SUCCESS;
}
return STATUS_ACCESS_DENIED;
} 以前测试代码,你提炼下吧
能力值:
( LV2,RANK:10 )
5 楼
[QUOTE=dayed;593441]NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
NTSTATUS ntStatus;
char ProcessName[256];
ULONG cbBuffer;
PSYSTEM_P...[/QUOTE]
好的,太感谢了
能力值:
( LV12,RANK:420 )
6 楼
4楼的代码2000下会失败
能力值:
( LV2,RANK:10 )
7 楼
qihoocom有什么更好的办法?
不知道可否透露一下。
能力值:
( LV4,RANK:50 )
8 楼
#include <windows.h>
#include <ntsecapi.h>
#include <stdio.h>
#define SystemProcessesAndThreadsInformation 5
// 动态调用
typedef DWORD (WINAPI *ZWQUERYSYSTEMINFORMATION) (DWORD,
PVOID,
DWORD,
PDWORD);
// 结构定义
typedef struct _SYSTEM_PROCESS_INFORMATION{
DWORD NextEntryDelta;
DWORD ThreadCount;
DWORD Reserved1[6];
FILETIME ftCreateTime;
FILETIME ftUserTime;
FILETIME ftKernelTime;
UNICODE_STRING ProcessName;
DWORD BasePriority;
DWORD ProcessId;
DWORD InheritedFromProcessId;
DWORD HandleCount;
DWORD Reserved2[2];
DWORD VmCounters;
DWORD dCommitCharge;
PVOID ThreadInfos[1];
}SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; int main()
{
// 导出函数
HMODULE hNtDll = GetModuleHandle("ntdll.dll");
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(hNtDll,"ZwQuerySystemInformation");
ULONG cbBuffer = 0x10000;
LPVOID pBuffer = NULL;
PSYSTEM_PROCESS_INFORMATION pInfo;
pBuffer = malloc(cbBuffer);
if(pBuffer == NULL)
return -1;
// 获取进程信息
ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,pBuffer,cbBuffer,NULL);
// 指针指向链表头部
pInfo= (PSYSTEM_PROCESS_INFORMATION)pBuffer;
// 输出结果
for(;;)
{
printf("PID:%d \t%ls\n",pInfo->ProcessId,pInfo->ProcessName.Buffer);
if(pInfo->NextEntryDelta == 0)
break;
// 读取下一个节点
pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+pInfo->NextEntryDelta);
}
// 释放缓冲区
free(pBuffer);
return 0;
} 在VC++6.0编译通过
驱动中原理应该一样
能力值:
( LV12,RANK:420 )
9 楼
楼上的代码就更挫了,进线程稍微一多,他就失败了
不光失败了,还会把系统搞蓝屏
能力值:
( LV2,RANK:10 )
10 楼
这个问题MJ也指点过我,NtQuerySystemInformation在win2000下不会返回所需长度,即最后那个参数。需要设定初始大小,并根据返回值逐步累加大小,就是你的cbBuffer。
能力值:
( LV2,RANK:10 )
11 楼
能力值:
( LV4,RANK:50 )
12 楼
#include "ntddk.h"
#include <stdlib.h>
#define SystemProcessesAndThreadsInformation 5
//---------函数声明-------------
NTKERNELAPI
NTSTATUS ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
//------------------------------ //---------线程信息结构---------
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
//------------------------------
//---------进程信息结构---------
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
//------------------------------
//----------------DriverUnload------------------------------
VOID Unload(PDRIVER_OBJECT DriverObject)
{
DbgPrint("\nUnload Driver!\n");
}
//----------------------------------------------------------
//==================== DriverEntry =========================
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
NTSTATUS ntStatus;
char ProcessName[256];
ULONG cbBuffer = 0x8000;
PSYSTEM_PROCESS_INFORMATION pInfo;
VOID* pBuffer = NULL;
DbgPrint("\nDriverEntry!\n");
DriverObject->DriverUnload = Unload;
pBuffer = ExAllocatePool (NonPagedPool, cbBuffer);
if (pBuffer == NULL)
{
return 1;
}
// 获取进程信息
ntStatus = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);
// 指针指向链表头部
pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
// 输出结果
while(1){
LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
if (pszProcessName == NULL)
pszProcessName = L"NULL";
wcstombs(ProcessName,pszProcessName,256);
DbgPrint("%s\tPid=%d\n",ProcessName,pInfo->ProcessId);
if (pInfo->NextEntryDelta == 0)
break;
// 读取下一个节点
pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+ pInfo->NextEntryDelta);
}
// 释放缓冲区
ExFreePool(pBuffer);
return STATUS_SUCCESS;
}
//==========================================================
能力值:
( LV2,RANK:10 )
13 楼
谢谢你
能力值:
( LV6,RANK:90 )
14 楼
都说了阿,你写的这种不负责任的代码,不光会失败,还会蓝屏阿~
能力值:
( LV2,RANK:10 )
15 楼
不知道从那里可以说是不负责任的代码
能力值:
( LV2,RANK:10 )
16 楼
是ULONG cbBuffer = 0x8000;这里吗?进程过多就不够用了是吗?