方法1: ZwQuerySystemInformation
这个方法网上一搜一大堆,不举例了
方法2：暴力枚举 PID 来枚举进程，代码：
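/*
 * Driver entry point: registers the unload routine, then sweeps the PID
 * space once and logs every process that resolves (see SearchProcessPID).
 *
 * pDriverObj - driver object supplied by the I/O manager; only its
 *              DriverUnload field is written here.
 * pRegStr    - registry path of the driver's service key; unused.
 *
 * Returns STATUS_SUCCESS unconditionally: a PID that does not map to a
 * live process is simply skipped, so nothing here can fail.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
{
    UNREFERENCED_PARAMETER(pRegStr);

    pDriverObj->DriverUnload = MyUnload;
    DbgPrint("DriverEntry...\n");

    /* The step of 4 assumes process IDs are handle-table indices and so
     * always multiples of 4; 65535 is an arbitrary cap, PIDs above it are
     * never visited. The sweep is a point-in-time snapshot: processes that
     * start or exit while it runs may be missed. The per-PID status is
     * deliberately ignored because "no such process" is the common case. */
    for (ULONG pid = 0; pid < 65535; pid += 4)
    {
        SearchProcessPID(pid);
    }

    return STATUS_SUCCESS;
}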
- //暴力枚举PID,枚举进程
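/*
 * Look up one process by PID and log its image file name.
 *
 * pid - process ID to probe; IDs that do not map to a live process are
 *       skipped silently because the caller sweeps the whole PID space.
 *
 * Returns the NTSTATUS of PsLookupProcessByProcessId, so a caller can
 * tell a hit from "no such process".
 *
 * PsLookupProcessByProcessId hands back a referenced EPROCESS; that
 * reference is released with ObDereferenceObject before returning (the
 * original never released it, leaking one reference per hit).
 * PsGetProcessImageFileName returns a pointer owned by the process
 * object, not a copy, so no pool allocation is needed here; the original
 * ExAllocatePool result was overwritten immediately and leaked.
 */
NTSTATUS SearchProcessPID(ULONG pid)
{
    PEPROCESS process = NULL;
    /* Widen through ULONG_PTR so the HANDLE conversion is clean on x64. */
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process);

    if (!NT_SUCCESS(status))
    {
        return status;
    }

    /* Read and log the name while the reference still keeps the
     * EPROCESS alive. %lu matches ULONG on both x86 and x64. */
    PUCHAR processName = PsGetProcessImageFileName(process);
    DbgPrint("PID:%lu,processName:%s\n", pid, processName);

    /* Drop the reference taken by PsLookupProcessByProcessId. */
    ObDereferenceObject(process);

    return status;
}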
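/*
 * Driver entry point: registers the unload routine, then sweeps the PID
 * space once and logs every process that resolves (see SearchProcessPID).
 *
 * pDriverObj - driver object supplied by the I/O manager; only its
 *              DriverUnload field is written here.
 * pRegStr    - registry path of the driver's service key; unused.
 *
 * Returns STATUS_SUCCESS unconditionally: a PID that does not map to a
 * live process is simply skipped, so nothing here can fail.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegStr)
{
    UNREFERENCED_PARAMETER(pRegStr);

    pDriverObj->DriverUnload = MyUnload;
    DbgPrint("DriverEntry...\n");

    /* The step of 4 assumes process IDs are handle-table indices and so
     * always multiples of 4; 65535 is an arbitrary cap, PIDs above it are
     * never visited. The sweep is a point-in-time snapshot: processes that
     * start or exit while it runs may be missed. The per-PID status is
     * deliberately ignored because "no such process" is the common case. */
    for (ULONG pid = 0; pid < 65535; pid += 4)
    {
        SearchProcessPID(pid);
    }

    return STATUS_SUCCESS;
}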
//暴力枚举PID,枚举进程
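/*
 * Look up one process by PID and log its image file name.
 *
 * pid - process ID to probe; IDs that do not map to a live process are
 *       skipped silently because the caller sweeps the whole PID space.
 *
 * Returns the NTSTATUS of PsLookupProcessByProcessId, so a caller can
 * tell a hit from "no such process".
 *
 * PsLookupProcessByProcessId hands back a referenced EPROCESS; that
 * reference is released with ObDereferenceObject before returning (the
 * original never released it, leaking one reference per hit).
 * PsGetProcessImageFileName returns a pointer owned by the process
 * object, not a copy, so no pool allocation is needed here; the original
 * ExAllocatePool result was overwritten immediately and leaked.
 */
NTSTATUS SearchProcessPID(ULONG pid)
{
    PEPROCESS process = NULL;
    /* Widen through ULONG_PTR so the HANDLE conversion is clean on x64. */
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &process);

    if (!NT_SUCCESS(status))
    {
        return status;
    }

    /* Read and log the name while the reference still keeps the
     * EPROCESS alive. %lu matches ULONG on both x86 and x64. */
    PUCHAR processName = PsGetProcessImageFileName(process);
    DbgPrint("PID:%lu,processName:%s\n", pid, processName);

    /* Drop the reference taken by PsLookupProcessByProcessId. */
    ObDereferenceObject(process);

    return status;
}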
方法3和方法1原理相同，通过枚举 EPROCESS 结构体的 ActiveProcessLinks 链表实现，代码如下：
- //通过EPROCESS枚举进程
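/*
 * Walk the active-process ring starting at the current process and log
 * every EPROCESS on it, stopping when the walk returns to the start.
 *
 * Returns STATUS_SUCCESS; the walk has no failure path of its own.
 *
 * ACTIVE_PROCESS_LINK (defined elsewhere in the driver) is the byte
 * offset of ActiveProcessLinks inside EPROCESS. That offset changes
 * between Windows builds, so this routine is only correct on the build
 * it was written against. Pointer arithmetic goes through ULONG_PTR
 * rather than ULONG so a 64-bit EPROCESS address is not truncated.
 *
 * NOTE(review): the list is traversed without any lock, so a process
 * exiting mid-walk can leave the cursor dangling, and the ring's list
 * head is itself a node that is not an EPROCESS, so one entry per lap is
 * expected to print a bogus PID/name -- confirm on the target build.
 */
NTSTATUS SearchProcessEPROCESS(void)
{
    PEPROCESS firstProcess = PsGetCurrentProcess();
    PEPROCESS process = firstProcess;

    do
    {
        PUCHAR processName = PsGetProcessImageFileName(process);

        /* PsGetProcessId returns a HANDLE; narrow it explicitly so the
         * %lu specifier matches a ULONG on both x86 and x64. */
        DbgPrint("PID:%lu,ProcessName:%s\n",
                 (ULONG)(ULONG_PTR)PsGetProcessId(process), processName);

        /* The link entry sits ACTIVE_PROCESS_LINK bytes into the EPROCESS;
         * its Flink points at the next process's link entry, so subtract
         * the same offset to recover the next EPROCESS. */
        PLIST_ENTRY links = (PLIST_ENTRY)((ULONG_PTR)process + ACTIVE_PROCESS_LINK);
        process = (PEPROCESS)((ULONG_PTR)links->Flink - ACTIVE_PROCESS_LINK);
    } while (process != NULL && process != firstProcess);

    return STATUS_SUCCESS;
}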
//通过EPROCESS枚举进程
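/*
 * Walk the active-process ring starting at the current process and log
 * every EPROCESS on it, stopping when the walk returns to the start.
 *
 * Returns STATUS_SUCCESS; the walk has no failure path of its own.
 *
 * ACTIVE_PROCESS_LINK (defined elsewhere in the driver) is the byte
 * offset of ActiveProcessLinks inside EPROCESS. That offset changes
 * between Windows builds, so this routine is only correct on the build
 * it was written against. Pointer arithmetic goes through ULONG_PTR
 * rather than ULONG so a 64-bit EPROCESS address is not truncated.
 *
 * NOTE(review): the list is traversed without any lock, so a process
 * exiting mid-walk can leave the cursor dangling, and the ring's list
 * head is itself a node that is not an EPROCESS, so one entry per lap is
 * expected to print a bogus PID/name -- confirm on the target build.
 */
NTSTATUS SearchProcessEPROCESS(void)
{
    PEPROCESS firstProcess = PsGetCurrentProcess();
    PEPROCESS process = firstProcess;

    do
    {
        PUCHAR processName = PsGetProcessImageFileName(process);

        /* PsGetProcessId returns a HANDLE; narrow it explicitly so the
         * %lu specifier matches a ULONG on both x86 and x64. */
        DbgPrint("PID:%lu,ProcessName:%s\n",
                 (ULONG)(ULONG_PTR)PsGetProcessId(process), processName);

        /* The link entry sits ACTIVE_PROCESS_LINK bytes into the EPROCESS;
         * its Flink points at the next process's link entry, so subtract
         * the same offset to recover the next EPROCESS. */
        PLIST_ENTRY links = (PLIST_ENTRY)((ULONG_PTR)process + ACTIVE_PROCESS_LINK);
        process = (PEPROCESS)((ULONG_PTR)links->Flink - ACTIVE_PROCESS_LINK);
    } while (process != NULL && process != firstProcess);

    return STATUS_SUCCESS;
}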
jpg 改 rar