    // 
    for( i = 0; i < 3*PAGE_SIZE; i++ ) { 

		if( !strncmp( SYSNAME, (PCHAR) curproc + i, strlen(SYSNAME) )) { 

			DbgPrint("%d\n", i);
			return i; 
		} 
	} 
	// 
	// Name not found - oh, well 
	// 
	DbgPrint("0\n");
	return 0; 
} 

//---------------------------------------------------------------------- 
// 
// GetProcess 
// 
// Uses undocumented data structure offsets to obtain the name of the 
// currently executing process. 
// 
//---------------------------------------------------------------------- 
//
// GetProcess
//
// Copies the image name of the currently executing process into Name.
//
// Name: caller-supplied buffer. strncpy always writes exactly 16 bytes
//       into it (copy + zero padding), so it must hold at least 16 bytes.
//       If the 16-byte name field in EPROCESS carries no terminator, Name
//       is left unterminated - callers that print it should terminate it
//       themselves or bound the read.
//
// Returns TRUE when a name was copied, FALSE when ProcessNameOffset is
// still zero (the offset search has not succeeded); Name then holds "???".
//
// ProcessNameOffset is a file-level value, presumably filled in by the
// offset-search routine above this one - confirm.
//
BOOLEAN GetProcess( PCHAR Name ) 
{ 
	PEPROCESS self; 
	const char *image; 

	// 
	// No offset, no name: hand back the placeholder and report failure. 
	// 
	if( !ProcessNameOffset ) { 
		strcpy( Name, "???"); 
		return FALSE; 
	} 

	// 
	// The name lives at a fixed (undocumented) offset inside EPROCESS. 
	// 
	self = PsGetCurrentProcess(); 
	image = (const char *) self + ProcessNameOffset; 
	strncpy( Name, image, 16 ); 
	return TRUE; 
}


////////////////////////////////////////////////////////////////////////
// EnumProcess2
#define BASE_PROCESS_PEB_OFFSET					0x01B0
#define BASE_PEB_PROCESS_PARAMETER_OFFSET		0x0010
#define BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME	0x003C
#define W2003_BASE_PROCESS_PEB_OFFSET			0x0190
#define W2003_BASE_PROCESS_PEB_OFFSET_SP1		0x01A0
#define VISTA_BASE_PROCESS_PEB_OFFSET			0x0188
 

//----------------------------------------------------------------------
//
// EnumProcess2
//
// Brute-force process scan: walks kernel address space from 0x80000000
// up to uSystemAddress (taken from the file-level pSystem, presumably the
// System process's EPROCESS - confirm) in 4-byte steps. Each candidate
// with a non-zero PID field that passes IsaRealProcess() is followed
// EPROCESS -> PEB -> ProcessParameters -> ImagePathName and the image path
// is written with DbgPrint. Because the scan does not walk the kernel's
// process list, it can presumably surface processes unlinked from it.
//
// Does nothing unless called at PASSIVE_LEVEL.
//
// NOTE(review): all address arithmetic is 32-bit (DWORD cursor, 0x80000000
// kernel base, a DWORD handed to "%ws") - x86-only code.
// NOTE(review): the PID field at i+offset is dereferenced before
// IsaRealProcess(i) has vetted the address; the loop relies on try/except
// to survive bad reads. SEH does not cover every invalid kernel-mode
// access, so an address-validity check before the first read would be the
// defensive choice - confirm what IsaRealProcess already does.
// NOTE(review): the PEB and process-parameter pointers are user-mode
// addresses of the candidate process, but they are read from the current
// process context without attaching to the target - confirm intended.
//----------------------------------------------------------------------
void EnumProcess2()
{
   ULONG OsMajorVersion;
   ULONG OsMinorVersion ;
   DWORD dwAddress;
   PCWSTR Temp=NULL;
   ULONG uSystemAddress = (ULONG) pSystem;   // upper bound of the scan (file-level pSystem)
   DWORD i;                                  // scan cursor, also re-seeded at the bottom of the loop

   // Bail out unless at PASSIVE_LEVEL - the scan may touch pageable memory.
   if (KeGetCurrentIrql() != PASSIVE_LEVEL) {
		return  ;
   }
 
   // Major/minor version select the per-platform PEB offset below.
   PsGetVersion( &OsMajorVersion,
	   &OsMinorVersion,
	   NULL,
	   NULL );

   for(i = 0x80000000; i < uSystemAddress; i += 4) {// the System process's EPROCESS address is taken as the upper bound of the scan

	   try {

		   ULONG PID = 0;

		   // Skip candidates whose PID field is zero. GetPlantformDependentInfo()
		   // is re-evaluated every iteration (hoistable) and returns 0 for builds
		   // it does not know - on Vista this therefore compares the candidate's
		   // first DWORD, not its PID.
		   if ( *(DWORD*)(i+GetPlantformDependentInfo(PROCESS_ID_OFFSET)) == PID)
			   continue;

		   if (!IsaRealProcess(i))
			   continue;

		   dwAddress = i;
 
		   // These two guards abort the whole scan (return), not just this
		   // candidate; with i starting at 0x80000000 they can only trip after
		   // i was re-seeded below.
		   if(dwAddress == 0 || dwAddress == 0xFFFFFFFF) {
			  return  ;
		   }

		   // Currently only Win 2000/XP/2003/Vista are supported.
		   // (The check does not depend on i and could sit before the loop.)
		   if (OsMajorVersion < 5 || OsMinorVersion > 2 ) {
			   return  ;
		   }

		   // Fetch the PEB pointer; its offset inside EPROCESS differs per platform.
		   //
		   // 2000   0X0500         XP 0X0501
		   //
		   if( OsMajorVersion == 5 && OsMinorVersion < 2) {
   
			   dwAddress += BASE_PROCESS_PEB_OFFSET;
		   }
		   //
		   // 2003   0X0502 
		   //
		   if (OsMajorVersion == 5 && OsMinorVersion ==2) {
 			   dwAddress += W2003_BASE_PROCESS_PEB_OFFSET;
		   }
		   //
		   // VISTA   0X0600 
		   //
		   if (OsMajorVersion == 6 && OsMinorVersion ==0) {
 			   dwAddress += VISTA_BASE_PROCESS_PEB_OFFSET;
		   }

		   // A NULL PEB pointer (no user-mode part to walk) is skipped.
		   if ((dwAddress = *(DWORD*)dwAddress) == 0) {
			   continue;
		   }

		   //
		   // Get RTL_USER_PROCESS_PARAMETERS through the PEB.
		   //
		   dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET;
		   if((dwAddress = *(DWORD*)dwAddress) == 0) {
			   continue;
		   }
		   //
		   // RTL_USER_PROCESS_PARAMETERS->ImagePathName holds the path at offset 0x38;
		   // the DWORD read at +0x3C is treated as the pointer to its wide-char buffer
		   // (presumably the UNICODE_STRING.Buffer field - confirm).
		   //
		   dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME;
		   if ((dwAddress = *(DWORD*)dwAddress) == 0) {
			   continue;
		   }
	   // [10/14/2006]
		   Temp=(PCWSTR)dwAddress;
		   if (wcslen(Temp)>4) {
				// Strip a 4-wchar "\??\" or "\\?\" prefix (8 bytes) before printing.
				if (Temp[0]==L'\\'&&
				   Temp[1]==L'?'&&
				   Temp[2]==L'?'&&
				   Temp[3]==L'\\') {
				   dwAddress+=8;
			   }
			   if (Temp[0]==L'\\'&&
				   Temp[1]==L'\\'&&
				   Temp[2]==L'?'&&
				   Temp[3]==L'\\') {
				   dwAddress+=8;
			   }
			   // NOTE(review): a DWORD is passed where %ws expects a pointer - 32-bit only.
			   DbgPrint("%ws\n", dwAddress);
			   // NOTE(review): re-seeds the scan cursor with the path string's address,
			   // which is not a kernel EPROCESS address; presumably meant to skip past
			   // this process object - verify.
			   i = dwAddress;
		   }
	   }
	   except (EXCEPTION_EXECUTE_HANDLER) {
			// Fallback after a fault in the body, Server 2003 only: retries with the
			// SP1 PEB offset, but against the *current* process (PsGetCurrentProcess),
			// not the candidate at i - so it prints the caller's own image path.
			// Confirm this is intended.
			try {
				if(OsMajorVersion == 5 && OsMinorVersion ==2) {
					dwAddress = (DWORD)PsGetCurrentProcess();
					dwAddress += W2003_BASE_PROCESS_PEB_OFFSET_SP1;
					if((dwAddress = *(DWORD*)dwAddress) == 0) {
					   continue;
					}

					//
					// Get RTL_USER_PROCESS_PARAMETERS through the PEB.
					//
					dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET;
					if((dwAddress = *(DWORD*)dwAddress) == 0) {
					   continue;
					}
					//
					// RTL_USER_PROCESS_PARAMETERS->ImagePathName holds the path at offset 0x38;
					// the DWORD read at +0x3C is treated as the pointer to its wide-char buffer.
					//
					dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME;
					if((dwAddress = *(DWORD*)dwAddress) == 0) {
					   continue;
					}
					// [10/14/2006]
					Temp=(PCWSTR)dwAddress;
					if (wcslen(Temp)>4) {
						// Strip a 4-wchar "\??\" or "\\?\" prefix (8 bytes) before printing.
						if (Temp[0]==L'\\'&&
						   Temp[1]==L'?'&&
						   Temp[2]==L'?'&&
						   Temp[3]==L'\\') {
						   dwAddress+=8;
					   }
					   if (Temp[0]==L'\\'&&
						   Temp[1]==L'\\'&&
						   Temp[2]==L'?'&&
						   Temp[3]==L'\\') {
						   dwAddress+=8;
					   }
					}
					// Unlike the main path, this prints even when the name is 4 wchars or shorter.
					DbgPrint("%ws\n", dwAddress);
					// NOTE(review): same cursor re-seed as in the main path - verify.
					i = dwAddress;
				}
			}
			except (EXCEPTION_EXECUTE_HANDLER) {
				// A second fault is swallowed silently; the scan moves on to the next address.
			}			  
	   }
   }
}

//----------------------------------------------------------------------
//
// GetPlantformDependentInfo
//
// Returns the EPROCESS field offset (or the EPROCESS size) selected by
// eprocessflag for the running kernel build, as reported by PsGetVersion.
// Known builds: 2195 (Windows 2000), 2600 (XP), 3790 (Server 2003).
// Any other build, or an unknown flag, yields 0. EnumProcess2 adds the
// result to a candidate address without checking for 0, so on Vista
// (accepted by its major/minor check but absent here) its PID test ends
// up comparing the candidate's first DWORD instead of the PID field.
//
// NOTE(review): every Windows 2000 row except EPROCESS_SIZE is 0x09c,
// which looks like a copy-paste placeholder; verify against the
// Windows 2000 EPROCESS layout before relying on those values.
//----------------------------------------------------------------------
DWORD	GetPlantformDependentInfo(DWORD	eprocessflag)
{
	// Column index into the per-build tables below.
	enum { COL_W2000 = 0, COL_WXP = 1, COL_W2003 = 2, COL_COUNT = 3 };

	// One row per flag; columns are build 2195, 2600, 3790 in that order.
	static const DWORD tbl_eprocess_size[COL_COUNT] = { 0x1FC, 0x25C, 0x270 };
	static const DWORD tbl_peb_offset[COL_COUNT]    = { 0x09c, 0x1b0, 0x1a0 };
	static const DWORD tbl_file_name[COL_COUNT]     = { 0x09c, 0x174, 0x164 };
	static const DWORD tbl_process_link[COL_COUNT]  = { 0x09c, 0x088, 0x098 };
	static const DWORD tbl_process_id[COL_COUNT]    = { 0x09c, 0x084, 0x094 };
	static const DWORD tbl_exit_time[COL_COUNT]     = { 0x09c, 0x078, 0x088 };

	DWORD current_build = 0;
	int column;

	PsGetVersion(NULL, NULL, &current_build, NULL);

	// Map the build number onto a table column; anything else is unsupported.
	switch (current_build) {
		case 2195: column = COL_W2000; break;   // 2000
		case 2600: column = COL_WXP;   break;   // XP
		case 3790: column = COL_W2003; break;   // 2003
		default:   return 0;                    // unknown build (Vista included)
	}

	switch (eprocessflag) {
		case EPROCESS_SIZE:       return tbl_eprocess_size[column];
		case PEB_OFFSET:          return tbl_peb_offset[column];
		case FILE_NAME_OFFSET:    return tbl_file_name[column];
		case PROCESS_LINK_OFFSET: return tbl_process_link[column];
		case PROCESS_ID_OFFSET:   return tbl_process_id[column];
		case EXIT_TIME_OFFSET:    return tbl_exit_time[column];
		default:                  return 0;     // unknown flag
	}
}
