在 Ring0 中列举进程

/* 在 Ring0 中列举进程
by exchen
2009-10-10
*/
#include "ntddk.h"

typedef enum _SYSTEM_INFORMATION_CLASS { 
	SystemBasicInformation,                 // 0 
	SystemProcessorInformation,             // 1 
	SystemPerformanceInformation,             // 2
	SystemTimeOfDayInformation,             // 3
	SystemNotImplemented1,                 // 4
	SystemProcessesAndThreadsInformation,         // 5
	SystemCallCounts,                     // 6
	SystemConfigurationInformation,             // 7
	SystemProcessorTimes,                 // 8
	SystemGlobalFlag,                     // 9
	SystemNotImplemented2,                 // 10
	SystemModuleInformation,                 // 11
	SystemLockInformation,                 // 12
	SystemNotImplemented3,                 // 13
	SystemNotImplemented4,                 // 14
	SystemNotImplemented5,                 // 15
	SystemHandleInformation,                 // 16
	SystemObjectInformation,                 // 17
	SystemPagefileInformation,                 // 18
	SystemInstructionEmulationCounts,             // 19
	SystemInvalidInfoClass1,                 // 20
	SystemCacheInformation,                 // 21
	SystemPoolTagInformation,                 // 22
	SystemProcessorStatistics,                 // 23
	SystemDpcInformation,                 // 24
	SystemNotImplemented6,                 // 25
	SystemLoadImage,                     // 26
	SystemUnloadImage,                 // 27
	SystemTimeAdjustment,                 // 28
	SystemNotImplemented7,                 // 29
	SystemNotImplemented8,                 // 30
	SystemNotImplemented9,                 // 31
	SystemCrashDumpInformation,             // 32
	SystemExceptionInformation,             // 33
	SystemCrashDumpStateInformation,             // 34
	SystemKernelDebuggerInformation,             // 35
	SystemContextSwitchInformation,             // 36
	SystemRegistryQuotaInformation,             // 37
	SystemLoadAndCallImage,                 // 38
	SystemPrioritySeparation,                 // 39
	SystemNotImplemented10,                 // 40
	SystemNotImplemented11,                 // 41
	SystemInvalidInfoClass2,                 // 42
	SystemInvalidInfoClass3,                 // 43
	SystemTimeZoneInformation,                 // 44
	SystemLookasideInformation,             // 45
	SystemSetTimeSlipEvent,                 // 46
	SystemCreateSession,                 // 47
	SystemDeleteSession,                 // 48
	SystemInvalidInfoClass4,                 // 49
	SystemRangeStartInformation,             // 50
	SystemVerifierInformation,                 // 51
	SystemAddVerifier,                 // 52
	SystemSessionProcessesInformation             // 53
} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_THREAD_INFORMATION {
	LARGE_INTEGER KernelTime;
	LARGE_INTEGER UserTime;
	LARGE_INTEGER CreateTime;
	ULONG WaitTime;
	PVOID StartAddress;
	CLIENT_ID ClientId;
	KPRIORITY Priority;
	KPRIORITY BasePriority;
	ULONG ContextSwitchCount;
	LONG State;
	LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;

typedef struct _SYSTEM_PROCESS_INFORMATION {
	ULONG NextEntryDelta;
	ULONG ThreadCount;
	ULONG Reserved1[6];
	LARGE_INTEGER CreateTime;
	LARGE_INTEGER UserTime;
	LARGE_INTEGER KernelTime;
	UNICODE_STRING ProcessName;
	KPRIORITY BasePriority;
	ULONG ProcessId;
	ULONG InheritedFromProcessId;
	ULONG HandleCount;
	ULONG Reserved2[2];
	VM_COUNTERS VmCounters;
	IO_COUNTERS IoCounters;
	SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);

NTSTATUS Ring0EnumProcess()
{
	ULONG cbBuffer = 0x8000; // 初始化缓冲大小 32kb
	PVOID pBuffer = NULL;
	NTSTATUS Status;
	PSYSTEM_PROCESS_INFORMATION pInfo;
	do
	{
		pBuffer = ExAllocatePool (NonPagedPool, cbBuffer); //分配内存缓冲区
		if (pBuffer == NULL) // 如果内存分配失败
		return 1;
		Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);
		if (Status == STATUS_INFO_LENGTH_MISMATCH) //如果缓冲区太小
		{
			ExFreePool(pBuffer); // 释放缓冲区
			cbBuffer *= 2; // 增加缓冲区到原来的两倍大小 
		}
		else if (!NT_SUCCESS(Status)) // 如果执行失败
		{
			ExFreePool(pBuffer); // 释放分配的内存
			return 1; //返回1并拖出
		}
	}
	while (Status == STATUS_INFO_LENGTH_MISMATCH);

	pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;

	for (;;) 
	{
		LPWSTR pszProcessName = pInfo->ProcessName.Buffer; 
		if (pszProcessName == NULL) 
		pszProcessName = L"NULL"; // 如果获取文件名失败

		DbgPrint("pid %d 进程名: %S\n",pInfo->ProcessId,pInfo->ProcessName.Buffer);

		if (pInfo->NextEntryDelta == 0) 
		break; 

		pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+ pInfo->NextEntryDelta); 
	}
	ExFreePool(pBuffer);
	return 0; 
}

VOID Unload(IN PDRIVER_OBJECT DriverObject)
{

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) 
{ 
	DriverObject->DriverUnload = Unload;
	Ring0EnumProcess();
	return STATUS_SUCCESS; 
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

/* 在 Ring0 中列举进程

by exchen

2009-10-10

#include "ntddk.h"

typedef enum _SYSTEM_INFORMATION_CLASS {

SystemBasicInformation, // 0

SystemProcessorInformation, // 1

SystemPerformanceInformation, // 2

SystemTimeOfDayInformation, // 3

SystemNotImplemented1, // 4

SystemProcessesAndThreadsInformation, // 5

SystemCallCounts, // 6

SystemConfigurationInformation, // 7

SystemProcessorTimes, // 8

SystemGlobalFlag, // 9

SystemNotImplemented2, // 10

SystemModuleInformation, // 11

SystemLockInformation, // 12

SystemNotImplemented3, // 13

SystemNotImplemented4, // 14

SystemNotImplemented5, // 15

SystemHandleInformation, // 16

SystemObjectInformation, // 17

SystemPagefileInformation, // 18

SystemInstructionEmulationCounts, // 19

SystemInvalidInfoClass1, // 20

SystemCacheInformation, // 21

SystemPoolTagInformation, // 22

SystemProcessorStatistics, // 23

SystemDpcInformation, // 24

SystemNotImplemented6, // 25

SystemLoadImage, // 26

SystemUnloadImage, // 27

SystemTimeAdjustment, // 28

SystemNotImplemented7, // 29

SystemNotImplemented8, // 30

SystemNotImplemented9, // 31

SystemCrashDumpInformation, // 32

SystemExceptionInformation, // 33

SystemCrashDumpStateInformation, // 34

SystemKernelDebuggerInformation, // 35

SystemContextSwitchInformation, // 36

SystemRegistryQuotaInformation, // 37

SystemLoadAndCallImage, // 38

SystemPrioritySeparation, // 39

SystemNotImplemented10, // 40

SystemNotImplemented11, // 41

SystemInvalidInfoClass2, // 42

SystemInvalidInfoClass3, // 43

SystemTimeZoneInformation, // 44

SystemLookasideInformation, // 45

SystemSetTimeSlipEvent, // 46

SystemCreateSession, // 47

SystemDeleteSession, // 48

SystemInvalidInfoClass4, // 49

SystemRangeStartInformation, // 50

SystemVerifierInformation, // 51

SystemAddVerifier, // 52

SystemSessionProcessesInformation // 53

} SYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_THREAD_INFORMATION {

LARGE_INTEGER KernelTime;

LARGE_INTEGER UserTime;

LARGE_INTEGER CreateTime;

ULONG WaitTime;

PVOID StartAddress;

CLIENT_ID ClientId;

KPRIORITY Priority;

KPRIORITY BasePriority;

ULONG ContextSwitchCount;

LONG State;

LONG WaitReason;

} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;

typedef struct _SYSTEM_PROCESS_INFORMATION {

ULONG NextEntryDelta;

ULONG ThreadCount;

ULONG Reserved1[6];

LARGE_INTEGER CreateTime;

LARGE_INTEGER UserTime;

LARGE_INTEGER KernelTime;

UNICODE_STRING ProcessName;

KPRIORITY BasePriority;

ULONG ProcessId;

ULONG InheritedFromProcessId;

ULONG HandleCount;

ULONG Reserved2[2];

VM_COUNTERS VmCounters;

IO_COUNTERS IoCounters;

SYSTEM_THREAD_INFORMATION Threads[1];

} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass,

OUT PVOID SystemInformation,

IN ULONG SystemInformationLength,

OUT PULONG ReturnLength OPTIONAL

);

NTSTATUS Ring0EnumProcess()

{

ULONG cbBuffer = 0x8000; // 初始化缓冲大小 32kb

PVOID pBuffer = NULL;

NTSTATUS Status;

PSYSTEM_PROCESS_INFORMATION pInfo;

{

pBuffer = ExAllocatePool (NonPagedPool, cbBuffer); //分配内存缓冲区

if (pBuffer == NULL) // 如果内存分配失败

return 1;

Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL);

if (Status == STATUS_INFO_LENGTH_MISMATCH) //如果缓冲区太小

{

ExFreePool(pBuffer); // 释放缓冲区

cbBuffer *= 2; // 增加缓冲区到原来的两倍大小

}

else if (!NT_SUCCESS(Status)) // 如果执行失败

{

ExFreePool(pBuffer); // 释放分配的内存

return 1; //返回1并拖出

}

while (Status == STATUS_INFO_LENGTH_MISMATCH);

pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;

for (;;)

{

LPWSTR pszProcessName = pInfo->ProcessName.Buffer;

if (pszProcessName == NULL)

pszProcessName = L"NULL"; // 如果获取文件名失败

DbgPrint("pid %d 进程名: %S\n",pInfo->ProcessId,pInfo->ProcessName.Buffer);

if (pInfo->NextEntryDelta == 0)

break;

pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)+ pInfo->NextEntryDelta);

}

ExFreePool(pBuffer);

return 0;

}

VOID Unload(IN PDRIVER_OBJECT DriverObject)

{

}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)

{

DriverObject->DriverUnload = Unload;

Ring0EnumProcess();

return STATUS_SUCCESS;

}

转载请注明：exchen's blog » 在 Ring0 中列举进程

在 Ring0 中列举进程

与本文相关的文章

Hi，您需要填写昵称和邮箱！