?? listprocess.c
字號:
//Author :n0bele
//Homepage: www.antiprotect.com
#include <ntddk.h>
#include <windef.h>
#include "ListProc.h"
WCHAR gDeviceName[]=L"\\Device\\proclistdrv";
WCHAR gDosDeviceName[]=L"\\??\\proclistdrv";
//_OBJECT_HEADER結構以及基于該結構實現從對象(體)指針獲得對象(頭)指針的宏
typedef struct _OBJECT_HEADER {
union {
struct {
LONG PointerCount;
LONG HandleCount;
};
LIST_ENTRY Entry;
};
POBJECT_TYPE Type;
UCHAR NameInfoOffset;
UCHAR HandleInfoOffset;
UCHAR QuotaInfoOffset;
UCHAR Flags;
union {
//POBJECT_CREATE_INFORMATION ObjectCreateInfo;
PVOID QuotaBlockCharged;
};
PSECURITY_DESCRIPTOR SecurityDescriptor;
QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;
#define OBJECT_TO_OBJECT_HEADER(obj) CONTAINING_RECORD( (obj), OBJECT_HEADER, Body )
//系統偏移量(因系統而異,可使用Windbg查詢)
#define TYPE 0X08 //_OBJECT_HEADER中的偏移
#define NEXTFREETABLEENTRY 0X04 //_HANDLE_TABLE_ENTRY中的偏移
#define OFFSET_EPROCESS_IMAGENAME 0x0
#define OFFSET_EPROCESS_PID 0x1
#define OFFSET_EPROCESS_FLAGS 0x2
ProcessInfo *head,*p;
//聲明函數
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath);
// 啟用應用層訪問支持
NTSTATUS
ProcCreateClose (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
// 接受來自應用層的控制
NTSTATUS
ProcDeviceControl (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
VOID Unload(IN PDRIVER_OBJECT DriverObject);
ULONG GetCidAddr();
ULONG GetProcessType();
VOID IsValidProcess();
VOID RecordInfo(ULONG i);
DWORD GetPlantformDependentInfo(DWORD eprocessflag);
//DriverEntry函數定義
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
UNICODE_STRING DeviceName;
UNICODE_STRING DosDeviceName;
NTSTATUS Status;
PDEVICE_OBJECT pDeviceObject=NULL;
DriverObject->DriverUnload=Unload;
DriverObject->MajorFunction[IRP_MJ_CREATE] = ProcCreateClose;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = ProcCreateClose;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ProcDeviceControl;
RtlInitUnicodeString(&DeviceName,gDeviceName);
RtlInitUnicodeString(&DosDeviceName,gDosDeviceName);
IoCreateDevice(DriverObject,0,&DeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&pDeviceObject);
pDeviceObject->Flags|=DO_BUFFERED_IO;
Status = IoCreateSymbolicLink(&DosDeviceName,&DeviceName);
if(Status)
DbgPrint("IoCreateSymbolicLink Return %0x\n",Status);
IsValidProcess();
return TRUE;
}
//Unload函數定義
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("unload!");
}
//通過搜索PsLookupProcessByProcessId函數,獲取PspCidTable的地址
ULONG GetCidAddr()
{
PUCHAR addr;
PUCHAR p;
UNICODE_STRING pslookup;
ULONG cid;
RtlInitUnicodeString (&pslookup,
L"PsLookupProcessByProcessId");
addr = (PUCHAR) MmGetSystemRoutineAddress(&pslookup);//MmGetSystemRoutineAddress可以通過函數名獲得函數地址
for (p=addr;p<addr+PAGE_SIZE;p++)
{
if((*(PUSHORT)p==0x35ff)&&(*(p+6)==0xe8))
{
cid=*(PULONG)(p+2);
return cid;
break;
}
}
return 0;
}
//通過當前進程獲取進程對象的類型指針
ULONG GetProcessType()
{
ULONG eproc;
ULONG type;
ULONG total;
eproc=(ULONG)PsGetCurrentProcess();//PsGetCurrentProcess獲取當前活動進程的地址,實際上就是對象(體)指針
eproc=(ULONG)OBJECT_TO_OBJECT_HEADER(eproc);
type=*(PULONG)(eproc+TYPE);
return type;
}
//判斷是否是進程對象,是則記錄,不是則放棄
VOID IsValidProcess()
{
ULONG PspCidTable;
ULONG TableCode;
ULONG table1,table2;
ULONG object,objectheader;
ULONG NextFreeTableEntry;
ULONG processtype,type;
ULONG flags;
ULONG i;
PspCidTable=GetCidAddr();
processtype=GetProcessType();
if(PspCidTable==0)
{
return ;
}
else
{
//TableCode的最后兩位在XP中決定了句柄表的層數
TableCode=*(PULONG)(*(PULONG)PspCidTable);
if((TableCode&0x3)==0x0)
{
table1=TableCode;
table2=0x0;
}
if((TableCode&0x3)==0x1)
{
TableCode=TableCode&0xfffffffc;
table1=*(PULONG)TableCode;
table2=*(PULONG)(TableCode+0x4);
}
//對cid從0x0到0x4e1c進行遍歷
for(i=0x0;i<0x4e1c;i++)
{
if(i<=0x800)
{
if(MmIsAddressValid((PULONG)(table1+i*2)))
{
object=*(PULONG)(table1+i*2);
if(MmIsAddressValid((PULONG)(table1+i*2+NEXTFREETABLEENTRY)))
{
NextFreeTableEntry=*(PULONG)(table1+i*2+NEXTFREETABLEENTRY);
if(NextFreeTableEntry==0x0)//正常的_HANDLE_TABLE_ENTRY中NextFreeTableEntry為0x0
{
object=((object | 0x80000000)& 0xfffffff8);//轉換為對象(體)指針
objectheader=(ULONG)OBJECT_TO_OBJECT_HEADER(object);//獲取對象(頭)指針
if(MmIsAddressValid((PULONG)(objectheader+TYPE)))
{
type=*(PULONG)(objectheader+TYPE);
if(type==processtype)
{
flags=*(PULONG)((ULONG)object+GetPlantformDependentInfo(OFFSET_EPROCESS_FLAGS));
if((flags&0xc)!=0xc)
RecordInfo(object);//flags顯示進程沒有退出
}
}
}
}
}
}
else
{
if(table2!=0)
{
if(MmIsAddressValid((PULONG)(table2+(i-0x800)*2)))
{
object=*(PULONG)(table2+(i-0x800)*2);
if(MmIsAddressValid((PULONG)((table2+(i-0x800)*2)+NEXTFREETABLEENTRY)))
{
NextFreeTableEntry=*(PULONG)((table2+(i-0x800)*2)+NEXTFREETABLEENTRY);
if(NextFreeTableEntry==0x0)
{
object=((object | 0x80000000)& 0xfffffff8);
objectheader=(ULONG)OBJECT_TO_OBJECT_HEADER(object);
if(MmIsAddressValid((PULONG)(objectheader+TYPE)))
{
type=*(PULONG)(objectheader+TYPE);
if(type==processtype)
{
flags=*(PULONG)((ULONG)object+GetPlantformDependentInfo(OFFSET_EPROCESS_FLAGS));
if((flags&0xc)!=0xc)
RecordInfo(object);
}
}
}
}
}
}
}
}
}
}
//使用單向鏈表記錄進程信息
VOID RecordInfo(ULONG i)
{
ProcessInfo *r;
if(head==NULL)
{
if((head=(ProcessInfo *)ExAllocatePool(NonPagedPool,sizeof(ProcessInfo)))==NULL)
{
return;
}
head->addr=0x0;
}
if (head->addr==0x0)
{
head->addr=i;
p=head;
}
else
{
if((r=(ProcessInfo *)ExAllocatePool(NonPagedPool,sizeof(ProcessInfo)))==NULL)
{
return;
}
p->next=r;
r->addr=i;
r->next=NULL;
p=r;
}
}
///////////////////////////////////////////////////////////////////////////////
// ProcCreateClose
// 接受應用層調用
//
NTSTATUS
ProcCreateClose(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
DbgPrint(" Create or Close ok...\n");
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
///////////////////////////////////////////////////////////////////////////////
// ProcDeviceControl
// 應用程序控制位置
//
NTSTATUS
ProcDeviceControl (
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION io_stack;
NTSTATUS status;
io_stack = IoGetCurrentIrpStackLocation(Irp);
if (io_stack->MajorFunction==IRP_MJ_DEVICE_CONTROL)
{
switch (io_stack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_GETPROC_LIST:
{
ProcessInfo* pi = (ProcessInfo*) Irp->AssociatedIrp.SystemBuffer;
ProcessInfo* q;
int j = 0;
//獲取進程的ID和進程名
for (p=head;p;p=p->next)
{
p->pid=*(int *)(p->addr+GetPlantformDependentInfo(OFFSET_EPROCESS_PID));
strcpy(p->name,(UCHAR *)(p->addr+GetPlantformDependentInfo(OFFSET_EPROCESS_IMAGENAME)));
}
for(p=head;p;p=p->next)
{
ProcessInfo* pnext;
pi->addr = p->addr;
RtlCopyMemory(pi->name, p->name, 16);
pi->pid = p->pid;
if(p->next)
pnext = (++pi);
else
pnext = NULL;
pi->next = pnext;
pi = pnext;
}
//釋放鏈表
p=head;
q=p->next;
while(q!=NULL)
{
ExFreePool(p);
p=q;
q=p->next;
}
ExFreePool(p);
}
return STATUS_SUCCESS;
}
}
return STATUS_SUCCESS;
}
DWORD GetPlantformDependentInfo(DWORD eprocessflag)
{
DWORD current_build;
DWORD ans = 0;
PsGetVersion(NULL, NULL, ¤t_build, NULL);
switch(eprocessflag){
case OFFSET_EPROCESS_IMAGENAME:
if (current_build == 2195) //2000
{
ans = 0x1FC;
}
if (current_build == 2600) //XP
{
ans = 0x174;
}
if (current_build == 3790) //2003
{
ans = 0x164;
}
break;
case OFFSET_EPROCESS_PID:
if (current_build == 2195) //2000
{
ans = 0x09c;
}
if (current_build == 2600) //XP
{
ans = 0x084;
}
if (current_build == 3790) //2003
{
ans = 0x94;
}
break;
case OFFSET_EPROCESS_FLAGS:
// if (current_build == 2195) //2000
// {
//2000下貌似沒有這個標志,反正我是沒找到
// ans = 0x09c;
// }
if (current_build == 2600) //XP
{
ans = 0x248;
}
if (current_build == 3790) //2003
{
ans = 0x240;
}
break;
default:
break;
}
return ans;
}?? 快捷鍵說明
復制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -