搜索 收起
您的位置 首页 > 腾讯云社区

Windows Kennel-通过名字查进程EPROCESS---franket

瞎采新闻 发布于 2020-05-10 评论() 阅读()

1.先通过ActiveProcessLinks遍历

2.设置桩点,保证循环一遍就结束

3.通过PsGetProcessImageFileName来获取名字

代码如下:

UCHAR *PsGetProcessImageFileName(__in PEPROCESS eprocess);//导出下使用. NTSTATUS LookupProcessByName(IN PCHAR pcProcessName, OUT PEPROCESS *pEprocess) { PEPROCESS pCurEprocess = NULL; PEPROCESS pNextEprocess = NULL;//做为一个标记,表示循环了一圈 PLIST_ENTRY pListActiveProcess = NULL; ULONG offset = 0;//ActiveProcessLinks的偏移值 ULONG uLoopNum = 0;//查找的循环次数 RTL_OSVERSIONINFOEXW osver = {sizeof(RTL_OSVERSIONINFOEXW)}; char *lpszAttackProName = NULL; if (!ARGUMENT_PRESENT(pcProcessName) ||!ARGUMENT_PRESENT(pEprocess)) { KdPrint(("[LookupProcessByName]--invalid paran")); return STATUS_INVALID_PARAMETER; } if (KeGetCurrentIrql()>PASSIVE_LEVEL) { KdPrint(("[LookupProcessByName]--invalid irqln")); return STATUS_UNSUCCESSFUL; } if (STATUS_SUCCESS != RtlGetVersion((PRTL_OSVERSIONINFOW)&osver)) { KdPrint(("[LookupProcessByName]--RtlGetVersion failn")); return STATUS_UNSUCCESSFUL; } // 仅对xp测试,自己扩展 if (5 == osver.dwMajorVersion &&1 == osver.dwMinorVersion) { offset = 0x88;//可通过windbg查看eprocess中的偏移 } if (0 == offset) { KdPrint(("[LookupProcessByName]--unknow osn")); return STATUS_UNSUCCESSFUL; } // 遍历链表查询 pCurEprocess = PsGetCurrentProcess(); pNextEprocess = pCurEprocess; __try { while (TRUE) { // TODO.做想做的事吧... lpszAttackProName = (char *)PsGetProcessImageFileName(pCurEprocess); if (lpszAttackProName && strlen(lpszAttackProName) == strlen(pcProcessName)) { if (0 == _stricmp(lpszAttackProName, pcProcessName)) { KdPrint(("[LookupProcessByName]--findn")); *pEprocess = pCurEprocess; return STATUS_SUCCESS; } } //出口 if (uLoopNum>=1 &&pNextEprocess == pCurEprocess) { KdPrint(("[LookupProcessByName]--loop endn")); *pEprocess = 0x00000000; return STATUS_NOT_FOUND; } pListActiveProcess = (PLIST_ENTRY)((ULONG)pCurEprocess+offset);//注意大括号,不用大括号会出错的 (ULONG)pCurEprocess = (ULONG)pListActiveProcess->Flink;//pCurEprocess临时表示了前一个Active process (ULONG)pCurEprocess = (ULONG)pCurEprocess - offset;//对应的Eprocess基址 KdPrint(("[LookupProcessByName]--pCurEprocess:%08xn", pCurEprocess)); uLoopNum ++;//循环次数+1 } } __except(EXCEPTION_EXECUTE_HANDLER) { KdPrint(("[LookupProcessByName]--execption:%08x--endn", GetExceptionCode())); *pEprocess = 0x00000000; return STATUS_NOT_FOUND; } } ---来自腾讯云社区的---franket
标签: Windows Kennel-通过名字查进程EPROCESS
打赏 点赞( ())

关于作者: 瞎采新闻

这里可以显示个人介绍!这里可以显示个人介绍!

相关文章

热门文章

1渗透利器 | 常见的WebShell管理工具---Bypass

点赞( 2 ) 阅读(339)

2美国新冠病毒确诊人数统计及预测---用户5908113

点赞( 1 ) 阅读(302)

3什么时候使用 useMemo 和 useCallback---Nealyang

点赞( 2 ) 阅读(301)

4Android开发 - NFC基础---zhangyunfeiVir

点赞( 0 ) 阅读(300)

5Gitlab配置Web Hook关联Jenkins实现push后自动部署---zhangyunfeiVir

点赞( 0 ) 阅读(300)
留言与评论(共有 0 条评论)
   
验证码: