首页
论坛
课程
招聘
[原创]驱动遍历系统进程
2020-12-4 15:27 1723

[原创]驱动遍历系统进程

2020-12-4 15:27
1723

驱动实现遍历系统进程 打印进程并打印进程名称

R3层的思路:

使用EnumProccess获取指向接收进程标识符列表的数组的指针

 

遍历进程标识符数组,获取每一个的进程句柄

 

通过进程句柄 GetModuleBaseNameA 获取该句柄的名字

R0

一共可以有两个方法实现

  • 用结构体的偏移实现
  • 使用API实现

结构体偏移实现:

进程遍历思路:

 

在用户层,我们通过查看TEB结构体来实现进程遍历;但在内核层,我们使用_EPROCESS结构体来获取进程相关信息。

 

_EPROCESS 有几个比较重要的成员:

 

UniqueProcessId : Ptr32 Void ,指向PID的指针。(注意是指针,还要取值运算才能得到PID)

 

ActiveProcessLinks : _LIST_ENTRY , 进程链,我们通过这个获取获取其他进程。

 

ImageFileName : [15] UChar,指向进程的路径名称。

 

在驱动中通过 PsGetCurrentProcess(),来获取当前进程的EPROCESS结构体,然后通过链表遍历其余的EPROCESS,将关键信息输出出来

 

查看_EPROCESS结构

 

查看进程列表:!process 0 0

 


查看EPROCESS结构:dt _EPROCESS [address]

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x160 ProcessLock      : _EX_PUSH_LOCK
   +0x168 CreateTime       : _LARGE_INTEGER 0x01d6c92c`68691f64
   +0x170 ExitTime         : _LARGE_INTEGER 0x0
   +0x178 RundownProtect   : _EX_RUNDOWN_REF
   +0x180 UniqueProcessId  : 0x00000000`00000004 Void
   +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`1a4dd9a8 - 0xfffff800`04073b90 ]
   +0x198 ProcessQuotaUsage : [2] 0
   +0x1a8 ProcessQuotaPeak : [2] 0
   +0x1b8 CommitCharge     : 0x23
   +0x1c0 QuotaBlock       : 0xfffff800`04051c00 _EPROCESS_QUOTA_BLOCK
   +0x1c8 CpuQuotaBlock    : (null)
   +0x1d0 PeakVirtualSize  : 0xa04000
   +0x1d8 VirtualSize      : 0x48d000
   +0x1e0 SessionProcessLinks : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
   +0x1f0 DebugPort        : (null)
   +0x1f8 ExceptionPortData : (null)
   +0x1f8 ExceptionPortValue : 0
   +0x1f8 ExceptionPortState : 0y000
   +0x200 ObjectTable      : 0xfffff8a0`000017d0 _HANDLE_TABLE
   +0x208 Token            : _EX_FAST_REF
   +0x210 WorkingSetPage   : 0
   +0x218 AddressCreationLock : _EX_PUSH_LOCK
   +0x220 RotateInProgress : (null)
   +0x228 ForkInProgress   : (null)
   +0x230 HardwareTrigger  : 0
   +0x238 PhysicalVadRoot  : 0xfffffa80`18eae6b0 _MM_AVL_TABLE
   +0x240 CloneRoot        : (null)
   +0x248 NumberOfPrivatePages : 0xc
   +0x250 NumberOfLockedPages : 0x40
   +0x258 Win32Process     : (null)
   +0x260 Job              : (null)
   +0x268 SectionObject    : (null)
   +0x270 SectionBaseAddress : (null)
   +0x278 Cookie           : 0
   +0x27c UmsScheduledThreads : 0
   +0x280 WorkingSetWatch  : (null)
   +0x288 Win32WindowStation : (null)
   +0x290 InheritedFromUniqueProcessId : (null)
   +0x298 LdtInformation   : (null)
   +0x2a0 Spare            : (null)
   +0x2a8 ConsoleHostProcess : 0
   +0x2b0 DeviceMap        : 0xfffff8a0`00008c10 Void
   +0x2b8 EtwDataSource    : (null)
   +0x2c0 FreeTebHint      : 0x000007ff`fffe0000 Void
   +0x2c8 FreeUmsTebHint   : 0x00000000`772b9000 Void
   +0x2d0 PageDirectoryPte : _HARDWARE_PTE
   +0x2d0 Filler           : 0
   +0x2d8 Session          : (null)
   +0x2e0 ImageFileName    : [15"System"
   +0x2ef PriorityClass    : 0x2 ''
   +0x2f0 JobLinks         : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
   +0x300 LockedPagesList  : (null)
   +0x308 ThreadListHead   : _LIST_ENTRY [ 0xfffffa80`18de5880 - 0xfffffa80`1b697f80 ]
   +0x318 SecurityPort     : (null)
   +0x320 Wow64Process     : (null)
   +0x328 ActiveThreads    : 0x61
   +0x32c ImagePathHash    : 0
   +0x330 DefaultHardErrorProcessing : 5
   +0x334 LastThreadExitStatus : 0n0
   +0x338 Peb              : (null)
   +0x340 PrefetchTrace    : _EX_FAST_REF
   +0x348 ReadOperationCount : _LARGE_INTEGER 0x12
   +0x350 WriteOperationCount : _LARGE_INTEGER 0x45
   +0x358 OtherOperationCount : _LARGE_INTEGER 0x1fa
   +0x360 ReadTransferCount : _LARGE_INTEGER 0x251bd90
   +0x368 WriteTransferCount : _LARGE_INTEGER 0x9b8600
   +0x370 OtherTransferCount : _LARGE_INTEGER 0x13cd
   +0x378 CommitChargeLimit : 0
   +0x380 CommitChargePeak : 0x4a
   +0x388 AweInfo          : (null)
   +0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x398 Vm               : _MMSUPPORT
   +0x420 MmProcessLinks   : _LIST_ENTRY [ 0xfffffa80`1a4ddc40 - 0xfffff800`0404d5e0 ]
   +0x430 HighestUserAddress : (null)
   +0x438 ModifiedPageCount : 0x7328
   +0x43c Flags2           : 0x2d800
   +0x43c JobNotReallyActive : 0y0
   +0x43c AccountingFolded : 0y0
   +0x43c NewProcessReported : 0y0
   +0x43c ExitProcessReported : 0y0
   +0x43c ReportCommitChanges : 0y0
   +0x43c LastReportMemory : 0y0
   +0x43c ReportPhysicalPageChanges : 0y0
   +0x43c HandleTableRundown : 0y0
   +0x43c NeedsHandleRundown : 0y0
   +0x43c RefTraceEnabled  : 0y0
   +0x43c NumaAware        : 0y0
   +0x43c ProtectedProcess : 0y1
   +0x43c DefaultPagePriority : 0y101
   +0x43c PrimaryTokenFrozen : 0y1
   +0x43c ProcessVerifierTarget : 0y0
   +0x43c StackRandomizationDisabled : 0y1
   +0x43c AffinityPermanent : 0y0
   +0x43c AffinityUpdateEnable : 0y0
   +0x43c PropagateNode    : 0y0
   +0x43c ExplicitAffinity : 0y0
   +0x440 Flags            : 0x14040800
   +0x440 CreateReported   : 0y0
   +0x440 NoDebugInherit   : 0y0
   +0x440 ProcessExiting   : 0y0
   +0x440 ProcessDelete    : 0y0
   +0x440 Wow64SplitPages  : 0y0
   +0x440 VmDeleted        : 0y0
   +0x440 OutswapEnabled   : 0y0
   +0x440 Outswapped       : 0y0
   +0x440 ForkFailed       : 0y0
   +0x440 Wow64VaSpace4Gb  : 0y0
   +0x440 AddressSpaceInitialized : 0y10
   +0x440 SetTimerResolution : 0y0
   +0x440 BreakOnTermination : 0y0
   +0x440 DeprioritizeViews : 0y0
   +0x440 WriteWatch       : 0y0
   +0x440 ProcessInSession : 0y0
   +0x440 OverrideAddressSpace : 0y0
   +0x440 HasAddressSpace  : 0y1
   +0x440 LaunchPrefetched : 0y0
   +0x440 InjectInpageErrors : 0y0
   +0x440 VmTopDown        : 0y0
   +0x440 ImageNotifyDone  : 0y0
   +0x440 PdeUpdateNeeded  : 0y0
   +0x440 VdmAllowed       : 0y0
   +0x440 CrossSessionCreate : 0y0
   +0x440 ProcessInserted  : 0y1
   +0x440 DefaultIoPriority : 0y010
   +0x440 ProcessSelfDelete : 0y0
   +0x440 SetTimerResolutionLink : 0y0
   +0x444 ExitStatus       : 0n259
   +0x448 VadRoot          : _MM_AVL_TABLE
   +0x488 AlpcContext      : _ALPC_PROCESS_CONTEXT
   +0x4a8 TimerResolutionLink : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]
   +0x4b8 RequestedTimerResolution : 0
   +0x4bc ActiveThreadsHighWatermark : 0x64
   +0x4c0 SmallestTimerResolution : 0
   +0x4c8 TimerResolutionStackRecord : (null)

三个我们需要的:

 

+0x180 UniqueProcessId
+0x188 ActiveProcessLinks
+0x2e0 ImageFileName

 

编写代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
#include <ntddk.h>
 
#define pid_offset  0x180
#define list_offset  0x188
#define name_offset  0x2e0
 
 
VOID DriverUnload(PDRIVER_OBJECT  DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("[%ws] Unload Successful \n", __FUNCTIONW__);
}
 
NTSTATUS Get_Name()
{
    UINT64 process_pid = 0;
    PUCHAR process_name = NULL;
    PLIST_ENTRY process_list = NULL;
    PEPROCESS process_first = NULL;
    PEPROCESS process_address = PsGetCurrentProcess();
    //因为双向链表 首节点的位置是0,所以我们要指向第一个节点之前
    process_list = (PLIST_ENTRY)((UINT64)process_address + list_offset);
    process_first = (PEPROCESS)((UINT64)(process_list->Blink) - list_offset);
    if (!process_address)
    {
        DbgPrint("[ERROR]: NOT ....\n");
        return STATUS_SEVERITY_ERROR;
    }
    while (process_address)
    {
        process_pid = *(UINT64*)((UINT64)process_address + pid_offset);
        process_name = (PUCHAR)((UINT64)process_address + name_offset);
        DbgPrint("pid = %ld  name = %s \n", process_pid, process_name);
        process_list = process_list->Flink;
        process_address = (PEPROCESS)((UINT64)(process_list) - list_offset);
        if (process_first == process_address)
        {
            DbgPrint("END!......\n");
            break;
        }
    }
    return STATUS_SUCCESS;
}
 
NTSTATUS DriverEntry(PDRIVER_OBJECT  DriverObject,PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("[%ws] [OK] \n",__FUNCTIONW__);
    Get_Name();
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

测试结果:

 

API实现:

结构体的时候踩了点坑:

 

https://www.cnblogs.com/hshy/p/12271820.html

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#include <ntddk.h>
 
#define SYSTEMPROCESSINFORMATION 5
//进程信息结构体 
typedef struct _SYSTEM_THREADS
{
    LARGE_INTEGER  KernelTime;
    LARGE_INTEGER  UserTime;
    LARGE_INTEGER  CreateTime;
    ULONG    WaitTime;
    PVOID    StartAddress;
    CLIENT_ID   ClientID;
    KPRIORITY   Priority;
    KPRIORITY   BasePriority;
    ULONG    ContextSwitchCount;
    ULONG    ThreadState;
    KWAIT_REASON  WaitReason;
    ULONG    Reserved; //Add
}SYSTEM_THREADS, * PSYSTEM_THREADS;
 
typedef struct _SYSTEM_PROCESSES
{
    ULONG    NextEntryDelta;
    ULONG    ThreadCount;
    ULONG    Reserved[6];
    LARGE_INTEGER  CreateTime;
    LARGE_INTEGER  UserTime;
    LARGE_INTEGER  KernelTime;
    UNICODE_STRING  ProcessName;
    KPRIORITY   BasePriority;
    HANDLE   ProcessId;  //Modify
    HANDLE   InheritedFromProcessId;//Modify
    ULONG    HandleCount;
    ULONG    SessionId;
    ULONG_PTR  PageDirectoryBase;
    VM_COUNTERS VmCounters;
    SIZE_T    PrivatePageCount;//Add
    IO_COUNTERS  IoCounters; //windows 2000 only
    struct _SYSTEM_THREADS Threads[1];
}SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;
 
//声明ZqQueryAyatemInformation
NTSTATUS ZwQuerySystemInformation(
    IN ULONG SystemInformationClass,  //处理进程信息,只需要处理类别为5的即可
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength
);
 
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("[%ws] [UNLOAD]....\n",__FUNCTIONW__);
}
 
 
 
NTSTATUS APIPROCESS()
{
    NTSTATUS systeminformation;
    ULONG length;
    PSYSTEM_PROCESSES process;
    //因为还不知道缓冲区的大小所以我们需要获取大小之后再用一次这个api
    systeminformation = ZwQuerySystemInformation(SYSTEMPROCESSINFORMATION, NULL, 0, &length);
    if (!length)
    {
        DbgPrint("[Error] ZwQuerySystemInformation......\n");
        return systeminformation;
    }
    //ExAllocatePool分配指定类型的池内存,并返回指向已分配块的指针
    PVOID PMemory = ExAllocatePoolWithTag(NonPagedPool, length,'egaT');
    if (!PMemory)
    {
        DbgPrint("[Error] Memory flase......\n");
        return STATUS_UNSUCCESSFUL;
    }
    systeminformation = ZwQuerySystemInformation(SYSTEMPROCESSINFORMATION, PMemory, length, &length);
    if (NT_SUCCESS(systeminformation))
    {
        process = (PSYSTEM_PROCESSES)PMemory;
        if (process->ProcessId == 0)
            DbgPrint("PID 0 System\n");
        do
        {
            process = (PSYSTEM_PROCESSES)((UINT64)process + process->NextEntryDelta);
            DbgPrint("pid = %ld  name = %-20ws \n", process->ProcessId, process->ProcessName.Buffer);
        } while (process->NextEntryDelta != 0);
    }
    else
    {
        DbgPrint("[Error] .....\n");
    }
    ExFreePool(PMemory);
    return systeminformation;
}
 
 
 
NTSTATUS DriverEntry(PDRIVER_OBJECT  DriverObject,PUNICODE_STRING RegistryPath)
{   
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("[%ws] [OK]....\n", __FUNCTIONW__);
    APIPROCESS();
    DriverObject->DriverUnload = DriverUnload;
 
    return STATUS_SUCCESS;
}


[注意] 欢迎加入看雪团队!base上海,招聘安全工程师、逆向工程师多个坑位等你投递!

收藏
点赞4
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回