Enum Process Under Ring3
taskmgr.exe 就是通過以下方式 Enum Process 的
#include?<stdlib.h>
#include?<stdio.h>
#include?<windows.h>
typedef?long?NTSTATUS;
//
//?Unicode?strings?are?counted?16-bit?character?strings.?If?they?are
//?NULL?terminated,?Length?does?not?include?trailing?NULL.
//
typedef?struct?_UNICODE_STRING
{
????USHORT?Length;
????USHORT?MaximumLength;
????PWSTR??Buffer;
}?UNICODE_STRING,?*PUNICODE_STRING;
//
//?Thread?priority
//
typedef?LONG?KPRIORITY;
//-----------------------------------------------------------------------------
//?Query?system?information
typedef?enum?_SYSTEM_INFORMATION_CLASS
{
????SystemBasicInformation,?????????????????//?0x00?SYSTEM_BASIC_INFORMATION
????SystemProcessorInformation,?????????????//?0x01?SYSTEM_PROCESSOR_INFORMATION
????SystemPerformanceInformation,???????????//?0x02
????SystemTimeOfDayInformation,?????????????//?0x03
????SystemPathInformation,??????????????????//?0x04
????SystemProcessInformation,???????????????//?0x05
????SystemCallCountInformation,?????????????//?0x06
????SystemDeviceInformation,????????????????//?0x07
????SystemProcessorPerformanceInformation,??//?0x08
????SystemFlagsInformation,?????????????????//?0x09
????SystemCallTimeInformation,??????????????//?0x0A
????SystemModuleInformation,????????????????//?0x0B?SYSTEM_MODULE_INFORMATION
????SystemLocksInformation,?????????????????//?0x0C
????SystemStackTraceInformation,????????????//?0x0D
????SystemPagedPoolInformation,?????????????//?0x0E
????SystemNonPagedPoolInformation,??????????//?0x0F
????SystemHandleInformation,????????????????//?0x10
????SystemObjectInformation,????????????????//?0x11
????SystemPageFileInformation,??????????????//?0x12
????SystemVdmInstemulInformation,???????????//?0x13
????SystemVdmBopInformation,????????????????//?0x14
????SystemFileCacheInformation,?????????????//?0x15
????SystemPoolTagInformation,???????????????//?0x16
????SystemInterruptInformation,?????????????//?0x17
????SystemDpcBehaviorInformation,???????????//?0x18
????SystemFullMemoryInformation,????????????//?0x19
????SystemLoadGdiDriverInformation,?????????//?0x1A
????SystemUnloadGdiDriverInformation,???????//?0x1B
????SystemTimeAdjustmentInformation,????????//?0x1C
????SystemSummaryMemoryInformation,?????????//?0x1D
????SystemNextEventIdInformation,???????????//?0x1E
????SystemEventIdsInformation,??????????????//?0x1F
????SystemCrashDumpInformation,?????????????//?0x20
????SystemExceptionInformation,?????????????//?0x21
????SystemCrashDumpStateInformation,????????//?0x22
????SystemKernelDebuggerInformation,????????//?0x23
????SystemContextSwitchInformation,?????????//?0x24
????SystemRegistryQuotaInformation,?????????//?0x25
????SystemExtendServiceTableInformation,????//?0x26
????SystemPrioritySeperation,???????????????//?0x27
????SystemPlugPlayBusInformation,???????????//?0x28
????SystemDockInformation,??????????????????//?0x29
????//SystemPowerInformation,???????????????//?0x2A
????//SystemProcessorSpeedInformation,??????//?0x2B
????//SystemCurrentTimeZoneInformation,?????//?0x2C
????//SystemLookasideInformation????????????//?0x2D
}?SYSTEM_INFORMATION_CLASS,?*PSYSTEM_INFORMATION_CLASS;
//
//?Process?information
//?NtQuerySystemInformation?with?SystemProcessInformation
//
typedef?struct?_SYSTEM_PROCESS_INFORMATION?{
????ULONG?NextEntryOffset;
????ULONG?NumberOfThreads;
????LARGE_INTEGER?SpareLi1;
????LARGE_INTEGER?SpareLi2;
????LARGE_INTEGER?SpareLi3;
????LARGE_INTEGER?CreateTime;
????LARGE_INTEGER?UserTime;
????LARGE_INTEGER?KernelTime;
????UNICODE_STRING?ImageName;
????KPRIORITY?BasePriority;
????ULONG_PTR?UniqueProcessId;
????ULONG_PTR?InheritedFromUniqueProcessId;
????ULONG?HandleCount;
????//?Next?part?is?platform?dependent
}?SYSTEM_PROCESS_INFORMATION,?*PSYSTEM_PROCESS_INFORMATION;
typedef?NTSTATUS?(*PNFNtQuerySystemInformation)(
????IN?SYSTEM_INFORMATION_CLASS?SystemInformationClass,
????OUT?PVOID?SystemInformation,
????IN?ULONG?SystemInformationLength,
????OUT?PULONG?ReturnLength
????);
PNFNtQuerySystemInformation?pNtQuerySystemInformation;
BOOL?LoadNTDLL()
{
????HMODULE?hMod?=?GetModuleHandle("ntdll.dll");
????if?(hMod?==?NULL)
????{
????????hMod?=?LoadLibrary("ntdll.dll");
????????if?(hMod?==?NULL)
????????{
????????????printf("LoadLibrary?Error:?%d\n",?GetLastError());
????????????return?FALSE;
????????}
????}
????pNtQuerySystemInformation?=?(PNFNtQuerySystemInformation)GetProcAddress(hMod,?"NtQuerySystemInformation");
????if(?pNtQuerySystemInformation?==?NULL?)
????{
????????printf("GetProcAddress?for?NtQuerySystemInformation?Error:?%d\n",?GetLastError());
????????return?FALSE;
????}
????ULONG?dwNumberBytes?=?0x8000;
????char*?pBuf?=?(char*)malloc(dwNumberBytes);
????PSYSTEM_PROCESS_INFORMATION?pProcessInfo?=?(PSYSTEM_PROCESS_INFORMATION)pBuf;
????ULONG?dwReturn?=?0;
????pNtQuerySystemInformation(SystemProcessInformation,?pProcessInfo,?dwNumberBytes,?&dwReturn);
????return?TRUE;
}
int?main()
{
????if(?!LoadNTDLL()?)
????{
????????printf("LoadNTDLL?Error!\n");
????????return?0;
????}
????printf("test\n");
????return?0;
}
運行后,出現
Debug Error
File: chkesp.c
line: 42
出現這個錯誤通常有兩種情況
1. 參數個數錯
2. 函數的調用方式錯
詳細檢查之下
typedef NTSTATUS
?(*PNFNtQuerySystemInformation)(
??? IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
??? OUT PVOID SystemInformation,
??? IN ULONG SystemInformationLength,
??? OUT PULONG ReturnLength
??? );
這里的寫法有問題,少寫了 __stdcall 的調用方式
typedef NTSTATUS
?(NTAPI *PNFNtQuerySystemInformation)(
??? IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
??? OUT PVOID SystemInformation,
??? IN ULONG SystemInformationLength,
??? OUT PULONG ReturnLength
??? );
這樣的寫法就OK了