Windows Driver Development Basics: Process Enumeration
Enumerating processes from a driver you write yourself
In Windows every process is described by an EPROCESS structure. Apart from the Idle process and the System process, every process has its own executable file on disk; the EPROCESS blocks for Idle and System are fabricated by the kernel itself, and the ImageFileName stored in them does not correspond to any file on disk.
Here we enumerate processes by walking the kernel's EPROCESS structures, so we first need to look at what EPROCESS contains.
kd> dt _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x098 ProcessLock : _EX_PUSH_LOCK
+0x0a0 CreateTime : _LARGE_INTEGER
+0x0a8 ExitTime : _LARGE_INTEGER
+0x0b0 RundownProtect : _EX_RUNDOWN_REF
+0x0b4 UniqueProcessId : Ptr32 Void // process ID
+0x0b8 ActiveProcessLinks : _LIST_ENTRY // list of active processes
~~~~
+0x16c ImageFileName : [15] "System" // process (image) name
~~~~
This layout was taken from a Windows 7 Professional, build 7601 (Service Pack 1), 32-bit virtual machine.
Offset 0x0b4 holds the process ID, and offset 0x0b8 holds ActiveProcessLinks, a doubly linked list entry:
kd> dt _LIST_ENTRY
ntdll!_LIST_ENTRY
+0x000 Flink : Ptr32 _LIST_ENTRY // forward link (next entry)
+0x004 Blink : Ptr32 _LIST_ENTRY // backward link (previous entry)
Note that Flink and Blink do not point at the start of the neighbouring EPROCESS; they point at the ActiveProcessLinks field (the Flink/Blink pair) inside the neighbouring EPROCESS. To get from a link back to the EPROCESS that contains it you subtract the field's offset, 0x0b8, which is exactly what the kernel's CONTAINING_RECORD macro does.
Next we write the code that walks the list:
#include <ntddk.h>

// Field offsets inside _EPROCESS on Windows 7 SP1 x86 (build 7601), taken from
// the dt output above. They differ on every other build and on x64; verify
// them with "dt nt!_EPROCESS" in the kernel debugger before relying on them.
#define EPROCESS_UNIQUEPROCESSID_OFFSET    0x0b4
#define EPROCESS_ACTIVEPROCESSLINKS_OFFSET 0x0b8
#define EPROCESS_IMAGEFILENAME_OFFSET      0x16c

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    PEPROCESS currentProcess;
    PEPROCESS next;
    ULONG_PTR base;
    ULONG_PTR processId;
    PCSTR imageName;
    PLIST_ENTRY links;

    UNREFERENCED_PARAMETER(RegistryPath);
    if (DriverObject)
    {
        DriverObject->DriverUnload = DriverUnload;
    }

    // DriverEntry runs in the context of the System process, so the walk
    // starts at System and ends when the list wraps around back to it.
    currentProcess = PsGetCurrentProcess();
    next = currentProcess;

    // Manually inserted breakpoint (emits int 3). With no kernel debugger
    // attached this bugchecks (blue screen); remove it for unattended use.
    DbgBreakPoint();

    do
    {
        base = (ULONG_PTR)next;
        processId = *(ULONG_PTR *)(base + EPROCESS_UNIQUEPROCESSID_OFFSET);
        imageName = (PCSTR)(base + EPROCESS_IMAGEFILENAME_OFFSET);
        links = (PLIST_ENTRY)(base + EPROCESS_ACTIVEPROCESSLINKS_OFFSET);

        // Flink points at the NEXT node's ActiveProcessLinks field, not at the
        // start of its EPROCESS, so subtract the field offset to recover it.
        next = (PEPROCESS)((ULONG_PTR)links->Flink - EPROCESS_ACTIVEPROCESSLINKS_OFFSET);

        KdPrint(("current:%p processId:%u processname:%s next:%p\r\n",
                 (PVOID)base, (ULONG)processId, imageName, (PVOID)next));
    } while (NULL != next && next != currentProcess);

    return STATUS_SUCCESS;
}
The output is as follows:
current:85be6658 processId:4 processname:System next:8671d900 first entry: the current process, System, PID 4
current:8671d900 processId:256 processname:smss.exe next:86e47988
current:86e47988 processId:352 processname:csrss.exe next:86e712c0
current:86e712c0 processId:404 processname:wininit.exe next:86e84a80
current:86e84a80 processId:412 processname:csrss.exe next:8701bd20
current:8701bd20 processId:448 processname:winlogon.exe next:8705b9d8
current:8705b9d8 processId:520 processname:services.exe next:8704b030
current:8704b030 processId:528 processname:lsass.exe next:870554d8
current:870554d8 processId:536 processname:lsm.exe next:8704b518
current:8704b518 processId:636 processname:svchost.exe next:87079598
current:87079598 processId:728 processname:svchost.exe next:870e8460
current:870e8460 processId:792 processname:svchost.exe next:87145658
current:87145658 processId:900 processname:svchost.exe next:8714b030
current:8714b030 processId:940 processname:svchost.exe next:871a1688
current:871a1688 processId:1064 processname:svchost.exe next:87179d20
current:87179d20 processId:1196 processname:svchost.exe next:85e0e490
current:85e0e490 processId:1352 processname:kxescore.exe next:87269510
current:87269510 processId:1516 processname:spoolsv.exe next:87294930
current:87294930 processId:1612 processname:svchost.exe next:872f8628
current:872f8628 processId:1888 processname:dgservice.exe next:873a5030
current:873a5030 processId:3388 processname:svchost.exe next:873d4030
current:873d4030 processId:3928 processname:VGAuthService. next:87334350
current:87334350 processId:3988 processname:vm3dservice.ex next:87434030
current:87434030 processId:4008 processname:vmtoolsd.exe next:874425e0
current:874425e0 processId:4016 processname:vm3dservice.ex next:87316600
current:87316600 processId:4048 processname:WifiAutoInstal next:874fad20
current:874fad20 processId:4124 processname:WmiPrvSE.exe next:874ec508
current:874ec508 processId:4224 processname:SearchIndexer. next:876417b0
current:876417b0 processId:5964 processname:dllhost.exe next:87a04030
current:87a04030 processId:6136 processname:msdtc.exe next:87353030
current:87353030 processId:6860 processname:sppsvc.exe next:87358030
current:87358030 processId:6912 processname:svchost.exe next:874b3be8
current:874b3be8 processId:6584 processname:taskhost.exe next:8737da28
current:8737da28 processId:4060 processname:taskeng.exe next:87624d20
current:87624d20 processId:1968 processname:360AP.exe next:876378f8
current:876378f8 processId:2800 processname:dwm.exe next:8739a030
current:8739a030 processId:2784 processname:explorer.exe next:8675a030
current:8675a030 processId:3008 processname:usbpnp.exe next:876339f0
current:876339f0 processId:2992 processname:dgutil.exe next:87b59638
current:87b59638 processId:3732 processname:dgprotect.exe next:87b95030
current:87b95030 processId:5196 processname:vmtoolsd.exe next:87be9030
current:87be9030 processId:5112 processname:ksoftlaunchpad next:89f38750
current:89f38750 processId:1932 processname:ksearchservice next:89e53a38
current:89e53a38 processId:7376 processname:alg.exe next:87b7bd20
current:87b7bd20 processId:2904 processname:kcddltool.exe next:89e2bd20
current:89e2bd20 processId:4960 processname:cmd.exe next:87a71d20
current:87a71d20 processId:4964 processname:conhost.exe next:89ecc270
current:89ecc270 processId:4864 processname:InstDrv.exe next:85df1790
current:85df1790 processId:6696 processname:updateprog.exe next:89e5f030
current:89e5f030 processId:2508 processname:SearchProtocol next:89f65030
current:89f65030 processId:5504 processname:dllhost.exe next:87b34d20
current:87b34d20 processId:3588 processname:SearchFilterHo next:83f4dcb8
current:83f4dcb8 processId:0 processname: next:85be6658 last entry: PID 0, empty name, and next points back to the first (System) entry, so the loop exits.
This last entry is not the Idle process, and it is not a process at all; the Idle process is not linked into the ActiveProcessLinks chain. What the walk hit here is the list head, nt!PsActiveProcessHead, a bare LIST_ENTRY global inside the kernel image. Note that its computed address 83f4dcb8 lies in the ntoskrnl image range, while every real EPROCESS above lives in pool (85xxxxxx to 89xxxxxx). Subtracting 0x0b8 from the head and then reading "UniqueProcessId" and "ImageFileName" from the result just reads whatever kernel globals happen to sit next to the list head, which on this machine were 0 and an empty string. A walk that starts at a process and stops when it returns to that process will always produce this one bogus node; skip an entry whose process ID reads back as 0, or stop at the head when you know its address.
ImageFileName is a 15-byte array. A longer executable name is truncated to 14 characters plus a terminating NUL (see VGAuthService. and SearchFilterHo above), so it can be printed safely with %s. Keep in mind that all three offsets (0x0b4, 0x0b8, 0x16c) are specific to Windows 7 SP1 x86; on any other build, and on x64, they differ, so confirm them with dt nt!_EPROCESS UniqueProcessId ActiveProcessLinks ImageFileName in the kernel debugger before hardcoding them, or avoid raw offsets altogether and use PsGetProcessId() and the exported but undocumented PsGetProcessImageFileName() (you must declare its prototype yourself).
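As an added example (not code from the original post): a user-mode C model of the list walk above, using the kernel's own LIST_ENTRY / CONTAINING_RECORD idiom on a constructed three-process list. The struct layouts, PIDs and image names are made up for illustration and are not the real Win7 offsets. It shows two things the driver's output alone does not: that the driver's stop condition (start at a process, stop when you get back to it) walks straight through PsActiveProcessHead, which is a bare LIST_ENTRY inside the kernel image and not an EPROCESS, so the "PID 0 / empty name" entry at the end is just the globals sitting next to the head; and the 14-character truncation of ImageFileName that produced VGAuthService. in the output.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's LIST_ENTRY and CONTAINING_RECORD. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Hypothetical mock of the three _EPROCESS fields the walk touches. Field order
   matches the real structure, the offsets do not; the 15-byte name is real. */
typedef struct _MOCK_EPROCESS {
    uintptr_t  UniqueProcessId;
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[15];
} MOCK_EPROCESS;

/* Models the kernel's data section around nt!PsActiveProcessHead: a bare
   LIST_ENTRY with unrelated globals on either side, not an EPROCESS. Its
   layout is chosen so that CONTAINING_RECORD(&PsActiveProcessHead) lands on
   some_global_before_head, exactly as the offset subtraction does in-kernel. */
typedef struct _KERNEL_GLOBALS {
    uintptr_t  some_global_before_head;   /* read back as the bogus "PID" */
    LIST_ENTRY PsActiveProcessHead;
    char       some_global_after_head[15]; /* read back as the bogus "name" */
} KERNEL_GLOBALS;

static KERNEL_GLOBALS g_kernel;   /* stands in for the ntoskrnl image */
static MOCK_EPROCESS  g_procs[3]; /* stands in for pool-allocated EPROCESS blocks */

/* Mirrors the truncation seen in the output above: at most 14 characters are
   kept and the buffer is always NUL-terminated, which is why %s is safe. */
static void set_image_name(MOCK_EPROCESS *p, const char *name)
{
    strncpy(p->ImageFileName, name, sizeof p->ImageFileName - 1);
    p->ImageFileName[sizeof p->ImageFileName - 1] = '\0';
}

/* InsertTailList: the kernel appends each new process at the tail. */
static void insert_tail(LIST_ENTRY *head, LIST_ENTRY *entry)
{
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink  = entry;
    head->Blink  = entry;
}

/* Constructed sample list (PIDs/names invented to resemble the output above). */
static LIST_ENTRY *build_sample_list(void)
{
    static const struct { uintptr_t pid; const char *name; } sample[3] = {
        { 4, "System" }, { 256, "smss.exe" }, { 3928, "VGAuthService.exe" },
    };
    LIST_ENTRY *head = &g_kernel.PsActiveProcessHead;
    memset(&g_kernel, 0, sizeof g_kernel);
    head->Flink = head->Blink = head;            /* InitializeListHead */
    for (size_t i = 0; i < 3; i++) {
        g_procs[i].UniqueProcessId = sample[i].pid;
        set_image_name(&g_procs[i], sample[i].name);
        insert_tail(head, &g_procs[i].ActiveProcessLinks);
    }
    return head;
}

/* Correct walk: begin at head->Flink, stop when Flink wraps to the head, and
   never treat the head itself as a process. Returns the number of processes. */
static size_t walk_from_head(LIST_ENTRY *head, uintptr_t *pids, size_t max)
{
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, MOCK_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* The driver's loop: start at a process and stop when the walk returns to it.
   This passes through the head and reports it as one extra, bogus "process". */
static size_t walk_from_process(MOCK_EPROCESS *start, uintptr_t *pids, size_t max)
{
    size_t n = 0;
    MOCK_EPROCESS *cur = start;
    do {
        if (n == max) break;
        pids[n++] = cur->UniqueProcessId;
        cur = CONTAINING_RECORD(cur->ActiveProcessLinks.Flink, MOCK_EPROCESS, ActiveProcessLinks);
    } while (cur != start);
    return n;
}

int main(void)
{
    uintptr_t pids[8];
    LIST_ENTRY *head = build_sample_list();
    size_t n = walk_from_head(head, pids, 8);
    printf("from head: %zu processes\n", n);
    n = walk_from_process(&g_procs[0], pids, 8);
    printf("from System: %zu entries; last has PID %lu, name \"%s\" (the list head)\n",
           n, (unsigned long)pids[n - 1],
           CONTAINING_RECORD(head, MOCK_EPROCESS, ActiveProcessLinks)->ImageFileName);
    printf("truncated name: \"%s\"\n", g_procs[2].ImageFileName);
    return 0;
}
```

Build with cc -std=c11 walk.c and run. In a real driver you cannot stop at the head the way walk_from_head does, because PsActiveProcessHead is not exported; if you must walk the raw list, start from PsGetCurrentProcess() as the page does and discard the node whose process ID reads as 0, or drop the raw-offset approach and query the process list through ZwQuerySystemInformation(SystemProcessInformation) instead.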