進程是操作系統中的一個非常重要的概念，學習的初級階段可以先想辦法枚舉出它們，為以后的深入學習奠定基礎。

枚舉進程有許多方法，比較簡單的有快照CreateToolhelp32Snapshot，psapi.dll提供的EnumProcesses()等。我們還可以通過進程ID去暴力枚舉，只是可能權限不夠，有些得不到，就需要驅動的幫忙了。

?

應用層：

#include <Windows.h>
#include <iostream>
using namespace std;

#define MAX 64
#define CTL_GETPROCESSIMAGNAMEBYID CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)

BOOL EnableDebugPrivilege(); ?//提權
VOID EnumProcessByForce(); ?//暴力枚舉
BOOL SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* dwReturn); ?//發送請求

int main(int argc, char **argv)
{

if (EnableDebugPrivilege() == FALSE)
{
return 0;
}

EnumProcessByForce();

return 0;
}

VOID EnumProcessByForce()
{
int i = 0;
HANDLE hProcess = NULL;
DWORD dwReturn = 0;

char szProcessImageName[MAX] = { 0 };
for (i = 0; i < 10000000; i += 4) ?//進程ID一般是4的倍數
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, i);

if (hProcess == NULL)
{
continue;
}

else
{
//向驅動發送請求
if (SendIoControl(&i, sizeof(ULONG32), szProcessImageName, &dwReturn) == TRUE)
{
szProcessImageName[dwReturn] = '\0';
cout << "進程ID: " << i << " " << szProcessImageName << endl;
memset(szProcessImageName, 0, MAX);
}
}
}
}

BOOL SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* dwReturn)
{
//打開設備

HANDLE hDevice = NULL;
BOOL bOk = FALSE;
hDevice = CreateFile(L"\\\\.\\EnumProcessByForceLinkName", ? //設備鏈接名
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);

if (hDevice == INVALID_HANDLE_VALUE)
{
return FALSE;
}

bOk = DeviceIoControl(hDevice,
CTL_GETPROCESSIMAGNAMEBYID,
InputData,
InputSize,
OutputData,
MAX,
dwReturn,
NULL);

if (bOk == FALSE)
{
CloseHandle(hDevice);
hDevice = NULL;

return FALSE;
}
CloseHandle(hDevice);
hDevice = NULL;
return TRUE;
}

BOOL EnableDebugPrivilege() //Debug
{

HANDLE hToken = NULL;
TOKEN_PRIVILEGES TokenPrivilege;
LUID uID;

//打開權限令牌
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
{
return FALSE;
}

if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
{

CloseHandle(hToken);
hToken = NULL;
return FALSE;
}

TokenPrivilege.PrivilegeCount = 1;
TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
TokenPrivilege.Privileges[0].Luid = uID;

//在這里我們進行調整權限
if (!AdjustTokenPrivileges(hToken, false, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
{
CloseHandle(hToken);
hToken = NULL;
return FALSE;
}

CloseHandle(hToken);
return TRUE;

}

?

驅動層：

#include <ntifs.h>

#define MAX 64
#define DEVICE_NAME L"\\Device\\EnumProcessByForceDeviceName" //常量指針字符串
#define LINK_NAME L"\\DosDevices\\EnumProcessByForceLinkName"

extern char* PsGetProcessImageFileName(PEPROCESS EProcess); ? // 此函數已經實現，只需要申明出來

BOOLEAN GetProcessImageNameByProcessID(ULONG32 ulProcessID, char* szProcessImageName, ULONG32* ulProcessImageNameLength);
NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);

#define CTL_GETPROCESSIMAGNAMEBYID \
CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)

VOID DriverUnload(PDRIVER_OBJECT DriverObject);

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
{
NTSTATUS Status;
UNICODE_STRING uniDeviceName; //設備名
UNICODE_STRING uniLinkName; //鏈接名
int i = 0;
PDEVICE_OBJECT DeviceObject;

RtlInitUnicodeString(&uniDeviceName, DEVICE_NAME);
DbgPrint("Hello 10.8\r\n");
Status = IoCreateDevice(DriverObject, 0, &uniDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
if (!NT_SUCCESS(Status))
{
return STATUS_UNSUCCESSFUL;
}

//創建一個LinkName
RtlInitUnicodeString(&uniLinkName, LINK_NAME);
Status = IoCreateSymbolicLink(&uniLinkName, &uniDeviceName);

if (!NT_SUCCESS(Status))
{

IoDeleteDevice(DeviceObject);
DriverObject = NULL;
return STATUS_UNSUCCESSFUL;
}
DriverObject->DriverUnload = DriverUnload;
for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
{
DriverObject->MajorFunction[i] = DefaultPassDispatch;
}

DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlPassDispatch;
return STATUS_SUCCESS;

return Status;
}

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{

//銷毀鏈接名稱
UNICODE_STRING uniLinkName;

?

//銷毀所有DriverObject中的DeviceObject

PDEVICE_OBJECT CurrentDeviceObject = NULL;
PDEVICE_OBJECT NextDeviceObject = NULL;

RtlInitUnicodeString(&uniLinkName, LINK_NAME);
IoDeleteSymbolicLink(&uniLinkName);
if (DriverObject->DeviceObject != NULL)
{
CurrentDeviceObject = DriverObject->DeviceObject;
while (CurrentDeviceObject != NULL)
{
NextDeviceObject = CurrentDeviceObject->NextDevice;
IoDeleteDevice(CurrentDeviceObject);

CurrentDeviceObject = NextDeviceObject;
}
}

CurrentDeviceObject = NULL;
NextDeviceObject = NULL;
}

NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
PIO_STACK_LOCATION IrpSp = NULL;
ULONG_PTR ulIoControlCode = 0;
PVOID InputData = NULL;
PVOID OutputData = NULL;
ULONG_PTR ulInputSize = 0;
ULONG_PTR ulOutputSize = 0;
char szProcessImageName[MAX] = { 0 };
ULONG32 ulProcessImageNameLength = 0;
ULONG32 ulProcessID = 0;

IrpSp = IoGetCurrentIrpStackLocation(Irp);
ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;

switch (ulIoControlCode)
{
case CTL_GETPROCESSIMAGNAMEBYID:
{
//InputData
//OutputData
InputData = OutputData = Irp->AssociatedIrp.SystemBuffer;
ulInputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
ulOutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;

if (InputData != NULL&&ulInputSize == sizeof(ULONG32))
{
memcpy(&ulProcessID, InputData, sizeof(ULONG32));
if (GetProcessImageNameByProcessID(ulProcessID, szProcessImageName, &ulProcessImageNameLength) == TRUE)
{
memcpy(OutputData, szProcessImageName, ulProcessImageNameLength);

Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = ulProcessImageNameLength;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return STATUS_SUCCESS;
}
}

break;
}
}
Irp->IoStatus.Status = STATUS_UNSUCCESSFUL;
Irp->IoStatus.Information = 0;

IoCompleteRequest(Irp, IO_NO_INCREMENT);

return STATUS_SUCCESS;
}

BOOLEAN GetProcessImageNameByProcessID(ULONG32 ulProcessID, char* szProcessImageName, ULONG32* ulProcessImageNameLength)
{

NTSTATUS Status;
PEPROCESS EProcess = NULL;
Status = PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess);

if (!NT_SUCCESS(Status))
{
return FALSE;
}

if (EProcess == NULL)
{
return FALSE;
}

ObDereferenceObject(EProcess); //給定對象的引用計數和執行保留檢查

if (strlen(PsGetProcessImageFileName(EProcess)) > MAX)
{
*ulProcessImageNameLength = MAX - 1;
}

else
{
*ulProcessImageNameLength = strlen(PsGetProcessImageFileName(EProcess));
}

memcpy(szProcessImageName, PsGetProcessImageFileName(EProcess), *ulProcessImageNameLength);

return TRUE;

}

NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{

Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);

return STATUS_SUCCESS;
}

?

代碼親測在win10下也有效。

轉載于:https://www.cnblogs.com/kekoukele987/p/7371358.html

總結

以上是生活随笔為你收集整理的暴力枚举进程的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。