How Process Hacker Works (Part 1)
凤高翰
2023-12-01
Enumerating processes: call NtQuerySystemInformation with SystemProcessInformation (enum value 5) as the first parameter; the second parameter receives the output, a buffer of SYSTEM_PROCESS_INFORMATION structures. The structure is declared as follows:
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
ULONG HardFaultCount; // since WIN7
ULONG NumberOfThreadsHighWatermark; // since WIN7
ULONGLONG CycleTime; // since WIN7
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
The first field, NextEntryOffset, is the relative offset from this structure to the next SYSTEM_PROCESS_INFORMATION; following it from entry to entry walks the whole list of processes on the system.
Enumerating modules: call NtQueryInformationProcess with ProcessBasicInformation as the second parameter; the third parameter receives a PROCESS_BASIC_INFORMATION variable whose PebBaseAddress field is the address of the process's PEB.
The PEB_LDR_DATA that the PEB's PPEB_LDR_DATA pointer refers to holds three linked lists: InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList. Walking the first one, InLoadOrderModuleList, yields every module loaded in the process.
Enumerating threads: once process enumeration has produced a SYSTEM_PROCESS_INFORMATION structure, its second field gives the number of threads in that process and its last member holds the entries for all of those threads; looping over them enumerates every thread of the process.
Enumerating services: open the service control manager with OpenSCManager, then call EnumServicesStatusEx to enumerate the services. It returns the number of services and an array of service records in the form below, which is simply iterated.
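The list walk described above, as an added example (not Process Hacker's own code): InLoadOrderModuleList is a circular, doubly linked LIST_ENTRY list whose head is a sentinel embedded in PEB_LDR_DATA, and each node is the InLoadOrderLinks field at offset 0 of an LDR_DATA_TABLE_ENTRY, so CONTAINING_RECORD turns a node back into its module record. LDR_DATA_TABLE_ENTRY is reduced here to the fields the walk touches, BaseDllName is narrowed to a C string, and the three-module list is constructed, all of which are assumptions of this demo rather than ntdll's real layout.

```c
/* Added example, not Process Hacker's code: walking PEB_LDR_DATA's
 * InLoadOrderModuleList.  LDR_DATA_TABLE_ENTRY is reduced to the fields the
 * walk touches (the real one has more), but InLoadOrderLinks sits at offset 0
 * exactly as in ntdll, which is what CONTAINING_RECORD relies on. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY_ { struct _LIST_ENTRY_ *Flink, *Blink; } LIST_ENTRY_;
typedef struct {
    LIST_ENTRY_ InLoadOrderLinks;            /* offset 0: the list runs through here */
    LIST_ENTRY_ InMemoryOrderLinks;
    LIST_ENTRY_ InInitializationOrderLinks;
    void *DllBase, *EntryPoint;
    unsigned SizeOfImage;
    const char *BaseDllName;                 /* UNICODE_STRING in the real struct; narrowed here */
} LDR_ENTRY_;

#define CONTAINING_RECORD_(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Walk from the list head (a sentinel embedded in PEB_LDR_DATA, never a module
 * itself) until Flink comes back to it.  A cap plus a back-link check keep a
 * corrupted list from looping forever; returns the count, or -1 if malformed. */
int walk_load_order(const LIST_ENTRY_ *head, const LDR_ENTRY_ **out, int cap)
{
    int n = 0;
    for (const LIST_ENTRY_ *e = head->Flink; e != head; e = e->Flink) {
        if (n == cap || e->Blink == NULL || e->Blink->Flink != e) return -1;
        out[n++] = CONTAINING_RECORD_(e, LDR_ENTRY_, InLoadOrderLinks);
    }
    return n;
}

/* Constructed sample: a head plus three modules in load order (exe first). */
static LIST_ENTRY_ head;
static LDR_ENTRY_ mods[3] = {
    { .BaseDllName = "demo.exe" },
    { .BaseDllName = "ntdll.dll" },
    { .BaseDllName = "kernel32.dll" },
};
static void link_sample(void)
{
    LIST_ENTRY_ *prev = &head;
    for (int i = 0; i < 3; i++) {
        prev->Flink = &mods[i].InLoadOrderLinks;
        mods[i].InLoadOrderLinks.Blink = prev;
        prev = &mods[i].InLoadOrderLinks;
    }
    prev->Flink = &head;                     /* circular: last entry points back to the head */
    head.Blink = prev;
}

/* Join the walked names with commas into out; returns the module count. */
int sample_module_names(char *out, size_t cap)
{
    const LDR_ENTRY_ *found[8];
    link_sample();
    int n = walk_load_order(&head, found, 8);
    out[0] = '\0';
    for (int i = 0; i < n; i++)
        snprintf(out + strlen(out), cap - strlen(out), "%s%s", i ? "," : "", found[i]->BaseDllName);
    return n;
}
int sample_names_are(const char *expected)
{
    char buf[128];
    return sample_module_names(buf, sizeof buf) == 3 && strcmp(buf, expected) == 0;
}
/* Corruption case: the last entry's Flink is bent back to the second entry, so
 * a naive "loop until we reach the head" walk would never terminate. */
int sample_cycle_is_rejected(void)
{
    const LDR_ENTRY_ *found[8];
    link_sample();
    mods[2].InLoadOrderLinks.Flink = &mods[1].InLoadOrderLinks;
    int n = walk_load_order(&head, found, 8);
    link_sample();                           /* restore for later callers */
    return n == -1;
}
```

For a foreign process the same walk is done with ReadProcessMemory: read the PEB at PebBaseAddress, then PEB_LDR_DATA, then each node in turn, so the walker takes a read callback instead of dereferencing pointers. A 32-bit (WOW64) process has a 32-bit PEB and list layout, so a 64-bit tool must use the 32-bit structures for it.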
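The process and thread enumeration described above, as one added example (not Process Hacker's own code): a bounds-checked walk along NextEntryOffset that visits every SYSTEM_PROCESS_INFORMATION entry and reads the per-entry thread records. The struct layouts are re-declared with fixed-width types following the phnt x64 layout so a constructed buffer can be walked here without Windows (winternl.h only declares a reduced struct); the two-process sample buffer is constructed, not kernel output.

```c
/* Added example, not Process Hacker's code: walking the buffer that
 * NtQuerySystemInformation(SystemProcessInformation) fills.  Layouts follow
 * phnt for x64 so a constructed buffer can be walked off-Windows; a real build
 * would include <phnt.h> instead of re-declaring them. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint16_t Length, MaximumLength; uint16_t *Buffer; } UNICODE_STRING_;
typedef struct { void *UniqueProcess, *UniqueThread; } CLIENT_ID_;
typedef struct {
    int64_t KernelTime, UserTime, CreateTime; uint32_t WaitTime; void *StartAddress;
    CLIENT_ID_ ClientId; int32_t Priority, BasePriority;
    uint32_t ContextSwitches, ThreadState, WaitReason;
} SYSTEM_THREAD_INFORMATION_;
typedef struct {
    uint32_t NextEntryOffset, NumberOfThreads;
    int64_t WorkingSetPrivateSize;
    uint32_t HardFaultCount, NumberOfThreadsHighWatermark;
    uint64_t CycleTime;
    int64_t CreateTime, UserTime, KernelTime;
    UNICODE_STRING_ ImageName;                 /* Length is in bytes, not NUL-terminated */
    int32_t BasePriority;
    void *UniqueProcessId, *InheritedFromUniqueProcessId;
    uint32_t HandleCount, SessionId;
    uintptr_t UniqueProcessKey;
    size_t PeakVirtualSize, VirtualSize;
    uint32_t PageFaultCount;
    size_t PeakWorkingSetSize, WorkingSetSize, QuotaPeakPagedPoolUsage, QuotaPagedPoolUsage,
           QuotaPeakNonPagedPoolUsage, QuotaNonPagedPoolUsage, PagefileUsage, PeakPagefileUsage,
           PrivatePageCount;
    int64_t ReadOperationCount, WriteOperationCount, OtherOperationCount,
            ReadTransferCount, WriteTransferCount, OtherTransferCount;
    SYSTEM_THREAD_INFORMATION_ Threads[1];     /* actually NumberOfThreads entries */
} SPI;

typedef void (*visit_fn)(const SPI *proc, void *ctx);

/* Follow NextEntryOffset until it is 0 (the last entry).  Each step is checked
 * against the buffer length so a short or corrupted buffer can neither be read
 * past nor loop forever.  Returns the process count, or -1 if malformed. */
int walk_process_list(const uint8_t *buf, size_t len, visit_fn visit, void *ctx)
{
    size_t off = 0;
    int count = 0;
    for (;;) {
        if (len - off < offsetof(SPI, Threads)) return -1;   /* header overruns buffer */
        const SPI *p = (const SPI *)(buf + off);
        size_t need = offsetof(SPI, Threads) +
                      (size_t)p->NumberOfThreads * sizeof(SYSTEM_THREAD_INFORMATION_);
        if (len - off < need) return -1;                     /* thread array overruns */
        if (visit) visit(p, ctx);
        count++;
        if (p->NextEntryOffset == 0) break;
        if (p->NextEntryOffset < need) return -1;            /* overlapping entries */
        off += p->NextEntryOffset;
    }
    return count;
}

/* Thread enumeration: the entry's last member holds NumberOfThreads records. */
static void sum_threads(const SPI *p, void *ctx) { *(uint32_t *)ctx += p->NumberOfThreads; }

/* Constructed sample, not kernel output: pid 4 with 2 threads, then pid 1234
 * with 1 thread, laid out back to back the way the kernel lays them out. */
static uint8_t *build_sample(size_t *len_out)
{
    const uint32_t nthreads[2] = {2, 1};
    const uintptr_t pids[2] = {4, 1234};
    size_t sizes[2], total = 0, off = 0;
    for (int i = 0; i < 2; i++)
        total += sizes[i] = offsetof(SPI, Threads) + nthreads[i] * sizeof(SYSTEM_THREAD_INFORMATION_);
    uint8_t *buf = calloc(1, total);
    for (int i = 0; i < 2 && buf; i++) {
        SPI *p = (SPI *)(buf + off);
        SYSTEM_THREAD_INFORMATION_ *th = (SYSTEM_THREAD_INFORMATION_ *)(buf + off + offsetof(SPI, Threads));
        p->NumberOfThreads = nthreads[i];
        p->UniqueProcessId = (void *)pids[i];
        for (uint32_t t = 0; t < nthreads[i]; t++)
            th[t].ClientId.UniqueThread = (void *)(pids[i] * 4 + t);   /* fake TIDs */
        p->NextEntryOffset = (i == 1) ? 0 : (uint32_t)sizes[i];
        off += sizes[i];
    }
    *len_out = total;
    return buf;
}

/* Walk the sample with `truncate` bytes cut off its end; returns the process
 * count (-1 if rejected) and the thread total through *threads. */
int run_sample(size_t truncate, uint32_t *threads)
{
    size_t len; uint32_t n = 0;
    uint8_t *buf = build_sample(&len);
    int count = buf ? walk_process_list(buf, len - truncate, sum_threads, &n) : -1;
    if (threads) *threads = n;
    free(buf);
    return count;
}
uint32_t sample_thread_total(void) { uint32_t n = 0; run_sample(0, &n); return n; }
```

On Windows the buffer comes from NtQuerySystemInformation itself: the call returns STATUS_INFO_LENGTH_MISMATCH (0xC0000004) until the buffer is large enough, and the process list can grow between two calls, so callers loop, enlarging the buffer, until the call succeeds and then hand the buffer and ReturnLength to the walker. ImageName.Buffer points inside that same buffer, so the buffer must stay alive while names are in use.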
typedef struct _ENUM_SERVICE_STATUS_PROCESS {
LPTSTR lpServiceName;
LPTSTR lpDisplayName;
SERVICE_STATUS_PROCESS ServiceStatusProcess;
} ENUM_SERVICE_STATUS_PROCESS, *LPENUM_SERVICE_STATUS_PROCESS;
Enumerating network connections: obtain the exported functions GetExtendedTcpTable and GetExtendedUdpTable from iphlpapi.dll and call them to retrieve the TCPv4, TCPv6, UDPv4 and UDPv6 connection tables.
typedef struct {
DWORD dwNumEntries;
MIB_TCPROW_OWNER_MODULE table[ANY_SIZE];
} MIB_TCPTABLE_OWNER_MODULE, *PMIB_TCPTABLE_OWNER_MODULE;
The first member is the number of entries in the table; the second holds the detailed connection records.
typedef struct _MIB_TCPROW_OWNER_MODULE {
    union {
        DWORD         dwState;
        MIB_TCP_STATE State;
    };
    DWORD         dwLocalAddr;
    DWORD         dwLocalPort;
    DWORD         dwRemoteAddr;
    DWORD         dwRemotePort;
    DWORD         dwOwningPid;
    LARGE_INTEGER liCreateTimestamp;
    ULONGLONG     OwningModuleInfo[TCPIP_OWNING_MODULE_SIZE];
} MIB_TCPROW_OWNER_MODULE, *PMIB_TCPROW_OWNER_MODULE;
The dwOwningPid field is the PID of the process that owns the connection.
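Decoding the rows above, as an added example (not Process Hacker's own code): the addresses and ports in MIB_TCPROW_OWNER_MODULE are stored in network byte order, with the port in the low 16 bits of its DWORD, which is the detail most home-grown netstat clones get wrong. The layouts are copied from tcpmib.h with fixed-width types, and the two-row table is constructed rather than captured.

```c
/* Added example, not Process Hacker's code: decoding MIB_TCPROW_OWNER_MODULE
 * rows as returned by GetExtendedTcpTable(TCP_TABLE_OWNER_MODULE_ALL).  Layouts
 * are copied from tcpmib.h so a constructed table decodes off-Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCPIP_OWNING_MODULE_SIZE_ 16
typedef struct {
    uint32_t dwState, dwLocalAddr, dwLocalPort, dwRemoteAddr, dwRemotePort, dwOwningPid;
    int64_t liCreateTimestamp;
    uint64_t OwningModuleInfo[TCPIP_OWNING_MODULE_SIZE_];
} TCPROW_;
typedef struct { uint32_t dwNumEntries; TCPROW_ table[2]; } TCPTABLE_;   /* ANY_SIZE in the SDK */

/* MIB_TCP_STATE is 1-based: 1 = CLOSED ... 12 = DELETE_TCB. */
static const char *state_name(uint32_t s)
{
    static const char *names[] = { "?", "CLOSED", "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTAB",
        "FIN_WAIT1", "FIN_WAIT2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "DELETE_TCB" };
    return s < sizeof names / sizeof names[0] ? names[s] : "?";
}
/* Addresses are IPv4 in network byte order.  Ports are also network byte order,
 * carried in the low 16 bits of the DWORD: printing dwLocalPort raw shows port
 * 135 as 34560.  Swap the two low bytes instead of trusting the raw value. */
static unsigned port_of(uint32_t dw) { return ((dw & 0xff) << 8) | ((dw >> 8) & 0xff); }
static void ip_of(uint32_t a, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", a & 0xff, (a >> 8) & 0xff, (a >> 16) & 0xff, a >> 24);
}

/* Render one row as "STATE local -> remote pid=N", the way a netstat-style
 * view shows it; returns the number of characters written. */
int format_row(const TCPROW_ *r, char *out, size_t cap)
{
    char l[16], rm[16];
    ip_of(r->dwLocalAddr, l);
    ip_of(r->dwRemoteAddr, rm);
    return snprintf(out, cap, "%s %s:%u -> %s:%u pid=%u", state_name(r->dwState),
                    l, port_of(r->dwLocalPort), rm, port_of(r->dwRemotePort), r->dwOwningPid);
}

/* Constructed table (not a live capture), with the byte orders the API uses:
 * a listener on 0.0.0.0:135 owned by pid 900, and a loopback connection
 * 127.0.0.1:49152 -> 127.0.0.1:135 owned by pid 4321. */
static const TCPTABLE_ sample = { 2, {
    { 2, 0x00000000, 0x8700, 0x00000000, 0x0000, 900,  0, {0} },
    { 5, 0x0100007f, 0x00c0, 0x0100007f, 0x8700, 4321, 0, {0} },
} };

/* Format row idx of the sample and compare with expected; 1 on match. */
int sample_row_is(uint32_t idx, const char *expected)
{
    char buf[96];
    if (idx >= sample.dwNumEntries) return 0;       /* never index past dwNumEntries */
    format_row(&sample.table[idx], buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

The real table is fetched in two calls: GetExtendedTcpTable with a NULL buffer returns ERROR_INSUFFICIENT_BUFFER and the required size, then the second call with AF_INET and TCP_TABLE_OWNER_MODULE_ALL fills it. The IPv6 table uses MIB_TCP6ROW_OWNER_MODULE, whose addresses are 16 bytes plus a scope id, and GetOwnerModuleFromTcpEntry resolves OwningModuleInfo to the owning module's name.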
Enumerating handles: call NtQuerySystemInformation with SystemHandleInformation as the first parameter; it returns
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
NumberOfHandles is the total number of handles. The second field is declared as:
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
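Processing the handle table above, as an added example (not Process Hacker's own code): two queries a process tool builds from SYSTEM_HANDLE_TABLE_ENTRY_INFO, the per-process handle count and the set of processes sharing one kernel object. The entry layout is the one listed above re-declared with fixed-width types; the six-entry table, its object addresses, type indexes and access masks are all constructed for the demo.

```c
/* Added example, not Process Hacker's code: working with the handle table that
 * NtQuerySystemInformation(SystemHandleInformation) returns.  The entry layout
 * is the one listed above, re-declared with fixed-width types so a constructed
 * table can be processed off-Windows. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint16_t UniqueProcessId;     /* USHORT: PIDs and handle values above 65535 are
                                     truncated here, which is why Process Hacker queries
                                     SystemExtendedHandleInformation (ULONG_PTR fields) */
    uint16_t CreatorBackTraceIndex;
    uint8_t  ObjectTypeIndex;
    uint8_t  HandleAttributes;
    uint16_t HandleValue;
    void    *Object;              /* kernel address: only useful for comparison */
    uint32_t GrantedAccess;
} HANDLE_ENTRY_;

/* Number of handles pid holds; type_index 0 restricts nothing, otherwise only
 * handles to that object type count.  Type indexes differ between OS versions
 * and should be resolved via ObjectTypeInformation rather than hardcoded. */
size_t count_handles(const HANDLE_ENTRY_ *t, size_t n, uint16_t pid, uint8_t type_index)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (t[i].UniqueProcessId == pid && (type_index == 0 || t[i].ObjectTypeIndex == type_index))
            c++;
    return c;
}

/* Distinct processes holding a handle to the same kernel object (matched on the
 * Object pointer).  This is how a "who has this file or section open" view is
 * built from the table; a pid with several handles to the object counts once.
 * Returns the number of pids written, or -1 if the caller's array is too small. */
int owners_of_object(const HANDLE_ENTRY_ *t, size_t n, const void *object,
                     uint16_t *pids, int cap)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (t[i].Object != object) continue;
        int dup = 0;
        for (int j = 0; j < found; j++) if (pids[j] == t[i].UniqueProcessId) dup = 1;
        if (dup) continue;
        if (found == cap) return -1;
        pids[found++] = t[i].UniqueProcessId;
    }
    return found;
}

/* Constructed sample table (not a live snapshot).  obj_a/obj_b stand in for
 * two kernel objects; type indexes and access masks are illustrative only. */
static int obj_a, obj_b;
static const HANDLE_ENTRY_ sample[] = {
    { 4,    0, 7,  0, 0x04, &obj_a, 0x1fffff },
    { 900,  0, 42, 0, 0x8c, &obj_a, 0x120089 },
    { 900,  0, 42, 0, 0x90, &obj_b, 0x120089 },
    { 900,  0, 42, 0, 0x94, &obj_a, 0x120089 },   /* second handle to the same object */
    { 4321, 0, 7,  0, 0x1c, &obj_b, 0x001000 },
    { 4321, 0, 42, 0, 0x20, &obj_a, 0x100001 },
};
static const size_t sample_n = sizeof sample / sizeof sample[0];

size_t sample_count(uint16_t pid, uint8_t type_index)
{
    return count_handles(sample, sample_n, pid, type_index);
}
int sample_owners(int which)                 /* 0 = obj_a, 1 = obj_b */
{
    uint16_t pids[8];
    return owners_of_object(sample, sample_n, which ? &obj_b : &obj_a, pids, 8);
}
```

The table itself is obtained with the same STATUS_INFO_LENGTH_MISMATCH retry loop as the process list. To learn a handle's name or type, a tool duplicates it into its own process with NtDuplicateObject and queries the copy; Process Hacker does those queries on a worker thread with a timeout because querying some handle types (synchronous pipes, for instance) can block indefinitely.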