暴力枚举进程
進程是操作系統中的一個非常重要的概念,學習的初級階段可以先想辦法枚舉出它們,為以后的深入學習奠定基礎。
枚舉進程有許多方法,比較簡單的有快照CreateToolhelp32Snapshot,psapi.dll提供的EnumProcesses()等。我們還可以通過進程ID去暴力枚舉,只是可能權限不夠,有些得不到,就需要驅動的幫忙了。
?
應用層:
#include <Windows.h>
#include <iostream>
using namespace std;
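// Size of the image-name buffer exchanged with the driver; must stay equal to the driver's MAX.
#define MAX 64
// IOCTL shared with the driver. FILE_ANY_ACCESS means the I/O manager requires no particular
// access right on the device handle, so the device's own security descriptor is the only gate.
#define CTL_GETPROCESSIMAGNAMEBYID CTL_CODE(FILE_DEVICE_UNKNOWN, 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS)
BOOL EnableDebugPrivilege();        // enable SeDebugPrivilege on the current process token
VOID EnumProcessByForce();          // probe candidate PIDs and ask the driver for each live one's image name
BOOL SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* dwReturn); // one IOCTL round trip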
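// Entry point: enable SeDebugPrivilege, then run the PID sweep.
// Returns 1 when the privilege cannot be enabled (otherwise OpenProcess fails for
// most system processes and the sweep would be nearly empty), 0 otherwise.
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    if (EnableDebugPrivilege() == FALSE)
    {
        // Report instead of exiting silently with a success code.
        cerr << "EnableDebugPrivilege failed (run as administrator)" << endl;
        return 1;
    }
    EnumProcessByForce();
    return 0;
}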
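// Walk candidate process IDs, use OpenProcess as an existence probe, and print the
// image name the driver returns for each PID that could be opened.
// Output format ("進程ID: <pid> <name>") is unchanged.
VOID EnumProcessByForce()
{
    char szProcessImageName[MAX] = { 0 };
    // PIDs are handed out in multiples of 4, so only those values are tried.
    // The upper bound is the same arbitrary ceiling the original used.
    for (int i = 0; i < 10000000; i += 4)
    {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, i);
        if (hProcess == NULL)
        {
            continue;   // no such process, or access denied even with SeDebugPrivilege
        }
        DWORD dwReturn = 0;
        if (SendIoControl(&i, sizeof(ULONG32), szProcessImageName, &dwReturn) == TRUE)
        {
            // dwReturn is whatever the driver reported; clamp it so the terminator
            // write can never land past the end of the buffer.
            if (dwReturn >= MAX)
            {
                dwReturn = MAX - 1;
            }
            szProcessImageName[dwReturn] = '\0';
            cout << "進程ID: " << i << " " << szProcessImageName << endl;
            memset(szProcessImageName, 0, MAX);
        }
        // The handle was only a probe; release it so the loop does not leak one per live process.
        CloseHandle(hProcess);
    }
}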
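// Send CTL_GETPROCESSIMAGNAMEBYID to the driver.
//   InputData/InputSize : the PID as the driver expects it (4 bytes)
//   OutputData          : must point to at least MAX bytes; MAX is what the driver is told
//   dwReturn            : receives the byte count the driver copied
// Returns TRUE when DeviceIoControl succeeded, FALSE if the device could not be opened
// or the request failed. The device is opened and closed on every call.
BOOL SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* dwReturn)
{
    HANDLE hDevice = CreateFile(L"\\\\.\\EnumProcessByForceLinkName",   // driver's DOS link name
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        return FALSE;   // driver not loaded, or caller lacks access to the device object
    }
    BOOL bOk = DeviceIoControl(hDevice,
        CTL_GETPROCESSIMAGNAMEBYID,
        InputData,
        InputSize,
        OutputData,
        MAX,
        dwReturn,
        NULL);
    // Single close path: the handle lives only for this call.
    CloseHandle(hDevice);
    return bOk ? TRUE : FALSE;
}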
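// Enable SeDebugPrivilege on the current process token.
// Returns TRUE only when the privilege is actually enabled. AdjustTokenPrivileges reports
// success even when the token does not hold the privilege (non-administrator); that case
// is only visible as GetLastError() == ERROR_NOT_ALL_ASSIGNED, which the original ignored.
BOOL EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    BOOL bOk = FALSE;
    LUID uID = { 0 };
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        TOKEN_PRIVILEGES TokenPrivilege = { 0 };
        TokenPrivilege.PrivilegeCount = 1;
        TokenPrivilege.Privileges[0].Luid = uID;
        TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        if (AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        {
            // TRUE return is not enough; check that the privilege was really assigned.
            bOk = (GetLastError() != ERROR_NOT_ALL_ASSIGNED) ? TRUE : FALSE;
        }
    }
    // One close path for every outcome after the token was opened.
    CloseHandle(hToken);
    return bOk;
}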
?
驅動層:
#include <ntifs.h>
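/* Size of the image-name buffer; must stay equal to the user-mode MAX. */
#define MAX 64
/* Constant wide-string names for the device object and its DOS link. */
#define DEVICE_NAME L"\\Device\\EnumProcessByForceDeviceName"
#define LINK_NAME L"\\DosDevices\\EnumProcessByForceLinkName"
/* Exported by the kernel but not declared in the public headers, so it is declared here.
 * NOTE(review): this is understood to return the short image file name kept in EPROCESS,
 * not a full path - confirm before relying on its length. */
extern char* PsGetProcessImageFileName(PEPROCESS EProcess);
BOOLEAN GetProcessImageNameByProcessID(ULONG32 ulProcessID, char* szProcessImageName, ULONG32* ulProcessImageNameLength);
NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);
/* Same IOCTL code as the user-mode side. METHOD_BUFFERED: input and output share
 * Irp->AssociatedIrp.SystemBuffer, and FILE_ANY_ACCESS imposes no handle-access requirement. */
#define CTL_GETPROCESSIMAGNAMEBYID \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS)
VOID DriverUnload(PDRIVER_OBJECT DriverObject);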
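/* Create the control device and its DOS link, then install the dispatch table.
 * Returns the NTSTATUS of the failing call (the original collapsed every failure
 * to STATUS_UNSUCCESSFUL and had an unreachable second return). */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
{
    NTSTATUS Status;
    UNICODE_STRING uniDeviceName;   /* device name */
    UNICODE_STRING uniLinkName;     /* DOS link name */
    PDEVICE_OBJECT DeviceObject = NULL;
    ULONG i;

    (void)RegisterPath;

    RtlInitUnicodeString(&uniDeviceName, DEVICE_NAME);
    DbgPrint("Hello 10.8\r\n");
    /* NOTE(review): no security descriptor is supplied, so the device relies on the default
     * one for FILE_DEVICE_UNKNOWN, and the IOCTL itself uses FILE_ANY_ACCESS. Whether
     * unprivileged users can open the link and query image names depends on that default;
     * restrict it if this is not intended. */
    Status = IoCreateDevice(DriverObject, 0, &uniDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }
    RtlInitUnicodeString(&uniLinkName, LINK_NAME);
    Status = IoCreateSymbolicLink(&uniLinkName, &uniDeviceName);
    if (!NT_SUCCESS(Status))
    {
        IoDeleteDevice(DeviceObject);   /* undo the device so the failed load leaves nothing behind */
        return Status;
    }
    DriverObject->DriverUnload = DriverUnload;
    /* Every major function completes successfully by default; only DEVICE_CONTROL does work. */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DriverObject->MajorFunction[i] = DefaultPassDispatch;
    }
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlPassDispatch;
    return STATUS_SUCCESS;
}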
/* Tear down the DOS link and every device object owned by this driver. */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uniLinkName;
    PDEVICE_OBJECT pDevice;

    /* Link first, then the devices it pointed at. */
    RtlInitUnicodeString(&uniLinkName, LINK_NAME);
    IoDeleteSymbolicLink(&uniLinkName);

    /* Walk DriverObject->DeviceObject, saving the successor before each delete
     * because the node is gone once IoDeleteDevice returns. */
    pDevice = DriverObject->DeviceObject;
    while (pDevice != NULL)
    {
        PDEVICE_OBJECT pNext = pDevice->NextDevice;
        IoDeleteDevice(pDevice);
        pDevice = pNext;
    }
}
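/* IRP_MJ_DEVICE_CONTROL handler.
 * CTL_GETPROCESSIMAGNAMEBYID: input is one ULONG32 PID, output is the image name
 * (no terminator; IoStatus.Information carries its length).
 * The original copied the name into the system buffer without checking the caller's
 * OutputBufferLength; with METHOD_BUFFERED that buffer is only max(in, out) bytes, so a
 * small output buffer would be overrun. Status codes are now set once and the dispatch
 * return matches IoStatus.Status. */
NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION IrpSp = IoGetCurrentIrpStackLocation(Irp);
    ULONG ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;
    PVOID SystemBuffer = Irp->AssociatedIrp.SystemBuffer;   /* shared in/out buffer (METHOD_BUFFERED) */
    ULONG ulInputSize = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
    ULONG ulOutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;
    char szProcessImageName[MAX] = { 0 };
    ULONG32 ulProcessImageNameLength = 0;
    ULONG32 ulProcessID = 0;
    NTSTATUS Status = STATUS_UNSUCCESSFUL;
    ULONG_PTR Information = 0;

    (void)DeviceObject;

    switch (ulIoControlCode)
    {
    case CTL_GETPROCESSIMAGNAMEBYID:
        if (SystemBuffer == NULL || ulInputSize != sizeof(ULONG32))
        {
            Status = STATUS_INVALID_PARAMETER;
            break;
        }
        memcpy(&ulProcessID, SystemBuffer, sizeof(ULONG32));
        if (GetProcessImageNameByProcessID(ulProcessID, szProcessImageName, &ulProcessImageNameLength) != TRUE)
        {
            /* No such process: keep STATUS_UNSUCCESSFUL, which the user-mode loop treats as "skip". */
            break;
        }
        /* Never write more than the caller's declared output size. */
        if (ulProcessImageNameLength > ulOutputSize)
        {
            Status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        memcpy(SystemBuffer, szProcessImageName, ulProcessImageNameLength);
        Information = ulProcessImageNameLength;
        Status = STATUS_SUCCESS;
        break;
    default:
        Status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = Information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}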
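/* Copy the image file name of process ulProcessID into szProcessImageName.
 *   szProcessImageName        : buffer of at least MAX bytes; receives at most MAX-1 bytes plus '\0'
 *   ulProcessImageNameLength  : receives the number of name bytes copied (terminator excluded)
 * Returns FALSE when the PID does not resolve to a process.
 * Fixes versus the original: the object reference is held until the name has been read
 * (it was dropped before use, leaving EProcess unprotected), the name is clamped to
 * MAX-1 rather than MAX so a terminator always fits, and the kernel export is called once. */
BOOLEAN GetProcessImageNameByProcessID(ULONG32 ulProcessID, char* szProcessImageName, ULONG32* ulProcessImageNameLength)
{
    NTSTATUS Status;
    PEPROCESS EProcess = NULL;
    const char* ImageName;
    size_t Length;

    /* Widen through ULONG_PTR so the int-to-pointer conversion is clean on 64-bit. */
    Status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)ulProcessID, &EProcess);
    if (!NT_SUCCESS(Status) || EProcess == NULL)
    {
        return FALSE;
    }

    ImageName = PsGetProcessImageFileName(EProcess);
    Length = strlen(ImageName);
    if (Length > MAX - 1)
    {
        Length = MAX - 1;   /* leave room for the terminator */
    }
    memcpy(szProcessImageName, ImageName, Length);
    szProcessImageName[Length] = '\0';
    *ulProcessImageNameLength = (ULONG32)Length;

    /* Release the reference taken by PsLookupProcessByProcessId only after the last use of EProcess. */
    ObDereferenceObject(EProcess);
    return TRUE;
}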
/* Default handler for every major function the driver does not implement:
 * complete the IRP with STATUS_SUCCESS and zero bytes transferred. */
NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    NTSTATUS Status = STATUS_SUCCESS;
    (void)DeviceObject;
    Irp->IoStatus.Information = 0;
    Irp->IoStatus.Status = Status;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}
?
代碼親測在win10下也有效。
轉載于:https://www.cnblogs.com/kekoukele987/p/7371358.html
總結