The process is a very important concept in an operating system; at the beginning stage of learning, first find a way to enumerate them, which lays the foundation for further study.
There are many ways to enumerate processes. The relatively simple ones are the CreateToolhelp32Snapshot snapshot API and EnumProcesses() provided by psapi.dll. We can also brute-force the enumeration by process ID, but we may not have enough permissions and some processes cannot be obtained that way, so a driver is needed to help.
Application layer:
#include <Windows.h>
#include <iostream>
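// Only pull in the two names the program uses instead of a file-scope
// `using namespace std;`.
using std::cout;
using std::endl;

// Size of the image-name buffer exchanged with the driver (bytes).
#define MAX 64

// Control code for "give me the image name of this PID". It must stay
// identical to the driver's definition (device type, function number,
// transfer method and access mask), otherwise the driver rejects the request.
#define CTL_GETPROCESSIMAGNAMEBYID CTL_CODE(FILE_DEVICE_UNKNOWN, 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS)

BOOL EnableDebugPrivilege();                                                            // Enable SeDebugPrivilege in our token
VOID EnumProcessByForce();                                                              // Brute-force enumeration over candidate PIDs
BOOL SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* DwReturn); // Send one request to the driver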
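/// Entry point: enable SeDebugPrivilege, then brute-force the PID space.
/// Returns 0 on success and 1 when the privilege could not be enabled
/// (the original silently returned 0 in that case, which hides the failure).
int main(int argc, char** argv)
{
    (void)argc;
    (void)argv;

    // Without SeDebugPrivilege OpenProcess fails for most processes owned
    // by other users, so the enumeration would be nearly empty; stop early.
    if (EnableDebugPrivilege() == FALSE)
    {
        std::cerr << "EnableDebugPrivilege failed, error " << GetLastError() << std::endl;
        return 1;
    }
    EnumProcessByForce();
    return 0;
}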
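/// Walk candidate process IDs, probe each one with OpenProcess and ask the
/// driver for the image name of every PID that answers.
///
/// Fixes relative to the original: the probe handle returned by OpenProcess
/// is now closed (it leaked once per live process), and the byte count the
/// driver reports is clamped before it is used as an index into the buffer.
VOID EnumProcessByForce()
{
    char szProcessImageName[MAX] = {0};

    // PIDs are always a multiple of 4, so stepping by 4 skips values that
    // can never be a PID.
    for (int i = 0; i < 10000000; i += 4)
    {
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, i);
        if (hProcess == NULL)
        {
            continue;   // no such process, or access denied
        }
        // The handle is only a liveness probe; release it right away.
        CloseHandle(hProcess);
        hProcess = NULL;

        // Ask the driver for the image name of this PID.
        DWORD dwReturn = 0;
        if (SendIoControl(&i, sizeof(ULONG32), szProcessImageName, &dwReturn) == TRUE)
        {
            // dwReturn comes from the driver; keep the terminator inside the
            // MAX-byte buffer even if the driver reports a larger count.
            if (dwReturn >= MAX)
            {
                dwReturn = MAX - 1;
            }
            szProcessImageName[dwReturn] = '\0';
            cout << "Process ID: " << i << " " << szProcessImageName << endl;
            memset(szProcessImageName, 0, MAX);
        }
    }
}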
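/// Send one CTL_GETPROCESSIMAGNAMEBYID request to the driver.
///
/// @param InputData  PID to look up (the driver expects exactly sizeof(ULONG32) bytes).
/// @param InputSize  Size of *InputData in bytes.
/// @param OutputData Buffer of at least MAX bytes that receives the image name.
/// @param DwReturn   Receives the number of bytes the driver wrote.
/// @return TRUE when the driver completed the request successfully, else FALSE.
///
/// The device is opened and closed on every call; that is simple but costly
/// when called once per PID. The explicit CreateFileW avoids depending on the
/// UNICODE macro, since the link name is a wide literal.
BOOL SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* DwReturn)
{
    // Open the DosDevices link the driver created; it must match LINK_NAME.
    HANDLE hDevice = CreateFileW(L"\\\\.\\EnumProcessByForceLinkName",
                                 GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL,
                                 OPEN_EXISTING,
                                 FILE_ATTRIBUTE_NORMAL,
                                 NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        return FALSE;
    }

    // The output length passed here (MAX) is what the driver must respect.
    BOOL bOk = DeviceIoControl(hDevice,
                               CTL_GETPROCESSIMAGNAMEBYID,
                               InputData,
                               InputSize,
                               OutputData,
                               MAX,
                               DwReturn,
                               NULL);

    // Single exit so the handle is released on every path.
    CloseHandle(hDevice);
    return (bOk == FALSE) ? FALSE : TRUE;
}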
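/// Enable SeDebugPrivilege in the current process token.
///
/// @return TRUE when the privilege is now enabled, FALSE otherwise.
///
/// AdjustTokenPrivileges returns TRUE even when the token does not hold the
/// privilege at all (for example when run as a standard user); in that case
/// GetLastError() is ERROR_NOT_ALL_ASSIGNED. The original ignored this and
/// reported success, so the caller went on to enumerate with no privilege.
BOOL EnableDebugPrivilege()
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES tokenPrivilege;
    LUID uid;

    // Open our own token with the rights needed to query and adjust privileges.
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uid))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    tokenPrivilege.PrivilegeCount = 1;
    tokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    tokenPrivilege.Privileges[0].Luid = uid;

    // Capture the error code before CloseHandle can overwrite it.
    BOOL bOk = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
    DWORD lastError = GetLastError();
    CloseHandle(hToken);
    hToken = NULL;

    if (!bOk || lastError == ERROR_NOT_ALL_ASSIGNED)
    {
        return FALSE;
    }
    return TRUE;
}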
Driver layer:
#include <ntifs.h>
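// Size of the image-name buffer exchanged with user mode (bytes).
#define MAX 64
#define DEVICE_NAME L"\\Device\\EnumProcessByForceDeviceName"   // NT device name
#define LINK_NAME   L"\\DosDevices\\EnumProcessByForceLinkName" // Win32-visible link opened by user mode

// Exported by the kernel but not declared in the public headers, so it is
// declared here. It returns a pointer to the image file name kept in the
// EPROCESS; the pointer is only valid while the EPROCESS is referenced.
extern char* PsGetProcessImageFileName(PEPROCESS EProcess);

BOOLEAN GetProcessImageNameByProcessId(ULONG32 ulProcessId, char* szProcessImageName, ULONG32* ulProcessImageNameLength);
NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);
NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp);

// Must be identical to the user-mode definition. FILE_ANY_ACCESS means the
// IOCTL itself imposes no access check; whatever restriction exists comes
// from the device object's security descriptor.
#define CTL_GETPROCESSIMAGNAMEBYID \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x830, METHOD_BUFFERED, FILE_ANY_ACCESS)

VOID DriverUnload(PDRIVER_OBJECT DriverObject);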
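// Driver entry: create the control device and its DosDevices link, then
// route every major function to DefaultPassDispatch except
// IRP_MJ_DEVICE_CONTROL, which goes to ControlPassDispatch.
//
// Failures now propagate the real NTSTATUS from the I/O manager instead of
// collapsing to STATUS_UNSUCCESSFUL; the unreachable second `return` and the
// meaningless `DriverObject = NULL` after IoDeleteDevice are gone.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
{
    NTSTATUS status;
    UNICODE_STRING uniDeviceName;       // NT device name
    UNICODE_STRING uniLinkName;         // DosDevices link name
    PDEVICE_OBJECT deviceObject = NULL;
    int i = 0;

    UNREFERENCED_PARAMETER(RegisterPath);

    DbgPrint("Hello 10.8\r\n");

    RtlInitUnicodeString(&uniDeviceName, DEVICE_NAME);
    // NOTE(review): no security descriptor is supplied, so the device gets
    // default security and, combined with FILE_ANY_ACCESS on the IOCTL, any
    // local user can query image names through it. Fine for a lab driver;
    // restrict the device ACL before using this anywhere else.
    status = IoCreateDevice(DriverObject, 0, &uniDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    // Create the link user mode opens as \\.\EnumProcessByForceLinkName.
    RtlInitUnicodeString(&uniLinkName, LINK_NAME);
    status = IoCreateSymbolicLink(&uniLinkName, &uniDeviceName);
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(deviceObject);
        return status;
    }

    DriverObject->DriverUnload = DriverUnload;
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DriverObject->MajorFunction[i] = DefaultPassDispatch;
    }
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlPassDispatch;

    return STATUS_SUCCESS;
}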
// Unload: remove the DosDevices link, then delete every device object that
// hangs off this driver object.
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uniLinkName;
    PDEVICE_OBJECT current = NULL;

    // Remove the link first so user mode can no longer open the device.
    RtlInitUnicodeString(&uniLinkName, LINK_NAME);
    IoDeleteSymbolicLink(&uniLinkName);

    // NextDevice is read before IoDeleteDevice because the object must not
    // be touched after it has been handed back to the I/O manager.
    for (current = DriverObject->DeviceObject; current != NULL; )
    {
        PDEVICE_OBJECT next = current->NextDevice;
        IoDeleteDevice(current);
        current = next;
    }
}
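// IRP_MJ_DEVICE_CONTROL handler.
//
// CTL_GETPROCESSIMAGNAMEBYID: input is one ULONG32 PID, output is the
// image name (not NUL-terminated; the byte count is returned in
// IoStatus.Information).
//
// Fix relative to the original: the caller's OutputBufferLength was read but
// never checked before the memcpy into the system buffer. With
// METHOD_BUFFERED the system buffer is only as large as the bigger of the
// two caller-supplied lengths, so a small output buffer from user mode would
// have been overrun in kernel pool. The dispatch routine now also returns
// the same status it stores in the IRP.
NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    PIO_STACK_LOCATION irpSp = NULL;
    ULONG_PTR ulIoControlCode = 0;
    PVOID inputData = NULL;
    PVOID outputData = NULL;
    ULONG_PTR ulInputSize = 0;
    ULONG_PTR ulOutputSize = 0;
    char szProcessImageName[MAX] = {0};
    ULONG32 ulProcessImageNameLength = 0;
    ULONG32 ulProcessId = 0;
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;   // unknown IOCTL
    ULONG_PTR information = 0;

    UNREFERENCED_PARAMETER(DeviceObject);

    irpSp = IoGetCurrentIrpStackLocation(Irp);
    ulIoControlCode = irpSp->Parameters.DeviceIoControl.IoControlCode;

    switch (ulIoControlCode)
    {
    case CTL_GETPROCESSIMAGNAMEBYID:
    {
        // METHOD_BUFFERED: input and output share one system buffer.
        inputData = outputData = Irp->AssociatedIrp.SystemBuffer;
        ulInputSize = irpSp->Parameters.DeviceIoControl.InputBufferLength;
        ulOutputSize = irpSp->Parameters.DeviceIoControl.OutputBufferLength;

        if (inputData == NULL || ulInputSize != sizeof(ULONG32))
        {
            status = STATUS_INVALID_PARAMETER;
            break;
        }
        RtlCopyMemory(&ulProcessId, inputData, sizeof(ULONG32));

        if (GetProcessImageNameByProcessId(ulProcessId, szProcessImageName, &ulProcessImageNameLength) != TRUE)
        {
            status = STATUS_UNSUCCESSFUL;
            break;
        }

        // Bound the copy by what the caller said it can receive.
        if (ulOutputSize < ulProcessImageNameLength)
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        RtlCopyMemory(outputData, szProcessImageName, ulProcessImageNameLength);
        information = ulProcessImageNameLength;
        status = STATUS_SUCCESS;
        break;
    }
    default:
        break;
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}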
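// Copy the image file name of the process with the given PID into
// szProcessImageName (at most MAX-1 bytes, no terminator) and report the
// byte count through ulProcessImageNameLength.
//
// Returns TRUE on success, FALSE when the PID does not resolve to a process
// or an output pointer is NULL.
//
// Fixes relative to the original: the EPROCESS reference is dropped only
// after the name has been copied (the original dereferenced first and then
// read through the object, which is a use-after-release once the last
// reference is gone), and the length is capped at MAX-1 rather than MAX so
// the caller's terminator write at [length] stays inside its MAX-byte buffer.
BOOLEAN GetProcessImageNameByProcessId(ULONG32 ulProcessId, char* szProcessImageName, ULONG32* ulProcessImageNameLength)
{
    NTSTATUS status;
    PEPROCESS eProcess = NULL;
    const char* imageName = NULL;
    size_t nameLength = 0;

    if (szProcessImageName == NULL || ulProcessImageNameLength == NULL)
    {
        return FALSE;
    }

    // On success the returned EPROCESS carries a reference we own until
    // ObDereferenceObject below.
    status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)ulProcessId, &eProcess);
    if (!NT_SUCCESS(status) || eProcess == NULL)
    {
        return FALSE;
    }

    imageName = PsGetProcessImageFileName(eProcess);
    nameLength = strlen(imageName);
    if (nameLength >= MAX)
    {
        nameLength = MAX - 1;
    }
    RtlCopyMemory(szProcessImageName, imageName, nameLength);
    *ulProcessImageNameLength = (ULONG32)nameLength;

    // Last use of eProcess (and of imageName, which points into it) is above.
    ObDereferenceObject(eProcess);
    return TRUE;
}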
// Handler for every major function the driver does not implement
// (create, close, ...): complete the IRP immediately with success and
// zero bytes transferred.
NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(DeviceObject);

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}
The code was also tested and works under Windows 10.
Brute-force process enumeration