来一份香香的过检测代码，有需要的自己补全吧。oh yeah.

猴岛论坛跑跑卡丁车来一份香香的过检测代码，有需要的自己补全吧。oh yeah.

倒序阅读最近浏览的帖子最近浏览的版块

« 返回列表

5个回复

来一份香香的过检测代码，有需要的自己补全吧。oh yeah.

楼层直达

小枫工作组

ZxID：17878826

等级: 上尉

举报只看楼主使用道具楼主发表于: 2012-12-09 0

1.#include <stdio.h>
2.#include <windows.h>
3.#include <string.h>
4.
5.typedef LONG NTSTATUS;
6.
7.#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
8.#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
9.#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
10.#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
11.#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
12.#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
13.
14.
15.
16.typedef enum _SYSTEM_INFORMATION_CLASS
17.{
18. SystemBasicInformation, // 0 Y N
19. SystemProcessorInformation, // 1 Y N
20. SystemPerformanceInformation, // 2 Y N
21. SystemTimeOfDayInformation, // 3 Y N
22. SystemNotImplemented1, // 4 Y N
23. SystemProcessesAndThreadsInformation, // 5 Y N
24. SystemCallCounts, // 6 Y N
25. SystemConfigurationInformation, // 7 Y N
26. SystemProcessorTimes, // 8 Y N
27. SystemGlobalFlag, // 9 Y Y
28. SystemNotImplemented2, // 10 Y N
29. SystemModuleInformation, // 11 Y N
30. SystemLockInformation, // 12 Y N
31. SystemNotImplemented3, // 13 Y N
32. SystemNotImplemented4, // 14 Y N
33. SystemNotImplemented5, // 15 Y N
34. SystemHandleInformation, // 16 Y N
35. SystemObjectInformation, // 17 Y N
36. SystemPagefileInformation, // 18 Y N
37. SystemInstructionEmulationCounts, // 19 Y N
38. SystemInvalidInfoClass1, // 20
39. SystemCacheInformation, // 21 Y Y
40. SystemPoolTagInformation, // 22 Y N
41. SystemProcessorStatistics, // 23 Y N
42. SystemDpcInformation, // 24 Y Y
43. SystemNotImplemented6, // 25 Y N
44. SystemLoadImage, // 26 N Y
45. SystemUnloadImage, // 27 N Y
46. SystemTimeAdjustment, // 28 Y Y
47. SystemNotImplemented7, // 29 Y N
48. SystemNotImplemented8, // 30 Y N
49. SystemNotImplemented9, // 31 Y N
50. SystemCrashDumpInformation, // 32 Y N
51. SystemExceptionInformation, // 33 Y N
52. SystemCrashDumpStateInformation, // 34 Y Y/N
53. SystemKernelDebuggerInformation, // 35 Y N
54. SystemContextSwitchInformation, // 36 Y N
55. SystemRegistryQuotaInformation, // 37 Y Y
56. SystemLoadAndCallImage, // 38 N Y
57. SystemPrioritySeparation, // 39 N Y
58. SystemNotImplemented10, // 40 Y N
59. SystemNotImplemented11, // 41 Y N
60. SystemInvalidInfoClass2, // 42
61. SystemInvalidInfoClass3, // 43
62. SystemTimeZoneInformation, // 44 Y N
63. SystemLookasideInformation, // 45 Y N
64. SystemSetTimeSlipEvent, // 46 N Y
65. SystemCreateSession, // 47 N Y
66. SystemDeleteSession, // 48 N Y
67. SystemInvalidInfoClass4, // 49
68. SystemRangeStartInformation, // 50 Y N
69. SystemVerifierInformation, // 51 Y Y
70. SystemAddVerifier, // 52 N Y
71. SystemSessionProcessesInformation // 53 Y N
72.
73.} SYSTEM_INFORMATION_CLASS;
74.
75.typedef struct _LSA_UNICODE_STRING
76.{
77. USHORT Length;
78. USHORT MaximumLength;
79. PWSTR Buffer;
80.
81.} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
82.
83.typedef struct _CLIENT_ID
84.{
85. HANDLE UniqueProcess;
86. HANDLE UniqueThread;
87.
88.} CLIENT_ID;
89.
90.typedef enum _THREAD_STATE
91.{
92. StateInitialized,
93. StateReady,
94. StateRunning,
95. StateStandby,
96. StateTerminated,
97. StateWait,
98. StateTransition,
99. StateUnknown
100.
101.} THREAD_STATE;
102.
103.typedef enum _KWAIT_REASON
104.{
105. Executive,
106. FreePage,
107. PageIn,
108. PoolAllocation,
109. DelayExecution,
110. Suspended,
111. UserRequest,
112. WrExecutive,
113. WrFreePage,
114. WrPageIn,
115. WrPoolAllocation,
116. WrDelayExecution,
117. WrSuspended,
118. WrUserRequest,
119. WrEventPair,
120. WrQueue,
121. WrLpcReceive,
122. WrLpcReply,
123. WrVirtualMemory,
124. WrPageOut,
125. WrRendezvous,
126. Spare2,
127. Spare3,
128. Spare4,
129. Spare5,
130. Spare6,
131. WrKernel
132.
133.} KWAIT_REASON;
134.
135./*typedef struct _IO_COUNTERS
136.{
137. LARGE_INTEGER ReadOperationCount; //I/O读操作数目
138. LARGE_INTEGER WriteOperationCount; //I/O写操作数目
139. LARGE_INTEGER OtherOperationCount; //I/O其他操作数目
140. LARGE_INTEGER ReadTransferCount; //I/O读数据数目
141. LARGE_INTEGER WriteTransferCount; //I/O写数据数目
142. LARGE_INTEGER OtherTransferCount; //I/O其他操作数据数目
143.
144.} IO_COUNTERS, *PIO_COUNTERS;
145. */
146.typedef struct _VM_COUNTERS
147.{
148. ULONG PeakVirtualSize; //虚拟存储峰值大小
149. ULONG VirtualSize; //虚拟存储大小
150. ULONG PageFaultCount; //页故障数目
151. ULONG PeakWorkingSetSize; //工作集峰值大小
152. ULONG WorkingSetSize; //工作集大小
153. ULONG QuotaPeakPagedPoolUsage; //分页池使用配额峰值
154. ULONG QuotaPagedPoolUsage; //分页池使用配额
155. ULONG QuotaPeakNonPagedPoolUsage; //非分页池使用配额峰值
156. ULONG QuotaNonPagedPoolUsage; //非分页池使用配额
157. ULONG PagefileUsage; //页文件使用情况
158. ULONG PeakPagefileUsage; //页文件使用峰值
159.
160.} VM_COUNTERS, *PVM_COUNTERS;
161.
162.typedef LONG KPRIORITY;
163.
164.typedef struct _SYSTEM_THREADS
165.{
166. LARGE_INTEGER KernelTime;
167. LARGE_INTEGER UserTime;
168. LARGE_INTEGER CreateTime;
169. ULONG WaitTime;
170. PVOID StartAddress;
171. CLIENT_ID ClientId;
172. KPRIORITY Priority;
173. KPRIORITY BasePriority;
174. ULONG ContextSwitchCount;
175. THREAD_STATE State;
176. KWAIT_REASON WaitReason;
177.
178.} SYSTEM_THREADS, *PSYSTEM_THREADS;
179.
180.typedef struct _SYSTEM_PROCESSES
181.{
182. ULONG NextEntryDelta;
183. ULONG ThreadCount;
184. ULONG Reserved1[6];
185. LARGE_INTEGER CreateTime;
186. LARGE_INTEGER UserTime;
187. LARGE_INTEGER KernelTime;
188. UNICODE_STRING ProcessName;
189. KPRIORITY BasePriority;
190. ULONG ProcessId;
191. ULONG InheritedFromProcessId;
192. ULONG HandleCount;
193. ULONG Reserved2[2];
194. VM_COUNTERS VmCounters;
195. IO_COUNTERS IoCounters;
196. SYSTEM_THREADS Threads[1];
197.
198.} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
199.
200.typedef struct _THREAD_DATA
201.{
202. ULONG ProcessId;
203. ULONG ThreadAddr;
204. ULONG ThreadSize;
205.}THREAD_DATA,*PTHREAD_DATA;
206.
207.typedef struct _SYSTEM_BASIC_INFORMATION
208.{
209. BYTE Reserved1[24];
210. PVOID Reserved2[4];
211. CCHAR NumberOfProcessors;
212.
213.} SYSTEM_BASIC_INFORMATION;
214.
215.typedef struct tagSYSTEM_MODULE_INFORMATION {
216. ULONG Reserved[2];
217. PVOID Base;
218. ULONG Size;
219. ULONG Flags;
220. USHORT Index;
221. USHORT Unknown;
222. USHORT LoadCount;
223. USHORT ModuleNameOffset;
224. CHAR ImageName[256];
225.} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
226.
227.typedef struct _SYSTEM_HANDLE_INFORMATION
228.{
229. ULONG ProcessId;
230. UCHAR ObjectTypeNumber;
231. UCHAR Flags;
232. USHORT Handle;
233. PVOID Object;
234. ACCESS_MASK GrantedAccess;
235.} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
236.
237.typedef struct _MODULE_DATA
238.{
239. ULONG Base;
240. ULONG Size;
241. USHORT ModuleNameOffset;
242. CHAR ImageName[256];
243.}MODULE_DATA,*PMODULE_DATA;
244.
245.typedef NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);
246.
247./*inline void SleepFunc()
248.{
249. _asm
250. {
251. push 0x1000000
252. jmp Sleep
253. }
254.}*/
255.
256.static DWORD GetEprocessFromPid ( ULONG PID )
257.{
258. NTSTATUS status;
259. PVOID buf = NULL;
260. ULONG size = 1;
261. ULONG NumOfHandle = 0;
262. ULONG i;
263. PSYSTEM_HANDLE_INFORMATION h_info = NULL;
264. static NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
265. for ( size = 1; ; size *= 2 )
266. {
267. if ( NULL == ( buf = calloc( size, 1 ) ) )
268. {
269. fprintf( stderr, "calloc( %u, 1 ) failed/n", size );
270. goto GetEprocessFromPid_exit;
271. }
272. status = NtQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
273. if ( !NT_SUCCESS( status ) )
274. {
275. if ( STATUS_INFO_LENGTH_MISMATCH == status )
276. {
277. free( buf );
278. buf = NULL;
279. }
280. else
281. {
282. printf( "NtQuerySystemInformation() failed");
283. goto GetEprocessFromPid_exit;
284. }
285. }
286. else
287. {
288. break;
289. }
290. } /* end of for */
291.
292. //返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
293. NumOfHandle = (ULONG)buf;
294.
295. h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
296.
297. for(i = 0; i<NumOfHandle ;i++)
298. {
299. if( ( h_info[i].ProcessId == PID )&&( h_info[i].ObjectTypeNumber == 5 ))//&&( h_info[i].Handle==0x3d8 ) )
300. {
301. printf("Handle:0x%x,OBJECT 0x%x/n/r",h_info[i].Handle,h_info[i].Object);
302. return((DWORD)(h_info[i].Object));
303. }
304. }
305.GetEprocessFromPid_exit:
306. if ( buf != NULL )
307. {
308. free( buf );
309. buf = NULL;
310. }
311. return(FALSE);
312.}
313.
314.
315./*extern "C" NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
316. IN ULONG SystemInformationClass,
317. IN PVOID SystemInformation,
318. IN ULONG SystemInformationLength,
319. OUT PULONG ReturnLength); */
320.MODULE_DATA mda = {0,0,0,0};
321.THREAD_DATA tda[128] = {0,0,0};
322.int Count = 0;
323.
324.ULONG EnumData();
325.
326.ULONG SearchFeature(ULONG nAddr,BYTE* pFeature,ULONG nLeng)
327.{
328. char szStatus[256]="";
329. int i=5000;
330.
331. while(i--)
332. {
333. memcpy(szStatus,(BYTE*)nAddr,nLeng);
334.
335. if (memcmp(pFeature,szStatus,nLeng)==nLeng)
336. {
337. return nAddr+nLeng;
338. }
339. nAddr++;
340. }
341.
342. return 0;
343.}
344.
345.void ChangeThread(ULONG ThreadAddr,ULONG ThreadSize,HANDLE hProcess,ULONG VirtualBuffer)
346.{
347. // ff 15 地址
348. BYTE* ICS_Point = NULL;
349. ULONG ICS_Addr = 0;
350. ULONG migration = ThreadAddr;
351. BYTE Feature[2] = {0xff,0x15};
352. BYTE* lpBuffer = NULL;
353. lpBuffer = new BYTE[4];
354. ICS_Point = new BYTE[4];
355. *(ULONG*)lpBuffer = VirtualBuffer;
356. while(migration < ThreadAddr + ThreadSize)
357. {
358. migration = SearchFeature(ThreadAddr,(BYTE*)Feature,2);
359. //ICS_Point = (PVOID)(*(ULONG*)migration);
360. ReadProcessMemory(
361. hProcess,
362. (LPCVOID)migration,
363. ICS_Point,
364. (ULONG)4,
365. NULL
366. );
367. ICS_Addr = *(ULONG*)ICS_Point;
368. WriteProcessMemory(hProcess,(LPVOID)ICS_Addr,lpBuffer,(ULONG)4,NULL);
369. }
370. delete []ICS_Point;
371. delete []lpBuffer;
372.}
373.
374.ULONG GetThreadSize(ULONG MyThreadAddr,ULONG ProcessID)
375.{
376. ULONG ThreadSize = 0;
377. BYTE* ThreadAddr = NULL;
378. PVOID VirtualBuffer = NULL;
379. ThreadAddr = new BYTE[1024*4];
380. ULONG nSize = 1024*4;
381. //PDWORD lpflOldProtect = NULL;
382. ULONG lpNumberOfBytesRead = 0;
383. HANDLE ProcessHandle;
384. ProcessHandle=OpenProcess(PROCESS_ALL_ACCESS,false,ProcessID);
385. VirtualProtectEx(ProcessHandle, // 要修改内存的进程句柄　
386. (LPVOID)MyThreadAddr, // 要修改内存的起始地址　　
387. nSize, // 修改内存的字节　
388. PAGE_READWRITE, // 修改后的内存属性　　
389. NULL // 修改前的内存属性的地址
390. );
391. VirtualBuffer = (PVOID)VirtualAllocEx(ProcessHandle,NULL,4*1024,MEM_COMMIT,PAGE_READWRITE);
392. ULONG SleepAddr = (ULONG)Sleep+(ULONG)VirtualBuffer+10;
393. {
394. *(BYTE*)VirtualBuffer = 0x68;
395. *(ULONG*)((ULONG)VirtualBuffer+1) = 0x1000000;
396. *(BYTE*)((ULONG)VirtualBuffer+5) = 0xe9;
397. *(ULONG*)((ULONG)VirtualBuffer+9) = SleepAddr;
398. }
399. /*inline void SleepFunc()
400.{
401. _asm
402. {
403. push 0x1000000 68 00000001
404. jmp Sleep e9 SleepAddr+5+5+VirtualBuffer
405. }
406.}*/
407. ReadProcessMemory(
408. ProcessHandle,
409. (LPCVOID)MyThreadAddr,
410. ThreadAddr,
411. nSize,
412. (SIZE_T *)lpNumberOfBytesRead
413. );
414.
415. do
416. {
417. ThreadAddr++;
418. ThreadSize++;
419. if(ThreadSize > 1000*4)
420. {
421. break;
422. }
423. }while(!((*(BYTE*)ThreadAddr==0xc3)&&(*(BYTE*)(ThreadAddr+1)==0x0)&&(*(BYTE*)(ThreadAddr+2)==0x0)&&(*(BYTE*)(ThreadAddr+3)==0x0)&&
424. (*(BYTE*)(ThreadAddr+4)==0x0))&&!((*(char*)ThreadAddr==0xc2)&&(*(char*)(ThreadAddr+3)==0x0)&&
425. (*(char*)(ThreadAddr+4)==0x0)&&(*(char*)(ThreadAddr+5)==0x0)&&(*(char*)(ThreadAddr+6)==0x0))&&!((*(char*)ThreadAddr==0xc3)&&(*(char*)(ThreadAddr+1)==0xcc)&&
426. (*(char*)(ThreadAddr+2)==0xcc)&&(*(char*)(ThreadAddr+3)==0xcc)&&(*(char*)(ThreadAddr+4)==0xcc))&&!((*(char*)ThreadAddr==0xc2)&&(*(char*)(ThreadAddr+3)==0xcc)&&
427. (*(char*)(ThreadAddr+4)==0xcc)&&(*(char*)(ThreadAddr+5)==0xcc)&&(*(char*)(ThreadAddr+6)==0xcc)));
428. ChangeThread(MyThreadAddr,ThreadSize,ProcessHandle,(ULONG)VirtualBuffer);
429. delete []ThreadAddr;
430. CloseHandle(ProcessHandle);
431.
432. return ThreadSize;
433.}
434.
435.
436.ULONG EnumeData()
437.{
438. char* HsSrv = "ehsvc.dll";
439. NTSTATUS status;
440.
441. //extern MODULE_DATA mda ;
442. //extern THREAD_DATA tda[128] ;
443. //extern int Count;
444.
445. HINSTANCE ntdll_dll = GetModuleHandle("ntdll.dll");
446.
447. if (ntdll_dll == NULL) {
448. printf("load ntdll.dll failed.\n");
449. return -1;
450. }
451.
452. NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
453.
454. ZwQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");
455. if ( ZwQuerySystemInformation!=NULL )
456. {
457. DWORD dwNeedSize = 0;
458. BYTE *pBuffer = NULL;
459.
460. status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &dwNeedSize);
461. if (status == STATUS_INFO_LENGTH_MISMATCH) {
462. pBuffer = new BYTE[dwNeedSize];
463. status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, dwNeedSize, &dwNeedSize);
464. if (status == STATUS_SUCCESS) {
465. UINT count = *((UINT*)pBuffer);
466.
467. PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
468. for (UINT i = 0; i < count; i++) {
469. if(!_strnicmp((CHAR*)(pmi->ImageName + pmi->ModuleNameOffset),HsSrv,sizeof(HsSrv)))
470. {
471. mda.Base = (ULONG)pmi->Base;
472. mda.Size = pmi->Size;
473. mda.ModuleNameOffset = pmi->ModuleNameOffset;
474. pmi++;
475. }
476. else
477. {
478. return -1;
479. }
480. }
481. }
482. delete []pBuffer;
483. }
484.
485.///////////// /////////////////////////////////////////////////////////////////////////////////////
486. //printf("---------------------所有进程信息----------------------------------------\n");
487. PSYSTEM_PROCESSES psp=NULL;
488. status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);
489. if ( status == STATUS_INFO_LENGTH_MISMATCH ) {
490. pBuffer = new BYTE[dwNeedSize];
491. status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, NULL);
492. if ( status == STATUS_SUCCESS )
493. {
494. psp = (PSYSTEM_PROCESSES)pBuffer;
495.
496. do {
497. //printf("%-4d", psp->ProcessId);
498. //printf(" %3d", psp->ThreadCount);
499.
500. //printf(" %8dKB", psp->VmCounters.WorkingSetSize/1024);
501. //wprintf(L" %s\n", psp->ProcessName.Buffer);
502. for(ULONG j = 0;j < psp->ThreadCount;j++)
503. {
504. if((ULONG)psp->Threads[j].StartAddress >=mda.Base && (ULONG)psp->Threads[j].StartAddress <=mda.Size && (ULONG)psp->Threads[j].StartAddress<0x80000000)
505. {
506. Count++;
507. tda[Count].ProcessId = (ULONG)psp->Threads[j].ClientId.UniqueProcess;
508. tda[Count].ThreadAddr = (ULONG)psp->Threads[j].StartAddress;
509. tda[Count].ThreadSize = GetThreadSize((ULONG)tda[Count].ThreadAddr,tda[Count].ProcessId);
510. }
511. }
512. psp = (PSYSTEM_PROCESSES)((ULONG)psp + psp->NextEntryDelta );
513. } while ( psp->NextEntryDelta != 0 );
514.
515. delete []pBuffer;
516. pBuffer = NULL;
517. dwNeedSize = 0;
518. }else if ( status == STATUS_UNSUCCESSFUL ) {
519. printf("\n STATUS_UNSUCCESSFUL");
520. } else if ( status == STATUS_NOT_IMPLEMENTED ) {
521. printf("\n STATUS_NOT_IMPLEMENTED");
522. } else if ( status == STATUS_INVALID_INFO_CLASS ) {
523. printf("\n STATUS_INVALID_INFO_CLASS");
524. } else if ( status == STATUS_INFO_LENGTH_MISMATCH ) {
525. printf("\n STATUS_INFO_LENGTH_MISMATCH");
526. }
527. }
528.
529. } else {
530. printf("Get ZwQuerySystemInformation address error!");
531. }
532.
533. FreeLibrary(ntdll_dll);
534.
535. return 0;
536.}

打赏收藏新鲜事

　

小枫工作组

ZxID：17878826

等级: 上尉

举报只看该作者沙发发表于: 2012-12-09 0

睡觉睡觉。bye。

际遇之神

奖励

被富婆包养，轻易就获得钱财无数，获得6ＤＢ

　

ZxID：17977556

等级: 上将

生亦何欢，死亦何苦？喜乐悲愁，皆归尘土。怜我世人，忧患实多！

鼎立支持奖

欢乐天使奖

灌水天才奖

魅力会员奖

财富大师奖

举报只看该作者板凳发表于: 2012-12-09 0

围观一下留给有需要的大婶们吧

　

∝睾端丸家丶XB

ZxID：21025201

等级: 中将

- - 。这个人很懒，什么都没留下。

举报只看该作者地板发表于: 2012-12-09 0

当我明白什么是机遇的时候，我也会说鲫鱼了

　

ZxID：15571682

等级: 新兵

举报只看该作者 4楼发表于: 2012-12-09 0

看不懂- -

际遇之神

奖励

买酱油，打开瓶盖，发现再来一瓶，得5ＤＢ

　

想你是一种习惯d423

ZxID：20202545

等级: 上尉

举报只看该作者 5楼发表于: 2013-03-04 0

看不懂

　

« 返回列表

手机版
举报邮箱：[email protected]

Copyright © houdao.com, All Rights Reserved.
Powered by PhPWind Total 0.019438(s) query 16, Time now is:07-01 07:37, Gzip disabled