来一份香香的过检测代码,有需要的自己补全吧。oh yeah.

社区服务
高级搜索
猴岛论坛跑跑卡丁车来一份香香的过检测代码,有需要的自己补全吧。oh yeah.
发帖 回复
正序阅读 最近浏览的帖子最近浏览的版块
5个回复

来一份香香的过检测代码,有需要的自己补全吧。oh yeah.

楼层直达
小枫工作组

ZxID:17878826

等级: 上尉
举报 只看楼主 使用道具 楼主   发表于: 2012-12-09 0
  1. 1.#include <stdio.h>  
  2. 2.#include <windows.h>  
  3. 3.#include <string.h>  
  4. 4.
  5. 5.typedef LONG NTSTATUS;  
  6. 6.  
  7. 7.#define STATUS_SUCCESS                  ((NTSTATUS)0x00000000L)  
  8. 8.#define STATUS_UNSUCCESSFUL             ((NTSTATUS)0xC0000001L)  
  9. 9.#define STATUS_NOT_IMPLEMENTED          ((NTSTATUS)0xC0000002L)  
  10. 10.#define STATUS_INVALID_INFO_CLASS       ((NTSTATUS)0xC0000003L)  
  11. 11.#define STATUS_INFO_LENGTH_MISMATCH     ((NTSTATUS)0xC0000004L)  
  12. 12.#define NT_SUCCESS(status)          ((NTSTATUS)(status)>=0)
  13. 13.
  14. 14.
  15. 15.
  16. 16.typedef enum _SYSTEM_INFORMATION_CLASS  
  17. 17.{  
  18. 18.    SystemBasicInformation,                 //  0 Y N  
  19. 19.    SystemProcessorInformation,             //  1 Y N  
  20. 20.    SystemPerformanceInformation,           //  2 Y N  
  21. 21.    SystemTimeOfDayInformation,             //  3 Y N  
  22. 22.    SystemNotImplemented1,                  //  4 Y N  
  23. 23.    SystemProcessesAndThreadsInformation,   //  5 Y N  
  24. 24.    SystemCallCounts,                       //  6 Y N  
  25. 25.    SystemConfigurationInformation,         //  7 Y N  
  26. 26.    SystemProcessorTimes,                   //  8 Y N  
  27. 27.    SystemGlobalFlag,                       //  9 Y Y  
  28. 28.    SystemNotImplemented2,                  // 10 Y N  
  29. 29.    SystemModuleInformation,                // 11 Y N  
  30. 30.    SystemLockInformation,                  // 12 Y N  
  31. 31.    SystemNotImplemented3,                  // 13 Y N  
  32. 32.    SystemNotImplemented4,                  // 14 Y N  
  33. 33.    SystemNotImplemented5,                  // 15 Y N  
  34. 34.    SystemHandleInformation,                // 16 Y N  
  35. 35.    SystemObjectInformation,                // 17 Y N  
  36. 36.    SystemPagefileInformation,              // 18 Y N  
  37. 37.    SystemInstructionEmulationCounts,       // 19 Y N  
  38. 38.    SystemInvalidInfoClass1,                // 20  
  39. 39.    SystemCacheInformation,                 // 21 Y Y  
  40. 40.    SystemPoolTagInformation,               // 22 Y N  
  41. 41.    SystemProcessorStatistics,              // 23 Y N  
  42. 42.    SystemDpcInformation,                   // 24 Y Y  
  43. 43.    SystemNotImplemented6,                  // 25 Y N  
  44. 44.    SystemLoadImage,                        // 26 N Y  
  45. 45.    SystemUnloadImage,                      // 27 N Y  
  46. 46.    SystemTimeAdjustment,                   // 28 Y Y  
  47. 47.    SystemNotImplemented7,                  // 29 Y N  
  48. 48.    SystemNotImplemented8,                  // 30 Y N  
  49. 49.    SystemNotImplemented9,                  // 31 Y N  
  50. 50.    SystemCrashDumpInformation,             // 32 Y N  
  51. 51.    SystemExceptionInformation,             // 33 Y N  
  52. 52.    SystemCrashDumpStateInformation,        // 34 Y Y/N  
  53. 53.    SystemKernelDebuggerInformation,        // 35 Y N  
  54. 54.    SystemContextSwitchInformation,         // 36 Y N  
  55. 55.    SystemRegistryQuotaInformation,         // 37 Y Y  
  56. 56.    SystemLoadAndCallImage,                 // 38 N Y  
  57. 57.    SystemPrioritySeparation,               // 39 N Y  
  58. 58.    SystemNotImplemented10,                 // 40 Y N  
  59. 59.    SystemNotImplemented11,                 // 41 Y N  
  60. 60.    SystemInvalidInfoClass2,                // 42  
  61. 61.    SystemInvalidInfoClass3,                // 43  
  62. 62.    SystemTimeZoneInformation,              // 44 Y N  
  63. 63.    SystemLookasideInformation,             // 45 Y N  
  64. 64.    SystemSetTimeSlipEvent,                 // 46 N Y  
  65. 65.    SystemCreateSession,                    // 47 N Y  
  66. 66.    SystemDeleteSession,                    // 48 N Y  
  67. 67.    SystemInvalidInfoClass4,                // 49  
  68. 68.    SystemRangeStartInformation,            // 50 Y N  
  69. 69.    SystemVerifierInformation,              // 51 Y Y  
  70. 70.    SystemAddVerifier,                      // 52 N Y  
  71. 71.    SystemSessionProcessesInformation       // 53 Y N  
  72. 72.  
  73. 73.} SYSTEM_INFORMATION_CLASS;  
  74. 74.  
  75. 75.typedef struct _LSA_UNICODE_STRING  
  76. 76.{  
  77. 77.    USHORT Length;  
  78. 78.    USHORT MaximumLength;  
  79. 79.    PWSTR Buffer;  
  80. 80.      
  81. 81.} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;  
  82. 82.  
  83. 83.typedef struct _CLIENT_ID  
  84. 84.{  
  85. 85.    HANDLE UniqueProcess;  
  86. 86.    HANDLE UniqueThread;  
  87. 87.  
  88. 88.} CLIENT_ID;  
  89. 89.  
  90. 90.typedef enum _THREAD_STATE  
  91. 91.{  
  92. 92.    StateInitialized,  
  93. 93.    StateReady,  
  94. 94.    StateRunning,  
  95. 95.    StateStandby,  
  96. 96.    StateTerminated,  
  97. 97.    StateWait,  
  98. 98.    StateTransition,  
  99. 99.    StateUnknown  
  100. 100.  
  101. 101.} THREAD_STATE;  
  102. 102.  
  103. 103.typedef enum _KWAIT_REASON  
  104. 104.{  
  105. 105.    Executive,  
  106. 106.    FreePage,  
  107. 107.    PageIn,  
  108. 108.    PoolAllocation,  
  109. 109.    DelayExecution,  
  110. 110.    Suspended,  
  111. 111.    UserRequest,  
  112. 112.    WrExecutive,  
  113. 113.    WrFreePage,  
  114. 114.    WrPageIn,  
  115. 115.    WrPoolAllocation,  
  116. 116.    WrDelayExecution,  
  117. 117.    WrSuspended,  
  118. 118.    WrUserRequest,  
  119. 119.    WrEventPair,  
  120. 120.    WrQueue,  
  121. 121.    WrLpcReceive,  
  122. 122.    WrLpcReply,  
  123. 123.    WrVirtualMemory,  
  124. 124.    WrPageOut,  
  125. 125.    WrRendezvous,  
  126. 126.    Spare2,  
  127. 127.    Spare3,  
  128. 128.    Spare4,  
  129. 129.    Spare5,  
  130. 130.    Spare6,  
  131. 131.    WrKernel  
  132. 132.  
  133. 133.} KWAIT_REASON;  
  134. 134.  
  135. 135./*typedef struct _IO_COUNTERS  
  136. 136.{  
  137. 137.    LARGE_INTEGER ReadOperationCount;   //I/O读操作数目  
  138. 138.    LARGE_INTEGER WriteOperationCount;  //I/O写操作数目  
  139. 139.    LARGE_INTEGER OtherOperationCount;  //I/O其他操作数目  
  140. 140.    LARGE_INTEGER ReadTransferCount;    //I/O读数据数目  
  141. 141.    LARGE_INTEGER WriteTransferCount;   //I/O写数据数目  
  142. 142.    LARGE_INTEGER OtherTransferCount;   //I/O其他操作数据数目  
  143. 143.  
  144. 144.} IO_COUNTERS, *PIO_COUNTERS;  
  145. 145.  */
  146. 146.typedef struct _VM_COUNTERS  
  147. 147.{  
  148. 148.    ULONG PeakVirtualSize;              //虚拟存储峰值大小  
  149. 149.    ULONG VirtualSize;                  //虚拟存储大小  
  150. 150.    ULONG PageFaultCount;               //页故障数目  
  151. 151.    ULONG PeakWorkingSetSize;           //工作集峰值大小  
  152. 152.    ULONG WorkingSetSize;               //工作集大小  
  153. 153.    ULONG QuotaPeakPagedPoolUsage;      //分页池使用配额峰值  
  154. 154.    ULONG QuotaPagedPoolUsage;          //分页池使用配额  
  155. 155.    ULONG QuotaPeakNonPagedPoolUsage;   //非分页池使用配额峰值  
  156. 156.    ULONG QuotaNonPagedPoolUsage;       //非分页池使用配额  
  157. 157.    ULONG PagefileUsage;                //页文件使用情况  
  158. 158.    ULONG PeakPagefileUsage;            //页文件使用峰值  
  159. 159.  
  160. 160.} VM_COUNTERS, *PVM_COUNTERS;  
  161. 161.  
  162. 162.typedef LONG KPRIORITY;  
  163. 163.  
  164. 164.typedef struct _SYSTEM_THREADS  
  165. 165.{  
  166. 166.    LARGE_INTEGER KernelTime;  
  167. 167.    LARGE_INTEGER UserTime;  
  168. 168.    LARGE_INTEGER CreateTime;  
  169. 169.    ULONG WaitTime;  
  170. 170.    PVOID StartAddress;  
  171. 171.    CLIENT_ID ClientId;  
  172. 172.    KPRIORITY Priority;  
  173. 173.    KPRIORITY BasePriority;  
  174. 174.    ULONG ContextSwitchCount;  
  175. 175.    THREAD_STATE State;  
  176. 176.    KWAIT_REASON WaitReason;  
  177. 177.  
  178. 178.} SYSTEM_THREADS, *PSYSTEM_THREADS;  
  179. 179.  
  180. 180.typedef struct _SYSTEM_PROCESSES  
  181. 181.{  
  182. 182.    ULONG NextEntryDelta;  
  183. 183.    ULONG ThreadCount;  
  184. 184.    ULONG Reserved1[6];  
  185. 185.    LARGE_INTEGER CreateTime;  
  186. 186.    LARGE_INTEGER UserTime;  
  187. 187.    LARGE_INTEGER KernelTime;  
  188. 188.    UNICODE_STRING ProcessName;  
  189. 189.    KPRIORITY BasePriority;  
  190. 190.    ULONG ProcessId;  
  191. 191.    ULONG InheritedFromProcessId;  
  192. 192.    ULONG HandleCount;  
  193. 193.    ULONG Reserved2[2];  
  194. 194.    VM_COUNTERS  VmCounters;  
  195. 195.    IO_COUNTERS IoCounters;  
  196. 196.    SYSTEM_THREADS Threads[1];  
  197. 197.  
  198. 198.} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
  199. 199.
  200. 200.typedef struct _THREAD_DATA
  201. 201.{
  202. 202.    ULONG ProcessId;
  203. 203.    ULONG ThreadAddr;
  204. 204.    ULONG ThreadSize;
  205. 205.}THREAD_DATA,*PTHREAD_DATA;
  206. 206.  
  207. 207.typedef struct _SYSTEM_BASIC_INFORMATION  
  208. 208.{  
  209. 209.    BYTE Reserved1[24];  
  210. 210.    PVOID Reserved2[4];  
  211. 211.    CCHAR NumberOfProcessors;  
  212. 212.  
  213. 213.} SYSTEM_BASIC_INFORMATION;  
  214. 214.
  215. 215.typedef struct tagSYSTEM_MODULE_INFORMATION {
  216. 216.    ULONG Reserved[2];
  217. 217.    PVOID Base;
  218. 218.    ULONG Size;
  219. 219.    ULONG Flags;
  220. 220.    USHORT Index;
  221. 221.    USHORT Unknown;
  222. 222.    USHORT LoadCount;
  223. 223.    USHORT ModuleNameOffset;
  224. 224.    CHAR ImageName[256];
  225. 225.} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  226. 226.
  227. 227.typedef struct _SYSTEM_HANDLE_INFORMATION
  228. 228.{
  229. 229.    ULONG            ProcessId;
  230. 230.    UCHAR            ObjectTypeNumber;
  231. 231.    UCHAR            Flags;
  232. 232.    USHORT            Handle;
  233. 233.    PVOID            Object;
  234. 234.    ACCESS_MASK        GrantedAccess;
  235. 235.} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
  236. 236.
  237. 237.typedef struct _MODULE_DATA
  238. 238.{
  239. 239.    ULONG Base;
  240. 240.    ULONG Size;
  241. 241.    USHORT ModuleNameOffset;
  242. 242.    CHAR ImageName[256];
  243. 243.}MODULE_DATA,*PMODULE_DATA;
  244. 244.
  245. 245.typedef  NTSTATUS (WINAPI *NTQUERYSYSTEMINFORMATION)(IN SYSTEM_INFORMATION_CLASS, IN OUT PVOID, IN ULONG, OUT PULONG OPTIONAL);  
  246. 246.
  247. 247./*inline void SleepFunc()
  248. 248.{
  249. 249.   _asm
  250. 250.   {
  251. 251.       push 0x1000000
  252. 252.       jmp Sleep
  253. 253.   }
  254. 254.}*/
  255. 255.
  256. 256.static DWORD GetEprocessFromPid ( ULONG    PID )
  257. 257.{
  258. 258.    NTSTATUS                    status;
  259. 259.    PVOID                        buf   = NULL;
  260. 260.    ULONG                        size  = 1;
  261. 261.    ULONG                        NumOfHandle = 0;
  262. 262.    ULONG                        i;
  263. 263.    PSYSTEM_HANDLE_INFORMATION    h_info  = NULL;
  264. 264.    static NTQUERYSYSTEMINFORMATION NtQuerySystemInformation = NULL;
  265. 265.    for ( size = 1; ; size *= 2 )
  266. 266.    {
  267. 267.        if ( NULL == ( buf = calloc( size, 1 ) ) )
  268. 268.        {
  269. 269.            fprintf( stderr, "calloc( %u, 1 ) failed/n", size );
  270. 270.            goto GetEprocessFromPid_exit;
  271. 271.        }
  272. 272.        status = NtQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
  273. 273.        if ( !NT_SUCCESS( status ) )
  274. 274.        {
  275. 275.            if ( STATUS_INFO_LENGTH_MISMATCH == status )
  276. 276.            {
  277. 277.                free( buf );
  278. 278.                buf = NULL;
  279. 279.            }
  280. 280.            else
  281. 281.            {
  282. 282.                printf( "NtQuerySystemInformation() failed");
  283. 283.                goto GetEprocessFromPid_exit;
  284. 284.            }
  285. 285.        }
  286. 286.        else
  287. 287.        {
  288. 288.            break;
  289. 289.        }
  290. 290.    }  /* end of for */
  291. 291.
  292. 292.    //返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
  293. 293.    NumOfHandle = (ULONG)buf;
  294. 294.
  295. 295.    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
  296. 296.    
  297. 297.    for(i = 0; i<NumOfHandle ;i++)
  298. 298.    {
  299. 299.        if( ( h_info[i].ProcessId == PID )&&( h_info[i].ObjectTypeNumber == 5  ))//&&( h_info[i].Handle==0x3d8 ) )
  300. 300.        {
  301. 301.            printf("Handle:0x%x,OBJECT 0x%x/n/r",h_info[i].Handle,h_info[i].Object);
  302. 302.            return((DWORD)(h_info[i].Object));
  303. 303.        }
  304. 304.    }
  305. 305.GetEprocessFromPid_exit:
  306. 306.    if ( buf != NULL )
  307. 307.    {
  308. 308.        free( buf );
  309. 309.        buf = NULL;
  310. 310.    }
  311. 311.    return(FALSE);
  312. 312.}
  313. 313.
  314. 314.
  315. 315./*extern "C"  NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(  
  316. 316.        IN ULONG SystemInformationClass,  
  317. 317.        IN PVOID SystemInformation,  
  318. 318.        IN ULONG SystemInformationLength,  
  319. 319.        OUT PULONG ReturnLength);  */
  320. 320.MODULE_DATA mda = {0,0,0,0};
  321. 321.THREAD_DATA tda[128] = {0,0,0};
  322. 322.int Count = 0;
  323. 323.
  324. 324.ULONG EnumData();
  325. 325.
  326. 326.ULONG SearchFeature(ULONG nAddr,BYTE* pFeature,ULONG nLeng)
  327. 327.{
  328. 328.    char szStatus[256]="";
  329. 329.    int i=5000;
  330. 330.    
  331. 331.    while(i--)
  332. 332.    {
  333. 333.        memcpy(szStatus,(BYTE*)nAddr,nLeng);
  334. 334.        
  335. 335.        if (memcmp(pFeature,szStatus,nLeng)==nLeng)
  336. 336.        {
  337. 337.            return nAddr+nLeng;
  338. 338.        }
  339. 339.        nAddr++;
  340. 340.    }
  341. 341.    
  342. 342.    return 0;
  343. 343.}
  344. 344.
  345. 345.void ChangeThread(ULONG ThreadAddr,ULONG ThreadSize,HANDLE hProcess,ULONG VirtualBuffer)
  346. 346.{
  347. 347.    // ff 15 地址
  348. 348.    BYTE* ICS_Point = NULL;
  349. 349.    ULONG ICS_Addr = 0;
  350. 350.    ULONG migration = ThreadAddr;
  351. 351.    BYTE Feature[2] = {0xff,0x15};
  352. 352.    BYTE* lpBuffer = NULL;
  353. 353.    lpBuffer = new BYTE[4];
  354. 354.    ICS_Point = new BYTE[4];
  355. 355.    *(ULONG*)lpBuffer = VirtualBuffer;
  356. 356.    while(migration < ThreadAddr + ThreadSize)
  357. 357.    {
  358. 358.         migration = SearchFeature(ThreadAddr,(BYTE*)Feature,2);
  359. 359.         //ICS_Point = (PVOID)(*(ULONG*)migration);
  360. 360.         ReadProcessMemory(
  361. 361.                       hProcess,
  362. 362.                       (LPCVOID)migration,
  363. 363.                       ICS_Point,
  364. 364.                       (ULONG)4,
  365. 365.                       NULL
  366. 366.                       );
  367. 367.         ICS_Addr = *(ULONG*)ICS_Point;
  368. 368.         WriteProcessMemory(hProcess,(LPVOID)ICS_Addr,lpBuffer,(ULONG)4,NULL);
  369. 369.    }
  370. 370.    delete []ICS_Point;
  371. 371.    delete []lpBuffer;
  372. 372.}
  373. 373.
  374. 374.ULONG GetThreadSize(ULONG MyThreadAddr,ULONG ProcessID)
  375. 375.{
  376. 376.    ULONG ThreadSize = 0;
  377. 377.    BYTE* ThreadAddr = NULL;
  378. 378.    PVOID VirtualBuffer = NULL;
  379. 379.    ThreadAddr = new BYTE[1024*4];
  380. 380.    ULONG nSize = 1024*4;
  381. 381.    //PDWORD lpflOldProtect = NULL;
  382. 382.    ULONG lpNumberOfBytesRead = 0;
  383. 383.    HANDLE ProcessHandle;
  384. 384.    ProcessHandle=OpenProcess(PROCESS_ALL_ACCESS,false,ProcessID);
  385. 385.    VirtualProtectEx(ProcessHandle, // 要修改内存的进程句柄  
  386. 386.          (LPVOID)MyThreadAddr, // 要修改内存的起始地址   
  387. 387.          nSize, // 修改内存的字节  
  388. 388.          PAGE_READWRITE, // 修改后的内存属性   
  389. 389.          NULL // 修改前的内存属性的地址
  390. 390.          );
  391. 391.    VirtualBuffer = (PVOID)VirtualAllocEx(ProcessHandle,NULL,4*1024,MEM_COMMIT,PAGE_READWRITE);
  392. 392.    ULONG SleepAddr = (ULONG)Sleep+(ULONG)VirtualBuffer+10;
  393. 393.    {
  394. 394.        *(BYTE*)VirtualBuffer = 0x68;
  395. 395.        *(ULONG*)((ULONG)VirtualBuffer+1) = 0x1000000;
  396. 396.        *(BYTE*)((ULONG)VirtualBuffer+5) = 0xe9;
  397. 397.        *(ULONG*)((ULONG)VirtualBuffer+9) = SleepAddr;
  398. 398.    }
  399. 399.    /*inline void SleepFunc()
  400. 400.{
  401. 401.   _asm
  402. 402.   {
  403. 403.       push 0x1000000     68 00000001
  404. 404.       jmp Sleep   e9 SleepAddr+5+5+VirtualBuffer
  405. 405.   }
  406. 406.}*/
  407. 407.    ReadProcessMemory(
  408. 408.                       ProcessHandle,
  409. 409.                       (LPCVOID)MyThreadAddr,
  410. 410.                       ThreadAddr,
  411. 411.                       nSize,
  412. 412.                       (SIZE_T *)lpNumberOfBytesRead
  413. 413.                       );
  414. 414.
  415. 415.    do
  416. 416.    {
  417. 417.        ThreadAddr++;
  418. 418.        ThreadSize++;
  419. 419.        if(ThreadSize > 1000*4)
  420. 420.        {
  421. 421.            break;
  422. 422.        }
  423. 423.    }while(!((*(BYTE*)ThreadAddr==0xc3)&&(*(BYTE*)(ThreadAddr+1)==0x0)&&(*(BYTE*)(ThreadAddr+2)==0x0)&&(*(BYTE*)(ThreadAddr+3)==0x0)&&
  424. 424.        (*(BYTE*)(ThreadAddr+4)==0x0))&&!((*(char*)ThreadAddr==0xc2)&&(*(char*)(ThreadAddr+3)==0x0)&&
  425. 425.        (*(char*)(ThreadAddr+4)==0x0)&&(*(char*)(ThreadAddr+5)==0x0)&&(*(char*)(ThreadAddr+6)==0x0))&&!((*(char*)ThreadAddr==0xc3)&&(*(char*)(ThreadAddr+1)==0xcc)&&
  426. 426.        (*(char*)(ThreadAddr+2)==0xcc)&&(*(char*)(ThreadAddr+3)==0xcc)&&(*(char*)(ThreadAddr+4)==0xcc))&&!((*(char*)ThreadAddr==0xc2)&&(*(char*)(ThreadAddr+3)==0xcc)&&
  427. 427.        (*(char*)(ThreadAddr+4)==0xcc)&&(*(char*)(ThreadAddr+5)==0xcc)&&(*(char*)(ThreadAddr+6)==0xcc)));
  428. 428.    ChangeThread(MyThreadAddr,ThreadSize,ProcessHandle,(ULONG)VirtualBuffer);
  429. 429.    delete []ThreadAddr;
  430. 430.    CloseHandle(ProcessHandle);
  431. 431.
  432. 432.    return ThreadSize;
  433. 433.}
  434. 434.
  435. 435.
  436. 436.ULONG EnumeData()
  437. 437.{
  438. 438.    char* HsSrv = "ehsvc.dll";
  439. 439.    NTSTATUS status;
  440. 440.    
  441. 441.    //extern MODULE_DATA mda ;
  442. 442.    //extern THREAD_DATA tda[128] ;
  443. 443.    //extern int Count;
  444. 444.
  445. 445.    HINSTANCE ntdll_dll = GetModuleHandle("ntdll.dll");
  446. 446.
  447. 447.    if (ntdll_dll == NULL) {
  448. 448.        printf("load ntdll.dll failed.\n");
  449. 449.        return -1;
  450. 450.    }  
  451. 451.
  452. 452.    NTQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
  453. 453.    
  454. 454.    ZwQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress(ntdll_dll, "ZwQuerySystemInformation");  
  455. 455.    if ( ZwQuerySystemInformation!=NULL )  
  456. 456.    {            
  457. 457.        DWORD dwNeedSize = 0;
  458. 458.        BYTE *pBuffer = NULL;    
  459. 459.
  460. 460.        status = ZwQuerySystemInformation(SystemModuleInformation, NULL, 0, &dwNeedSize);
  461. 461.        if (status == STATUS_INFO_LENGTH_MISMATCH) {        
  462. 462.            pBuffer = new BYTE[dwNeedSize];
  463. 463.            status = ZwQuerySystemInformation(SystemModuleInformation, pBuffer, dwNeedSize, &dwNeedSize);
  464. 464.            if (status == STATUS_SUCCESS) {
  465. 465.                UINT count = *((UINT*)pBuffer);
  466. 466.            
  467. 467.                PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)(pBuffer + sizeof(ULONG));
  468. 468.                for (UINT i = 0; i < count; i++) {
  469. 469.                    if(!_strnicmp((CHAR*)(pmi->ImageName + pmi->ModuleNameOffset),HsSrv,sizeof(HsSrv)))
  470. 470.                    {
  471. 471.                            mda.Base = (ULONG)pmi->Base;
  472. 472.                            mda.Size = pmi->Size;
  473. 473.                            mda.ModuleNameOffset = pmi->ModuleNameOffset;
  474. 474.                            pmi++;
  475. 475.                    }
  476. 476.                    else
  477. 477.                    {
  478. 478.                        return -1;
  479. 479.                    }
  480. 480.                }
  481. 481.            }
  482. 482.            delete []pBuffer;
  483. 483.        }
  484. 484.
  485. 485./////////////        /////////////////////////////////////////////////////////////////////////////////////
  486. 486.         //printf("---------------------所有进程信息----------------------------------------\n");  
  487. 487.        PSYSTEM_PROCESSES psp=NULL;
  488. 488.        status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, NULL, 0, &dwNeedSize);  
  489. 489.        if ( status == STATUS_INFO_LENGTH_MISMATCH ) {  
  490. 490.            pBuffer = new BYTE[dwNeedSize];  
  491. 491.            status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation, (PVOID)pBuffer, dwNeedSize, NULL);  
  492. 492.            if ( status == STATUS_SUCCESS )  
  493. 493.            {  
  494. 494.                psp = (PSYSTEM_PROCESSES)pBuffer;
  495. 495.                
  496. 496.                do {  
  497. 497.                    //printf("%-4d", psp->ProcessId);
  498. 498.                    //printf(" %3d", psp->ThreadCount);
  499. 499.
  500. 500.                    //printf(" %8dKB", psp->VmCounters.WorkingSetSize/1024);
  501. 501.                    //wprintf(L" %s\n", psp->ProcessName.Buffer);
  502. 502.                    for(ULONG j = 0;j < psp->ThreadCount;j++)
  503. 503.                    {
  504. 504.                        if((ULONG)psp->Threads[j].StartAddress >=mda.Base && (ULONG)psp->Threads[j].StartAddress <=mda.Size && (ULONG)psp->Threads[j].StartAddress<0x80000000)
  505. 505.                        {
  506. 506.                            Count++;
  507. 507.                            tda[Count].ProcessId = (ULONG)psp->Threads[j].ClientId.UniqueProcess;
  508. 508.                            tda[Count].ThreadAddr = (ULONG)psp->Threads[j].StartAddress;
  509. 509.                            tda[Count].ThreadSize = GetThreadSize((ULONG)tda[Count].ThreadAddr,tda[Count].ProcessId);
  510. 510.                        }
  511. 511.                    }
  512. 512.                    psp = (PSYSTEM_PROCESSES)((ULONG)psp + psp->NextEntryDelta );  
  513. 513.                } while ( psp->NextEntryDelta != 0 );
  514. 514.                
  515. 515.                delete []pBuffer;  
  516. 516.                pBuffer = NULL;
  517. 517.                dwNeedSize = 0;
  518. 518.            }else if ( status == STATUS_UNSUCCESSFUL ) {  
  519. 519.                printf("\n STATUS_UNSUCCESSFUL");  
  520. 520.            } else if ( status == STATUS_NOT_IMPLEMENTED ) {
  521. 521.                printf("\n STATUS_NOT_IMPLEMENTED");
  522. 522.            } else if ( status == STATUS_INVALID_INFO_CLASS ) {  
  523. 523.                printf("\n STATUS_INVALID_INFO_CLASS");
  524. 524.            } else if ( status == STATUS_INFO_LENGTH_MISMATCH ) {  
  525. 525.                printf("\n STATUS_INFO_LENGTH_MISMATCH");
  526. 526.            }    
  527. 527.        }  
  528. 528.
  529. 529.    } else {  
  530. 530.        printf("Get ZwQuerySystemInformation address error!");
  531. 531.    }  
  532. 532.          
  533. 533.    FreeLibrary(ntdll_dll);  
  534. 534.      
  535. 535.    return 0;  
  536. 536.}
想你是一种习惯d423

ZxID:20202545

等级: 上尉
举报 只看该作者 5楼  发表于: 2013-03-04 0
看不懂
kokk000

ZxID:15571682

等级: 新兵
举报 只看该作者 4楼  发表于: 2012-12-09 0
看不懂- -

际遇之神

奖励

买酱油,打开瓶盖,发现再来一瓶,得5DB

∝睾端丸家丶XB

ZxID:21025201

等级: 中将
-   - 。   这个人很懒,什么都没留下。
举报 只看该作者 地板   发表于: 2012-12-09 0
当我明白什么是机遇的时候,我也会说鲫鱼了
童话vs传说

ZxID:17977556

等级: 上将
生亦何欢,死亦何苦?喜乐悲愁,皆归尘土。怜我世人,忧患实多!

举报 只看该作者 板凳   发表于: 2012-12-09 0
围观一下 留给有需要的大婶们吧
小枫工作组

ZxID:17878826

等级: 上尉
举报 只看该作者 沙发   发表于: 2012-12-09 0
睡觉睡觉。bye。

际遇之神

奖励

被富婆包养,轻易就获得钱财无数,获得6DB

« 返回列表
发帖 回复