注意：此方法依赖大量硬编码的结构体偏移量。下面列出的偏移来自某一特定的 64 位 Windows 版本（指针为 8 字节），不同版本的 win32k 中这些偏移可能不同；使用前应根据目标系统的符号文件逐一核实，否则会读到错误的内存。
EPROCESS 中的 Win32Process 字段实际上是一个指向 tagPROCESSINFO 结构（由 win32k 维护）的指针。对于未使用 GUI 子系统的进程，该指针可能为 NULL，遍历前应先判空。
/*
 * win32k per-process state (tagPROCESSINFO): the structure that
 * EPROCESS->Win32Process points to.
 *
 * The offsets in the left-hand comments are for ONE specific 64-bit
 * Windows build (8-byte pointers: Process at 0x000, RefCount at 0x008);
 * they are not stable across versions. NOTE(review): verify every offset
 * against the win32k symbols of the target build before reading memory
 * at it, and null-check pointer members (rpdeskStartup, ptiList, ...)
 * before dereferencing them.
 */
typedef struct _tagPROCESSINFO // 55 elements, 0x300 bytes (sizeof)
{
/*0x000*/ struct _EPROCESS* Process; // back-pointer to the owning EPROCESS
/*0x008*/ ULONG32 RefCount;
/*0x00C*/ ULONG32 W32PF_Flags;
/*0x010*/ struct _KEVENT* InputIdleEvent;
/*0x018*/ ULONG32 StartCursorHideTime;
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ struct _W32PROCESS* NextStart;
/*0x028*/ VOID* pDCAttrList;
/*0x030*/ VOID* pBrushAttrList;
/*0x038*/ ULONG32 W32Pid;
/*0x03C*/ LONG32 GDIHandleCount;
/*0x040*/ ULONG32 GDIHandleCountPeak;
/*0x044*/ LONG32 UserHandleCount;
/*0x048*/ ULONG32 UserHandleCountPeak;
/*0x04C*/ UINT8 _PADDING1_[0x4];
/*0x050*/ struct _EX_PUSH_LOCK GDIPushLock; // 7 elements, 0x8 bytes (sizeof)
/*0x058*/ struct _RTL_AVL_TABLE GDIEngUserMemAllocTable; // 11 elements, 0x68 bytes (sizeof)
/*0x0C0*/ struct _LIST_ENTRY GDIDcAttrFreeList; // 2 elements, 0x10 bytes (sizeof)
/*0x0D0*/ struct _LIST_ENTRY GDIBrushAttrFreeList; // 2 elements, 0x10 bytes (sizeof)
/*0x0E0*/ struct _LIST_ENTRY GDIW32PIDLockedBitmaps; // 2 elements, 0x10 bytes (sizeof)
/*0x0F0*/ VOID* hSecureGdiSharedHandleTable;
/*0x0F8*/ VOID* DxProcess;
/*0x100*/ struct _tagTHREADINFO* ptiList;
/*0x108*/ struct _tagTHREADINFO* ptiMainThread;
/*0x110*/ struct _tagDESKTOP* rpdeskStartup; // pointer (not an embedded struct) to the startup desktop; may be NULL
/*0x118*/ struct _tagCLS* pclsPrivateList;
/*0x120*/ struct _tagCLS* pclsPublicList;
/*0x128*/ struct _tagWOWPROCESSINFO* pwpi;
/*0x130*/ struct _tagPROCESSINFO* ppiNext; // NOTE(review): presumably the link used to walk all win32k processes -- confirm
/*0x138*/ struct _tagPROCESSINFO* ppiNextRunning;
/*0x140*/ UINT32 cThreads;
/*0x144*/ UINT8 _PADDING2_[0x4];
/*0x148*/ struct _HDESK__* hdeskStartup;
/*0x150*/ UINT32 cSysExpunge;
/*0x154*/ ULONG32 dwhmodLibLoadedMask;
/*0x158*/ VOID* ahmodLibLoaded[32];
/*0x258*/ struct _tagWINDOWSTATION* rpwinsta;
/*0x260*/ struct _HWINSTA__* hwinsta;
/*0x268*/ ULONG32 amwinsta;
/*0x26C*/ ULONG32 dwHotkey;
/*0x270*/ struct _HMONITOR__* hMonitor;
/*0x278*/ struct _tagDESKTOPVIEW* pdvList;
/*0x280*/ UINT32 iClipSerialNumber;
/*0x284*/ UINT8 _PADDING3_[0x4];
/*0x288*/ struct _RTL_BITMAP bmHandleFlags; // 2 elements, 0x10 bytes (sizeof)
/*0x298*/ struct _tagCURSOR* pCursorCache;
/*0x2A0*/ VOID* pClientBase;
/*0x2A8*/ ULONG32 dwLpkEntryPoints;
/*0x2AC*/ UINT8 _PADDING4_[0x4];
/*0x2B0*/ struct _tagW32JOB* pW32Job;
/*0x2B8*/ ULONG32 dwImeCompatFlags;
/*0x2BC*/ struct _LUID luidSession; // 2 elements, 0x8 bytes (sizeof)
/*0x2C4*/ struct _tagUSERSTARTUPINFO usi; // 8 elements, 0x1C bytes (sizeof)
union // 2 elements, 0x4 bytes (sizeof)
{
/*0x2E0*/ ULONG32 Flags;
struct // 2 elements, 0x4 bytes (sizeof)
{
/*0x2E0*/ UINT32 fHasMagContext : 1; // 0 BitPosition
/*0x2E0*/ UINT32 Unused : 31; // 1 BitPosition
};
};
/*0x2E4*/ ULONG32 dwLayout;
/*0x2E8*/ struct _tagPROCESS_HID_TABLE* pHidTable;
/*0x2F0*/ ULONG32 dwRegisteredClasses;
/*0x2F4*/ UINT8 _PADDING5_[0x4];
/*0x2F8*/ struct _VWPL* pvwplWndGCList;
}tagPROCESSINFO, *PtagPROCESSINFO;
tagPROCESSINFO 在偏移 0x110 处的成员 rpdeskStartup 是一个指向 tagDESKTOP 的指针（而不是内嵌结构），解引用前需要判空。
/*
 * win32k desktop object (tagDESKTOP), reached through
 * tagPROCESSINFO->rpdeskStartup.
 *
 * Offsets are for the same specific 64-bit build as tagPROCESSINFO above
 * and are not stable across Windows versions. NOTE(review): confirm them
 * against the target build's symbols before use; pDeskInfo and the other
 * pointer members should be null-checked before dereferencing.
 */
typedef struct _tagDESKTOP // 25 elements, 0xE0 bytes (sizeof)
{
/*0x000*/ ULONG32 dwSessionId;
/*0x004*/ UINT8 _PADDING0_[0x4];
/*0x008*/ struct _tagDESKTOPINFO* pDeskInfo; // pointer to the tagDESKTOPINFO described below
/*0x010*/ struct _tagDISPLAYINFO* pDispInfo;
/*0x018*/ struct _tagDESKTOP* rpdeskNext;
/*0x020*/ struct _tagWINDOWSTATION* rpwinstaParent;
/*0x028*/ ULONG32 dwDTFlags;
/*0x02C*/ UINT8 _PADDING1_[0x4];
/*0x030*/ UINT64 dwDesktopId;
/*0x038*/ struct _tagMENU* spmenuSys;
/*0x040*/ struct _tagMENU* spmenuDialogSys;
/*0x048*/ struct _tagMENU* spmenuHScroll;
/*0x050*/ struct _tagMENU* spmenuVScroll;
/*0x058*/ struct _tagWND* spwndForeground;
/*0x060*/ struct _tagWND* spwndTray;
/*0x068*/ struct _tagWND* spwndMessage;
/*0x070*/ struct _tagWND* spwndTooltip;
/*0x078*/ VOID* hsectionDesktop;
/*0x080*/ struct _tagWIN32HEAP* pheapDesktop;
/*0x088*/ ULONG32 ulHeapSize;
/*0x08C*/ UINT8 _PADDING2_[0x4];
/*0x090*/ struct _CONSOLE_CARET_INFO cciConsole; // 2 elements, 0x18 bytes (sizeof)
/*0x0A8*/ struct _LIST_ENTRY PtiList; // 2 elements, 0x10 bytes (sizeof)
/*0x0B8*/ struct _tagWND* spwndTrack;
/*0x0C0*/ INT32 htEx;
/*0x0C4*/ struct _tagRECT rcMouseHover; // 4 elements, 0x10 bytes (sizeof)
/*0x0D4*/ ULONG32 dwMouseHoverTime;
/*0x0D8*/ struct _MAGNIFICATION_INPUT_TRANSFORM* pMagInputTransform;
}tagDESKTOP, *PtagDESKTOP;
tagDESKTOP 在偏移 0x8 处的成员 pDeskInfo 是一个指向 _tagDESKTOPINFO 结构的指针（下面的结构体定义在原文中已被截断，不完整）。
typedef struct _tagDESKTOPINFO // 16 elements, 0xF0 bytes (sizeof)
{
/*0x000*/ VOID* pvDesktopBase;
/*0x008*/ VOID* pvDesktopLimit;
/*0x010*/ struct _tagWND* spwnd;
/*0x018*/ ULONG32 fsHooks;
/*0x01C*/ UINT8 _PADDING0_[0x4];
/*0x020*/ struct _tagHOOK* aphkStart[16];
/*0x0A0*/ struct _tagWND* spwndShell;
/*0x0A8*/ struct _tagPROCESSINFO* ppiShellProcess;
/*0x0B0*/ struct _tagWND* spwndBkGnd;
/*0x0B8*/ struct _tagWND* spwndTaskman;
/*0x0C0*/ struct _tagWND* spwndProgman;
/*0x0C8*/ struct _VWPL* pvwplShellHook;
/*0x0D0*/ INT32 cntMBox;
/*0x0D4*/ UINT8 _PADDING1_[0x4];
/*0x0D8*/ struct _tagWND* spwndGestureEngine;
/*0x0E0*/ struct _VWPL* pvwplMessagePPHandler;