[Old article repost] A brute-force way of finding processes

Originally published on Baidu Space, 2008-7-25
==========================================================================

I forget where I saw it: just let pid start at 1 and call OpenProcess on each value, then get the process name from the handle you get back. An absolutely brute-force method, but it looked fun, so I wrote one to play with.
The implementation is simple: first enable SE_DEBUG_NAME, then open each pid in turn and get the process name. Without the privilege, service processes cannot be opened, which is not good.
The key code is as follows (it really is very simple):

DWORD pid, cnt = 0;
HANDLE hProcess;
char szFilePath[MAX_PATH];

for (pid = 0; pid < 0xFFFF; pid++)
{
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (hProcess)
    {
        printf("Found:pid=%u\t0x%x\t", pid, pid);
        cnt++;                                  // process count
        ShowProcessPath(hProcess, szFilePath);  // prints the process name for this process handle
        CloseHandle(hProcess);
    }
}

The result is fairly interesting:
Searching...
Found:pid=4 0x4 
Found:pid=5 0x5 
Found:pid=6 0x6 
Found:pid=7 0x7 
Found:pid=124 0x7c MDM.EXE
Found:pid=125 0x7d MDM.EXE
Found:pid=126 0x7e MDM.EXE
Found:pid=127 0x7f MDM.EXE
Found:pid=252 0xfc Explorer.EXE
Found:pid=253 0xfd Explorer.EXE
Found:pid=254 0xfe Explorer.EXE
Found:pid=255 0xff Explorer.EXE
Found:pid=368 0x170 nvsvc32.exe
Found:pid=369 0x171 nvsvc32.exe
Found:pid=370 0x172 nvsvc32.exe
Found:pid=371 0x173 nvsvc32.exe
Found:pid=412 0x19c runiep.exe
Found:pid=413 0x19d runiep.exe
Found:pid=414 0x19e runiep.exe
Found:pid=415 0x19f runiep.exe
Found:pid=420 0x1a4 RavTask.exe
Found:pid=421 0x1a5 RavTask.exe
Found:pid=422 0x1a6 RavTask.exe
Found:pid=423 0x1a7 RavTask.exe
Found:pid=428 0x1ac safeboxTray.exe
Found:pid=429 0x1ad safeboxTray.exe
Found:pid=430 0x1ae safeboxTray.exe
Found:pid=431 0x1af safeboxTray.exe
Found:pid=504 0x1f8 smss.exe
Found:pid=505 0x1f9 smss.exe
Found:pid=506 0x1fa smss.exe
Found:pid=507 0x1fb smss.exe
Found:pid=528 0x210 svchost.exe
Found:pid=529 0x211 svchost.exe
Found:pid=530 0x212 svchost.exe
Found:pid=531 0x213 svchost.exe
Found:pid=576 0x240 csrss.exe
Found:pid=577 0x241 csrss.exe
Found:pid=578 0x242 csrss.exe
Found:pid=579 0x243 csrss.exe
Found:pid=600 0x258 winlogon.exe
Found:pid=601 0x259 winlogon.exe
Found:pid=602 0x25a winlogon.exe
Found:pid=603 0x25b winlogon.exe
Found:pid=644 0x284 services.exe
Found:pid=645 0x285 services.exe
Found:pid=646 0x286 services.exe
Found:pid=647 0x287 services.exe
Found:pid=656 0x290 lsass.exe
Found:pid=657 0x291 lsass.exe
Found:pid=658 0x292 lsass.exe
Found:pid=659 0x293 lsass.exe
Found:pid=824 0x338 svchost.exe
Found:pid=825 0x339 svchost.exe
Found:pid=826 0x33a svchost.exe
Found:pid=827 0x33b svchost.exe
Found:pid=880 0x370 svchost.exe
Found:pid=881 0x371 svchost.exe
Found:pid=882 0x372 svchost.exe
Found:pid=883 0x373 svchost.exe
Found:pid=960 0x3c0 CCenter.exe
Found:pid=961 0x3c1 CCenter.exe
Found:pid=962 0x3c2 CCenter.exe
Found:pid=963 0x3c3 CCenter.exe
Found:pid=976 0x3d0 svchost.exe
Found:pid=977 0x3d1 svchost.exe
Found:pid=978 0x3d2 svchost.exe
Found:pid=979 0x3d3 svchost.exe
Found:pid=1012 0x3f4 Ravmon.exe
Found:pid=1013 0x3f5 Ravmon.exe
Found:pid=1014 0x3f6 Ravmon.exe
Found:pid=1015 0x3f7 Ravmon.exe
Found:pid=1016 0x3f8 svchost.exe
Found:pid=1017 0x3f9 svchost.exe
Found:pid=1018 0x3fa svchost.exe
Found:pid=1019 0x3fb svchost.exe
Found:pid=1112 0x458 racer.exe
Found:pid=1113 0x459 racer.exe
Found:pid=1114 0x45a racer.exe
Found:pid=1115 0x45b racer.exe
Found:pid=1136 0x470 360tray.exe
Found:pid=1137 0x471 360tray.exe
Found:pid=1138 0x472 360tray.exe
Found:pid=1139 0x473 360tray.exe
Found:pid=1140 0x474 ravmond.exe
Found:pid=1141 0x475 ravmond.exe
Found:pid=1142 0x476 ravmond.exe
Found:pid=1143 0x477 ravmond.exe
Found:pid=1364 0x554 RavStub.exe
Found:pid=1365 0x555 RavStub.exe
Found:pid=1366 0x556 RavStub.exe
Found:pid=1367 0x557 RavStub.exe
Found:pid=1380 0x564 
Found:pid=1381 0x565 
Found:pid=1382 0x566 
Found:pid=1383 0x567 
Found:pid=1492 0x5d4 SuperOpenProcess.exe
Found:pid=1493 0x5d5 SuperOpenProcess.exe
Found:pid=1494 0x5d6 SuperOpenProcess.exe
Found:pid=1495 0x5d7 SuperOpenProcess.exe
Found:pid=1500 0x5dc NetBox.exe
Found:pid=1501 0x5dd NetBox.exe
Found:pid=1502 0x5de NetBox.exe
Found:pid=1503 0x5df NetBox.exe
Found:pid=1544 0x608 spoolsv.exe
Found:pid=1545 0x609 spoolsv.exe
Found:pid=1546 0x60a spoolsv.exe
Found:pid=1547 0x60b spoolsv.exe
Found:pid=1700 0x6a4 ctfmon.exe
Found:pid=1701 0x6a5 ctfmon.exe
Found:pid=1702 0x6a6 ctfmon.exe
Found:pid=1703 0x6a7 ctfmon.exe
Found:pid=1944 0x798 RacerKp.exe
Found:pid=1945 0x799 RacerKp.exe
Found:pid=1946 0x79a RacerKp.exe
Found:pid=1947 0x79b RacerKp.exe
Found:pid=1976 0x7b8 svchost.exe
Found:pid=1977 0x7b9 svchost.exe
Found:pid=1978 0x7ba svchost.exe
Found:pid=1979 0x7bb svchost.exe
Found:pid=2020 0x7e4 stormliv.exe
Found:pid=2021 0x7e5 stormliv.exe
Found:pid=2022 0x7e6 stormliv.exe
Found:pid=2023 0x7e7 stormliv.exe
Found:pid=2136 0x858 conime.exe
Found:pid=2137 0x859 conime.exe
Found:pid=2138 0x85a conime.exe
Found:pid=2139 0x85b conime.exe
Found:pid=2140 0x85c 
Found:pid=2141 0x85d 
Found:pid=2142 0x85e 
Found:pid=2143 0x85f 
Found:pid=2304 0x900 TXPlatform.exe
Found:pid=2305 0x901 TXPlatform.exe
Found:pid=2306 0x902 TXPlatform.exe
Found:pid=2307 0x903 TXPlatform.exe
Found:pid=2380 0x94c cmd.exe
Found:pid=2381 0x94d cmd.exe
Found:pid=2382 0x94e cmd.exe
Found:pid=2383 0x94f cmd.exe
Found:pid=2416 0x970 
Found:pid=2417 0x971 
Found:pid=2418 0x972 
Found:pid=2419 0x973 
Found:pid=2420 0x974 QQ.exe
Found:pid=2421 0x975 QQ.exe
Found:pid=2422 0x976 QQ.exe
Found:pid=2423 0x977 QQ.exe
Found:pid=2780 0xadc windbg.exe
Found:pid=2781 0xadd windbg.exe
Found:pid=2782 0xade windbg.exe
Found:pid=2783 0xadf windbg.exe
Found:pid=2860 0xb2c MSDEV.EXE
Found:pid=2861 0xb2d MSDEV.EXE
Found:pid=2862 0xb2e MSDEV.EXE
Found:pid=2863 0xb2f MSDEV.EXE
Found:pid=3028 0xbd4 
Found:pid=3029 0xbd5 
Found:pid=3030 0xbd6 
Found:pid=3031 0xbd7 
Found:pid=3096 0xc18 
Found:pid=3097 0xc19 
Found:pid=3098 0xc1a 
Found:pid=3099 0xc1b 
Found:pid=3356 0xd1c 
Found:pid=3357 0xd1d 
Found:pid=3358 0xd1e 
Found:pid=3359 0xd1f 
Found:pid=3376 0xd30 Maxthon.exe
Found:pid=3377 0xd31 Maxthon.exe
Found:pid=3378 0xd32 Maxthon.exe
Found:pid=3379 0xd33 Maxthon.exe
Found:pid=3460 0xd84 Procexp.exe
Found:pid=3461 0xd85 Procexp.exe
Found:pid=3462 0xd86 Procexp.exe
Found:pid=3463 0xd87 Procexp.exe
Found:pid=3544 0xdd8 wmiprvse.exe
Found:pid=3545 0xdd9 wmiprvse.exe
Found:pid=3546 0xdda wmiprvse.exe
Found:pid=3547 0xddb wmiprvse.exe
Found:pid=3784 0xec8 
Found:pid=3785 0xec9 
Found:pid=3786 0xeca 
Found:pid=3787 0xecb 
Found:pid=3848 0xf08 
Found:pid=3849 0xf09 
Found:pid=3850 0xf0a 
Found:pid=3851 0xf0b 
Found:pid=3868 0xf1c 
Found:pid=3869 0xf1d 
Found:pid=3870 0xf1e 
Found:pid=3871 0xf1f 
Found:pid=3916 0xf4c 
Found:pid=3917 0xf4d 
Found:pid=3918 0xf4e 
Found:pid=3919 0xf4f 
Found:pid=4028 0xfbc 
Found:pid=4029 0xfbd 
Found:pid=4030 0xfbe 
Found:pid=4031 0xfbf 
Found:pid=4080 0xff0 
Found:pid=4081 0xff1 
Found:pid=4082 0xff2 
Found:pid=4083 0xff3 
Total=51

From left to right: pid, pid in hex, process name.
You can see that some pids can be opened, yet no process name can be obtained for them.
Looking at one in WinDbg shows what is going on.
Taking Cid=0x564 as an example, the result is:
lkd> !process 564
Searching for Process with Cid == 564
PROCESS 81728500 SessionId: 0 Cid: 0564    Peb: 7ffde000 ParentCid: 0bd4
    DirBase: 064e4000 ObjectTable: 00000000 HandleCount:   0.
    Image: GameApp.exe
    VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 197. Locked 0.
    DeviceMap e22b3e68
    Token                             e123ad20
    ElapsedTime                       03:29:13.531
    UserTime                          00:00:01.515
    KernelTime                        00:00:01.171
    QuotaPoolUsage[PagedPool]         0
    QuotaPoolUsage[NonPagedPool]      0
    Working Set Sizes (now,min,max) (25, 50, 345) (100KB, 200KB, 1380KB)
    PeakWorkingSetSize                21815
    VirtualSize                       154 Mb
    PeakVirtualSize                   158 Mb
    PageFaultCount                    31904
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      0

No active threads

This is actually a process that has already exited, but its EPROCESS still exists and some of its data structures have not been destroyed, so it can still be opened; it is in effect a zombie process. The result of this brute force seems to be the same as brute-force enumerating EPROCESS from kernel mode with PsLookupProcessId; reportedly the anti-rootkit tool 狙剑 uses this method.

As for why pid through pid+3 all open a process, I am not sure yet; I will wait until I have analysed the implementation of OpenProcess.

==========================================================================================================================================================

Postscript:

This method is very effective against processes hidden by unlinking, but it is useless against those wiped from PspCidTable: if the entry cannot be found in the table, it naturally cannot be opened.

As for why pid through pid+3 open the same process: a pid is used as a handle, and its lowest two bits are used as flag bits. When the pid is actually looked up, the low two bits have to be masked off, so pid through pid+3 all give the same result.

However, there may be some naive programs that, when doing self-protection, do not compare with the mask applied but compare the pid directly, which means pid+1 through pid+3 may be able to open the protected process.
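As an added example (not the post's own code), the following portable C collapses the pid..pid+3 hits that the loop above produces into one entry per real process and cross-checks them against the pids a normal enumeration reports, which is how the postscript's hidden-process point turns into a check. The input is constructed from the post's own output; on a live system the raw hits would come from the post's OpenProcess loop and the visible list from CreateToolhelp32Snapshot/Process32First.

```c
#include <stdio.h>
#include <string.h>

typedef struct { unsigned pid; char name[32]; } Hit;
enum { PROC_VISIBLE, PROC_ZOMBIE, PROC_HIDDEN };

/* A pid indexes PspCidTable, and the low two bits of a handle are tag bits, so
 * pid..pid+3 all resolve to the same EPROCESS. Self-protection code that
 * compares pids must therefore compare masked values, not raw ones. */
unsigned base_pid(unsigned pid) { return pid & ~3u; }

/* Collapse raw OpenProcess hits into one entry per real process; returns count. */
int collapse(const Hit *raw, int n, Hit *out)
{
    int m = 0;
    for (int i = 0; i < n; i++) {
        unsigned b = base_pid(raw[i].pid);
        int j = 0; while (j < m && out[j].pid != b) j++;
        if (j == m) {                               /* first hit for this process */
            out[m].pid = b;
            snprintf(out[m].name, sizeof out[m].name, "%s", raw[i].name);
            m++;
        }
    }
    return m;
}

/* Compare a collapsed hit with the pids a normal enumeration (e.g. a Toolhelp
 * snapshot) lists. Unlisted and nameless = the exited-but-not-freed zombie from
 * the WinDbg dump; unlisted but named = an unlinked process worth inspecting. */
int classify(const Hit *h, const unsigned *visible, int nvis)
{
    for (int i = 0; i < nvis; i++)
        if (base_pid(visible[i]) == h->pid) return PROC_VISIBLE;
    return h->name[0] ? PROC_HIDDEN : PROC_ZOMBIE;
}

int main(void)
{
    /* Constructed input from the post's output; the snapshot list deliberately omits NetBox.exe. */
    Hit raw[] = { {1380, ""}, {1381, ""}, {1383, ""}, {1492, "SuperOpenProcess.exe"},
                  {1495, "SuperOpenProcess.exe"}, {1500, "NetBox.exe"}, {1503, "NetBox.exe"} };
    unsigned visible[] = { 1492 };
    static const char *label[] = { "visible", "zombie", "hidden" };
    Hit procs[8];
    int n = collapse(raw, (int)(sizeof raw / sizeof raw[0]), procs);
    for (int i = 0; i < n; i++)
        printf("pid=%u %-22s %s\n", procs[i].pid, procs[i].name,
               label[classify(&procs[i], visible, 1)]);
    return 0;
}
```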

Reposted from www.cnblogs.com/achillis/p/10179571.html