Author:hatling
Code:
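/*
 * Locate the address of the kernel's PspCidTable variable by scanning the
 * body of the exported routine PsLookupProcessByProcessId for the byte
 * sequence `ff 35 xx xx xx xx e8`, i.e. a `push dword ptr [imm32]`
 * immediately followed by a `call rel32`; the imm32 operand is taken to be
 * the address of PspCidTable.
 *
 * Returns: the address of the PspCidTable variable, or 0 when the routine
 * cannot be resolved or the pattern is not found inside the scan window.
 *
 * Both the opcode sequence and the ULONG-as-pointer arithmetic are specific
 * to 32-bit x86 kernel builds; other builds may not contain this sequence at
 * all, which is why a miss must be reported rather than scanned past.
 */
ULONG GetPspCidTable()
{
    /* Upper bound on the bytes inspected. The original loop was unbounded
     * and, when the pattern was absent, kept reading beyond the routine
     * (and eventually beyond the mapped image). The window is a constructed
     * value sized to cover the routine's prologue; widen it if a target
     * build places the push further in. */
    enum { PSPCID_SCAN_LIMIT = 0x100 };
    ULONG PspCidTable = 0;
    ULONG FuncAddr = 0;
    ULONG Offset = 0;
    UNICODE_STRING FuncName = {0};

    RtlInitUnicodeString(&FuncName, L"PsLookupProcessByProcessId");
    FuncAddr = (ULONG)MmGetSystemRoutineAddress(&FuncName);
    if (FuncAddr == 0)
    {
        /* Routine not exported on this kernel: nothing safe to scan. */
        return 0;
    }

    for (Offset = 0; Offset < PSPCID_SCAN_LIMIT; Offset++, FuncAddr++)
    {
        /* ff 35 = push [disp32]; the disp32 occupies bytes 2..5, so the
         * opcode of the following instruction sits at byte 6. */
        if ((0x35ff == (*(PUSHORT)FuncAddr)) && (0xe8 == (*(PUCHAR)(FuncAddr + 6))))
        {
            PspCidTable = *(PULONG)(FuncAddr + 2);
            break;
        }
    }
    return PspCidTable;
}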
#define OBJECT_BODY_TO_TYPE 0x10
//从3级表开始遍历
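/*
 * Walk one lowest-level (L3) page of the CID handle table and print the
 * image name of every entry that refers to a process object.
 *
 * TableAddr: address of a level-3 table page. Entry 0 is skipped (the walk
 *            starts at TableAddr + 8) and the following 511 8-byte entries
 *            are examined, i.e. 512 entries = one 4 KiB page.
 *
 * Returns: always 0.
 *
 * The first DWORD of each entry is the object pointer with its low three
 * bits not being part of the address, so they are masked off. The table
 * presumably holds thread objects as well, so the type pointer stored
 * OBJECT_BODY_TO_TYPE bytes before the object body is compared with
 * *PsProcessType before the entry is reported.
 */
ULONG BrowseTableL3(ULONG TableAddr)
{
    ULONG Object = 0;
    ULONG ItemCount = 511;
    do
    {
        TableAddr += 8;
        Object = *(PULONG)TableAddr;
        Object &= 0xfffffff8;   /* strip the low-order non-address bits */
        if (Object == 0)
        {
            continue;   /* empty slot; `continue` jumps to the loop test */
        }
        /* NOTE(review): the object pointer is dereferenced without checking
         * that it is still mapped. A slot that is being freed concurrently
         * can fault here; validate the address (or walk under the table's
         * lock) before trusting it — TODO confirm with the calling driver. */
        if ((*PsProcessType) == (*(PULONG)(Object - OBJECT_BODY_TO_TYPE)))
        {
            /* Newline added so consecutive names do not run together in
             * the debugger output. */
            KdPrint(("%s\n", PsGetProcessImageFileName((PEPROCESS)Object)));
        }
    } while (--ItemCount > 0);
    return 0;
}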
//从二级表开始遍历
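/*
 * Walk a mid-level (L2) table — an array of pointers to level-3 pages — and
 * hand every non-NULL page to BrowseTableL3.
 *
 * TableAddr: address of the level-2 table.
 *
 * Returns: always 0.
 *
 * The original loop called BrowseTableL3 on the first slot unconditionally
 * (faulting on a NULL slot) and stopped only when it met a NULL slot, so a
 * completely filled table would be read past its end. The walk now checks
 * each slot before use and is additionally capped at the number of 4-byte
 * pointers that fit in one 4 KiB page.
 */
ULONG BrowseTableL2(ULONG TableAddr)
{
    enum { POINTERS_PER_PAGE = 4096 / 4 };
    ULONG Slot = 0;
    for (Slot = 0; Slot < POINTERS_PER_PAGE; Slot++, TableAddr += 4)
    {
        ULONG SubTable = *(PULONG)TableAddr;
        if (SubTable == 0)
        {
            break;  /* first empty slot ends the populated prefix */
        }
        BrowseTableL3(SubTable);
    }
    return 0;
}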
//从1级表开始遍历
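/*
 * Walk the top-level (L1) table — an array of pointers to level-2 tables —
 * and hand every non-NULL table to BrowseTableL2.
 *
 * TableAddr: address of the level-1 table.
 *
 * Returns: always 0.
 *
 * As with BrowseTableL2, the original loop dereferenced the first slot
 * unconditionally and had no upper bound. The walk now checks each slot
 * before use and is capped at one page of 4-byte pointers. NOTE(review):
 * the top-level table is expected to be far smaller than a page on the
 * kernels this targets, so the cap is a ceiling, not the real slot count —
 * tighten it once the build's top-level count is confirmed.
 */
ULONG BrowseTableL1(ULONG TableAddr)
{
    enum { POINTERS_PER_PAGE = 4096 / 4 };
    ULONG Slot = 0;
    for (Slot = 0; Slot < POINTERS_PER_PAGE; Slot++, TableAddr += 4)
    {
        ULONG SubTable = *(PULONG)TableAddr;
        if (SubTable == 0)
        {
            break;  /* first empty slot ends the populated prefix */
        }
        BrowseTableL2(SubTable);
    }
    return 0;
}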
/*
 * Enumerate process objects by walking PspCidTable directly. Because the
 * walk goes through the CID table rather than any process list, it
 * presumably still reaches processes that were unlinked from list-based
 * enumeration; output goes to KdPrint inside BrowseTableL3.
 *
 * Layout assumed (32-bit x86): the PspCidTable variable holds a pointer to
 * a handle table whose first ULONG is the table code; its low two bits give
 * the number of table levels and the remaining bits the address of the
 * top-level table.
 *
 * The function's closing brace is not present in this listing.
 */
VOID RefreshProcessByPspCidTable()
{
ULONG PspCidTable=0;
ULONG HandleTable=0;
ULONG TableCode=0;
ULONG flag=0;
PspCidTable=GetPspCidTable();
/* NOTE(review): GetPspCidTable() yields 0 when its scan fails, and that
 * value is dereferenced on the next line with no check. */
HandleTable=*(PULONG)PspCidTable;
TableCode=*(PULONG)HandleTable;
flag=TableCode&3;       /* table depth: 0 = one level, 1 = two, 2 = three */
TableCode&=0xfffffffc;  /* remaining bits: address of the top-level table */
switch (flag)
{
case 0:
BrowseTableL3(TableCode);
break;
case 1:
BrowseTableL2(TableCode);
break;
case 2:
BrowseTableL1(TableCode);
break;
/* no default: flag == 3 is not a valid depth and is silently ignored */
}
{
ULONG PspCidTable=0;
ULONG FuncAddr=NULL;
UNICODE_STRING FuncName={0};
RtlInitUnicodeString(&FuncName,L"PsLookupProcessByProcessId");
FuncAddr=(ULONG)MmGetSystemRoutineAddress(&FuncName);
for (;;FuncAddr++)
{
if ((0x35ff==(*(PUSHORT)FuncAddr)) && (0xe8==(*(PUCHAR)(FuncAddr+6))))
{
PspCidTable=*(PULONG)(FuncAddr+2);
break;
}
}
return PspCidTable;
}
#define OBJECT_BODY_TO_TYPE 0x10
//从3级表开始遍历
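/*
 * Walk one lowest-level (L3) page of the CID handle table and print the
 * image name of every entry that refers to a process object.
 *
 * TableAddr: address of a level-3 table page. Entry 0 is skipped (the walk
 *            starts at TableAddr + 8) and the following 511 8-byte entries
 *            are examined, i.e. 512 entries = one 4 KiB page.
 *
 * Returns: always 0.
 *
 * The first DWORD of each entry is the object pointer with its low three
 * bits not being part of the address, so they are masked off. The table
 * presumably holds thread objects as well, so the type pointer stored
 * OBJECT_BODY_TO_TYPE bytes before the object body is compared with
 * *PsProcessType before the entry is reported.
 */
ULONG BrowseTableL3(ULONG TableAddr)
{
    ULONG Object = 0;
    ULONG ItemCount = 511;
    do
    {
        TableAddr += 8;
        Object = *(PULONG)TableAddr;
        Object &= 0xfffffff8;   /* strip the low-order non-address bits */
        if (Object == 0)
        {
            continue;   /* empty slot; `continue` jumps to the loop test */
        }
        /* NOTE(review): the object pointer is dereferenced without checking
         * that it is still mapped. A slot that is being freed concurrently
         * can fault here; validate the address (or walk under the table's
         * lock) before trusting it — TODO confirm with the calling driver. */
        if ((*PsProcessType) == (*(PULONG)(Object - OBJECT_BODY_TO_TYPE)))
        {
            /* Newline added so consecutive names do not run together in
             * the debugger output. */
            KdPrint(("%s\n", PsGetProcessImageFileName((PEPROCESS)Object)));
        }
    } while (--ItemCount > 0);
    return 0;
}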
//从二级表开始遍历
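/*
 * Walk a mid-level (L2) table — an array of pointers to level-3 pages — and
 * hand every non-NULL page to BrowseTableL3.
 *
 * TableAddr: address of the level-2 table.
 *
 * Returns: always 0.
 *
 * The original loop called BrowseTableL3 on the first slot unconditionally
 * (faulting on a NULL slot) and stopped only when it met a NULL slot, so a
 * completely filled table would be read past its end. The walk now checks
 * each slot before use and is additionally capped at the number of 4-byte
 * pointers that fit in one 4 KiB page.
 */
ULONG BrowseTableL2(ULONG TableAddr)
{
    enum { POINTERS_PER_PAGE = 4096 / 4 };
    ULONG Slot = 0;
    for (Slot = 0; Slot < POINTERS_PER_PAGE; Slot++, TableAddr += 4)
    {
        ULONG SubTable = *(PULONG)TableAddr;
        if (SubTable == 0)
        {
            break;  /* first empty slot ends the populated prefix */
        }
        BrowseTableL3(SubTable);
    }
    return 0;
}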
//从1级表开始遍历
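/*
 * Walk the top-level (L1) table — an array of pointers to level-2 tables —
 * and hand every non-NULL table to BrowseTableL2.
 *
 * TableAddr: address of the level-1 table.
 *
 * Returns: always 0.
 *
 * As with BrowseTableL2, the original loop dereferenced the first slot
 * unconditionally and had no upper bound. The walk now checks each slot
 * before use and is capped at one page of 4-byte pointers. NOTE(review):
 * the top-level table is expected to be far smaller than a page on the
 * kernels this targets, so the cap is a ceiling, not the real slot count —
 * tighten it once the build's top-level count is confirmed.
 */
ULONG BrowseTableL1(ULONG TableAddr)
{
    enum { POINTERS_PER_PAGE = 4096 / 4 };
    ULONG Slot = 0;
    for (Slot = 0; Slot < POINTERS_PER_PAGE; Slot++, TableAddr += 4)
    {
        ULONG SubTable = *(PULONG)TableAddr;
        if (SubTable == 0)
        {
            break;  /* first empty slot ends the populated prefix */
        }
        BrowseTableL2(SubTable);
    }
    return 0;
}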
/*
 * Enumerate process objects by walking PspCidTable directly. Because the
 * walk goes through the CID table rather than any process list, it
 * presumably still reaches processes that were unlinked from list-based
 * enumeration; output goes to KdPrint inside BrowseTableL3.
 *
 * Layout assumed (32-bit x86): the PspCidTable variable holds a pointer to
 * a handle table whose first ULONG is the table code; its low two bits give
 * the number of table levels and the remaining bits the address of the
 * top-level table.
 *
 * The function's closing brace is not present in this listing.
 */
VOID RefreshProcessByPspCidTable()
{
ULONG PspCidTable=0;
ULONG HandleTable=0;
ULONG TableCode=0;
ULONG flag=0;
PspCidTable=GetPspCidTable();
/* NOTE(review): GetPspCidTable() yields 0 when its scan fails, and that
 * value is dereferenced on the next line with no check. */
HandleTable=*(PULONG)PspCidTable;
TableCode=*(PULONG)HandleTable;
flag=TableCode&3;       /* table depth: 0 = one level, 1 = two, 2 = three */
TableCode&=0xfffffffc;  /* remaining bits: address of the top-level table */
switch (flag)
{
case 0:
BrowseTableL3(TableCode);
break;
case 1:
BrowseTableL2(TableCode);
break;
case 2:
BrowseTableL1(TableCode);
break;
/* no default: flag == 3 is not a valid depth and is silently ignored */
}