
未公开函数 NtQuerySystemInformation 遍历进程信息,获得进程的用户名

IBinary
发布2019-05-25 16:12:39
文章被收录于专栏:逆向技术

目录

  • 遍历进程用户名
    • 代码例子

遍历进程用户名

代码例子

#include <windows.h>
#include <Tlhelp32.h>
#include <COMDEF.H>
#include <stdio.h>
#include <cstdlib>
#include <cstring>
#include <iostream>
#include <memory>
#include <vector>
using namespace std;


// Counted UTF-16 string as used by the native (Nt*) API. In the documented
// UNICODE_STRING layout Length and MaximumLength are byte counts, not
// character counts, and Buffer is not guaranteed to be NUL-terminated —
// do not pass Buffer to APIs that expect a terminated string.
typedef struct _UNICODE_STRING {
    USHORT Length;         // bytes in use in Buffer
    USHORT MaximumLength;  // bytes allocated for Buffer
    PWSTR   Buffer;
} UNICODE_STRING, * PUNICODE_STRING;

// SystemProcessInformation
// One entry of the list returned by NtQuerySystemInformation(SystemProcessInformation).
// Entries are variable-sized: dwNextEntryOffset is the byte distance to the next
// entry and is 0 on the last one (this is how the list walk in GetProcessUser stops).
// NOTE(review): dwProcessId / dwInheritedFromUniqueProcessId are declared DWORD here,
// while the winternl.h declaration of this structure uses pointer-sized HANDLEs for
// those two fields, so this layout only lines up for 32-bit builds — confirm the
// offsets before building for x64.
typedef struct _SYSTEM_PROCESS_INFORMATION
{
    DWORD             dwNextEntryOffset;    // byte offset to the next entry, 0 = end of list
    DWORD             dwNumberOfThreads;
    LARGE_INTEGER     qSpareLi1;
    LARGE_INTEGER     qSpareLi2;
    LARGE_INTEGER     qSpareLi3;
    LARGE_INTEGER     qCreateTime;           // copied bit-for-bit into a FILETIME by GetProcessUser
    LARGE_INTEGER     qUserTime;
    LARGE_INTEGER     qKernelTime;
    UNICODE_STRING     ImageName;            // executable name; counted string, may lack a NUL
    int                 nBasePriority;
    DWORD             dwProcessId;           // matched against the requested PID in GetProcessUser
    DWORD             dwInheritedFromUniqueProcessId;
    DWORD             dwHandleCount;
    DWORD             dwSessionId;
    ULONG             dwSpareUl3;
    SIZE_T             tPeakVirtualSize;
    SIZE_T             tVirtualSize;
    DWORD             dwPageFaultCount;
    DWORD             dwPeakWorkingSetSize;
    DWORD             dwWorkingSetSize;
    SIZE_T             tQuotaPeakPagedPoolUsage;
    SIZE_T             tQuotaPagedPoolUsage;
    SIZE_T             tQuotaPeakNonPagedPoolUsage;
    SIZE_T             tQuotaNonPagedPoolUsage;
    SIZE_T             tPagefileUsage;
    SIZE_T             tPeakPagefileUsage;
    SIZE_T             tPrivatePageCount;
    LARGE_INTEGER     qReadOperationCount;
    LARGE_INTEGER     qWriteOperationCount;
    LARGE_INTEGER     qOtherOperationCount;
    LARGE_INTEGER     qReadTransferCount;
    LARGE_INTEGER     qWriteTransferCount;
    LARGE_INTEGER     qOtherTransferCount;
}SYSTEM_PROCESS_INFORMATION;


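/*----------------------------------------------------
       Purpose : Dynamically load a DLL and resolve one of its exports.
       Input   : pDllName  - module name, e.g. TEXT("NTDLL.DLL")
                 pProcName - ANSI name of the export to resolve
       Output  : none
       Returns : address of the export, or NULL when the module cannot
                 be loaded or does not export pProcName
       Notes   : The module is looked up in the System32 directory only
                 (LOAD_LIBRARY_SEARCH_SYSTEM32), so a same-named DLL placed
                 in the application or current directory is not loaded in
                 its place. The module handle is intentionally never
                 released: callers keep the returned function pointer for
                 the lifetime of the process.
----------------------------------------------------*/

VOID* GetDllProc(const TCHAR* pDllName, const CHAR* pProcName)
{
    if (pDllName == NULL || pProcName == NULL)
        return NULL;

    // LOAD_LIBRARY_SEARCH_SYSTEM32 requires Windows 8, or Windows 7 with KB2533623.
    HMODULE hMod = LoadLibraryEx(pDllName, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (hMod == NULL)
        return NULL;

    // GetProcAddress yields a function pointer; the public contract of this
    // helper is an untyped address, hence the explicit cast.
    return reinterpret_cast<VOID*>(GetProcAddress(hMod, pProcName));
}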

// Function-pointer types for the undocumented exports that are resolved at
// run time through GetDllProc (ntdll.dll, winsta.dll, utildll.dll). None of
// them is part of the public SDK contract, so their signatures may change
// between Windows releases.

// Returns an NTSTATUS: 0 is success, STATUS_INFO_LENGTH_MISMATCH means the
// buffer was too small (see the retry loop in GetSysProcInfo).
typedef LONG(WINAPI* Fun_NtQuerySystemInformation) (int   SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT ULONG* pReturnLength OPTIONAL);

// Non-zero indicates success. GetProcessUser calls it twice: once with a NULL
// buffer to learn the SID size, then with a buffer of that size.
typedef BYTE(WINAPI* Fun_WinStationGetProcessSid)(HANDLE hServer, DWORD   ProcessId,

    FILETIME   ProcessStartTime, PBYTE pProcessUserSid, PDWORD dwSidSize);

// Resolves a SID to an account name written to pUserName. GetProcessUser treats
// a 0 in *cbUserName after the call as "lookup failed".
typedef VOID(WINAPI* Fun_CachedGetUserFromSid)(PSID pSid, PWCHAR pUserName, PULONG cbUserName);

// NTSTATUS value returned when the caller's buffer is too small.
#define STATUS_INFO_LENGTH_MISMATCH         ((LONG)0xC0000004L)

// SYSTEM_INFORMATION_CLASS value selecting the process list.
#define SystemProcessInformation         5


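/*------------------------------------------------------------------
     Purpose : Snapshot the process list through the undocumented
               NtQuerySystemInformation(SystemProcessInformation) call.
     Input   : ppSysProcInfo - receives a malloc'ed buffer holding the
               list; the caller must release it with free().
     Output  : *ppSysProcInfo is set to NULL on every failure path.
     Returns : TRUE on success; FALSE when the export is missing, the
               allocation fails, the required size exceeds kMaxSize, or
               NtQuerySystemInformation reports any status other than
               success / STATUS_INFO_LENGTH_MISMATCH.
--------------------------------------------------------------------*/
BOOL GetSysProcInfo(SYSTEM_PROCESS_INFORMATION** ppSysProcInfo)
{
    if (ppSysProcInfo == NULL)
        return FALSE;
    *ppSysProcInfo = NULL;

    Fun_NtQuerySystemInformation _NtQuerySystemInformation = (Fun_NtQuerySystemInformation)
        ::GetDllProc(TEXT("NTDLL.DLL"), "NtQuerySystemInformation");
    if (_NtQuerySystemInformation == NULL)
        return FALSE;

    // Start at 1 MiB and grow on demand; the cap keeps the growth from
    // wrapping dwSize around and from allocating without bound.
    const DWORD kMaxSize = 256u * 1024u * 1024u;
    DWORD dwSize = 1024 * 1024;
    VOID* pBuf = NULL;
    LONG  lRetVal = STATUS_INFO_LENGTH_MISMATCH;

    for (;;)
    {
        pBuf = malloc(dwSize);
        if (pBuf == NULL)
            return FALSE;

        ULONG ulNeeded = 0;
        lRetVal = _NtQuerySystemInformation(SystemProcessInformation, pBuf, dwSize, &ulNeeded);
        if (lRetVal != STATUS_INFO_LENGTH_MISMATCH)
            break;

        free(pBuf);
        pBuf = NULL;

        // Double by default; if the kernel reported a larger requirement use
        // that instead, with headroom because the list can grow between calls.
        DWORD dwNext = dwSize * 2;
        if (ulNeeded > dwNext)
            dwNext = ulNeeded + 64 * 1024;
        if (dwNext > kMaxSize || dwNext <= dwSize)   // cap reached or arithmetic wrapped
            return FALSE;
        dwSize = dwNext;
    }

    if (lRetVal == 0)   // STATUS_SUCCESS
    {
        *ppSysProcInfo = (SYSTEM_PROCESS_INFORMATION*)pBuf;
        return TRUE;
    }
    free(pBuf);
    return FALSE;
}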



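// Walks the SystemProcessInformation list (terminated by dwNextEntryOffset == 0)
// and copies the creation time of the entry whose id equals dwPid into *pftStart.
// Returns FALSE when no entry matches.
static BOOL FindProcessStartTime(const SYSTEM_PROCESS_INFORMATION* pList, DWORD dwPid, FILETIME* pftStart)
{
    for (const SYSTEM_PROCESS_INFORMATION* pCur = pList;;)
    {
        if (pCur->dwProcessId == dwPid)
        {
            // LARGE_INTEGER and FILETIME are both 64 bits; the value is handed
            // to WinStationGetProcessSid as its FILETIME ProcessStartTime.
            memcpy(pftStart, &pCur->qCreateTime, sizeof(*pftStart));
            return TRUE;
        }
        if (pCur->dwNextEntryOffset == 0)
            return FALSE;
        pCur = (const SYSTEM_PROCESS_INFORMATION*)((const BYTE*)pCur + pCur->dwNextEntryOffset);
    }
}

/*------------------------------------------------------------------
     Purpose : Look up the account name that owns process dwPid.
     Input   : dwPid     - process id to look up
     Output  : pbStrUser - receives the user name on success; left
               untouched on failure
     Returns : TRUE on success; FALSE when the helper exports cannot be
               resolved, the process is not in the snapshot, or the
               SID / account-name lookup fails.
     Notes   : Relies on the undocumented exports WinStationGetProcessSid
               (winsta.dll) and CachedGetUserFromSid (utildll.dll); their
               behaviour may differ between Windows versions.
--------------------------------------------------------------------*/
BOOL GetProcessUser(DWORD dwPid, _bstr_t* pbStrUser)
{
    if (pbStrUser == NULL)
        return FALSE;

    Fun_WinStationGetProcessSid _WinStationGetProcessSid = (Fun_WinStationGetProcessSid)
        GetDllProc(TEXT("Winsta.dll"), "WinStationGetProcessSid");
    Fun_CachedGetUserFromSid _CachedGetUserFromSid = (Fun_CachedGetUserFromSid)
        GetDllProc(TEXT("utildll.dll"), "CachedGetUserFromSid");
    if (_WinStationGetProcessSid == NULL || _CachedGetUserFromSid == NULL)
        return FALSE;

    SYSTEM_PROCESS_INFORMATION* pProcInfo = NULL;
    if (!GetSysProcInfo(&pProcInfo) || pProcInfo == NULL)
        return FALSE;
    // The snapshot is malloc'ed by GetSysProcInfo; release it on every exit path.
    std::unique_ptr<SYSTEM_PROCESS_INFORMATION, void (*)(void*)> procInfoGuard(pProcInfo, &free);

    FILETIME ftStartTime = { 0 };
    if (!FindProcessStartTime(pProcInfo, dwPid, &ftStartTime))
        return FALSE;

    // First call with a NULL buffer is expected to fail and report the SID size;
    // an unexpected success or a zero size gives us nothing usable.
    DWORD dwSidSize = 0;
    if (_WinStationGetProcessSid(NULL, dwPid, ftStartTime, NULL, &dwSidSize) != 0 || dwSidSize == 0)
        return FALSE;

    std::vector<BYTE> sid(dwSidSize);
    if (_WinStationGetProcessSid(NULL, dwPid, ftStartTime, sid.data(), &dwSidSize) == 0)
        return FALSE;

    WCHAR szUserName[1024] = { 0 };
    const ULONG cchUserName = sizeof(szUserName) / sizeof(szUserName[0]);
    // cbUserName is in/out: capacity in, written length out. It is passed as a
    // character count; should the export actually expect bytes this only
    // under-reports the capacity, never over-reports it. TODO confirm the unit.
    ULONG cbUserName = cchUserName;
    _CachedGetUserFromSid(sid.data(), szUserName, &cbUserName);
    if (cbUserName == 0)
        return FALSE;
    szUserName[cchUserName - 1] = L'\0';   // guarantee termination before the copy below

    *pbStrUser = szUserName;
    return TRUE;
}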


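/*------------------------------------------------------------------
     Entry point: enumerate the running processes with the Tool Help
     snapshot API and print the owning account of every process whose
     image name matches szProcessName.
     Returns 0 when the snapshot was taken, 1 when it could not be.
--------------------------------------------------------------------*/
int main()
{
    /*
    Original plan of the sample:
      1. enumerate all processes              (implemented below)
      2. enumerate the modules of a process   (not implemented in this sample)
      3. read module characteristics          (not implemented in this sample)
      4. terminate that process               (not implemented in this sample)
    */
    // Candidates used by the author: services.exe, conhost.exe

    // Image name whose owner is reported; the comparison is case-insensitive.
    const TCHAR szProcessName[] = TEXT("services.exe");

    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE)
    {
        wprintf(L"CreateToolhelp32Snapshot failed, error %lu\n", GetLastError());
        return 1;
    }

    PROCESSENTRY32 pe = { 0 };
    pe.dwSize = sizeof(pe);   // Process32First rejects an entry whose dwSize is not set
    BOOL bFind = FALSE;

    for (BOOL bMore = Process32First(hSnap, &pe); bMore; bMore = Process32Next(hSnap, &pe))
    {
        if (lstrcmpi(pe.szExeFile, szProcessName) != 0)
            continue;
        bFind = TRUE;

        _bstr_t bs;
        if (GetProcessUser(pe.th32ProcessID, &bs))
            wprintf(L"PID %lu: %ls\n", pe.th32ProcessID, (const wchar_t*)bs);
        else
            wprintf(L"PID %lu: <owner not available>\n", pe.th32ProcessID);
    }
    CloseHandle(hSnap);

    if (!bFind)
        wprintf(L"no process with the requested image name was found\n");
    return 0;
}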
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2019-05-05 ,如有侵权请联系 cloudcommunity@tencent.com 删除
