山寨冰刃的源码里的一个函数。。 获取进程的线程信息。。。
逻辑:
首先通过进程列表找到要枚举的进程,然后根据 EPROCESS 的内容得到 ETHREAD 的偏移,遍历 ETHREAD 链表,便可得到所有的线程信息。。
(写的搓搓的 。。。思路不是太清晰。。)
1
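/* Release every node of a THREAD_INFO list built by GetThread (used on the
 * allocation-failure path so a partial list is never leaked). */
static void GetThreadFreeList(PTHREAD_INFO head)
{
    while (head != NULL) {
        PTHREAD_INFO next = head->Next;
        ExFreePool(head);
        head = next;
    }
}

/*
 * GetThread - snapshot the threads of the process whose id is Pid by
 * walking the kernel's EPROCESS / ETHREAD lists directly.
 *
 * Pid:     process id to look up.  0 is rejected and yields NULL.
 *
 * Returns: a singly linked list of THREAD_INFO nodes (dwThreadId,
 *          StartAddress, pEThread, Next) allocated from NonPagedPool and
 *          terminated by Next == NULL; NULL when Pid is 0, when no process
 *          with that id is on the active-process list, when the process has
 *          no threads, or when a node allocation fails (nothing is leaked in
 *          that case).  The caller owns the list and frees every node with
 *          ExFreePool.
 *
 * Must run at IRQL PASSIVE_LEVEL (pool allocation, PsGetCurrentProcess).
 * The walk takes no lock and no object reference on the processes and
 * threads it touches, so it is only a best-effort snapshot: a process or
 * thread that exits while the walk is in progress can leave pEThread
 * dangling.  Addresses are carried in ULONG, i.e. this assumes a 32-bit
 * kernel, and the structure offsets below are raw layout constants for
 * that build; only the process-id offset is looked up at run time.
 *
 * Differences from the earlier version: the sentinel head node is gone
 * (so it can no longer leak when the process is not found), every pool
 * allocation is checked, an empty thread list no longer dereferences an
 * uninitialised pointer, and the unused ImageFileName offset lookup and
 * dead locals were dropped.
 */
PTHREAD_INFO GetThread(int Pid)
{
    /* Raw structure offsets used by the walk.  These are the values the
     * original listing hard-coded; they are not stable across Windows
     * versions and belong in GetPlantformDependentInfo alongside
     * PROCESS_ID_OFFSET. */
    enum {
        GT_ACTIVE_LINKS_OFFSET     = 0x088, /* EPROCESS.ActiveProcessLinks */
        GT_THREAD_LIST_HEAD_OFFSET = 0x050, /* KPROCESS.ThreadListHead */
        GT_THREAD_LIST_LINK_OFFSET = 0x1b0, /* KTHREAD.ThreadListEntry */
        GT_THREAD_ID_OFFSET        = 0x1f0, /* ETHREAD.Cid (0x1ec) + 4: thread id */
        GT_THREAD_START_OFFSET     = 0x228, /* thread start address field */
        GT_DEFAULT_PID_OFFSET      = 0x084  /* process-id offset fallback */
    };

    ULONG pSystemProcess;
    ULONG pListHead;
    ULONG pNextEntry;
    PTHREAD_INFO head = NULL;
    /* Address of the Next slot the next node goes into: &head at first,
     * then &last->Next.  This replaces the throw-away sentinel node the
     * original allocated and then freed. */
    PTHREAD_INFO *tail = &head;
    DWORD dwPidOffset;

    if (Pid == 0) {
        return NULL;
    }

    dwPidOffset = GetPlantformDependentInfo(PROCESS_ID_OFFSET); /* 0x084 on the layout above */
    if (dwPidOffset == 0) {
        DbgPrint("Get Offset Fail !");
        dwPidOffset = GT_DEFAULT_PID_OFFSET;
    }

    /* Start from the current process; ActiveProcessLinks is circular, so
     * every process is reached regardless of the starting point. */
    pSystemProcess = (ULONG)PsGetCurrentProcess();
    if (pSystemProcess == 0) {
        DbgPrint("KernelExec -> Cannot find 'System' process!");
        return NULL;
    }
    pListHead  = pSystemProcess + GT_ACTIVE_LINKS_OFFSET;
    pNextEntry = *(ULONG *)pListHead; /* Flink */
    if (pNextEntry == 0) {
        DbgPrint("KernelExec -> No processes found!");
        return NULL;
    }

    for (; pNextEntry != pListHead; pNextEntry = *(ULONG *)pNextEntry) {
        ULONG pProcess = pNextEntry - GT_ACTIVE_LINKS_OFFSET; /* back to the EPROCESS base */
        ULONG pThListHead;
        ULONG pThNextEntry;

        /* Process id compared as int, as the original listing did; that
         * only holds for the 32-bit layout these offsets describe. */
        if (*(int *)(pProcess + dwPidOffset) != Pid) {
            continue;
        }

        pThListHead = pProcess + GT_THREAD_LIST_HEAD_OFFSET;
        for (pThNextEntry = *(ULONG *)pThListHead;
             pThNextEntry != pThListHead;
             pThNextEntry = *(ULONG *)pThNextEntry) {
            ULONG pThread = pThNextEntry - GT_THREAD_LIST_LINK_OFFSET; /* ETHREAD base */
            PTHREAD_INFO node = (PTHREAD_INFO)ExAllocatePool(NonPagedPool, sizeof(THREAD_INFO));

            if (node == NULL) {
                /* Pool exhaustion: hand back nothing rather than a partial
                 * list the caller cannot tell apart from a complete one. */
                DbgPrint("GetThread -> ExAllocatePool failed, dropping partial thread list");
                GetThreadFreeList(head);
                return NULL;
            }
            node->dwThreadId   = *(ULONG *)(pThread + GT_THREAD_ID_OFFSET);
            node->StartAddress = *(int *)(pThread + GT_THREAD_START_OFFSET);
            node->pEThread     = (ULONG *)pThread;
            node->Next         = NULL;

            *tail = node;
            tail  = &node->Next;
        }
        /* A process id appears at most once on the list; stop scanning. */
        break;
    }

    /* NULL here means "not found" or "found but no threads"; the original
     * also returned NULL for the first case. */
    return head;
}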
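/* Release every node of a THREAD_INFO list built by GetThread (used on the
 * allocation-failure path so a partial list is never leaked). */
static void GetThreadFreeList(PTHREAD_INFO head)
{
    while (head != NULL) {
        PTHREAD_INFO next = head->Next;
        ExFreePool(head);
        head = next;
    }
}

/*
 * GetThread - snapshot the threads of the process whose id is Pid by
 * walking the kernel's EPROCESS / ETHREAD lists directly.
 *
 * Pid:     process id to look up.  0 is rejected and yields NULL.
 *
 * Returns: a singly linked list of THREAD_INFO nodes (dwThreadId,
 *          StartAddress, pEThread, Next) allocated from NonPagedPool and
 *          terminated by Next == NULL; NULL when Pid is 0, when no process
 *          with that id is on the active-process list, when the process has
 *          no threads, or when a node allocation fails (nothing is leaked in
 *          that case).  The caller owns the list and frees every node with
 *          ExFreePool.
 *
 * Must run at IRQL PASSIVE_LEVEL (pool allocation, PsGetCurrentProcess).
 * The walk takes no lock and no object reference on the processes and
 * threads it touches, so it is only a best-effort snapshot: a process or
 * thread that exits while the walk is in progress can leave pEThread
 * dangling.  Addresses are carried in ULONG, i.e. this assumes a 32-bit
 * kernel, and the structure offsets below are raw layout constants for
 * that build; only the process-id offset is looked up at run time.
 *
 * Differences from the earlier version: the sentinel head node is gone
 * (so it can no longer leak when the process is not found), every pool
 * allocation is checked, an empty thread list no longer dereferences an
 * uninitialised pointer, and the unused ImageFileName offset lookup and
 * dead locals were dropped.
 */
PTHREAD_INFO GetThread(int Pid)
{
    /* Raw structure offsets used by the walk.  These are the values the
     * original listing hard-coded; they are not stable across Windows
     * versions and belong in GetPlantformDependentInfo alongside
     * PROCESS_ID_OFFSET. */
    enum {
        GT_ACTIVE_LINKS_OFFSET     = 0x088, /* EPROCESS.ActiveProcessLinks */
        GT_THREAD_LIST_HEAD_OFFSET = 0x050, /* KPROCESS.ThreadListHead */
        GT_THREAD_LIST_LINK_OFFSET = 0x1b0, /* KTHREAD.ThreadListEntry */
        GT_THREAD_ID_OFFSET        = 0x1f0, /* ETHREAD.Cid (0x1ec) + 4: thread id */
        GT_THREAD_START_OFFSET     = 0x228, /* thread start address field */
        GT_DEFAULT_PID_OFFSET      = 0x084  /* process-id offset fallback */
    };

    ULONG pSystemProcess;
    ULONG pListHead;
    ULONG pNextEntry;
    PTHREAD_INFO head = NULL;
    /* Address of the Next slot the next node goes into: &head at first,
     * then &last->Next.  This replaces the throw-away sentinel node the
     * original allocated and then freed. */
    PTHREAD_INFO *tail = &head;
    DWORD dwPidOffset;

    if (Pid == 0) {
        return NULL;
    }

    dwPidOffset = GetPlantformDependentInfo(PROCESS_ID_OFFSET); /* 0x084 on the layout above */
    if (dwPidOffset == 0) {
        DbgPrint("Get Offset Fail !");
        dwPidOffset = GT_DEFAULT_PID_OFFSET;
    }

    /* Start from the current process; ActiveProcessLinks is circular, so
     * every process is reached regardless of the starting point. */
    pSystemProcess = (ULONG)PsGetCurrentProcess();
    if (pSystemProcess == 0) {
        DbgPrint("KernelExec -> Cannot find 'System' process!");
        return NULL;
    }
    pListHead  = pSystemProcess + GT_ACTIVE_LINKS_OFFSET;
    pNextEntry = *(ULONG *)pListHead; /* Flink */
    if (pNextEntry == 0) {
        DbgPrint("KernelExec -> No processes found!");
        return NULL;
    }

    for (; pNextEntry != pListHead; pNextEntry = *(ULONG *)pNextEntry) {
        ULONG pProcess = pNextEntry - GT_ACTIVE_LINKS_OFFSET; /* back to the EPROCESS base */
        ULONG pThListHead;
        ULONG pThNextEntry;

        /* Process id compared as int, as the original listing did; that
         * only holds for the 32-bit layout these offsets describe. */
        if (*(int *)(pProcess + dwPidOffset) != Pid) {
            continue;
        }

        pThListHead = pProcess + GT_THREAD_LIST_HEAD_OFFSET;
        for (pThNextEntry = *(ULONG *)pThListHead;
             pThNextEntry != pThListHead;
             pThNextEntry = *(ULONG *)pThNextEntry) {
            ULONG pThread = pThNextEntry - GT_THREAD_LIST_LINK_OFFSET; /* ETHREAD base */
            PTHREAD_INFO node = (PTHREAD_INFO)ExAllocatePool(NonPagedPool, sizeof(THREAD_INFO));

            if (node == NULL) {
                /* Pool exhaustion: hand back nothing rather than a partial
                 * list the caller cannot tell apart from a complete one. */
                DbgPrint("GetThread -> ExAllocatePool failed, dropping partial thread list");
                GetThreadFreeList(head);
                return NULL;
            }
            node->dwThreadId   = *(ULONG *)(pThread + GT_THREAD_ID_OFFSET);
            node->StartAddress = *(int *)(pThread + GT_THREAD_START_OFFSET);
            node->pEThread     = (ULONG *)pThread;
            node->Next         = NULL;

            *tail = node;
            tail  = &node->Next;
        }
        /* A process id appears at most once on the list; stop scanning. */
        break;
    }

    /* NULL here means "not found" or "found but no threads"; the original
     * also returned NULL for the first case. */
    return head;
}
今天找到一个 开放源码的 hips,没事研究下。。。。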

