本文介绍三种常见进程遍历的方式
基于 CreateToolHelp32Snapshot 的、基于 EnumProcesses 的和基于 NtQuerySystemInformation 的。
前者在沙箱中爆可疑行为 后两者并不会
CreateToolHelp32Snapshot
指定参数TH32CS_SNAPPROCESS
以获取快照中的所有进程
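/*
 * Enumerate processes through a Toolhelp snapshot and print PID + image name.
 *
 * Fixes relative to the listing:
 *  - CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, never NULL,
 *    so the handle is validated before Process32First/CloseHandle see it;
 *  - th32ProcessID (2nd argument) is a DWORD and is ignored for TH32CS_SNAPPROCESS,
 *    so 0 is passed instead of the pointer constant NULL;
 *  - the "\n" escapes that were lost in the listing are restored (the original
 *    string "%lun" prints a literal 'n' after the number).
 *
 * Assumes a UNICODE build: PROCESSENTRY32 then maps to the W variant whose
 * szExeFile is wide, which is what %s under wprintf expects — TODO confirm
 * the project's character-set setting.
 */
PROCESSENTRY32 pe32 = { sizeof(PROCESSENTRY32) };  // dwSize must be set before Process32First
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot != INVALID_HANDLE_VALUE) {
    if (Process32First(hSnapShot, &pe32)) {
        do {
            // th32ProcessID is a DWORD (unsigned long) -> %lu
            wprintf(L"PID: %lu\nProcess Name: %s\n", pe32.th32ProcessID, pe32.szExeFile);
        } while (Process32Next(hSnapShot, &pe32));
    }
    CloseHandle(hSnapShot);
}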
EnumProcesses
三个参数
参数一 指向pid数组的指针
参数二 数组大小
参数三 实际写入数组的字节数
直接就能获取pid的数组 我们更希望匹配名称
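/*
 * List process IDs with EnumProcesses (PSAPI) and print them.
 *
 * EnumProcesses has no "buffer too small" error: it simply fills as much of the
 * array as fits. The documented way to detect truncation is that the returned
 * byte count equals the array size passed in. The original never checked this,
 * so on a busy host with more than 1024 processes it silently dropped entries;
 * the check below reports the condition (growing the array would need a heap
 * allocator, which this snippet does not have in scope).
 * The "\n" escape lost in the listing is also restored.
 */
DWORD processIds[1024];
DWORD cbNeeded = 0;
if (EnumProcesses(processIds, sizeof(processIds), &cbNeeded)) {
    if (cbNeeded == sizeof(processIds)) {
        // Array completely filled: per the EnumProcesses contract the list may be incomplete.
        fprintf(stderr, "warning: PID array full (%u entries); list may be truncated\n",
                (unsigned)(sizeof(processIds) / sizeof(processIds[0])));
    }
    DWORD processCount = cbNeeded / sizeof(DWORD);  // cbNeeded is a byte count
    for (DWORD i = 0; i < processCount; i++) {
        printf("PID: %lu\n", processIds[i]);  // DWORD is unsigned long -> %lu
    }
}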
可以通过GetModuleFileNameEx
获取
GetModuleFileNameEx
需要进程句柄，通过 OpenProcess 打开即可。
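/*
 * List processes with EnumProcesses and resolve each PID to its image name via
 * OpenProcess + GetModuleFileNameEx + PathFindFileName.
 *
 * Fixes relative to the listing:
 *  - truncation of the fixed PID array is detected (EnumProcesses reports it only
 *    by returning cbNeeded == the array size; it never fails for this);
 *  - the "<unknown>" fallback was dead code: the print sat inside the
 *    GetModuleFileNameEx success branch, so processes whose path could not be
 *    read produced no output at all. Now every opened process is printed, with
 *    "<unknown>" when the path lookup fails;
 *  - the "\n" escapes lost in the listing are restored.
 *
 * Access notes: GetModuleFileNameEx needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
 * so OpenProcess is denied for protected or higher-integrity processes and those
 * PIDs are skipped here; a path-only lookup could use PROCESS_QUERY_LIMITED_INFORMATION
 * with QueryFullProcessImageName instead, which needs fewer rights. The %s/%lu
 * pairing under wprintf assumes a UNICODE build (TCHAR == WCHAR) — TODO confirm.
 */
DWORD processIds[1024];
DWORD cbNeeded = 0;
if (EnumProcesses(processIds, sizeof(processIds), &cbNeeded)) {
    if (cbNeeded == sizeof(processIds)) {
        // Array completely filled: per the EnumProcesses contract the list may be incomplete.
        fwprintf(stderr, L"warning: PID array full; list may be truncated\n");
    }
    DWORD processCount = cbNeeded / sizeof(DWORD);  // cbNeeded is a byte count
    for (DWORD i = 0; i < processCount; i++) {
        DWORD pid = processIds[i];
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
        if (hProcess == NULL) {
            continue;  // access denied or the process has already exited
        }
        TCHAR processPath[MAX_PATH] = TEXT("");
        const TCHAR *processName = TEXT("<unknown>");  // fallback, used when the path cannot be read
        if (GetModuleFileNameEx(hProcess, NULL, processPath, sizeof(processPath) / sizeof(TCHAR))) {
            processName = PathFindFileName(processPath);  // strip directory, keep file name
        }
        wprintf(L"PID: %lu\nProcess Name: %s\n", pid, processName);
        CloseHandle(hProcess);
    }
}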
4e99710c8b31758be5ebd2008179dc505da8456db1ad2ab5fe26879048708cfe
NtQuerySystemInformation
NtQuerySystemInformation
是nt api 用于检索指定的系统信息
需要传入一个SYSTEM_INFORMATION_CLASS
枚举类型的值；这里需要获取进程相关信息，对应的值是 SystemProcessInformation。
对应的结构体可以在msdn找到
/*
 * Minimal NT type definitions needed to walk the SystemProcessInformation
 * buffer returned by NtQuerySystemInformation.
 *
 * The member order and the sizes of the Reserved* members ARE the ABI: this is
 * the documented public layout (the page says it was taken from MSDN) and the
 * kernel fills the buffer by offset, so nothing here may be reordered, renamed
 * to a different size, or removed.
 * NOTE(review): if <winternl.h> is also included, these typedefs collide with
 * its own UNICODE_STRING / SYSTEM_PROCESS_INFORMATION definitions — confirm
 * which one the build uses.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;         // per the NT convention a byte count, not a character count; Buffer need not be NUL-terminated
    USHORT MaximumLength;  // byte capacity of Buffer
    PWSTR Buffer;          // may be NULL — the traversal below checks it before printing
} UNICODE_STRING, *PUNICODE_STRING;

typedef LONG KPRIORITY;  // NT scheduling priority value

/*
 * One entry per process. Entries are not an array: each carries the byte offset
 * of the next one in NextEntryOffset, with 0 marking the last entry, and the
 * traversal advances with (ULONG_PTR)current + NextEntryOffset.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;       // byte offset to the next entry, 0 on the last
    ULONG NumberOfThreads;
    BYTE Reserved1[48];          // opaque in the public layout; size is part of the ABI
    UNICODE_STRING ImageName;    // printed with %wZ by the traversal
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;      // the PID, carried as a HANDLE-sized value (cast via ULONG_PTR to print)
    PVOID Reserved2;
    ULONG HandleCount;
    ULONG SessionId;
    PVOID Reserved3;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG Reserved4;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    PVOID Reserved5;
    SIZE_T QuotaPagedPoolUsage;
    PVOID Reserved6;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved7[6];  // opaque in the public layout
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
获取NT api
先获取NtQuerySystemInformation 缺少的结构体可以在https://processhacker.sourceforge.io/doc/ntexapi_8h_source.html找到
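/*
 * SYSTEM_INFORMATION_CLASS as reproduced from the processhacker/phnt ntexapi.h
 * listing referenced above. The ordinal position of every enumerator is the
 * ABI (the kernel dispatches on the numeric value), so the list must stay
 * complete and in order even though this page only uses
 * SystemProcessInformation (== 5). The "// q:" / "// s:" comments are the
 * upstream annotations: q = queryable, s = settable, with the structure type
 * and any privilege the class requires.
 *
 * Note on the listing: every enumerator must sit on its own line — in the
 * one-line form shown on the page the first "//" comments out everything that
 * follows it on that line.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
    SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
    SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
    SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
    SystemPathInformation, // not implemented
    SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
    SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
    SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
    SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION (EX in: USHORT ProcessorGroup)
    SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
    SystemCallTimeInformation, // not implemented // SYSTEM_CALL_TIME_INFORMATION // 10
    SystemModuleInformation, // q: RTL_PROCESS_MODULES
    SystemLocksInformation, // q: RTL_PROCESS_LOCKS
    SystemStackTraceInformation, // q: RTL_PROCESS_BACKTRACES
    SystemPagedPoolInformation, // not implemented
    SystemNonPagedPoolInformation, // not implemented
    SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
    SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
    SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
    SystemVdmInstemulInformation, // q: SYSTEM_VDM_INSTEMUL_INFO
    SystemVdmBopInformation, // not implemented // 20
    SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
    SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
    SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION (EX in: USHORT ProcessorGroup)
    SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
    SystemFullMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
    SystemLoadGdiDriverInformation, // s (kernel-mode only)
    SystemUnloadGdiDriverInformation, // s (kernel-mode only)
    SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
    SystemSummaryMemoryInformation, // not implemented // SYSTEM_MEMORY_USAGE_INFORMATION
    SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
    SystemPerformanceTraceInformation, // q; s: (type depends on EVENT_TRACE_INFORMATION_CLASS)
    SystemObsolete0, // not implemented
    SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
    SystemCrashDumpStateInformation, // s: SYSTEM_CRASH_DUMP_STATE_INFORMATION (requires SeDebugPrivilege)
    SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
    SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
    SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
    SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
    SystemPrioritySeperation, // s (requires SeTcbPrivilege)
    SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
    SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
    SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION (EX in: USHORT ProcessorGroup)
    SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
    SystemCurrentTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION
    SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
    SystemTimeSlipNotification, // s: HANDLE (NtCreateEvent) (requires SeSystemtimePrivilege)
    SystemSessionCreate, // not implemented
    SystemSessionDetach, // not implemented
    SystemSessionInformation, // not implemented (SYSTEM_SESSION_INFORMATION)
    SystemRangeStartInformation, // q: SYSTEM_RANGE_START_INFORMATION // 50
    SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
    SystemVerifierThunkExtend, // s (kernel-mode only)
    SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
    SystemLoadGdiDriverInSystemSpace, // s: SYSTEM_GDI_DRIVER_INFORMATION (kernel-mode only) (same as SystemLoadGdiDriverInformation)
    SystemNumaProcessorMap, // q: SYSTEM_NUMA_INFORMATION
    SystemPrefetcherInformation, // q; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
    SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
    SystemRecommendedSharedDataAlignment, // q: ULONG // KeGetRecommendedSharedDataAlignment
    SystemComPlusPackage, // q; s: ULONG
    SystemNumaAvailableMemory, // q: SYSTEM_NUMA_INFORMATION // 60
    SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION (EX in: USHORT ProcessorGroup)
    SystemEmulationBasicInformation, // q: SYSTEM_BASIC_INFORMATION
    SystemEmulationProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
    SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
    SystemLostDelayedWriteInformation, // q: ULONG
    SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
    SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
    SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
    SystemHotpatchInformation, // q; s: SYSTEM_HOTPATCH_CODE_INFORMATION
    SystemObjectSecurityMode, // q: ULONG // 70
    SystemWatchdogTimerHandler, // s: SYSTEM_WATCHDOG_HANDLER_INFORMATION // (kernel-mode only)
    SystemWatchdogTimerInformation, // q: SYSTEM_WATCHDOG_TIMER_INFORMATION // (kernel-mode only)
    SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION (EX in: USHORT ProcessorGroup)
    SystemWow64SharedInformationObsolete, // not implemented
    SystemRegisterFirmwareTableInformationHandler, // s: SYSTEM_FIRMWARE_TABLE_HANDLER // (kernel-mode only)
    SystemFirmwareTableInformation, // SYSTEM_FIRMWARE_TABLE_INFORMATION
    SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
    SystemVerifierTriageInformation, // not implemented
    SystemSuperfetchInformation, // q; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
    SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
    SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
    SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
    SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup)
    SystemVerifierCancellationInformation, // SYSTEM_VERIFIER_CANCELLATION_INFORMATION // name:wow64:whNT32QuerySystemVerifierCancellationInformation
    SystemProcessorPowerInformationEx, // not implemented
    SystemRefTraceInformation, // q; s: SYSTEM_REF_TRACE_INFORMATION // ObQueryRefTraceInformation
    SystemSpecialPoolInformation, // q; s: SYSTEM_SPECIAL_POOL_INFORMATION (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
    SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
    SystemErrorPortInformation, // s (requires SeTcbPrivilege)
    SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
    SystemHypervisorInformation, // q: SYSTEM_HYPERVISOR_QUERY_INFORMATION
    SystemVerifierInformationEx, // q; s: SYSTEM_VERIFIER_INFORMATION_EX
    SystemTimeZoneInformation, // q; s: RTL_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
    SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
    SystemCoverageInformation, // q: COVERAGE_MODULES s: COVERAGE_MODULE_REQUEST // ExpCovQueryInformation (requires SeDebugPrivilege)
    SystemPrefetchPatchInformation, // SYSTEM_PREFETCH_PATCH_INFORMATION
    SystemVerifierFaultsInformation, // s: SYSTEM_VERIFIER_FAULTS_INFORMATION (requires SeDebugPrivilege)
    SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
    SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
    SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION (EX in: USHORT ProcessorGroup) // 100
    SystemNumaProximityNodeInformation, // q; s: SYSTEM_NUMA_PROXIMITY_MAP
    SystemDynamicTimeZoneInformation, // q; s: RTL_DYNAMIC_TIME_ZONE_INFORMATION (requires SeTimeZonePrivilege)
    SystemCodeIntegrityInformation, // q: SYSTEM_CODEINTEGRITY_INFORMATION // SeCodeIntegrityQueryInformation
    SystemProcessorMicrocodeUpdateInformation, // s: SYSTEM_PROCESSOR_MICROCODE_UPDATE_INFORMATION
    SystemProcessorBrandString, // q: CHAR[] // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
    SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
    SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX (EX in: LOGICAL_PROCESSOR_RELATIONSHIP RelationshipType) // since WIN7 // KeQueryLogicalProcessorRelationship
    SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[] (EX in: USHORT ProcessorGroup)
    SystemStoreInformation, // q; s: SYSTEM_STORE_INFORMATION (requires SeProfileSingleProcessPrivilege) // SmQueryStoreInformation
    SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
    SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
    SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
    SystemCpuQuotaInformation, // q; s: PS_CPU_QUOTA_QUERY_INFORMATION
    SystemNativeBasicInformation, // q: SYSTEM_BASIC_INFORMATION
    SystemErrorPortTimeouts, // SYSTEM_ERROR_PORT_TIMEOUTS
    SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
    SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
    SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
    SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
    SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
    SystemNodeDistanceInformation, // q: USHORT[4*NumaNodes] // (EX in: USHORT NodeNumber)
    SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
    SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
    SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
    SystemSessionBigPoolInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION // since WIN8
    SystemBootGraphicsInformation, // q; s: SYSTEM_BOOT_GRAPHICS_INFORMATION (kernel-mode only)
    SystemScrubPhysicalMemoryInformation, // q; s: MEMORY_SCRUB_INFORMATION
    SystemBadPageInformation, // SYSTEM_BAD_PAGE_INFORMATION
    SystemProcessorProfileControlArea, // q; s: SYSTEM_PROCESSOR_PROFILE_CONTROL_AREA
    SystemCombinePhysicalMemoryInformation, // s: MEMORY_COMBINE_INFORMATION, MEMORY_COMBINE_INFORMATION_EX, MEMORY_COMBINE_INFORMATION_EX2 // 130
    SystemEntropyInterruptTimingInformation, // q; s: SYSTEM_ENTROPY_TIMING_INFORMATION
    SystemConsoleInformation, // q; s: SYSTEM_CONSOLE_INFORMATION
    SystemPlatformBinaryInformation, // q: SYSTEM_PLATFORM_BINARY_INFORMATION (requires SeTcbPrivilege)
    SystemPolicyInformation, // q: SYSTEM_POLICY_INFORMATION (Warbird/Encrypt/Decrypt/Execute)
    SystemHypervisorProcessorCountInformation, // q: SYSTEM_HYPERVISOR_PROCESSOR_COUNT_INFORMATION
    SystemDeviceDataInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
    SystemDeviceDataEnumerationInformation, // q: SYSTEM_DEVICE_DATA_INFORMATION
    SystemMemoryTopologyInformation, // q: SYSTEM_MEMORY_TOPOLOGY_INFORMATION
    SystemMemoryChannelInformation, // q: SYSTEM_MEMORY_CHANNEL_INFORMATION
    SystemBootLogoInformation, // q: SYSTEM_BOOT_LOGO_INFORMATION // 140
    SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // (EX in: USHORT ProcessorGroup) // since WINBLUE
    SystemCriticalProcessErrorLogInformation,
    SystemSecureBootPolicyInformation, // q: SYSTEM_SECUREBOOT_POLICY_INFORMATION
    SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
    SystemSecureBootInformation, // q: SYSTEM_SECUREBOOT_INFORMATION
    SystemEntropyInterruptTimingRawInformation,
    SystemPortableWorkspaceEfiLauncherInformation, // q: SYSTEM_PORTABLE_WORKSPACE_EFI_LAUNCHER_INFORMATION
    SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
    SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
    SystemBootMetadataInformation, // 150
    SystemSoftRebootInformation, // q: ULONG
    SystemElamCertificateInformation, // s: SYSTEM_ELAM_CERTIFICATE_INFORMATION
    SystemOfflineDumpConfigInformation, // q: OFFLINE_CRASHDUMP_CONFIGURATION_TABLE_V2
    SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
    SystemRegistryReconciliationInformation, // s: NULL (requires admin) (flushes registry hives)
    SystemEdidInformation, // q: SYSTEM_EDID_INFORMATION
    SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
    SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
    SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
    SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION (EX in: USHORT ProcessorGroup) // 160
    SystemVmGenerationCountInformation,
    SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
    SystemKernelDebuggerFlags, // SYSTEM_KERNEL_DEBUGGER_FLAGS
    SystemCodeIntegrityPolicyInformation, // q; s: SYSTEM_CODEINTEGRITYPOLICY_INFORMATION
    SystemIsolatedUserModeInformation, // q: SYSTEM_ISOLATED_USER_MODE_INFORMATION
    SystemHardwareSecurityTestInterfaceResultsInformation,
    SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
    SystemAllowedCpuSetsInformation, // s: SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION
    SystemVsmProtectionInformation, // q: SYSTEM_VSM_PROTECTION_INFORMATION (previously SystemDmaProtectionInformation)
    SystemInterruptCpuSetsInformation, // q: SYSTEM_INTERRUPT_CPU_SET_INFORMATION // 170
    SystemSecureBootPolicyFullInformation, // q: SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION
    SystemCodeIntegrityPolicyFullInformation,
    SystemAffinitizedInterruptProcessorInformation, // (requires SeIncreaseBasePriorityPrivilege)
    SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
    SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
    SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
    SystemWin32WerStartCallout,
    SystemSecureKernelProfileInformation, // q: SYSTEM_SECURE_KERNEL_HYPERGUARD_PROFILE_INFORMATION
    SystemCodeIntegrityPlatformManifestInformation, // q: SYSTEM_SECUREBOOT_PLATFORM_MANIFEST_INFORMATION // since REDSTONE
    SystemInterruptSteeringInformation, // q: in: SYSTEM_INTERRUPT_STEERING_INFORMATION_INPUT, out: SYSTEM_INTERRUPT_STEERING_INFORMATION_OUTPUT // NtQuerySystemInformationEx // 180
    SystemSupportedProcessorArchitectures, // p: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx
    SystemMemoryUsageInformation, // q: SYSTEM_MEMORY_USAGE_INFORMATION
    SystemCodeIntegrityCertificateInformation, // q: SYSTEM_CODEINTEGRITY_CERTIFICATE_INFORMATION
    SystemPhysicalMemoryInformation, // q: SYSTEM_PHYSICAL_MEMORY_INFORMATION // since REDSTONE2
    SystemControlFlowTransition, // (Warbird/Encrypt/Decrypt/Execute)
    SystemKernelDebuggingAllowed, // s: ULONG
    SystemActivityModerationExeState, // SYSTEM_ACTIVITY_MODERATION_EXE_STATE
    SystemActivityModerationUserSettings, // SYSTEM_ACTIVITY_MODERATION_USER_SETTINGS
    SystemCodeIntegrityPoliciesFullInformation,
    SystemCodeIntegrityUnlockInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION // 190
    SystemIntegrityQuotaInformation,
    SystemFlushInformation, // q: SYSTEM_FLUSH_INFORMATION
    SystemProcessorIdleMaskInformation, // q: ULONG_PTR[ActiveGroupCount] // since REDSTONE3
    SystemSecureDumpEncryptionInformation,
    SystemWriteConstraintInformation, // SYSTEM_WRITE_CONSTRAINT_INFORMATION
    SystemKernelVaShadowInformation, // SYSTEM_KERNEL_VA_SHADOW_INFORMATION
    SystemHypervisorSharedPageInformation, // SYSTEM_HYPERVISOR_SHARED_PAGE_INFORMATION // since REDSTONE4
    SystemFirmwareBootPerformanceInformation,
    SystemCodeIntegrityVerificationInformation, // SYSTEM_CODEINTEGRITYVERIFICATION_INFORMATION
    SystemFirmwarePartitionInformation, // SYSTEM_FIRMWARE_PARTITION_INFORMATION // 200
    SystemSpeculationControlInformation, // SYSTEM_SPECULATION_CONTROL_INFORMATION // (CVE-2017-5715) REDSTONE3 and above.
    SystemDmaGuardPolicyInformation, // SYSTEM_DMA_GUARD_POLICY_INFORMATION
    SystemEnclaveLaunchControlInformation, // SYSTEM_ENCLAVE_LAUNCH_CONTROL_INFORMATION
    SystemWorkloadAllowedCpuSetsInformation, // SYSTEM_WORKLOAD_ALLOWED_CPU_SET_INFORMATION // since REDSTONE5
    SystemCodeIntegrityUnlockModeInformation, // SYSTEM_CODEINTEGRITY_UNLOCK_INFORMATION
    SystemLeapSecondInformation, // SYSTEM_LEAP_SECOND_INFORMATION
    SystemFlags2Information, // q: SYSTEM_FLAGS_INFORMATION
    SystemSecurityModelInformation, // SYSTEM_SECURITY_MODEL_INFORMATION // since 19H1
    SystemCodeIntegritySyntheticCacheInformation,
    SystemFeatureConfigurationInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_QUERY, out: SYSTEM_FEATURE_CONFIGURATION_INFORMATION; s: SYSTEM_FEATURE_CONFIGURATION_UPDATE // NtQuerySystemInformationEx // since 20H1 // 210
    SystemFeatureConfigurationSectionInformation, // q: in: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_REQUEST, out: SYSTEM_FEATURE_CONFIGURATION_SECTIONS_INFORMATION // NtQuerySystemInformationEx
    SystemFeatureUsageSubscriptionInformation, // q: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_DETAILS; s: SYSTEM_FEATURE_USAGE_SUBSCRIPTION_UPDATE
    SystemSecureSpeculationControlInformation, // SECURE_SPECULATION_CONTROL_INFORMATION
    SystemSpacesBootInformation, // since 20H2
    SystemFwRamdiskInformation, // SYSTEM_FIRMWARE_RAMDISK_INFORMATION
    SystemWheaIpmiHardwareInformation,
    SystemDifSetRuleClassInformation, // SYSTEM_DIF_VOLATILE_INFORMATION
    SystemDifClearRuleClassInformation,
    SystemDifApplyPluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION
    SystemDifRemovePluginVerificationOnDriver, // SYSTEM_DIF_PLUGIN_DRIVER_INFORMATION // 220
    SystemShadowStackInformation, // SYSTEM_SHADOW_STACK_INFORMATION
    SystemBuildVersionInformation, // q: in: ULONG (LayerNumber), out: SYSTEM_BUILD_VERSION_INFORMATION // NtQuerySystemInformationEx // 222
    SystemPoolLimitInformation, // SYSTEM_POOL_LIMIT_INFORMATION (requires SeIncreaseQuotaPrivilege)
    SystemCodeIntegrityAddDynamicStore,
    SystemCodeIntegrityClearDynamicStores,
    SystemDifPoolTrackingInformation,
    SystemPoolZeroingInformation, // q: SYSTEM_POOL_ZEROING_INFORMATION
    SystemDpcWatchdogInformation, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION
    SystemDpcWatchdogInformation2, // q; s: SYSTEM_DPC_WATCHDOG_CONFIGURATION_INFORMATION_V2
    SystemSupportedProcessorArchitectures2, // q: in opt: HANDLE, out: SYSTEM_SUPPORTED_PROCESSOR_ARCHITECTURES_INFORMATION[] // NtQuerySystemInformationEx // 230
    SystemSingleProcessorRelationshipInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // (EX in: PROCESSOR_NUMBER Processor)
    SystemXfgCheckFailureInformation, // q: SYSTEM_XFG_FAILURE_INFORMATION
    SystemIommuStateInformation, // SYSTEM_IOMMU_STATE_INFORMATION // since 22H1
    SystemHypervisorMinrootInformation, // SYSTEM_HYPERVISOR_MINROOT_INFORMATION
    SystemHypervisorBootPagesInformation, // SYSTEM_HYPERVISOR_BOOT_PAGES_INFORMATION
    SystemPointerAuthInformation, // SYSTEM_POINTER_AUTH_INFORMATION
    SystemSecureKernelDebuggerInformation,
    SystemOriginalImageFeatureInformation, // q: in: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_INPUT, out: SYSTEM_ORIGINAL_IMAGE_FEATURE_INFORMATION_OUTPUT // NtQuerySystemInformationEx
    SystemMemoryNumaInformation, // SYSTEM_MEMORY_NUMA_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_INFORMATION_OUTPUT
    SystemMemoryNumaPerformanceInformation, // SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_INPUT, SYSTEM_MEMORY_NUMA_PERFORMANCE_INFORMATION_OUTPUT // since 24H2 // 240
    SystemCodeIntegritySignedPoliciesFullInformation,
    SystemSecureSecretsInformation,
    SystemTrustedAppsRuntimeInformation, // SYSTEM_TRUSTEDAPPS_RUNTIME_INFORMATION
    SystemBadPageInformationEx, // SYSTEM_BAD_PAGE_INFORMATION
    SystemResourceDeadlockTimeout, // ULONG
    SystemBreakOnContextUnwindFailureInformation, // ULONG (requires SeDebugPrivilege)
    SystemOslRamdiskInformation, // SYSTEM_OSL_RAMDISK_INFORMATION
    MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;

/*
 * Signature of ntdll!NtQuerySystemInformation. It is not in a public import
 * library for this use, so it is resolved by name at run time.
 *   SystemInformationClass  - which SYSTEM_INFORMATION_CLASS to query
 *   SystemInformation       - caller-supplied output buffer (may be NULL to probe)
 *   SystemInformationLength - size of that buffer in bytes
 *   ReturnLength            - receives the bytes written, or the bytes required
 *                             when the buffer was too small
 * Returns an NTSTATUS; negative values are failures (NT_SUCCESS semantics).
 */
typedef NTSTATUS (NTAPI *pNtQuerySystemInformation)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/*
 * Resolve the entry point. Fixes relative to the listing: the original fed a
 * possibly-NULL module handle straight into GetProcAddress and never checked
 * the resulting pointer, so a failed lookup became a NULL call later on. ntdll
 * is already mapped in every user-mode process, so GetModuleHandleW suffices
 * and avoids the reference count that LoadLibrary would have added without a
 * matching FreeLibrary.
 */
pNtQuerySystemInformation NtQuerySystemInformation = NULL;
HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll");
if (hNtdll != NULL) {
    NtQuerySystemInformation =
        (pNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
}
if (NtQuerySystemInformation == NULL) {
    // Resolution failed; the caller must not proceed to the query below.
}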
确定参数
参数一 上面说过了SystemProcessInformation
参数二 指向接收请求信息的缓冲区的指针
参数三 参数二指向缓冲区的大小
参数四 指向一个 ULONG 变量的指针，接收 SystemInformation 的实际大小
这里调用两次NtQuerySystemInformation
第一次获取实际大小，第二次将具体的进程信息写入 systemInfo。
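#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)  // from ntstatus.h
#endif

/*
 * Fetch the SystemProcessInformation snapshot into a VirtualAlloc'd buffer.
 *
 * Fixes relative to the listing:
 *  - SystemInformationLength is a ULONG, so the probe passes 0 rather than the
 *    pointer constant NULL;
 *  - the return status and the VirtualAlloc result were ignored, so a failed
 *    query left the caller walking uninitialised memory;
 *  - the process list can grow between the probe and the real query, in which
 *    case the second call fails with STATUS_INFO_LENGTH_MISMATCH. The loop below
 *    re-allocates with the kernel-reported size instead of trusting the first
 *    probe; a small retry bound keeps it from spinning on a very busy host.
 *
 * On exit: systemInfo is non-NULL and len2 holds the bytes written only when
 * status indicates success; otherwise systemInfo is NULL and nothing leaks.
 */
ULONG len1 = 0;   // buffer size for the current attempt (probe result, then kernel-reported size)
ULONG len2 = 0;   // bytes actually written / required, as reported by the kernel
PSYSTEM_PROCESS_INFORMATION systemInfo = NULL;

// Probe with no buffer: expected to fail with the mismatch status and fill len1.
NTSTATUS status = NtQuerySystemInformation(SystemProcessInformation, NULL, 0, &len1);

for (int attempt = 0; attempt < 8 && status == STATUS_INFO_LENGTH_MISMATCH && len1 != 0; attempt++) {
    systemInfo = (PSYSTEM_PROCESS_INFORMATION)VirtualAlloc(NULL, len1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (systemInfo == NULL) {
        break;  // allocation failure: status still reports the last kernel result
    }
    status = NtQuerySystemInformation(SystemProcessInformation, systemInfo, len1, &len2);
    if (status == STATUS_INFO_LENGTH_MISMATCH) {
        // Grew in between: release and retry with the size the kernel asked for.
        VirtualFree(systemInfo, 0, MEM_RELEASE);
        systemInfo = NULL;
        len1 = len2;
    }
}

if (status < 0 && systemInfo != NULL) {  // NT_SUCCESS(status) is (status >= 0)
    VirtualFree(systemInfo, 0, MEM_RELEASE);
    systemInfo = NULL;
}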
遍历systemInfo
接下来遍历systemInfo即可
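/*
 * Walk the SystemProcessInformation entry chain and print name + PID, then
 * release the buffer.
 *
 * Fixes relative to the listing:
 *  - systemInfo may be NULL when the query or allocation failed; the original
 *    dereferenced it unconditionally;
 *  - %wZ takes a pointer to the UNICODE_STRING, not the structure by value —
 *    passing the struct through the variadic call is undefined behaviour;
 *  - UniqueProcessId is narrowed to ULONG (unsigned long), which needs %lu,
 *    not %u;
 *  - the "\n" escapes lost in the listing are restored.
 *
 * The chain is trusted as delivered by the kernel: NextEntryOffset is a byte
 * offset from the current entry and 0 terminates the list. A bounds check
 * against the buffer length would need the size returned by the query, which
 * is not in scope here — NOTE(review): consider threading it through.
 */
PSYSTEM_PROCESS_INFORMATION current = systemInfo;
if (current != NULL) {
    for (;;) {
        if (current->ImageName.Buffer != NULL) {
            // %wZ prints Length bytes of Buffer; the string need not be NUL-terminated.
            wprintf(L"Process Name: %wZ\n", &current->ImageName);
        } else {
            wprintf(L"Process Name: (null)\n");  // some entries carry no image name
        }
        wprintf(L"PID: %lu\n", (ULONG)(ULONG_PTR)current->UniqueProcessId);
        if (current->NextEntryOffset == 0) {
            break;  // last entry
        }
        current = (PSYSTEM_PROCESS_INFORMATION)((ULONG_PTR)current + current->NextEntryOffset);
    }
    VirtualFree(systemInfo, 0, MEM_RELEASE);
    systemInfo = NULL;  // the buffer is gone; keep callers from reusing it
}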
0c5b2f6ff22bda5567d584d5f45dc990e7847fd000c8541654a9d06d5d46b19d
【来源】:https://xz.aliyun.com/t/16353
原文始发于微信公众号(船山信安):免杀基础-进程遍历的方式