2007年1月31日星期三

Enumerating processes in Windows XP kernel mode drivers


Every time the operating system executes a program, it in fact creates a new process for that program and runs it as that process. From that point on, no filenames exist as far as the system is concerned, only process IDs. Sometimes we need to obtain the filename a process belongs to. There are several ways to do this from user mode, but in the kernel the best approach is to use undocumented system functions, just as Task Manager does when displaying the currently running processes. The basic idea behind this approach is to use the undocumented ZwQuerySystemInformation function. It has the following prototype:

ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

Among many other quite useful things, this function can return detailed information about the processes currently running on the system. The information class selector SystemInformationClass tells the function which kind of information to return. To obtain information about processes and threads, SystemInformationClass has to be set to "5" (SystemProcessesAndThreadsInformation in the enumeration below).

There are also several additional structures to declare; they may be put in a separate header file.

SYSTEM_INFORMATION_CLASS contains many control values, but we are only interested in SystemProcessesAndThreadsInformation:

// enumproc.h
#ifndef _ENUMPROC_
#define _ENUMPROC_

/*
 * Information-class selector passed as the first argument of
 * ZwQuerySystemInformation. The numeric values are the wire contract with
 * the kernel, so every enumerator is given its value explicitly rather than
 * relying on implicit sequential numbering; only
 * SystemProcessesAndThreadsInformation (5) is used by this article.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation                = 0,
    SystemProcessorInformation            = 1,
    SystemPerformanceInformation          = 2,
    SystemTimeOfDayInformation            = 3,
    SystemNotImplemented1                 = 4,
    SystemProcessesAndThreadsInformation  = 5,
    SystemCallCounts                      = 6,
    SystemConfigurationInformation        = 7,
    SystemProcessorTimes                  = 8,
    SystemGlobalFlag                      = 9,
    SystemNotImplemented2                 = 10,
    SystemModuleInformation               = 11,
    SystemLockInformation                 = 12,
    SystemNotImplemented3                 = 13,
    SystemNotImplemented4                 = 14,
    SystemNotImplemented5                 = 15,
    SystemHandleInformation               = 16,
    SystemObjectInformation               = 17,
    SystemPagefileInformation             = 18,
    SystemInstructionEmulationCounts      = 19,
    SystemInvalidInfoClass1               = 20,
    SystemCacheInformation                = 21,
    SystemPoolTagInformation              = 22,
    SystemProcessorStatistics             = 23,
    SystemDpcInformation                  = 24,
    SystemNotImplemented6                 = 25,
    SystemLoadImage                       = 26,
    SystemUnloadImage                     = 27,
    SystemTimeAdjustment                  = 28,
    SystemNotImplemented7                 = 29,
    SystemNotImplemented8                 = 30,
    SystemNotImplemented9                 = 31,
    SystemCrashDumpInformation            = 32,
    SystemExceptionInformation            = 33,
    SystemCrashDumpStateInformation       = 34,
    SystemKernelDebuggerInformation       = 35,
    SystemContextSwitchInformation        = 36,
    SystemRegistryQuotaInformation        = 37,
    SystemLoadAndCallImage                = 38,
    SystemPrioritySeparation              = 39,
    SystemNotImplemented10                = 40,
    SystemNotImplemented11                = 41,
    SystemInvalidInfoClass2               = 42,
    SystemInvalidInfoClass3               = 43,
    SystemTimeZoneInformation             = 44,
    SystemLookasideInformation            = 45,
    SystemSetTimeSlipEvent                = 46,
    SystemCreateSession                   = 47,
    SystemDeleteSession                   = 48,
    SystemInvalidInfoClass4               = 49,
    SystemRangeStartInformation           = 50,
    SystemVerifierInformation             = 51,
    SystemAddVerifier                     = 52,
    SystemSessionProcessesInformation     = 53
} SYSTEM_INFORMATION_CLASS;

/*
 * Per-thread record embedded in SYSTEM_PROCESS_INFORMATION::Threads[].
 * The layout is undocumented and must match the running kernel byte for
 * byte; do not reorder, insert or remove fields.
 * NOTE(review): taken from the Windows XP-era layout shown in this article —
 * confirm field offsets against the target OS build before relying on them.
 */
typedef struct _SYSTEM_THREAD_INFORMATION {
    LARGE_INTEGER KernelTime;       /* time spent in kernel mode */
    LARGE_INTEGER UserTime;         /* time spent in user mode */
    LARGE_INTEGER CreateTime;       /* thread creation time */
    ULONG WaitTime;
    PVOID StartAddress;             /* thread start address; an address inside another
                                       process' address space, never dereference it here */
    CLIENT_ID ClientId;             /* process and thread ids of this thread */
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    LONG State;                     /* scheduler state; numeric meaning not defined on this page */
    LONG WaitReason;                /* wait reason; numeric meaning not defined on this page */
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;

/*
 * One process entry returned by ZwQuerySystemInformation with
 * SystemProcessesAndThreadsInformation. Entries are packed back to back in
 * the caller's buffer and chained through NextEntryDelta.
 *
 * The layout is undocumented; it must match the running kernel exactly, so
 * the fields (including Reserved1/Reserved2 padding) are kept verbatim.
 * NOTE(review): this is the Windows XP-era layout shown in the article —
 * confirm offsets against the target OS build before use.
 *
 * Walking the list safely: every offset derived from NextEntryDelta, and the
 * span ProcessName.Buffer / ProcessName.Length and Threads[0..ThreadCount),
 * should be range-checked against the buffer length actually filled in
 * (ReturnLength) before being dereferenced. A malformed or truncated buffer
 * (for example after a size mismatch) must not be able to push a kernel-mode
 * reader past the end of its own allocation.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryDelta;                   /* byte offset from this entry to the next one;
                                               presumably 0 marks the last entry — confirm */
    ULONG ThreadCount;                      /* number of valid elements in Threads[] */
    ULONG Reserved1[6];                     /* layout padding; contents unused here */
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;             /* image name; a UNICODE_STRING carries its length in
                                               bytes and its Buffer is not guaranteed to be
                                               NUL-terminated, so never treat it as a C string */
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;           /* parent process id at creation time */
    ULONG HandleCount;
    ULONG Reserved2[2];                     /* layout padding; contents unused here */
    VM_COUNTERS VmCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD_INFORMATION Threads[1];   /* trailing variable-length array of ThreadCount
                                               records; declared [1] (not a C99 flexible array
                                               member) so sizeof and offsets stay as the kernel
                                               expects — index only up to ThreadCount */
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;

/**
 * Undocumented native API that fills a caller-supplied buffer with the
 * information class selected by SystemInformationClass.
 *
 * @param SystemInformationClass   selector from SYSTEM_INFORMATION_CLASS;
 *                                 SystemProcessesAndThreadsInformation (5)
 *                                 yields a chain of SYSTEM_PROCESS_INFORMATION.
 * @param SystemInformation        output buffer owned and freed by the caller.
 * @param SystemInformationLength  size of that buffer in bytes.
 * @param ReturnLength             optional; receives the number of bytes
 *                                 written (or required) — use it to bound any
 *                                 walk over the returned entries.
 * @return an NTSTATUS. The required size is not known in advance, so callers
 *         typically retry with a larger buffer when the call reports a
 *         length mismatch; check the status before reading the buffer.
 *
 * NOTE(review): undocumented — name, behaviour and result layout are not
 * contractual and may differ across OS versions.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);
