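// Enumerate the threads that belong to one process.
//
// Thread ids are probed by brute force (ids are multiples of 4, the probe stops
// at MAX_TID) instead of walking a list, so threads that were unlinked from the
// usual structures are still found. LookupThread is a project helper; the
// original code released whatever it returned, so it is assumed here to hand
// back a referenced PETHREAD -- confirm against its definition.
//
// PID: process id whose threads are printed. Output goes to DbgPrint only.
VOID EnumThread(DWORD32 PID)
{
    // Assumed upper bound of the thread-id space; ids at or above it are not probed.
    enum { TID_STEP = 4, MAX_TID = 0x2000 };
    HANDLE wantedPid = ULongToHandle(PID);

    for (ULONG id = TID_STEP; id < MAX_TID; id += TID_STEP) {
        PETHREAD pThread = LookupThread(ULongToHandle(id));
        if (!pThread) {
            continue;
        }

        // IoThreadToProcess returns the owning process without taking a
        // reference, so there is nothing to release for pEProc.
        PEPROCESS pEProc = IoThreadToProcess(pThread);
        if (PsGetProcessId(pEProc) == wantedPid) {
            DbgPrint("[THREAD]ETHREAD = %p TID=%lu\n", pThread, HandleToULong(PsGetThreadId(pThread)));
        }

        // Exactly one reference was taken (by LookupThread). The extra
        // PsLookupThreadByThreadId the original code issued here took a second
        // reference on the same object that was never released.
        ObDereferenceObject(pThread);
    }
}

// Enumerate the user-mode modules of a process in load order (PEB->Ldr).
//
// PID: process id to inspect.
// Returns TRUE when the loader list was walked to its end, FALSE when the
// process could not be looked up, has no PEB/Ldr, the walk faulted, or the
// list exceeded MAX_MODULES entries.
//
// The PEB is reached through hard-coded EPROCESS/PEB offsets (constants below)
// that match one OS build and architecture only; they must be revised for any
// other target. The loader list lives in user memory and is writable by the
// target process, so it is treated as untrusted: faults are caught and the
// walk is bounded. Output goes to KdPrint only.
BOOLEAN EnumModuleInfo(SIZE_T PID)
{
    // Build-specific layout used by the original code: EPROCESS.Peb and PEB.Ldr.
    enum { EPROCESS_PEB_OFFSET = 0x1a8, PEB_LDR_OFFSET = 0xC };
    // Cap on list entries visited, so a circular or self-linked list in user
    // memory cannot keep the walk going forever.
    enum { MAX_MODULES = 0x1000 };

    PEPROCESS pProc = NULL;
    NTSTATUS status = PsLookupProcessByProcessId((HANDLE)PID, &pProc);
    if (!NT_SUCCESS(status)) {
        return FALSE;
    }

    BOOLEAN walked = FALSE;

    // Attach so the target's user-mode address space (PEB, loader list) is mapped.
    KeAttachProcess(pProc);
    __try {
        PVOID m_Peb = *(PVOID *)((PUCHAR)pProc + EPROCESS_PEB_OFFSET);
        // System processes have no PEB; a process early in start-up may have no Ldr yet.
        PVOID m_Ldr = m_Peb ? *(PVOID *)((PUCHAR)m_Peb + PEB_LDR_OFFSET) : NULL;
        if (m_Ldr) {
            // Address of the list head. The head is embedded in PEB_LDR_DATA and
            // is not an LDR_DATA_TABLE_ENTRY, so it must never be printed as one
            // (the original loop did, by reading pNext->Flink and stopping one
            // entry too late).
            PLIST_ENTRY pHead = &((PEB_LDR_DATA)m_Ldr)->InLoadOrderModuleList;
            ULONG visited = 0;

            walked = TRUE;
            for (PLIST_ENTRY pNext = pHead->Flink; pNext != pHead; pNext = pNext->Flink) {
                if (++visited > MAX_MODULES) {
                    walked = FALSE;
                    break;
                }
                PLDR_DATA_TABLE_ENTRY pLdrTab = CONTAINING_RECORD(pNext, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
                KdPrint(("ExeName=%wZ\n", &pLdrTab->BaseDllName));
                // Print the base address itself; the original printed &DllBase
                // (the field's address) with a 32-bit format.
                KdPrint(("基址=%p\n", pLdrTab->DllBase));
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        walked = FALSE;
    }
    // Return to the original address space before touching anything else.
    KeDetachProcess();

    // Drop the reference taken by PsLookupProcessByProcessId.
    ObDereferenceObject(pProc);
    return walked;
}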