1. nativeAPI.h 와 ntdll.lib 사용 ( 각 프로세스의 핸들카운트와 스레드시작주소 출력~ )
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include "nativeAPI.h"
#pragma comment( lib, "ntdll.lib" )
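/*
 * Lists every process reported by ZwQuerySystemInformation with the
 * SystemProcessesAndThreadsInformation class: PID, image name, handle
 * count, and the start address of each of its threads.
 *
 * Build notes: the SYSTEM_PROCESSES layout, ZwQuerySystemInformation, the
 * information class and the STATUS_* constants come from nativeAPI.h, and
 * the program links against ntdll.lib.
 */

enum {
    PROCLIST_INITIAL_SIZE = 0x1000,  /* first buffer size tried */
    PROCLIST_GROW_STEP    = 0x500    /* growth when the kernel reports no size */
};

/*
 * Queries the process/thread list into a freshly committed buffer.
 *
 * The required size is not known up front: the call fails with
 * STATUS_INFO_LENGTH_MISMATCH and usually reports the size it needs, so the
 * buffer is released and re-committed until the call succeeds.
 *
 * pcbBuffer: receives the size in bytes of the returned buffer.
 * Returns the buffer, which the caller releases with
 * VirtualFree(p, 0, MEM_RELEASE), or NULL if allocation or the query failed
 * (a message is written to stderr).
 */
static PSYSTEM_PROCESSES query_process_list(ULONG *pcbBuffer)
{
    ULONG cbBuffer = PROCLIST_INITIAL_SIZE;

    for (;;) {
        ULONG cbNeeded = 0;
        NTSTATUS Status;
        PSYSTEM_PROCESSES pList =
            (PSYSTEM_PROCESSES)VirtualAlloc(NULL, cbBuffer, MEM_COMMIT, PAGE_READWRITE);

        if (pList == NULL) {
            fprintf(stderr, "VirtualAlloc(%lu bytes) failed: %lu\n",
                    (unsigned long)cbBuffer, (unsigned long)GetLastError());
            return NULL;
        }

        Status = ZwQuerySystemInformation(SystemProcessesAndThreadsInformation,
                                          pList,       /* output buffer */
                                          cbBuffer,    /* its size in bytes */
                                          &cbNeeded);  /* size needed on mismatch */
        if (NT_SUCCESS(Status)) {
            *pcbBuffer = cbBuffer;
            return pList;
        }

        /* MEM_RELEASE requires a size of 0; passing the allocation size makes
           the call fail and leaks the region. */
        VirtualFree(pList, 0, MEM_RELEASE);

        if (Status != STATUS_INFO_LENGTH_MISMATCH) {
            /* Any other status is a real failure; the buffer holds no valid
               list, so it must not be walked. */
            fprintf(stderr, "ZwQuerySystemInformation failed: 0x%08lx\n",
                    (unsigned long)Status);
            return NULL;
        }

        /* cbNeeded may be left at 0 or be stale on some versions, so always
           grow by at least a fixed step to guarantee progress. */
        cbBuffer = (cbNeeded > cbBuffer) ? cbNeeded : cbBuffer + PROCLIST_GROW_STEP;
    }
}

/*
 * Returns non-zero when the record at pEntry, including its Threads[] array,
 * fits inside the cbRemaining bytes left in the buffer.  The delta chain and
 * thread counts are kernel-supplied, but a truncated or corrupted buffer
 * would otherwise send the walk past the end of the mapping.
 */
static int entry_fits(PSYSTEM_PROCESSES pEntry, size_t cbRemaining)
{
    size_t cbHeader;

    if (cbRemaining < sizeof *pEntry)
        return 0;

    /* Bytes before the Threads[] array; divide rather than multiply so a
       huge ThreadCount cannot overflow the comparison. */
    cbHeader = (size_t)((const char *)pEntry->Threads - (const char *)pEntry);
    return pEntry->ThreadCount <= (cbRemaining - cbHeader) / sizeof pEntry->Threads[0];
}

/* Prints one process record followed by one line per thread. */
static void print_process_entry(PSYSTEM_PROCESSES pEntry)
{
    ULONG i;
    /* ProcessName.Length is a byte count, %.*ws wants characters.  The idle
       process has no name buffer, so substitute an empty string. */
    const WCHAR *pszName = pEntry->ProcessName.Buffer ? pEntry->ProcessName.Buffer : L"";
    int cchName = pEntry->ProcessName.Buffer
                ? (int)(pEntry->ProcessName.Length / sizeof(WCHAR))
                : 0;

    /* ProcessId / UniqueThread are integer-sized handles in some header
       variants; cast through ULONG_PTR so either declaration prints. */
    printf("PID:%lu - %.*ws- %lu\n",
           (unsigned long)(ULONG_PTR)pEntry->ProcessId,
           cchName, pszName,
           (unsigned long)pEntry->HandleCount);

    for (i = 0; i < pEntry->ThreadCount; i++) {
        /* %p keeps the full address on 64-bit; 0x%08x would truncate it. */
        printf(" [%lu], StartAddress : %p\n",
               (unsigned long)(ULONG_PTR)pEntry->Threads[i].ClientId.UniqueThread,
               (void *)pEntry->Threads[i].StartAddress);
    }
}

/*
 * Entry point: fetches the process list and walks it entry by entry.
 * Entries are chained by NextEntryDelta (bytes from the start of the current
 * record); a delta of 0 marks the last one.  The walk is bounded by the
 * buffer size so a bad delta or thread count stops it instead of reading
 * outside the allocation.  Returns 0 on success, 1 if the query failed.
 */
int main(void)
{
    ULONG cbBuffer = 0;
    PSYSTEM_PROCESSES pList = query_process_list(&cbBuffer);
    PSYSTEM_PROCESSES pEntry;
    const char *pEnd;

    if (pList == NULL)
        return 1;

    pEnd = (const char *)pList + cbBuffer;
    pEntry = pList;
    for (;;) {
        size_t cbRemaining = (size_t)(pEnd - (const char *)pEntry);
        ULONG delta;

        if (!entry_fits(pEntry, cbRemaining)) {
            fprintf(stderr, "process record extends past the buffer; stopping\n");
            break;
        }

        print_process_entry(pEntry);
        getch();  /* pause after each process so the output can be read */

        delta = pEntry->NextEntryDelta;
        if (delta == 0)
            break;
        if (delta > cbRemaining) {
            fprintf(stderr, "NextEntryDelta points past the buffer; stopping\n");
            break;
        }
        pEntry = (PSYSTEM_PROCESSES)((char *)pEntry + delta);
    }

    VirtualFree(pList, 0, MEM_RELEASE);
    return 0;
}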