1
2 //
3 // ¹¦ÄÜÃèÊö: »ñȡϵͳÐÅÏ¢
4 // ÊäÈë²ÎÊý: Òª»ñȡϵͳÐÅÏ¢µÄÀàÐÍ
5 // Êä³ö²ÎÊý: ·µ»Ø´æ·Å»ñÈ¡µÄÐÅÏ¢µÄ»º³åÇøµÄÖ¸Õë
6 //
7 / /
8 PVOID
9 GetInfoTable( IN ULONG ATableType )
10 {
11 ULONG mSize = 0x4000 ;
12 PVOID mPtr = NULL;
13 NTSTATUS Status;
14
15 KdPrint(( " [GetInfoTable]»ñÈ¡¾ä±ú±íÐÅÏ¢\n " ));
16 do
17 {
18 mPtr = ExAllocatePool(PagedPool,mSize);
19 RtlZeroMemory(mPtr,mSize);
20 if (mPtr)
21 {
22 Status = ZwQuerySystemInformation(ATableType,(PVOID)mPtr,mSize,NULL);
23 }
24 else
25 {
26 return NULL;
27 }
28 if (Status == STATUS_INFO_LENGTH_MISMATCH)
29 {
30 ExFreePool(mPtr);
31 mSize = mSize * 2 ;
32 }
33 } while (Status == STATUS_INFO_LENGTH_MISMATCH);
34
35 if (Status == STATUS_SUCCESS)
36 {
37 KdPrint(( " [GetInfoTable]»ñÈ¡¾ä±ú±íÐÅÏ¢³É¹¦\n " ));
38 return mPtr;
39 }
40
41 KdPrint(( " [GetInfoTable] »ñÈ¡¾ä±ú±íÐÅϢʧ°Ü\n " ));
42 ExFreePool(mPtr);
43 return NULL;
44
45 }
46
47 /// //
48 //
49 // ¹¦ÄÜÃèÊö: ö¾ÙCSRSS.EXE½ø³ÌPID
50 // ÊäÈë²ÎÊý: ÎÞ
51 // Êä³ö²ÎÊý: ·µ»ØCSRSS.EXE½ø³ÌµÄPID
52 //
53 /// //
54 HANDLE
55 GetCsrPid()
56 {
57 HANDLE Process,hObject;
58 HANDLE CsrId = (HANDLE) 0 ;
59 OBJECT_ATTRIBUTES obj;
60 CLIENT_ID cid;
61 UCHAR Buff[ 0x100 ];
62 POBJECT_NAME_INFORMATION ObjName = (PVOID) & Buff;
63 PSYSTEM_HANDLE_INFORMATION_EX Handles;
64 ULONG r;
65
66 KdPrint(( " [GetCsrPid] ö¾ÙCsrss.exe½ø³ÌPID\n " ));
67 // »ñÈ¡¾ä±úÐÅÏ¢
68 Handles = GetInfoTable(SystemHandleInformation);
69
70 if ( ! Handles)
71 {
72 return CsrId;
73 }
74
75 for (r = 0 ; r < Handles -> NumberOfHandles;r ++ )
76 {
77 if (Handles -> Information[r].ObjectTypeNumber == 21 )
78 {
79 InitializeObjectAttributes( & obj,NULL,OBJ_KERNEL_HANDLE,NULL,NULL);
80
81 cid.UniqueProcess = (HANDLE)Handles -> Information[r].ProcessId;
82 cid.UniqueThread = 0 ;
83
84 if (NT_SUCCESS(NtOpenProcess( & Process,PROCESS_DUP_HANDLE, & obj, & cid)))
85 {
86 if (NT_SUCCESS(ZwDuplicateObject(Process,(HANDLE)Handles -> Information[r].Handle,NtCurrentProcess(), & hObject, 0 , 0 ,DUPLICATE_SAME_ACCESS)))
87 {
88 if (NT_SUCCESS(ZwQueryObject(hObject,ObjectNameInformation,ObjName, 0x100 ,NULL)))
89 {
90 if (ObjName -> Name.Buffer && ! wcsncmp(L " Name.Buffer,20 " _mce_href = " file://\\Windows\\ApiPort " ,ObjName -> Name.Buffer, 20 " >\\Windows\\ApiPort " ,ObjName -> Name.Buffer, 20 ))
91 {
92 CsrId = (HANDLE)Handles -> Information -> ProcessId;
93 }
94 }
95 ZwClose(hObject);
96 }
97 ZwClose(Process);
98 }
99 }
100 }
101 KdPrint(( " [GetCsrPid] ö¾ÙCSRSS.EXE½ø³ÌPID³É¹¦\n " ));
102 ExFreePool(Handles);
103 return CsrId;
104 }
105
2 //
3 // ¹¦ÄÜÃèÊö: »ñȡϵͳÐÅÏ¢
4 // ÊäÈë²ÎÊý: Òª»ñȡϵͳÐÅÏ¢µÄÀàÐÍ
5 // Êä³ö²ÎÊý: ·µ»Ø´æ·Å»ñÈ¡µÄÐÅÏ¢µÄ»º³åÇøµÄÖ¸Õë
6 //
7 / /
8 PVOID
9 GetInfoTable( IN ULONG ATableType )
10 {
11 ULONG mSize = 0x4000 ;
12 PVOID mPtr = NULL;
13 NTSTATUS Status;
14
15 KdPrint(( " [GetInfoTable]»ñÈ¡¾ä±ú±íÐÅÏ¢\n " ));
16 do
17 {
18 mPtr = ExAllocatePool(PagedPool,mSize);
19 RtlZeroMemory(mPtr,mSize);
20 if (mPtr)
21 {
22 Status = ZwQuerySystemInformation(ATableType,(PVOID)mPtr,mSize,NULL);
23 }
24 else
25 {
26 return NULL;
27 }
28 if (Status == STATUS_INFO_LENGTH_MISMATCH)
29 {
30 ExFreePool(mPtr);
31 mSize = mSize * 2 ;
32 }
33 } while (Status == STATUS_INFO_LENGTH_MISMATCH);
34
35 if (Status == STATUS_SUCCESS)
36 {
37 KdPrint(( " [GetInfoTable]»ñÈ¡¾ä±ú±íÐÅÏ¢³É¹¦\n " ));
38 return mPtr;
39 }
40
41 KdPrint(( " [GetInfoTable] »ñÈ¡¾ä±ú±íÐÅϢʧ°Ü\n " ));
42 ExFreePool(mPtr);
43 return NULL;
44
45 }
46
47 /// //
48 //
49 // ¹¦ÄÜÃèÊö: ö¾ÙCSRSS.EXE½ø³ÌPID
50 // ÊäÈë²ÎÊý: ÎÞ
51 // Êä³ö²ÎÊý: ·µ»ØCSRSS.EXE½ø³ÌµÄPID
52 //
53 /// //
54 HANDLE
55 GetCsrPid()
56 {
57 HANDLE Process,hObject;
58 HANDLE CsrId = (HANDLE) 0 ;
59 OBJECT_ATTRIBUTES obj;
60 CLIENT_ID cid;
61 UCHAR Buff[ 0x100 ];
62 POBJECT_NAME_INFORMATION ObjName = (PVOID) & Buff;
63 PSYSTEM_HANDLE_INFORMATION_EX Handles;
64 ULONG r;
65
66 KdPrint(( " [GetCsrPid] ö¾ÙCsrss.exe½ø³ÌPID\n " ));
67 // »ñÈ¡¾ä±úÐÅÏ¢
68 Handles = GetInfoTable(SystemHandleInformation);
69
70 if ( ! Handles)
71 {
72 return CsrId;
73 }
74
75 for (r = 0 ; r < Handles -> NumberOfHandles;r ++ )
76 {
77 if (Handles -> Information[r].ObjectTypeNumber == 21 )
78 {
79 InitializeObjectAttributes( & obj,NULL,OBJ_KERNEL_HANDLE,NULL,NULL);
80
81 cid.UniqueProcess = (HANDLE)Handles -> Information[r].ProcessId;
82 cid.UniqueThread = 0 ;
83
84 if (NT_SUCCESS(NtOpenProcess( & Process,PROCESS_DUP_HANDLE, & obj, & cid)))
85 {
86 if (NT_SUCCESS(ZwDuplicateObject(Process,(HANDLE)Handles -> Information[r].Handle,NtCurrentProcess(), & hObject, 0 , 0 ,DUPLICATE_SAME_ACCESS)))
87 {
88 if (NT_SUCCESS(ZwQueryObject(hObject,ObjectNameInformation,ObjName, 0x100 ,NULL)))
89 {
90 if (ObjName -> Name.Buffer && ! wcsncmp(L " Name.Buffer,20 " _mce_href = " file://\\Windows\\ApiPort " ,ObjName -> Name.Buffer, 20 " >\\Windows\\ApiPort " ,ObjName -> Name.Buffer, 20 ))
91 {
92 CsrId = (HANDLE)Handles -> Information -> ProcessId;
93 }
94 }
95 ZwClose(hObject);
96 }
97 ZwClose(Process);
98 }
99 }
100 }
101 KdPrint(( " [GetCsrPid] ö¾ÙCSRSS.EXE½ø³ÌPID³É¹¦\n " ));
102 ExFreePool(Handles);
103 return CsrId;
104 }
105