编译时请指定控制台子系统：/subsystem:CONSOLE
.586
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
include advapi32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib masm32.lib
; UNICODE_STRING -- length-counted wide-character string (lengths are in
; bytes, not characters). Used here only to reach ProcessName.Buffer, which
; is handed to wsprintf's %ws.
UNICODE_STRING STRUCT
_Length WORD ? ; len of string in bytes (not chars); leading '_' avoids clashing with the LENGTH operator
MaximumLength WORD ? ; len of Buffer in bytes (not chars)
Buffer PWSTR ? ; pointer to the wide-char data (length-counted; not guaranteed NUL-terminated by this declaration)
UNICODE_STRING ENDS
; SYSTEMTHREADS -- per-thread record; ThreadCount of them are expected to
; follow each SYSTEMPROCESSES record. This program never reads one; the
; struct only gives SYSTEMPROCESSES.Threads its type.
SYSTEMTHREADS struct
KernelTime db 8 dup(?) ; 8-byte (LARGE_INTEGER-sized) time values
UserTime db 8 dup(?)
CreateTime db 8 dup(?)
WaitTime ULONG ?
StartAddress PVOID ?
ClientIs dd ? ; presumably a CLIENT_ID (process/thread id pair) -- NOTE(review): width unverified, unused here
Priority dd ?
BasePriority dd ?
ContextSwitchCount ULONG ?
ThreadState ULONG ?
WaitReason dd ? ;KWAIT_REASON enumeration value
SYSTEMTHREADS ends
; SYSTEMPROCESSES -- one variable-length record per process as filled in by
; ZwQuerySystemInformation(NT_PROCESSTHREAD_INFO). Records are chained by
; NextEntryDelta. The walk in start only touches NextEntryDelta, ProcessId
; and ProcessName, all of which precede the loosely typed tail fields below.
SYSTEMPROCESSES struct
NextEntryDelta ULONG ? ; byte distance from this record to the next; 0 on the last record
ThreadCount ULONG ? ; number of SYSTEMTHREADS entries that follow this record
Reserved1 dd 6 DUP(?)
CreateTime db 8 dup(?) ; 8-byte (LARGE_INTEGER-sized) time values
UserTime db 8 dup(?)
KernelTime db 8 dup(?)
ProcessName UNICODE_STRING <> ; image name, printed with %ws
BasePriority dd ? ;KPRIORITY
ProcessId ULONG ?
InheritedFromProcessId ULONG ? ; parent process id
HandleCount ULONG ?
Reserved2 ULONG 2 DUP(?)
VmCounters dd ? ;VM_COUNTERS -- NOTE(review): single-dword placeholder; the real structure is presumably larger, so Threads' offset and SIZEOF SYSTEMPROCESSES are not reliable
IoCounters dd ? ;IO_COUNTERS -- placeholder, same caveat as VmCounters
Threads SYSTEMTHREADS <> ; first thread record (offset unreliable, see above)
SYSTEMPROCESSES ends
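.const
; SYSTEM_INFORMATION_CLASS value for the process/thread list
; (SystemProcessInformation).
NT_PROCESSTHREAD_INFO equ 5
; NTSTATUS returned when the whole list fit into the supplied buffer.
STATUS_SUCCESS equ 0

.data
; Names resolved at run time: ZwQuerySystemInformation is exported by
; ntdll.dll, for which this build links no import library.
ZwQuerySystemInformation db "ZwQuerySystemInformation",0
Ntdll db "NTDLL.DLL",0
mytitle db "利用ZwQuerySystemInformation列进程",0 ; not referenced by start
getsuccess db "Get original Data Success",13,10,0
apiaddr dd ? ; address of ZwQuerySystemInformation
Pprocessinfo dd ? ; pointer to the start of processinfo
ReturnLength dd ? ; filled by the query with the number of bytes written/required
ProcessIdFormat db "ID=%d ProcessName=%ws",13,10,0 ; process name is UNICODE, hence %ws
; wsprintf takes no length argument and may emit up to 1024 characters
; including the terminator; size the scratch buffer to that limit so a long
; process name cannot run past the end of it (255 bytes was not enough).
buffer db 1024 dup(?)
ProcessCount dd 0 ; records printed so far
ProcessCountFormat db "Total Process=%d",13,10,0

.data?
; Destination for the whole process/thread list; SIZEOF processinfo is
; what gets passed as the buffer length.
processinfo db 50000H dup(?)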
.code
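;-----------------------------------------------------------------------
; start -- program entry point (console subsystem, /subsystem:CONSOLE).
; Resolves ZwQuerySystemInformation from ntdll.dll, requests the
; SystemProcessInformation list into processinfo, prints
; "ID=<pid> ProcessName=<name>" for every record, then the record count.
; Exit code: 0 on success; 1 if ntdll or the export cannot be resolved, or
; the query does not return STATUS_SUCCESS (typically the buffer was too
; small -- ReturnLength then holds the size needed; nothing is walked).
; Registers: edi = current SYSTEMPROCESSES record, esi = one past the end
; of processinfo; both are preserved across the stdcall/cdecl calls made
; inside the loop (Win32 ABI keeps ebx/esi/edi/ebp).
;-----------------------------------------------------------------------
start proc
    ; Resolve the NT API at run time; never call through a NULL pointer.
    invoke LoadLibrary, offset Ntdll
    .if eax == NULL
        invoke ExitProcess, 1
    .endif
    invoke GetProcAddress, eax, offset ZwQuerySystemInformation
    .if eax == NULL
        invoke ExitProcess, 1
    .endif
    mov apiaddr, eax
    mov Pprocessinfo, offset processinfo

    ; NTSTATUS ZwQuerySystemInformation(Class, Buffer, BufferLength, &ReturnLength)
    ; stdcall: arguments pushed right to left, callee cleans the stack.
    push offset ReturnLength
    push sizeof processinfo                     ; same size the buffer was declared with
    push Pprocessinfo
    push NT_PROCESSTHREAD_INFO
    call apiaddr
    .if eax != STATUS_SUCCESS
        ; Typically STATUS_INFO_LENGTH_MISMATCH when processinfo is too
        ; small; its contents are then not a valid list, so do not walk it.
        invoke ExitProcess, 1
    .endif
    invoke StdOut, offset getsuccess

    ; Walk the records. NextEntryDelta is the byte distance to the next
    ; record and is 0 on the LAST one, so each record is printed before its
    ; delta is tested (the original loop dropped the final process).
    mov edi, Pprocessinfo
    mov esi, offset processinfo + sizeof processinfo ; one past the buffer end
    assume edi: ptr SYSTEMPROCESSES
    .while TRUE
        ; NOTE(review): %ws expects a NUL-terminated buffer while
        ; UNICODE_STRING is length-counted -- confirm the names returned
        ; for this information class are terminated.
        invoke wsprintf, addr buffer, addr ProcessIdFormat, [edi].ProcessId, [edi].ProcessName.Buffer
        invoke StdOut, offset buffer
        inc ProcessCount
        mov eax, [edi].NextEntryDelta
        .break .if eax == 0                     ; last record has been printed
        add edi, eax
        .break .if edi >= esi                   ; malformed delta: never read past processinfo
    .endw
    assume edi: nothing

    invoke wsprintf, addr buffer, addr ProcessCountFormat, ProcessCount
    invoke StdOut, offset buffer
    invoke ExitProcess, 0
start endp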
end start
.586
.model flat, stdcall
option casemap:none
include windows.inc
include kernel32.inc
include user32.inc
include masm32.inc
include advapi32.inc
includelib kernel32.lib
includelib user32.lib
includelib advapi32.lib
includelib masm32.lib
; UNICODE_STRING -- length-counted wide-character string (lengths are in
; bytes, not characters). Used here only to reach ProcessName.Buffer, which
; is handed to wsprintf's %ws.
UNICODE_STRING STRUCT
_Length WORD ? ; len of string in bytes (not chars); leading '_' avoids clashing with the LENGTH operator
MaximumLength WORD ? ; len of Buffer in bytes (not chars)
Buffer PWSTR ? ; pointer to the wide-char data (length-counted; not guaranteed NUL-terminated by this declaration)
UNICODE_STRING ENDS
; SYSTEMTHREADS -- per-thread record; ThreadCount of them are expected to
; follow each SYSTEMPROCESSES record. This program never reads one; the
; struct only gives SYSTEMPROCESSES.Threads its type.
SYSTEMTHREADS struct
KernelTime db 8 dup(?) ; 8-byte (LARGE_INTEGER-sized) time values
UserTime db 8 dup(?)
CreateTime db 8 dup(?)
WaitTime ULONG ?
StartAddress PVOID ?
ClientIs dd ? ; presumably a CLIENT_ID (process/thread id pair) -- NOTE(review): width unverified, unused here
Priority dd ?
BasePriority dd ?
ContextSwitchCount ULONG ?
ThreadState ULONG ?
WaitReason dd ? ;KWAIT_REASON enumeration value
SYSTEMTHREADS ends
; SYSTEMPROCESSES -- one variable-length record per process as filled in by
; ZwQuerySystemInformation(NT_PROCESSTHREAD_INFO). Records are chained by
; NextEntryDelta. The walk in start only touches NextEntryDelta, ProcessId
; and ProcessName, all of which precede the loosely typed tail fields below.
SYSTEMPROCESSES struct
NextEntryDelta ULONG ? ; byte distance from this record to the next; 0 on the last record
ThreadCount ULONG ? ; number of SYSTEMTHREADS entries that follow this record
Reserved1 dd 6 DUP(?)
CreateTime db 8 dup(?) ; 8-byte (LARGE_INTEGER-sized) time values
UserTime db 8 dup(?)
KernelTime db 8 dup(?)
ProcessName UNICODE_STRING <> ; image name, printed with %ws
BasePriority dd ? ;KPRIORITY
ProcessId ULONG ?
InheritedFromProcessId ULONG ? ; parent process id
HandleCount ULONG ?
Reserved2 ULONG 2 DUP(?)
VmCounters dd ? ;VM_COUNTERS -- NOTE(review): single-dword placeholder; the real structure is presumably larger, so Threads' offset and SIZEOF SYSTEMPROCESSES are not reliable
IoCounters dd ? ;IO_COUNTERS -- placeholder, same caveat as VmCounters
Threads SYSTEMTHREADS <> ; first thread record (offset unreliable, see above)
SYSTEMPROCESSES ends
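.const
; SYSTEM_INFORMATION_CLASS value for the process/thread list
; (SystemProcessInformation).
NT_PROCESSTHREAD_INFO equ 5
; NTSTATUS returned when the whole list fit into the supplied buffer.
STATUS_SUCCESS equ 0

.data
; Names resolved at run time: ZwQuerySystemInformation is exported by
; ntdll.dll, for which this build links no import library.
ZwQuerySystemInformation db "ZwQuerySystemInformation",0
Ntdll db "NTDLL.DLL",0
mytitle db "利用ZwQuerySystemInformation列进程",0 ; not referenced by start
getsuccess db "Get original Data Success",13,10,0
apiaddr dd ? ; address of ZwQuerySystemInformation
Pprocessinfo dd ? ; pointer to the start of processinfo
ReturnLength dd ? ; filled by the query with the number of bytes written/required
ProcessIdFormat db "ID=%d ProcessName=%ws",13,10,0 ; process name is UNICODE, hence %ws
; wsprintf takes no length argument and may emit up to 1024 characters
; including the terminator; size the scratch buffer to that limit so a long
; process name cannot run past the end of it (255 bytes was not enough).
buffer db 1024 dup(?)
ProcessCount dd 0 ; records printed so far
ProcessCountFormat db "Total Process=%d",13,10,0

.data?
; Destination for the whole process/thread list; SIZEOF processinfo is
; what gets passed as the buffer length.
processinfo db 50000H dup(?)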
.code
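;-----------------------------------------------------------------------
; start -- program entry point (console subsystem, /subsystem:CONSOLE).
; Resolves ZwQuerySystemInformation from ntdll.dll, requests the
; SystemProcessInformation list into processinfo, prints
; "ID=<pid> ProcessName=<name>" for every record, then the record count.
; Exit code: 0 on success; 1 if ntdll or the export cannot be resolved, or
; the query does not return STATUS_SUCCESS (typically the buffer was too
; small -- ReturnLength then holds the size needed; nothing is walked).
; Registers: edi = current SYSTEMPROCESSES record, esi = one past the end
; of processinfo; both are preserved across the stdcall/cdecl calls made
; inside the loop (Win32 ABI keeps ebx/esi/edi/ebp).
;-----------------------------------------------------------------------
start proc
    ; Resolve the NT API at run time; never call through a NULL pointer.
    invoke LoadLibrary, offset Ntdll
    .if eax == NULL
        invoke ExitProcess, 1
    .endif
    invoke GetProcAddress, eax, offset ZwQuerySystemInformation
    .if eax == NULL
        invoke ExitProcess, 1
    .endif
    mov apiaddr, eax
    mov Pprocessinfo, offset processinfo

    ; NTSTATUS ZwQuerySystemInformation(Class, Buffer, BufferLength, &ReturnLength)
    ; stdcall: arguments pushed right to left, callee cleans the stack.
    push offset ReturnLength
    push sizeof processinfo                     ; same size the buffer was declared with
    push Pprocessinfo
    push NT_PROCESSTHREAD_INFO
    call apiaddr
    .if eax != STATUS_SUCCESS
        ; Typically STATUS_INFO_LENGTH_MISMATCH when processinfo is too
        ; small; its contents are then not a valid list, so do not walk it.
        invoke ExitProcess, 1
    .endif
    invoke StdOut, offset getsuccess

    ; Walk the records. NextEntryDelta is the byte distance to the next
    ; record and is 0 on the LAST one, so each record is printed before its
    ; delta is tested (the original loop dropped the final process).
    mov edi, Pprocessinfo
    mov esi, offset processinfo + sizeof processinfo ; one past the buffer end
    assume edi: ptr SYSTEMPROCESSES
    .while TRUE
        ; NOTE(review): %ws expects a NUL-terminated buffer while
        ; UNICODE_STRING is length-counted -- confirm the names returned
        ; for this information class are terminated.
        invoke wsprintf, addr buffer, addr ProcessIdFormat, [edi].ProcessId, [edi].ProcessName.Buffer
        invoke StdOut, offset buffer
        inc ProcessCount
        mov eax, [edi].NextEntryDelta
        .break .if eax == 0                     ; last record has been printed
        add edi, eax
        .break .if edi >= esi                   ; malformed delta: never read past processinfo
    .endw
    assume edi: nothing

    invoke wsprintf, addr buffer, addr ProcessCountFormat, ProcessCount
    invoke StdOut, offset buffer
    invoke ExitProcess, 0
start endp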
end start