CN102902575A - Method and device used for enumerating system processes - Google Patents

Method and device used for enumerating system processes

Info

Publication number: CN102902575A
Authority: CN (China)
Prior art keywords: handle, data structure, traversal, handle table, list item
Legal status: Granted
Application number: CN2012103630155A
Other languages: Chinese (zh)
Other versions: CN102902575B (en)
Inventor: 张辉
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201210363015.5A
Publication of CN102902575A; application granted; publication of CN102902575B
Legal status: Active

Abstract

The invention discloses a method for enumerating system processes. The method comprises the following steps: obtaining the data structure of the Microsoft Client/Server Runtime Subsystem (Csrss.exe) process object; obtaining the handle table pointed to by the object table in that data structure; traversing all handle table entries of the handle table, obtaining the process object pointed to by each entry and then the process corresponding to each process object; and collecting all obtained processes to form the system process set. The invention also discloses a device for enumerating system processes. With this method and device, all processes of a system can be enumerated, including hidden processes, leaving malicious software or rootkits no place to hide, which helps reduce the threat that malicious hidden processes pose to the system.

Description

Method and device for enumerating system processes
Technical field
The present invention relates to the field of computer technology, and in particular to a method for enumerating system processes. The invention further relates to a device for enumerating system processes.
Background technology
The Windows Task Manager can enumerate the processes currently in the system and terminate a selected process as required, which is a great convenience for managing system processes.
Task Manager enumerates the current processes by means of the native API function ZwQuerySystemInformation, which operates on the active process linked list. The concrete procedure is as follows:
First, obtain a pointer to an arbitrary current process; for example, PsGetCurrentProcess() returns the PEPROCESS pointer of the current process.
Then locate the ActiveList of this current process, which records its links to the other processes. Concretely, ActiveList = pCurrentEprocess + 0x88, i.e. the current process pointer advanced by a fixed offset. Here 0x88 is the offset between ActiveList and pCurrentEprocess on Windows XP SP3; the offset differs between Windows operating system versions.
Then, starting from the located ActiveList of the current process, traverse the data structure of every process on the whole active process linked list (ActiveListLink) to obtain all processes currently present on the list.
As described above, because Task Manager is built on ZwQuerySystemInformation, if a process object is removed from the active process linked list, the NtQuerySystemInformation call that enumerates processes in TaskMgr.exe no longer sees that process. At the same time, the Windows scheduler uses a different data structure: whether a process is scheduled has nothing to do with the active process linked list, so a process deleted from that list is not ignored by the CPU and can still execute. This is easily exploited by malware or rootkit programs, which do not show their presence on the active process linked list but still execute, so the user's computer may be infected with a virus, implanted with a trojan or have information stolen without the user noticing, posing a potential or actual threat. It is therefore necessary to find these hidden processes, which are omitted from the active process linked list but are in fact executing.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method for enumerating system processes, and a corresponding device, that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for enumerating system processes is provided, comprising:
obtaining the data structure of the Microsoft Client/Server Runtime Subsystem (Csrss) process object;
obtaining the handle table pointed to by the object table in the data structure;
traversing all handle table entries of the handle table, obtaining the process object pointed to by each handle table entry, and then obtaining the process corresponding to each process object;
collecting all obtained processes to form the system process set.
Optionally, obtaining the data structure of the Csrss process object comprises:
obtaining the private handle table of the current process;
traversing the handle table chain formed by the private handle table of the current process and the private handle tables of the other processes, to obtain the private handle tables of the other processes;
obtaining, from each obtained private handle table of another process, the data structure of the process object corresponding to that private handle table, until the data structure of the Csrss process object is obtained.
Optionally, obtaining the data structure of the Csrss process object comprises:
obtaining the system process and thread object handle table;
traversing the process objects pointed to by the object bodies in the system process and thread object handle table, and obtaining the data structure of each corresponding process object, until the data structure of the Csrss process object is obtained.
Optionally, obtaining the handle table pointed to by the object table in the data structure comprises:
within the data structure, obtaining the handle table pointed to by the object table at a fixed offset from the start of the data structure.
Optionally, traversing all handle table entries of the handle table and obtaining the process object pointed to by each handle table entry comprises:
obtaining the number of levels of the handle table;
if the number of levels obtained is one, traversing each handle table entry of that level at a fixed stride and obtaining the process object from the member pointer in each entry that points to a process object;
if the number of levels obtained is greater than one, first locating the top level of the handle table, traversing each handle table entry of the top level at a fixed stride and obtaining from each entry the member pointer that points to the handle table entries of the adjacent lower level; repeating the traversal of the entries of each level down to the lowest level; and obtaining the process object from the member pointer in each lowest-level entry that points to a process object.
Optionally, obtaining the number of levels of the handle table comprises:
reading the last two bits of the TableCode value in the handle table;
determining the number of levels of the handle table from those two bits.
Optionally, first locating the top level of the handle table comprises:
obtaining the TableCode pointer in the handle table;
locating the top level of the handle table from the TableCode pointer.
Optionally, the method further comprises: for at least one of the obtained system processes, traversing again along the SessionProcessLinks linked list to which that process belongs, and merging the process set obtained with the obtained system process set.
Optionally, the method further comprises: for at least one of the obtained system processes, traversing again along the Vm.WorkingSetExpansionLinks linked list to which that process belongs, and merging the process set obtained with the obtained system process set.
Optionally, the method further comprises:
comparing the obtained process set with the process set of the Windows Task Manager;
finding the processes that differ from the process set of the Windows Task Manager;
sending the found processes to the user, or sending the user a prompt or warning with the found processes as its content.
According to a further aspect of the invention, a device for enumerating system processes is also provided, comprising:
A Csrss process object acquiring unit, for obtaining the data structure of the Microsoft Client/Server Runtime Subsystem (Csrss) process object;
A handle table acquiring unit, for obtaining the handle table pointed to by the object table in the data structure;
A traversal unit, for traversing all handle table entries of the handle table, obtaining the process object pointed to by each handle table entry, and then obtaining the process corresponding to each process object;
An aggregation unit, for collecting all obtained processes to form the system process set.
Optionally, the process object acquiring unit comprises:
A private handle table acquiring unit, for obtaining the private handle table of the current process;
A second traversal unit, for traversing the handle table chain formed by the private handle table of the current process and the private handle tables of the other processes, to obtain the private handle tables of the other processes;
An execution unit, for obtaining, from each obtained private handle table of another process, the data structure of the process object corresponding to that private handle table, until the data structure of the Csrss process object is obtained.
Optionally, the process object acquiring unit comprises:
A process and thread object handle table acquiring unit, for obtaining the system process and thread object handle table;
A third traversal unit, for traversing the process objects pointed to by the object bodies in the system process and thread object handle table and obtaining the data structure of each corresponding process object, until the data structure of the Csrss process object is obtained.
Optionally, the traversal unit comprises:
A handle table level count acquiring unit, for obtaining the number of levels of the handle table;
A traversal execution unit, for traversing the handle table entries according to the number of levels: if the number of levels obtained is one, traversing each handle table entry of that level at a fixed stride and obtaining the process object from the member pointer in each entry that points to a process object; if the number of levels obtained is greater than one, first locating the top level of the handle table, traversing each handle table entry of the top level at a fixed stride and obtaining from each entry the member pointer that points to the handle table entries of the adjacent lower level, repeating the traversal of the entries of each level down to the lowest level, and obtaining the process object from the member pointer in each lowest-level entry that points to a process object.
Optionally, the handle table level count acquiring unit comprises:
A reading unit, for reading the last two bits of the TableCode value in the handle table;
A judging unit, for determining the number of levels of the handle table from those two bits.
Optionally, the traversal execution unit further comprises:
A TableCode pointer acquiring unit, for obtaining the TableCode pointer in the handle table;
A positioning unit, for locating the top level of the handle table from the TableCode pointer.
Optionally, the device further comprises:
A fourth traversal unit, for traversing again, for at least one of the obtained system processes, along the SessionProcessLinks linked list to which that process belongs, and merging the process set obtained with the obtained system process set.
Optionally, the device further comprises:
A fifth traversal unit, for traversing again, for at least one of the obtained system processes, along the Vm.WorkingSetExpansionLinks linked list to which that process belongs, and merging the process set obtained with the obtained system process set.
Optionally, the device further comprises:
A comparison unit, for comparing the obtained process set with the process set of the Windows Task Manager;
An extraction unit, for finding the processes that differ from the process set of the Windows Task Manager;
An alarm unit, for sending the found processes to the user, or sending the user a prompt or warning with the found processes as its content.
According to the specific embodiments provided by the invention, the invention discloses the following technical effect. In the method of the invention, the data structure of the Csrss process object is first obtained, the ObjectTable data item in that data structure is obtained, and then the handle table that this object table points to; traversing this handle table yields all current processes of the system that its handle table entries point to. This is because in Windows, whenever a process is created, its process information is recorded in the data structure of the Csrss process object; concretely, the handle of the process object is recorded in this handle table. Therefore, traversing this handle table yields all processes of the system, including some hidden processes. That is, even if a process has been deleted from the active process linked list, the method of the invention can still enumerate it, so that malware or rootkits have no place to hide, which helps reduce the threat that malicious hidden processes pose to the system.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention may be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Description of drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings serve only to illustrate the preferred embodiments and are not to be taken as limiting the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 is a flowchart of an embodiment of the method for enumerating system processes of the present invention;
Fig. 2 is a schematic diagram of how, in one embodiment of the invention, the process structures of several processes form a handle table chain through their private handle tables;
Fig. 3 is a schematic diagram of an embodiment of the device for enumerating system processes of the present invention.
Embodiment
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure can be realized in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the disclosure may be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Please refer to Fig. 1, which is a flowchart of an embodiment of the method for enumerating system processes of the present invention.
Step 100: obtain the data structure of the Microsoft Client/Server Runtime Subsystem process object.
The Microsoft Client/Server Runtime Subsystem (Client/Server Runtime Server Subsystem, Csrss.exe for short) is a system process. The Csrss.exe process holds the process information of all Win32 subsystem processes; this information is stored in the handle table of the process in the form of a linked list. Under normal circumstances, every newly created process in the system notifies the Csrss.exe process, and on receiving this notification Csrss.exe saves the information of the newly created process into its handle table. The process information of all Win32 subsystem processes can therefore be obtained by traversing the handle table of the Csrss.exe process. To obtain that information through the handle table of the Csrss.exe process, the Csrss.exe process itself must first be obtained. It should be noted that in Microsoft Vista and Win7 there may be more than one Csrss.exe process; all Csrss.exe processes must be obtained and each of their handle tables traversed in order to obtain all processes in the system. Both the way of obtaining the Csrss.exe process and the way of traversing each Csrss.exe process's handle table can use the method described in this embodiment.
There are many ways to obtain the Csrss.exe process; two of them are listed below.
The first implementation of obtaining the data structure of the Csrss.exe process object is as follows.
A. Obtain the private handle table of the current process; B. traverse the handle table chain formed by the private handle table of the current process and the private handle tables of the other processes, to obtain the private handle tables of the other processes; C. from each obtained private handle table of another process, obtain the data structure of the process object corresponding to that private handle table, until the data structure of the Microsoft Client/Server Runtime Subsystem process object is obtained.
Specifically, in Windows every process has a handle table (HandleTable), called the private handle table of the process. The private handle table of a process is a _HANDLE_TABLE structure, and the private handle tables of all processes in the system are linked together in the form of a doubly linked list; the Csrss.exe process is no exception. Therefore, if the private handle table of the current process is obtained and the doubly linked list is traversed at a certain stride, the Csrss.exe process can be found.
One specific implementation of obtaining the private handle table of the current process is as follows: a. obtain a pointer to the current process; b. obtain the private handle table pointer of the current process by offsetting the pointer to the current process; c. locate the private handle table of the current process from its private handle table pointer.
Specifically, the pointer to the current process can be obtained through PsGetCurrentProcess() or IoGetCurrentProcess(). In Windows, because of the constraints of scheduling resources, the execution of one process is divided into parts over different time periods and the execution of different processes is interleaved, so within a given interval several processes may be executing; at any one instant, in most cases, a single process is executing (without excluding the case in which, with sufficient system resources such as CPU and memory, two or more tasks run in parallel). PsGetCurrentProcess() or IoGetCurrentProcess() returns a pointer to the process that is running at the moment the function is called, namely the pointer pCurrentProcess to the process structure _EPROCESS of the current process. In this embodiment the current process means the process that is running at the moment the function is called. The current process obtained can be any process in the Windows system.
After obtaining the pointer pCurrentProcess to the current arbitrary process, offsetting this pointer by a fixed stride gives the private handle table of that current process. Taking Windows XP as an example, the pointer pCurrentProcess to the current process offset by 0xc4 (hexadecimal) gives the private handle table of the current process, namely
pHandleTable = pCurrentProcess + 0xc4,
It should be noted that in Windows XP, for any process, the offset between the pointer pCurrentProcess and the private handle table is 0xc4 (hexadecimal). In Windows systems of other versions, such as Windows 2000, Vista and Win7, the offset differs, and those skilled in the art can obtain the corresponding offset for each Windows version.
The private handle table of the current process can then be located from its private handle table pointer.
As mentioned before, in Windows the private handle tables of all processes in the system are linked together in the form of a doubly linked list. Fig. 2 is a schematic diagram of how the process structures of several processes form a handle table chain through their private handle tables. The private handle table of a process is a _HANDLE_TABLE structure; for any handle table, pHandleTable offset by 0x1c (hexadecimal) points to its member variable HandleTableList, of type _LIST_ENTRY, which is the handle table chain. Each HandleTableList has two members, Flink and Blink: Flink is the forward link and points to the next LIST_ENTRY structure, while Blink is the backward link and points to the previous LIST_ENTRY structure. The whole list forms a closed ring; that is, the Flink of the last entry points to the first LIST_ENTRY structure in the list, and the Blink of the first entry points to the last. As can be seen from Fig. 2, the handle tables of all processes in the system are linked by a doubly linked list of _LIST_ENTRY type. Therefore, by traversing this doubly linked list at a certain stride, the Csrss.exe process in the system can be obtained.
When traversing the doubly linked list, starting from the private handle table of the current process obtained above, offset forward or backward by a certain stride (determined by the Windows version) to obtain the adjacent HandleTableList; subtracting 0x1c (hexadecimal) from the address of each HandleTableList obtained in this way gives the pHandleTable of the private handle table that contains it, i.e. the private handle table in which that HandleTableList resides.
For any private handle table, the address of its member variable HandleTableList can be obtained by traversal. In the handle table, the member at offset 0x04 from pHandleTable is a pointer to the process structure that owns the handle table; that is, once the address of HandleTableList is obtained, the pointer to the owning process structure can be found by offsetting the address, and the process structure, i.e. the process, can then be accessed. All processes in the system can be obtained in this way, and naturally the Csrss.exe process of the system can be obtained as well. In this embodiment, this continues until the data structure of the Csrss.exe process object, its EPROCESS, is obtained. When the Windows system has several Csrss.exe processes, the whole private handle table chain must be traversed to find all of them.
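The handle table chain walk of the first method, as an added illustration that is not part of the patent: it models the structures in user-mode C with named fields in place of the version-specific offsets the page cites (0x1c to HandleTableList, 0x04 to the owning process on XP), uses the WDK CONTAINING_RECORD idiom to step from a HandleTableList entry back to the handle table that contains it, and follows Flink around the closed ring until it returns to the starting table, counting how many tables belong to a process named csrss.exe. The structure names, the OwnerProcess field and the five sample processes are constructed for the example and are not the real Windows layouts.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated layouts for the example only, not the real Windows structures.
 * The page reaches HandleTableList at pHandleTable+0x1c and the owning
 * process at pHandleTable+0x04 on XP; here those are named fields. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link to the next entry */
    struct _LIST_ENTRY *Blink;   /* backward link to the previous entry */
} LIST_ENTRY;

struct sim_process;

typedef struct sim_handle_table {
    void *TableCode;                    /* placeholder, unused in this walk */
    struct sim_process *OwnerProcess;   /* assumed name: back-pointer to the owning process */
    LIST_ENTRY HandleTableList;         /* links every private handle table into a ring */
} sim_handle_table;

typedef struct sim_process {
    char ImageFileName[16];
    sim_handle_table *ObjectTable;      /* the process's private handle table */
} sim_process;

/* WDK idiom: from the address of an embedded field back to the enclosing struct. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* Walk the ring from the current process's private handle table until it
 * closes; every table yields its owning process. Returns the number of tables
 * visited and stores how many owners were named csrss.exe in *csrss_count. */
size_t walk_handle_table_chain(sim_process *current, size_t *csrss_count) {
    LIST_ENTRY *head = &current->ObjectTable->HandleTableList;
    LIST_ENTRY *e = head;
    size_t visited = 0;
    *csrss_count = 0;
    do {
        sim_handle_table *ht = CONTAINING_RECORD(e, sim_handle_table, HandleTableList);
        if (strcmp(ht->OwnerProcess->ImageFileName, "csrss.exe") == 0)
            (*csrss_count)++;
        visited++;
        e = e->Flink;            /* forward link; Blink would walk the ring the other way */
    } while (e != head);         /* closed ring: stop when back at the starting table */
    return visited;
}

/* Constructed sample: five processes, two named csrss.exe (as on Vista/Win7
 * with several sessions), their private handle tables linked into one ring. */
static sim_process procs[5];
static sim_handle_table tables[5];

sim_process *build_chain_sample(void) {
    const char *names[5] = {"System", "csrss.exe", "svchost.exe", "csrss.exe", "notepad.exe"};
    for (int i = 0; i < 5; i++) {
        memset(&procs[i], 0, sizeof procs[i]);
        strncpy(procs[i].ImageFileName, names[i], sizeof procs[i].ImageFileName - 1);
        procs[i].ObjectTable = &tables[i];
        tables[i].OwnerProcess = &procs[i];
        tables[i].HandleTableList.Flink = &tables[(i + 1) % 5].HandleTableList;
        tables[i].HandleTableList.Blink = &tables[(i + 4) % 5].HandleTableList;
    }
    return &procs[4];   /* any process can serve as the "current" process */
}

int main(void) {
    size_t csrss = 0;
    size_t n = walk_handle_table_chain(build_chain_sample(), &csrss);
    printf("visited %zu private handle tables, %zu owned by csrss.exe\n", n, csrss);
    return 0;
}
```

The walk stops only when Flink returns to the starting entry, which is why a ring that is not properly closed (or a corrupted link) would loop or fault; a real traversal would bound the iteration count and validate each pointer before dereferencing it.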
The second implementation of obtaining the data structure of the Csrss.exe process object is as follows:
I. Obtain the system process and thread object handle table; II. traverse the process objects pointed to by the object bodies in the system process and thread object handle table and obtain the data structure of each corresponding process object, until the data structure of the Microsoft Client/Server Runtime Subsystem process object is obtained.
Specifically, the system process and thread object handle table (PspCidTable) is a handle table in Windows whose entries are all the process and thread objects in the system. Therefore, as long as this PspCidTable handle table can be traversed, all processes in the system can be reached, including all hidden processes, and of course the Csrss.exe process can also be found. This approach therefore obtains the Csrss.exe process through PspCidTable.
Understandably, to obtain the Csrss.exe process through PspCidTable, PspCidTable must first be obtained, that is, its starting address must be located. There are many ways to obtain PspCidTable; one is given here: locate the system process and thread object handle table by a signature search in the function that references PspCidTable, where the signature strings searched for include 0x35ff and 0x8e. PspCidTable can of course also be obtained by other means, which are not enumerated one by one here. It should be stressed that any method capable of obtaining PspCidTable is applicable here; this embodiment places no restriction on it.
PspCidTable is a _HANDLE_TABLE structure. In Windows 2000 it is a fixed three-level table structure, and TableCode records the base addresses of the three levels: the first-level table (also called the base table), the second-level table and the third-level table. In these three levels, the address pointer stored in a higher-level table points to the address of the adjacent lower level: the third-level table stores pointers to the second-level table, the second-level table stores pointers to the base table, and only the base table stores pointers to process or thread objects.
In Windows XP and Windows 2003, to save system space, a dynamically extensible three-level table structure is adopted instead: when the number of handles is small only the base table is used; as the number of handles grows the system enables the second-level table, and then the third-level table.
Whether the table is the fixed three-level structure or the dynamically extensible three-level structure, the address pointers stored in each level must be traversed at a fixed stride from the base address of that level in order to obtain all handle table entries of the handle table. Only in the dynamically extensible structure is it necessary to first determine the actual number of levels and then traverse that many levels. In the dynamically extensible table, the last two bits of TableCode are the basis for determining the number of levels: 00 denotes a one-level table, 01 a two-level table and 10 a three-level table.
As mentioned above, PspCidTable stores the object handles of the system's processes and threads. Traversal yields the pointers to objects recorded in the base table, but these pointers point to object bodies and cannot by themselves tell whether the object is a process or a thread. It is therefore also necessary to obtain, by offsetting, the pointer of type _OBJECT_HEADER that points to the object header, and to read the type from that object header pointer to determine whether the pointed-to object is a process or a thread. Selecting the object header pointers whose type is process, the corresponding process is obtained from each process object header pointer. PspCidTable is traversed in this way until the Csrss.exe process is found, that is, until the data structure _EPROCESS of the Csrss.exe process object is obtained. In this embodiment, the pointer type information that identifies a process in the object header is determined as follows: obtain the current process through a function such as PsGetCurrentProcess() or IoGetCurrentProcess(), obtain its object header pointer by offsetting from the object body pointer of this current process, and read the pointer type information from that object header pointer. Of course, if the current process obtained is itself the Csrss.exe process, the above step of obtaining Csrss.exe by traversal need not be performed.
Two methods of obtaining the Csrss.exe process have been listed above, but they are not exhaustive. Any method capable of obtaining the Csrss.exe process can be applied in this embodiment, for example the process enumeration method described in the Background.
Please continue to refer to Fig. 1. In step 110, the handle table pointed to by the object table in the described data structure is obtained.
Specifically, in the data structure _EPROCESS of the Csrss.exe process object, the handle table pointed to by the object table is obtained by offsetting a fixed step from the start position of the structure. The fixed step differs between Windows operating system versions.
Step 120: traverse all handle table entries of the handle table, obtain the process object pointed to by each handle table entry, and then obtain the process corresponding to each process object.
In the Csrss.exe process, the handle table is a _HANDLE_TABLE structure. In Windows 2000 it is a fixed three-level table structure, and TableCode records the base addresses of the three levels: the first-level table (also called the base table), the second-level table and the third-level table. Within these three levels, the address pointers stored in an upper-level table point to the adjacent lower level: the third-level table stores pointers to the second-level table, the second-level table stores pointers to the base table, and only the base table stores pointers to process objects.
In Windows XP and Windows 2003, to save system space, a dynamically extensible three-level table structure is used instead. When the number of handles is small only the base table is used; only when the number of handles grows does the system enable the second-level table, and then the third-level table.
Whether the fixed three-level structure or the dynamically extensible one is in use, every level is traversed from its base address with a fixed step over the address pointers it stores, and in this way all handle table entries in the handle table are obtained. The only difference is that in the dynamically extensible structure the actual number of levels of the handle table must be determined first, and the traversal is then carried out over that many levels. In the dynamically extensible table, the low two bits of TableCode indicate the number of levels: 00 means a one-level table, 01 a two-level table and 10 a three-level table. Reading and judging the low two bits of TableCode in the handle table therefore gives the number of levels.
If the number of levels obtained is one, each handle table entry of that level is traversed with a fixed step, and the process object is obtained from the member pointer in each handle table entry that points to the process object;
If the number of levels obtained is greater than one, each level is traversed as follows: first, the TableCode pointer in the handle table is obtained and positioned at the top level of the handle table; then each handle table entry of that level is traversed from the top with a fixed step, and the member pointer in each entry that points to the adjacent lower level of handle table entries is obtained; the traversal of each level's handle table entries is repeated until the lowest level is reached; and the process object is obtained from the member pointer in each lowest-level handle table entry that points to the process object. The base address of each level is obtained from TableCode as described above and is not repeated here.
By traversing each handle table entry of the Csrss handle table, all processes whose handles are recorded in the Csrss handle table can be obtained.
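The fixed-step, multi-level traversal of step 120 above, together with the object-header type check used when walking PspCidTable, as an added example that is not code from the patent: a user-mode C model of a dynamically extensible handle table. The structures, the entries-per-level count, the type indices and the PIDs are all constructed for illustration; real _HANDLE_TABLE and _OBJECT_HEADER layouts differ by Windows version and must be read from the running kernel.

```c
/* Added example (not from the patent): a user-mode model of traversing a
   dynamically extensible three-level handle table. Every structure and
   value below is constructed for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ENTRIES_PER_LEVEL 4   /* constructed; real levels hold a page of entries */
#define PROCESS_TYPE 7        /* constructed type index meaning "process" */
#define THREAD_TYPE  8        /* constructed type index meaning "thread" */

/* Constructed object header/body pair: the header sits just before the body,
   so the body pointer minus a fixed offset reaches the type information. */
typedef struct { uint32_t type_index; } object_header_t;
typedef struct { object_header_t header; uint32_t pid; } object_t;

/* Constructed base-table entry: only the object pointer field is modelled. */
typedef struct { void *object; } handle_entry_t;

/* Constructed handle table: the low two bits of TableCode give the number of
   levels (00 = 1, 01 = 2, 10 = 3); the remaining bits are the top-level table. */
typedef struct { uintptr_t table_code; } handle_table_t;

unsigned table_levels(uintptr_t table_code) {
    return (unsigned)(table_code & 3u) + 1u;       /* 00->1, 01->2, 10->3 */
}

static void *top_table(const handle_table_t *t) {
    return (void *)(t->table_code & ~(uintptr_t)3u);
}

/* Fixed-step walk of one level. Above the base table each slot holds a pointer
   to the adjacent lower table; at the base table each slot is a handle entry
   whose object is kept only if its header says it is a process. */
static size_t walk_level(void *table, unsigned level, uint32_t *pids, size_t max) {
    size_t n = 0;
    if (level == 1) {
        handle_entry_t *entries = table;
        for (size_t i = 0; i < ENTRIES_PER_LEVEL && n < max; i++) {
            object_t *obj = entries[i].object;
            if (obj == NULL) continue;                              /* free slot */
            if (obj->header.type_index != PROCESS_TYPE) continue;   /* thread etc. */
            pids[n++] = obj->pid;
        }
        return n;
    }
    void **subtables = table;
    for (size_t i = 0; i < ENTRIES_PER_LEVEL && n < max; i++) {
        if (subtables[i] == NULL) continue;       /* level not extended yet */
        n += walk_level(subtables[i], level - 1, pids + n, max - n);
    }
    return n;
}

/* Decode the level count from TableCode, then walk from the top level down. */
size_t enumerate_processes(const handle_table_t *t, uint32_t *pids, size_t max) {
    return walk_level(top_table(t), table_levels(t->table_code), pids, max);
}

/* Constructed sample: a two-level table holding three processes and one thread. */
static object_t objs[] = {
    {{PROCESS_TYPE}, 4}, {{THREAD_TYPE}, 0}, {{PROCESS_TYPE}, 412}, {{PROCESS_TYPE}, 1337},
};
static handle_entry_t base0[ENTRIES_PER_LEVEL] = {{&objs[0]}, {&objs[1]}, {NULL}, {&objs[2]}};
static handle_entry_t base1[ENTRIES_PER_LEVEL] = {{NULL}, {&objs[3]}, {NULL}, {NULL}};
static void *mid[ENTRIES_PER_LEVEL] = {base0, base1, NULL, NULL};

size_t sample_enumeration(uint32_t *pids, size_t max) {
    handle_table_t t = { (uintptr_t)mid | 1u };   /* low bits 01 = two levels */
    return enumerate_processes(&t, pids, max);
}

size_t sample_count(void) { uint32_t p[16]; return sample_enumeration(p, 16); }

uint32_t sample_pid(size_t i) {                   /* i-th pid found, 0 if none */
    uint32_t p[16];
    size_t n = sample_enumeration(p, 16);
    return i < n ? p[i] : 0;
}

int main(void) {
    uint32_t pids[16];
    size_t n = sample_enumeration(pids, 16);
    for (size_t i = 0; i < n; i++) printf("process pid=%u\n", pids[i]);
    return 0;
}
```

On a live system the only parts that change are the per-level entry count, the offsets, and the fact that the object pointer stored in a base-table entry carries attribute bits in its low bits on several Windows versions and must be masked before it is dereferenced; the level-count decoding and the recursive fixed-step walk are what the patent describes and what this model exercises. The NULL checks and the bounded loops matter for a scanner of this kind, because a tampered table should produce an incomplete list rather than a crash.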
Step 130: aggregate all the obtained processes to form the system's current process list.
In the method of the above embodiment of the present invention, the data structure of the Microsoft client/server runtime subsystem process object is first obtained, the object table data item in that data structure is obtained, the handle table pointed to by that object table is then obtained, and traversing that handle table yields all the current system processes pointed to by its handle table entries. This works because in Windows, whenever a process is created, its process information is recorded in the data structure of the Microsoft client/server runtime subsystem process object; specifically, the handle of the process object is recorded in the handle table described above. Hence traversing this handle table yields all processes in the system, including some hidden processes. That is to say, even if a process has been unlinked from the active process linked list, the method of the present invention can still enumerate it, so that some malware or rootkits have no place to hide, which helps reduce the threat that malicious hidden processes pose to the system.
For at least one of the obtained system processes, a further traversal can also be performed along the SessionProcessLinks linked list to which that process belongs, and the resulting process list merged with the obtained system process set.
The data structure is shown in WinDbg as follows:
    kd> dt _eprocess 81c2c6d8
    nt!_EPROCESS
       +0x0b0 VirtualSize         : 0x3933000
       +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x81dfce54 - 0x81ec80d4 ]
From the above structure it can be seen that the SessionProcessLinks of a process is also a circular doubly linked list of _LIST_ENTRY structures; for every process, a process list can be obtained by traversing its SessionProcessLinks. Any one or more processes in the process list obtained by the method of the above embodiment are therefore taken, their SessionProcessLinks are traversed to obtain one or more further process lists, these are aggregated with the process list obtained in the above embodiment, and duplicate processes are removed, giving a more complete process list.
In addition, for at least one of the obtained system processes, a further traversal can be performed along the Vm.WorkingSetExpansionLinks linked list to which that process belongs, and the resulting process list merged with the obtained system process set. The principle of traversing Vm.WorkingSetExpansionLinks is the same as that of traversing SessionProcessLinks and is not repeated here.
In addition, after the process list has been obtained by the above embodiment, the following steps can also be carried out:
I. compare the obtained current process list with the process list of the Windows Task Manager; II. find the processes that are absent from the process list of the Windows Task Manager; III. send a prompt message to the user, or raise an alarm, for the processes found. That is to say, the process list obtained by the embodiment of the invention is compared with the process list obtained by the method in the background art above, the processes that differ between the two lists are found, and the user is prompted or an alarm is sent. Based on this prompt or alarm, the user can further analyse the differing processes and judge whether they are malicious processes.
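The SessionProcessLinks traversal, the merge with duplicate removal, and the Task Manager comparison of steps I to III above, as an added example that is not part of the patent: a C model of walking a circular _LIST_ENTRY list from any member, merging the result into the process set already obtained from the handle table, and reporting the processes that a Task Manager style list does not show. The process records, PIDs, names and the "Task Manager" snapshot are constructed; CONTAINING_RECORD is written out locally rather than taken from the Windows headers.

```c
/* Added example (not the patent's code): cross-view process check built from
   a SessionProcessLinks style list walk. All data below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

/* Constructed stand-in for _EPROCESS: only the fields the walk needs. */
typedef struct {
    uint32_t    pid;
    const char *name;
    LIST_ENTRY  SessionProcessLinks;
} process_t;

/* Local definition of the usual kernel macro: recover the owning record
   from a pointer to its embedded LIST_ENTRY member. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

#define MAX_PROCS 32

static int contains(const uint32_t *set, size_t n, uint32_t pid) {
    for (size_t i = 0; i < n; i++) if (set[i] == pid) return 1;
    return 0;
}

/* Add pid to the set unless already present (duplicate removal); returns new size. */
static size_t add_unique(uint32_t *set, size_t n, uint32_t pid) {
    if (!contains(set, n, pid) && n < MAX_PROCS) set[n++] = pid;
    return n;
}

/* Walk the circular list starting at any member. Stop when the walk returns
   to its start, hits a NULL link, or exceeds a bound, so a corrupted list
   cannot loop forever. Returns the new size of the merged set. */
size_t walk_session_links(process_t *start, uint32_t *set, size_t n) {
    LIST_ENTRY *head = &start->SessionProcessLinks;
    LIST_ENTRY *cur = head;
    size_t steps = 0;
    do {
        process_t *p = CONTAINING_RECORD(cur, process_t, SessionProcessLinks);
        n = add_unique(set, n, p->pid);
        cur = cur->Flink;
    } while (cur != NULL && cur != head && ++steps < MAX_PROCS);
    return n;
}

/* Cross-view check: every pid in 'complete' that 'taskmgr' lacks is reported. */
size_t find_hidden(const uint32_t *complete, size_t nc,
                   const uint32_t *taskmgr, size_t nt,
                   uint32_t *hidden, size_t max) {
    size_t h = 0;
    for (size_t i = 0; i < nc && h < max; i++)
        if (!contains(taskmgr, nt, complete[i])) hidden[h++] = complete[i];
    return h;
}

/* Constructed session list: csrss -> explorer -> svchost -> rk -> back to csrss. */
static process_t procs[4] = {
    {412,  "csrss.exe",    {NULL, NULL}},
    {1200, "explorer.exe", {NULL, NULL}},
    {980,  "svchost.exe",  {NULL, NULL}},
    {4444, "rk.exe",       {NULL, NULL}},   /* constructed "hidden" process */
};

static void link_sample(void) {
    for (int i = 0; i < 4; i++) {
        procs[i].SessionProcessLinks.Flink = &procs[(i + 1) % 4].SessionProcessLinks;
        procs[i].SessionProcessLinks.Blink = &procs[(i + 3) % 4].SessionProcessLinks;
    }
}

/* Runs the whole procedure on the sample; writes hidden pids to out, returns count. */
size_t sample_hidden(uint32_t *out, size_t max) {
    link_sample();
    uint32_t set[MAX_PROCS] = {4, 412, 980};     /* constructed: handle-table result */
    size_t n = 3;
    n = walk_session_links(&procs[1], set, n);   /* start from any found process */
    uint32_t taskmgr[] = {4, 412, 980, 1200};    /* constructed: Task Manager view */
    return find_hidden(set, n, taskmgr, 4, out, max);
}

size_t sample_hidden_count(void) { uint32_t h[MAX_PROCS]; return sample_hidden(h, MAX_PROCS); }

uint32_t sample_hidden_pid(size_t i) {           /* i-th hidden pid, 0 if none */
    uint32_t h[MAX_PROCS];
    size_t k = sample_hidden(h, MAX_PROCS);
    return i < k ? h[i] : 0;
}

int main(void) {
    uint32_t h[MAX_PROCS];
    size_t k = sample_hidden(h, MAX_PROCS);
    for (size_t i = 0; i < k; i++) printf("not shown by task manager: pid %u\n", h[i]);
    return 0;
}
```

Starting the walk from a process the handle-table pass already found matters: the list is circular, so any member reaches every other member, and the duplicate removal in the merge is what keeps the two views from inflating the set. The comparison step is a plain set difference; a process present in the merged set but absent from the Task Manager view is exactly the discrepancy steps II and III report.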
The above discloses an embodiment of a method for enumerating system processes according to the present invention; correspondingly, the invention also discloses a device for enumerating system processes. Please refer to Fig. 3, which is a schematic diagram of an embodiment of a device for enumerating system processes according to the invention. Because the embodiment of this device is essentially identical to the embodiment of the method described above, the device of this embodiment is described only briefly below.
The device for enumerating system processes of this embodiment comprises: a Csrss process object acquiring unit 200, used to obtain the data structure of the Microsoft client/server runtime subsystem process object; a handle table acquiring unit 210, used to obtain the handle table pointed to by the object table in that data structure; a traversal unit 220, used to traverse all handle table entries of the handle table, obtain the process object pointed to by each handle table entry, and then obtain the process corresponding to each process object; and an aggregation unit 230, used to aggregate all the obtained processes to form the system's current process list.
Optionally, the process object acquiring unit comprises:
a private handle table acquiring unit, used to obtain the private handle table of the current process;
a second traversal unit, used to traverse the handle table chain formed by the private handle table of the current process and the private handle tables of other processes, to obtain the private handle tables of the other processes;
an execution unit, used to obtain, from each obtained private handle table of another process, the data structure of the process object corresponding to that private handle table, until the data structure of the Microsoft client/server runtime subsystem process object is obtained.
Optionally, the process object acquiring unit comprises:
a process and thread object handle table acquiring unit, used to obtain the system process and thread object handle table;
a third traversal unit, used to traverse the process objects pointed to by the object body pointers in the system process and thread object handle table and obtain the data structure of each corresponding process object, until the data structure of the Microsoft client/server runtime subsystem process object is obtained.
Optionally, the traversal unit comprises:
a handle table level count acquiring unit, used to obtain the number of levels of the handle table;
a traversal execution unit, used to traverse the handle table entries according to the number of levels: if the number of levels obtained is one, it traverses each handle table entry of that level with a fixed step and obtains the process object from the member pointer in each handle table entry that points to the process object; if the number of levels obtained is greater than one, it first positions at the top level of the handle table, traverses each handle table entry of that level from the top with a fixed step, and obtains the member pointer in each entry that points to the adjacent lower level of handle table entries; it repeats the traversal of each level's handle table entries until the lowest level; and it obtains the process object from the member pointer in each lowest-level handle table entry that points to the process object.
Optionally, the handle table level count acquiring unit comprises:
a reading unit, used to read the low two bits of the TableCode value in the handle table;
a judging unit, used to judge the number of levels of the handle table according to the low two bits.
Optionally, the traversal execution unit further comprises:
a TableCode pointer acquiring unit, used to obtain the TableCode pointer in the handle table;
a positioning unit, used to position the TableCode pointer at the top level of the handle table.
Optionally, a fourth traversal unit is used, for at least one of the obtained system processes, to perform a further traversal along the SessionProcessLinks linked list to which that process belongs, and to merge the resulting process list with the obtained system process set.
Optionally, a fifth traversal unit is used, for at least one of the obtained system processes, to perform a further traversal along the Vm.WorkingSetExpansionLinks linked list to which that process belongs, and to merge the resulting process list with the obtained system process set.
Optionally, a comparison unit is used to compare the obtained current process set with the process list of the Windows Task Manager;
an extraction unit is used to find the processes that are absent from the process list of the Windows Task Manager;
an alarm unit is used to send a prompt message to the user, or to send an alarm to the user, with the processes found as its content.
The device of the embodiment of the invention achieves the same technical effects as the method embodiment described above, which are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein. From the above description, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and that the above description of a specific language is given in order to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules of the devices in the embodiments may be adaptively changed and arranged in one or more devices different from those of the embodiments. The modules, units or components of the embodiments may be combined into one module, unit or component, and may furthermore be divided into a plurality of sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for enumerating system processes according to embodiments of the invention. The invention may also be embodied as a device or apparatus program (for example, a computer program and a computer program product) for carrying out part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering. These words may be interpreted as names.

Claims (19)

1. A method for enumerating system processes, characterized in that it comprises:
obtaining the data structure of the Microsoft client/server runtime subsystem process object;
obtaining the handle table pointed to by the object table in the data structure;
traversing all handle table entries of the handle table, obtaining the process object pointed to by each handle table entry, and then obtaining the process corresponding to each process object; and
aggregating all the obtained processes to form the system process set.
2. The method for enumerating system processes according to claim 1, characterized in that obtaining the data structure of the Microsoft client/server runtime subsystem process object comprises:
obtaining the private handle table of the current process;
traversing the handle table chain formed by the private handle table of the current process and the private handle tables of other processes, to obtain the private handle tables of the other processes;
obtaining, from each obtained private handle table of another process, the data structure of the process object corresponding to that private handle table, until the data structure of the Microsoft client/server runtime subsystem process object is obtained.
3. The method for enumerating system processes according to claim 1, characterized in that obtaining the data structure of the Microsoft client/server runtime subsystem process object comprises:
obtaining the system process and thread object handle table;
traversing the process objects pointed to by the object body pointers in the system process and thread object handle table and obtaining the data structure of each corresponding process object, until the data structure of the Microsoft client/server runtime subsystem process object is obtained.
4. The method for enumerating system processes according to claim 1, characterized in that obtaining the handle table pointed to by the object table in the data structure comprises:
in the data structure, obtaining the handle table pointed to by the object table by offsetting a fixed step from the start position of the data structure.
5. The method for enumerating system processes according to claim 1, characterized in that traversing all handle table entries of the handle table and obtaining the process object pointed to by each handle table entry comprises:
obtaining the number of levels of the handle table;
if the number of levels obtained is one, traversing each handle table entry of that level with a fixed step, and obtaining the process object from the member pointer in each handle table entry that points to the process object;
if the number of levels obtained is greater than one, first positioning at the top level of the handle table, traversing each handle table entry of that level from the top with a fixed step, and obtaining the member pointer in each handle table entry that points to the adjacent lower level of handle table entries; repeating the traversal of the handle table entries of each level until the lowest level; and obtaining the process object from the member pointer in each lowest-level handle table entry that points to the process object.
6. The method for enumerating system processes according to claim 5, characterized in that obtaining the number of levels of the handle table comprises:
reading the low two bits of the TableCode value in the handle table;
judging the number of levels of the handle table according to the low two bits.
7. The method for enumerating system processes according to claim 5, characterized in that first positioning at the top level of the handle table comprises:
obtaining the TableCode pointer in the handle table;
positioning the TableCode pointer at the top level of the handle table.
8. The method for enumerating system processes according to claim 1, characterized by further comprising: for at least one of the obtained system processes, performing a further traversal along the SessionProcessLinks linked list to which that process belongs, and merging the resulting process list with the obtained system process set.
9. The method for enumerating system processes according to claim 1, characterized by further comprising: for at least one of the obtained system processes, performing a further traversal along the Vm.WorkingSetExpansionLinks linked list to which that process belongs, and merging the resulting process list with the obtained system process set.
10. The method for enumerating system processes according to claim 1, characterized in that it further comprises:
comparing the obtained process set with the process list of the Windows Task Manager;
finding the processes that are absent from the process list of the Windows Task Manager;
sending a prompt message to the user, or sending an alarm to the user, with the processes found as its content.
11. A device for enumerating system processes, characterized in that it comprises:
a Csrss process object acquiring unit, used to obtain the data structure of the Microsoft client/server runtime subsystem process object;
a handle table acquiring unit, used to obtain the handle table pointed to by the object table in the data structure;
a traversal unit, used to traverse all handle table entries of the handle table, obtain the process object pointed to by each handle table entry, and then obtain the process corresponding to each process object; and
an aggregation unit, used to aggregate all the obtained processes to form the system process set.
12. The device for enumerating system processes according to claim 11, characterized in that the process object acquiring unit comprises:
a private handle table acquiring unit, used to obtain the private handle table of the current process;
a second traversal unit, used to traverse the handle table chain formed by the private handle table of the current process and the private handle tables of other processes, to obtain the private handle tables of the other processes;
an execution unit, used to obtain, from each obtained private handle table of another process, the data structure of the process object corresponding to that private handle table, until the data structure of the Microsoft client/server runtime subsystem process object is obtained.
13. The device for enumerating system processes according to claim 11, characterized in that the process object acquiring unit comprises:
a process and thread object handle table acquiring unit, used to obtain the system process and thread object handle table;
a third traversal unit, used to traverse the process objects pointed to by the object body pointers in the system process and thread object handle table and obtain the data structure of each corresponding process object, until the data structure of the Microsoft client/server runtime subsystem process object is obtained.
14. The device for enumerating system processes according to claim 11, characterized in that the traversal unit comprises:
a handle table level count acquiring unit, used to obtain the number of levels of the handle table;
a traversal execution unit, used to traverse the handle table entries according to the number of levels: if the number of levels obtained is one, it traverses each handle table entry of that level with a fixed step and obtains the process object from the member pointer in each handle table entry that points to the process object; if the number of levels obtained is greater than one, it first positions at the top level of the handle table, traverses each handle table entry of that level from the top with a fixed step, and obtains the member pointer in each handle table entry that points to the adjacent lower level of handle table entries; it repeats the traversal of the handle table entries of each level until the lowest level; and it obtains the process object from the member pointer in each lowest-level handle table entry that points to the process object.
15. The device for enumerating system processes according to claim 14, characterized in that the handle table level count acquiring unit comprises:
a reading unit, used to read the low two bits of the TableCode value in the handle table;
a judging unit, used to judge the number of levels of the handle table according to the low two bits.
16. The device for enumerating system processes according to claim 14, characterized in that the traversal execution unit further comprises:
a TableCode pointer acquiring unit, used to obtain the TableCode pointer in the handle table;
a positioning unit, used to position the TableCode pointer at the top level of the handle table.
17. The device for enumerating system processes according to claim 11, characterized by further comprising:
a fourth traversal unit, used, for at least one of the obtained system processes, to perform a further traversal along the SessionProcessLinks linked list to which that process belongs, and to merge the resulting process list with the obtained system process set.
18. The device for enumerating system processes according to claim 11, characterized by further comprising:
a fifth traversal unit, used, for at least one of the obtained system processes, to perform a further traversal along the Vm.WorkingSetExpansionLinks linked list to which that process belongs, and to merge the resulting process list with the obtained system process set.
19. The device for enumerating system processes according to claim 11, characterized in that it further comprises:
a comparison unit, used to compare the obtained process set with the process list of the Windows Task Manager;
an extraction unit, used to find the processes that are absent from the process list of the Windows Task Manager;
an alarm unit, used to send a prompt message to the user, or to send an alarm to the user, with the processes found as its content.
CN201210363015.5A 2012-09-25 2012-09-25 A kind of method for enumerating system process and device Active CN102902575B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210363015.5A CN102902575B (en) 2012-09-25 2012-09-25 A kind of method for enumerating system process and device

Publications (2)

Publication Number Publication Date
CN102902575A true CN102902575A (en) 2013-01-30
CN102902575B CN102902575B (en) 2015-10-14

Family

ID=47574821

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101414304A (en) * 2008-11-27 2009-04-22 山东省计算中心 Method for analyzing Windows system physical internal memory based on K P C R structure
CN101770551A (en) * 2008-12-30 2010-07-07 中国科学院软件研究所 Method for processing hidden process based on hardware simulator

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
张登银 et al.: "Rootkit process detection on the Windows platform", Computer Technology and Development (《计算机技术与发展》) *
李钢, 孙虎, 张仁斌: "Research on kernel rootkit process hiding and detection techniques", Chinese Journal of Scientific Instrument (《仪器仪表学报》) *
杨平 et al.: "Research on Windows rootkit detection techniques based on handle analysis", Communications Technology (《通信技术》) *
王雷 et al.: "Windows rootkit process hiding and detection techniques", Computer Engineering (《计算机工程》) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488415A (en) * 2015-11-30 2016-04-13 福建天晴数码有限公司 System process scanning method and apparatus
CN105488415B (en) * 2015-11-30 2019-09-03 福建天晴数码有限公司 The method and apparatus of scanning system process
CN110691060A (en) * 2018-07-06 2020-01-14 武汉信安珞珈科技有限公司 Method and system for realizing remote equipment password service based on CSP interface

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220712

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co., Ltd