LordPE only shows 60 processes
LordPE enumerates processes with psapi's EnumProcesses. Tracing it shows the fault is in GetNumBerOfProcesses, which is wrapped in procs.dll. The code is as follows (the annotations mark every byte that has to change):

20001200 > A1 FC240020      mov eax, dword ptr [200024FC]
20001205   81EC 1C020000    sub esp, 21C          // change here: 0x21C - 0xF0 = 0x12C is the frame below the PID array.
                                                  // To hold 256 PIDs the array needs 256*4 = 1024 bytes, so the frame
                                                  // becomes 1024 + 300 (0x12C) = 1324 = 0x52C:  sub esp, 52C
2000120B   85C0             test eax, eax
2000120D   56               push esi
2000120E   75 7D            jnz short 2000128D    // flag set: take the psapi (EnumProcesses) path
20001210   6A 00            push 0                // otherwise: Toolhelp-style snapshot walk (push 0 / push 2,
20001212   6A 02            push 2                // PROCESSENTRY32.dwSize = 0x128, First/Next loop); not affected by the patch
20001214   FF15 E8240020    call dword ptr [200024E8]
2000121A   8BF0             mov esi, eax
2000121C   83FE FF          cmp esi, -1
2000121F   75 0A            jnz short 2000122B
20001221   33C0             xor eax, eax
20001223   5E               pop esi
20001224   81C4 1C020000    add esp, 21C          // also change to  add esp, 52C
2000122A   C3               retn
2000122B   8D4424 08        lea eax, dword ptr [esp+8]
2000122F   C74424 08 28010000 mov dword ptr [esp+8], 128
20001237   50               push eax
20001238   56               push esi
20001239   FF15 DC240020    call dword ptr [200024DC]
2000123F   85C0             test eax, eax
20001241   75 11            jnz short 20001254
20001243   56               push esi
20001244   FF15 08100020    call dword ptr [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
2000124A   33C0             xor eax, eax
2000124C   5E               pop esi
2000124D   81C4 1C020000    add esp, 21C          // also change to  add esp, 52C
20001253   C3               retn
20001254   8D4C24 08        lea ecx, dword ptr [esp+8]
20001258   57               push edi
20001259   51               push ecx
2000125A   56               push esi
2000125B   BF 01000000      mov edi, 1
20001260   FF15 E4240020    call dword ptr [200024E4]
20001266   85C0             test eax, eax
20001268   74 11            je short 2000127B
2000126A   8D5424 0C        lea edx, dword ptr [esp+C]
2000126E   47               inc edi
2000126F   52               push edx
20001270   56               push esi
20001271   FF15 E4240020    call dword ptr [200024E4]
20001277   85C0             test eax, eax
20001279 ^ 75 EF            jnz short 2000126A
2000127B   56               push esi
2000127C   FF15 08100020    call dword ptr [<&KERNEL32.CloseHandle>] ; kernel32.CloseHandle
20001282   8BC7             mov eax, edi
20001284   5F               pop edi
20001285   5E               pop esi
20001286   81C4 1C020000    add esp, 21C          // also change to  add esp, 52C
2000128C   C3               retn

The real problem is here: the array handed to EnumProcesses is obviously too small (see the Delphi equivalent below).

2000128D   8D4424 04        lea eax, dword ptr [esp+4]
20001291   8D8C24 30010000  lea ecx, dword ptr [esp+130]
20001298   50               push eax              // receives the number of bytes actually returned
20001299   68 F0000000      push 0F0              // array size, hard-coded: 0xF0 = 240 bytes, 240/4 = 60, so at most 60 PIDs.
                                                  // Change to  push 0400, i.e. 256*4 = 1024 bytes
2000129E   51               push ecx              // pointer to the array that receives the process IDs
2000129F   FF15 EC240020    call dword ptr [200024EC] ; psapi.EnumProcesses
200012A5   85C0             test eax, eax
200012A7   75 08            jnz short 200012B1
200012A9   5E               pop esi
200012AA   81C4 1C020000    add esp, 21C          // also change to  add esp, 52C
200012B0   C3               retn
200012B1   8B4424 04        mov eax, dword ptr [esp+4]
200012B5   5E               pop esi
200012B6   C1E8 02          shr eax, 2            // bytes returned / 4 = number of processes
200012B9   81C4 1C020000    add esp, 21C          // also change to  add esp, 52C
200012BF   C3               retn

A few things to check before applying the patch:

- The PID array sits at the top of the frame ([esp+130] with esi pushed, i.e. frame offset 0x12C), and the frame ends exactly at 0x12C + 0xF0 = 0x21C. Growing the frame therefore only moves the return address; the PROCESSENTRY32 at [esp+8] and the cbNeeded slot at [esp+4] keep their offsets, and the array simply gains room above them.
- All five `add esp, 21C` (at 20001224, 2000124D, 20001286, 200012AA and 200012B9) must be changed together with the `sub esp, 21C`; miss one and that return path pops a garbage return address.
- Both patched instructions keep their length: `81EC 1C020000` becomes `81EC 2C050000` and `68 F0000000` becomes `68 00040000`, so no code has to move. The new frame (1324 bytes) is still under a page, so no stack-probe concern arises.
- 256 is still a hard cap. EnumProcesses reports in lpcbNeeded the bytes it returned, not the bytes required, and gives no truncation signal; when the returned size equals the buffer size the list may have been cut off and the call should be retried with a larger buffer. The proper fix is to allocate dynamically and grow until the returned size is smaller than the buffer.
The corresponding Delphi code is (0xF0 is a byte count, so the array is 60 DWORDs, not 240; the patched version corresponds to array [0..255]):

var
  lProcess : array [0..59] of DWord;   { 60 * 4 = 240 = 0xF0 bytes, matching  push 0F0 }
  dwSize   : DWord;                     { bytes actually returned, as with  [esp+4] }
begin
  if not EnumProcesses(@lProcess, SizeOf(lProcess), dwSize) then
    Exit;
  { dwSize div 4 is the process count; it can never exceed 60 here,
    and dwSize = SizeOf(lProcess) means the list may have been truncated }
end;
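To make the counting logic and its caveat concrete, here is an added C example that is not part of the original post or of LordPE/procs.dll. It uses a stand-in `EnumProcesses` with the same signature and the same contract as the psapi function (copies at most cb bytes, reports bytes returned, no truncation flag) over a constructed process list, so it runs anywhere; on Windows the stand-in can be replaced by the real import. `count_fixed_buffer` mirrors what GetNumBerOfProcesses does on the psapi path for a given pushed buffer size (0xF0 original, 0x400 patched), and `count_growing_buffer` is the retry loop that removes the cap; the names and the fake PID values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t DWORD;
typedef int BOOL;

/* Constructed sample: how many processes the simulated system has. */
static DWORD g_num_pids = 100;

/* Stand-in with the contract of psapi!EnumProcesses (not the real one):
 * copies at most cb bytes of PIDs into lpidProcess and stores in
 * *lpcbNeeded the number of bytes actually RETURNED, not the number
 * required. There is no truncation flag: when *lpcbNeeded == cb the caller
 * cannot tell whether the buffer was exactly full or too small.
 * On Windows, link psapi and delete this function to use the real import. */
static BOOL EnumProcesses(DWORD *lpidProcess, DWORD cb, DWORD *lpcbNeeded)
{
    DWORD max_ids = cb / sizeof(DWORD);
    DWORD n = g_num_pids < max_ids ? g_num_pids : max_ids;
    for (DWORD i = 0; i < n; i++)
        lpidProcess[i] = 4 * (i + 1);      /* fake PIDs 4, 8, 12, ... (constructed) */
    *lpcbNeeded = n * sizeof(DWORD);
    return 1;
}

/* What the psapi path of GetNumBerOfProcesses does, parameterised by the
 * buffer size it pushes: 0xF0 in the original, 0x400 after the patch.
 * Returns bytes_returned >> 2 (the listing's  shr eax, 2 ), so the result
 * silently caps at cb/4 processes. */
static DWORD count_fixed_buffer(DWORD cb)
{
    DWORD *pids = malloc(cb);
    DWORD returned = 0;
    if (!pids)
        return 0;
    if (!EnumProcesses(pids, cb, &returned)) {
        free(pids);
        return 0;
    }
    free(pids);
    return returned / sizeof(DWORD);
}

/* Robust form: double the buffer until EnumProcesses returns fewer bytes
 * than it was offered, which is the only way the API signals that the
 * whole list fit. Starts at the original 0xF0 to show how many rounds the
 * 60-entry guess needs. */
static DWORD count_growing_buffer(void)
{
    DWORD cb = 0xF0;
    for (;;) {
        DWORD *pids = malloc(cb);
        DWORD returned = 0;
        if (!pids)
            return 0;
        if (!EnumProcesses(pids, cb, &returned)) {
            free(pids);
            return 0;
        }
        free(pids);
        if (returned < cb)                 /* buffer had spare room: list is complete */
            return returned / sizeof(DWORD);
        cb *= 2;                           /* full buffer: may be truncated, retry larger */
    }
}

/* Sets the constructed process count for the demo and the tests. */
static void set_process_count(DWORD n) { g_num_pids = n; }

int main(void)
{
    set_process_count(100);
    printf("100 processes: 0xF0 buffer -> %u, 0x400 buffer -> %u, growing -> %u\n",
           (unsigned)count_fixed_buffer(0xF0), (unsigned)count_fixed_buffer(0x400),
           (unsigned)count_growing_buffer());
    set_process_count(300);
    printf("300 processes: 0x400 buffer -> %u, growing -> %u\n",
           (unsigned)count_fixed_buffer(0x400), (unsigned)count_growing_buffer());
    return 0;
}
```

With 100 processes the original 0xF0 buffer yields 60, the patched 0x400 buffer yields 100; with 300 processes the patched buffer still stops at 256 while the growing loop reports 300, which is why a dynamic buffer rather than a bigger constant is the right fix.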