数学建模社区-数学中国

标题: 获得进程的EPROCESS [打印本页]
作者: 韩冰    时间: 2004-10-9 14:22
标题: 获得进程的EPROCESS
文摘内容:- r$ Z- N4 Q+ h0 c3 h: G1 ` -------------------------------------------------------------------------------- & x" n0 l q% c' v1 ?3 h% d7 Y文摘出处:http://www.xfocus.net/articles/200406/706.html 1 H" [# r9 e8 t3 `; G $ b9 n5 c3 q" F; D5 u+ |" ^" V; e6 l; e0 P创建时间:2004-06-01 % A9 E) p& M J, u& A( @文章属性:原创 / j0 n9 t# s9 M5 ~文章提交:MustBE (zf35_at_citiz.net) ! l* w- \+ }* l T. |% ]6 a! iBy [I.T.S]SystEm32! D( R- p( j! @- e 4 |. @; J, m2 B6 c8 i4 V& \" ^; FWelcome to our web site http://itaq.ynpc.com/itsbbs/ . B9 z. k7 }: _ 4 ^6 D) H9 A3 G1 Z& Z/ b; d! xthanks to SobeIt : P/ b3 v: w. F) O4 p6 U3 f --------------------------------------------------------------------------------------------- . _: G M7 N# l6 L 3 v: w+ |+ N: L% S# m每个Windows进程都有一个相对应的执行体进程(EPROCESS,也就是KTEB),EPROCESS不仅包括了进程的许多属性,还包扩了许多指向其他数据结构的指针,其中包含了大量有用的信息.本文仅讲述如何获得特定进程对应的EPROCESS,EPROCESS的作用及数据结构不在本文讨论范围之内." @8 J2 a& X6 ]7 m; I4 G5 l( s% }' G # a% s1 g3 j2 ~0 V6 [* ?0 y绿盟高手flier在他的文章中提到,使用ZwQuerySystemInformation函数获取所有核心句柄表,线性搜索到进程句柄,其指向的内核对象就是EPROCESS。 8 [' t( Y; d5 J# U0 V* g' Q 5 T I1 j0 ^6 d, v& w0 HZwQuerySystemInformation函数原形如下 1 C; g/ a. y/ K% G4 X! t1 G6 u3 C8 R7 _9 E7 m" }' z* U NTSYSAPI% J5 z+ i- _% ~+ V NTSTATUS7 ~5 ?* v: y1 |0 G9 I NTAPI + v* ] m7 I! n/ _, YZwQuerySystemInformation * T$ r# X3 p+ j; H( , Q C5 i* m3 e- H0 d' x1 VIN SYSTEM_INFORMATION_CLASS SystemInformationClass, " M. l" W- b! Z$ CIN OUT PVOID SystemInformation, * h' K/ F5 ]+ D% B1 D. R IN ULONG SystemInformationLength, " y! i- }9 a" A! A OUT PULONG ReturnLength OPTIONAL . K0 r0 w, {- N); * _; J: G( F% m9 P( h/ m& j 1 u, Q- C3 z! {, O& _7 y) {; e/ d参数意义如下 ( u$ ]8 J0 \ f7 i; h' d % _7 A9 f) s, g& x6 _' fSystemInformationClass:被查询的系统信息的类型,SYSTEM_INFORMATION_CLASS的枚举类型之一1 N* e1 r/ u4 S $ I( Z$ X: {! q1 R0 k SystemInformation:指向一个接受系统信息的缓冲区的指针 5 V; `" L3 a5 N" K" F, t! d2 W L: G& u: e- S; T SystemInformationLength:缓冲区长度 " j! { V5 O% c3 s; p- X0 h 0 D; Q& G, J+ y, G6 yReturnLength:指向一个接受实际返回字节数的变量,可以为0 8 C* h0 W0 ~1 w4 y7 W, Q5 ^: _ & N/ ~, ^3 J: O7 W& c7 \: {3 q+ _2 d% `% H3 _ 为了获取EPROCESS,我们使用SYSTEM_HANDLE_INFORMATION作为第一参数来调用 ZwQuerySystemInformation+ G( p* X' |% T( x$ C1 [ 5 g7 z- Q9 N) x& F: HSYSTEM_INFORMATION_CLASS的结构如下 % x8 `( S; j1 n% g# t # L: [: j1 l0 H0 _typedef struct _SYSTEM_HANDLE_INFORMATION8 Z9 X9 `- C: I+ ]& r' }5 v { 1 d7 w1 ^! ?9 G$ A- |2 L! L1 KULONG ProcessId;( V1 Q- s" `& e+ S( C. n" D UCHAR ObjectTypeNumber;* R9 G+ c- V( L- k; k4 e# A; F8 } UCHAR Flags;- X4 t! s" ?7 \: S1 ]1 P USHORT Handle;. r5 w& V, V2 J# b0 r PVOID Object;# Y4 N) y( |# B% C C* `/ Z$ l ACCESS_MASK GrantedAccess; : B4 R: @- R0 ~5 K2 f} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;/ T1 r/ ~1 v* t+ X1 Q, [ , k, U6 K( Q- fProcessId:进程标识符 8 L! V2 a6 d1 Z! o& S 9 K; t2 F$ {+ m; w6 XObjectTypeNumber;打开的对象的类型# [$ m X Y4 p& F. B# o" @ i% w. W( {1 {) Q4 _* x: O/ SFlags:句柄属性标志7 X! x' O9 W, q' U0 @% J 4 Y2 l' Z# U- f! c) f! W9 A% L Handle:句柄数值,在进程打开的句柄中唯一标识某个句柄" x9 k: G) G& V; j * J4 H$ c1 v* V1 U! W' PObject:这个就是句柄对应的EPROCESS的地址 7 X" C* j% X! f. `1 o. h i# x9 J8 i - O% R: ^2 b* NGrantedAccess:句柄对象的访问权限: Z) g5 `% j6 i& p/ r9 Y/ E; l , j) o! {4 N4 k ?6 l8 h ( t2 w6 K! N" w2 s" E$ z下面我写了一个小程序来获得EPROCESS( GetKTEB.cpp )/ J! X1 ^! [ n1 [/ h I6 J6 j 5 n* u8 H0 l* x1 e& [比较faint的是程序写好后发现并未如预期般获得EPROCESS,通过调试发现ZwQuerySystemInformation()返回的进程的句柄中并没有进程本身的句柄 0 ~" T' R: D1 y8 k4 I7 d" F 6 C) A( V5 l7 G% v, i# M怎么会这样?难道程序写错了?*_* 0 v4 E+ e* V2 G0 r5 M; d; ^( d 3 `4 e4 R% H$ K+ `, ?* Y8 r; l% `' W现在只好靠SoftICE给出答案了,CTRL+D唤出SoftICE,随便选了个进程--QQ,让我们来看看SoftICE的输出0 _$ C I3 |# E5 t4 S1 j0 h : S" Y6 B8 ~4 D( Y5 e) E1 b; D; ^:proc -o QQ ; r( U1 Y5 @; N; X$ a! hProcess KPEB PID Threads Pri User Time Krnl Time Status( P% b$ I2 ~5 |( |0 r9 P QQ 827CD520 11C 2A 8 00000B90 000008D4 Ready # m% |; s1 M. L/ O+ c0 t . V9 p1 L/ f2 U& A6 W, `9 J( Z' ^---- Handle Table Information ---- ( d$ H' |1 m1 d0 Y( f, F 3 ~+ o: ^8 v8 N; C* ?Handle Table: FFAD93C8 Handle Array: E2BEB000 Entries: 590( Q* w g4 l/ x7 }3 o 6 n7 o u( I% ^8 m7 t) ^Handle Ob Hdr * Object * Type2 g0 ~3 j1 U1 S0 t( C 0000 00000000 00000018 ? a& W1 B7 y6 {9 p+ o0004 E2DA5E58 E2DA5E70 Section ! t3 U# q' j, s0 V& D0008 FFAB35C8 FFAB35E0 Event _! ~5 z0 {8 N( K000C FFAB3B08 FFAB3B20 Event 6 m( s9 l! V3 t5 }+ p) z: g% y0010 85C70188 85C701A0 Event % z6 |: l) k! p' ]7 k+ w* |0014 81515778 81515790 Directory8 h1 k4 t# D$ o& M' f g* w 0018 FFAB7BB2 FFAB7BCA ? ! h1 L7 f8 M3 }- Z5 ^: ^7 y001C 814A1858 814A1870 Directory" n* C) n6 z- K- a2 Q 0020 80288C88 80288CA0 Event 8 S e- L; k1 B9 @3 n/ B! J0024 E2CFE7F9 E2CFE811 ?4 W: z2 m/ ?; n0 Q3 G% c 0028 842D7B08 842D7B20 Event- r' I* g6 G2 [! N1 C$ k 002C 80E9B989 80E9B9A1 ?5 s! Z& o$ }- [: ~' O! [; g% ~1 c+ A* A 0030 E1372198 E13721B0 Section + z$ M2 C/ A$ s. F* R0034 814602C0 814602D8 WindowStation4 D' ]9 S& G: |( V: j 0038 81455CE0 81455CF8 Desktop1 d3 l; N& J4 P4 b# v6 J 003C 814602C0 814602D8 WindowStation* W& O+ G; t' [ 0040 E2B3C1A8 E2B3C1C0 Key ! [6 e5 T$ [6 V* `6 s' p4 A0044 E286D6E8 E286D700 Key " H' D/ z7 T* ~0048 E2B3C0E8 E2B3C100 Key ( m; E) M7 V7 a1 a5 t) ` I$ ]004C E2B3C068 E2B3C080 Key5 |3 G4 q- j& i2 Y1 c- e 0050 E2BEE688 E2BEE6A0 Key + |. V* h6 t* Z9 W% _0054 8147C998 8147C9B0 Directory 5 ~4 S6 j* O- C3 E- H; m2 k7 w0058 829D1128 829D1140 Event7 g7 K" _' `, M8 o- B6 [" Y 005C 83F991E8 83F99200 Event. o9 W% M' }0 \ 0060 E2BEE608 E2BEE620 Key' M) W; M3 Q8 l- ~ 0064 FFB07568 FFB07580 Event, s1 ?7 T/ b- z+ `, g+ n1 T Q 0068 801747E8 80174800 Event& n) ]! p3 Y- }. U v 006C 80174828 80174840 Event 1 j6 C- |6 f1 k0070 845E8808 845E8820 Event- O- K" {5 O2 R( K; p) \. e* q9 F6 A 0074 81448798 814487B0 Event7 p3 Z+ O) w+ Q$ ]( N 0078 E2B9A888 E2B9A8A0 Key 5 `! n- n& J) r007C 845E8648 845E8660 Event2 U9 S8 I3 T+ b% u 0080 FF9E2DB8 FF9E2DD0 Mutant ) [6 u' r5 ^$ z0084 FF9E2D58 FF9E2D70 Mutant 1 E/ n2 @$ }+ |5 D+ J8 V; ~9 f0088 83CFC378 83CFC390 Mutant$ d) B! C2 ]: ]3 E1 Y 008C 801749B0 801749C8 File1 t" \6 A V r+ g5 e6 S6 m 0090 E2C48668 E2C48680 Section & V4 X5 c5 J4 Y" h# O, e* |0094 FF965168 FF965180 Event 3 s$ s' T1 z- t! Y4 ]0098 FF9E7D88 FF9E7DA0 Event + D9 Y) Z8 Z1 w: m( d B( E009C FFAD3DE8 FFAD3E00 Event/ H0 }, M, f( N) f0 g \ 00A0 80AD63C8 80AD63E0 Event! C1 I4 c0 H1 y% i/ V0 v 00A4 E28073A8 E28073C0 Key 3 ?( m) U& T( b3 n5 }. v00A8 FF955588 FF9555A0 Thread5 x% o! ^, f4 B: G1 R1 r: Y& X 00AC E2770728 E2770740 Key5 J9 u9 f, C9 ]& |. i1 L 00B0 FF923438 FF923450 Mutant8 ~' l4 o; h4 P1 d* z 00B4 FFAE3B38 FFAE3B50 Mutant# b0 A/ n+ A3 z0 U 00B8 83B80728 83B80740 Event ( u$ f! o; O( c8 X/ D, j00BC 83B80668 83B80680 Event + r2 J0 V; ~0 V$ b00C0 E2E3C448 E2E3C460 Section& t; K0 n+ x' W6 ?7 i. G) v3 K 00C4 83776A08 83776A20 Thread $ {5 ~ ]- Z* z0 z1 b00C8 81489E48 81489E60 Event , `1 L/ b. C# k S9 s00CC 83776CC8 83776CE0 Event / a" ?/ t5 P- j2 Z2 [) L# s00D0 83776C88 83776CA0 Event . j2 Z L, z/ \0 Q00D4 83776768 83776780 Event 9 ?& \! W$ V( k- i) S00D8 E2837D88 E2837DA0 Key / w$ P& k% [$ V8 x% o/ ]00DC 8146B3A8 8146B3C0 Event - w' K1 H8 n/ i2 F00E0 FF908308 FF908320 Event " s8 K! I; |" [" x2 {00E4 81494868 81494880 Event 8 l9 L) H5 q# R, V r- W00E8 FF9064C8 FF9064E0 Event ) K% P1 J% B' x0 \4 A00EC FF908FC8 FF908FE0 Event, F& x! y$ L I 00F0 FF908F88 FF908FA0 Event 9 A- K% s; ^: p: k% |! b00F4 FF955588 FF9555A0 Thread 0 @: o0 s4 I0 m: N5 A2 p" o R1 u00F8 FF908F48 FF908F60 Event % [7 J& Z' s) B+ w) d" `: a00FC E2CB1558 E2CB1570 Port p7 j5 @2 b# _5 [" I" |( s; | 0100 FF90A2C8 FF90A2E0 IoCompletion% d+ m7 s R9 `- L# N* O 0104 E2CFE708 E2CFE720 Port- S( O5 E% s- \0 q, _ 0108 FF90A2C8 FF90A2E0 IoCompletion1 T4 e& u" G) e1 U9 A0 u$ e 010C 837762A8 837762C0 Thread$ W5 B" _9 T) s7 `( Q 0110 8103BBC8 8103BBE0 Event4 n$ A. q$ t9 E* k8 c5 k5 | 0114 813DBDB8 813DBDD0 Event% ]1 ^; X, e! @ 0118 FF814788 FF8147A0 Event j4 p, K# E! R# R6 U3 i$ X 011C E1358DA8 E1358DC0 Key / E! ?: H' Z3 {, a% W- ?* J1 T- O0120 E2CFC428 E2CFC440 Key 2 D+ _- {" k- [1 U h9 W0124 8103B9C8 8103B9E0 Event % d5 i3 i ]4 t0128 E2C9A968 E2C9A980 Key ) E$ {( d7 b% ^ A012C 83B34E88 83B34EA0 Event' [1 S- I$ u% e- w 0130 E2CFD948 E2CFD960 Key1 o3 o% Z0 R5 B* S! { 0134 83B34E08 83B34E20 Event9 c5 o/ q% b: E! }3 I .... 3 \1 \2 \0 B! M8 D! F.....................省略: D3 `- h* I3 H7 r8 \ ! s2 V% `5 F; A! ^# ]) s3 G看了一阵,确实没有QQ本身进程的Handle,那么怎么办呢?1 Y3 [% A% Y( Y/ Q 8 K2 z9 p6 A I 想了一会儿...既然Win32子系统是由CSRSS.EXE来管理的,那么用户创建的进程的句柄应该在CSRSS.EXE里面找得到,用SoftICE验证后发现确实如此- L6 ~# ^! C U- C$ S 9 F3 H4 k" ?4 [可是这没办法得到指定进程的句柄,和我所需相去甚远,只有另选它路# ^7 r) z0 r: W, n) B% Y& W% g/ f/ w 7 [1 F1 S- f' ~8 s E; @: P* A后来总算想到解决办法,既然没有进程的句柄,那就创建一个吧,OpenProcess()这个函数可以打开一个进程的句柄,正合所需.8 h2 V; l( a t: a) i, ] + v* l# D5 w/ M3 t8 r. s% D 果然加上这么一句后,ZwQuerySystemInformation()获得了EPROCESS5 y1 L. L8 } @' v: Q+ [. [ ! q x# i' ]; I4 y8 g8 E+ ^3 z 修改好的程序代码如下,获得本身进程的EPROCESS地址,稍作修改可获取任意进程 & _+ d% `" Y3 V6 `/ w& R( L8 u5 k( C( r8 X, |0 o2 N #include 5 u0 p: g" ~. n# u. Z4 ^/ R, n #include : a6 Q- v0 G5 k( Q- N#include ! B5 n; J9 D2 s+ b! G- F7 c3 { #include % ~+ p/ a7 R; O- ?8 j1 j ) a; R2 Z* n9 V9 S) ~% q7 v/*2 k" q% j+ o* S c2 W& E * you''ll find a list of NTSTATUS status codes in the DDK header: i/ ]6 T8 \5 Z% q' b8 a * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\). x+ w% K! `5 O. l: b1 @" X8 G5 m8 J */ $ T7 s' P. [$ g#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)) ^0 v; B- Y6 u( n1 Y #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)7 L9 O5 V. i) r' z: x6 \6 X: | #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) 7 I$ _3 S4 |, F8 q( l& [8 z0 T& {7 M @) c; M. _- _4 P% t /* $ e% x# H. U9 L9 t! [************************************************************************* + @% {6 g% y( k$ d8 X; ?8 M* ntddk.h 0 ^$ V9 [2 O# x& Q% e*/ - _2 @; G, M2 B4 f0 Btypedef LONG NTSTATUS; & m3 i, q& m5 t) d9 }typedef ULONG ACCESS_MASK;' E' Q) o9 J1 t. q. f0 F /* & p0 m/ e! X% F1 `3 I- n7 f1 X$ B* ntdef.h + A( g2 h2 B n2 _' G Y************************************************************************* 3 v3 q3 e2 h# _" y# C' [*/ ; i/ i" K3 v u7 k% k4 L( D ( Q6 k& T1 ]/ f k/ ? m- R/* 1 s c! P: ?2 d9 H! Q* {************************************************************************* 1 w8 p4 l9 _- n1 M. T- J; @* <> - Gary Nebbett & O0 x0 k. [5 n) \4 E; p*/ 0 d: ?6 L7 [, U7 `- M 1 B5 {- K0 |- h, P2 K, G3 Qtypedef enum _SYSTEM_INFORMATION_CLASS - P- }: ~" D. k& G% _{+ c) q S6 ^& e, e/ r+ z6 A2 p) a SystemHandleInformation = 16 ' I- R( u4 c: s! p} SYSTEM_INFORMATION_CLASS; ) W( D; p7 }# @, _: E1 K8 S' c/ D! Y3 u8 v4 W' X" g /*- m0 H W& E2 E5 H0 u( {1 e, c0 L *Information Class 16 & Z1 a6 G6 f3 d( H9 ^3 @3 V2 R2 X4 l$ c*/& k2 H5 U, M! u& |! | s2 N typedef struct _SYSTEM_HANDLE_INFORMATION5 r! d- P; N3 ~- G5 b { * D; u! u/ p% e) @% r! dULONG ProcessId; * P5 s$ h& t7 e: q, t, g1 c1 w, A6 z9 GUCHAR ObjectTypeNumber; ' r+ r7 }, N3 z2 g7 u" ^( mUCHAR Flags; ; F1 y# q( d2 C4 H! _* a* pUSHORT Handle;9 Q9 q( `0 i5 l5 I* b& x' d# \+ ~. k PVOID Object; # G0 u/ ~ D2 o' T. TACCESS_MASK GrantedAccess; 1 A$ B3 R3 J, Z2 [$ M) f} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;$ z# o4 x( N1 V, b 3 L0 Z4 G5 c1 w1 ~#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; } ' H3 ]2 {7 q. E, }/* ! W, ]6 ]' r: {& W6 O************************************************************************* 7 b- L! ~: [6 y* <> - Gary Nebbett $ e2 R) @& k2 h V*************************************************************************1 a- }( k/ h$ M */1 l }/ E' Y+ S: n typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status ); . N; k& H# D3 t2 B) c5 vtypedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );! R! F/ v2 F/ ^9 \ /************************************************************************$ ?5 V* E+ N9 y5 n- S * * ! V- \; F5 p- l" i2 V) l# U( U* Function Prototype *# T5 K7 X) z% H$ [" D/ f4 O' t8 z * * " N, E- N# c w3 e& Z5 c( I************************************************************************/- c1 x+ b! F' ?3 V0 o4 n% ~5 E ! T0 B1 q. ?% b4 h) A static DWORD GetEprocessFromPid ( ULONG PID );; U" f N: L. ` ` static BOOL LocateNtdllEntry ( void ); 3 ~0 `1 q5 l$ W; B* ^( W, z 5 a3 f3 v( n* l" d5 ?3 E- `+ Q5 x3 p9 {4 Y- a- t /************************************************************************5 }0 `9 L4 V9 U0 p- | d0 J; J * * $ U0 a' p* k( v; Y$ k: o* Static Global Var * . }, h* [. a; h* *( H( n8 `, U8 @! r% Q1 `* n ************************************************************************/ " Z' J( ]3 a" @$ _& q/ b: e* F1 D% f d, E8 o static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;6 O+ a# r6 v' m3 i& M* r static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL; ' z3 @: U9 z) n- n# G9 v. ^ 4 D2 n0 g+ }/ Q% q& pstatic HMODULE hModule = NULL; * }( |* P2 o( E3 D) h$ ]* ]5 g/************************************************************************/ k6 |$ L. o0 e' e' e' E W6 k & C4 A; ~" O$ m% T+ \+ L9 O s" K* g static DWORD GetEprocessFromPid ( ULONG PID )! ]* ~5 y. [- V, G { : X& J3 @& t7 E, z# @9 `, ~NTSTATUS status; 4 V" _2 u9 s# @8 [( c9 RPVOID buf = NULL; ) W" V! V: z% H. b9 d$ s( H- oULONG size = 1;& L, W9 R9 ^1 o( [7 p- ^2 w ULONG NumOfHandle = 0; ' ?2 H; }% H3 [* JULONG i; , h8 I/ h. g! y2 u1 wPSYSTEM_HANDLE_INFORMATION h_info = NULL; 8 j! K- p- E, ?' F$ s0 |2 u - N! R7 O% {, V! k" v [for ( size = 1; ; size *= 2 ) 2 d$ Q( t8 k& ?{ 1 ^% W' C$ G( Q' `8 Cif ( NULL == ( buf = calloc( size, 1 ) ) ) " E. X9 g. G- m) z6 y2 {{& K+ }) L$ f/ F, Y' z' I0 [3 A; N fprintf( stderr, "calloc( %u, 1 ) failed\n", size );9 j3 v& C/ P. G$ G& B5 t( r6 C' I goto GetEprocessFromPid_exit;6 y$ Z( k" ^2 m }) C2 ?4 ]4 C+ A, a3 v4 s/ i' g) S status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL ); 7 I. g( n9 @0 h5 K. c" M7 a! N3 e3 `+ Y$ aif ( !NT_SUCCESS( status ) ) + @! S( ?0 P6 T{( b6 e9 d4 Z+ m& E if ( STATUS_INFO_LENGTH_MISMATCH == status )6 A# `/ o9 V4 E$ g% E7 P) k& H { ) M L7 m* \1 }% F8 u7 Z/ F! Gfree( buf );# m) R* R$ E9 k* Z# X# h buf = NULL;7 L8 l, w, ]" d& [) C- ~+ A4 @( S } 3 W: \7 {! B* X/ A3 Jelse & R; `6 J- Q' M6 E B{ 6 ?: ?& S% t: e0 R" o# D, ^ u) L% dprintf( "ZwQuerySystemInformation() failed"); d6 N2 T" V) N$ E; o$ v+ k; } goto GetEprocessFromPid_exit; ) U! b P" U9 H( x} 6 c3 z' }- O: F}( ]$ g7 |/ l* N* c else + k7 M( M7 W1 Y/ Z4 D q" J. U{ , ^& g. ]# [$ f0 P: F. q8 lbreak; ! L: a( P9 c& i} 8 X& t3 P) L5 C. n: S0 e" }} /* end of for */+ b6 u; \8 _, T" l W0 F0 p/ u : `/ q3 b6 }' [/ B" n7 T //返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组! {5 L6 O# Y- A0 h NumOfHandle = (ULONG)buf;7 D1 H% X5 v( ~ J * i5 ]4 {- f' ?6 vh_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4); ' B. E. {, e& O" O, ^) c; P$ J4 }# y' a8 R. {- b for(i = 0; i {! V9 K3 x3 g/ n# ~1 C5 O# e if( ( h_info.ProcessId == PID )&&( h_info.ObjectTypeNumber == 5 ))//&&( h_info.Handle==0x3d8 ) )+ L% N6 o1 G# U/ [ {7 n( E- [0 c: P2 V4 ` printf("Handle:0x%x,OBJECT 0x%x\n\r",h_info.Handle,h_info.Object);4 j1 o& t* E7 u, S return((DWORD)(h_info.Object)); ; J6 a7 H5 @) k' c/ U Q+ X5 a} ( P! E, T1 O1 d! I3 O- W2 ~} 4 B2 |& _- H3 E3 G4 vGetEprocessFromPid_exit: 2 g5 d+ q) m, b" J R, C: yif ( buf != NULL )( C8 A8 u8 I3 ?0 T0 v7 }& m { & ?$ g$ n) ^/ |, Y2 }. W$ \4 yfree( buf ); . Y; v( E: ^/ ~7 vbuf = NULL;; a' k4 X4 p; h8 [ }, q! o- f. ?( g% T4 C return(FALSE);9 a' y4 y# p+ F6 u+ D# }8 W2 V }* N B, h* k" k0 u 2 u1 U$ X8 \# `5 l0 @" t 1 Q; V' G. s* V' u& K/ i/*$ w% v, O8 O; H: I+ y& D. w4 \ * ntdll.dll v$ k2 [; w" ~: x$ S */ 1 S* S( z( G' D B0 D. B- lstatic BOOL LocateNtdllEntry ( void )3 `5 `1 t; _+ H. e { g& k; B6 ~/ ]+ h6 ` BOOL ret = FALSE;$ C6 D2 G8 l9 @3 W$ h char NTDLL_DLL[] = "ntdll.dll";! y3 R4 X1 O' Z7 H7 h6 {# U' _$ ^9 E HMODULE ntdll_dll = NULL;! S* G% d- @8 ^+ b( w2 n' U$ g# b 0 n1 b1 a, f- _, m; o, t. `0 q% X5 j7 m; H' D, E2 H* f G, j if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL ) ; S0 y8 P( J/ T1 |+ J2 o{' M, k( w) f6 K4 x printf( "GetModuleHandle() failed"); - b) V7 } Q. Y& Jreturn( FALSE );4 ^ ^! ?0 K8 R4 x5 D8 ? } * T7 L% ]* n1 g6 v( w5 d6 d& lif ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )& w4 s k6 k; S2 {+ f { ! |. w6 K6 I, H% kgoto LocateNtdllEntry_exit;3 k: `! A( Y) _& V# X } + P: M; c# E' gret = TRUE; : @: W% |. D1 i9 l3 q $ R5 S; t. o- y% A, c7 `0 y. T1 l1 j8 DLocateNtdllEntry_exit:; v4 O( q' F/ N) z 7 k! Y0 K% p6 s# T; O if ( FALSE == ret )3 E& S& k! Z" F( E$ q% z6 B; V" x { , r. M6 H c; A- e; ~. m; eprintf( "GetProcAddress() failed");* `! D L+ b, ?; y }1 b+ R' R! m, p* c ntdll_dll = NULL;$ ]: q( u Z* C) q8 N& A return( ret ); 6 R3 b) o- t' L4 m( m" l n3 L1 h} /* end of LocateNtdllEntry */ 4 ]/ \, [$ x4 } Q, ?8 d& X5 l5 z& \4 p' v3 k 6 k, }& ?1 X- _8 e" \( Yint main(int argc,char **argv) / @& k0 Y7 R" o, U2 E{7 @* Y h. L# h 9 |7 C$ E0 u) R; p6 J# k' z LocateNtdllEntry( ); + R. J- Z5 C. M4 A ^( t/ U% c5 F ( Z2 j+ p4 ^0 i) W V/ }; u//打开自身句柄,这样才能在handle列表中找到自己,PROCESS 对应 ObjectTypeNum 为50 `$ }0 l# L2 J OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() ); / b& t4 K/ N+ W$ Q' l! I9 Z& m 1 r: ~; \- p, ]% i! kDWORD Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() ); 7 P) l) V2 D3 T# j( B7 j9 L$ S) x printf("result: Current EPROCESS''s Address is 0x%x \n\r",Addr); 3 p9 J4 C# @$ ]8 I: f# b- ~ 6 {: A- P# M. W+ Breturn TRUE;# P3 ~7 ]9 }* w5 G! o: b! X8 ~ }



欢迎光临 数学建模社区-数学中国 (http://www.madio.net/) Powered by Discuz! X2.5