数学建模社区-数学中国 (Mathematical Modeling Community, Math China)
Title: Obtaining a process's EPROCESS
Author: 韩冰
Time: 2004-10-9 14:22

--------------------------------------------------------------------------------
Digest source: http://www.xfocus.net/articles/200406/706.html
Created: 2004-06-01
Article type: original
Submitted by: MustBE (zf35_at_citiz.net)

By [I.T.S]SystEm32
Welcome to our web site http://itaq.ynpc.com/itsbbs/
thanks to SobeIt :P

---------------------------------------------------------------------------------------------
Every Windows process has a corresponding executive process block (EPROCESS; SoftICE labels the same structure KPEB, as in the proc output further down). EPROCESS not only holds many of the process's attributes but also contains many pointers to other data structures, so it carries a great deal of useful information. This article only covers how to obtain the EPROCESS of a particular process; what EPROCESS is used for and its layout are outside its scope.

flier, the well-known author at NSFOCUS (绿盟), mentioned in one of his articles that you can use ZwQuerySystemInformation to retrieve the system-wide handle table, search it linearly for a process handle, and the kernel object that handle refers to is the EPROCESS.
The prototype of ZwQuerySystemInformation is:

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

The parameters are:

SystemInformationClass: the kind of system information being queried, one of the SYSTEM_INFORMATION_CLASS enumeration values.

SystemInformation: pointer to the buffer that receives the information.

SystemInformationLength: length of that buffer in bytes.

ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be NULL.
To obtain the EPROCESS we call ZwQuerySystemInformation with SystemHandleInformation (class 16) as the first parameter.

The buffer it returns starts with a ULONG giving the number of handle entries, followed by an array of entries with the following layout (this is the per-handle entry; the article names it SYSTEM_HANDLE_INFORMATION):

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

ProcessId: identifier of the process that owns the handle.

ObjectTypeNumber: type index of the opened object. The index is specific to the Windows version; on the author's system a Process object was type 5.

Flags: handle attribute flags.

Handle: the handle value, which uniquely identifies the handle within the owning process's handle table.

Object: kernel-mode address of the object the handle refers to. For a process handle, this is the address of the EPROCESS.

GrantedAccess: the access rights granted on the handle.
Below is a small program I wrote to obtain the EPROCESS (GetKTEB.cpp).

Rather disheartening: once the program was written, I found it did not obtain the EPROCESS as expected. Debugging showed that the handles ZwQuerySystemInformation() returned for the process did not include a handle to the process itself.

How could that be? Did I write the program wrong? *_*

Only SoftICE could give the answer now. I pressed CTRL+D to bring up SoftICE, picked a process at random (QQ), and looked at SoftICE's output:
:proc -o QQ
Process    KPEB      PID  Threads  Pri  User Time  Krnl Time  Status
QQ         827CD520  11C  2A       8    00000B90   000008D4   Ready

---- Handle Table Information ----
Handle Table: FFAD93C8   Handle Array: E2BEB000   Entries: 590

Handle  Ob Hdr *  Object *  Type
0000    00000000  00000018  ?
0004    E2DA5E58  E2DA5E70  Section
0008    FFAB35C8  FFAB35E0  Event
000C    FFAB3B08  FFAB3B20  Event
0010    85C70188  85C701A0  Event
0014    81515778  81515790  Directory
0018    FFAB7BB2  FFAB7BCA  ?
001C    814A1858  814A1870  Directory
0020    80288C88  80288CA0  Event
0024    E2CFE7F9  E2CFE811  ?
0028    842D7B08  842D7B20  Event
002C    80E9B989  80E9B9A1  ?
0030    E1372198  E13721B0  Section
0034    814602C0  814602D8  WindowStation
0038    81455CE0  81455CF8  Desktop
003C    814602C0  814602D8  WindowStation
0040    E2B3C1A8  E2B3C1C0  Key
0044    E286D6E8  E286D700  Key
0048    E2B3C0E8  E2B3C100  Key
004C    E2B3C068  E2B3C080  Key
0050    E2BEE688  E2BEE6A0  Key
0054    8147C998  8147C9B0  Directory
0058    829D1128  829D1140  Event
005C    83F991E8  83F99200  Event
0060    E2BEE608  E2BEE620  Key
0064    FFB07568  FFB07580  Event
0068    801747E8  80174800  Event
006C    80174828  80174840  Event
0070    845E8808  845E8820  Event
0074    81448798  814487B0  Event
0078    E2B9A888  E2B9A8A0  Key
007C    845E8648  845E8660  Event
0080    FF9E2DB8  FF9E2DD0  Mutant
0084    FF9E2D58  FF9E2D70  Mutant
0088    83CFC378  83CFC390  Mutant
008C    801749B0  801749C8  File
0090    E2C48668  E2C48680  Section
0094    FF965168  FF965180  Event
0098    FF9E7D88  FF9E7DA0  Event
009C    FFAD3DE8  FFAD3E00  Event
00A0    80AD63C8  80AD63E0  Event
00A4    E28073A8  E28073C0  Key
00A8    FF955588  FF9555A0  Thread
00AC    E2770728  E2770740  Key
00B0    FF923438  FF923450  Mutant
00B4    FFAE3B38  FFAE3B50  Mutant
00B8    83B80728  83B80740  Event
00BC    83B80668  83B80680  Event
00C0    E2E3C448  E2E3C460  Section
00C4    83776A08  83776A20  Thread
00C8    81489E48  81489E60  Event
00CC    83776CC8  83776CE0  Event
00D0    83776C88  83776CA0  Event
00D4    83776768  83776780  Event
00D8    E2837D88  E2837DA0  Key
00DC    8146B3A8  8146B3C0  Event
00E0    FF908308  FF908320  Event
00E4    81494868  81494880  Event
00E8    FF9064C8  FF9064E0  Event
00EC    FF908FC8  FF908FE0  Event
00F0    FF908F88  FF908FA0  Event
00F4    FF955588  FF9555A0  Thread
00F8    FF908F48  FF908F60  Event
00FC    E2CB1558  E2CB1570  Port
0100    FF90A2C8  FF90A2E0  IoCompletion
0104    E2CFE708  E2CFE720  Port
0108    FF90A2C8  FF90A2E0  IoCompletion
010C    837762A8  837762C0  Thread
0110    8103BBC8  8103BBE0  Event
0114    813DBDB8  813DBDD0  Event
0118    FF814788  FF8147A0  Event
011C    E1358DA8  E1358DC0  Key
0120    E2CFC428  E2CFC440  Key
0124    8103B9C8  8103B9E0  Event
0128    E2C9A968  E2C9A980  Key
012C    83B34E88  83B34EA0  Event
0130    E2CFD948  E2CFD960  Key
0134    83B34E08  83B34E20  Event
....
..................... (omitted)
After looking for a while: there really is no handle to the QQ process itself. So what now?

I thought about it for a bit... Since the Win32 subsystem is managed by CSRSS.EXE, handles to user-created processes ought to be found inside CSRSS.EXE, and checking with SoftICE confirmed that this is indeed the case.

But that gives no way to get the handle of a specified process, which is far from what I need, so another route had to be found.

Eventually the solution came to me: if there is no handle to the process, just create one. OpenProcess() opens a handle to a process, exactly what was needed.

Sure enough, after adding that one call, ZwQuerySystemInformation() yielded the EPROCESS.

The corrected program is below. It obtains the EPROCESS address of its own process; with small changes it can obtain that of any process.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * you'll find a list of NTSTATUS status codes in the DDK header
 * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
 */
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/*
 *************************************************************************
 * ntddk.h  (ACCESS_MASK is already provided by windows.h)
 */
typedef LONG NTSTATUS;
/*
 * ntdef.h
 *************************************************************************
 */

/*
 *************************************************************************
 * <> - Gary Nebbett
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

/*
 * Information Class 16: one entry of the handle table. The buffer returned
 * by ZwQuerySystemInformation starts with a ULONG entry count, followed by
 * an array of these entries.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/*
 *************************************************************************
 * <> - Gary Nebbett
 *************************************************************************
 */
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );

/************************************************************************
 *                                                                      *
 *                        Function Prototype                            *
 *                                                                      *
 ************************************************************************/
static PVOID GetEprocessFromPid ( ULONG PID );
static BOOL LocateNtdllEntry ( void );

/************************************************************************
 *                                                                      *
 *                        Static Global Var                             *
 *                                                                      *
 ************************************************************************/
static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static HMODULE hModule = NULL;
/************************************************************************/

static PVOID GetEprocessFromPid ( ULONG PID )
{
    NTSTATUS status;
    PVOID buf = NULL;
    PVOID result = NULL;
    ULONG size = 1;
    ULONG NumOfHandle = 0;
    ULONG i;
    PSYSTEM_HANDLE_INFORMATION h_info = NULL;

    /* class 16 does not tell us the required size, so keep doubling the
       buffer until the call stops returning STATUS_INFO_LENGTH_MISMATCH */
    for ( size = 1; ; size *= 2 )
    {
        if ( NULL == ( buf = calloc( size, 1 ) ) )
        {
            fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
            goto GetEprocessFromPid_exit;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
        if ( !NT_SUCCESS( status ) )
        {
            if ( STATUS_INFO_LENGTH_MISMATCH == status )
            {
                free( buf );
                buf = NULL;
            }
            else
            {
                printf( "ZwQuerySystemInformation() failed: 0x%08lx\n", status );
                goto GetEprocessFromPid_exit;
            }
        }
        else
        {
            break;
        }
    } /* end of for */

    // the buffer starts with a ULONG giving the number of entries that follow
    NumOfHandle = *(PULONG)buf;
    // the entry array follows the count (x86 layout: offset 4; on x64 the
    // array is 8-byte aligned, so the offset would be 8)
    h_info = ( PSYSTEM_HANDLE_INFORMATION )( (PUCHAR)buf + sizeof(ULONG) );

    for ( i = 0; i < NumOfHandle; i++ )
    {
        // PROCESS objects had ObjectTypeNumber 5 on the author's system; the
        // index differs between Windows versions
        if ( ( h_info[i].ProcessId == PID ) && ( h_info[i].ObjectTypeNumber == 5 ) ) //&&( h_info[i].Handle==0x3d8 ) )
        {
            printf( "Handle:0x%x, OBJECT %p\n", h_info[i].Handle, h_info[i].Object );
            result = h_info[i].Object;
            break;
        }
    }

GetEprocessFromPid_exit:
    if ( buf != NULL )
    {
        free( buf );
        buf = NULL;
    }
    return( result );
}

/*
 * ntdll.dll
 */
static BOOL LocateNtdllEntry ( void )
{
    BOOL ret = FALSE;
    char NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll = NULL;

    if ( ( ntdll_dll = GetModuleHandleA( NTDLL_DLL ) ) == NULL )
    {
        printf( "GetModuleHandle() failed\n" );
        return( FALSE );
    }
    if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
    {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:
    if ( FALSE == ret )
    {
        printf( "GetProcAddress() failed\n" );
    }
    ntdll_dll = NULL;
    return( ret );
} /* end of LocateNtdllEntry */

int main( int argc, char **argv )
{
    HANDLE hSelf;
    PVOID Addr;

    if ( !LocateNtdllEntry( ) )
    {
        return 1;
    }

    // Open a handle to ourselves; without it there is no entry for this
    // process in the handle list. (PROCESS objects are ObjectTypeNumber 5 here.)
    hSelf = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
    if ( hSelf == NULL )
    {
        printf( "OpenProcess() failed: %lu\n", GetLastError() );
        return 1;
    }

    Addr = GetEprocessFromPid( (ULONG)GetCurrentProcessId() );
    CloseHandle( hSelf );

    printf( "result: Current EPROCESS's Address is %p\n", Addr );

    return 0;
}
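As an added example (not code from the original article), here is the handle-table parsing and buffer-growth logic of the program above written so that it compiles and can be checked on any platform: the ZwQuerySystemInformation call is replaced by a function pointer of the same shape, and fake_query() is a constructed stand-in serving a hand-built table (every PID, handle value and address in it is made up; the handle value 0x3d8 is taken from the check the article left commented out). It goes beyond the article in two ways: it matches the exact handle value returned by OpenProcess() instead of hard-coding ObjectTypeNumber 5, so it does not depend on a particular Windows version's type index, and it clamps the entry count to what the buffer can actually hold before scanning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
typedef uint8_t  UCHAR;
typedef uint16_t USHORT;
typedef uint32_t ACCESS_MASK;

#define NT_SUCCESS(s)               ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

/* One entry of the SystemHandleInformation (class 16) table. PVOID is
 * modelled as uintptr_t so the layout follows the native pointer width. */
typedef struct _HANDLE_ENTRY {
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    uintptr_t   Object;
    ACCESS_MASK GrantedAccess;
} HANDLE_ENTRY;

/* What the query fills: a ULONG count, then the entry array (which starts
 * at offset 8 rather than 4 on x64 because of the pointer alignment). */
typedef struct _HANDLE_TABLE_INFO {
    ULONG        NumberOfHandles;
    HANDLE_ENTRY Handles[];
} HANDLE_TABLE_INFO;

/* Same shape as ZwQuerySystemInformation with the class already bound. */
typedef NTSTATUS (*query_fn)(void *buf, ULONG len, ULONG *ret_len);

/* Grow the buffer until the query fits. Older kernels do not fill
 * ReturnLength for class 16, so the size is doubled instead of trusted. */
void *query_handle_table(query_fn query, size_t *out_len)
{
    size_t size = 16;              /* deliberately small: exercises the retry path */
    for (;;) {
        void *buf = calloc(size, 1);
        if (!buf) return NULL;
        ULONG needed = 0;
        NTSTATUS st = query(buf, (ULONG)size, &needed);
        if (NT_SUCCESS(st)) { *out_len = size; return buf; }
        free(buf);
        if (st != STATUS_INFO_LENGTH_MISMATCH) return NULL;
        size *= 2;
    }
}

/* Object address behind (pid, handle), or 0 if absent. Matching the exact
 * handle we opened avoids hard-coding the OS-specific object type index. */
uintptr_t object_for_handle(const void *buf, size_t len, ULONG pid, USHORT handle)
{
    const HANDLE_TABLE_INFO *t = (const HANDLE_TABLE_INFO *)buf;
    if (len < offsetof(HANDLE_TABLE_INFO, Handles)) return 0;
    /* Never trust the count field alone: clamp it to what the buffer holds. */
    size_t fit = (len - offsetof(HANDLE_TABLE_INFO, Handles)) / sizeof(HANDLE_ENTRY);
    ULONG n = t->NumberOfHandles < fit ? t->NumberOfHandles : (ULONG)fit;
    for (ULONG i = 0; i < n; i++)
        if (t->Handles[i].ProcessId == pid && t->Handles[i].Handle == handle)
            return t->Handles[i].Object;
    return 0;
}

/* The whole procedure the article's main() performs, minus OpenProcess(). */
uintptr_t eprocess_via_handle(query_fn query, ULONG pid, USHORT handle)
{
    size_t len = 0;
    void *buf = query_handle_table(query, &len);
    if (!buf) return 0;
    uintptr_t obj = object_for_handle(buf, len, pid, handle);
    free(buf);
    return obj;
}

/* ---- Constructed stand-in for the kernel call (all values are made up) ---- */
static const HANDLE_ENTRY g_fake_entries[] = {
    { 0x11C, 0x1C, 0, 0x0004, 0xE2DA5E70u, 0x000F0000u }, /* a Section handle      */
    { 0x11C, 0x05, 0, 0x03D8, 0x827CD520u, 0x001F0FFFu }, /* our OpenProcess() one */
    { 0x004, 0x05, 0, 0x03D8, 0x81234560u, 0x001F0FFFu }, /* same value, other pid */
};
#define FAKE_COUNT (sizeof g_fake_entries / sizeof g_fake_entries[0])
int g_query_calls = 0;                 /* lets a caller observe the retry loop */

NTSTATUS fake_query(void *buf, ULONG len, ULONG *ret_len)
{
    ULONG needed = (ULONG)(offsetof(HANDLE_TABLE_INFO, Handles) + FAKE_COUNT * sizeof(HANDLE_ENTRY));
    g_query_calls++;
    if (ret_len) *ret_len = needed;
    if (len < needed) return STATUS_INFO_LENGTH_MISMATCH;
    HANDLE_TABLE_INFO *t = (HANDLE_TABLE_INFO *)buf;
    t->NumberOfHandles = (ULONG)FAKE_COUNT;
    memcpy(t->Handles, g_fake_entries, sizeof g_fake_entries);
    return STATUS_SUCCESS;
}

int main(void)
{
    /* PID 0x11C / handle 0x3d8 are chosen to match the constructed table. */
    uintptr_t e = eprocess_via_handle(fake_query, 0x11C, 0x03D8);
    printf("EPROCESS at 0x%lx after %d query calls\n", (unsigned long)e, g_query_calls);
    return 0;
}
```

On Windows, wrap ZwQuerySystemInformation(SystemHandleInformation, ...) in a function of the query_fn shape, pass the real PID and the low 16 bits of the HANDLE that OpenProcess() returned, and close that handle once the lookup is done.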
Welcome to 数学建模社区-数学中国 (http://www.madio.net/)