Mathematical Modeling Community - Math China

Title: Obtaining a Process's EPROCESS

Author: 韩冰    Time: 2004-10-9 14:22
Title: Obtaining a Process's EPROCESS
Abstract content:
--------------------------------------------------------------------------------
Source: http://www.xfocus.net/articles/200406/706.html
Created: 2004-06-01
Article type: original
Submitted by: MustBE (zf35_at_citiz.net)

By [I.T.S]SystEm32

Welcome to our web site http://itaq.ynpc.com/itsbbs/

thanks to SobeIt
---------------------------------------------------------------------------------------------

Every Windows process has a corresponding executive process block (EPROCESS, also called the KTEB). EPROCESS not only holds many of the process's attributes but also many pointers to other data structures, which contain a great deal of useful information. This article only covers how to obtain the EPROCESS of a particular process; the role and layout of EPROCESS are outside its scope.

The NSFOCUS expert flier mentioned in his article that one can use the ZwQuerySystemInformation function to fetch the complete kernel handle table, search it linearly for the process's handle, and the kernel object that handle points to is the EPROCESS.

The prototype of ZwQuerySystemInformation is as follows:

    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwQuerySystemInformation(
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );

The parameters mean the following:

SystemInformationClass: the kind of system information being queried, one of the SYSTEM_INFORMATION_CLASS enumeration values

SystemInformation: pointer to a buffer that receives the system information

SystemInformationLength: length of that buffer

ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be 0 (NULL)

To obtain the EPROCESS we call ZwQuerySystemInformation with the SystemHandleInformation class as the first parameter. Each record returned is a SYSTEM_HANDLE_INFORMATION structure, laid out as follows:

    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG ProcessId;
        UCHAR ObjectTypeNumber;
        UCHAR Flags;
        USHORT Handle;
        PVOID Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

ProcessId: the process identifier of the handle's owner

ObjectTypeNumber: the type of the opened object

Flags: handle attribute flags

Handle: the handle value, which uniquely identifies a handle among those opened by the process

Object: the address of the kernel object behind the handle; for a process handle this is the EPROCESS

GrantedAccess: the access rights granted on the handle

Below I wrote a small program to obtain the EPROCESS (GetKTEB.cpp).

Frustratingly, once the program was written it did not obtain the EPROCESS as expected. Debugging showed that the handles ZwQuerySystemInformation() returned for the process did not include a handle to the process itself.

How could that be? Was the program wrong? *_*

Now only SoftICE could give the answer. Press CTRL+D to bring up SoftICE, pick an arbitrary process (QQ), and look at SoftICE's output:

    :proc -o QQ
    Process   KPEB      PID  Threads  Pri  User Time  Krnl Time  Status
    QQ        827CD520  11C  2A       8    00000B90   000008D4   Ready

    ---- Handle Table Information ----

    Handle Table: FFAD93C8  Handle Array: E2BEB000  Entries: 590

    Handle  Ob Hdr *  Object *  Type
    0000    00000000  00000018  ?
    0004    E2DA5E58  E2DA5E70  Section
    0008    FFAB35C8  FFAB35E0  Event
    000C    FFAB3B08  FFAB3B20  Event
    0010    85C70188  85C701A0  Event
    0014    81515778  81515790  Directory
    0018    FFAB7BB2  FFAB7BCA  ?
    001C    814A1858  814A1870  Directory
    0020    80288C88  80288CA0  Event
    0024    E2CFE7F9  E2CFE811  ?
    0028    842D7B08  842D7B20  Event
    002C    80E9B989  80E9B9A1  ?
    0030    E1372198  E13721B0  Section
    0034    814602C0  814602D8  WindowStation
    0038    81455CE0  81455CF8  Desktop
    003C    814602C0  814602D8  WindowStation
    0040    E2B3C1A8  E2B3C1C0  Key
    0044    E286D6E8  E286D700  Key
    0048    E2B3C0E8  E2B3C100  Key
    004C    E2B3C068  E2B3C080  Key
    0050    E2BEE688  E2BEE6A0  Key
    0054    8147C998  8147C9B0  Directory
    0058    829D1128  829D1140  Event
    005C    83F991E8  83F99200  Event
    0060    E2BEE608  E2BEE620  Key
    0064    FFB07568  FFB07580  Event
    0068    801747E8  80174800  Event
    006C    80174828  80174840  Event
    0070    845E8808  845E8820  Event
    0074    81448798  814487B0  Event
    0078    E2B9A888  E2B9A8A0  Key
    007C    845E8648  845E8660  Event
    0080    FF9E2DB8  FF9E2DD0  Mutant
    0084    FF9E2D58  FF9E2D70  Mutant
    0088    83CFC378  83CFC390  Mutant
    008C    801749B0  801749C8  File
    0090    E2C48668  E2C48680  Section
    0094    FF965168  FF965180  Event
    0098    FF9E7D88  FF9E7DA0  Event
    009C    FFAD3DE8  FFAD3E00  Event
    00A0    80AD63C8  80AD63E0  Event
    00A4    E28073A8  E28073C0  Key
    00A8    FF955588  FF9555A0  Thread
    00AC    E2770728  E2770740  Key
    00B0    FF923438  FF923450  Mutant
    00B4    FFAE3B38  FFAE3B50  Mutant
    00B8    83B80728  83B80740  Event
    00BC    83B80668  83B80680  Event
    00C0    E2E3C448  E2E3C460  Section
    00C4    83776A08  83776A20  Thread
    00C8    81489E48  81489E60  Event
    00CC    83776CC8  83776CE0  Event
    00D0    83776C88  83776CA0  Event
    00D4    83776768  83776780  Event
    00D8    E2837D88  E2837DA0  Key
    00DC    8146B3A8  8146B3C0  Event
    00E0    FF908308  FF908320  Event
    00E4    81494868  81494880  Event
    00E8    FF9064C8  FF9064E0  Event
    00EC    FF908FC8  FF908FE0  Event
    00F0    FF908F88  FF908FA0  Event
    00F4    FF955588  FF9555A0  Thread
    00F8    FF908F48  FF908F60  Event
    00FC    E2CB1558  E2CB1570  Port
    0100    FF90A2C8  FF90A2E0  IoCompletion
    0104    E2CFE708  E2CFE720  Port
    0108    FF90A2C8  FF90A2E0  IoCompletion
    010C    837762A8  837762C0  Thread
    0110    8103BBC8  8103BBE0  Event
    0114    813DBDB8  813DBDD0  Event
    0118    FF814788  FF8147A0  Event
    011C    E1358DA8  E1358DC0  Key
    0120    E2CFC428  E2CFC440  Key
    0124    8103B9C8  8103B9E0  Event
    0128    E2C9A968  E2C9A980  Key
    012C    83B34E88  83B34EA0  Event
    0130    E2CFD948  E2CFD960  Key
    0134    83B34E08  83B34E20  Event
    .........................(omitted)

After looking for a while: indeed there is no handle to the QQ process itself. So what now?

After thinking for a moment... since the Win32 subsystem is managed by CSRSS.EXE, handles to user-created processes should be found inside CSRSS.EXE, and checking with SoftICE confirmed that this is the case.

But that gives no way to get the handle of a specified process, far from what I need, so another route was needed.

Eventually I hit on the solution: if there is no handle to the process, then create one. OpenProcess() opens a handle to a process, which is exactly what is needed.

Sure enough, after adding that one line, ZwQuerySystemInformation() yielded the EPROCESS.

The corrected program is below. It obtains the EPROCESS address of its own process; with slight modification it can fetch that of any process.

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    /*
     * you'll find a list of NTSTATUS status codes in the DDK header
     * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
     */
    #define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
    #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
    #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

    /*
     *************************************************************************
     * ntddk.h
     */
    typedef LONG NTSTATUS;
    typedef ULONG ACCESS_MASK;

    /*
     * ntdef.h
     *************************************************************************
     */

    /*
     *************************************************************************
     * <> - Gary Nebbett
     */
    typedef enum _SYSTEM_INFORMATION_CLASS
    {
        SystemHandleInformation = 16
    } SYSTEM_INFORMATION_CLASS;

    /*
     * Information Class 16
     */
    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG ProcessId;
        UCHAR ObjectTypeNumber;
        UCHAR Flags;
        USHORT Handle;
        PVOID Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

    #define InitializeObjectAttributes( p, n, a, r, s ) { \
        (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
        (p)->RootDirectory = r; \
        (p)->Attributes = a; \
        (p)->ObjectName = n; \
        (p)->SecurityDescriptor = s; \
        (p)->SecurityQualityOfService = NULL; \
    }

    /*
     *************************************************************************
     * <> - Gary Nebbett
     *************************************************************************
     */
    typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );

    typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL );

    /************************************************************************
     *                                                                      *
     * Function Prototype                                                   *
     *                                                                      *
     ************************************************************************/

    static DWORD GetEprocessFromPid ( ULONG PID );
    static BOOL LocateNtdllEntry ( void );

    /************************************************************************
     *                                                                      *
     * Static Global Var                                                    *
     *                                                                      *
     ************************************************************************/

    static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
    static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

    static HMODULE hModule = NULL;

    /************************************************************************/

    static DWORD GetEprocessFromPid ( ULONG PID )
    {
        NTSTATUS status;
        PVOID buf = NULL;
        ULONG size = 1;
        ULONG NumOfHandle = 0;
        ULONG i;
        PSYSTEM_HANDLE_INFORMATION h_info = NULL;
        DWORD result = 0;

        // The required size is not known up front: keep doubling the buffer
        // until the call stops returning STATUS_INFO_LENGTH_MISMATCH.
        for ( size = 1; ; size *= 2 )
        {
            if ( NULL == ( buf = calloc( size, 1 ) ) )
            {
                fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
                goto GetEprocessFromPid_exit;
            }
            status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
            if ( !NT_SUCCESS( status ) )
            {
                if ( STATUS_INFO_LENGTH_MISMATCH == status )
                {
                    free( buf );
                    buf = NULL;
                }
                else
                {
                    printf( "ZwQuerySystemInformation() failed" );
                    goto GetEprocessFromPid_exit;
                }
            }
            else
            {
                break;
            }
        } /* end of for */

        // The buffer starts with a ULONG giving the number of entries in the array that follows it
        NumOfHandle = *(PULONG)buf;

        h_info = ( PSYSTEM_HANDLE_INFORMATION )((PUCHAR)buf + sizeof( ULONG ));

        // Linear search: the entry owned by PID whose object type is Process
        // (ObjectTypeNumber 5 on the author's system; the index differs between Windows versions)
        for ( i = 0; i < NumOfHandle; i++ )
        {
            if ( ( h_info[i].ProcessId == PID ) && ( h_info[i].ObjectTypeNumber == 5 ) ) //&&( h_info[i].Handle==0x3d8 ) )
            {
                printf( "Handle:0x%x,OBJECT 0x%x\n\r", h_info[i].Handle, h_info[i].Object );
                result = (DWORD)(h_info[i].Object);
                break;
            }
        }

    GetEprocessFromPid_exit:
        if ( buf != NULL )
        {
            free( buf );
            buf = NULL;
        }
        return( result );
    }

    /*
     * ntdll.dll
     */
    static BOOL LocateNtdllEntry ( void )
    {
        BOOL ret = FALSE;
        char NTDLL_DLL[] = "ntdll.dll";
        HMODULE ntdll_dll = NULL;

        if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
        {
            printf( "GetModuleHandle() failed" );
            return( FALSE );
        }
        if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
        {
            goto LocateNtdllEntry_exit;
        }
        ret = TRUE;

    LocateNtdllEntry_exit:
        if ( FALSE == ret )
        {
            printf( "GetProcAddress() failed" );
        }
        ntdll_dll = NULL;
        return( ret );
    } /* end of LocateNtdllEntry */

    int main( int argc, char **argv )
    {
        HANDLE hSelf = NULL;
        DWORD Addr = 0;

        // Without the ntdll entry point there is nothing to call
        if ( !LocateNtdllEntry( ) )
        {
            return 1;
        }

        // Open a handle to ourselves so that we appear in the handle list;
        // a PROCESS object has ObjectTypeNumber 5
        hSelf = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );

        Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() );

        printf( "result: Current EPROCESS's Address is 0x%x \n\r", Addr );

        if ( hSelf != NULL )
        {
            CloseHandle( hSelf );
        }
        return 0;
    }
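The following is an added example, not code from the article or from xfocus: a host-portable simulation of the SystemHandleInformation walk described above, so the buffer-sizing loop and the count-prefixed layout can be exercised without Windows. The kernel call is replaced by a hypothetical fake_query() that behaves like ZwQuerySystemInformation for this class (STATUS_INFO_LENGTH_MISMATCH until the buffer is big enough, then a ULONG entry count followed by the packed entry array); the handle table it returns is constructed, the Process type index 5 is assumed from the article, and the packed 16-byte entry models the 32-bit layout only (the Object field is pointer-sized, so 64-bit Windows lays entries out differently). It goes beyond the article in two places a practitioner would want: the entry count is clamped to the bytes actually returned instead of being trusted, and buffer growth is bounded.

```c
/* Added example (not the article's code): simulate the SystemHandleInformation
 * buffer walk. fake_query() is a hypothetical stand-in for the kernel call;
 * SAMPLE_TABLE is constructed data; OBJECT_TYPE_PROCESS = 5 is the article's
 * assumption; the entry layout is the 32-bit one quoted in the text. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

typedef int32_t NTSTATUS;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define OBJECT_TYPE_PROCESS 5            /* assumption taken from the article */
#define MAX_QUERY_BYTES (1u << 28)       /* bound the doubling loop */

#pragma pack(push, 1)
typedef struct {                         /* 32-bit SYSTEM_HANDLE_INFORMATION, 16 bytes */
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    uint32_t Object;                     /* PVOID on 32-bit Windows */
    uint32_t GrantedAccess;
} HANDLE_ENTRY;
#pragma pack(pop)

/* Constructed handle table: PID 1234 and PID 1508 each hold one Process handle,
 * PID 4 holds only an Event, mirroring the article's "no handle to itself" case. */
static const HANDLE_ENTRY SAMPLE_TABLE[] = {
    {    4, 4 /* Event */,           0, 0x0004, 0xFFA0B5E0u, 0x001F0003u },
    { 1234, 3 /* Key */,             0, 0x0040, 0xE2B0C1C0u, 0x000F003Fu },
    { 1234, OBJECT_TYPE_PROCESS,     0, 0x03D8, 0x82C04520u, 0x001F0FFFu },
    { 1234, 4 /* Event */,           0, 0x0008, 0x80208CA0u, 0x001F0003u },
    { 1508, OBJECT_TYPE_PROCESS,     0, 0x0010, 0x81D15790u, 0x001F0FFFu },
};
#define SAMPLE_COUNT (sizeof SAMPLE_TABLE / sizeof SAMPLE_TABLE[0])

/* Hypothetical stand-in for ZwQuerySystemInformation(SystemHandleInformation, ...):
 * refuses until `size` covers the count word plus every entry, then copies them in. */
static NTSTATUS fake_query(void *buf, uint32_t size, uint32_t *ret_len)
{
    uint32_t n = (uint32_t)SAMPLE_COUNT;
    uint32_t need = 4 + n * (uint32_t)sizeof(HANDLE_ENTRY);
    if (ret_len) *ret_len = need;
    if (size < need) return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(buf, &n, 4);
    memcpy((char *)buf + 4, SAMPLE_TABLE, n * sizeof(HANDLE_ENTRY));
    return STATUS_SUCCESS;
}

/* Grow the buffer by doubling, then search for pid's Process handle.
 * Returns the object address, or 0 if the process holds no such handle.
 * `rounds`, if non-NULL, receives the number of buffer sizes tried. */
static uint32_t lookup_process_object(uint32_t pid, int *rounds)
{
    void *buf = NULL;
    uint32_t size, ret_len = 0, count = 0, max_entries, i, found = 0;
    const HANDLE_ENTRY *e;
    int r = 0;

    for (size = 1; ; size *= 2) {
        NTSTATUS st;
        r++;
        if ((buf = calloc(size, 1)) == NULL) return 0;
        st = fake_query(buf, size, &ret_len);
        if (NT_SUCCESS(st)) break;
        free(buf);
        buf = NULL;
        if (st != STATUS_INFO_LENGTH_MISMATCH || size >= MAX_QUERY_BYTES) {
            if (rounds) *rounds = r;
            return 0;                    /* real failure or unreasonable growth */
        }
    }

    memcpy(&count, buf, 4);              /* leading ULONG: number of entries */
    /* Clamp the count to what the call actually wrote; never walk past it. */
    max_entries = ret_len < 4 ? 0 : (ret_len - 4) / (uint32_t)sizeof(HANDLE_ENTRY);
    if (count > max_entries) count = max_entries;
    e = (const HANDLE_ENTRY *)((const char *)buf + 4);
    for (i = 0; i < count; i++) {
        if (e[i].ProcessId == pid && e[i].ObjectTypeNumber == OBJECT_TYPE_PROCESS) {
            found = e[i].Object;
            break;
        }
    }
    free(buf);
    if (rounds) *rounds = r;
    return found;
}

static uint32_t eprocess_from_pid(uint32_t pid) { return lookup_process_object(pid, NULL); }
static int buffer_rounds_needed(uint32_t pid) { int r = 0; lookup_process_object(pid, &r); return r; }

int main(void)
{
    printf("PID 1234 -> 0x%08X after %d buffer sizes\n", eprocess_from_pid(1234), buffer_rounds_needed(1234));
    printf("PID 4    -> 0x%08X (no Process handle in the table)\n", eprocess_from_pid(4));
    return 0;
}
```

The simulated table needs 84 bytes, so the loop tries 1, 2, 4, ... 64 bytes before 128 succeeds; a real table with hundreds of processes runs to megabytes, which is why the growth bound matters. Note for defenders that the Object field is a kernel address handed to user mode; later Windows releases withhold it from low-privilege callers, so this lookup is not a stable interface.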




Welcome to Mathematical Modeling Community - Math China (http://www.madio.net/) Powered by Discuz! X2.5