数学建模社区-数学中国
Title: 获得进程的EPROCESS (Obtaining a Process's EPROCESS)
Author: 韩冰
Posted: 2004-10-9 14:22

Digest source: http://www.xfocus.net/articles/200406/706.html
Created: 2004-06-01
Article type: original
Submitted by: MustBE (zf35_at_citiz.net)

By [I.T.S]SystEm32
Welcome to our web site http://itaq.ynpc.com/itsbbs/
thanks to SobeIt : P
---------------------------------------------------------------------------------------------
Every Windows process has a corresponding executive process object (EPROCESS, which the author also calls the KTEB). EPROCESS holds not only many attributes of the process but also many pointers to other data structures, and together these contain a large amount of useful information. This article only describes how to obtain the EPROCESS of a given process; the role and layout of EPROCESS are outside its scope.

flier, an expert at 绿盟 (NSFOCUS), mentioned in an article that ZwQuerySystemInformation can be used to retrieve the whole kernel handle table; a linear search for the process handle then yields, as the kernel object it points to, the EPROCESS.

The prototype of ZwQuerySystemInformation is:

    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwQuerySystemInformation
    (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );

The parameters mean the following:

SystemInformationClass: the class of system information to query, one of the SYSTEM_INFORMATION_CLASS enumeration values

SystemInformation: pointer to the buffer that receives the system information

SystemInformationLength: length of that buffer in bytes

ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be NULL

To obtain the EPROCESS we call ZwQuerySystemInformation with SystemHandleInformation (the SYSTEM_HANDLE_INFORMATION query class) as the first parameter.

The SYSTEM_HANDLE_INFORMATION structure, one element of the returned array, is:

    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG ProcessId;
        UCHAR ObjectTypeNumber;
        UCHAR Flags;
        USHORT Handle;
        PVOID Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

ProcessId: identifier of the process that owns the handle

ObjectTypeNumber: type of the opened object

Flags: handle attribute flags

Handle: the handle value, which uniquely identifies a handle among those opened by the process

Object: the address of the kernel object behind the handle; for a process handle this is the address of the EPROCESS

GrantedAccess: the access rights granted on the handle

Below is a small program I wrote to obtain the EPROCESS (GetKTEB.cpp).

Frustratingly, once the program was written it did not obtain the EPROCESS as expected. Debugging showed that among the handles ZwQuerySystemInformation() returned for the process, there was no handle to the process itself.

How could that be? Did I write the program wrong? *_*

Only SoftICE could answer that now. I pressed CTRL+D to bring up SoftICE, picked a process at random (QQ), and looked at SoftICE's output:
    :proc -o QQ
    Process KPEB PID Threads Pri User Time Krnl Time Status
    QQ 827CD520 11C 2A 8 00000B90 000008D4 Ready

    ---- Handle Table Information ----

    Handle Table: FFAD93C8 Handle Array: E2BEB000 Entries: 590

    Handle Ob Hdr * Object * Type
    0000 00000000 00000018 ?
    0004 E2DA5E58 E2DA5E70 Section
    0008 FFAB35C8 FFAB35E0 Event
    000C FFAB3B08 FFAB3B20 Event
    0010 85C70188 85C701A0 Event
    0014 81515778 81515790 Directory
    0018 FFAB7BB2 FFAB7BCA ?
    001C 814A1858 814A1870 Directory
    0020 80288C88 80288CA0 Event
    0024 E2CFE7F9 E2CFE811 ?
    0028 842D7B08 842D7B20 Event
    002C 80E9B989 80E9B9A1 ?
    0030 E1372198 E13721B0 Section
    0034 814602C0 814602D8 WindowStation
    0038 81455CE0 81455CF8 Desktop
    003C 814602C0 814602D8 WindowStation
    0040 E2B3C1A8 E2B3C1C0 Key
    0044 E286D6E8 E286D700 Key
    0048 E2B3C0E8 E2B3C100 Key
    004C E2B3C068 E2B3C080 Key
    0050 E2BEE688 E2BEE6A0 Key
    0054 8147C998 8147C9B0 Directory
    0058 829D1128 829D1140 Event
    005C 83F991E8 83F99200 Event
    0060 E2BEE608 E2BEE620 Key
    0064 FFB07568 FFB07580 Event
    0068 801747E8 80174800 Event
    006C 80174828 80174840 Event
    0070 845E8808 845E8820 Event
    0074 81448798 814487B0 Event
    0078 E2B9A888 E2B9A8A0 Key
    007C 845E8648 845E8660 Event
    0080 FF9E2DB8 FF9E2DD0 Mutant
    0084 FF9E2D58 FF9E2D70 Mutant
    0088 83CFC378 83CFC390 Mutant
    008C 801749B0 801749C8 File
    0090 E2C48668 E2C48680 Section
    0094 FF965168 FF965180 Event
    0098 FF9E7D88 FF9E7DA0 Event
    009C FFAD3DE8 FFAD3E00 Event
    00A0 80AD63C8 80AD63E0 Event
    00A4 E28073A8 E28073C0 Key
    00A8 FF955588 FF9555A0 Thread
    00AC E2770728 E2770740 Key
    00B0 FF923438 FF923450 Mutant
    00B4 FFAE3B38 FFAE3B50 Mutant
    00B8 83B80728 83B80740 Event
    00BC 83B80668 83B80680 Event
    00C0 E2E3C448 E2E3C460 Section
    00C4 83776A08 83776A20 Thread
    00C8 81489E48 81489E60 Event
    00CC 83776CC8 83776CE0 Event
    00D0 83776C88 83776CA0 Event
    00D4 83776768 83776780 Event
    00D8 E2837D88 E2837DA0 Key
    00DC 8146B3A8 8146B3C0 Event
    00E0 FF908308 FF908320 Event
    00E4 81494868 81494880 Event
    00E8 FF9064C8 FF9064E0 Event
    00EC FF908FC8 FF908FE0 Event
    00F0 FF908F88 FF908FA0 Event
    00F4 FF955588 FF9555A0 Thread
    00F8 FF908F48 FF908F60 Event
    00FC E2CB1558 E2CB1570 Port
    0100 FF90A2C8 FF90A2E0 IoCompletion
    0104 E2CFE708 E2CFE720 Port
    0108 FF90A2C8 FF90A2E0 IoCompletion
    010C 837762A8 837762C0 Thread
    0110 8103BBC8 8103BBE0 Event
    0114 813DBDB8 813DBDD0 Event
    0118 FF814788 FF8147A0 Event
    011C E1358DA8 E1358DC0 Key
    0120 E2CFC428 E2CFC440 Key
    0124 8103B9C8 8103B9E0 Event
    0128 E2C9A968 E2C9A980 Key
    012C 83B34E88 83B34EA0 Event
    0130 E2CFD948 E2CFD960 Key
    0134 83B34E08 83B34E20 Event
    ....
    ..................... (omitted)
After looking for a while: there really is no handle to QQ's own process. So what now?

After thinking for a bit... since the Win32 subsystem is managed by CSRSS.EXE, handles to user-created processes should be found inside CSRSS.EXE. Checking with SoftICE confirmed that this is indeed the case.

But that gives no way to get the handle of a specified process, which is far from what I need, so another route was required.

Eventually I thought of a solution: if there is no handle to the process, just create one. OpenProcess() opens a handle to a process, which is exactly what is needed.

Sure enough, after adding that one line, ZwQuerySystemInformation() yields the EPROCESS.

The corrected program follows. It obtains the EPROCESS address of its own process; with a small modification it can obtain that of any process.
    #include <windows.h>   /* the header names were lost in extraction; these three are the ones the code uses */
    #include <stdio.h>
    #include <stdlib.h>

    /*
     * you'll find a list of NTSTATUS status codes in the DDK header
     * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
     */
    #define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
    #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
    #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

    /*
     *************************************************************************
     * ntddk.h
     */
    typedef LONG NTSTATUS;
    typedef ULONG ACCESS_MASK;
    /*
     * ntdef.h
     *************************************************************************
     */

    /*
     *************************************************************************
     * <> - Gary Nebbett
     */

    typedef enum _SYSTEM_INFORMATION_CLASS
    {
        SystemHandleInformation = 16
    } SYSTEM_INFORMATION_CLASS;

    /*
     * Information Class 16
     */
    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG ProcessId;
        UCHAR ObjectTypeNumber;
        UCHAR Flags;
        USHORT Handle;
        PVOID Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

    #define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; }

    /*
     *************************************************************************
     * <> - Gary Nebbett
     *************************************************************************
     */
    typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
    typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );

    /************************************************************************
     *                                                                      *
     *                         Function Prototype                           *
     *                                                                      *
     ************************************************************************/

    static DWORD GetEprocessFromPid ( ULONG PID );
    static BOOL LocateNtdllEntry ( void );

    /************************************************************************
     *                                                                      *
     *                         Static Global Var                            *
     *                                                                      *
     ************************************************************************/

    static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
    static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
    static HMODULE hModule = NULL;

    /************************************************************************/

    /* Query the system handle table and return the Object (EPROCESS) address of a
     * Process-type handle owned by PID, or 0 if none is found. */
    static DWORD GetEprocessFromPid ( ULONG PID )
    {
        NTSTATUS status;
        PVOID buf = NULL;
        ULONG size = 1;
        ULONG NumOfHandle = 0;
        ULONG i;
        DWORD Addr = 0;
        PSYSTEM_HANDLE_INFORMATION h_info = NULL;

        /* the required length is not known in advance: double the buffer until the call succeeds */
        for ( size = 1; ; size *= 2 )
        {
            if ( NULL == ( buf = calloc( size, 1 ) ) )
            {
                fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
                goto GetEprocessFromPid_exit;
            }
            status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
            if ( !NT_SUCCESS( status ) )
            {
                if ( STATUS_INFO_LENGTH_MISMATCH == status )
                {
                    free( buf );
                    buf = NULL;
                }
                else
                {
                    printf( "ZwQuerySystemInformation() failed" );
                    goto GetEprocessFromPid_exit;
                }
            }
            else
            {
                break;
            }
        } /* end of for */

        // the buffer begins with a ULONG giving the number of array elements that follow
        NumOfHandle = *( ULONG * )buf;

        // the entries start right after that count (offset 4 on the 32-bit target of this article)
        h_info = ( PSYSTEM_HANDLE_INFORMATION )( ( ULONG )buf + 4 );

        for ( i = 0; i < NumOfHandle; i++ )
        {
            // PROCESS objects have ObjectTypeNumber 5 on this system
            if ( ( h_info[i].ProcessId == PID ) && ( h_info[i].ObjectTypeNumber == 5 ) ) //&&( h_info[i].Handle == 0x3d8 ) )
            {
                printf( "Handle:0x%x,OBJECT 0x%p\n\r", h_info[i].Handle, h_info[i].Object );
                Addr = ( DWORD )h_info[i].Object;
                free( buf );
                return Addr;
            }
        }

    GetEprocessFromPid_exit:
        if ( buf != NULL )
        {
            free( buf );
            buf = NULL;
        }
        return 0;   /* not found, or the query failed */
    }

    /*
     * ntdll.dll
     */
    static BOOL LocateNtdllEntry ( void )
    {
        BOOL ret = FALSE;
        char NTDLL_DLL[] = "ntdll.dll";
        HMODULE ntdll_dll = NULL;

        if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
        {
            printf( "GetModuleHandle() failed" );
            return( FALSE );
        }
        if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
        {
            goto LocateNtdllEntry_exit;
        }
        ret = TRUE;

    LocateNtdllEntry_exit:
        if ( FALSE == ret )
        {
            printf( "GetProcAddress() failed" );
        }
        ntdll_dll = NULL;
        return( ret );
    } /* end of LocateNtdllEntry */

    int main( int argc, char **argv )
    {
        HANDLE hSelf;
        DWORD Addr;

        if ( !LocateNtdllEntry( ) )
        {
            return 1;   /* without the ntdll entry point the query cannot be made */
        }

        // open a handle to ourselves: only then does this process appear in the handle list (PROCESS objects have ObjectTypeNumber 5)
        hSelf = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );

        Addr = GetEprocessFromPid( ( DWORD )GetCurrentProcessId() );

        printf( "result: Current EPROCESS's Address is 0x%x \n\r", Addr );

        if ( hSelf != NULL )
        {
            CloseHandle( hSelf );   /* the handle only has to stay open for the duration of the query */
        }
        return 0;
    }
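As an added example (not code from the original article or its author), the following C program models the two things the narrative above and the earlier parameter and structure description depend on: the layout of the SystemHandleInformation buffer (a ULONG count followed by SYSTEM_HANDLE_INFORMATION entries) with the size-doubling retry on STATUS_INFO_LENGTH_MISMATCH, and the finding that a process only shows up under its own PID in the handle table once it has opened a handle to itself. Because the real ZwQuerySystemInformation is not available outside Windows, the kernel call is replaced by a mock (MockQuerySystemHandleInformation) fed from a constructed table; all PIDs, handle values, type numbers other than 5, and addresses are constructed sample values, and the Windows types are redefined locally. It goes slightly beyond the page by declaring the buffer header as a struct so the entry offset is also correct on 64-bit builds, where the page's hard-coded buf+4 would be wrong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Portable stand-ins for the Windows types the page uses (assumed here so the
 * example builds without the SDK; not the SDK's own definitions). */
typedef int32_t  NTSTATUS;
typedef uint32_t ULONG;
typedef uint32_t ACCESS_MASK;
#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define OBJECT_TYPE_PROCESS 5   /* the page's Process type number; it is OS-version specific */

/* One element of the SystemHandleInformation array, laid out as on the page. */
typedef struct {
    ULONG         ProcessId;
    unsigned char ObjectTypeNumber;
    unsigned char Flags;
    uint16_t      Handle;
    void         *Object;        /* kernel object address; the EPROCESS for a process handle */
    ACCESS_MASK   GrantedAccess;
} SYSTEM_HANDLE_ENTRY;

/* The buffer the call fills: a ULONG count, then the entries. Declaring it as a
 * struct (instead of the page's hard-coded buf+4) makes the compiler place the
 * array at the right offset: 4 on 32-bit builds, 8 on 64-bit due to pointer alignment. */
typedef struct {
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_ENTRY Handles[];
} SYSTEM_HANDLE_INFORMATION_BUF;

/* Constructed stand-in for the kernel's handle table; the addresses are made-up
 * sample values, not real kernel pointers. */
#define TABLE_MAX 64
static SYSTEM_HANDLE_ENTRY g_table[TABLE_MAX];
static ULONG g_table_count = 0;

static void table_reset(void) { g_table_count = 0; }

static void table_add(ULONG pid, unsigned char type, uint16_t handle, uintptr_t object)
{
    if (g_table_count >= TABLE_MAX) return;
    SYSTEM_HANDLE_ENTRY *e = &g_table[g_table_count++];
    e->ProcessId = pid;
    e->ObjectTypeNumber = type;
    e->Flags = 0;
    e->Handle = handle;
    e->Object = (void *)object;
    e->GrantedAccess = 0x1F0FFF;   /* sample value (PROCESS_ALL_ACCESS on the page's era of Windows) */
}

/* Mock of ZwQuerySystemInformation(SystemHandleInformation, ...). Like the real
 * call it reports STATUS_INFO_LENGTH_MISMATCH when the buffer is too small, which
 * is the case the page's size-doubling loop exists to handle. */
static NTSTATUS MockQuerySystemHandleInformation(void *buf, ULONG len, ULONG *retlen)
{
    size_t need = offsetof(SYSTEM_HANDLE_INFORMATION_BUF, Handles)
                + (size_t)g_table_count * sizeof(SYSTEM_HANDLE_ENTRY);
    if (retlen) *retlen = (ULONG)need;
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;
    SYSTEM_HANDLE_INFORMATION_BUF *info = buf;
    info->NumberOfHandles = g_table_count;
    memcpy(info->Handles, g_table, g_table_count * sizeof(SYSTEM_HANDLE_ENTRY));
    return 0;   /* STATUS_SUCCESS */
}

/* The page's algorithm: grow the buffer until the query fits, then scan for a
 * Process-type handle owned by `pid`. Returns its Object address, or 0 if absent. */
static uintptr_t GetEprocessFromPid(ULONG pid)
{
    void *buf = NULL;
    uintptr_t result = 0;
    ULONG size, i;
    for (size = 1; ; size *= 2) {
        if ((buf = calloc(size, 1)) == NULL) return 0;
        NTSTATUS st = MockQuerySystemHandleInformation(buf, size, NULL);
        if (NT_SUCCESS(st)) break;
        free(buf);
        buf = NULL;
        if (st != STATUS_INFO_LENGTH_MISMATCH) return 0;   /* any other failure is fatal */
    }
    SYSTEM_HANDLE_INFORMATION_BUF *info = buf;
    for (i = 0; i < info->NumberOfHandles; i++) {
        const SYSTEM_HANDLE_ENTRY *e = &info->Handles[i];
        if (e->ProcessId == pid && e->ObjectTypeNumber == OBJECT_TYPE_PROCESS) {
            result = (uintptr_t)e->Object;
            break;
        }
    }
    free(buf);
    return result;
}

/* Reproduces the page's observation. The table holds the process's own Event and
 * Key handles plus a Process handle that CSRSS (constructed PID 0x1F0) holds to it;
 * that entry is filed under CSRSS's PID, so a search keyed on our own PID misses it.
 * Only once the process opens a handle to itself (open_self_handle != 0) does a
 * matching entry appear. PIDs, handles, type numbers and addresses are constructed. */
static uintptr_t demo(int open_self_handle)
{
    const ULONG my_pid = 0x11C;
    const uintptr_t my_eprocess = 0x827CD520u;
    table_reset();
    table_add(0x1F0,  OBJECT_TYPE_PROCESS, 0x0154, my_eprocess);  /* CSRSS's handle to us */
    table_add(my_pid, 0x0C,                0x0008, 0x85C701A0u);  /* an Event of ours */
    table_add(my_pid, 0x12,                0x0040, 0xE2B3C1C0u);  /* a Key of ours */
    if (open_self_handle)
        table_add(my_pid, OBJECT_TYPE_PROCESS, 0x03D8, my_eprocess); /* OpenProcess(self) */
    return GetEprocessFromPid(my_pid);
}

int main(void)
{
    printf("without an open handle to itself: 0x%lx\n", (unsigned long)demo(0));
    printf("after OpenProcess on itself:      0x%lx\n", (unsigned long)demo(1));
    return 0;
}
```

demo(0) returns 0 and demo(1) returns the constructed EPROCESS address, which is the before/after the article describes. Swapping the mock for the real ntdll entry point and the local typedefs for the SDK's is all that separates this from the page's program; the struct-based header keeps the entry offset right on either architecture.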