数学建模社区-数学中国
Title: Getting a process's EPROCESS
Author: 韩冰
Time: 2004-10-9 14:22
Digest content:
--------------------------------------------------------------------------------
Digest source: http://www.xfocus.net/articles/200406/706.html
Created: 2004-06-01
Article type: original
Submitted by: MustBE (zf35_at_citiz.net)

By [I.T.S]SystEm32

Welcome to our web site http://itaq.ynpc.com/itsbbs/

thanks to SobeIt : P

---------------------------------------------------------------------------------------------
Every Windows process has a corresponding executive process block (EPROCESS, also referred to here as the KTEB). EPROCESS not only holds many of the process's attributes but also a large number of pointers to other data structures, so it contains a great deal of useful information. This article only covers how to obtain the EPROCESS of a particular process; the role and layout of EPROCESS are outside its scope.

flier, an expert at NSFocus (绿盟), mentioned in one of his articles that you can call ZwQuerySystemInformation to fetch the system-wide handle table, search it linearly for the process's handle, and the kernel object that handle points to is the EPROCESS.

The prototype of ZwQuerySystemInformation is:
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation
(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);
The parameters mean the following:

SystemInformationClass: the type of system information being queried, one of the SYSTEM_INFORMATION_CLASS enumeration values

SystemInformation: pointer to a buffer that receives the system information

SystemInformationLength: length of the buffer

ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be 0

To obtain the EPROCESS we call ZwQuerySystemInformation with SystemHandleInformation as the first parameter.

The SYSTEM_HANDLE_INFORMATION structure it returns looks like this:
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
ProcessId: the process identifier

ObjectTypeNumber: the type of the opened object

Flags: handle attribute flags

Handle: the handle value, which uniquely identifies a handle among those the process has open

Object: this is the address of the EPROCESS the handle refers to

GrantedAccess: the access rights granted on the handle's object

Below is a small program I wrote to obtain the EPROCESS (GetKTEB.cpp).

Annoyingly, once the program was written it did not obtain the EPROCESS as expected. Debugging showed that the handles ZwQuerySystemInformation() returned for the process did not include a handle to the process itself.

How can that be? Did I write the program wrong? *_*

Time to let SoftICE give the answer. CTRL+D brings up SoftICE; I picked a process at random, QQ. Let's look at SoftICE's output:
:proc -o QQ
Process KPEB PID Threads Pri User Time Krnl Time Status
QQ 827CD520 11C 2A 8 00000B90 000008D4 Ready

---- Handle Table Information ----

Handle Table: FFAD93C8 Handle Array: E2BEB000 Entries: 590

Handle Ob Hdr * Object * Type
0000 00000000 00000018 ?
0004 E2DA5E58 E2DA5E70 Section
0008 FFAB35C8 FFAB35E0 Event
000C FFAB3B08 FFAB3B20 Event
0010 85C70188 85C701A0 Event
0014 81515778 81515790 Directory
0018 FFAB7BB2 FFAB7BCA ?
001C 814A1858 814A1870 Directory
0020 80288C88 80288CA0 Event
0024 E2CFE7F9 E2CFE811 ?
0028 842D7B08 842D7B20 Event
002C 80E9B989 80E9B9A1 ?
0030 E1372198 E13721B0 Section
0034 814602C0 814602D8 WindowStation
0038 81455CE0 81455CF8 Desktop
003C 814602C0 814602D8 WindowStation
0040 E2B3C1A8 E2B3C1C0 Key
0044 E286D6E8 E286D700 Key
0048 E2B3C0E8 E2B3C100 Key
004C E2B3C068 E2B3C080 Key
0050 E2BEE688 E2BEE6A0 Key
0054 8147C998 8147C9B0 Directory
0058 829D1128 829D1140 Event
005C 83F991E8 83F99200 Event
0060 E2BEE608 E2BEE620 Key
0064 FFB07568 FFB07580 Event
0068 801747E8 80174800 Event
006C 80174828 80174840 Event
0070 845E8808 845E8820 Event
0074 81448798 814487B0 Event
0078 E2B9A888 E2B9A8A0 Key
007C 845E8648 845E8660 Event
0080 FF9E2DB8 FF9E2DD0 Mutant
0084 FF9E2D58 FF9E2D70 Mutant
0088 83CFC378 83CFC390 Mutant
008C 801749B0 801749C8 File
0090 E2C48668 E2C48680 Section
0094 FF965168 FF965180 Event
0098 FF9E7D88 FF9E7DA0 Event
009C FFAD3DE8 FFAD3E00 Event
00A0 80AD63C8 80AD63E0 Event
00A4 E28073A8 E28073C0 Key
00A8 FF955588 FF9555A0 Thread
00AC E2770728 E2770740 Key
00B0 FF923438 FF923450 Mutant
00B4 FFAE3B38 FFAE3B50 Mutant
00B8 83B80728 83B80740 Event
00BC 83B80668 83B80680 Event
00C0 E2E3C448 E2E3C460 Section
00C4 83776A08 83776A20 Thread
00C8 81489E48 81489E60 Event
00CC 83776CC8 83776CE0 Event
00D0 83776C88 83776CA0 Event
00D4 83776768 83776780 Event
00D8 E2837D88 E2837DA0 Key
00DC 8146B3A8 8146B3C0 Event
00E0 FF908308 FF908320 Event
00E4 81494868 81494880 Event
00E8 FF9064C8 FF9064E0 Event
00EC FF908FC8 FF908FE0 Event
00F0 FF908F88 FF908FA0 Event
00F4 FF955588 FF9555A0 Thread
00F8 FF908F48 FF908F60 Event
00FC E2CB1558 E2CB1570 Port
0100 FF90A2C8 FF90A2E0 IoCompletion
0104 E2CFE708 E2CFE720 Port
0108 FF90A2C8 FF90A2E0 IoCompletion
010C 837762A8 837762C0 Thread
0110 8103BBC8 8103BBE0 Event
0114 813DBDB8 813DBDD0 Event
0118 FF814788 FF8147A0 Event
011C E1358DA8 E1358DC0 Key
0120 E2CFC428 E2CFC440 Key
0124 8103B9C8 8103B9E0 Event
0128 E2C9A968 E2C9A980 Key
012C 83B34E88 83B34EA0 Event
0130 E2CFD948 E2CFD960 Key
0134 83B34E08 83B34E20 Event
....
..................... (rest omitted)
After looking for a while, there really is no Handle for the QQ process itself. So what now?

After thinking about it a bit... since the Win32 subsystem is managed by CSRSS.EXE, handles to user-created processes ought to be found inside CSRSS.EXE. Checking with SoftICE confirmed that this is indeed the case.

But that gives no way to get the handle of a specified process, which is far from what I need, so another route was called for.

Eventually I hit on the solution: if there is no handle to the process, just create one. OpenProcess() opens a handle to a process, which is exactly what's needed.

Sure enough, after adding that one line, ZwQuerySystemInformation() returned the EPROCESS.

The modified program is below. It obtains the EPROCESS address of its own process; a small change lets it obtain that of any process.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * you'll find a list of NTSTATUS status codes in the DDK header
 * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
 */
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/*
 *************************************************************************
 * ntddk.h
 */
typedef LONG NTSTATUS;
typedef ULONG ACCESS_MASK;
/*
 * ntdef.h
 *************************************************************************
 */

/*
 *************************************************************************
 * <> - Gary Nebbett
 */

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

/*
 * Information Class 16
 */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

#define InitializeObjectAttributes( p, n, a, r, s ) { \
    (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
    (p)->RootDirectory = r; \
    (p)->Attributes = a; \
    (p)->ObjectName = n; \
    (p)->SecurityDescriptor = s; \
    (p)->SecurityQualityOfService = NULL; }

/*
 *************************************************************************
 * <> - Gary Nebbett
 *************************************************************************
 */
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL );

/************************************************************************
 *                                                                      *
 *                         Function Prototype                           *
 *                                                                      *
 ************************************************************************/

static DWORD GetEprocessFromPid ( ULONG PID );
static BOOL LocateNtdllEntry ( void );

/************************************************************************
 *                                                                      *
 *                         Static Global Var                            *
 *                                                                      *
 ************************************************************************/

static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

static HMODULE hModule = NULL;

/************************************************************************/

static DWORD GetEprocessFromPid ( ULONG PID )
{
    NTSTATUS status;
    PVOID buf = NULL;
    ULONG size = 1;
    ULONG NumOfHandle = 0;
    ULONG i;
    PSYSTEM_HANDLE_INFORMATION h_info = NULL;

    /* Keep doubling the buffer until the call stops reporting a length mismatch */
    for ( size = 1; ; size *= 2 )
    {
        if ( NULL == ( buf = calloc( size, 1 ) ) )
        {
            fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
            goto GetEprocessFromPid_exit;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
        if ( !NT_SUCCESS( status ) )
        {
            if ( STATUS_INFO_LENGTH_MISMATCH == status )
            {
                free( buf );
                buf = NULL;
            }
            else
            {
                printf( "ZwQuerySystemInformation() failed" );
                goto GetEprocessFromPid_exit;
            }
        }
        else
        {
            break;
        }
    } /* end of for */

    // The buffer starts with a ULONG giving the number of entries in the array that follows
    NumOfHandle = *(PULONG)buf;
    h_info = ( PSYSTEM_HANDLE_INFORMATION )( (PUCHAR)buf + sizeof( ULONG ) );

    for ( i = 0; i < NumOfHandle; i++ )
    {
        // Match our PID and object type 5 (Process); the Handle test is left as a comment from debugging
        if ( ( h_info[i].ProcessId == PID ) && ( h_info[i].ObjectTypeNumber == 5 ) ) //&&( h_info[i].Handle==0x3d8 ) )
        {
            DWORD Object = (DWORD)h_info[i].Object;
            printf( "Handle:0x%x,OBJECT 0x%x\n\r", h_info[i].Handle, Object );
            free( buf );
            return Object;
        }
    }

GetEprocessFromPid_exit:
    if ( buf != NULL )
    {
        free( buf );
        buf = NULL;
    }
    return 0;   /* not found or query failed */
}

/*
 * ntdll.dll
 */
static BOOL LocateNtdllEntry ( void )
{
    BOOL ret = FALSE;
    char NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll = NULL;

    if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
    {
        printf( "GetModuleHandle() failed" );
        return( FALSE );
    }
    if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
    {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:
    if ( FALSE == ret )
    {
        printf( "GetProcAddress() failed" );
    }
    ntdll_dll = NULL;
    return( ret );
} /* end of LocateNtdllEntry */

int main( int argc, char **argv )
{
    HANDLE hSelf = NULL;
    DWORD Addr = 0;

    if ( !LocateNtdllEntry( ) )
    {
        return 1;
    }

    // Open a handle to ourselves; only then does our own process appear in the handle list.
    // A PROCESS object has ObjectTypeNumber 5.
    hSelf = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
    if ( hSelf == NULL )
    {
        printf( "OpenProcess() failed\n" );
        return 1;
    }

    Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() );

    printf( "result: Current EPROCESS's Address is 0x%x \n\r", Addr );

    CloseHandle( hSelf );
    return 0;
}
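The table walk the program above performs, and the "no handle to itself" case the article ran into, replayed offline on a constructed buffer; this is an added example, not the article's code. It assumes the 32-bit entry layout the article documents (16 bytes per entry, count first), and the PID, handle and address values are taken from the article's SoftICE session, with the non-Process type numbers chosen arbitrarily.

```c
/* Added example (not the article's code): parse a SystemHandleInformation buffer in the
 * 32-bit layout the article documents and look up a PID's EPROCESS. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define OBJ_TYPE_PROCESS 5u  /* Process objects have ObjectTypeNumber 5, per the article */

/* One entry, field for field the article's SYSTEM_HANDLE_INFORMATION: 16 bytes on x86.
 * The x64 layout is wider, so this parser only fits 32-bit tables. */
typedef struct {
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    uint32_t Object;         /* PVOID on 32-bit Windows: the EPROCESS address */
    uint32_t GrantedAccess;
} handle_entry_t;

/* Object field of the first Process-type handle owned by pid, or 0 when the table holds
 * none, which is exactly what the article saw before it OpenProcess()ed itself.
 * buf begins with the ULONG entry count, as ZwQuerySystemInformation fills it. */
uint32_t find_eprocess(const uint8_t *buf, size_t len, uint32_t pid)
{
    uint32_t count;
    size_t i;
    if (buf == NULL || len < sizeof count) return 0;
    memcpy(&count, buf, sizeof count);
    /* Reject a count that promises more entries than the buffer actually holds */
    if ((len - sizeof count) / sizeof(handle_entry_t) < count) return 0;
    for (i = 0; i < count; i++) {
        handle_entry_t e;
        memcpy(&e, buf + sizeof count + i * sizeof e, sizeof e);
        if (e.ProcessId == pid && e.ObjectTypeNumber == OBJ_TYPE_PROCESS)
            return e.Object;
    }
    return 0;
}

/* Replays the article's two observations on a constructed table for PID 0x11C (the QQ
 * example): no self-handle gives 0; with one, the lookup returns the EPROCESS. */
uint32_t demo_lookup(int with_self_handle)
{
    /* Constructed entries: type numbers other than 5 are arbitrary; the Object values
     * are addresses from the article's SoftICE session, the last being the KPEB */
    const handle_entry_t entries[3] = {
        { 0x11C, 0x1C, 0, 0x0004, 0xE2DA5E70, 0x000F001F },
        { 0x11C, 0x0A, 0, 0x0008, 0xFFAB35E0, 0x001F0003 },
        { 0x11C, OBJ_TYPE_PROCESS, 0, 0x03D8, 0x827CD520, 0x001F0FFF },
    };
    uint32_t n = with_self_handle ? 3u : 2u;
    uint8_t buf[4 + 3 * sizeof(handle_entry_t)];
    memcpy(buf, &n, sizeof n);                       /* count first, entries after it */
    memcpy(buf + sizeof n, entries, n * sizeof entries[0]);
    return find_eprocess(buf, sizeof n + n * sizeof entries[0], 0x11C);
}
```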