数学建模社区-数学中国 (Mathematical Modeling Community - Math China)
Title: Obtaining a process's EPROCESS
Author: 韩冰
Time: 2004-10-9 14:22
Abstract:
--------------------------------------------------------------------------------
Source: http://www.xfocus.net/articles/200406/706.html
Created: 2004-06-01
Article type: original
Submitted by: MustBE (zf35_at_citiz.net)

By [I.T.S]SystEm32

Welcome to our web site http://itaq.ynpc.com/itsbbs/

thanks to SobeIt : P
---------------------------------------------------------------------------------------------
Every Windows process has a corresponding executive process block (EPROCESS, that is, the KTEB). EPROCESS not only holds many of the process's attributes but also contains many pointers to other data structures, so it carries a great deal of useful information. This article only describes how to obtain the EPROCESS of a given process; the role and layout of EPROCESS are outside its scope.

flier, the NSFocus (绿盟) expert, mentioned in one of his articles that you can call ZwQuerySystemInformation to retrieve the whole kernel handle table, search it linearly for the process handle, and the kernel object that handle points to is the EPROCESS.

The prototype of ZwQuerySystemInformation is as follows:
    NTSYSAPI
    NTSTATUS
    NTAPI
    ZwQuerySystemInformation
    (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL
    );
The parameters mean the following:

SystemInformationClass: the kind of system information being queried, one of the SYSTEM_INFORMATION_CLASS enumeration values

SystemInformation: pointer to a buffer that receives the system information

SystemInformationLength: length of that buffer

ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be NULL (0)

To obtain the EPROCESS we call ZwQuerySystemInformation with SystemHandleInformation (the SYSTEM_HANDLE_INFORMATION class) as the first parameter.

The SYSTEM_HANDLE_INFORMATION structure is as follows:
    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG       ProcessId;
        UCHAR       ObjectTypeNumber;
        UCHAR       Flags;
        USHORT      Handle;
        PVOID       Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
ProcessId: the process identifier

ObjectTypeNumber: the type of the opened object

Flags: handle attribute flags

Handle: the handle value, which uniquely identifies a handle among those opened by the process

Object: the address of the kernel object the handle refers to; for a process handle this is the EPROCESS address

GrantedAccess: the access rights granted on the handle's object

Below I wrote a small program to obtain the EPROCESS (GetKTEB.cpp).

Rather annoyingly, once the program was written it did not obtain the EPROCESS as expected. Debugging showed that the handles ZwQuerySystemInformation() returned for the process did not include a handle to the process itself.

How could that be? Had I written the program wrong? *_*

Now only SoftICE could give the answer. I pressed CTRL+D to bring up SoftICE, picked a process at random, QQ, and looked at SoftICE's output:
    :proc -o QQ
    Process   KPEB      PID  Threads  Pri  User Time  Krnl Time  Status
    QQ        827CD520  11C  2A       8    00000B90   000008D4   Ready

    ---- Handle Table Information ----

    Handle Table: FFAD93C8  Handle Array: E2BEB000  Entries: 590

    Handle  Ob Hdr *  Object *  Type
    0000    00000000  00000018  ?
    0004    E2DA5E58  E2DA5E70  Section
    0008    FFAB35C8  FFAB35E0  Event
    000C    FFAB3B08  FFAB3B20  Event
    0010    85C70188  85C701A0  Event
    0014    81515778  81515790  Directory
    0018    FFAB7BB2  FFAB7BCA  ?
    001C    814A1858  814A1870  Directory
    0020    80288C88  80288CA0  Event
    0024    E2CFE7F9  E2CFE811  ?
    0028    842D7B08  842D7B20  Event
    002C    80E9B989  80E9B9A1  ?
    0030    E1372198  E13721B0  Section
    0034    814602C0  814602D8  WindowStation
    0038    81455CE0  81455CF8  Desktop
    003C    814602C0  814602D8  WindowStation
    0040    E2B3C1A8  E2B3C1C0  Key
    0044    E286D6E8  E286D700  Key
    0048    E2B3C0E8  E2B3C100  Key
    004C    E2B3C068  E2B3C080  Key
    0050    E2BEE688  E2BEE6A0  Key
    0054    8147C998  8147C9B0  Directory
    0058    829D1128  829D1140  Event
    005C    83F991E8  83F99200  Event
    0060    E2BEE608  E2BEE620  Key
    0064    FFB07568  FFB07580  Event
    0068    801747E8  80174800  Event
    006C    80174828  80174840  Event
    0070    845E8808  845E8820  Event
    0074    81448798  814487B0  Event
    0078    E2B9A888  E2B9A8A0  Key
    007C    845E8648  845E8660  Event
    0080    FF9E2DB8  FF9E2DD0  Mutant
    0084    FF9E2D58  FF9E2D70  Mutant
    0088    83CFC378  83CFC390  Mutant
    008C    801749B0  801749C8  File
    0090    E2C48668  E2C48680  Section
    0094    FF965168  FF965180  Event
    0098    FF9E7D88  FF9E7DA0  Event
    009C    FFAD3DE8  FFAD3E00  Event
    00A0    80AD63C8  80AD63E0  Event
    00A4    E28073A8  E28073C0  Key
    00A8    FF955588  FF9555A0  Thread
    00AC    E2770728  E2770740  Key
    00B0    FF923438  FF923450  Mutant
    00B4    FFAE3B38  FFAE3B50  Mutant
    00B8    83B80728  83B80740  Event
    00BC    83B80668  83B80680  Event
    00C0    E2E3C448  E2E3C460  Section
    00C4    83776A08  83776A20  Thread
    00C8    81489E48  81489E60  Event
    00CC    83776CC8  83776CE0  Event
    00D0    83776C88  83776CA0  Event
    00D4    83776768  83776780  Event
    00D8    E2837D88  E2837DA0  Key
    00DC    8146B3A8  8146B3C0  Event
    00E0    FF908308  FF908320  Event
    00E4    81494868  81494880  Event
    00E8    FF9064C8  FF9064E0  Event
    00EC    FF908FC8  FF908FE0  Event
    00F0    FF908F88  FF908FA0  Event
    00F4    FF955588  FF9555A0  Thread
    00F8    FF908F48  FF908F60  Event
    00FC    E2CB1558  E2CB1570  Port
    0100    FF90A2C8  FF90A2E0  IoCompletion
    0104    E2CFE708  E2CFE720  Port
    0108    FF90A2C8  FF90A2E0  IoCompletion
    010C    837762A8  837762C0  Thread
    0110    8103BBC8  8103BBE0  Event
    0114    813DBDB8  813DBDD0  Event
    0118    FF814788  FF8147A0  Event
    011C    E1358DA8  E1358DC0  Key
    0120    E2CFC428  E2CFC440  Key
    0124    8103B9C8  8103B9E0  Event
    0128    E2C9A968  E2C9A980  Key
    012C    83B34E88  83B34EA0  Event
    0130    E2CFD948  E2CFD960  Key
    0134    83B34E08  83B34E20  Event
    ....
    ..................... (remaining entries omitted)
After looking for a while: there really is no handle for the QQ process itself. So what now?

After thinking a bit... since the Win32 subsystem is managed by CSRSS.EXE, the handles of user-created processes should be found inside CSRSS.EXE, and checking with SoftICE confirmed that this is indeed the case.

But that gives no way to get the handle of a specified process and is far from what I needed, so another route had to be found.

Eventually I thought of a solution: if there is no handle to the process, just create one. OpenProcess() opens a handle to a process, which is exactly what is needed.

Sure enough, after adding that one call, ZwQuerySystemInformation() did yield the EPROCESS.

The corrected program is below. It obtains the EPROCESS address of its own process; with a small change it can retrieve that of any process.
    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    /*
     * you'll find a list of NTSTATUS status codes in the DDK header
     * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
     */
    #define NT_SUCCESS(status)          ((NTSTATUS)(status) >= 0)
    #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
    #define STATUS_ACCESS_DENIED        ((NTSTATUS)0xC0000022L)

    /*
     *************************************************************************
     * ntddk.h
     */
    typedef LONG  NTSTATUS;
    typedef ULONG ACCESS_MASK;
    /*
     * ntdef.h
     *************************************************************************
     */

    /*
     *************************************************************************
     * <> - Gary Nebbett
     */
    typedef enum _SYSTEM_INFORMATION_CLASS
    {
        SystemHandleInformation = 16
    } SYSTEM_INFORMATION_CLASS;

    /*
     * Information Class 16
     */
    typedef struct _SYSTEM_HANDLE_INFORMATION
    {
        ULONG       ProcessId;
        UCHAR       ObjectTypeNumber;
        UCHAR       Flags;
        USHORT      Handle;
        PVOID       Object;
        ACCESS_MASK GrantedAccess;
    } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

    #define InitializeObjectAttributes( p, n, a, r, s ) { \
        (p)->Length = sizeof( OBJECT_ATTRIBUTES );          \
        (p)->RootDirectory = r;                             \
        (p)->Attributes = a;                                \
        (p)->ObjectName = n;                                \
        (p)->SecurityDescriptor = s;                        \
        (p)->SecurityQualityOfService = NULL;               \
    }

    /*
     *************************************************************************
     * <> - Gary Nebbett
     *************************************************************************
     */
    typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
    typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
        IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
        IN OUT PVOID SystemInformation,
        IN ULONG SystemInformationLength,
        OUT PULONG ReturnLength OPTIONAL );

    /************************************************************************
     *                                                                      *
     *                         Function Prototype                           *
     *                                                                      *
     ************************************************************************/
    static DWORD GetEprocessFromPid ( ULONG PID );
    static BOOL  LocateNtdllEntry ( void );

    /************************************************************************
     *                                                                      *
     *                         Static Global Var                            *
     *                                                                      *
     ************************************************************************/
    static RTLNTSTATUSTODOSERROR     RtlNtStatusToDosError    = NULL;
    static ZWQUERYSYSTEMINFORMATION  ZwQuerySystemInformation = NULL;
    static HMODULE                   hModule                  = NULL;
    /************************************************************************/

    /* Query the system handle table and return the Object address of the
       Process-type handle owned by PID, or 0 if no such handle exists. */
    static DWORD GetEprocessFromPid ( ULONG PID )
    {
        NTSTATUS status;
        PVOID    buf         = NULL;
        ULONG    size        = 1;
        ULONG    NumOfHandle = 0;
        ULONG    i;
        DWORD    result      = 0;
        PSYSTEM_HANDLE_INFORMATION h_info = NULL;

        /* the required size is not known in advance: double the buffer until
           the call stops reporting STATUS_INFO_LENGTH_MISMATCH */
        for ( size = 1; ; size *= 2 )
        {
            if ( NULL == ( buf = calloc( size, 1 ) ) )
            {
                fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
                goto GetEprocessFromPid_exit;
            }
            status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
            if ( !NT_SUCCESS( status ) )
            {
                if ( STATUS_INFO_LENGTH_MISMATCH == status )
                {
                    free( buf );
                    buf = NULL;
                }
                else
                {
                    printf( "ZwQuerySystemInformation() failed\n" );
                    goto GetEprocessFromPid_exit;
                }
            }
            else
            {
                break;
            }
        } /* end of for */

        // The buffer starts with a ULONG giving the number of array entries;
        // read that value (not the buffer pointer itself), then the entries follow it.
        NumOfHandle = *(PULONG)buf;
        h_info = ( PSYSTEM_HANDLE_INFORMATION )( (PUCHAR)buf + 4 );

        for ( i = 0; i < NumOfHandle; i++ )
        {
            if ( ( h_info[i].ProcessId == PID ) && ( h_info[i].ObjectTypeNumber == 5 ) ) //&&( h_info[i].Handle == 0x3d8 )
            {
                printf( "Handle:0x%x,OBJECT 0x%x\n", h_info[i].Handle, h_info[i].Object );
                result = (DWORD)( h_info[i].Object );
                break;
            }
        }

    GetEprocessFromPid_exit:
        if ( buf != NULL )
        {
            free( buf );
            buf = NULL;
        }
        return( result );
    }

    /*
     * ntdll.dll
     */
    static BOOL LocateNtdllEntry ( void )
    {
        BOOL    ret = FALSE;
        char    NTDLL_DLL[] = "ntdll.dll";
        HMODULE ntdll_dll = NULL;

        if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
        {
            printf( "GetModuleHandle() failed\n" );
            return( FALSE );
        }
        if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
        {
            goto LocateNtdllEntry_exit;
        }
        ret = TRUE;

    LocateNtdllEntry_exit:
        if ( FALSE == ret )
        {
            printf( "GetProcAddress() failed\n" );
        }
        ntdll_dll = NULL;
        return( ret );
    } /* end of LocateNtdllEntry */

    int main( int argc, char **argv )
    {
        HANDLE hSelf;
        DWORD  Addr;

        if ( !LocateNtdllEntry( ) )
        {
            return 1;
        }

        // Open a handle to ourselves so that we can find ourselves in the handle list.
        // PROCESS corresponds to ObjectTypeNumber 5 on the Windows version used here
        // (the type index differs across Windows versions).
        hSelf = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );

        Addr = GetEprocessFromPid( (ULONG)GetCurrentProcessId() );

        printf( "result: Current EPROCESS's Address is 0x%x\n", Addr );

        if ( hSelf != NULL )
        {
            CloseHandle( hSelf );
        }
        return 0;
    }
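As an added example (not code from the article or its author), here is the same handle-table walk in portable C, run against a constructed buffer rather than a live ZwQuerySystemInformation call so that it compiles and runs anywhere: fake_query, the sample entries, the 32-bit entry layout and the type number 5 are assumptions. It adds the checks the article's code skips, reading the count from the buffer instead of casting the pointer and bounds-checking that count against the buffer length, and it bounds the grow-and-retry loop.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define STATUS_INFO_LENGTH_MISMATCH ((int32_t)0xC0000004)
#define NT_SUCCESS(s) ((int32_t)(s) >= 0)
#define OBJ_TYPE_PROCESS 5 /* the article's value for its Windows version; other versions use other indexes */
#pragma pack(push, 1)
typedef struct {           /* one 16-byte entry, field order as in the article's struct (32-bit layout) */
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    uint32_t Object;       /* PVOID: kernel object address; the EPROCESS when the handle is a process handle */
    uint32_t GrantedAccess;
} handle_entry_t;
#pragma pack(pop)
/* Constructed sample table standing in for what the kernel copies out; all values are made up. */
static const handle_entry_t sample[] = {
    { 0x11C, 3, 0, 0x0004, 0xE2DA5E70, 0x000F0007 },                /* a Section handle in PID 0x11C */
    { 0x220, OBJ_TYPE_PROCESS, 0, 0x0010, 0x81234560, 0x001F0FFF }, /* another process's handle */
    { 0x11C, OBJ_TYPE_PROCESS, 0, 0x03D8, 0x827CD520, 0x001F0FFF }, /* PID 0x11C's handle to itself */
};
/* Stand-in for ZwQuerySystemInformation(SystemHandleInformation, buf, len, NULL): writes [count][entries] */
static int32_t fake_query(void *buf, uint32_t len) {
    uint32_t n = sizeof(sample) / sizeof(sample[0]), need = 4 + n * (uint32_t)sizeof(handle_entry_t);
    if (len < need) return STATUS_INFO_LENGTH_MISMATCH;   /* buffer too small: caller must grow it */
    memcpy(buf, &n, 4);
    memcpy((uint8_t *)buf + 4, sample, need - 4);
    return 0;
}
/* Parse [count][entries]; return the Object address of pid's Process-type handle, or 0 if there is none. */
uint32_t find_eprocess(const void *buf, size_t len, uint32_t pid) {
    uint32_t n; handle_entry_t e;
    if (len < 4) return 0;
    memcpy(&n, buf, 4);                                   /* read the count; do not cast the pointer */
    if ((size_t)n > (len - 4) / sizeof e) return 0;       /* count claims more entries than the buffer holds */
    for (uint32_t i = 0; i < n; i++) {
        memcpy(&e, (const uint8_t *)buf + 4 + (size_t)i * sizeof e, sizeof e);
        if (e.ProcessId == pid && e.ObjectTypeNumber == OBJ_TYPE_PROCESS) return e.Object;
    }
    return 0;
}
/* What the article's GetEprocessFromPid does: grow-and-retry until the query fits, search, free. */
uint32_t lookup_eprocess(uint32_t pid) {
    for (size_t size = 1; size <= (1u << 26); size *= 2) { /* bounded so a persistent mismatch cannot spin */
        void *buf = calloc(size, 1);
        if (!buf) return 0;
        int32_t st = fake_query(buf, (uint32_t)size);
        uint32_t obj = NT_SUCCESS(st) ? find_eprocess(buf, size, pid) : 0;
        free(buf);
        if (NT_SUCCESS(st) || st != STATUS_INFO_LENGTH_MISMATCH) return obj;
    }
    return 0;
}
```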