获得进程的EPROCESS

韩冰

文摘内容： -------------------------------------------------------------------------------- 文摘出处：http://www.xfocus.net/articles/200406/706.html / [+ [+ x! z* I# u& N* R3 H创建时间：2004-06-01 文章属性：原创 ( {9 J9 x: z( L; }/ |9 _0 D V+ K文章提交：MustBE (zf35_at_citiz.net) By [I.T.S]SystEm32 2 ^& l. F7 }9 L* H) ^4 c4 p- S Welcome to our web site http://itaq.ynpc.com/itsbbs/ ( J# R( v5 d. x/ h' {7 A2 H thanks to SobeIt : P 8 H3 @* y# u1 a0 f--------------------------------------------------------------------------------------------- 每个Windows进程都有一个相对应的执行体进程(EPROCESS,也就是KTEB),EPROCESS不仅包括了进程的许多属性,还包扩了许多指向其他数据结构的指针,其中包含了大量有用的信息.本文仅讲述如何获得特定进程对应的EPROCESS,EPROCESS的作用及数据结构不在本文讨论范围之内. 3 }5 g5 ]$ v2 @- c! o: Z; ~绿盟高手flier在他的文章中提到,使用ZwQuerySystemInformation函数获取所有核心句柄表，线性搜索到进程句柄，其指向的内核对象就是EPROCESS。 ) t" V+ j* c1 T2 n/ ?; ~* ^. T ) ]' I" O: O" U0 M+ e( U+ `9 YZwQuerySystemInformation函数原形如下 - }2 _2 I0 z v! E " K( u. Z+ ?5 m; D. oNTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation / G* V m" D* v, l- t( * e6 Z+ b& e! v$ Y4 ~4 w% T- i; rIN SYSTEM_INFORMATION_CLASS SystemInformationClass, / l+ B& i5 _0 U6 Z) ?IN OUT PVOID SystemInformation, : L+ O$ `. s$ ^* yIN ULONG SystemInformationLength, " ]3 { u4 B' l# J S) LOUT PULONG ReturnLength OPTIONAL ); 6 R4 z! M7 v3 R7 z, @! A + y/ L0 |: ^3 P2 @* d% ]参数意义如下 SystemInformationClass:被查询的系统信息的类型,SYSTEM_INFORMATION_CLASS的枚举类型之一 SystemInformation:指向一个接受系统信息的缓冲区的指针 SystemInformationLength:缓冲区长度 , a7 M2 H8 o' m1 ]7 q: o; B' @ 2 `+ q) N2 ~0 W# O0 _ReturnLength:指向一个接受实际返回字节数的变量,可以为0 为了获取EPROCESS,我们使用SYSTEM_HANDLE_INFORMATION作为第一参数来调用 ZwQuerySystemInformation * f' a+ s `* S0 v U( O8 z: C SYSTEM_INFORMATION_CLASS的结构如下 typedef struct _SYSTEM_HANDLE_INFORMATION 7 T) R& l+ S+ N+ P8 p, R{ ; f- P) v+ O/ c9 K9 q+ PULONG ProcessId; g) b$ P2 O2 K' ^6 d/ BUCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; & U4 \ r, b# r/ W4 i" J5 W5 XPVOID Object; ACCESS_MASK GrantedAccess; + R5 p* Y- M: n& E3 Y} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 7 x2 h4 z6 p# Z0 F8 o; sProcessId:进程标识符 ObjectTypeNumber;打开的对象的类型 Flags:句柄属性标志 , v3 }' G2 J: U& v, Q : I( N) E! l2 N1 X" ?Handle:句柄数值,在进程打开的句柄中唯一标识某个句柄 9 ]5 C5 k' s$ y8 F5 l/ j. k Object:这个就是句柄对应的EPROCESS的地址 GrantedAccess:句柄对象的访问权限 % o6 d' ?% A Q/ u5 h 下面我写了一个小程序来获得EPROCESS( GetKTEB.cpp ) ! Y3 n1 X6 @: u' K8 M* o \ 比较faint的是程序写好后发现并未如预期般获得EPROCESS,通过调试发现ZwQuerySystemInformation()返回的进程的句柄中并没有进程本身的句柄 - Q, s* x' X; ?) }5 {0 _9 K* f 怎么会这样?难道程序写错了?*_* / ~+ Z( a1 i# v# `# y ) I% Z3 i0 Y( O3 q! T现在只好靠SoftICE给出答案了,CTRL+D唤出SoftICE,随便选了个进程--QQ,让我们来看看SoftICE的输出 :proc -o QQ Process KPEB PID Threads Pri User Time Krnl Time Status QQ 827CD520 11C 2A 8 00000B90 000008D4 Ready ---- Handle Table Information ---- Handle Table: FFAD93C8 Handle Array: E2BEB000 Entries: 590 . s9 ~& ]2 Z5 O * [+ }$ p: I# o: m1 [. RHandle Ob Hdr * Object * Type 0000 00000000 00000018 ? 0004 E2DA5E58 E2DA5E70 Section 0008 FFAB35C8 FFAB35E0 Event 000C FFAB3B08 FFAB3B20 Event 0010 85C70188 85C701A0 Event 0014 81515778 81515790 Directory 0018 FFAB7BB2 FFAB7BCA ? " n9 y' t1 G, |6 d) ]4 D7 g001C 814A1858 814A1870 Directory 3 {+ d! a* N* n7 L0020 80288C88 80288CA0 Event / I% I( Z$ Q% P0024 E2CFE7F9 E2CFE811 ? 0028 842D7B08 842D7B20 Event 002C 80E9B989 80E9B9A1 ? . g% ?9 R. C: T9 s# K0030 E1372198 E13721B0 Section 0034 814602C0 814602D8 WindowStation 0038 81455CE0 81455CF8 Desktop 003C 814602C0 814602D8 WindowStation ( E$ H* P4 B- P! K* K/ Z$ E0040 E2B3C1A8 E2B3C1C0 Key 0044 E286D6E8 E286D700 Key 0048 E2B3C0E8 E2B3C100 Key 004C E2B3C068 E2B3C080 Key 0050 E2BEE688 E2BEE6A0 Key 0054 8147C998 8147C9B0 Directory 6 f P9 B2 a6 t3 z/ K) \5 ^8 B6 b0058 829D1128 829D1140 Event 005C 83F991E8 83F99200 Event ' l/ z. w! w% [- T# A0060 E2BEE608 E2BEE620 Key 0064 FFB07568 FFB07580 Event 0 {, P& |# O, s, u. Q& W! M. g% I0068 801747E8 80174800 Event 006C 80174828 80174840 Event 0070 845E8808 845E8820 Event 0074 81448798 814487B0 Event ! P% v6 H/ F* O! L0078 E2B9A888 E2B9A8A0 Key 007C 845E8648 845E8660 Event 9 p u) {& F U' r! ]0080 FF9E2DB8 FF9E2DD0 Mutant 0084 FF9E2D58 FF9E2D70 Mutant 0088 83CFC378 83CFC390 Mutant ' e5 K- D e. k0 ?6 g6 H008C 801749B0 801749C8 File 0090 E2C48668 E2C48680 Section 0094 FF965168 FF965180 Event 9 y- [) } i1 q* R4 `9 c& \* B0098 FF9E7D88 FF9E7DA0 Event 009C FFAD3DE8 FFAD3E00 Event 3 h8 B7 S" [# d( ]$ B00A0 80AD63C8 80AD63E0 Event $ C4 ^. J* t S( `, P2 f00A4 E28073A8 E28073C0 Key a9 D: @+ c+ w0 X# r/ j/ G00A8 FF955588 FF9555A0 Thread 00AC E2770728 E2770740 Key % O" t, p2 |3 k9 x, M$ O' K- g/ ~00B0 FF923438 FF923450 Mutant 00B4 FFAE3B38 FFAE3B50 Mutant 00B8 83B80728 83B80740 Event 00BC 83B80668 83B80680 Event 0 f( C9 c1 j# k1 P$ N$ Y00C0 E2E3C448 E2E3C460 Section 00C4 83776A08 83776A20 Thread B+ _0 K7 F$ H: |1 a( g00C8 81489E48 81489E60 Event ; L3 U. r% F+ i( s) f00CC 83776CC8 83776CE0 Event 00D0 83776C88 83776CA0 Event 00D4 83776768 83776780 Event 00D8 E2837D88 E2837DA0 Key 9 ^9 i+ w+ O0 M) g2 I f' Q00DC 8146B3A8 8146B3C0 Event 00E0 FF908308 FF908320 Event 6 s5 C) S" n6 y00E4 81494868 81494880 Event & B( \: ~' |* J7 X" [00E8 FF9064C8 FF9064E0 Event 00EC FF908FC8 FF908FE0 Event 00F0 FF908F88 FF908FA0 Event $ C1 a- }* a6 @8 ~4 O- ?00F4 FF955588 FF9555A0 Thread q7 a- b4 J) k$ {) ]$ O2 s. C00F8 FF908F48 FF908F60 Event 00FC E2CB1558 E2CB1570 Port 0100 FF90A2C8 FF90A2E0 IoCompletion 9 g$ B k9 o# N: S5 ~- ?, e2 I0 c0104 E2CFE708 E2CFE720 Port 0108 FF90A2C8 FF90A2E0 IoCompletion 010C 837762A8 837762C0 Thread 0110 8103BBC8 8103BBE0 Event 0114 813DBDB8 813DBDD0 Event 5 O6 l9 E2 J [: q( `0118 FF814788 FF8147A0 Event 6 x3 i$ ^5 _: H9 `" m3 i" h011C E1358DA8 E1358DC0 Key : t& d2 |/ n: J% c m0120 E2CFC428 E2CFC440 Key 0124 8103B9C8 8103B9E0 Event 2 q' ^* J. H: I7 J3 y# F8 d: M. C4 f0128 E2C9A968 E2C9A980 Key " t; p% l+ Z' g9 `$ A* \012C 83B34E88 83B34EA0 Event 0130 E2CFD948 E2CFD960 Key 0134 83B34E08 83B34E20 Event ' U5 ]6 `' a0 I4 a$ P, @% }) d.... .....................省略 . R8 D. V, b3 D% Y0 {9 [9 }看了一阵,确实没有QQ本身进程的Handle,那么怎么办呢? 9 u& B! h, K# J+ l1 y 想了一会儿...既然Win32子系统是由CSRSS.EXE来管理的,那么用户创建的进程的句柄应该在CSRSS.EXE里面找得到,用SoftICE验证后发现确实如此 可是这没办法得到指定进程的句柄,和我所需相去甚远,只有另选它路 4 h& S5 X7 S$ z# J: \8 W 后来总算想到解决办法,既然没有进程的句柄,那就创建一个吧,OpenProcess()这个函数可以打开一个进程的句柄,正合所需. 果然加上这么一句后,ZwQuerySystemInformation()获得了EPROCESS / y2 Q: X! ^- N6 |' M 0 B* y0 ^# p) R- N$ j+ w* h& q5 p修改好的程序代码如下,获得本身进程的EPROCESS地址,稍作修改可获取任意进程 . `8 `/ H& O5 j5 G2 K0 Z2 y: L8 K #include ! J- t9 \0 c! H) t i#include #include #include + o; }5 b/ a) r+ `' @ ' H( n3 M% `$ G/ Z+ T+ W( e/* $ X& k8 _: g% L7 C M* you''ll find a list of NTSTATUS status codes in the DDK header * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\) ; C( ~3 Y' h4 c9 d5 B*/ 3 y/ ~$ l& Q4 Z( o6 A6 f/ V#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) 0 p ?7 n9 P7 v# w( _; B6 t /* " N7 m ~2 l, ~8 x3 \************************************************************************* * ntddk.h 1 [) H+ G# g1 T8 U. z*/ - k0 m$ Y+ T) t/ Itypedef LONG NTSTATUS; typedef ULONG ACCESS_MASK; 9 {" Q# v+ P8 X5 Y/ I; A/* * ntdef.h ************************************************************************* */ /* ************************************************************************* ! h( M- `" y# N* u T. @; ]* <> - Gary Nebbett */ + Z" ^9 Q4 [ P0 x: P- Mtypedef enum _SYSTEM_INFORMATION_CLASS { SystemHandleInformation = 16 , p+ V. u$ |- @} SYSTEM_INFORMATION_CLASS; + g; ^4 b" m- w( S/ E2 q, F % z# q7 A$ x ]/* 4 p% J$ A4 Z9 \+ y* T& q*Information Class 16 6 w, G) ~; G/ ]5 [- B* Q7 I! g( D*/ typedef struct _SYSTEM_HANDLE_INFORMATION { ULONG ProcessId; ! e c9 }. J. k* \. e' a0 ?1 kUCHAR ObjectTypeNumber; - ?( |: d- R1 L. |! E; @, l5 P; E& YUCHAR Flags; USHORT Handle; ) `+ E8 g& \" M) p+ K" w+ r- j; L$ dPVOID Object; ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 1 T" z) \, O' @/ k e, ?+ u8 Z- d- v$ V! \#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; } # v- v4 q5 w- P9 u/* ************************************************************************* * <> - Gary Nebbett * s3 i) @7 q `************************************************************************* */ ( E6 \$ |; {& z: L9 d( ^% g4 k0 Mtypedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status ); typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); * L! u; m( B4 G. i/************************************************************************ * * * Function Prototype * 0 M! h7 ]: u" p4 w5 o5 M* * ************************************************************************/ static DWORD GetEprocessFromPid ( ULONG PID ); static BOOL LocateNtdllEntry ( void ); 4 z; b+ E" U- e: F- [' _/************************************************************************ & r6 D* M/ A _1 U8 v3 O* * 0 K" R8 V* X% A% B* Static Global Var * * * 4 [& [4 ]) |. D7 C( n+ {************************************************************************/ static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL; static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL; static HMODULE hModule = NULL; /************************************************************************/ 4 X: J$ [& l6 C6 d L static DWORD GetEprocessFromPid ( ULONG PID ) { NTSTATUS status; 8 f9 `( C1 x' o0 XPVOID buf = NULL; / ^7 k+ ?% e1 G. Z; s W( D4 AULONG size = 1; ULONG NumOfHandle = 0; ULONG i; 7 `( G- t! u3 u! g, H. KPSYSTEM_HANDLE_INFORMATION h_info = NULL; for ( size = 1; ; size *= 2 ) { ! D. ~7 }; {' y: mif ( NULL == ( buf = calloc( size, 1 ) ) ) { 9 ?0 Q% r7 V- ^7 N: D. gfprintf( stderr, "calloc( %u, 1 ) failed\n", size ); : ?5 d7 [, i! o& l. jgoto GetEprocessFromPid_exit; } status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL ); . z7 N. b; M; z9 |2 |2 p. iif ( !NT_SUCCESS( status ) ) { 3 w; C* V' f3 |% Y0 q. Z# A3 |- R7 qif ( STATUS_INFO_LENGTH_MISMATCH == status ) { free( buf ); buf = NULL; . k2 q; `" l+ U3 n& _} " b6 K; D4 y0 g- melse * x! A- i& e/ s{ 4 T, y9 w% \. b1 \7 C0 Dprintf( "ZwQuerySystemInformation() failed"); goto GetEprocessFromPid_exit; } } else { break; 2 I& _( G3 L2 {7 S' c2 W& r3 J} } /* end of for */ * D: s7 @5 K7 ^8 e9 _! L ' j5 q" }, F" ]# B# @5 u& p9 z//返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组 NumOfHandle = (ULONG)buf; ; }0 m5 Z2 M# _5 Eh_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4); 7 g& x6 C0 \4 u r6 q# hfor(i = 0; i { ( {( j3 Z8 }, N, V9 V, j4 @if( ( h_info.ProcessId == PID )&&( h_info.ObjectTypeNumber == 5 ))//&&( h_info.Handle==0x3d8 ) ) { printf("Handle:0x%x,OBJECT 0x%x\n\r",h_info.Handle,h_info.Object); return((DWORD)(h_info.Object)); } 8 \. w" K2 q6 b5 K" R3 r. p} GetEprocessFromPid_exit: 5 ?" G/ U6 }; P- I/ ~0 G& Mif ( buf != NULL ) . e4 U ]1 v5 _- [. s+ N. L$ I{ free( buf ); " U+ p) |/ O* P+ a s) Ubuf = NULL; * Y* X- W% M% V6 ]3 G# I} 5 ~! r% z6 L$ }& @" E+ wreturn(FALSE); } - h3 w+ Y1 [( {9 ? % K T( _. \( I Z2 v7 | /* * ntdll.dll */ / k) U' N$ ^6 z: Zstatic BOOL LocateNtdllEntry ( void ) { BOOL ret = FALSE; char NTDLL_DLL[] = "ntdll.dll"; HMODULE ntdll_dll = NULL; + j. ~! x4 B3 H( w1 H: M if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL ) 9 t9 X4 G$ |2 c7 w9 V. \6 c{ # u8 r: S& |: I* k! @) kprintf( "GetModuleHandle() failed"); $ N2 D, ?! p; |. {5 q* Jreturn( FALSE ); ' z' c' b2 c* ]0 q7 f} 7 `/ U- ^+ k! |: ~) N/ V8 N$ Qif ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) ) { goto LocateNtdllEntry_exit; * N' Y8 s5 R e/ t' ` Y9 [1 ?} ret = TRUE; + u( }3 K4 P& h2 S G8 l1 S* A) g LocateNtdllEntry_exit: if ( FALSE == ret ) 7 T4 @$ S V3 {2 {! a4 j" J{ printf( "GetProcAddress() failed"); } % `6 q' a/ `: i; E6 B9 x, C4 lntdll_dll = NULL; 4 e9 _3 h. ^: g! rreturn( ret ); } /* end of LocateNtdllEntry */ $ _+ p6 w8 w3 w9 g, y# D- u0 M7 g " R4 X2 \3 y6 F E1 g3 ]- d/ c8 e ! N/ Z: a6 m* H3 q2 [* tint main(int argc,char **argv) { LocateNtdllEntry( ); //打开自身句柄,这样才能在handle列表中找到自己,PROCESS 对应 ObjectTypeNum 为5 OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() ); $ q- a a3 l9 ?# J2 d/ G; x" p( i0 E/ z DWORD Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() ); # m' g- a' \5 M& Y9 Fprintf("result: Current EPROCESS''s Address is 0x%x \n\r",Addr); - l2 Y6 `% B4 h$ S7 G4 J5 R% xreturn TRUE; % k0 A8 @" ^( V) a+ C}