Digest content:
--------------------------------------------------------------------------------
Digest source: http://www.xfocus.net/articles/200406/706.html

Created: 2004-06-01
Article type: original
Submitted by: MustBE (zf35_at_citiz.net)

By [I.T.S]SystEm32

Welcome to our web site http://itaq.ynpc.com/itsbbs/

thanks to SobeIt
---------------------------------------------------------------------------------------------
Every Windows process has a corresponding executive process block (EPROCESS, also called the KTEB). EPROCESS not only holds many of the process's attributes but also contains many pointers to other data structures, so it carries a lot of useful information. This article only describes how to obtain the EPROCESS of a particular process; the purpose and layout of EPROCESS are outside its scope.

NSFocus expert flier mentioned in his article that, by calling ZwQuerySystemInformation to retrieve the whole kernel handle table and searching it linearly for a process handle, the kernel object that handle points to is the EPROCESS.

The prototype of ZwQuerySystemInformation is as follows:

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation
(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

The parameters mean the following:

SystemInformationClass: the kind of system information being queried, one of the SYSTEM_INFORMATION_CLASS enumeration values

SystemInformation: pointer to a buffer that receives the system information

SystemInformationLength: length of the buffer

ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be 0 (NULL)

To obtain the EPROCESS, we call ZwQuerySystemInformation with SystemHandleInformation (information class 16) as the first parameter.

The SYSTEM_HANDLE_INFORMATION structure is as follows:

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

ProcessId: process identifier

ObjectTypeNumber: type of the opened object

Flags: handle attribute flags

Handle: the handle value; uniquely identifies one handle among those the process has open

Object: this is the address of the EPROCESS the handle refers to

GrantedAccess: access rights of the handle

Below I wrote a small program to obtain the EPROCESS (GetKTEB.cpp).

The annoying part was that once the program was written it did not obtain the EPROCESS as expected. Debugging showed that the handles returned by ZwQuerySystemInformation() for the process did not include a handle to the process itself.

How could that be? Was the program wrong? *_*

Now only SoftICE could give the answer. Ctrl+D brings up SoftICE; I picked a process at random, QQ. Let's look at SoftICE's output:

:proc -o QQ
Process KPEB PID Threads Pri User Time Krnl Time Status
QQ 827CD520 11C 2A 8 00000B90 000008D4 Ready

---- Handle Table Information ----

Handle Table: FFAD93C8 Handle Array: E2BEB000 Entries: 590

Handle Ob Hdr * Object * Type
0000 00000000 00000018 ?
0004 E2DA5E58 E2DA5E70 Section
0008 FFAB35C8 FFAB35E0 Event
000C FFAB3B08 FFAB3B20 Event
0010 85C70188 85C701A0 Event
0014 81515778 81515790 Directory
0018 FFAB7BB2 FFAB7BCA ?
001C 814A1858 814A1870 Directory
0020 80288C88 80288CA0 Event
0024 E2CFE7F9 E2CFE811 ?
0028 842D7B08 842D7B20 Event
002C 80E9B989 80E9B9A1 ?
0030 E1372198 E13721B0 Section
0034 814602C0 814602D8 WindowStation
0038 81455CE0 81455CF8 Desktop
003C 814602C0 814602D8 WindowStation
0040 E2B3C1A8 E2B3C1C0 Key
0044 E286D6E8 E286D700 Key
0048 E2B3C0E8 E2B3C100 Key
004C E2B3C068 E2B3C080 Key
0050 E2BEE688 E2BEE6A0 Key
0054 8147C998 8147C9B0 Directory
0058 829D1128 829D1140 Event
005C 83F991E8 83F99200 Event
0060 E2BEE608 E2BEE620 Key
0064 FFB07568 FFB07580 Event
0068 801747E8 80174800 Event
006C 80174828 80174840 Event
0070 845E8808 845E8820 Event
0074 81448798 814487B0 Event
0078 E2B9A888 E2B9A8A0 Key
007C 845E8648 845E8660 Event
0080 FF9E2DB8 FF9E2DD0 Mutant
0084 FF9E2D58 FF9E2D70 Mutant
0088 83CFC378 83CFC390 Mutant
008C 801749B0 801749C8 File
0090 E2C48668 E2C48680 Section
0094 FF965168 FF965180 Event
0098 FF9E7D88 FF9E7DA0 Event
009C FFAD3DE8 FFAD3E00 Event
00A0 80AD63C8 80AD63E0 Event
00A4 E28073A8 E28073C0 Key
00A8 FF955588 FF9555A0 Thread
00AC E2770728 E2770740 Key
00B0 FF923438 FF923450 Mutant
00B4 FFAE3B38 FFAE3B50 Mutant
00B8 83B80728 83B80740 Event
00BC 83B80668 83B80680 Event
00C0 E2E3C448 E2E3C460 Section
00C4 83776A08 83776A20 Thread
00C8 81489E48 81489E60 Event
00CC 83776CC8 83776CE0 Event
00D0 83776C88 83776CA0 Event
00D4 83776768 83776780 Event
00D8 E2837D88 E2837DA0 Key
00DC 8146B3A8 8146B3C0 Event
00E0 FF908308 FF908320 Event
00E4 81494868 81494880 Event
00E8 FF9064C8 FF9064E0 Event
00EC FF908FC8 FF908FE0 Event
00F0 FF908F88 FF908FA0 Event
00F4 FF955588 FF9555A0 Thread
00F8 FF908F48 FF908F60 Event
00FC E2CB1558 E2CB1570 Port
0100 FF90A2C8 FF90A2E0 IoCompletion
0104 E2CFE708 E2CFE720 Port
0108 FF90A2C8 FF90A2E0 IoCompletion
010C 837762A8 837762C0 Thread
0110 8103BBC8 8103BBE0 Event
0114 813DBDB8 813DBDD0 Event
0118 FF814788 FF8147A0 Event
011C E1358DA8 E1358DC0 Key
0120 E2CFC428 E2CFC440 Key
0124 8103B9C8 8103B9E0 Event
0128 E2C9A968 E2C9A980 Key
012C 83B34E88 83B34EA0 Event
0130 E2CFD948 E2CFD960 Key
0134 83B34E08 83B34E20 Event
....
..................... (omitted)
After looking for a while, there really is no handle for the QQ process itself. So what now?

Thought about it for a moment... Since the Win32 subsystem is managed by CSRSS.EXE, the handles of user-created processes should be found inside CSRSS.EXE; checking with SoftICE confirmed that this is indeed the case.

But that gives no way to obtain the handle of a specified process, which is far from what I need, so another route is required.

Eventually I thought of a solution: if there is no handle to the process, just create one. OpenProcess() opens a handle to a process, which is exactly what is needed.

Sure enough, after adding that one line, ZwQuerySystemInformation() returned the EPROCESS.

The corrected program code is below. It obtains the EPROCESS address of its own process; with a small change it can obtain that of any process.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * you'll find a list of NTSTATUS status codes in the DDK header
 * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
 */
#define NT_SUCCESS(status) ((NTSTATUS)(status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/*
 *************************************************************************
 * ntddk.h
 */
typedef LONG NTSTATUS;
typedef ULONG ACCESS_MASK;
/*
 * ntdef.h
 *************************************************************************
 */

/*
 *************************************************************************
 * <> - Gary Nebbett
 */

typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

/*
 * Information Class 16
 * This is the 32-bit layout; on 64-bit Windows the structure is padded and
 * pointer-sized differently.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG       ProcessId;          /* PID of the process that owns the handle */
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;             /* kernel address of the object the handle refers to */
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; }
/*
 *************************************************************************
 * <> - Gary Nebbett
 *************************************************************************
 */
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );

/************************************************************************
 *                                                                      *
 *                         Function Prototype                           *
 *                                                                      *
 ************************************************************************/
static DWORD GetEprocessFromPid ( ULONG PID );
static BOOL  LocateNtdllEntry ( void );

/************************************************************************
 *                                                                      *
 *                         Static Global Var                            *
 *                                                                      *
 ************************************************************************/
static RTLNTSTATUSTODOSERROR    RtlNtStatusToDosError    = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static HMODULE                  hModule                  = NULL;
/************************************************************************/

/* Object type index of PROCESS objects observed on the author's system;
 * the index differs across Windows versions. */
#define PROCESS_OBJECT_TYPE_NUMBER 5

static DWORD GetEprocessFromPid ( ULONG PID )
{
    NTSTATUS status;
    PVOID buf = NULL;
    ULONG size = 1;
    ULONG NumOfHandle = 0;
    ULONG i;
    DWORD result = 0;
    PSYSTEM_HANDLE_INFORMATION h_info = NULL;

    /* The required length is not known in advance: grow the buffer until
       the call stops returning STATUS_INFO_LENGTH_MISMATCH. */
    for ( size = 1; ; size *= 2 )
    {
        if ( NULL == ( buf = calloc( size, 1 ) ) )
        {
            fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
            goto GetEprocessFromPid_exit;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
        if ( !NT_SUCCESS( status ) )
        {
            if ( STATUS_INFO_LENGTH_MISMATCH == status )
            {
                free( buf );
                buf = NULL;
            }
            else
            {
                printf( "ZwQuerySystemInformation() failed\n" );
                goto GetEprocessFromPid_exit;
            }
        }
        else
        {
            break;
        }
    } /* end of for */

    // The buffer begins with a ULONG giving the number of entries in the array
    NumOfHandle = *(PULONG)buf;

    // The SYSTEM_HANDLE_INFORMATION entries follow that count
    h_info = ( PSYSTEM_HANDLE_INFORMATION )( (PUCHAR)buf + sizeof( ULONG ) );

    for ( i = 0; i < NumOfHandle; i++ )
    {
        if ( ( h_info[i].ProcessId == PID ) && ( h_info[i].ObjectTypeNumber == PROCESS_OBJECT_TYPE_NUMBER ) ) //&&( h_info[i].Handle == 0x3d8 ) )
        {
            printf( "Handle:0x%x,OBJECT 0x%x\n\r", h_info[i].Handle, h_info[i].Object );
            result = (DWORD)( h_info[i].Object );
            break;   /* fall through to the cleanup so buf is freed */
        }
    }

GetEprocessFromPid_exit:
    if ( buf != NULL )
    {
        free( buf );
        buf = NULL;
    }
    return( result );   /* 0 when no matching handle was found */
}

/*
 * ntdll.dll
 */
static BOOL LocateNtdllEntry ( void )
{
    BOOL ret = FALSE;
    char NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll = NULL;

    if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
    {
        printf( "GetModuleHandle() failed\n" );
        return( FALSE );
    }
    if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) )
    {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:
    if ( FALSE == ret )
    {
        printf( "GetProcAddress() failed\n" );
    }
    ntdll_dll = NULL;
    return( ret );
} /* end of LocateNtdllEntry */

int main( int argc, char **argv )
{
    HANDLE hSelf;
    DWORD Addr;

    if ( !LocateNtdllEntry( ) )
    {
        return 1;
    }

    // Open a handle to ourselves so that we can find ourselves in the handle
    // list; a PROCESS object has ObjectTypeNumber 5 here
    hSelf = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId() );
    if ( hSelf == NULL )
    {
        printf( "OpenProcess() failed\n" );
        return 1;
    }

    Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() );

    printf( "result: Current EPROCESS's Address is 0x%x \n\r", Addr );

    CloseHandle( hSelf );
    return 0;
}
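An added example (not the article's or xfocus's code) that reproduces the lookup offline: it builds a SystemHandleInformation buffer in the 32-bit layout shown above, runs the article's search over it, and shows that the search returns nothing until the process owns a Process-type handle, and that matching on the handle value OpenProcess() returned avoids picking a handle the process holds to some other process. PID 0x11C and the EPROCESS 827CD520 come from the SoftICE output above; the csrss PID 0x1A8, the child-process entry and the handle values are constructed.

```c
/* Added example (not the article's code): parse a constructed SystemHandleInformation
 * buffer in the article's 32-bit layout; the lookup fails until pid owns a Process handle. */
#include <stdint.h>
#include <string.h>
/* 32-bit SYSTEM_HANDLE_INFORMATION (16 bytes, no padding). Object is kept as uint32_t so the
 * layout is identical on a 64-bit host; 64-bit Windows pads and sizes the fields differently. */
typedef struct {
    uint32_t ProcessId;        /* the process that OWNS the handle, not the object it names */
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    uint32_t Object;           /* kernel address of the object (EPROCESS for a Process) */
    uint32_t GrantedAccess;
} HandleEntry32;
#define PROCESS_TYPE 5         /* value the article observed; it differs across Windows versions */

/* Lay the buffer out as the call returns it: a ULONG entry count, then the array. */
static size_t build_buffer(const HandleEntry32 *e, uint32_t n, uint8_t *out)
{
    memcpy(out, &n, sizeof n);
    memcpy(out + sizeof n, e, (size_t)n * sizeof *e);
    return sizeof n + (size_t)n * sizeof *e;
}

/* The article's search plus an optional match on the handle value OpenProcess() returned.
 * handle == 0 takes the first Process handle pid owns, which may name a child process. */
static uint32_t find_eprocess(const uint8_t *buf, uint32_t pid, uint16_t handle)
{
    uint32_t n;
    const HandleEntry32 *h = (const HandleEntry32 *)(buf + sizeof n);
    memcpy(&n, buf, sizeof n);   /* the count is *(ULONG *)buf, not (ULONG)buf */
    for (uint32_t i = 0; i < n; i++)
        if (h[i].ProcessId == pid && h[i].ObjectTypeNumber == PROCESS_TYPE &&
            (handle == 0 || h[i].Handle == handle))
            return h[i].Object;
    return 0;                    /* pid owns no matching Process handle */
}

/* Constructed table for pid 0x11C (QQ; EPROCESS 827CD520 as in the SoftICE dump). A hypothetical
 * csrss (pid 0x1A8) holds the Process handle for 0x11C; 0x11C itself holds a Key, an Event,
 * a handle to a hypothetical child, and finally the handle that OpenProcess(self) creates. */
static const HandleEntry32 TABLE[] = {
    { 0x11C, 0x14, 0, 0x0040, 0xE2B3C1C0, 0x000F003F },          /* Key */
    { 0x11C, 0x0C, 0, 0x0008, 0xFFAB35E0, 0x001F0003 },          /* Event */
    { 0x1A8, PROCESS_TYPE, 0, 0x03D8, 0x827CD520, 0x001F0FFF },  /* csrss -> 0x11C */
    { 0x11C, PROCESS_TYPE, 0, 0x0134, 0x81400000, 0x001F0FFF },  /* 0x11C -> child */
    { 0x11C, PROCESS_TYPE, 0, 0x0138, 0x827CD520, 0x001F0FFF },  /* OpenProcess(self) */
};

/* Expose the first n entries (3 = before OpenProcess, 5 = after) and run the search. */
static uint32_t demo(uint32_t n, uint16_t self_handle)
{
    uint32_t raw[1 + sizeof TABLE / sizeof(uint32_t)];   /* 4-byte aligned backing store */
    build_buffer(TABLE, n, (uint8_t *)raw);
    return find_eprocess((const uint8_t *)raw, 0x11C, self_handle);
}
```

With only the first three entries the search finds nothing, which is the situation the SoftICE dump shows; with all five, a type-only match returns the child's object while matching the OpenProcess() handle value returns 827CD520.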