获得进程的EPROCESS

韩冰

文摘内容： 0 G% Q ^/ u' Z$ W, F$ X; l* r-------------------------------------------------------------------------------- 文摘出处：http://www.xfocus.net/articles/200406/706.html % ~& h! K& h- Z9 j# L; t# w7 C创建时间：2004-06-01 5 ?; Z5 C% v# v; c文章属性：原创 + w9 R' R( d8 [, `( h文章提交：MustBE (zf35_at_citiz.net) By [I.T.S]SystEm32 5 _! C) k# W% p2 c* e2 | 2 W* H( U* l, s7 i1 b8 A# DWelcome to our web site http://itaq.ynpc.com/itsbbs/ 7 m/ V. N8 K; i$ E9 g 5 H+ m* y- l8 q" R# B' Sthanks to SobeIt : P u1 t: ]$ x) v3 ^0 A--------------------------------------------------------------------------------------------- 5 q( [5 ~3 I/ p! R2 G) z5 C每个Windows进程都有一个相对应的执行体进程(EPROCESS,也就是KTEB),EPROCESS不仅包括了进程的许多属性,还包扩了许多指向其他数据结构的指针,其中包含了大量有用的信息.本文仅讲述如何获得特定进程对应的EPROCESS,EPROCESS的作用及数据结构不在本文讨论范围之内. 绿盟高手flier在他的文章中提到,使用ZwQuerySystemInformation函数获取所有核心句柄表，线性搜索到进程句柄，其指向的内核对象就是EPROCESS。 3 a* c- @( B9 E4 b) x" q" ] * |9 l! s# P# ]1 K9 l; x+ qZwQuerySystemInformation函数原形如下 2 {- v1 q) p7 O$ j2 @ / i0 y+ I8 C0 j; K. m+ M% uNTSYSAPI 0 [9 F' _) T: }/ q$ p, kNTSTATUS NTAPI 7 |' d$ [1 z! f, W# uZwQuerySystemInformation ! G \9 m/ {' H6 l8 E( ; F' b: C, |1 zIN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, . e% \: J! X; QIN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL n6 X+ c" _, L1 ^- a: F q; ~); 8 G$ T* j9 Z% F2 i- f- ]8 M$ R% q参数意义如下 : [, Y" ?4 {+ V- h2 ZSystemInformationClass:被查询的系统信息的类型,SYSTEM_INFORMATION_CLASS的枚举类型之一 0 P* U, K. T+ y0 h5 }) C SystemInformation:指向一个接受系统信息的缓冲区的指针 SystemInformationLength:缓冲区长度 2 `7 t. `9 a& N: c; e# `! X) C ) f1 u# q3 A7 n8 F. U( s3 @ReturnLength:指向一个接受实际返回字节数的变量,可以为0 6 O( ]; |; ~2 y3 Y5 t4 m! v . j& D+ I$ b4 Z8 [+ |为了获取EPROCESS,我们使用SYSTEM_HANDLE_INFORMATION作为第一参数来调用 ZwQuerySystemInformation % q* ]1 |4 F r5 ` SYSTEM_INFORMATION_CLASS的结构如下 typedef struct _SYSTEM_HANDLE_INFORMATION , I+ m& q+ z: c* f T! p& i{ % w* d9 N) u: ]9 Y' G. Q# iULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; ) x( x9 h$ y- Z/ Q3 Q XUSHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess; - A" @6 K% O/ k& \ w! u} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; ( t- C0 J+ `- s+ [ 5 O! O2 H+ z! ^2 E6 x2 N! kProcessId:进程标识符 ! }1 n: M$ L6 ~* }ObjectTypeNumber;打开的对象的类型 5 \+ m1 ~, r/ y; |" B* |, y9 N6 n9 V : U" E6 D" ~1 x* L1 R mFlags:句柄属性标志 Handle:句柄数值,在进程打开的句柄中唯一标识某个句柄 3 X# X7 g- h' R C' t, W Object:这个就是句柄对应的EPROCESS的地址 2 S7 F- l6 p' Y5 x0 O$ S# I4 \GrantedAccess:句柄对象的访问权限 , [) b3 E( m" M 0 C( k- A# ?7 v7 q! E% q5 F下面我写了一个小程序来获得EPROCESS( GetKTEB.cpp ) / Z! |/ t3 @) K O4 P/ [比较faint的是程序写好后发现并未如预期般获得EPROCESS,通过调试发现ZwQuerySystemInformation()返回的进程的句柄中并没有进程本身的句柄 2 i, J9 m; j" E4 I4 q怎么会这样?难道程序写错了?*_* 现在只好靠SoftICE给出答案了,CTRL+D唤出SoftICE,随便选了个进程--QQ,让我们来看看SoftICE的输出 . f- {( O6 O5 ~+ f* ^/ }& w :proc -o QQ , ^& z0 I2 ?3 @3 e5 ]Process KPEB PID Threads Pri User Time Krnl Time Status - t! V/ [+ E; u3 F2 ^) L2 i9 SQQ 827CD520 11C 2A 8 00000B90 000008D4 Ready ---- Handle Table Information ---- # N0 P+ J$ ]* p+ i' ^( ~6 e6 T" ^ 4 d( c* E1 r' m3 {, uHandle Table: FFAD93C8 Handle Array: E2BEB000 Entries: 590 4 |& C Y/ }, i/ l5 w Handle Ob Hdr * Object * Type 0000 00000000 00000018 ? 1 |7 G) z+ m& }! [* ^. L2 B1 f0004 E2DA5E58 E2DA5E70 Section 0008 FFAB35C8 FFAB35E0 Event 4 q0 G% r8 |, G# B8 C000C FFAB3B08 FFAB3B20 Event ; \6 l, _% X# z9 v* E- N0010 85C70188 85C701A0 Event 3 K7 O5 K$ b) K% G0014 81515778 81515790 Directory ( X& f; a% i$ B. f" l6 C1 {$ ~) j1 ~0018 FFAB7BB2 FFAB7BCA ? 001C 814A1858 814A1870 Directory 0020 80288C88 80288CA0 Event + ?; | p0 d8 _" c( E4 E0024 E2CFE7F9 E2CFE811 ? 7 ]& I( Z/ q: n8 h' q E& a0028 842D7B08 842D7B20 Event 002C 80E9B989 80E9B9A1 ? 0030 E1372198 E13721B0 Section . `3 f3 {. A; T; y* m$ I0034 814602C0 814602D8 WindowStation 0038 81455CE0 81455CF8 Desktop 6 ~# k" m3 D, J5 R7 U, W2 K; B/ ^9 G% @003C 814602C0 814602D8 WindowStation * q2 A' n L& _- c0040 E2B3C1A8 E2B3C1C0 Key 2 n1 `0 C. z7 v: @$ e9 Q* p! `0044 E286D6E8 E286D700 Key - i" w) |9 m2 I! e% n: f. w0 @' ~0048 E2B3C0E8 E2B3C100 Key . u: D* V$ K( p4 J% p004C E2B3C068 E2B3C080 Key 0050 E2BEE688 E2BEE6A0 Key 9 V/ V ]' o' c0054 8147C998 8147C9B0 Directory 0058 829D1128 829D1140 Event - G: `8 h# S, x1 Q: H: w/ K2 E3 x5 C# o4 j005C 83F991E8 83F99200 Event 0060 E2BEE608 E2BEE620 Key 0064 FFB07568 FFB07580 Event 0068 801747E8 80174800 Event 006C 80174828 80174840 Event 0070 845E8808 845E8820 Event $ V R# Q3 F* g0074 81448798 814487B0 Event 0078 E2B9A888 E2B9A8A0 Key 007C 845E8648 845E8660 Event % T+ n) N% W2 a6 B0 f: B0080 FF9E2DB8 FF9E2DD0 Mutant * V. a/ n, T4 w2 C( l0084 FF9E2D58 FF9E2D70 Mutant ) Q* C, F( n4 q& m, H0088 83CFC378 83CFC390 Mutant / K( h5 G, N4 o$ D6 ^5 |; M) \008C 801749B0 801749C8 File 1 [0 s6 I. Y) Y3 I s6 C0090 E2C48668 E2C48680 Section 4 m4 Y& C6 i( j9 l7 ]0094 FF965168 FF965180 Event 1 x/ g/ t, q3 Q- L+ D0098 FF9E7D88 FF9E7DA0 Event 009C FFAD3DE8 FFAD3E00 Event 00A0 80AD63C8 80AD63E0 Event ( @+ T5 ^4 t( L G; ?8 s00A4 E28073A8 E28073C0 Key 00A8 FF955588 FF9555A0 Thread 00AC E2770728 E2770740 Key 00B0 FF923438 FF923450 Mutant $ ]8 Q3 X- b" Q& }$ v* r8 n. k1 m00B4 FFAE3B38 FFAE3B50 Mutant 00B8 83B80728 83B80740 Event 00BC 83B80668 83B80680 Event 00C0 E2E3C448 E2E3C460 Section 5 O6 f+ N* }/ Q0 I9 S& _00C4 83776A08 83776A20 Thread 00C8 81489E48 81489E60 Event ; ^& N2 F; m8 Y, L00CC 83776CC8 83776CE0 Event ! P, Y' a7 M% @00D0 83776C88 83776CA0 Event % L: O" t ^" Q, \" j" p! X00D4 83776768 83776780 Event 00D8 E2837D88 E2837DA0 Key 0 V: F, K7 _; P( i. a3 b00DC 8146B3A8 8146B3C0 Event 00E0 FF908308 FF908320 Event 00E4 81494868 81494880 Event 00E8 FF9064C8 FF9064E0 Event 00EC FF908FC8 FF908FE0 Event 00F0 FF908F88 FF908FA0 Event 3 L3 L! ~" o( n8 V+ s2 u" Z00F4 FF955588 FF9555A0 Thread ( e0 ]3 @, y" u# y- _00F8 FF908F48 FF908F60 Event ; p' T+ L- [- c0 |00FC E2CB1558 E2CB1570 Port Y; c+ v( v1 {0 V o! }$ {0100 FF90A2C8 FF90A2E0 IoCompletion 0104 E2CFE708 E2CFE720 Port ( t7 X1 M6 z1 ^! i0108 FF90A2C8 FF90A2E0 IoCompletion $ o) n& U( k# r4 |" G; U0 {/ f, B! d010C 837762A8 837762C0 Thread 0110 8103BBC8 8103BBE0 Event 0114 813DBDB8 813DBDD0 Event * |+ C( U: I/ D. Y# V( o# g: r0118 FF814788 FF8147A0 Event 011C E1358DA8 E1358DC0 Key 0120 E2CFC428 E2CFC440 Key 0124 8103B9C8 8103B9E0 Event 0 c: o( ]5 E; A' P2 `0128 E2C9A968 E2C9A980 Key 012C 83B34E88 83B34EA0 Event 9 G1 y/ c% @* ?" o) k( t0130 E2CFD948 E2CFD960 Key 1 \: h& x7 d! N3 }& q/ B% [0134 83B34E08 83B34E20 Event .... ! l8 @( ~$ I) p& t8 x6 w- s.....................省略 ; D- D0 m9 X( T. V8 `8 |% C $ j" n9 h" a) ~看了一阵,确实没有QQ本身进程的Handle,那么怎么办呢? `' d* b9 h9 ^+ i想了一会儿...既然Win32子系统是由CSRSS.EXE来管理的,那么用户创建的进程的句柄应该在CSRSS.EXE里面找得到,用SoftICE验证后发现确实如此 2 `& @7 E4 J2 n# q 可是这没办法得到指定进程的句柄,和我所需相去甚远,只有另选它路 ; Y7 H* B# y- [后来总算想到解决办法,既然没有进程的句柄,那就创建一个吧,OpenProcess()这个函数可以打开一个进程的句柄,正合所需. ) e2 L1 l# v4 ]1 U/ o! A 果然加上这么一句后,ZwQuerySystemInformation()获得了EPROCESS + m. s/ s5 _$ @+ \修改好的程序代码如下,获得本身进程的EPROCESS地址,稍作修改可获取任意进程 * P9 u4 V+ N6 a& v* u #include #include 3 L4 p8 m: Q) v+ ~2 \- t; Q( A: S) y#include #include + ^8 Z4 z2 [* r9 N# R /* 7 i# {: G4 v- E; t0 ]* you''ll find a list of NTSTATUS status codes in the DDK header * ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\) */ #define NT_SUCCESS(status) ((NTSTATUS)(status)>=0) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) + }3 \, K. B5 r#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) /* ************************************************************************* . F3 o2 f- `! ] `' J$ R5 i* ntddk.h */ ' R9 j1 V7 }8 f% ^+ itypedef LONG NTSTATUS; 5 }7 L6 E7 G# Dtypedef ULONG ACCESS_MASK; /* * ntdef.h 6 Z3 I& S- A8 c, F& y************************************************************************* */ / V6 V9 u. z- h- o* h( ] % W7 r) i3 A' \7 H# |8 z/* ************************************************************************* 1 e) ]. y) i* |) g- G+ {: l* <> - Gary Nebbett */ typedef enum _SYSTEM_INFORMATION_CLASS { SystemHandleInformation = 16 ) ~8 }4 d E2 o8 z! p5 d F, [} SYSTEM_INFORMATION_CLASS; 6 k, {7 m4 U1 l: R/* 6 B& r5 N5 a, } l*Information Class 16 8 o3 d( Z: i3 A w1 \*/ typedef struct _SYSTEM_HANDLE_INFORMATION 2 N8 M# o w' ?4 a4 D+ K3 S) |{ ULONG ProcessId; 3 C7 Q, `1 L% ]0 m" p' _: @6 XUCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; #define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; } $ s! v& F- E2 c% e/ r5 {9 p! e( q/* 2 A( k8 X! h# }1 i! q************************************************************************* 4 \- @2 h- V! _$ J/ n, ?* H* <> - Gary Nebbett ( X$ F7 |3 K1 V7 Y2 E% J8 Z************************************************************************* 8 F4 v7 v1 t5 D2 `*/ ! ~8 Q& e' c# P! dtypedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status ); typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL ); /************************************************************************ * * * Function Prototype * a2 d* ^) g: R' \& N* * ; r7 P5 ~% P. d1 a- a& V7 @, n************************************************************************/ 5 |& M- K7 T( @+ V) N static DWORD GetEprocessFromPid ( ULONG PID ); " i& V- J; X/ C( j4 t0 _) gstatic BOOL LocateNtdllEntry ( void ); 0 c* D* c, u2 S6 p0 u9 e) W' ?; x @ * p) e! d9 \) f8 |/ o2 Z0 \6 \2 f$ Z /************************************************************************ 9 t7 h+ E5 W' C$ F8 w2 y- `( V* * 4 ^( b6 k) D+ c1 o t9 Q& e8 V8 B* Static Global Var * * * " F8 [; l0 c. Q: f" H; q************************************************************************/ , X, B* i5 K. I$ g, Q ! u' W, X* `* O" O8 Xstatic RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL; ) q6 f% T( {+ p$ fstatic ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL; & A+ h7 [ W) J6 n# D/ v5 L static HMODULE hModule = NULL; /************************************************************************/ 8 C7 ~6 R6 B6 q7 Z7 K7 V static DWORD GetEprocessFromPid ( ULONG PID ) { # J; j, o" Y" i% M( k& ZNTSTATUS status; PVOID buf = NULL; ULONG size = 1; : x9 w2 Y" G5 ?! r: fULONG NumOfHandle = 0; ULONG i; PSYSTEM_HANDLE_INFORMATION h_info = NULL; ' u9 e2 `0 r+ v% H# B. c' \ for ( size = 1; ; size *= 2 ) 2 d% l2 q9 p$ `* }6 l{ 3 V \& Z6 Y$ {9 M# _& b( Z' Nif ( NULL == ( buf = calloc( size, 1 ) ) ) { 8 c' X' S: g0 g0 i5 j& Y k1 U/ Qfprintf( stderr, "calloc( %u, 1 ) failed\n", size ); goto GetEprocessFromPid_exit; c' P8 _3 N; a$ {. h& V3 S8 z} status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL ); if ( !NT_SUCCESS( status ) ) 3 Q; x0 r* _4 H1 C. t) x{ # ^3 ]9 t0 [ Aif ( STATUS_INFO_LENGTH_MISMATCH == status ) ! o8 h3 A% h5 E/ s2 m& g* G{ % _( D0 D9 H T$ ]free( buf ); + i# Y: y6 o9 {1 J3 B$ Kbuf = NULL; ' ]/ U' c( d7 f2 z( R; r* {} else { printf( "ZwQuerySystemInformation() failed"); ( p% v9 k3 U( O1 B7 dgoto GetEprocessFromPid_exit; X( j9 H3 N: {& O# V( `} } else { , s9 V8 h/ k# w' z8 Tbreak; } ; n" ]: r8 N9 {. l8 O, n} /* end of for */ 4 ^; ~ p& }2 b- C6 h' K 5 y, D( p9 E' F# A//返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组 NumOfHandle = (ULONG)buf; + O" M( r' M1 K" H9 _ Lh_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4); 7 ]% U4 H2 x: Z0 [2 c) K * g1 r$ y0 E0 E6 d, p5 ^1 }for(i = 0; i { 9 ? u/ n2 [6 R3 ^if( ( h_info.ProcessId == PID )&&( h_info.ObjectTypeNumber == 5 ))//&&( h_info.Handle==0x3d8 ) ) % h2 a5 i+ h# v1 x5 D3 ^+ J{ printf("Handle:0x%x,OBJECT 0x%x\n\r",h_info.Handle,h_info.Object); + y s# I6 o& R! vreturn((DWORD)(h_info.Object)); } } GetEprocessFromPid_exit: 2 B6 L+ s4 U8 y0 G8 a$ |4 Hif ( buf != NULL ) . U- Q* Q: N! f* _8 e5 H{ 0 k9 @5 }; y: L' D1 ~free( buf ); ! ?" ?2 _. h# Gbuf = NULL; ! F: ?, A+ Q3 B6 a2 {1 j- U0 P} 2 C! Q7 `/ [. W$ y$ mreturn(FALSE); ' P- l- ^) J- V} /* & \8 Y. C; j9 E$ F( G8 k* ntdll.dll 7 w: w. C4 k- C1 N% w* |* x0 P4 G*/ static BOOL LocateNtdllEntry ( void ) { 4 k+ N# h1 s5 q" W# \BOOL ret = FALSE; & E6 U0 A" G+ n# W' Ychar NTDLL_DLL[] = "ntdll.dll"; HMODULE ntdll_dll = NULL; 2 ^2 L: s! A, M4 A' Y! q ) v; \5 ]/ V) \$ n- fif ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL ) 3 a+ e5 Y& H1 w0 ~6 ~{ ! q1 Y$ X4 ~' y( r9 V5 m! W$ _: o. dprintf( "GetModuleHandle() failed"); return( FALSE ); } + x& g9 t5 n3 f& Fif ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) ) ) { goto LocateNtdllEntry_exit; 3 W; z6 v5 m K& F0 [" C& Z3 v} ' Z2 O2 P2 I* x8 Hret = TRUE; LocateNtdllEntry_exit: 4 L/ A' X7 h/ g4 j2 O6 h" a 6 q4 F+ | a0 C/ K1 yif ( FALSE == ret ) { printf( "GetProcAddress() failed"); } ntdll_dll = NULL; return( ret ); ) A! H( R' T; }/ o7 z- T- B} /* end of LocateNtdllEntry */ 0 A- X+ ~0 z3 ~+ @+ s& Z3 {; f+ Y 0 x4 q7 r2 M& I int main(int argc,char **argv) { & ^9 u+ R/ v8 `- u }# v5 R! V5 z/ V 1 K3 ?3 [. U# u" Y% GLocateNtdllEntry( ); //打开自身句柄,这样才能在handle列表中找到自己,PROCESS 对应 ObjectTypeNum 为5 OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() ); # t: [ m& e0 o5 P) x$ f0 R: v DWORD Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() ); ' H+ i( M6 p" V6 t% v1 gprintf("result: Current EPROCESS''s Address is 0x%x \n\r",Addr); 6 R/ Z5 j/ A1 J4 P, u& s return TRUE; ; R, u+ k9 [; E! ^) Q5 x}