win 10 64 14393遍历进程VAD

typedef struct _SEGMENT{
/*(*((ntkrnlmp!_SEGMENT *)0xffffa405114286d0))[Type:_SEGMENT]
[+0x000] ControlArea : 0xffffd18b3276d370[Type:_CONTROL_AREA *]
[+0x008] TotalNumberOfPtes : 0xa[Type:unsigned long]
[+0x00c] SegmentFlags[Type:_SEGMENT_FLAGS]
[+0x010] NumberOfCommittedPages : 0x0[Type:unsigned __int64]
[+0x018] SizeOfSegment : 0xa000[Type:unsigned __int64]
[+0x020] ExtendInfo : 0x5dd00000[Type:_MMEXTEND_INFO *]
[+0x020] BasedAddress : 0x5dd00000[Type:void *]
[+0x028] SegmentLock[Type:_EX_PUSH_LOCK]
[+0x030] u1[Type:<unnamed - tag>]
[+0x038] u2[Type:<unnamed - tag>]
[+0x040] PrototypePte : 0xffffa4050feab820[Type:_MMPTE *]*/
/* Hand-written, partial mirror of ntkrnlmp!_SEGMENT built from the WinDbg
 * dump above. Only the leading fields up to +0x020 are declared; everything
 * from SegmentLock (+0x028) onwards is omitted, so sizeof(SEGMENT) is smaller
 * than the kernel's and the type is only meaningful behind a pointer.
 * NOTE(review): these offsets are build-specific (the post targets Win10
 * 14393); on any other build they must be re-verified against the symbols. */
PVOID ControlArea;              // +0x000: back-pointer to the owning _CONTROL_AREA
LONG32 TotalNumberOfPtes;       // +0x008
LONG32 SegmentFlags;            // +0x00c: _SEGMENT_FLAGS collapsed to a 32-bit slot
ULONG64 NumberOfCommittedPages; // +0x010
ULONG64 SizeOfSegment;          // +0x018
ULONG64 BasedAddress;// +0x020: shares its slot with ExtendInfo in the real type; author's note: the module name could also be read from the PE headers at this base
// remaining fields (+0x028 SegmentLock, u1, u2, PrototypePte) are not declared



}SEGMENT,*PSEGMENT;
/* Mirror of ntkrnlmp!_EX_FAST_REF: a pointer whose low 3 bits carry an
 * in-line reference count (RefCnt). Callers recover the object pointer by
 * reading Value and clearing those low bits, as the traversal below does. */
typedef struct _EX_FAST_REF
{
union
{
PVOID Object;          // raw pointer view; the low 3 bits are NOT part of the address
ULONG_PTR RefCnt : 3;  // reference count packed into the low 3 bits
ULONG_PTR Value;       // integer view, used to mask the low bits off
};
} EX_FAST_REF, *PEX_FAST_REF;
typedef struct _CONTROL_AREA {
/**
(*((ntkrnlmp!_CONTROL_AREA *)0xffffd18b3276d370))[Type:_CONTROL_AREA]
[+0x000] Segment : 0xffffa405114286d0[Type:_SEGMENT *]
[+0x008] ListHead[Type:_LIST_ENTRY]
[+0x018] NumberOfSectionReferences : 0x1[Type:unsigned __int64]
[+0x020] NumberOfPfnReferences : 0xa[Type:unsigned __int64]
[+0x028] NumberOfMappedViews : 0x4[Type:unsigned __int64]
[+0x030] NumberOfUserReferences : 0x5[Type:unsigned __int64]
[+0x038] u[Type:<unnamed - tag>]
[+0x03c] u1[Type:<unnamed - tag>]
[+0x040] FilePointer[Type:_EX_FAST_REF]
[+0x048] ControlAreaLock : 0[Type:long]
[+0x04c] ModifiedWriteCount : 0x0[Type:unsigned long]
[+0x050] WaitList : 0x0[Type:_MI_CONTROL_AREA_WAIT_BLOCK *]
[+0x058] u2[Type:<unnamed - tag>]
[+0x068] FileObjectLock[Type:_EX_PUSH_LOCK]
[+0x070] LockedPages : 0x1[Type:unsigned __int64]
[+0x078] u3[Type:<unnamed - tag>]
*/
/* Hand-written, partial mirror of ntkrnlmp!_CONTROL_AREA from the dump
 * above. Fields are declared only up to ControlAreaLock (+0x048); the
 * remainder is omitted, so sizeof(CONTROL_AREA) is smaller than the
 * kernel's. The only field the code on this page actually uses is
 * FilePointer. NOTE(review): offsets are specific to the build in the
 * post title (Win10 14393). */
PSEGMENT Segment;// +0x000: the segment's ControlArea points back at this control area
LIST_ENTRY ListHead;// +0x008: not examined by the author
unsigned __int64 NumberOfSectionReferences; // +0x018: author's guess: a reference count (unverified)
unsigned __int64 NumberOfPfnReferences;// +0x020: semantics not established on this page
unsigned __int64 NumberOfMappedViews;// +0x028: author's guess: number of mapped views (unverified)
unsigned __int64 NumberOfUserReferences;// +0x030: semantics not established on this page
ULONG32 u;// +0x038: unnamed union in the real type, kept here only to preserve offsets
ULONG32 u1;// +0x03c: same as u
EX_FAST_REF FilePointer;// +0x040: EX_FAST_REF to the backing FILE_OBJECT; this is the field the traversal reads
long ControlAreaLock;// +0x048: lock; its protocol is not covered here
// fields from +0x04c (ModifiedWriteCount) onwards are not declared
}CONTROL_AREA,*PCONTROL_AREA;
/* Hand-written, partial mirror of ntkrnlmp!_SUBSECTION: only the first
 * three pointer-sized fields (+0x000..+0x010) are declared, so the type is
 * only meaningful behind a pointer. The code on this page uses ControlArea
 * only.
 * NOTE(review): `struct MMPTE` (no leading underscore) is a distinct
 * incomplete tag from the `_MMPTE` the symbol dump names; harmless while it
 * is only used as an opaque pointer, but it will not unify with PMMPTE. */
typedef struct _SUBSECTION {

PCONTROL_AREA ControlArea;            // +0x000: owning control area
struct MMPTE* SubsectionBase;         // +0x008: first prototype PTE of this subsection (not used here)
struct _SUBSECTION* NextSubsection;   // +0x010: singly-linked chain of subsections (not used here)
/*+ 0x018 GlobalPerSessionHead : _RTL_AVL_TREE
+ 0x018 CreationWaitList : Ptr64 _MI_CONTROL_AREA_WAIT_BLOCK
+ 0x018 SessionDriverProtos : Ptr64 _MI_PER_SESSION_PROTOS
+ 0x020 u : <unnamed - tag>
+0x024 StartingSector : Uint4B
+ 0x028 NumberOfFullSectors : Uint4B
+ 0x02c PtesInSubsection : Uint4B
+ 0x030 u1 : <unnamed - tag>
+0x034 UnusedPtes : Pos 0, 31 Bits
+ 0x034 DirtyPages : Pos 31, 1 Bit
+ 0x034 u2 : <unnamed - tag>*/
// fields from +0x018 onwards are not declared


}SUBSECTION,*PSUBSECTION;
/* Mirror of ntkrnlmp!_MMVAD for the build in the post title (Win10 14393).
 * The embedded _MMVAD_SHORT (Core, 0x40 bytes, which is where the
 * RTL_BALANCED_NODE links live) is kept opaque; only the trailing fields
 * are named. Every member after Core is 8-byte sized and 8-byte aligned,
 * so pack(1) does not move anything here; it only pins the commented
 * offsets. NOTE(review): the tag `__MMVAD` starts with a double underscore,
 * which is a reserved identifier in C. */
#pragma pack(1)
typedef struct __MMVAD{
/*
+0x000 Core : _MMVAD_SHORT
+ 0x040 u2 : <unnamed - tag>
+0x048 Subsection : Ptr64 _SUBSECTION
+ 0x050 FirstPrototypePte : Ptr64 _MMPTE
+ 0x058 LastContiguousPte : Ptr64 _MMPTE
+ 0x060 ViewLinks : _LIST_ENTRY
+ 0x070 VadsProcess : Ptr64 _EPROCESS
+ 0x078 u4 : <unnamed - tag>
+0x080 FileObject : Ptr64 _FILE_OBJECT*/
char Core[0x40];              // +0x000: _MMVAD_SHORT, treated as an opaque blob
ULONG64 u2;                   // +0x040: unnamed union in the real type
PSUBSECTION Subsection;       // +0x048: read by the traversal below
PMMPTE FirstPrototypePte;     // +0x050
PMMPTE LastContiguousPte;     // +0x058
LIST_ENTRY64 ViewLinks;       // +0x060 (16 bytes)
PEPROCESS VadsProcess;        // +0x070: used below as a "module-backed VAD" heuristic
ULONG64 u4;                   // +0x078: unnamed union in the real type
PFILE_OBJECT FileObject;      // +0x080: read but not otherwise used below
}MMVAD,*PMMVAD;
#pragma pack()


/*
 * Pre-order walk of a VAD tree rooted at VaddTree (an RTL_BALANCED_NODE;
 * every node is reinterpreted as the MMVAD layout declared above). For each
 * node whose VadsProcess page is resident and whose
 * Subsection -> ControlArea -> FilePointer chain is resident, the backing
 * FILE_OBJECT is derived from the EX_FAST_REF and its FileName is
 * overwritten in place with a fixed path, then printed.
 *
 * Review notes (defects and risks, left as-is on this page):
 *  - A FILE_OBJECT is a kernel object shared by every consumer of that
 *    file, so the in-place FileName rewrite is visible far beyond this VAD
 *    and is the kind of kernel-object tampering that object-integrity
 *    checks (FileName vs. the section's backing file) are built to catch.
 *  - memcpy writes sizeof(L"...") bytes with no check against
 *    FileName.MaximumLength; a shorter existing buffer means a pool
 *    overflow. Only the memset respects MaximumLength.
 *  - FileName.Length is assigned sizeof(...), which counts the two-byte
 *    NUL terminator; UNICODE_STRING.Length is a byte count that excludes it.
 *  - __except (1) swallows every exception unconditionally.
 *  - `if (MmIsAddressValid(VaddTree->Left));` carries a stray ';', so the
 *    Left recursion is unconditional and only the callee's own
 *    MmIsAddressValid(VaddTree) guard stops it.
 *  - MmIsAddressValid only says a page is resident; it does not establish
 *    that the memory is the object type assumed here, and the unbounded
 *    recursion runs on the (small) kernel stack.
 *  - `&amp;` in the listing is forum HTML escaping of `&`.
 */
VOID VadPreOrderTraverse(PRTL_BALANCED_NODE VaddTree) {
if (MmIsAddressValid(VaddTree))
{

PSUBSECTION L_Subsection = ((PMMVAD)VaddTree)->Subsection;     // MMVAD +0x048
PVOID64 L_VadsProcess = ((PMMVAD)VaddTree)->VadsProcess;       // MMVAD +0x070, only tested for residency below
PVOID64 L_FileObject = ((PMMVAD)VaddTree)->FileObject;         // MMVAD +0x080; read but never used
//__debugbreak();
// author's note: VadsProcess and Subsection look like the relevant fields


if (MmIsAddressValid(L_VadsProcess)) { // author's assumption: a resident VadsProcess marks a module-backed VAD — TODO confirm
// the three residency checks re-read the same chain via VaddTree instead of L_Subsection; they are equivalent
if (MmIsAddressValid(((PMMVAD)VaddTree)->Subsection) &amp;&amp; MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea) &amp;&amp; MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea->FilePointer.Value))
{
// EX_FAST_REF: shift out the 3-bit RefCnt (see EX_FAST_REF above) to recover the FILE_OBJECT address.
// NOTE(review): the ULONG_PTR result is converted to PFILE_OBJECT without a cast.
PFILE_OBJECT file_object =( (L_Subsection->ControlArea->FilePointer.Value )>> 3 )<< 3;// obtain the FILE_OBJECT
if (MmIsAddressValid(file_object))
{
__try {
// clears the whole existing buffer (bounded by MaximumLength) ...
memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
// ... but the copy below is NOT bounded by MaximumLength (see header notes)
memcpy(file_object->FileName.Buffer, L"C:\\WINDOWS\\system32\\csrss.exe", sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"));
file_object->FileName.Length = sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"); // includes the NUL terminator (see header notes)
DbgPrint("File Name:%wZ \n", &amp;file_object->FileName);
}
__except (1) { DbgPrint(("exception")); } // catches everything, including faults that should not be continued from
//DbgPrint("file_object :%p MMVAD:%p %S \n", file_object, VaddTree, ModuleName);
}


}
}


if (MmIsAddressValid(VaddTree->Right))
VadPreOrderTraverse(VaddTree->Right);
if (MmIsAddressValid(VaddTree->Left)); // stray ';' — the next line runs unconditionally
VadPreOrderTraverse(VaddTree->Left);
}
}