设为首页收藏本站
开启辅助访问 切换到宽版

看流星社区

 找回密码
 注册账号
看流星社区»看流星社区 » 【编程技术】 驱动开发技术 内核遍历r3进程模块 获取信息(32,64,WoW64)
返回列表 发新帖
查看: 2798|回复: 0

内核遍历r3进程模块 获取信息(32,64,WoW64)

[复制链接]
debra

该用户从未签到
发表于 2018-2-27 13:34:39 | 显示全部楼层 |阅读模式

没什么技术含量,只是突然用到了,然后写出来,又突然想到看流星了,然后又发上来,
一想到长期潜水,看帖不回就羞愧的不要不要的;

  2. //通过进程PID来获取目标模块路径;
  3. NTSTATUS GetModulesPathByProcessID (IN HANDLE ProcessId, IN WCHAR* ModuleName, OUT WCHAR* ModulesPath) {
  4.     typedef PPEB (__stdcall * pfn_PsGetProcessPeb) (PEPROCESS pEProcess);
  5.     typedef PPEB32 (__stdcall * pfn_PsGetProcessWow64Process) (PEPROCESS Process);
  6.     NTSTATUS nStatus;
  7.     KAPC_STATE KAPC = { 0 };
  8.     PEPROCESS  pEProcess = NULL; //EPROCESS结构指针;
  9.     PPEB pPEB = NULL; //PEB结构指针;
  10.     UNICODE_STRING uniFunctionName; //查找的函数名称;
  11.     PLDR_DATA_TABLE_ENTRY pLdrDataEntry = NULL; //LDR链表入口;
  12.     PLIST_ENTRY pListEntryStart = NULL; //链表头节点、尾节点;
  13.     PLIST_ENTRY pListEntryEnd = NULL;
  14.     //函数指针;
  15.     pfn_PsGetProcessPeb  PsGetProcessPeb = NULL;
  16.     //获取进程的EPROCESS结构指针;
  17.     nStatus = PsLookupProcessByProcessId (ProcessId, &pEProcess);
  18.     if (!NT_SUCCESS (nStatus)) {
  19.         return STATUS_UNSUCCESSFUL;
  20.     }
  21.     //查找函数地址;
  22.     RtlInitUnicodeString (&uniFunctionName, L"PsGetProcessPeb");
  23.     PsGetProcessPeb = (pfn_PsGetProcessPeb) (SIZE_T)MmGetSystemRoutineAddress (&uniFunctionName);
  24.     pPEB = PsGetProcessPeb (pEProcess);
  25.     KeStackAttachProcess (pEProcess, &KAPC);
  26.     pListEntryStart = pPEB->Ldr->InMemoryOrderModuleList.Flink;
  27.     pListEntryEnd = pPEB->Ldr->InMemoryOrderModuleList.Flink;
  28.     do {//输出DLL全路径;
  29.         pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)CONTAINING_RECORD (pListEntryStart, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
  30.         //KdPrint (("module:%wZ\n", &pLdrDataEntry->BaseDllName));
  31.         if (_wcsicmp (pLdrDataEntry->BaseDllName.Buffer, ModuleName) == 0) {
  32.             wcscpy (ModulesPath, pLdrDataEntry->FullDllName.Buffer);
  33.             goto end;
  34.         }
  35.         pListEntryStart = pListEntryStart->Flink;
  36.     } while (pListEntryStart != pListEntryEnd);
  37. #ifdef _AMD64_// 或wow64进程;
  38.     PPEB32 pPEB32 = NULL; //PEB结构指针;
  39.     PLDR_DATA_TABLE_ENTRY32 pLdrDataEntry32 = NULL; //LDR链表入口;
  40.     PLIST_ENTRY32 pListEntryStart32 = NULL; //链表头节点、尾节点;
  41.     PLIST_ENTRY32 pListEntryEnd32 = NULL;
  42.     //函数指针;
  43.     pfn_PsGetProcessWow64Process PsGetProcessWow64Process = NULL;
  44.     RtlInitUnicodeString (&uniFunctionName, L"PsGetProcessWow64Process");
  45.     PsGetProcessWow64Process = (pfn_PsGetProcessWow64Process) (SIZE_T)MmGetSystemRoutineAddress (&uniFunctionName);
  46.     //获取PEB指针
  47.     pPEB32 = PsGetProcessWow64Process (pEProcess);
  48.     pListEntryStart32 = (PLIST_ENTRY32) (((PEB_LDR_DATA32*)pPEB32->Ldr)->InMemoryOrderModuleList.Flink);
  49.     pListEntryEnd32 = (PLIST_ENTRY32) (((PEB_LDR_DATA32*)pPEB32->Ldr)->InMemoryOrderModuleList.Flink);
  50.     do {//输出DLL全路径;
  51.         pLdrDataEntry32 = (PLDR_DATA_TABLE_ENTRY32)CONTAINING_RECORD (pListEntryStart32, LDR_DATA_TABLE_ENTRY32, InMemoryOrderLinks);
  52.         //KdPrint (("wow64:%ws\n", pLdrDataEntry32->BaseDllName.Buffer));
  53.         if (_wcsicmp ((WCHAR*)pLdrDataEntry32->BaseDllName.Buffer, ModuleName) == 0) {
  54.             wcscpy (ModulesPath, (WCHAR*)pLdrDataEntry32->FullDllName.Buffer);
  55.             goto end;
  56.         }
  57.         pListEntryStart32 = (PLIST_ENTRY32)pListEntryStart32->Flink;
  58.     } while (pListEntryStart32 != pListEntryEnd32);
  59. #endif
  60. end:
  61.     KeUnstackDetachProcess (&KAPC);
  62.     ObDereferenceObject (pEProcess);
  63.     return STATUS_SUCCESS;
  64. }
复制代码


附上用到的几个结构
  1. typedef struct _PEB {
  2.     UCHAR InheritedAddressSpace;
  3.     UCHAR ReadImageFileExecOptions;
  4.     UCHAR BeingDebugged;
  5.     UCHAR Spare;
  6.     PVOID Mutant;
  7.     PVOID ImageBaseAddress;
  8.     PPEB_LDR_DATA Ldr;
  9.     PRTL_USER_PROCESS_PARAMETERS  ProcessParameters;
  10.     PVOID SubSystemData;
  11. } PEB, *PPEB;
  12. //专为WoW64准备;
  13. typedef struct _PEB32 {
  14.     UCHAR InheritedAddressSpace;
  15.     UCHAR ReadImageFileExecOptions;
  16.     UCHAR BeingDebugged;
  17.     UCHAR Spare;
  18.     ULONG Mutant;
  19.     ULONG ImageBaseAddress;
  20.     ULONG/*PPEB_LDR_DATA32*/ Ldr;
  21. } PEB32, *PPEB32;

  23. typedef struct _PEB_LDR_DATA {
  24.     ULONG Length;
  25.     UCHAR Initialized;
  26.     PVOID SsHandle;
  27.     LIST_ENTRY InLoadOrderModuleList;
  28.     LIST_ENTRY InMemoryOrderModuleList;
  29.     LIST_ENTRY InInitializationOrderModuleList;
  30.     PVOID EntryInProgress;
  31. } PEB_LDR_DATA, *PPEB_LDR_DATA;
  32. //专为WoW64准备;
  33. typedef struct _PEB_LDR_DATA32 {
  34.     ULONG Length;
  35.     UCHAR Initialized;
  36.     ULONG SsHandle;
  37.     LIST_ENTRY32 InLoadOrderModuleList;
  38.     LIST_ENTRY32 InMemoryOrderModuleList;
  39.     LIST_ENTRY32 InInitializationOrderModuleList;
  40.     ULONG EntryInProgress;
  41. } PEB_LDR_DATA32, *PPEB_LDR_DATA32;

  43. typedef struct _LDR_DATA_TABLE_ENTRY {
  44.     LIST_ENTRY InLoadOrderLinks;
  45.     LIST_ENTRY InMemoryOrderLinks;
  46.     LIST_ENTRY InInitializationOrderLinks;
  47.     PVOID DllBase;
  48.     PVOID EntryPoint;
  49.     ULONG SizeOfImage;
  50.     UNICODE_STRING FullDllName;
  51.     UNICODE_STRING BaseDllName;
  52.     ULONG Flags;
  53.     USHORT LoadCount;
  54.     USHORT TlsIndex;
  55.     LIST_ENTRY HashLinks;
  56.     PVOID SectionPointer;
  57.     ULONG CheckSum;
  58.     ULONG TimeDateStamp;
  59.     PVOID LoadedImports;
  60.     PVOID EntryPointActivationContext;
  61.     PVOID PatchInformation;
  62.     LIST_ENTRY ForwarderLinks;
  63.     LIST_ENTRY ServiceTagLinks;
  64.     LIST_ENTRY StaticLinks;
  65.     PVOID ContextInformation;
  66.     PVOID OriginalBase;
  67.     LARGE_INTEGER LoadTime;
  68. } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
  69. //专为WoW64准备;
  70. typedef struct _LDR_DATA_TABLE_ENTRY32 {
  71.     LIST_ENTRY32 InLoadOrderLinks;
  72.     LIST_ENTRY32 InMemoryOrderLinks;
  73.     LIST_ENTRY32 InInitializationOrderLinks;
  74.     ULONG DllBase;
  75.     ULONG EntryPoint;
  76.     ULONG SizeOfImage;
  77.     UNICODE_STRING32 FullDllName;
  78.     UNICODE_STRING32 BaseDllName;
  79.     ULONG Flags;
  80.     USHORT LoadCount;
  81.     USHORT TlsIndex;
  82.     LIST_ENTRY32 HashLinks;
  83.     ULONG SectionPointer;
  84.     ULONG CheckSum;
  85.     ULONG TimeDateStamp;
  86.     ULONG LoadedImports;
  87.     ULONG EntryPointActivationContext;
  88.     ULONG PatchInformation;
  89.     LIST_ENTRY32 ForwarderLinks;
  90.     LIST_ENTRY32 ServiceTagLinks;
  91.     LIST_ENTRY32 StaticLinks;
  92.     ULONG ContextInformation;
  93.     ULONG OriginalBase;
  94.     LARGE_INTEGER LoadTime;
  95. } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
复制代码
回复

举报

返回列表 发新帖
点击按钮快速添加回复内容: 支持 高兴 激动 给力 加油 苦寻 生气 回帖 路过 感恩
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册账号

本版积分规则

小黑屋|手机版|Archiver|看流星社区 |网站地图

GMT+8, 2024-4-19 20:47

Powered by Kanliuxing X3.4

© 2010-2019 kanliuxing.com

快速回复 返回顶部 返回列表