驱动开发：内核通过PEB得到进程参数 - c++编程基础

TOP

驱动开发：内核通过PEB得到进程参数(二)

2023-07-23 13:31:51 【大中小】浏览:78次

hreadpoolCpuSetMasks; /*0x438*/ ULONG32 DefaultThreadpoolCpuSetMaskCount; /*0x43C*/ UINT8 _PADDING2_[0x4]; }RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS; typedef struct _PEB_LDR_DATA // 9 elements, 0x58 bytes (sizeof) { /*0x000*/ ULONG32 Length; /*0x004*/ UINT8 Initialized; /*0x005*/ UINT8 _PADDING0_[0x3]; /*0x008*/ VOID* SsHandle; /*0x010*/ struct _LIST_ENTRY InLoadOrderModuleList; // 2 elements, 0x10 bytes (sizeof) /*0x020*/ struct _LIST_ENTRY InMemoryOrderModuleList; // 2 elements, 0x10 bytes (sizeof) /*0x030*/ struct _LIST_ENTRY InInitializationOrderModuleList; // 2 elements, 0x10 bytes (sizeof) /*0x040*/ VOID* EntryInProgress; /*0x048*/ UINT8 ShutdownInProgress; /*0x049*/ UINT8 _PADDING1_[0x7]; /*0x050*/ VOID* ShutdownThreadId; }PEB_LDR_DATA, *PPEB_LDR_DATA; typedef struct _PEB64 { UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; ULONG64 Mutant; ULONG64 ImageBaseAddress; PPEB_LDR_DATA Ldr; PRTL_USER_PROCESS_PARAMETERS ProcessParameters; ULONG64 SubSystemData; ULONG64 ProcessHeap; ULONG64 FastPebLock; ULONG64 AtlThunkSListPtr; ULONG64 IFEOKey; ULONG64 CrossProcessFlags; ULONG64 UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG64 ApiSetMap; } PEB64, *PPEB64; #pragma pack(4) typedef struct _PEB32 { UCHAR InheritedAddressSpace; UCHAR ReadImageFileExecOptions; UCHAR BeingDebugged; UCHAR BitField; ULONG Mutant; ULONG ImageBaseAddress; ULONG Ldr; ULONG ProcessParameters; ULONG SubSystemData; ULONG ProcessHeap; ULONG FastPebLock; ULONG AtlThunkSListPtr; ULONG IFEOKey; ULONG CrossProcessFlags; ULONG UserSharedInfoPtr; ULONG SystemReserved; ULONG AtlThunkSListPtr32; ULONG ApiSetMap; } PEB32, *PPEB32; typedef struct _PEB_LDR_DATA32 { ULONG Length; BOOLEAN Initialized; ULONG SsHandle; LIST_ENTRY32 InLoadOrderModuleList; LIST_ENTRY32 InMemoryOrderModuleList; LIST_ENTRY32 InInitializationOrderModuleList; ULONG EntryInProgress; } PEB_LDR_DATA32, *PPEB_LDR_DATA32; typedef struct _LDR_DATA_TABLE_ENTRY32 { LIST_ENTRY32 InLoadOrderLinks; LIST_ENTRY32 InMemoryOrderModuleList; LIST_ENTRY32 InInitializationOrderModuleList; ULONG DllBase; ULONG EntryPoint; ULONG SizeOfImage; UNICODE_STRING32 FullDllName; UNICODE_STRING32 BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; union { LIST_ENTRY32 HashLinks; ULONG SectionPointer; }u1; ULONG CheckSum; union { ULONG TimeDateStamp; ULONG LoadedImports; }u2; ULONG EntryPointActivationContext; ULONG PatchInformation; } LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32; #pragma pack()

接着就来实现对PEB的获取操作，以64位为例，我们需要调用PsGetProcessPeb()这个内核函数，因为该内核函数没有被公开所以调用之前需要头部导出，该函数需要传入用户进程的EProcess结构，该结构可用PsLookupProcessByProcessId函数动态获取到，获取到以后直接KeStackAttachProcess()附加到应用层进程上，即可直接输出进程的PEB结构信息，如下代码。

#include "peb.h"
#include <ntifs.h>

// 定义导出
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(_In_ PEPROCESS Process);

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint(("Uninstall Driver Is OK \n"));
}
// LyShark
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint

首页上一页 1 2 3 下一页尾页 2/3/3
【大中小】【打印】【繁体】【投稿】【收藏】【推荐】【举报】【评论】【关闭】【返回顶部】

上一篇：驱动开发：内核取ntoskrnl模块基..	下一篇：驱动开发：内核中实现Dump进程转储