("hello lyshark \n");
NTSTATUS status = STATUS_UNSUCCESSFUL;
PEPROCESS eproc = NULL;
KAPC_STATE kpc = { 0 };
PPEB64 pPeb64 = NULL;
__try
{
// HANDLE)4656 进程PID
status = PsLookupProcessByProcessId((HANDLE)4656, &eproc);
// 得到64位PEB
pPeb64 = (PPEB64)PsGetProcessPeb(eproc);
DbgPrint("PEB64 = %p \n", pPeb64);
if (pPeb64 != 0)
{
// 验证可读性
ProbeForRead(pPeb64, sizeof(PEB32), 1);
// 附加进程
KeStackAttachProcess(eproc, &kpc);
DbgPrint("进程基地址: 0x%p \n", pPeb64->ImageBaseAddress);
DbgPrint("ProcessHeap = 0x%p \n", pPeb64->ProcessHeap);
DbgPrint("BeingDebugged = %d \n", pPeb64->BeingDebugged);
// 脱离进程
KeUnstackDetachProcess(&kpc);
}
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}
PEB64代码运行后,我们加载驱动即可看到如下结果:
而相对于64位进程来说,获取32位(WoW64)进程的PEB信息可以直接调用PsGetProcessWow64Process()函数得到;该函数已被内核导出,可以直接使用。获取PEB的代码如下。
#include "peb.h"
#include <ntifs.h>
// Declaration of the exported kernel routine PsGetProcessPeb so it can be
// called from this driver. NOTE(review): presumably not declared by the
// public WDK headers, which is why it is declared by hand here — confirm
// against the installed ntifs.h.
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(_In_ PEPROCESS Process);
// Unload callback registered from DriverEntry. The driver owns no
// resources, so all it does is log that the unload happened.
VOID UnDriver(PDRIVER_OBJECT driver)
{
    (void)driver;  // unused: nothing to tear down on the driver object
    DbgPrint("Uninstall Driver Is OK \n");
}
// LyShark
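// Prints a few fields of the 32-bit (WoW64) PEB of the process identified by
// pid: ImageBaseAddress, ProcessHeap and BeingDebugged.
//
// Returns the status of the process lookup. A fault while reading the PEB is
// raised as an SEH exception and must be handled by the caller; the EPROCESS
// reference and the process attach are always released on that path.
static NTSTATUS DumpWow64Peb(HANDLE pid)
{
    PEPROCESS eproc = NULL;
    KAPC_STATE kpc = { 0 };
    PPEB32 pPeb32 = NULL;

    // PsLookupProcessByProcessId takes a reference on the EPROCESS on success;
    // the original code never dropped it, which leaks the object on every run.
    NTSTATUS status = PsLookupProcessByProcessId(pid, &eproc);
    if (!NT_SUCCESS(status))
    {
        // Without this check a failed lookup passed eproc == NULL down the
        // line, which bugchecks the machine instead of reporting the error.
        DbgPrint("PsLookupProcessByProcessId(%p) failed: 0x%X \n", pid, status);
        return status;
    }

    __try
    {
        // NULL means the target is not a WoW64 process (it has no 32-bit PEB).
        pPeb32 = (PPEB32)PsGetProcessWow64Process(eproc);
        DbgPrint("PEB32 = %p \n", pPeb32);

        if (pPeb32 != NULL)
        {
            // The PEB is a user-mode address in the *target's* address space.
            // Attach before probing: a probe or read done from the caller's
            // context refers to the wrong address space.
            KeStackAttachProcess(eproc, &kpc);
            __try
            {
                // ProbeForRead only checks that the range lies in user space
                // and is aligned; the reads below are what the caller's
                // exception handler actually guards.
                ProbeForRead(pPeb32, sizeof(PEB32), 1);
                DbgPrint("进程基地址: 0x%p \n", pPeb32->ImageBaseAddress);
                DbgPrint("ProcessHeap = 0x%p \n", pPeb32->ProcessHeap);
                DbgPrint("BeingDebugged = %d \n", pPeb32->BeingDebugged);
            }
            __finally
            {
                // Detach even when a read faults; the original code left the
                // thread attached to the target on the exception path.
                KeUnstackDetachProcess(&kpc);
            }
        }
    }
    __finally
    {
        ObDereferenceObject(eproc);
    }

    return status;
}

// LyShark
// Driver entry point: registers the unload routine and dumps the WoW64 PEB of
// a hard-coded target process. Always returns STATUS_SUCCESS so the driver
// stays loaded even if the target process is missing or the read faults.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;  // unused: no registry configuration is read

    DbgPrint("hello lyshark \n");

    // Register the unload routine once, up front, so every exit path has it
    // instead of repeating the assignment in each branch.
    Driver->DriverUnload = UnDriver;

    __try
    {
        // (HANDLE)6164 is the PID of the target process; it is specific to the
        // machine the sample was written on and must be adjusted per run.
        DumpWow64Peb((HANDLE)6164);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Reading the PEB faulted (e.g. the process exited or the page is not
        // accessible); report it rather than swallowing it silently.
        DbgPrint("Reading PEB32 failed with exception 0x%X \n", GetExceptionCode());
    }

    return STATUS_SUCCESS;
}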
PEB32代码运行后,我们加载驱动即可看到如下结果: