内核遍历R3进程模块 获取信息(32,64,WoW64)
没什么技术含量,只是突然用到了,然后写出来,又突然想到看流星了,然后又发上来,
一想到长期潜水,看帖不回就羞愧的不要不要的;
//通过进程PID来获取目标模块路径;
NTSTATUS GetModulesPathByProcessID (IN HANDLE ProcessId, IN WCHAR* ModuleName, OUT WCHAR* ModulesPath) {
typedef PPEB (__stdcall * pfn_PsGetProcessPeb) (PEPROCESS pEProcess);
typedef PPEB32 (__stdcall * pfn_PsGetProcessWow64Process) (PEPROCESS Process);
NTSTATUS nStatus;
KAPC_STATE KAPC = { 0 };
PEPROCESSpEProcess = NULL; //EPROCESS结构指针;
PPEB pPEB = NULL; //PEB结构指针;
UNICODE_STRING uniFunctionName; //查找的函数名称;
PLDR_DATA_TABLE_ENTRY pLdrDataEntry = NULL; //LDR链表入口;
PLIST_ENTRY pListEntryStart = NULL; //链表头节点、尾节点;
PLIST_ENTRY pListEntryEnd = NULL;
//函数指针;
pfn_PsGetProcessPebPsGetProcessPeb = NULL;
//获取进程的EPROCESS结构指针;
nStatus = PsLookupProcessByProcessId (ProcessId, &pEProcess);
if (!NT_SUCCESS (nStatus)) {
return STATUS_UNSUCCESSFUL;
}
//查找函数地址;
RtlInitUnicodeString (&uniFunctionName, L"PsGetProcessPeb");
PsGetProcessPeb = (pfn_PsGetProcessPeb) (SIZE_T)MmGetSystemRoutineAddress (&uniFunctionName);
pPEB = PsGetProcessPeb (pEProcess);
KeStackAttachProcess (pEProcess, &KAPC);
pListEntryStart = pPEB->Ldr->InMemoryOrderModuleList.Flink;
pListEntryEnd = pPEB->Ldr->InMemoryOrderModuleList.Flink;
do {//输出DLL全路径;
pLdrDataEntry = (PLDR_DATA_TABLE_ENTRY)CONTAINING_RECORD (pListEntryStart, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
//KdPrint (("module:%wZ\n", &pLdrDataEntry->BaseDllName));
if (_wcsicmp (pLdrDataEntry->BaseDllName.Buffer, ModuleName) == 0) {
wcscpy (ModulesPath, pLdrDataEntry->FullDllName.Buffer);
goto end;
}
pListEntryStart = pListEntryStart->Flink;
} while (pListEntryStart != pListEntryEnd);
#ifdef _AMD64_// 或wow64进程;
PPEB32 pPEB32 = NULL; //PEB结构指针;
PLDR_DATA_TABLE_ENTRY32 pLdrDataEntry32 = NULL; //LDR链表入口;
PLIST_ENTRY32 pListEntryStart32 = NULL; //链表头节点、尾节点;
PLIST_ENTRY32 pListEntryEnd32 = NULL;
//函数指针;
pfn_PsGetProcessWow64Process PsGetProcessWow64Process = NULL;
RtlInitUnicodeString (&uniFunctionName, L"PsGetProcessWow64Process");
PsGetProcessWow64Process = (pfn_PsGetProcessWow64Process) (SIZE_T)MmGetSystemRoutineAddress (&uniFunctionName);
//获取PEB指针
pPEB32 = PsGetProcessWow64Process (pEProcess);
pListEntryStart32 = (PLIST_ENTRY32) (((PEB_LDR_DATA32*)pPEB32->Ldr)->InMemoryOrderModuleList.Flink);
pListEntryEnd32 = (PLIST_ENTRY32) (((PEB_LDR_DATA32*)pPEB32->Ldr)->InMemoryOrderModuleList.Flink);
do {//输出DLL全路径;
pLdrDataEntry32 = (PLDR_DATA_TABLE_ENTRY32)CONTAINING_RECORD (pListEntryStart32, LDR_DATA_TABLE_ENTRY32, InMemoryOrderLinks);
//KdPrint (("wow64:%ws\n", pLdrDataEntry32->BaseDllName.Buffer));
if (_wcsicmp ((WCHAR*)pLdrDataEntry32->BaseDllName.Buffer, ModuleName) == 0) {
wcscpy (ModulesPath, (WCHAR*)pLdrDataEntry32->FullDllName.Buffer);
goto end;
}
pListEntryStart32 = (PLIST_ENTRY32)pListEntryStart32->Flink;
} while (pListEntryStart32 != pListEntryEnd32);
#endif
end:
KeUnstackDetachProcess (&KAPC);
ObDereferenceObject (pEProcess);
return STATUS_SUCCESS;
}
附上用到的几个结构
typedef struct _PEB {
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR Spare;
PVOID Mutant;
PVOID ImageBaseAddress;
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERSProcessParameters;
PVOID SubSystemData;
} PEB, *PPEB;
//专为WoW64准备;
typedef struct _PEB32 {
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR Spare;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG/*PPEB_LDR_DATA32*/ Ldr;
} PEB32, *PPEB32;
typedef struct _PEB_LDR_DATA {
ULONG Length;
UCHAR Initialized;
PVOID SsHandle;
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID EntryInProgress;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
//专为WoW64准备;
typedef struct _PEB_LDR_DATA32 {
ULONG Length;
UCHAR Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
ULONG EntryInProgress;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;
typedef struct _LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
PVOID DllBase;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY HashLinks;
PVOID SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
PVOID LoadedImports;
PVOID EntryPointActivationContext;
PVOID PatchInformation;
LIST_ENTRY ForwarderLinks;
LIST_ENTRY ServiceTagLinks;
LIST_ENTRY StaticLinks;
PVOID ContextInformation;
PVOID OriginalBase;
LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
//专为WoW64准备;
typedef struct _LDR_DATA_TABLE_ENTRY32 {
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderLinks;
LIST_ENTRY32 InInitializationOrderLinks;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY32 HashLinks;
ULONG SectionPointer;
ULONG CheckSum;
ULONG TimeDateStamp;
ULONG LoadedImports;
ULONG EntryPointActivationContext;
ULONG PatchInformation;
LIST_ENTRY32 ForwarderLinks;
LIST_ENTRY32 ServiceTagLinks;
LIST_ENTRY32 StaticLinks;
ULONG ContextInformation;
ULONG OriginalBase;
LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;
页:
[1]