设为首页收藏本站
切换到宽版

龙马谷

 找回密码
 立即注册

QQ登录

只需一步,快速开始

龙马谷»龙马谷论坛 技术专区 C/C++技术分享 进程、注册表路径 内核函数封装源码
龙马谷VIP会员办理客服QQ:82926983(如果临时会话没有收到回复,请先加QQ好友再发。)
1 [已完结] GG修改器新手入门与实战教程 31课 2 [已完结] GG修改器美化修改教程 6课 3 [已完结] GG修改器Lua脚本新手入门教程 12课
4 [已完结] 触动精灵脚本新手入门必学教程 22课 5 [已完结] 手游自动化脚本入门实战教程 9课 6 [已完结] C++射击游戏方框骨骼透视与自瞄教程 27课
7 [已完结] C++零基础UE4逆向开发FPS透视自瞄教程 29课 8 [已完结] C++零基础大漠模拟器手游自动化辅助教程 22课 9 [已完结] C++零基础开发DXF内存脚本辅助教程 32课
以下是天马阁VIP教程,本站与天马阁合作,赞助VIP可以获得天马阁对应VIP会员,名额有限! 点击进入天马阁论坛
1 [已完结] x64CE与x64dbg入门基础教程 7课 2 [已完结] x64汇编语言基础教程 16课 3 [已完结] x64辅助入门基础教程 9课
4 [已完结] C++x64内存辅助实战技术教程 149课 5 [已完结] C++x64内存检测与过检测技术教程 10课 6 [已完结] C+x64二叉树分析遍历与LUA自动登陆教程 19课
7 [已完结] C++BT功能原理与x64实战教程 29课 8 [已完结] C+FPS框透视与自瞄x64实现原理及防护思路
返回列表 发新帖
查看: 11204|回复: 0

进程、注册表路径 内核函数封装源码

[复制链接]
123456790

8

主题

1

回帖

15

积分

编程入门

Rank: 1

龙马币
56
123456790 | 显示全部楼层 |阅读模式



  3. //依据EPROCESS得到进程全路径
  4. extern VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName );

  6. //得到当前调用函数的进程信息
  7. extern VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path);

  9. //路径解析出子进程名
  10. extern VOID GetSonName( PCHAR ProcessPath, PCHAR ProcessName );

  12. //根据SectionHandle得到进程全路径
  13. extern VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName);

  15. //根据ProcessHandle得到进程全路径
  16. extern VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid );

  18. //FileObject得到进程全路径
  19. extern VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName);

  21. //KeyHandle得到注册表全路径
  22. extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);

  24. //
  25. extern VOID UnicodeTochar(PUNICODE_STRING dst , char *src);
  26. //
  27. extern VOID WcharToChar(PWCHAR src,PCHAR dst);

  29. 代码:
  30. extern POBJECT_TYPE *PsProcessType;

  32. NTKERNELAPI
  33. UCHAR *
  34. PsGetProcessImageFileName(
  35. PEPROCESS Process);

  37. NTKERNELAPI
  38. NTSTATUS
  39. ObQueryNameString(
  40. INPVOID Object,
  41. OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
  42. INULONG Length,
  43. OUT PULONG ReturnLength);

  45. //路径解析出子进程名
  46. VOIDGetSonName( char *ProcessPath, char *ProcessName )
  47. {
  48. ULONG n = strlen( ProcessPath) - 1;
  49. ULONG i = n;
  50. //KdPrint(("%d",n));
  51. while( ProcessPath[i] != '\\')
  52. {
  53. i = i-1;
  54. }
  55. strncpy( ProcessName,ProcessPath+i+1,n-i);
  56. }

  58. //依据EPROCESS得到进程全路径
  59. VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName )
  60. {
  61. //原理Eprocess->sectionobject(0x138)->Segment(0x014)->ControlAera(0x000)->FilePointer(0x024)->(FileObject->FileName,FileObject->DeviceObject)
  62. ULONG object;
  63. PFILE_OBJECT FileObject;
  64. UNICODE_STRING FilePath;
  65. UNICODE_STRING DosName;
  66. STRING AnsiString;

  68. FileObject = NULL;
  69. FilePath.Buffer = NULL;
  70. FilePath.Length = 0;
  71. *ProcessImageName = 0;

  73. if(MmIsAddressValid((PULONG)(eprocess+0x138)))//Eprocess->sectionobject(0x138)
  74. {
  75. object=(*(PULONG)(eprocess+0x138));
  76. //KdPrint(("[GetProcessFileName] sectionobject :0x%x\n",object));
  77. if(MmIsAddressValid((PULONG)((ULONG)object+0x014)))
  78. {
  79. object=*(PULONG)((ULONG)object+0x014);
  80. //KdPrint(("[GetProcessFileName] Segment :0x%x\n",object));
  81. if(MmIsAddressValid((PULONG)((ULONG)object+0x0)))
  82. {
  83. object=*(PULONG)((ULONG_PTR)object+0x0);
  84. //KdPrint(("[GetProcessFileName] ControlAera :0x%x\n",object));
  85. if(MmIsAddressValid((PULONG)((ULONG)object+0x024)))
  86. {
  87. object=*(PULONG)((ULONG)object+0x024);
  88. //KdPrint(("[GetProcessFileName] FilePointer :0x%x\n",object));
  89. }
  90. else
  91. return ;
  92. }
  93. else
  94. return ;
  95. }
  96. else
  97. return ;
  98. }
  99. else
  100. return ;
  101. FileObject=(PFILE_OBJECT)object;

  103. FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
  104. FilePath.MaximumLength = 0x200;
  105. //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
  106. ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1,操作对象

  108. RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
  109. RtlCopyUnicodeString(&FilePath, &DosName);
  110. RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
  111. ObDereferenceObject(FileObject);

  113. RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
  114. if ( AnsiString.Length >= 216 )
  115. {
  116. memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
  117. *(ProcessImageName + 215) = 0;
  118. }
  119. else
  120. {
  121. memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
  122. ProcessImageName[AnsiString.Length] = 0;
  123. }
  124. RtlFreeAnsiString(&AnsiString);
  125. ExFreePool(DosName.Buffer);
  126. ExFreePool(FilePath.Buffer);
  127. }


  130. //
  131. VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
  132. {
  133. PEPROCESS Cprocess;
  134. Cprocess = PsGetCurrentProcess();
  135. *pid = *(PULONG)((ULONG)Cprocess+0x84);
  136. strcpy(name ,PsGetProcessImageFileName(Cprocess));
  137. GetFullPathByEprocess((ULONG)Cprocess,path);
  138. }


  141. //根据SectionHandle得到进程全路径
  142. VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName )
  143. {
  144. PVOID SectionObject;
  145. PFILE_OBJECT FileObject;
  146. UNICODE_STRING FilePath;
  147. UNICODE_STRING DosName;
  148. NTSTATUS Status;
  149. STRING AnsiString;

  151. SectionObject = NULL;
  152. FileObject = NULL;
  153. FilePath.Buffer = NULL;
  154. FilePath.Length = 0;
  155. *ProcessImageName = 0;
  156. Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);

  158. if ( NT_SUCCESS(Status) )
  159. {
  160. FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
  161. FilePath.MaximumLength = 0x200;
  162. FileObject = (PFILE_OBJECT)(*((ULONG *)SectionObject + 5)); // PSEGMENT
  163. FileObject = *(PFILE_OBJECT *)FileObject; // CONTROL_AREA
  164. FileObject = *(PFILE_OBJECT *)((ULONG)FileObject + 36); // FILE_OBJECT
  165. ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
  166. RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
  167. RtlCopyUnicodeString(&FilePath, &DosName);
  168. RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
  169. ObDereferenceObject(FileObject);
  170. ObDereferenceObject(SectionObject);
  171. RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
  172. if ( AnsiString.Length >= 216 )
  173. {
  174. memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
  175. *(ProcessImageName + 215) = 0;
  176. }
  177. else
  178. {
  179. memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
  180. ProcessImageName[AnsiString.Length] = 0;
  181. }
  182. RtlFreeAnsiString(&AnsiString);
  183. ExFreePool(DosName.Buffer);
  184. ExFreePool(FilePath.Buffer);
  185. }
  186. }


  189. //根据ProcessHandle得到EPROCESS然后得到进程全路径
  190. VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid )
  191. {
  192. NTSTATUS status;
  193. PVOID ProcessObject;
  194. ULONG eprocess;

  196. status = ObReferenceObjectByHandle( ProcessHandle ,0,*PsProcessType,KernelMode, &ProcessObject, NULL);
  197. if(!NT_SUCCESS(status)) //失败
  198. {
  199. DbgPrint("Object Error");
  200. KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n",status));
  201. return;
  202. }
  203. //KdPrint(("[GetTerminateProcessPath] Eprocess :0x%x\n",(ULONG)ProcessObject));
  204. //Object转换成EPROCESS: object低二位清零
  205. eprocess = ((ULONG)ProcessObject) & 0xFFFFFFFC;
  206. *pid = *(PULONG)((ULONG)eprocess+0x84);
  207. ObDereferenceObject(ProcessObject);
  208. GetFullPathByEprocess( eprocess ,ProcessImageName);
  209. }


  212. //根据FileObject得到全路径
  213. VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName)
  214. {

  216. UNICODE_STRING FilePath;
  217. UNICODE_STRING DosName;
  218. STRING AnsiString;

  220. FilePath.Buffer = NULL;
  221. FilePath.Length = 0;
  222. *ProcessImageName = 0;

  224. FilePath.Buffer = ExAllocatePool(PagedPool,0x200);
  225. FilePath.MaximumLength = 0x200;
  226. //KdPrint(("[GetProcessFileName] FilePointer :%wZ\n",&FilePointer->FileName));
  227. ObReferenceObjectByPointer((PVOID)FileObject,0,NULL,KernelMode);//引用计数+1,操作对象

  229. RtlVolumeDeviceToDosName(FileObject-> DeviceObject, &DosName);
  230. RtlCopyUnicodeString(&FilePath, &DosName);
  231. RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
  232. ObDereferenceObject(FileObject);

  234. RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
  235. if ( AnsiString.Length >= 216 )
  236. {
  237. memcpy(ProcessImageName, AnsiString.Buffer, 0x100u);
  238. *(ProcessImageName + 215) = 0;
  239. }
  240. else
  241. {
  242. memcpy(ProcessImageName, AnsiString.Buffer, AnsiString.Length);
  243. ProcessImageName[AnsiString.Length] = 0;
  244. }
  245. RtlFreeAnsiString(&AnsiString);
  246. ExFreePool(DosName.Buffer);
  247. ExFreePool(FilePath.Buffer);
  248. }


  251. //解析注册表路径
  252. BOOLEAN StandardPrintHkey(char * path,char *realpath)
  253. {

  255. int judgeTop;
  256. int judgeSecond;
  257. int judgeThird;
  258. inti;
  259. int j;
  260. int t;
  261. int k;
  262. int lencur;
  263. char realname[255]={0};
  264. j=0;
  265. k=0;
  266. t=0;
  267. judgeTop=strncmp("\\REGISTRY\\USER",path,14);

  269. if(judgeTop==0)
  270. {

  272. lencur=strlen(path);
  273. for(i=0;i<lencur;i++)
  274. {
  275. if(path[i]=='-')
  276. {
  277. if(path[i+1]=='5')
  278. {
  279. if(path[i+2]=='0')
  280. {
  281. if(path[i+3]=='0')
  282. {if(path[i+4]=='_')
  283. {
  284. k=i+12;
  285. t=1;
  286. }
  287. else
  288. {
  289. j=i+4;
  290. t=1;
  291. }
  292. }
  293. }
  294. }
  295. }
  296. }

  298. DbgPrint("[j]%d\n",j);
  299. DbgPrint("[k]%d\n",k);
  300. if((k==0)&&(t==1))
  301. {
  302. strcpy(realname,"HKEY_CURRENT_USER");
  303. strncat(realname,&path[j],sizeof(path)-j);
  304. DbgPrint("[HKEY_CURRENT_USER]%s",path);
  305. }
  306. if((j==0)&&(t==1))
  307. {
  308. strcpy(realname,"HKEY_CLASSES_ROOT");
  309. strncat(realname,&path[k],sizeof(path)-k);
  310. DbgPrint("[HKEY_CLASSES_ROOT]%s",path);
  311. }
  312. if(t==0)
  313. {
  314. strcpy(realname,"HKEY_USERS");
  315. strncat(realname,&path[14],sizeof(path)-14);
  316. DbgPrint("[HKEY_USER]%s",path);
  317. }
  318. }
  319. else
  320. {
  321. judgeThird=strncmp("\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001",path,61);
  322. if(judgeThird==0)
  323. {
  324. strcpy(realname,"HKEY_CURRENT_CONFIG");
  325. strncat(realname,&path[61],sizeof(path)-61);
  326. DbgPrint("[HKEY_CURRENT_CONFIG]%s",path);
  327. }
  328. else
  329. {


  332. strcpy(realname,"HKEY_LOCAL_MACHINE");
  333. strncat(realname,&path[17],sizeof(path)-17);
  334. DbgPrint("[HKEY_LOCAL_MACHINE]%s",path);


  337. }
  338. }
  339. strcpy(realpath,realname);
  340. return TRUE;
  341. }


  344. //注册表根据KeyHandle得到键
  345. BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)
  346. {

  348. ULONG uactLength;
  349. POBJECT_NAME_INFORMATIONpustr;
  350. ANSI_STRING astr;
  351. PVOID pObj;
  352. NTSTATUS ns;
  353. char pch[256]={0};
  354. ns = ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &pObj, NULL );
  355. if (!NT_SUCCESS(ns))
  356. {
  357. KdPrint(("111!\n"));
  358. KdPrint(("0x%x\n",ns));
  359. return FALSE;
  360. }
  361. pustr = ExAllocatePool(NonPagedPool,1024+4);

  363. if (pObj==NULL||pch==NULL)
  364. return FALSE;

  366. ns = ObQueryNameString(pObj,pustr,512,&uactLength);

  368. if (NT_SUCCESS(ns))
  369. {
  370. RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)pustr,TRUE);
  371. strncpy(pch,astr.Buffer,256);
  372. }
  373. ExFreePool(pustr);
  374. RtlFreeAnsiString( &astr );
  375. if (pObj)
  376. {
  377. ObDereferenceObject(pObj);
  378. }
  379. StandardPrintHkey(pch,realpath);
  380. return TRUE;
  381. }


  384. //UnicodeTochar
  385. VOID UnicodeTochar(PUNICODE_STRING dst , char *src)
  386. {
  387. ANSI_STRING string;
  388. RtlUnicodeStringToAnsiString(&string,dst, TRUE);
  389. strcpy(src,string.Buffer);
  390. RtlFreeAnsiString(&string);
  391. }


  394. //wcharTochar
  395. VOID WcharToChar(PWCHAR src,PCHAR dst)
  396. {
  397. UNICODE_STRING uString;
  398. ANSI_STRING aString;
  399. RtlInitUnicodeString(&uString,src);
  400. RtlUnicodeStringToAnsiString(&aString,&uString,TRUE);
  401. strcpy(dst,aString.Buffer);
  402. RtlFreeAnsiString(&aString);
  403. }


复制代码
回复

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

龙马谷| C/C++辅助教程| 安卓逆向安全| 论坛导航| 免责申明|Archiver|
拒绝任何人以任何形式在本论坛发表与中华人民共和国法律相抵触的言论,本站内容均为会员发表,并不代表龙马谷立场!
任何人不得以任何方式翻录、盗版或出售本站视频,一经发现我们将追究其相关责任!
我们一直在努力成为最好的编程论坛!
Copyright© 2018-2021 All Right Reserved.
关闭

会员办理

售后客服

技术支持

工作时间:9:00-22:00

在线客服
快速回复 返回顶部 返回列表