-
-
[原创]进程EPROCESS地址获取
-
发表于: 2012-11-22 22:44
-
至于EPROCESS有何作用,呵呵,不用明说了,获取方式由如下代码,大牛莫见笑
.586p
.model flat, stdcall
option casemap:none
include PidToEprocess.inc
EXP_PsLookupProcessByProcessId typedef proto :HANDLE,:PEPROCESS
FUN_EXP_PsLookupProcessByProcessId typedef ptr EXP_PsLookupProcessByProcessId
.data
FUN_PsLookupProcessByProcessId FUN_EXP_PsLookupProcessByProcessId ?
.code
DriverUnload proc pDriverObject:PDRIVER_OBJECT
invoke DbgPrint,$CTA0("Unload Driver Success\n")
ret
DriverUnload endp
GetKernelExpFunAddr proc uniFunName:PUNICODE_STRING
LOCAL retFunAddr:dword
cli
invoke MmGetSystemRoutineAddress,uniFunName
mov retFunAddr,eax
sti
mov eax,retFunAddr
ret
GetKernelExpFunAddr endp
PidToEprocess proc imgPid:DWORD
LOCAL funAddr:DWORD
LOCAL imgEprocess:PEPROCESS
LOCAL funName:UNICODE_STRING
invoke RtlInitUnicodeString,addr funName,$CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
invoke GetKernelExpFunAddr,$CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
;invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
mov funAddr,eax
mov FUN_PsLookupProcessByProcessId,eax
.if funAddr==0
invoke DbgPrint,$CTA0("Get PsLookupProcessByProcessId Address Failed.\n")
ret
.endif
;lea eax,imgEprocess
;push eax
;push imgPid
;call funAddr
invoke FUN_PsLookupProcessByProcessId,imgPid,addr imgEprocess
mov eax,dword ptr [imgEprocess]
ret
PidToEprocess endp
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRING
mov esi,pDriverObject
mov [esi+34h],offset DriverUnload
invoke PidToEprocess,1676
invoke DbgPrint,$CTA0("EPROCESS Address: 0x%08X\n"),eax
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
.586p
.model flat, stdcall
option casemap:none
include PidToEprocess.inc
EXP_PsLookupProcessByProcessId typedef proto :HANDLE,:PEPROCESS
FUN_EXP_PsLookupProcessByProcessId typedef ptr EXP_PsLookupProcessByProcessId
.data
FUN_PsLookupProcessByProcessId FUN_EXP_PsLookupProcessByProcessId ?
.code
DriverUnload proc pDriverObject:PDRIVER_OBJECT
invoke DbgPrint,$CTA0("Unload Driver Success\n")
ret
DriverUnload endp
GetKernelExpFunAddr proc uniFunName:PUNICODE_STRING
LOCAL retFunAddr:dword
cli
invoke MmGetSystemRoutineAddress,uniFunName
mov retFunAddr,eax
sti
mov eax,retFunAddr
ret
GetKernelExpFunAddr endp
PidToEprocess proc imgPid:DWORD
LOCAL funAddr:DWORD
LOCAL imgEprocess:PEPROCESS
LOCAL funName:UNICODE_STRING
invoke RtlInitUnicodeString,addr funName,$CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
invoke GetKernelExpFunAddr,$CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
;invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("PsLookupProcessByProcessId")
mov funAddr,eax
mov FUN_PsLookupProcessByProcessId,eax
.if funAddr==0
invoke DbgPrint,$CTA0("Get PsLookupProcessByProcessId Address Failed.\n")
ret
.endif
;lea eax,imgEprocess
;push eax
;push imgPid
;call funAddr
invoke FUN_PsLookupProcessByProcessId,imgPid,addr imgEprocess
mov eax,dword ptr [imgEprocess]
ret
PidToEprocess endp
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pusRegistryPath:PUNICODE_STRING
mov esi,pDriverObject
mov [esi+34h],offset DriverUnload
invoke PidToEprocess,1676
invoke DbgPrint,$CTA0("EPROCESS Address: 0x%08X\n"),eax
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
