最近在做一个进程监视器,这个对大家来说也许都没有什么难度了,不过在我这里遇到些小问题,很奇怪的,请大家帮帮我,看问题出在哪里?(WindowsXP SP2下)
在DriverEntry中使用PsSetCreateProcessNotifyRoutine挂上监控进程的函数ProcessCreateMon
status = PsSetCreateProcessNotifyRoutine(ProcessCreateMon, FALSE);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsSetCreateProcessNotifyRoutine()\n");
return status;
}
下面是ProcessCreateMon这个函数:
VOID ProcessCreateMon ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate )
{
PEPROCESS EProcess;
ULONG ulCurrentProcessId;
LPTSTR lpCurProc;
NTSTATUS status;
PEPROCESS pep;
ULONG ulOffset;
ULONG ulPathOffset;
GetImageFileNameOffset(&ulOffset);
status = PsLookupProcessByProcessId( (ULONG)PId, &EProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}
if ( bCreate )
{
lpCurProc = (LPTSTR)EProcess;
lpCurProc = lpCurProc + ulOffset;
ulPathOffset = (ULONG)EProcess + 0x1b0; //PEB
ulPathOffset = *(PULONG)ulPathOffset;
if ( !MmIsAddressValid( (PVOID)ulPathOffset )) //检测PEB是否有效
{
DbgPrint("Peb is invalid!\n");
return;
}
ulPathOffset += 0x10; //通过PEB获得RTL_USER_PROCESS_PARAMETERS
ulPathOffset = *(PULONG)ulPathOffset;
if ( !MmIsAddressValid( (PVOID)ulPathOffset )) //检测RTL_USER_PROCESS_PARAMETERS是否有效
{
DbgPrint("RTL_USER_PROCESS_PARAMETERS is invalid!\n");
return;
}
ulPathOffset += 0x38; //通过RTL_USER_PROCESS_PARAMETERS获得ImagePathName
ulPathOffset = *(PULONG)ulPathOffset;
if ( !MmIsAddressValid( (PVOID)ulPathOffset )) //检测ImagePathName是否有效
{
DbgPrint("ImagePathName is invalid!\n");
return;
}
DbgPrint(" Process Full Path Name: %ws\n", (PCWSTR)ulPathOffset); //输出路径信息
DbgPrint( "CREATE PROCESS = PROCESS NAME: %s , PROCESS PARENTID: %d, PROCESS ID: %d, PROCESS ADDRESS %x:\n",
lpCurProc,
hParentId,
PId,
EProcess );
}
else
{
DbgPrint( "TERMINATED == PROCESS ID: %d\n", PId);
}
}
在虚拟机中加载驱动,用windbg调试,却总是发现获取的PEB或者RTL_USER_PROCESS_PARAMETERS不正确。
比如:在获取的EProcess是:0x813d0020
在Windbg中 dt _EPROCESS 0x813d0020
显示:......
+0x174 ImageFileName : [16] "DbgView.exe"
......
+0x1b0 Peb : 0x7ffd9000 _PEB
再:dt _PEB 0x7ffd9000 得到
kd> dt _PEB 0x7ffd9000
nt!_PEB
+0x000 InheritedAddressSpace : 0x4c 'L'
+0x001 ReadImageFileExecOptions : 0xfe ''
+0x002 BeingDebugged : 0x5c '\'
+0x003 SpareBool : 0x2 ''
+0x004 Mutant : 0x025d0000
+0x008 ImageBaseAddress : 0x025c2000
+0x00c Ldr : (null)
+0x010 ProcessParameters : 0x00001e00 _RTL_USER_PROCESS_PARAMETERS
......
这个时候ProcessParameters 的值0x00001e00就已经不正确了,请问这是为什么啊???
怎么才能在监控进程启动的时候获取其全路径呢?
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)