-
-
[求助]64 EPROCESS->PEB->LDR 的疑问
-
发表于:
2016-1-20 11:04
4508
-
[求助]64 EPROCESS->PEB->LDR 的疑问
想在ring0 下遍历进程模块。遇到奇怪问题
疑问1.
64 下 通过PsLookupProcessByProcessId 获取的EPROCESS->PEB
PEB 的地址为0x1 是不是64下不能用了
+0x328 DefaultHardErrorProcessing : 2
+0x32c LastThreadExitStatus : 0n-641649353
[B] +0x330 Peb : 0x00000000`00000001 _PEB[/B]
+0x338 PrefetchTrace : _EX_FAST_REF
+0x340 ReadOperationCount : _LARGE_INTEGER 0x0
疑问2.
后通过
ZwQueryInformationProcess 查询 ProcessBasicInformation
typedef struct _PROCESS_BASIC_INFORMATION {
NTSTATUS ExitStatus;
[B]PPEB[/B] [B]PebBaseAddress[/B];
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;
ZwQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &process_base_info, sizeof(PROCESS_BASIC_INFORMATION), &Ret_Lenght);可以正常获取PEB,可是遍历的时候
代码如下
state = ZwQueryInformationProcess(NtCurrentProcess(), ProcessBasicInformation, &process_base_info, sizeof(PROCESS_BASIC_INFORMATION), &Ret_Lenght);
state = PsLookupProcessByProcessId(PsGetCurrentProcessId(), &eprocess);
if (NT_SUCCESS(state))
{
KeAttachProcess(eprocess);
__try
{
PPEB_LDR_DATA lpLDRData = (PPEB_LDR_DATA)*(PULONG)((ULONG)(process_base_info.PebBaseAddress) + 0x18);
PLIST_ENTRY pHead = &lpLDRData->InLoadOrderModuleList;
PLIST_ENTRY pTemp = NULL;
PLDR_DATA_TABLE_ENTRY pFind = NULL;
pTemp = pHead->Flink;
while (pTemp&&pTemp != pHead)
{
pFind = CONTAINING_RECORD(pTemp, LDR_DATA_TABLE_ENTRY, InLoadOrderModuleList);
dprintf("[MODULE]:%ws\n", pFind->BaseDllName.Buffer);
pTemp = pTemp->Flink;
}
}
__except (1)
{
dprintf("[Error]\n");
}
KeDetachProcess();
}
只能获取少量模块
[MODULE]:ntdll.dll
[MODULE]:wow64.dll
[MODULE]:wow64win.dll
[MODULE]:wow64cpu.dll
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
