[求助]ZwCreateUserProcess第10个参数结构-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (6)
wang王雪币： 4668 活跃值： (1713) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 255 粉丝 0 关注私信	wang王 2 楼 NTSTATUS __stdcall ZwCreateUserProcess(OUT PHANDLE ProcessHandle,OUT PHANDLE ThreadHandle,IN ACCESS_MASK ProcessDesiredAccess, IN ACCESS_MASK ThreadDesiredAccess,IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL,IN ULONG CreateProcessFlags,IN ULONG CreateThreadFlags, IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters,IN PVOID Parameter10,IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList); DWORD WINAPI GetProcessId( _In_ HANDLE Process ); Process [in] A handle to the process. The handle must have the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access right. For more information, see Process Security and Access Rights. 2016-3-8 23:23 0
wang王雪币： 4668 活跃值： (1713) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 255 粉丝 0 关注私信	wang王 3 楼 GetProcessId(*ProcessHandle) 2016-3-8 23:27 0
赵建新雪币： 8 活跃值： (21) 能力值： ( LV2，RANK：10 ) 在线值：发帖 156 回帖 410 粉丝 1 关注私信	赵建新 4 楼 Win7没有这个函数，而且还要open到那个属性才得到的的句柄，才能正确返回是不 2016-3-9 00:03 0
wang王雪币： 4668 活跃值： (1713) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 255 粉丝 0 关注私信	wang王 5 楼 Minimum supported client Windows Vista, Windows XP with SP1 [desktop apps only] Minimum supported server Windows Server 2003 [desktop apps only] Header WinBase.h on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 (include Windows.h); Processthreadsapi.h on Windows 8 and Windows Server 2012 Library Kernel32.lib DLL Kernel32.dll 2016-3-9 00:30 0
Diabloking 雪币： 350 活跃值： (13) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 117 粉丝 0 关注私信	Diabloking 6 楼 NTSTATUS NTAPI NtCreateUserProcess( OUT PHANDLE ProcessHandle, OUT PHANDLE ThreadHandle, IN ACCESS_MASK ProcessDesiredAccess, IN ACCESS_MASK ThreadDesiredAccess, IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, IN ULONG ProcessFlags, // PROCESS_CREATE_FLAGS_* IN ULONG ThreadFlags, // THREAD_CREATE_FLAGS_* IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters, IN OUT PPS_CREATE_INFO CreateInfo, IN PPS_ATTRIBUTE_LIST AttributeList ); typedef struct _PS_CREATE_INFO { SIZE_T Size; PS_CREATE_STATE State; union { // PsCreateInitialState struct { union { ULONG InitFlags; struct { UCHAR WriteOutputOnExit : 1; UCHAR DetectManifest : 1; UCHAR SpareBits1 : 6; UCHAR IFEOKeyState : 2; // PS_IFEO_KEY_STATE UCHAR SpareBits2 : 6; USHORT ProhibitedImageCharacteristics : 16; }; }; ACCESS_MASK AdditionalFileAccess; } InitState; // PsCreateFailOnSectionCreate struct { HANDLE FileHandle; } FailSection; // PsCreateFailExeName struct { HANDLE IFEOKey; } ExeName; // PsCreateSuccess struct { union { ULONG OutputFlags; struct { UCHAR ProtectedProcess : 1; UCHAR AddressSpaceOverride : 1; UCHAR DevOverrideEnabled : 1; // from Image File Execution Options UCHAR ManifestDetected : 1; UCHAR SpareBits1 : 4; UCHAR SpareBits2 : 8; USHORT SpareBits3 : 16; }; }; HANDLE FileHandle; HANDLE SectionHandle; ULONGLONG UserProcessParametersNative; ULONG UserProcessParametersWow64; ULONG CurrentParameterFlags; ULONGLONG PebAddressNative; ULONG PebAddressWow64; ULONGLONG ManifestAddress; ULONG ManifestSize; } SuccessState; }; } PS_CREATE_INFO, *PPS_CREATE_INFO; 新进程的PID在AttributeList里, 有个PS_ATTRIBUTE_CLIENT_ID, 指向一个CLIENT_ID 2016-3-9 00:54 0
赵建新雪币： 8 活跃值： (21) 能力值： ( LV2，RANK：10 ) 在线值：发帖 156 回帖 410 粉丝 1 关注私信	赵建新 7 楼 // private typedef enum _PS_ATTRIBUTE_NUM { PsAttributeParentProcess, // in HANDLE PsAttributeDebugPort, // in HANDLE PsAttributeToken, // in HANDLE PsAttributeClientId, // out PCLIENT_ID PsAttributeTebAddress, // out PTEB * PsAttributeImageName, // in PWSTR PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE PsAttributePriorityClass, // in UCHAR PsAttributeErrorMode, // in ULONG PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO PsAttributeHandleList, // in PHANDLE PsAttributeGroupAffinity, // in PGROUP_AFFINITY PsAttributePreferredNode, // in PUSHORT PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES PsAttributeMitigationOptions, // in UCHAR PsAttributeMax } PS_ATTRIBUTE_NUM; // begin_rev #define PsAttributeValue(Number, Thread, Input, Unknown) \ (((Number) & PS_ATTRIBUTE_NUMBER_MASK) \| \ ((Thread) ? PS_ATTRIBUTE_THREAD : 0) \| \ ((Input) ? PS_ATTRIBUTE_INPUT : 0) \| \ ((Unknown) ? PS_ATTRIBUTE_UNKNOWN : 0)) #define PS_ATTRIBUTE_PARENT_PROCESS \ PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_DEBUG_PORT \ PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_TOKEN \ PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE) #define PS_ATTRIBUTE_CLIENT_ID \ PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE) #define PS_ATTRIBUTE_TEB_ADDRESS \ PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE) #define PS_ATTRIBUTE_IMAGE_NAME \ PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_IMAGE_INFO \ PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE) #define PS_ATTRIBUTE_MEMORY_RESERVE \ PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_PRIORITY_CLASS \ PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_ERROR_MODE \ PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_STD_HANDLE_INFO \ PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_HANDLE_LIST \ PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_GROUP_AFFINITY \ PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE) #define PS_ATTRIBUTE_PREFERRED_NODE \ PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE) #define PS_ATTRIBUTE_IDEAL_PROCESSOR \ PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE) #define PS_ATTRIBUTE_MITIGATION_OPTIONS \ PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE) // end_rev // begin_private typedef struct _PS_ATTRIBUTE { //这个结构里怎么没有连接上边PS_ATTRIBUTE_NUM的指针呢 ULONG Attribute; SIZE_T Size; union { ULONG Value; PVOID ValuePtr; //这个是指向哪里的，上边的哪个结构吗 }; PSIZE_T ReturnLength; } PS_ATTRIBUTE, PPS_ATTRIBUTE; typedef struct _PS_ATTRIBUTE_LIST { SIZE_T TotalLength; PS_ATTRIBUTE Attributes[1]; } PS_ATTRIBUTE_LIST, PPS_ATTRIBUTE_LIST; 2016-3-9 13:09 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

wang王

雪币： 4668

活跃值： (1713)

能力值：

( LV2，RANK：10 )

在线值：

发帖

8

回帖

255

粉丝

0

关注

私信

wang王: 2 楼

NTSTATUS __stdcall ZwCreateUserProcess(OUT PHANDLE ProcessHandle,OUT PHANDLE ThreadHandle,IN ACCESS_MASK ProcessDesiredAccess,
		IN ACCESS_MASK ThreadDesiredAccess,IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL,
		IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL,IN ULONG CreateProcessFlags,IN ULONG CreateThreadFlags,
		IN PRTL_USER_PROCESS_PARAMETERS ProcessParameters,IN PVOID Parameter10,IN PNT_PROC_THREAD_ATTRIBUTE_LIST AttributeList);

DWORD WINAPI GetProcessId(
_In_ HANDLE Process
);

Process [in]
A handle to the process. The handle must have the PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION access right. For more information, see Process Security and Access Rights.

2016-3-8 23:23

0

wang王

雪币： 4668

活跃值： (1713)

能力值：

( LV2，RANK：10 )

在线值：

发帖

8

回帖

255

粉丝

0

关注

私信

wang王: 3 楼

GetProcessId(*ProcessHandle)

2016-3-8 23:27

0

赵建新

雪币： 8

活跃值： (21)

能力值：

( LV2，RANK：10 )

在线值：

发帖

156

回帖

410

粉丝

1

关注

私信

赵建新: 4 楼

Win7没有这个函数，而且还要open到那个属性才得到的的句柄，才能正确返回是不

2016-3-9 00:03

0

wang王

雪币： 4668

活跃值： (1713)

能力值：

( LV2，RANK：10 )

在线值：

发帖

8

回帖

255

粉丝

0

关注

私信

wang王: 5 楼

Minimum supported client
Windows Vista, Windows XP with SP1 [desktop apps only]

Minimum supported server
Windows Server 2003 [desktop apps only]

Header
WinBase.h on Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 (include Windows.h); Processthreadsapi.h on Windows 8 and Windows Server 2012

Library
Kernel32.lib

DLL
Kernel32.dll

2016-3-9 00:30

0

Diabloking

雪币： 350

活跃值： (13)

能力值：

( LV2，RANK：10 )

在线值：

发帖

5

回帖

117

粉丝

0

关注

私信

Diabloking: 6 楼

NTSTATUS
NTAPI
NtCreateUserProcess(
    OUT     PHANDLE                         ProcessHandle,
    OUT     PHANDLE                         ThreadHandle,
    IN      ACCESS_MASK                     ProcessDesiredAccess,
    IN      ACCESS_MASK                     ThreadDesiredAccess,
    IN      POBJECT_ATTRIBUTES              ProcessObjectAttributes OPTIONAL,
    IN      POBJECT_ATTRIBUTES              ThreadObjectAttributes OPTIONAL,
    IN      ULONG                           ProcessFlags,                   // PROCESS_CREATE_FLAGS_*
    IN      ULONG                           ThreadFlags,                    // THREAD_CREATE_FLAGS_*
    IN      PRTL_USER_PROCESS_PARAMETERS    ProcessParameters,
    IN OUT  PPS_CREATE_INFO                 CreateInfo,
    IN      PPS_ATTRIBUTE_LIST              AttributeList
);

typedef struct _PS_CREATE_INFO
{
    SIZE_T Size;
    PS_CREATE_STATE State;
    union
    {
        // PsCreateInitialState
        struct
        {
            union
            {
                ULONG InitFlags;
                struct
                {
                    UCHAR WriteOutputOnExit : 1;
                    UCHAR DetectManifest : 1;
                    UCHAR SpareBits1 : 6;
                    UCHAR IFEOKeyState : 2; // PS_IFEO_KEY_STATE
                    UCHAR SpareBits2 : 6;
                    USHORT ProhibitedImageCharacteristics : 16;
                };
            };
            ACCESS_MASK AdditionalFileAccess;
        } InitState;

        // PsCreateFailOnSectionCreate
        struct
        {
            HANDLE FileHandle;
        } FailSection;

        // PsCreateFailExeName
        struct
        {
            HANDLE IFEOKey;
        } ExeName;

        // PsCreateSuccess
        struct
        {
            union
            {
                ULONG OutputFlags;
                struct
                {
                    UCHAR ProtectedProcess : 1;
                    UCHAR AddressSpaceOverride : 1;
                    UCHAR DevOverrideEnabled : 1; // from Image File Execution Options
                    UCHAR ManifestDetected : 1;
                    UCHAR SpareBits1 : 4;
                    UCHAR SpareBits2 : 8;
                    USHORT SpareBits3 : 16;
                };
            };

            HANDLE FileHandle;
            HANDLE SectionHandle;
            ULONGLONG UserProcessParametersNative;
            ULONG UserProcessParametersWow64;
            ULONG CurrentParameterFlags;
            ULONGLONG PebAddressNative;
            ULONG PebAddressWow64;
            ULONGLONG ManifestAddress;
            ULONG ManifestSize;
        } SuccessState;
    };
} PS_CREATE_INFO, *PPS_CREATE_INFO;

新进程的PID在AttributeList里, 有个PS_ATTRIBUTE_CLIENT_ID, 指向一个CLIENT_ID

2016-3-9 00:54

0

赵建新

雪币： 8

活跃值： (21)

能力值：

( LV2，RANK：10 )

在线值：

发帖

156

回帖

410

粉丝

1

关注

私信

赵建新: 7 楼

// private
typedef enum _PS_ATTRIBUTE_NUM
{
    PsAttributeParentProcess, // in HANDLE
    PsAttributeDebugPort, // in HANDLE
    PsAttributeToken, // in HANDLE
    PsAttributeClientId, // out PCLIENT_ID
    PsAttributeTebAddress, // out PTEB *
    PsAttributeImageName, // in PWSTR
    PsAttributeImageInfo, // out PSECTION_IMAGE_INFORMATION
    PsAttributeMemoryReserve, // in PPS_MEMORY_RESERVE
    PsAttributePriorityClass, // in UCHAR
    PsAttributeErrorMode, // in ULONG
    PsAttributeStdHandleInfo, // 10, in PPS_STD_HANDLE_INFO
    PsAttributeHandleList, // in PHANDLE
    PsAttributeGroupAffinity, // in PGROUP_AFFINITY
    PsAttributePreferredNode, // in PUSHORT
    PsAttributeIdealProcessor, // in PPROCESSOR_NUMBER
    PsAttributeUmsThread, // ? in PUMS_CREATE_THREAD_ATTRIBUTES
    PsAttributeMitigationOptions, // in UCHAR
    PsAttributeMax
} PS_ATTRIBUTE_NUM;

// begin_rev

#define PsAttributeValue(Number, Thread, Input, Unknown) \
    (((Number) & PS_ATTRIBUTE_NUMBER_MASK) | \
    ((Thread) ? PS_ATTRIBUTE_THREAD : 0) | \
    ((Input) ? PS_ATTRIBUTE_INPUT : 0) | \
    ((Unknown) ? PS_ATTRIBUTE_UNKNOWN : 0))

#define PS_ATTRIBUTE_PARENT_PROCESS \
    PsAttributeValue(PsAttributeParentProcess, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_DEBUG_PORT \
    PsAttributeValue(PsAttributeDebugPort, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_TOKEN \
    PsAttributeValue(PsAttributeToken, FALSE, TRUE, TRUE)
#define PS_ATTRIBUTE_CLIENT_ID \
    PsAttributeValue(PsAttributeClientId, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_TEB_ADDRESS \
    PsAttributeValue(PsAttributeTebAddress, TRUE, FALSE, FALSE)
#define PS_ATTRIBUTE_IMAGE_NAME \
    PsAttributeValue(PsAttributeImageName, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IMAGE_INFO \
    PsAttributeValue(PsAttributeImageInfo, FALSE, FALSE, FALSE)
#define PS_ATTRIBUTE_MEMORY_RESERVE \
    PsAttributeValue(PsAttributeMemoryReserve, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_PRIORITY_CLASS \
    PsAttributeValue(PsAttributePriorityClass, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_ERROR_MODE \
    PsAttributeValue(PsAttributeErrorMode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_STD_HANDLE_INFO \
    PsAttributeValue(PsAttributeStdHandleInfo, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_HANDLE_LIST \
    PsAttributeValue(PsAttributeHandleList, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_GROUP_AFFINITY \
    PsAttributeValue(PsAttributeGroupAffinity, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_PREFERRED_NODE \
    PsAttributeValue(PsAttributePreferredNode, FALSE, TRUE, FALSE)
#define PS_ATTRIBUTE_IDEAL_PROCESSOR \
    PsAttributeValue(PsAttributeIdealProcessor, TRUE, TRUE, FALSE)
#define PS_ATTRIBUTE_MITIGATION_OPTIONS \
    PsAttributeValue(PsAttributeMitigationOptions, FALSE, TRUE, TRUE)

// end_rev

// begin_private

typedef struct _PS_ATTRIBUTE
{                             //这个结构里怎么没有连接上边PS_ATTRIBUTE_NUM的指针呢
    ULONG Attribute;
    SIZE_T Size;
    union
    {
        ULONG Value;     
        PVOID ValuePtr;  //这个是指向哪里的，上边的哪个结构吗
    };
    PSIZE_T ReturnLength;
} PS_ATTRIBUTE, *PPS_ATTRIBUTE;

typedef struct _PS_ATTRIBUTE_LIST
{
    SIZE_T TotalLength;
    PS_ATTRIBUTE Attributes[1]; 
} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST;

2016-3-9 13:09

0