[原创]【WindowsXP】在【进程创建通知回调】中获取进程命令行参数
2020-5-21 15:42 5280
1)背景
最近听同事说在WindowsXP下通过PsSetCreateProcessNotifyRoutine注册了一个进程创建回调,然后尝试通过PEB来获取被创建进程的命令行参数,发现PEB结构中的命令行等相关数据还没有被填充进去。
通过查看GetCommandLineA函数的反汇编,得知进程的命令行指针保存在一个固定的地址0x7C8855F4处:
MOV EAX, DWORD PTR [0x7C8855F4]
RETN
在进程创建回调中,附加到目标进程,再查看这个地址的数据,如下所示。 因为时机还不对,这个地址还没被申请呢!!
kd> db 0x7C8855F4
7c8855f4 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885604 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885614 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885624 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885634 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885644 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885654 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
7c885664 ?? ?? ?? ?? ?? ?? ?? ?? - ?? ?? ?? ?? ?? ?? ?? ?? ????????????????
通过windbg检查PEB结构中的ProcessParameters字段,该字段指向一个_RTL_USER_PROCESS_PARAMETERS结构,其值(即该结构的地址)为0x20000:
kd> dt _PEB 7ffd5000
ntdll!_PEB
   +0x000 InheritedAddressSpace : 0 ''
   +0x001 ReadImageFileExecOptions : 0 ''
   +0x002 BeingDebugged : 0 ''
   +0x003 SpareBool : 0 ''
   +0x004 Mutant : 0xffffffff Void
   +0x008 ImageBaseAddress : 0x01000000 Void
   +0x00c Ldr : (null)
   +0x010 ProcessParameters : 0x00020000 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData : (null)
   +0x018 ProcessHeap : (null)
查看ProcessParameters中的数据,发现CommandLine字段的Buffer中保存的是一个无效地址0x000008ec:
kd> dt _RTL_USER_PROCESS_PARAMETERS 0x00020000
ntdll!_RTL_USER_PROCESS_PARAMETERS
   +0x000 MaximumLength : 0x1000
   +0x004 Length : 0x970
   +0x008 Flags : 0x2000
   +0x00c DebugFlags : 0
   +0x010 ConsoleHandle : 0x00310002 Void
   +0x014 ConsoleFlags : 0
   +0x018 StandardInput : 0x00000003 Void
   +0x01c StandardOutput : 0x00000007 Void
   +0x020 StandardError : 0x0000000b Void
   +0x024 CurrentDirectory : _CURDIR
   +0x030 DllPath : _UNICODE_STRING "--- memory read error at address 0x00000498 ---"
   +0x038 ImagePathName : _UNICODE_STRING "--- memory read error at address 0x000008ac ---"
   +0x040 CommandLine : _UNICODE_STRING "--- memory read error at address 0x000008ec ---"
   +0x048 Environment : 0x00010000 Void
   +0x04c StartingX : 0
   +0x050 StartingY : 1
   +0x054 CountX : 0x64
   +0x058 CountY : 0x64
   +0x05c CountCharsX : 0
   +0x060 CountCharsY : 0
   +0x064 FillAttribute : 0
   +0x068 WindowFlags : 0
   +0x06c ShowWindowFlags : 1
   +0x070 WindowTitle : _UNICODE_STRING "--- memory read error at address 0x0000091c ---"
   +0x078 DesktopInfo : _UNICODE_STRING "--- memory read error at address 0x0000094c ---"
   +0x080 ShellInfo : _UNICODE_STRING "--- memory read error at address 0x0000096c ---"
   +0x088 RuntimeData : _UNICODE_STRING ""
   +0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
但是通过windbg的扩展命令!peb却能正常查看PEB结构中的命令行数据,为什么直接通过dt _PEB address就不行了?
kd> !peb
PEB at 7ffd5000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            No
    ImageBaseAddress:         01000000
    NtGlobalFlag:             0
    NtGlobalFlag2:            0
    Ldr                       00000000
    *** unable to read Ldr table at 00000000
    SubSystemData:     00000000
    ProcessHeap:       00000000
    ProcessParameters: 00020000
    CurrentDirectory:  '< Name not readable >'
    WindowTitle:  'notepad 11111111111.txt'
    ImageFile:    'C:\WINDOWS\system32\notepad.exe'
    CommandLine:  'notepad 11111111111.txt'
尝试在进程空间内暴力搜索命令行参数,得到以下两个结果:
kd> s -u 0x0 0x7ffffff "notepad 11111111111"
000208ec  006e 006f 0074 0065 0070 0061 0064 0020  n.o.t.e.p.a.d. .
0002091c  006e 006f 0074 0065 0070 0061 0064 0020  n.o.t.e.p.a.d. .
000208ec这个地址看起来很眼熟,原来它就是(PEB.ProcessParameters + PEB.ProcessParameters->CommandLine.Buffer):因为PEB中的_RTL_USER_PROCESS_PARAMETERS结构还没被完全填充好,在进程创建通知回调被触发时,这个结构中的CommandLine.Buffer还只是一个相对于结构起始地址的偏移,而不是指针。(000208ec = 0x00020000 + 0x000008ec)
2)分析
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 | 00020000 00 10 00 00 64 09 00 00 - 00 20 00 00 00 00 00 00 ....d.... ...... 00020010 01 00 30 00 00 00 00 00 - 03 00 00 00 07 00 00 00 .. 0. ............ 00020020 0b 00 00 00 4e 00 08 02 - 90 02 00 00 0e 00 00 00 ....N........... 00020030 12 04 14 04 98 04 00 00 - 38 00 3a 00 ac 08 00 00 ........ 8. :..... 00020040 28 00 2a 00 e8 08 00 00 - 00 00 01 00 00 00 00 00 (. * ............. < - - - - WORD PTR [ 0x00020044 ] = offset; 0x20000 + offset = commandline; 00020050 01 00 00 00 64 00 00 00 - 64 00 00 00 00 00 00 00 ....d...d....... 00020060 00 00 00 00 00 00 00 00 - 00 00 00 00 01 00 00 00 ................ 00020070 28 00 2a 00 14 09 00 00 - 1e 00 20 00 40 09 00 00 (. * ....... .@... 00020080 00 00 02 00 60 09 00 00 - 00 00 00 00 00 00 00 00 ....`........... 00020090 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000200a0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000200b0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000200c0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000200d0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000200e0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000200f0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020100 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020110 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 
00020120 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020130 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020140 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020150 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020160 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020170 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020180 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020190 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000201a0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000201b0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000201c0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000201d0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000201e0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000201f0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020200 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020210 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020220 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020230 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020240 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020250 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020260 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020270 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020280 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020290 43 00 3a 00 5c 00 44 00 - 6f 00 63 00 75 00 6d 00 C.:.\.D.o.c.u.m. 000202a0 65 00 6e 00 74 00 73 00 - 20 00 61 00 6e 00 64 00 e.n.t.s. .a.n.d. 000202b0 20 00 53 00 65 00 74 00 - 74 00 69 00 6e 00 67 00 .S.e.t.t.i.n.g. 
000202c0 73 00 5c 00 41 00 64 00 - 6d 00 69 00 6e 00 69 00 s.\.A.d.m.i.n.i. 000202d0 73 00 74 00 72 00 61 00 - 74 00 6f 00 72 00 00 00 s.t.r.a.t.o.r... 000202e0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000202f0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020300 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020310 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020320 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020330 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020340 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020350 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020360 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020370 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020380 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020390 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000203a0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000203b0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000203c0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000203d0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000203e0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 000203f0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020400 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020410 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020420 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020430 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020440 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020450 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 
00020460 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020470 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020480 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 ................ 00020490 00 00 00 00 00 00 00 00 - 43 00 3a 00 5c 00 57 00 ........C.:.\.W. 000204a0 49 00 4e 00 44 00 4f 00 - 57 00 53 00 5c 00 73 00 I.N.D.O.W.S.\.s. 000204b0 79 00 73 00 74 00 65 00 - 6d 00 33 00 32 00 3b 00 y.s.t.e.m. 3.2 .;. 000204c0 43 00 3a 00 5c 00 57 00 - 49 00 4e 00 44 00 4f 00 C.:.\.W.I.N.D.O. 000204d0 57 00 53 00 5c 00 73 00 - 79 00 73 00 74 00 65 00 W.S.\.s.y.s.t.e. 000204e0 6d 00 33 00 32 00 3b 00 - 43 00 3a 00 5c 00 57 00 m. 3.2 .;.C.:.\.W. 000204f0 49 00 4e 00 44 00 4f 00 - 57 00 53 00 5c 00 73 00 I.N.D.O.W.S.\.s. 00020500 79 00 73 00 74 00 65 00 - 6d 00 3b 00 43 00 3a 00 y.s.t.e.m.;.C.:. 00020510 5c 00 57 00 49 00 4e 00 - 44 00 4f 00 57 00 53 00 \.W.I.N.D.O.W.S. 00020520 3b 00 2e 00 3b 00 43 00 - 3a 00 5c 00 50 00 79 00 ;...;.C.:.\.P.y. 00020530 74 00 68 00 6f 00 6e 00 - 32 00 37 00 3b 00 43 00 t.h.o.n. 2.7 .;.C. 00020540 3a 00 5c 00 50 00 72 00 - 6f 00 67 00 72 00 61 00 :.\.P.r.o.g.r.a. 00020550 6d 00 20 00 46 00 69 00 - 6c 00 65 00 73 00 5c 00 m. .F.i.l.e.s.\. 00020560 42 00 6f 00 72 00 6c 00 - 61 00 6e 00 64 00 5c 00 B.o.r.l.a.n.d.\. 00020570 44 00 65 00 6c 00 70 00 - 68 00 69 00 37 00 5c 00 D.e.l.p.h.i. 7. \. 00020580 42 00 69 00 6e 00 3b 00 - 43 00 3a 00 5c 00 50 00 B.i.n.;.C.:.\.P. 00020590 72 00 6f 00 67 00 72 00 - 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. 000205a0 69 00 6c 00 65 00 73 00 - 5c 00 42 00 6f 00 72 00 i.l.e.s.\.B.o.r. 000205b0 6c 00 61 00 6e 00 64 00 - 5c 00 44 00 65 00 6c 00 l.a.n.d.\.D.e.l. 000205c0 70 00 68 00 69 00 37 00 - 5c 00 50 00 72 00 6f 00 p.h.i. 7. \.P.r.o. 000205d0 6a 00 65 00 63 00 74 00 - 73 00 5c 00 42 00 70 00 j.e.c.t.s.\.B.p. 000205e0 6c 00 5c 00 3b 00 43 00 - 3a 00 5c 00 50 00 52 00 l.\.;.C.:.\.P.R. 000205f0 4f 00 47 00 52 00 41 00 - 7e 00 31 00 5c 00 42 00 O.G.R.A.~. 1. \.B. 
00020600 6f 00 72 00 6c 00 61 00 - 6e 00 64 00 5c 00 43 00 o.r.l.a.n.d.\.C. 00020610 42 00 55 00 49 00 4c 00 - 44 00 7e 00 31 00 5c 00 B.U.I.L.D.~. 1. \. 00020620 42 00 69 00 6e 00 3b 00 - 43 00 3a 00 5c 00 50 00 B.i.n.;.C.:.\.P. 00020630 52 00 4f 00 47 00 52 00 - 41 00 7e 00 31 00 5c 00 R.O.G.R.A.~. 1. \. 00020640 42 00 6f 00 72 00 6c 00 - 61 00 6e 00 64 00 5c 00 B.o.r.l.a.n.d.\. 00020650 43 00 42 00 55 00 49 00 - 4c 00 44 00 7e 00 31 00 C.B.U.I.L.D.~. 1. 00020660 5c 00 50 00 72 00 6f 00 - 6a 00 65 00 63 00 74 00 \.P.r.o.j.e.c.t. 00020670 73 00 5c 00 42 00 70 00 - 6c 00 3b 00 43 00 3a 00 s.\.B.p.l.;.C.:. 00020680 5c 00 57 00 49 00 4e 00 - 44 00 4f 00 57 00 53 00 \.W.I.N.D.O.W.S. 00020690 5c 00 73 00 79 00 73 00 - 74 00 65 00 6d 00 33 00 \.s.y.s.t.e.m. 3. 000206a0 32 00 3b 00 43 00 3a 00 - 5c 00 57 00 49 00 4e 00 2. ;.C.:.\.W.I.N. 000206b0 44 00 4f 00 57 00 53 00 - 3b 00 43 00 3a 00 5c 00 D.O.W.S.;.C.:.\. 000206c0 57 00 49 00 4e 00 44 00 - 4f 00 57 00 53 00 5c 00 W.I.N.D.O.W.S.\. 000206d0 53 00 79 00 73 00 74 00 - 65 00 6d 00 33 00 32 00 S.y.s.t.e.m. 3.2 . 000206e0 5c 00 57 00 62 00 65 00 - 6d 00 3b 00 43 00 3a 00 \.W.b.e.m.;.C.:. 000206f0 5c 00 50 00 72 00 6f 00 - 67 00 72 00 61 00 6d 00 \.P.r.o.g.r.a.m. 00020700 20 00 46 00 69 00 6c 00 - 65 00 73 00 5c 00 4d 00 .F.i.l.e.s.\.M. 00020710 69 00 63 00 72 00 6f 00 - 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t. 00020720 20 00 56 00 69 00 73 00 - 75 00 61 00 6c 00 20 00 .V.i.s.u.a.l. . 00020730 53 00 74 00 75 00 64 00 - 69 00 6f 00 5c 00 43 00 S.t.u.d.i.o.\.C. 00020740 6f 00 6d 00 6d 00 6f 00 - 6e 00 5c 00 54 00 6f 00 o.m.m.o.n.\.T.o. 00020750 6f 00 6c 00 73 00 5c 00 - 57 00 69 00 6e 00 4e 00 o.l.s.\.W.i.n.N. 00020760 54 00 3b 00 43 00 3a 00 - 5c 00 50 00 72 00 6f 00 T.;.C.:.\.P.r.o. 00020770 67 00 72 00 61 00 6d 00 - 20 00 46 00 69 00 6c 00 g.r.a.m. .F.i.l. 00020780 65 00 73 00 5c 00 4d 00 - 69 00 63 00 72 00 6f 00 e.s.\.M.i.c.r.o. 00020790 73 00 6f 00 66 00 74 00 - 20 00 56 00 69 00 73 00 s.o.f.t. .V.i.s. 
000207a0 75 00 61 00 6c 00 20 00 - 53 00 74 00 75 00 64 00 u.a.l. .S.t.u.d. 000207b0 69 00 6f 00 5c 00 43 00 - 6f 00 6d 00 6d 00 6f 00 i.o.\.C.o.m.m.o. 000207c0 6e 00 5c 00 4d 00 53 00 - 44 00 65 00 76 00 39 00 n.\.M.S.D.e.v. 9. 000207d0 38 00 5c 00 42 00 69 00 - 6e 00 3b 00 43 00 3a 00 8. \.B.i.n.;.C.:. 000207e0 5c 00 50 00 72 00 6f 00 - 67 00 72 00 61 00 6d 00 \.P.r.o.g.r.a.m. 000207f0 20 00 46 00 69 00 6c 00 - 65 00 73 00 5c 00 4d 00 .F.i.l.e.s.\.M. 00020800 69 00 63 00 72 00 6f 00 - 73 00 6f 00 66 00 74 00 i.c.r.o.s.o.f.t. 00020810 20 00 56 00 69 00 73 00 - 75 00 61 00 6c 00 20 00 .V.i.s.u.a.l. . 00020820 53 00 74 00 75 00 64 00 - 69 00 6f 00 5c 00 43 00 S.t.u.d.i.o.\.C. 00020830 6f 00 6d 00 6d 00 6f 00 - 6e 00 5c 00 54 00 6f 00 o.m.m.o.n.\.T.o. 00020840 6f 00 6c 00 73 00 3b 00 - 43 00 3a 00 5c 00 50 00 o.l.s.;.C.:.\.P. 00020850 72 00 6f 00 67 00 72 00 - 61 00 6d 00 20 00 46 00 r.o.g.r.a.m. .F. 00020860 69 00 6c 00 65 00 73 00 - 5c 00 4d 00 69 00 63 00 i.l.e.s.\.M.i.c. 00020870 72 00 6f 00 73 00 6f 00 - 66 00 74 00 20 00 56 00 r.o.s.o.f.t. .V. 00020880 69 00 73 00 75 00 61 00 - 6c 00 20 00 53 00 74 00 i.s.u.a.l. .S.t. 00020890 75 00 64 00 69 00 6f 00 - 5c 00 56 00 43 00 39 00 u.d.i.o.\.V.C. 9. 000208a0 38 00 5c 00 62 00 69 00 - 6e 00 00 00 43 00 3a 00 8. \.b.i.n...C.:. 000208b0 5c 00 57 00 49 00 4e 00 - 44 00 4f 00 57 00 53 00 \.W.I.N.D.O.W.S. 000208c0 5c 00 73 00 79 00 73 00 - 74 00 65 00 6d 00 33 00 \.s.y.s.t.e.m. 3. 000208d0 32 00 5c 00 63 00 61 00 - 6c 00 63 00 2e 00 65 00 2. \.c.a.l.c...e. 000208e0 78 00 65 00 00 00 00 00 - 63 00 61 00 6c 00 63 00 x.e.....c.a.l.c. < - - - - 0x000208E0 = calc - test 123456789 000208f0 20 00 2d 00 74 00 65 00 - 73 00 74 00 20 00 31 00 . - .t.e.s.t. . 1. 00020900 32 00 33 00 34 00 35 00 - 36 00 37 00 38 00 39 00 2.3 . 4.5 . 6.7 . 8.9 . 00020910 00 00 00 00 63 00 61 00 - 6c 00 63 00 20 00 2d 00 ....c.a.l.c. . - . 00020920 74 00 65 00 73 00 74 00 - 20 00 31 00 32 00 33 00 t.e.s.t. . 1.2 . 3. 
00020930 34 00 35 00 36 00 37 00 - 38 00 39 00 00 00 00 00 4.5 . 6.7 . 8.9 ..... 00020940 57 00 69 00 6e 00 53 00 - 74 00 61 00 30 00 5c 00 W.i.n.S.t.a. 0. \. 00020950 44 00 65 00 66 00 61 00 - 75 00 6c 00 74 00 00 00 D.e.f.a.u.l.t... |
3)代码
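#include <ntifs.h>

/*
 * Bit in RTL_USER_PROCESS_PARAMETERS.Flags that ntdll sets once the block's
 * relative offsets have been rewritten into absolute pointers
 * (RtlNormalizeProcessParams).  When the create-process callback runs on XP
 * the bit is still clear (the observed Flags value 0x2000 has bit 0 clear),
 * so CommandLine.Buffer is a byte offset from the start of the block.
 * ntifs.h does not expose the constant, so it is defined here.
 */
#ifndef RTL_USER_PROC_PARAMS_NORMALIZED
#define RTL_USER_PROC_PARAMS_NORMALIZED 0x00000001
#endif

/* Size of the kernel-side copy of the command line; longer lines are truncated. */
enum { CMDLINE_COPY_BYTES = 512 };

/*
 * Copy the new process's command line out of its RTL_USER_PROCESS_PARAMETERS
 * into a kernel buffer.
 *
 * The whole block lives in the new process's user-mode address space and was
 * written there by the parent, so every field is untrusted: it may be
 * unmapped, misaligned, or point anywhere.  The caller must be attached to
 * the target process and must call this inside __try/__except: ProbeForRead
 * raises on kernel-mode or misaligned addresses and a page fault raises on
 * its own, which is how a malformed block is kept from bugchecking the box.
 *
 * Params:  user-mode parameter block of the new process.
 * Dest:    Buffer/MaximumLength describe a caller-owned kernel buffer;
 *          Length is set to the number of bytes copied.
 * Source:  receives the resolved user-mode address of the string.
 * Returns FALSE, leaving Dest untouched, when the offsets inside the block
 * are inconsistent with its own MaximumLength.
 */
static BOOLEAN CopyCommandLine(PRTL_USER_PROCESS_PARAMETERS Params,
                               PUNICODE_STRING Dest,
                               PVOID *Source)
{
    ULONG_PTR raw;
    ULONG max;
    USHORT len;
    PWCH src;

    ProbeForRead(Params, sizeof(*Params), sizeof(ULONG_PTR));

    /* Read each untrusted field exactly once; the parent could change the
     * block concurrently, so later decisions must not re-read it. */
    raw = (ULONG_PTR)Params->CommandLine.Buffer;
    len = Params->CommandLine.Length;
    max = Params->MaximumLength;

    if (Params->Flags & RTL_USER_PROC_PARAMS_NORMALIZED) {
        /* Block already normalized: Buffer is an absolute pointer. */
        src = (PWCH)raw;
    } else {
        /* Not yet normalized: Buffer is an offset from the block's start.
         * Reject anything that would read outside the block itself. */
        if (raw >= max || len > max - raw) {
            return FALSE;
        }
        src = (PWCH)((ULONG_PTR)Params + raw);
    }

    /* Whatever the branch produced must be readable user-mode memory. */
    ProbeForRead(src, len, sizeof(WCHAR));

    if (len > Dest->MaximumLength) {
        len = (USHORT)(Dest->MaximumLength & ~1u);   /* keep whole WCHARs */
    }
    RtlCopyMemory(Dest->Buffer, src, len);
    Dest->Length = len;
    *Source = src;
    return TRUE;
}

/*
 * Process create/exit notification.  On creation, attaches to the new process
 * and logs its command line.  On XP the callback fires before ntdll has
 * normalized the PEB's ProcessParameters, which is why the string is located
 * by offset rather than through CommandLine.Buffer directly.
 *
 * ParentId/ProcessId: ids of the creating and the new process.
 * Create: TRUE for creation, FALSE for exit (ignored here).
 */
void PcreateProcessNotifyRoutine(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create)
{
    PEPROCESS SubEProcess = NULL;
    KAPC_STATE ks;
    WCHAR copy[CMDLINE_COPY_BYTES / sizeof(WCHAR)];
    UNICODE_STRING cmd;
    PVOID source = NULL;
    BOOLEAN found = FALSE;

    if (!Create) {
        return;                       /* exits carry nothing to log */
    }

    DbgPrint("[Create Process]: ParentId:%lu ProcessId:%lu \n",
             (ULONG)(ULONG_PTR)ParentId, (ULONG)(ULONG_PTR)ProcessId);

    if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &SubEProcess))) {
        return;
    }

    cmd.Buffer = copy;
    cmd.Length = 0;
    cmd.MaximumLength = sizeof(copy);

    KeStackAttachProcess(SubEProcess, &ks);
    __try {
        PPEB pPeb = PsGetProcessPeb(SubEProcess);
        if (pPeb != NULL && pPeb->ProcessParameters != NULL) {
            found = CopyCommandLine((PRTL_USER_PROCESS_PARAMETERS)pPeb->ProcessParameters,
                                    &cmd, &source);
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Unmapped, misaligned or kernel-mode address supplied by the parent:
         * log and carry on instead of bugchecking. */
        found = FALSE;
    }
    KeUnstackDetachProcess(&ks);
    ObDereferenceObject(SubEProcess);

    /* Print only after detaching and only from the kernel copy, so DbgPrint
     * never touches the target's user-mode memory. */
    if (found) {
        DbgPrint("[KeStackAttachProcess]: commandline from %p: %wZ\n", source, &cmd);
    } else {
        DbgPrint("[KeStackAttachProcess]: commandline unavailable for ProcessId:%lu\n",
                 (ULONG)(ULONG_PTR)ProcessId);
    }
}

/*
 * Driver unload: deregisters the callback registered in DriverEntry.
 * DriverObject: unused.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("DriverUnload Enter \n");

    status = PsSetCreateProcessNotifyRoutine(PcreateProcessNotifyRoutine, TRUE);
    if (!NT_SUCCESS(status)) {
        /* Nothing more can be done at unload; leave a trace in the debugger. */
        DbgPrint("DriverUnload: PsSetCreateProcessNotifyRoutine(remove) failed 0x%08lx\n", status);
    }
}

/*
 * Driver entry point: registers the create-process callback.
 *
 * DriverObject: driver object supplied by the I/O manager.
 * RegistryPath: unused.
 * Returns STATUS_SUCCESS, or the failure status of the registration, in which
 * case no unload routine is installed and the driver is not loaded.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("DriverEntry Enter \n");

    status = PsSetCreateProcessNotifyRoutine(PcreateProcessNotifyRoutine, FALSE);
    if (!NT_SUCCESS(status)) {
        /* Nothing was registered, so there is nothing for DriverUnload to
         * remove; returning the error makes the I/O manager discard us. */
        DbgPrint("DriverEntry: PsSetCreateProcessNotifyRoutine failed 0x%08lx\n", status);
        return status;
    }
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}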
4)效果
最后于 2021-8-3 11:31 被Adventure编辑,原因: