首页
社区
课程
招聘
整合win7,win10遍历 进程模块!!(md抄的好辛苦,哪里一段这里一段拼凑起来的!大神勿喷)
发表于: 2021-10-20 22:05 9446

整合win7,win10遍历 进程模块!!(md抄的好辛苦,哪里一段这里一段拼凑起来的!大神勿喷)

2021-10-20 22:05
9446

图片描述
这是 我win10的效果。(主要我看看有没有BUG,看看多少人蓝!!)
图片描述
ULONGLONG GetModuleBase(HANDLE dwPid, char* pModuleName)
{
UNICODE_STRING ModuleName = { 0 };
NTSTATUS status = STATUS_UNSUCCESSFUL;
PEPROCESS m_Peprocess = NULL;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
status = PsLookupProcessByProcessId(dwPid, &m_Peprocess);
if (!NT_SUCCESS(status)) {
    return 0;
}
 
CHAR_TO_UNICODE_STRING(pModuleName, &ModuleName);
 
if (PsGetProcessWow64Process(m_Peprocess))
{
    return GetModuleBase32(m_Peprocess, ModuleName);
}
else
{
    if (PsGetProcessPeb(m_Peprocess)) {
        return GetModuleBase64(m_Peprocess, ModuleName);
    }
}
 
return 0;

}
////////////////////////////////////////////////
VOID CHAR_TO_UNICODE_STRING(PCHAR ch, PUNICODE_STRING unicodeBuffer)
{
ANSI_STRING ansiBuffer;
UNICODE_STRING buffer_proc;
ULONG len = strlen(ch);

1
2
3
ansiBuffer.Buffer = ch;
ansiBuffer.Length = ansiBuffer.MaximumLength = (USHORT)len;
RtlAnsiStringToUnicodeString(unicodeBuffer, &ansiBuffer, TRUE);

}
////////////////////////////////////////////////////////
ULONGLONG GetModuleBase32(In PEPROCESS pEProcess, In UNICODE_STRING usModuleName)
{

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
ULONGLONG BaseAddr = 0;
KAPC_STATE KAPC = { 0 };
KeStackAttachProcess(pEProcess, &KAPC);
PPEB32 pPeb = (PPEB32)PsGetProcessWow64Process(pEProcess);
if (pPeb == NULL || pPeb->Ldr == 0)
{
    KeUnstackDetachProcess(&KAPC);
    return 0;
}
// init module name
 
// Ergodic ModuleList
for (PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)pPeb->Ldr)->InLoadOrderModuleList.Flink;
    pListEntry != &((PPEB_LDR_DATA32)pPeb->Ldr)->InLoadOrderModuleList;
    pListEntry = (PLIST_ENTRY32)pListEntry->Flink)
{
    PLDR_DATA_TABLE_ENTRY32 LdrEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks);
 
    if (LdrEntry->BaseDllName.Buffer == NULL)
    {
        continue;
    }
    // Current Module Name in ListFlink
    UNICODE_STRING usCurrentName = { 0 };
    RtlInitUnicodeString(&usCurrentName, (PWCHAR)LdrEntry->BaseDllName.Buffer);
    // cmp module name
    if (RtlEqualUnicodeString(&usModuleName, &usCurrentName, TRUE))
    {
 
        BaseAddr = (ULONGLONG)LdrEntry->DllBase;
        KeUnstackDetachProcess(&KAPC);
 
        return BaseAddr;
    }
}
 
KeUnstackDetachProcess(&KAPC);
return 0;

}
//////////////////////////////////////////////////////
ULONGLONG GetModuleBase64(In PEPROCESS pEProcess, In UNICODE_STRING usModuleName)
{

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
ULONGLONG BaseAddr = 0;
KAPC_STATE KAPC = { 0 };
KeStackAttachProcess(pEProcess, &KAPC);
PPEB64 pPeb = (PPEB64)PsGetProcessPeb(pEProcess);
if (pPeb == NULL || pPeb->Ldr == 0)
{
    KeUnstackDetachProcess(&KAPC);
    return 0;
}
// init module name
 
// Ergodic ModuleList
for (PLIST_ENTRY64 pListEntry = (PLIST_ENTRY64)((PPEB_LDR_DATA64)pPeb->Ldr)->InLoadOrderModuleList.Flink;
    pListEntry != &((PPEB_LDR_DATA64)pPeb->Ldr)->InLoadOrderModuleList;
    pListEntry = (PLIST_ENTRY64)pListEntry->Flink)
{
    PLDR_DATA_TABLE_ENTRY64 LdrEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY64, InLoadOrderLinks);
 
    if (LdrEntry->BaseDllName.Buffer == NULL)
    {
        continue;
    }
    // Current Module Name in ListFlink
    UNICODE_STRING usCurrentName = { 0 };
    RtlInitUnicodeString(&usCurrentName, (PWCHAR)LdrEntry->BaseDllName.Buffer);
    // cmp module name
    if (RtlEqualUnicodeString(&usModuleName, &usCurrentName, TRUE))
    {
 
        BaseAddr = (ULONGLONG)LdrEntry->DllBase;
        KeUnstackDetachProcess(&KAPC);
 
        return BaseAddr;
    }
}
 
KeUnstackDetachProcess(&KAPC);
return 0;

}
////////////////////////////////////////////////

 

#pragma pack(4)
typedef struct _PEB32
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG Mutant;
ULONG ImageBaseAddress;
ULONG Ldr;
ULONG ProcessParameters;
ULONG SubSystemData;
ULONG ProcessHeap;
ULONG FastPebLock;
ULONG AtlThunkSListPtr;
ULONG IFEOKey;
ULONG CrossProcessFlags;
ULONG UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG ApiSetMap;
} PEB32, *PPEB32;

 

typedef struct _PEB_LDR_DATA32
{
ULONG Length;
UCHAR Initialized;
ULONG SsHandle;
LIST_ENTRY32 InLoadOrderModuleList;
LIST_ENTRY32 InMemoryOrderModuleList;
LIST_ENTRY32 InInitializationOrderModuleList;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

 

typedef struct _LDR_DATA_TABLE_ENTRY32
{
LIST_ENTRY32 InLoadOrderLinks;
LIST_ENTRY32 InMemoryOrderLinks;
LIST_ENTRY32 InInitializationOrderLinks;
ULONG DllBase;
ULONG EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING32 FullDllName;
UNICODE_STRING32 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
LIST_ENTRY32 HashLinks;
ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

 

#pragma pack()

 

#pragma pack(8)
typedef struct _PEB64
{
UCHAR InheritedAddressSpace;
UCHAR ReadImageFileExecOptions;
UCHAR BeingDebugged;
UCHAR BitField;
ULONG64 Mutant;
ULONG64 ImageBaseAddress;
ULONG64 Ldr;
ULONG64 ProcessParameters;
ULONG64 SubSystemData;
ULONG64 ProcessHeap;
ULONG64 FastPebLock;
ULONG64 AtlThunkSListPtr;
ULONG64 IFEOKey;
ULONG64 CrossProcessFlags;
ULONG64 UserSharedInfoPtr;
ULONG SystemReserved;
ULONG AtlThunkSListPtr32;
ULONG64 ApiSetMap;
} PEB64, *PPEB64;

 

typedef struct _PEB_LDR_DATA64
{
ULONG Length;
BOOLEAN Initialized;
ULONG64 SsHandle;
LIST_ENTRY64 InLoadOrderModuleList;
LIST_ENTRY64 InMemoryOrderModuleList;
LIST_ENTRY64 InInitializationOrderModuleList;
ULONG64 EntryInProgress;
} PEB_LDR_DATA64, *PPEB_LDR_DATA64;

 

typedef struct _LDR_DATA_TABLE_ENTRY64
{
LIST_ENTRY64 InLoadOrderLinks;
LIST_ENTRY64 InMemoryOrderModuleList;
LIST_ENTRY64 InInitializationOrderModuleList;
ULONG64 DllBase;
ULONG64 EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING64 FullDllName;
UNICODE_STRING64 BaseDllName;
ULONG Flags;
USHORT LoadCount;
USHORT TlsIndex;
union
{
LIST_ENTRY64 HashLinks;
ULONG64 SectionPointer;
};
ULONG CheckSum;
union
{
ULONG TimeDateStamp;
ULONG64 LoadedImports;
};
ULONG64 EntryPointActivationContext;
ULONG64 PatchInformation;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

 

#pragma pack()
/////////////////////////////////////////////////
我抄!我抄! 我就是抄!


[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2021-10-20 22:08 被KD9编辑 ,原因: 忘了结构体!
收藏
免费 4
支持
分享
最新回复 (3)
雪    币: 247
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
已收藏,感谢分享, 
不容易啊, 早早注册了看雪账号 奈何看不懂天书, 
目前勉强能看懂了
2023-3-21 21:55
0
雪    币: 271
活跃值: (5661)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3

有点乱,markdown格式都不全,截断了

最后于 2023-3-22 14:54 被zx_901106编辑 ,原因:
2023-3-22 14:53
0
雪    币: 200
活跃值: (398)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
铁汁,成功路劲没有调 KeUnstackDetachProcess
2023-3-22 20:08
0
游客
登录 | 注册 方可回帖
返回
//