
驅(qū)動開發(fā):內(nèi)核通過PEB得到進程參數(shù)

PEB結(jié)構(gòu)(Process Environment Block Structure)其中文名是進程環(huán)境塊 , 進程環(huán)境塊內(nèi)部包含了進程運行的詳細參數(shù)信息(映像路徑、命令行、當前目錄、環(huán)境變量、已加載模塊鏈表等) , 每一個進程在運行後都會存在一個特有的PEB結(jié)構(gòu) , 通過附加到目標進程並遍歷這段結(jié)構(gòu)即可得到非常多的有用信息 。
在應(yīng)用層下 , 32位進程只需要取fs:[0x30]即可得到PEB的基地址 , TEB線程環(huán)境塊則是fs:[0x18] ; 64位進程對應(yīng)的是gs:[0x60]與gs:[0x30] 。 如果在內(nèi)核層想要得到應(yīng)用層進程的PEB信息 , 我們需要調(diào)用特定的內(nèi)核函數(shù)(如PsGetProcessPeb / PsGetProcessWow64Process)來獲取 。 需要特別注意 : PEB及其指向的所有結(jié)構(gòu)都位於目標進程的用戶態(tài)地址空間 , 並且可以被該進程自身隨意改寫 , 因此內(nèi)核代碼必須先附加到目標進程(KeStackAttachProcess) , 在__try/__except保護下並經(jīng)ProbeForRead校驗後再讀取 ; 其中的指針與長度字段(例如UNICODE_STRING的Buffer/Length)均應(yīng)視為不可信輸入 , ImagePathName、CommandLine等內(nèi)容也不應(yīng)作為安全決策的依據(jù) 。 如下案例將教大家如何在內(nèi)核層取到應(yīng)用層進程的PEB結(jié)構(gòu) 。
首先在開始寫代碼之前需要先定義好PEB進程環(huán)境塊結(jié)構(gòu)體 , 用於對內(nèi)存指針解析 , 新建peb.h文件並保存如下代碼 , 這些是微軟的結(jié)構(gòu)定義 , 分為32位與64位兩套 : 帶32後綴的結(jié)構(gòu)使用顯式的ULONG字段 , 在任何架構(gòu)下布局都固定 ; 不帶後綴的原生結(jié)構(gòu)含有VOID*與UNICODE_STRING , 只有在x64驅(qū)動中才與注釋中的偏移一致 。 這些結(jié)構(gòu)未公開文檔 , 不同Windows版本之間可能變化 , 使用前應(yīng)核對目標系統(tǒng)的實際布局 。
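#pragma once
#include <ntifs.h>

/*
 * peb.h - user-mode PEB / process-parameter layouts for use from kernel mode.
 *
 * These are undocumented structures. The offsets in the comments are the
 * layouts this header was written against; they are checked by the C_ASSERTs
 * at the bottom so that a build on the wrong architecture (or with a foreign
 * #pragma pack still in effect) fails to compile instead of silently
 * misparsing the target process's memory.
 *
 * NOTE(review): everything reachable through these structures lives in the
 * target process's user-mode address space and is writable by that process.
 * Treat every pointer (Ldr, ProcessParameters, UNICODE_STRING.Buffer) and
 * every Length/MaximumLength as untrusted input: read them only while
 * attached to the process, after ProbeForRead and under __try/__except, and
 * do not base security decisions on ImagePathName/CommandLine, which the
 * process can rewrite at will.
 */

/* ---- native (x64) layouts: contain VOID* / UNICODE_STRING ---- */

typedef struct _CURDIR                      /* 2 elements, 0x18 bytes */
{
    /*0x000*/ struct _UNICODE_STRING DosPath;   /* 0x10 bytes */
    /*0x010*/ VOID *Handle;
} CURDIR, *PCURDIR;

typedef struct _RTL_DRIVE_LETTER_CURDIR     /* 4 elements, 0x18 bytes */
{
    /*0x000*/ UINT16  Flags;
    /*0x002*/ UINT16  Length;
    /*0x004*/ ULONG32 TimeStamp;
    /*0x008*/ struct _STRING DosPath;           /* 0x10 bytes */
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

typedef enum _SYSTEM_DLL_TYPE               /* 7 elements, 0x4 bytes */
{
    PsNativeSystemDll      = 0,
    PsWowX86SystemDll      = 1,
    PsWowArm32SystemDll    = 2,
    PsWowAmd64SystemDll    = 3,
    PsWowChpeX86SystemDll  = 4,
    PsVsmEnclaveRuntimeDll = 5,
    PsSystemDllTotalTypes  = 6
} SYSTEM_DLL_TYPE, *PSYSTEM_DLL_TYPE;

typedef struct _EWOW64PROCESS               /* 3 elements, 0x10 bytes */
{
    /*0x000*/ VOID  *Peb;                       /* 32-bit PEB of a WOW64 process */
    /*0x008*/ UINT16 Machine;
    /*0x00A*/ UINT8  _PADDING0_[0x2];
    /*0x00C*/ enum _SYSTEM_DLL_TYPE NtdllType;
} EWOW64PROCESS, *PEWOW64PROCESS;

typedef struct _RTL_USER_PROCESS_PARAMETERS /* 37 elements, 0x440 bytes */
{
    /*0x000*/ ULONG32 MaximumLength;
    /*0x004*/ ULONG32 Length;
    /*0x008*/ ULONG32 Flags;
    /*0x00C*/ ULONG32 DebugFlags;
    /*0x010*/ VOID   *ConsoleHandle;
    /*0x018*/ ULONG32 ConsoleFlags;
    /*0x01C*/ UINT8   _PADDING0_[0x4];
    /*0x020*/ VOID   *StandardInput;
    /*0x028*/ VOID   *StandardOutput;
    /*0x030*/ VOID   *StandardError;
    /*0x038*/ struct _CURDIR         CurrentDirectory;  /* 0x18 bytes */
    /*0x050*/ struct _UNICODE_STRING DllPath;           /* 0x10 bytes */
    /*0x060*/ struct _UNICODE_STRING ImagePathName;     /* 0x10 bytes */
    /*0x070*/ struct _UNICODE_STRING CommandLine;       /* 0x10 bytes */
    /*0x080*/ VOID   *Environment;
    /*0x088*/ ULONG32 StartingX;
    /*0x08C*/ ULONG32 StartingY;
    /*0x090*/ ULONG32 CountX;
    /*0x094*/ ULONG32 CountY;
    /*0x098*/ ULONG32 CountCharsX;
    /*0x09C*/ ULONG32 CountCharsY;
    /*0x0A0*/ ULONG32 FillAttribute;
    /*0x0A4*/ ULONG32 WindowFlags;
    /*0x0A8*/ ULONG32 ShowWindowFlags;
    /*0x0AC*/ UINT8   _PADDING1_[0x4];
    /*0x0B0*/ struct _UNICODE_STRING WindowTitle;       /* 0x10 bytes */
    /*0x0C0*/ struct _UNICODE_STRING DesktopInfo;       /* 0x10 bytes */
    /*0x0D0*/ struct _UNICODE_STRING ShellInfo;         /* 0x10 bytes */
    /*0x0E0*/ struct _UNICODE_STRING RuntimeData;       /* 0x10 bytes */
    /*0x0F0*/ struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32]; /* 32 * 0x18 */
    /*0x3F0*/ UINT64  EnvironmentSize;
    /*0x3F8*/ UINT64  EnvironmentVersion;
    /*0x400*/ VOID   *PackageDependencyData;
    /*0x408*/ ULONG32 ProcessGroupId;
    /*0x40C*/ ULONG32 LoaderThreads;
    /*0x410*/ struct _UNICODE_STRING RedirectionDllName; /* 0x10 bytes */
    /*0x420*/ struct _UNICODE_STRING HeapPartitionName;  /* 0x10 bytes */
    /*0x430*/ UINT64 *DefaultThreadpoolCpuSetMasks;
    /*0x438*/ ULONG32 DefaultThreadpoolCpuSetMaskCount;
    /*0x43C*/ UINT8   _PADDING2_[0x4];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_LDR_DATA                /* 9 elements, 0x58 bytes */
{
    /*0x000*/ ULONG32 Length;
    /*0x004*/ UINT8   Initialized;
    /*0x005*/ UINT8   _PADDING0_[0x3];
    /*0x008*/ VOID   *SsHandle;
    /*0x010*/ struct _LIST_ENTRY InLoadOrderModuleList;           /* 0x10 bytes */
    /*0x020*/ struct _LIST_ENTRY InMemoryOrderModuleList;         /* 0x10 bytes */
    /*0x030*/ struct _LIST_ENTRY InInitializationOrderModuleList; /* 0x10 bytes */
    /*0x040*/ VOID   *EntryInProgress;
    /*0x048*/ UINT8   ShutdownInProgress;
    /*0x049*/ UINT8   _PADDING1_[0x7];
    /*0x050*/ VOID   *ShutdownThreadId;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

/*
 * Leading part of the 64-bit PEB (through ApiSetMap, 0x70 bytes). Ldr and
 * ProcessParameters are declared as native pointers, so this struct only
 * matches the 64-bit layout when the driver itself is built for x64.
 */
typedef struct _PEB64
{
    /*0x000*/ UCHAR   InheritedAddressSpace;
    /*0x001*/ UCHAR   ReadImageFileExecOptions;
    /*0x002*/ UCHAR   BeingDebugged;
    /*0x003*/ UCHAR   BitField;
    /*0x008*/ ULONG64 Mutant;
    /*0x010*/ ULONG64 ImageBaseAddress;
    /*0x018*/ PPEB_LDR_DATA Ldr;
    /*0x020*/ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    /*0x028*/ ULONG64 SubSystemData;
    /*0x030*/ ULONG64 ProcessHeap;
    /*0x038*/ ULONG64 FastPebLock;
    /*0x040*/ ULONG64 AtlThunkSListPtr;
    /*0x048*/ ULONG64 IFEOKey;
    /*0x050*/ ULONG64 CrossProcessFlags;
    /*0x058*/ ULONG64 UserSharedInfoPtr;
    /*0x060*/ ULONG   SystemReserved;
    /*0x064*/ ULONG   AtlThunkSListPtr32;
    /*0x068*/ ULONG64 ApiSetMap;
} PEB64, *PPEB64;

/* ---- 32-bit (WOW64) layouts: every pointer is an explicit ULONG ---- */

/* push/pop rather than pack(4)/pack() so an includer's own packing state
 * is restored instead of being reset to the compiler default. */
#pragma pack(push, 4)

typedef struct _PEB32                       /* 0x3C bytes */
{
    /*0x000*/ UCHAR InheritedAddressSpace;
    /*0x001*/ UCHAR ReadImageFileExecOptions;
    /*0x002*/ UCHAR BeingDebugged;
    /*0x003*/ UCHAR BitField;
    /*0x004*/ ULONG Mutant;
    /*0x008*/ ULONG ImageBaseAddress;
    /*0x00C*/ ULONG Ldr;
    /*0x010*/ ULONG ProcessParameters;
    /*0x014*/ ULONG SubSystemData;
    /*0x018*/ ULONG ProcessHeap;
    /*0x01C*/ ULONG FastPebLock;
    /*0x020*/ ULONG AtlThunkSListPtr;
    /*0x024*/ ULONG IFEOKey;
    /*0x028*/ ULONG CrossProcessFlags;
    /*0x02C*/ ULONG UserSharedInfoPtr;
    /*0x030*/ ULONG SystemReserved;
    /*0x034*/ ULONG AtlThunkSListPtr32;
    /*0x038*/ ULONG ApiSetMap;
} PEB32, *PPEB32;

typedef struct _PEB_LDR_DATA32              /* 0x28 bytes */
{
    /*0x000*/ ULONG   Length;
    /*0x004*/ BOOLEAN Initialized;
    /*0x008*/ ULONG   SsHandle;
    /*0x00C*/ LIST_ENTRY32 InLoadOrderModuleList;
    /*0x014*/ LIST_ENTRY32 InMemoryOrderModuleList;
    /*0x01C*/ LIST_ENTRY32 InInitializationOrderModuleList;
    /*0x024*/ ULONG   EntryInProgress;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

typedef struct _LDR_DATA_TABLE_ENTRY32      /* 0x54 bytes */
{
    /*0x000*/ LIST_ENTRY32 InLoadOrderLinks;
    /*0x008*/ LIST_ENTRY32 InMemoryOrderModuleList;
    /*0x010*/ LIST_ENTRY32 InInitializationOrderModuleList;
    /*0x018*/ ULONG  DllBase;
    /*0x01C*/ ULONG  EntryPoint;
    /*0x020*/ ULONG  SizeOfImage;
    /*0x024*/ UNICODE_STRING32 FullDllName;
    /*0x02C*/ UNICODE_STRING32 BaseDllName;
    /*0x034*/ ULONG  Flags;
    /*0x038*/ USHORT LoadCount;
    /*0x03A*/ USHORT TlsIndex;
    /*0x03C*/ union
    {
        LIST_ENTRY32 HashLinks;
        ULONG        SectionPointer;
    } u1;
    /*0x044*/ ULONG  CheckSum;
    /*0x048*/ union
    {
        ULONG TimeDateStamp;
        ULONG LoadedImports;
    } u2;
    /*0x04C*/ ULONG  EntryPointActivationContext;
    /*0x050*/ ULONG  PatchInformation;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

#pragma pack(pop)

/*
 * Compile-time layout checks against the offsets annotated above.
 * The *32 structures use explicit ULONG fields and hold on any architecture;
 * the native ones contain VOID* / UNICODE_STRING and only match on x64, so an
 * x86 build of a driver that dereferences them is rejected here instead of
 * reading the wrong bytes out of the target process.
 */
C_ASSERT(sizeof(PEB32) == 0x3C);
C_ASSERT(FIELD_OFFSET(PEB32, Ldr) == 0x0C);
C_ASSERT(FIELD_OFFSET(PEB32, ProcessParameters) == 0x10);
C_ASSERT(sizeof(PEB_LDR_DATA32) == 0x28);
C_ASSERT(FIELD_OFFSET(PEB_LDR_DATA32, InLoadOrderModuleList) == 0x0C);
C_ASSERT(sizeof(LDR_DATA_TABLE_ENTRY32) == 0x54);
C_ASSERT(FIELD_OFFSET(LDR_DATA_TABLE_ENTRY32, BaseDllName) == 0x2C);
#ifdef _WIN64
C_ASSERT(sizeof(CURDIR) == 0x18);
C_ASSERT(sizeof(RTL_DRIVE_LETTER_CURDIR) == 0x18);
C_ASSERT(sizeof(EWOW64PROCESS) == 0x10);
C_ASSERT(sizeof(RTL_USER_PROCESS_PARAMETERS) == 0x440);
C_ASSERT(FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, ImagePathName) == 0x60);
C_ASSERT(FIELD_OFFSET(RTL_USER_PROCESS_PARAMETERS, CommandLine) == 0x70);
C_ASSERT(sizeof(PEB_LDR_DATA) == 0x58);
C_ASSERT(sizeof(PEB64) == 0x70);
C_ASSERT(FIELD_OFFSET(PEB64, Ldr) == 0x18);
C_ASSERT(FIELD_OFFSET(PEB64, ProcessParameters) == 0x20);
#endif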
