从另一个进程获取加载的模块

时间:2016-09-11 21:41:30

标签: c++ visual-c++ struct process inject

我想从另一个进程获取所有模块。但它返回荒谬的价值观。程序停留在do-while循环中一次。之后退出do-while循环。

我无法找到错误的位置 - 我该如何解决这个问题?我知道程序必须在do-while循环中持续几次,但事实并非如此。

NTSTATUS Status;
PROCESS_BASIC_INFORMATION pbi;
ULONG ReturnLength;
Status = NtQueryInformationProcess(
    INJECTOR_INFO.process.processHandle,
    ProcessBasicInformation,
    &pbi,
    sizeof(PROCESS_BASIC_INFORMATION),
    &ReturnLength);
if (!NT_SUCCESS(Status)) {
    printf("NtQueryInformationProcess failed.(pbi)\n");
    return;
}
else {
    PLIST_ENTRY  HeadEntry = pbi.PebBaseAddress->LoaderData->InMemoryOrderModuleList.Flink;
    PLIST_ENTRY nextEntry = pbi.PebBaseAddress->LoaderData->InMemoryOrderModuleList.Blink;


    DWORD dwBytesRead = 0;
    PLDR_MODULE pLdrModule = nullptr;
    LDR_MODULE LdrModule;
    do
    {
        LDR_DATA_TABLE_ENTRY LdrEntry;
        PLDR_DATA_TABLE_ENTRY Base = CONTAINING_RECORD(HeadEntry, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);

        if (NT_SUCCESS(Status = NtReadVirtualMemory(INJECTOR_INFO.process.processHandle, Base, &LdrEntry, sizeof(LdrEntry), &dwBytesRead)))
        {
            if (dwBytesRead != sizeof(LdrEntry)) {
                printf("length doesn't match");
                return;
            }
            char* pLdrModuleOffset = reinterpret_cast<char*>(HeadEntry) - sizeof(LIST_ENTRY);
            if (!NT_SUCCESS(Status = NtReadVirtualMemory(INJECTOR_INFO.process.processHandle, pLdrModuleOffset, &pLdrModule, sizeof(pLdrModule), &dwBytesRead))) { 
                printf("pLdrModuleOffset doesn't read"); return;
            }else if (dwBytesRead != sizeof(pLdrModule)) { printf("pLdrModule length doesn't match"); return; }
            if (!NT_SUCCESS(Status = NtReadVirtualMemory(INJECTOR_INFO.process.processHandle, pLdrModule, &LdrModule, sizeof(LdrModule), &dwBytesRead))) { 
                printf("pLdrModule doesn't read"); return;
            }else if (dwBytesRead != sizeof(LdrModule)) { printf("LdrModule length doesn't match"); return; }

            if (LdrEntry.DllBase)
            {
                printf("BaseAddress:     %p\n", LdrModule.BaseAddress);
                printf("Reference Count: %d\n", LdrModule.LoadCount);
            }

            HeadEntry = LdrEntry.InMemoryOrderLinks.Flink;
        }
        else { printf("LDR_DATA_TABLE_ENTRY doesn't read"); return; }
    } while (HeadEntry != nextEntry);
}

我在NtQueryInformationProcess之后在!NT_SUCCESS(Status)上为变量值设置了断点:

Values after NtQueryInformationProcess

第一个周期结束时do变量值的另一个断点:

Values for the end of the first cycle

1 个答案:

答案 0 :(得分:0)

您正在查询它的PROCESS_BASIC_INFORMATION远程进程,但随后您将继续按照自己的进程中的指示进行操作:

PLIST_ENTRY HeadEntry = pbi.PebBaseAddress->LoaderData->InMemoryOrderModuleList.Flink;

要使其正常工作,请阅读远程进程中的PEB(来自pbi.PebBaseAddress), 然后从远程进程(LoaderData)中读取PEB.LoaderData。 然后,按照InMemoryOrderModuleList(再次,读取远程进程中的数据)。

此时,您可以通过读取远程进程中的每个条目来遍历整个列表。

相关问题
最新问题