众所周知,我们可以使用下面的代码在 Win32 中获取 EPROCESS 地址。此代码在用户模式(Ring 3)下工作。
#include <stdio.h>
#include <windows.h>
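/* Page-granular scratch buffer for an NtQuerySystemInformation result.
 * VirtualAlloc returns freshly committed, zero-filled pages, so the caller
 * need not clear it; yields NULL on failure.  The argument is parenthesized
 * so that any size expression can be passed safely. */
#define alloc(a)  VirtualAlloc(NULL, (a), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)
/* Releases a region obtained from alloc(); MEM_RELEASE requires size 0. */
#define freea(a)  VirtualFree((a), 0, MEM_RELEASE)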
/* One entry of the SystemModuleInformation result.  main() reads only
 * Module[0].Base (printed as kbase) and Module[0].ImageName (copied into
 * kname); the remaining fields are carried to keep the layout the kernel
 * writes.  NOTE(review): this layout is assumed to match the kernel's entry
 * on the target build (pointer-sized leading fields on x64) — confirm before
 * relying on Module[0]. */
typedef struct {
    PVOID Unknown1;
    PVOID Unknown2;
    PVOID Base;             /* presumably the module's base address; main() prints it as kbase */
    ULONG Size;
    ULONG Flags;
    USHORT Index;
    USHORT NameLength;
    USHORT LoadCount;
    USHORT PathLength;      /* not applied by main(), which uses ImageName as a whole */
    CHAR ImageName[256];    /* read as a C string by main() */
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
/* Header of the SystemModuleInformation buffer; the one-element array is the
 * usual stand-in for a variable-length trailer. */
typedef struct {
    ULONG Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];  /* presumably Count entries follow */
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
/* One handle-table entry of the SystemHandleInformation result, as main()
 * reads it.  NOTE(review): ProcessId is declared DWORD while a USHORT
 * CreatorBackTraceIndex is left commented out below it; if the kernel's entry
 * really holds two 16-bit fields there, the `ProcessId == cpid` test in main()
 * only matches while that second field is zero — confirm on the target. */
typedef struct _SYSTEM_HANDLE
{
    DWORD ProcessId;
    // USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeNumber;     /* printed by main() as ObjectType */
    UCHAR Flags;
    USHORT Handle;              /* 16-bit handle value; main() truncates its HANDLEs to USHORT to compare */
    PVOID Object;               /* kernel-mode object address; main() prints it as the EPROCESS */
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
/* Header of the SystemHandleInformation buffer.
 * NOTE(review): if the kernel's count field is pointer-sized on x64, the
 * 8-byte alignment of SYSTEM_HANDLE (it contains a PVOID) still places
 * Handles[] at offset 8 here, but only the low 32 bits of the count are read
 * on a little-endian target — confirm. */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG HandleCount; /* Or NumberOfHandles if you prefer. */
    SYSTEM_HANDLE Handles[1]; /* presumably HandleCount entries follow */
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
/* The two information classes this program passes to
 * NtQuerySystemInformation; the numeric values are as given by the author. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
/* Signature of ntdll!NtQuerySystemInformation, which main() resolves at run
 * time with GetProcAddress.  main() uses ReturnLength to learn the buffer
 * size needed before the real query.  (The typedef name starts with `_` plus
 * an uppercase letter, a form the C standard reserves for the implementation.) */
typedef NTSTATUS(WINAPI *_NtQuerySystemInformation)(
    SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
);
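/* Status NtQuerySystemInformation returns when the supplied buffer is too
 * small; <windows.h> alone does not define it. */
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif

/* Safety cap for the handle-table buffer growth loop (a constructed limit,
 * not a documented one): give up instead of retrying without bound. */
#define HANDLE_INFO_MAX_BYTES ((ULONG)256u << 20)

/*
 * Fetches the SystemModuleInformation list.  The first call with a NULL
 * buffer reports the required size in ReturnLength; the second fills it.
 *
 * @param query  resolved NtQuerySystemInformation entry point.
 * @return a buffer from alloc() holding at least one entry, or NULL on
 *         failure (the caller releases it with freea()).
 */
static PSYSTEM_MODULE_INFORMATION query_module_list(_NtQuerySystemInformation query)
{
    ULONG len = 0;
    NTSTATUS status = query(SystemModuleInformation, NULL, 0, &len);
    if (status != STATUS_INFO_LENGTH_MISMATCH || len == 0) {
        fprintf(stderr, "SystemModuleInformation size query failed: 0x%08lX\n", (unsigned long)status);
        return NULL;
    }
    PSYSTEM_MODULE_INFORMATION mods = alloc(len);
    if (!mods) {
        fprintf(stderr, "VirtualAlloc(%lu) failed: %lu\n", (unsigned long)len, GetLastError());
        return NULL;
    }
    status = query(SystemModuleInformation, mods, len, &len);
    /* NTSTATUS is signed; negative values are errors (NT_SUCCESS is not in <windows.h>). */
    if (status < 0 || mods->Count == 0) {
        fprintf(stderr, "SystemModuleInformation query failed: 0x%08lX\n", (unsigned long)status);
        freea(mods);
        return NULL;
    }
    return mods;
}

/*
 * Fetches the SystemHandleInformation table.  The table can change between
 * two calls, so a size reported by one call may already be stale; the buffer
 * is therefore regrown until the call stops reporting
 * STATUS_INFO_LENGTH_MISMATCH.
 *
 * @param query    resolved NtQuerySystemInformation entry point.
 * @param out_len  receives the size in bytes of the returned buffer.
 * @return a buffer from alloc(), or NULL on failure (the caller releases it
 *         with freea()).
 */
static PSYSTEM_HANDLE_INFORMATION query_handle_table(_NtQuerySystemInformation query, ULONG *out_len)
{
    ULONG len = 4096 * 16 * 16;   /* initial guess: 1 MiB */
    for (;;) {
        PSYSTEM_HANDLE_INFORMATION table = alloc(len);
        if (!table) {
            fprintf(stderr, "VirtualAlloc(%lu) failed: %lu\n", (unsigned long)len, GetLastError());
            return NULL;
        }
        ULONG needed = 0;
        NTSTATUS status = query(SystemHandleInformation, table, len, &needed);
        if (status >= 0) {
            *out_len = len;
            return table;
        }
        freea(table);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            fprintf(stderr, "SystemHandleInformation query failed: 0x%08lX\n", (unsigned long)status);
            return NULL;
        }
        /* Grow to the reported size plus slack, or double when nothing useful
         * was reported; a wrap-around shows up as next <= len. */
        ULONG next = needed > len ? needed + 4096 : len * 2;
        if (next <= len || next > HANDLE_INFO_MAX_BYTES) {
            fprintf(stderr, "handle table too large (%lu bytes)\n", (unsigned long)len);
            return NULL;
        }
        len = next;
    }
}

/*
 * Entry point.  Prints the base and image name of the first module in the
 * SystemModuleInformation list, opens two handles to the current process
 * (OpenProcess and DuplicateHandle), then walks the SystemHandleInformation
 * table and prints the kernel Object pointer of the entries whose process id
 * and 16-bit handle value match those two handles.
 *
 * Pointers are printed with %p: %x consumes a 32-bit argument, which is
 * undefined for a pointer and on x64 shows only the low half.
 *
 * @return 0 on success, 1 when a required call fails.  Every handle and
 *         buffer is released on all paths.
 */
int main(void)
{
    int rc = 1;
    PSYSTEM_MODULE_INFORMATION pmodinf = NULL;
    PSYSTEM_HANDLE_INFORMATION phaninf = NULL;
    HANDLE self = NULL;
    HANDLE self2 = NULL;
    ULONG hlen = 0;
    char kname[260] = { 0 };

    /* ntdll is mapped into every process, so its exports can be resolved from
     * the already-loaded module without a LoadLibrary/FreeLibrary pair. */
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    _NtQuerySystemInformation NtQuerySystemInformation = NULL;
    if (ntdll) {
        NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation");
    }
    if (!NtQuerySystemInformation) {
        fprintf(stderr, "cannot resolve NtQuerySystemInformation: %lu\n", GetLastError());
        goto out;
    }

    DWORD cpid = GetCurrentProcessId();
    self = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, cpid);
    if (!self) {
        fprintf(stderr, "OpenProcess failed: %lu\n", GetLastError());
        goto out;
    }
    /* Access 0, no inheritance, no options: the handle only needs to exist so
     * that its value can be matched in the table below. */
    if (!DuplicateHandle(GetCurrentProcess(), GetCurrentProcess(), GetCurrentProcess(), &self2, 0, FALSE, 0)) {
        fprintf(stderr, "DuplicateHandle failed: %lu\n", GetLastError());
        goto out;
    }

    pmodinf = query_module_list(NtQuerySystemInformation);
    if (!pmodinf) {
        goto out;
    }
    /* ImageName is not guaranteed here to be NUL-terminated: bound the copy
     * by the field size and let snprintf terminate kname. */
    snprintf(kname, sizeof kname, "%.*s",
             (int)sizeof pmodinf->Module[0].ImageName, pmodinf->Module[0].ImageName);
    PVOID kbase = pmodinf->Module[0].Base;
    printf("kbase:%p\tkname:%s\n", kbase, kname);

    phaninf = query_handle_table(NtQuerySystemInformation, &hlen);
    if (!phaninf) {
        goto out;
    }

    /* Never trust HandleCount beyond what the buffer can actually hold. */
    ULONG capacity = (hlen - FIELD_OFFSET(SYSTEM_HANDLE_INFORMATION, Handles)) / sizeof(SYSTEM_HANDLE);
    ULONG count = phaninf->HandleCount < capacity ? phaninf->HandleCount : capacity;

    /* Handle values are 16-bit in this table; compare the low 16 bits of ours.
     * NOTE(review): ProcessId is compared whole, as declared; see the note on
     * SYSTEM_HANDLE if matches are unexpectedly missing. */
    USHORT self_val = (USHORT)(ULONG_PTR)self;
    USHORT self2_val = (USHORT)(ULONG_PTR)self2;
    for (ULONG i = 0; i < count; i++) {
        const SYSTEM_HANDLE *h = &phaninf->Handles[i];
        if (h->ProcessId != cpid) {
            continue;
        }
        printf("ObjectType:%u\n", (unsigned)h->ObjectTypeNumber);
        printf("Handle:%x,OpenProcessHandle:%p,DuplicateHandle:%p\n", (unsigned)h->Handle, self, self2);
        puts("");
        if (h->Handle == self_val) {
            puts("=============================");
            printf("OpenProcessHandle\tEProcess Found!%p\n", h->Object);
            puts("=============================");
        }
        if (h->Handle == self2_val) {
            puts("=============================");
            printf("DuplicateHandle\tEProcess Found!%p\n", h->Object);
            puts("=============================");
        }
    }
    rc = 0;

out:
    if (phaninf) {
        freea(phaninf);
    }
    if (pmodinf) {
        freea(pmodinf);
    }
    if (self2) {
        CloseHandle(self2);
    }
    if (self) {
        CloseHandle(self);
    }
    return rc;
}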
我想在 Win x64 中获取我的进程的 EPROCESS 地址,但是失败了。请不要使用内核函数 PsGetCurrentProcess!我希望我的代码在用户模式下工作,而不是内核模式!