
A brief introduction to the x64 PEB && some PEB-related functions

Published: 2016-12-3 17:48:06   Editor: www.fx114.net 分享查询网

Although manipulating the PEB block is of little practical value nowadays, the PEB is still an important structure from the kernel's point of view, so it deserves a mention here. The x64 EPROCESS structure:

    +0x000 Pcb : _KPROCESS
    +0x160 ProcessLock : _EX_PUSH_LOCK
    +0x168 CreateTime : _LARGE_INTEGER
    +0x170 ExitTime : _LARGE_INTEGER
    +0x178 RundownProtect : _EX_RUNDOWN_REF
    +0x180 UniqueProcessId : Ptr64 Void
    +0x188 ActiveProcessLinks : _LIST_ENTRY
    +0x198 ProcessQuotaUsage : [2] Uint8B
    +0x1a8 ProcessQuotaPeak : [2] Uint8B
    +0x1b8 CommitCharge : Uint8B
    +0x1c0 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
    +0x1c8 CpuQuotaBlock : Ptr64 _PS_CPU_QUOTA_BLOCK
    +0x1d0 PeakVirtualSize : Uint8B
    +0x1d8 VirtualSize : Uint8B
    +0x1e0 SessionProcessLinks : _LIST_ENTRY
    +0x1f0 DebugPort : Ptr64 Void
    +0x1f8 ExceptionPortData : Ptr64 Void
    +0x1f8 ExceptionPortValue : Uint8B
    +0x1f8 ExceptionPortState : Pos 0, 3 Bits
    +0x200 ObjectTable : Ptr64 _HANDLE_TABLE
    +0x208 Token : _EX_FAST_REF
    +0x210 WorkingSetPage : Uint8B
    +0x218 AddressCreationLock : _EX_PUSH_LOCK
    +0x220 RotateInProgress : Ptr64 _ETHREAD
    +0x228 ForkInProgress : Ptr64 _ETHREAD
    +0x230 HardwareTrigger : Uint8B
    +0x238 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
    +0x240 CloneRoot : Ptr64 Void
    +0x248 NumberOfPrivatePages : Uint8B
    +0x250 NumberOfLockedPages : Uint8B
    +0x258 Win32Process : Ptr64 Void
    +0x260 Job : Ptr64 _EJOB
    +0x268 SectionObject : Ptr64 Void
    +0x270 SectionBaseAddress : Ptr64 Void
    +0x278 Cookie : Uint4B
    +0x27c UmsScheduledThreads : Uint4B
    +0x280 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
    +0x288 Win32WindowStation : Ptr64 Void
    +0x290 InheritedFromUniqueProcessId : Ptr64 Void
    +0x298 LdtInformation : Ptr64 Void
    +0x2a0 Spare : Ptr64 Void
    +0x2a8 ConsoleHostProcess : Uint8B
    +0x2b0 DeviceMap : Ptr64 Void
    +0x2b8 EtwDataSource : Ptr64 Void
    +0x2c0 FreeTebHint : Ptr64 Void
    +0x2c8 FreeUmsTebHint : Ptr64 Void
    +0x2d0 PageDirectoryPte : _HARDWARE_PTE
    +0x2d0 Filler : Uint8B
    +0x2d8 Session : Ptr64 Void
    +0x2e0 ImageFileName : [15] UChar
    +0x2ef PriorityClass : UChar
    +0x2f0 JobLinks : _LIST_ENTRY
    +0x300 LockedPagesList : Ptr64 Void
    +0x308 ThreadListHead : _LIST_ENTRY
    +0x318 SecurityPort : Ptr64 Void
    +0x320 Wow64Process : Ptr64 Void
    +0x328 ActiveThreads : Uint4B
    +0x32c ImagePathHash : Uint4B
    +0x330 DefaultHardErrorProcessing : Uint4B
    +0x334 LastThreadExitStatus : Int4B
    +0x338 Peb : Ptr64 _PEB
    +0x340 PrefetchTrace : _EX_FAST_REF
    +0x348 ReadOperationCount : _LARGE_INTEGER
    +0x350 WriteOperationCount : _LARGE_INTEGER
    +0x358 OtherOperationCount : _LARGE_INTEGER
    +0x360 ReadTransferCount : _LARGE_INTEGER
    +0x368 WriteTransferCount : _LARGE_INTEGER
    +0x370 OtherTransferCount : _LARGE_INTEGER
    +0x378 CommitChargeLimit : Uint8B
    +0x380 CommitChargePeak : Uint8B
    +0x388 AweInfo : Ptr64 Void
    +0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
    +0x398 Vm : _MMSUPPORT
    +0x420 MmProcessLinks : _LIST_ENTRY
    +0x430 HighestUserAddress : Ptr64 Void
    +0x438 ModifiedPageCount : Uint4B
    +0x43c Flags2 : Uint4B
    +0x43c JobNotReallyActive : Pos 0, 1 Bit
    +0x43c AccountingFolded : Pos 1, 1 Bit
    +0x43c NewProcessReported : Pos 2, 1 Bit
    +0x43c ExitProcessReported : Pos 3, 1 Bit
    +0x43c ReportCommitChanges : Pos 4, 1 Bit
    +0x43c LastReportMemory : Pos 5, 1 Bit
    +0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit
    +0x43c HandleTableRundown : Pos 7, 1 Bit
    +0x43c NeedsHandleRundown : Pos 8, 1 Bit
    +0x43c RefTraceEnabled : Pos 9, 1 Bit
    +0x43c NumaAware : Pos 10, 1 Bit
    +0x43c ProtectedProcess : Pos 11, 1 Bit
    +0x43c DefaultPagePriority : Pos 12, 3 Bits
    +0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
    +0x43c ProcessVerifierTarget : Pos 16, 1 Bit
    +0x43c StackRandomizationDisabled : Pos 17, 1 Bit
    +0x43c AffinityPermanent : Pos 18, 1 Bit
    +0x43c AffinityUpdateEnable : Pos 19, 1 Bit
    +0x43c PropagateNode : Pos 20, 1 Bit
    +0x43c ExplicitAffinity : Pos 21, 1 Bit
    +0x440 Flags : Uint4B
    +0x440 CreateReported : Pos 0, 1 Bit
    +0x440 NoDebugInherit : Pos 1, 1 Bit
    +0x440 ProcessExiting : Pos 2, 1 Bit
    +0x440 ProcessDelete : Pos 3, 1 Bit
    +0x440 Wow64SplitPages : Pos 4, 1 Bit
    +0x440 VmDeleted : Pos 5, 1 Bit
    +0x440 OutswapEnabled : Pos 6, 1 Bit
    +0x440 Outswapped : Pos 7, 1 Bit
    +0x440 ForkFailed : Pos 8, 1 Bit
    +0x440 Wow64VaSpace4Gb : Pos 9, 1 Bit
    +0x440 AddressSpaceInitialized : Pos 10, 2 Bits
    +0x440 SetTimerResolution : Pos 12, 1 Bit
    +0x440 BreakOnTermination : Pos 13, 1 Bit
    +0x440 DeprioritizeViews : Pos 14, 1 Bit
    +0x440 WriteWatch : Pos 15, 1 Bit
    +0x440 ProcessInSession : Pos 16, 1 Bit
    +0x440 OverrideAddressSpace : Pos 17, 1 Bit
    +0x440 HasAddressSpace : Pos 18, 1 Bit
    +0x440 LaunchPrefetched : Pos 19, 1 Bit
    +0x440 InjectInpageErrors : Pos 20, 1 Bit
    +0x440 VmTopDown : Pos 21, 1 Bit
    +0x440 ImageNotifyDone : Pos 22, 1 Bit
    +0x440 PdeUpdateNeeded : Pos 23, 1 Bit
    +0x440 VdmAllowed : Pos 24, 1 Bit
    +0x440 CrossSessionCreate : Pos 25, 1 Bit
    +0x440 ProcessInserted : Pos 26, 1 Bit
    +0x440 DefaultIoPriority : Pos 27, 3 Bits
    +0x440 ProcessSelfDelete : Pos 30, 1 Bit
    +0x440 SetTimerResolutionLink : Pos 31, 1 Bit
    +0x444 ExitStatus : Int4B
    +0x448 VadRoot : _MM_AVL_TABLE
    +0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
    +0x4a8 TimerResolutionLink : _LIST_ENTRY
    +0x4b8 RequestedTimerResolution : Uint4B
    +0x4bc ActiveThreadsHighWatermark : Uint4B
    +0x4c0 SmallestTimerResolution : Uint4B
    +0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD

The PEB block is pointed to from offset 0x338 of the EPROCESS block, and the PEB itself lives in user-mode address space.

On x86, finding the PEB is simple:

    __asm {
        mov eax, fs:[0x30]      // TEB + 0x30 holds the PEB pointer
        mov peb, eax
        //mov eax, [eax+0x10]
    }

On a 64-bit system the PEB block is at gs:[60h]:

    .code
    Getgs proc
        mov rax, gs:[60h]       ; TEB + 0x60 holds the PEB pointer
        ret
    Getgs endp
    end

In the .def file, enter:

    EXPORTS Getgs

In the .inc file, enter:

    Getgs proto

Then build. In the C/C++ source file, declare:

    #pragma comment(lib, "xxx.lib")
    typedef unsigned __int64 QWORD;
    extern "C" QWORD __stdcall Getgs();

and you have the PEB address.

The layout of the x64 PEB; a quick look in windbg shows it:

    +0x000 InheritedAddressSpace : UChar
    +0x001 ReadImageFileExecOptions : UChar
    +0x002 BeingDebugged : UChar
    +0x003 BitField : UChar
    +0x003 ImageUsesLargePages : Pos 0, 1 Bit
    +0x003 IsProtectedProcess : Pos 1, 1 Bit
    +0x003 IsLegacyProcess : Pos 2, 1 Bit
    +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
    +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
    +0x003 SpareBits : Pos 5, 3 Bits
    +0x008 Mutant : Ptr64 Void
    +0x010 ImageBaseAddress : Ptr64 Void
    +0x018 Ldr : Ptr64 _PEB_LDR_DATA
    +0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
    +0x028 SubSystemData : Ptr64 Void
    +0x030 ProcessHeap : Ptr64 Void
    +0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
    +0x040 AtlThunkSListPtr : Ptr64 Void
    +0x048 IFEOKey : Ptr64 Void
    +0x050 CrossProcessFlags : Uint4B
    +0x050 ProcessInJob : Pos 0, 1 Bit
    +0x050 ProcessInitializing : Pos 1, 1 Bit
    +0x050 ProcessUsingVEH : Pos 2, 1 Bit
    +0x050 ProcessUsingVCH : Pos 3, 1 Bit
    +0x050 ProcessUsingFTH : Pos 4, 1 Bit
    +0x050 ReservedBits0 : Pos 5, 27 Bits
    +0x058 KernelCallbackTable : Ptr64 Void
    +0x058 UserSharedInfoPtr : Ptr64 Void
    +0x060 SystemReserved : [1] Uint4B
    +0x064 AtlThunkSListPtr32 : Uint4B
    +0x068 ApiSetMap : Ptr64 Void
    +0x070 TlsExpansionCounter : Uint4B
    +0x078 TlsBitmap : Ptr64 Void
    +0x080 TlsBitmapBits : [2] Uint4B
    +0x088 ReadOnlySharedMemoryBase : Ptr64 Void
    +0x090 HotpatchInformation : Ptr64 Void
    +0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
    +0x0a0 AnsiCodePageData : Ptr64 Void
    +0x0a8 OemCodePageData : Ptr64 Void
    +0x0b0 UnicodeCaseTableData : Ptr64 Void
    +0x0b8 NumberOfProcessors : Uint4B
    +0x0bc NtGlobalFlag : Uint4B
    +0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
    +0x0c8 HeapSegmentReserve : Uint8B
    +0x0d0 HeapSegmentCommit : Uint8B
    +0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
    +0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
    +0x0e8 NumberOfHeaps : Uint4B
    +0x0ec MaximumNumberOfHeaps : Uint4B
    +0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
    +0x0f8 GdiSharedHandleTable : Ptr64 Void
    +0x100 ProcessStarterHelper : Ptr64 Void
    +0x108 GdiDCAttributeList : Uint4B
    +0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
    +0x118 OSMajorVersion : Uint4B
    +0x11c OSMinorVersion : Uint4B
    +0x120 OSBuildNumber : Uint2B
    +0x122 OSCSDVersion : Uint2B
    +0x124 OSPlatformId : Uint4B
    +0x128 ImageSubsystem : Uint4B
    +0x12c ImageSubsystemMajorVersion : Uint4B
    +0x130 ImageSubsystemMinorVersion : Uint4B
    +0x138 ActiveProcessAffinityMask : Uint8B
    +0x140 GdiHandleBuffer : [60] Uint4B
    +0x230 PostProcessInitRoutine : Ptr64 void
    +0x238 TlsExpansionBitmap : Ptr64 Void
    +0x240 TlsExpansionBitmapBits : [32] Uint4B
    +0x2c0 SessionId : Uint4B
    +0x2c8 AppCompatFlags : _ULARGE_INTEGER
    +0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
    +0x2d8 pShimData : Ptr64 Void
    +0x2e0 AppCompatInfo : Ptr64 Void
    +0x2e8 CSDVersion : _UNICODE_STRING
    +0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
    +0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
    +0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
    +0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
    +0x318 MinimumStackCommit : Uint8B
    +0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO
    +0x328 FlsListHead : _LIST_ENTRY
    +0x338 FlsBitmap : Ptr64 Void
    +0x340 FlsBitmapBits : [4] Uint4B
    +0x350 FlsHighIndex : Uint4B
    +0x358 WerRegistrationData : Ptr64 Void
    +0x360 WerShipAssertPtr : Ptr64 Void
    +0x368 pContextData : Ptr64 Void
    +0x370 pImageHeaderHash : Ptr64 Void
    +0x378 TracingFlags : Uint4B
    +0x378 HeapTracingEnabled : Pos 0, 1 Bit
    +0x378 CritSecTracingEnabled : Pos 1, 1 Bit
    +0x378 SpareTracingBits : Pos 2, 30 Bits

Now get the current PEB of this machine:

    kd> !peb
    PEB at 000007fffffd5000
        InheritedAddressSpace:    No
        ReadImageFileExecOptions: No
        BeingDebugged:            No
        ImageBaseAddress:         00000000ffec0000
        Ldr                       0000000077572640
        Ldr.Initialized:          Yes
        Ldr.InInitializationOrderModuleList: 00000000001d2730 . 00000000001e8100
        Ldr.InLoadOrderModuleList:           00000000001d2620 . 00000000001e81d0
        Ldr.InMemoryOrderModuleList:         00000000001d2630 . 00000000001e81e0
                Base TimeStamp                     Module
            ffec0000 4ce79f61 Nov 20 18:13:53 2010 C:\Windows\system32\slui.exe
            77440000 4ce7c8f9 Nov 20 21:11:21 2010 C:\Windows\SYSTEM32\ntdll.dll
            77320000 4ce7c78b Nov 20 21:05:15 2010 C:\Windows\system32\kernel32.dll
         7fefd440000 4ce7c78c Nov 20 21:05:16 2010 C:\Windows\system32\KERNELBASE.dll
         7feff5f0000 4a5bde6b Jul 14 09:24:59 2009 C:\Windows\system32\ADVAPI32.dll
         7feff190000 4a5bdfbe Jul 14 09:30:38 2009 C:\Windows\system32\msvcrt.dll
         7feff3e0000 4a5be05e Jul 14 09:33:18 2009 C:\Windows\SYSTEM32\sechost.dll
         7fefd770000 4ce7c96e Nov 20 21:13:18 2010 C:\Windows\system32\RPCRT4.dll
            77220000 4ce7c9f1 Nov 20 21:15:29 2010 C:\Windows\system32\USER32.dll
         7feff6d0000 4ce7c651 Nov 20 21:00:01 2010 C:\Windows\system32\GDI32.dll
         7fefd760000 4a5bdf5f Jul 14 09:29:03 2009 C:\Windows\system32\LPK.dll
         7fefdd80000 4ce7c9f5 Nov 20 21:15:33 2010 C:\Windows\system32\USP10.dll
         7fefa5b0000 4a5be067 Jul 14 09:33:27 2009 C:\Windows\system32\sppcommdlg.dll
         7fefc000000 4ce7c45b Nov 20 20:51:39 2010 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll
         7feff360000 4ce7c9ab Nov 20 21:14:19 2010 C:\Windows\system32\SHLWAPI.dll
         7feff460000 4a5bdf40 Jul 14 09:28:32 2009 C:\Windows\system32\IMM32.dll
         7fefe150000 4a5bdfaa Jul 14 09:30:18 2009 C:\Windows\system32\MSCTF.dll
         7fefd8f0000 4ce7c92c Nov 20 21:12:12 2010 C:\Windows\system32\ole32.dll
         7feff510000 4ce7c930 Nov 20 21:12:16 2010 C:\Windows\system32\OLEAUT32.dll
         7fefe260000 4ce7c9a6 Nov 20 21:14:14 2010 C:\Windows\system32\SHELL32.dll
         7fefb870000 4a5be0a2 Jul 14 09:34:26 2009 C:\Windows\system32\WINBRAND.dll
         7fefae10000 4a5be063 Jul 14 09:33:23 2009 C:\Windows\system32\slc.dll
         7fefa560000 4ce7c946 Nov 20 21:12:38 2010 C:\Windows\system32\SPPC.DLL
         7fefd280000 4a5bdf91 Jul 14 09:29:53 2009 C:\Windows\system32\CRYPTBASE.dll
         7fefbe20000 4a5be093 Jul 14 09:34:11 2009 C:\Windows\system32\uxtheme.dll
         7fefdce0000 4a5bdeba Jul 14 09:26:18 2009 C:\Windows\system32\CLBCatQ.DLL
         7fefcc40000 4a5bdf96 Jul 14 09:29:58 2009 C:\Windows\system32\CRYPTSP.dll
         7fefc940000 4a5be039 Jul 14 09:32:41 2009 C:\Windows\system32\rsaenh.dll
         7fefd330000 4ce7c96f Nov 20 21:13:19 2010 C:\Windows\system32\RpcRtRemote.dll
         7fefa500000 4ce7c9c0 Nov 20 21:14:40 2010 C:\Windows\system32\sppcomapi.dll
        SubSystemData:     0000000000000000
        ProcessHeap:       00000000001d0000
        ProcessParameters: 00000000001d1d50
        CurrentDirectory:  'C:\Windows\system32\'
        WindowTitle:  'C:\Windows\system32\slui.exe'
        ImageFile:    'C:\Windows\system32\slui.exe'
        CommandLine:  '"C:\Windows\system32\slui.exe"'
        DllPath:      'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
        Environment:  00000000001d1320
            ALLUSERSPROFILE=C:\ProgramData
            APPDATA=C:\Users\BillG\AppData\Roaming
            CommonProgramFiles=C:\Program Files\Common Files
            CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
            CommonProgramW6432=C:\Program Files\Common Files
            COMPUTERNAME=WIN-TQVCU2J0T9S
            ComSpec=C:\Windows\system32\cmd.exe
            FP_NO_HOST_CHECK=NO
            HOMEDRIVE=C:
            HOMEPATH=\Users\BillG
            LOCALAPPDATA=C:\Users\BillG\AppData\Local
            LOGONSERVER=\\WIN-TQVCU2J0T9S
            NUMBER_OF_PROCESSORS=1
            OS=Windows_NT
            Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
            PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
            PROCESSOR_ARCHITECTURE=AMD64
            PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 58 Stepping 9, GenuineIntel
            PROCESSOR_LEVEL=6
            PROCESSOR_REVISION=3a09
            ProgramData=C:\ProgramData
            ProgramFiles=C:\Program Files
            ProgramFiles(x86)=C:\Program Files (x86)
            ProgramW6432=C:\Program Files
            PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
            PUBLIC=C:\Users\Public
            SESSIONNAME=Console
            SystemDrive=C:
            SystemRoot=C:\Windows
            TEMP=C:\Users\BillG\AppData\Local\Temp
            TMP=C:\Users\BillG\AppData\Local\Temp
            USERDOMAIN=WIN-TQVCU2J0T9S
            USERNAME=BillG
            USERPROFILE=C:\Users\BillG
            windir=C:\Windows
            windows_tracing_flags=3
            windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

    kd> dt 000007fffffd5000 _PEB_LDR_DATA
    nt!_PEB_LDR_DATA
       +0x000 Length : 0x8000000
       +0x004 Initialized : 0 ''
       +0x008 SsHandle : 0xffffffff`ffffffff Void
       +0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`ffec0000 - 0x77572640 ]
       +0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`001d1d50 - 0x0 ]
       +0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`001d0000 - 0x7757a900 ]
       +0x040 EntryInProgress : (null)
       +0x048 ShutdownInProgress : 0 ''
       +0x050 ShutdownThreadId : 0x00000000`00000001 Void

InLoadOrderModuleList, InMemoryOrderModuleList and InInitializationOrderModuleList are three lists built in load order, memory-image order and initialization order respectively. Their Flink/Blink members point into _LDR_DATA_TABLE_ENTRY structures:

    kd> dt _LDR_DATA_TABLE_ENTRY
    nt!_LDR_DATA_TABLE_ENTRY
       +0x000 InLoadOrderLinks : _LIST_ENTRY
       +0x010 InMemoryOrderLinks : _LIST_ENTRY
       +0x020 InInitializationOrderLinks : _LIST_ENTRY
       +0x030 DllBase : Ptr64 Void
       +0x038 EntryPoint : Ptr64 Void
       +0x040 SizeOfImage : Uint4B
       +0x048 FullDllName : _UNICODE_STRING
       +0x058 BaseDllName : _UNICODE_STRING
       +0x068 Flags : Uint4B
       +0x06c LoadCount : Uint2B
       +0x06e TlsIndex : Uint2B
       +0x070 HashLinks : _LIST_ENTRY
       +0x070 SectionPointer : Ptr64 Void
       +0x078 CheckSum : Uint4B
       +0x080 TimeDateStamp : Uint4B
       +0x080 LoadedImports : Ptr64 Void
       +0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
       +0x090 PatchInformation : Ptr64 Void
       +0x098 ForwarderLinks : _LIST_ENTRY
       +0x0a8 ServiceTagLinks : _LIST_ENTRY
       +0x0b8 StaticLinks : _LIST_ENTRY
       +0x0c8 ContextInformation : Ptr64 Void
       +0x0d0 OriginalBase : Uint8B
       +0x0d8 LoadTime : _LARGE_INTEGER

At this point the important PEB structures have all been laid out in full. If a virus/trojan wants to hide its module in the PEB, it has to wipe all three lists. Even so, some powerful tools detect PEB unlinking; it is usually the SizeOfImage field in _LDR_DATA_TABLE_ENTRY that gives you away, so we should change the SizeOfImage value to make it look closer to the real one. Some old programs obtain the EXE's ImagePathName through the PEB block, and in the past some trojans also modified members of the RTL_USER_PROCESS_PARAMETERS structure to fool firewalls.

Here is a summary of some Ring3 functions for obtaining a process's modules:

    CreateToolhelp32Snapshot
    NtQueryInformationProcess
    EnumProcessModules

All three methods, without exception, are implemented underneath by walking the PEB block. For 1 and 3, if you don't believe it, reverse them yourself. For the second one, here is the WRK source of NtQueryInformationProcess:

    NTSTATUS
    NtQueryInformationProcess(
        __in HANDLE ProcessHandle,
        __in PROCESSINFOCLASS ProcessInformationClass,
        __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
        __in ULONG ProcessInformationLength,
        __out_opt PULONG ReturnLength
        )
        // ... (WRK lines 597-731 omitted)
        case ProcessBasicInformation:

            if (ProcessInformationLength != (ULONG) sizeof(PROCESS_BASIC_INFORMATION)) {
                return STATUS_INFO_LENGTH_MISMATCH;
            }

            st = ObReferenceObjectByHandle (ProcessHandle,
                                            PROCESS_QUERY_INFORMATION,
                                            PsProcessType,
                                            PreviousMode,
                                            &Process,
                                            NULL);
            if (!NT_SUCCESS (st)) {
                return st;
            }

            BasicInfo.ExitStatus = Process->ExitStatus;
            BasicInfo.PebBaseAddress = Process->Peb;
            BasicInfo.AffinityMask = Process->Pcb.Affinity;
            BasicInfo.BasePriority = Process->Pcb.BasePriority;
            BasicInfo.UniqueProcessId = (ULONG_PTR)Process->UniqueProcessId;
            BasicInfo.InheritedFromUniqueProcessId = (ULONG_PTR)Process->InheritedFromUniqueProcessId;

            ObDereferenceObject(Process);

            //
            // Either of these may cause an access violation. The
            // exception handler will return access violation as
            // status code. No further cleanup needs to be done.
            //

            try {
                *(PPROCESS_BASIC_INFORMATION) ProcessInformation = BasicInfo;

                if (ARGUMENT_PRESENT (ReturnLength) ) {
                    *ReturnLength = sizeof(PROCESS_BASIC_INFORMATION);
                }
            } except (EXCEPTION_EXECUTE_HANDLER) {
                return GetExceptionCode ();
            }

            return STATUS_SUCCESS;

So searching for process modules from R3 with the functions above is actually quite weak. ZwQueryVirtualMemory, however, walks the process's virtual address space, which in practice means enumerating the VAD tree. The root of the VAD tree is in the EPROCESS block and it is a balanced tree; unlinking cannot evade this kind of detection.
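The closing paragraphs (unlinking from the three Ldr lists, SizeOfImage giving it away, and a VAD / ZwQueryVirtualMemory walk catching what unlinking hides) expressed as a detection check, an added example in Python that is not from the original post: it walks the three lists in a constructed x64 memory image using the offsets from the dumps above, then cross-checks every mapped PE image (what a VAD walk would report) against the Ldr entries, flagging modules that are missing from a list or whose Ldr SizeOfImage disagrees with the PE header. The fake memory layout, addresses, module bases and sizes are all constructed for the example.

```python
import struct

# Field offsets taken from the windbg dumps on this page (Windows 7 x64).
LIST_HEAD = {"load": 0x10, "memory": 0x20, "init": 0x30}  # list heads in _PEB_LDR_DATA
LINK_OFF = {"load": 0x00, "memory": 0x10, "init": 0x20}   # link fields in _LDR_DATA_TABLE_ENTRY
DLLBASE, SIZEOFIMAGE = 0x30, 0x40                          # also in _LDR_DATA_TABLE_ENTRY
PE_SIZEOFIMAGE = 0x50  # SizeOfImage relative to the "PE\0\0" signature (PE32 and PE32+)
LDR = 0x1000           # address of the constructed _PEB_LDR_DATA inside the fake memory
def u64(mem, addr): return struct.unpack_from("<Q", mem, addr)[0]
def u32(mem, addr): return struct.unpack_from("<I", mem, addr)[0]

def walk_list(mem, name, limit=256):
    """Follow Flink around one Ldr list; return {DllBase: SizeOfImage}."""
    head = LDR + LIST_HEAD[name]; out, link = {}, u64(mem, head)
    while link != head and (limit := limit - 1) >= 0:   # bound guards against a corrupted cycle
        entry = link - LINK_OFF[name]                     # CONTAINING_RECORD
        out[u64(mem, entry + DLLBASE)] = u32(mem, entry + SIZEOFIMAGE)
        link = u64(mem, entry + LINK_OFF[name])
    return out

def audit(mem, regions, exe_base):
    """Compare the Ldr lists with the image mappings a VAD walk reports; return [(base, reason)]."""
    lists, findings = {n: walk_list(mem, n) for n in LIST_HEAD}, []
    for base in regions:
        if mem[base:base + 2] != b"MZ": continue          # not a PE image mapping
        hdr_size = u32(mem, base + u32(mem, base + 0x3c) + PE_SIZEOFIMAGE)
        # the main EXE is never on the initialization-order list, so do not demand it there
        missing = [n for n in LIST_HEAD if base not in lists[n] and not (n == "init" and base == exe_base)]
        if missing:
            findings.append((base, "absent from " + ",".join(missing)))
        elif lists["load"][base] != hdr_size:
            findings.append((base, f"Ldr SizeOfImage {lists['load'][base]:#x} != PE header {hdr_size:#x}"))
    return findings

def build_memory(modules, exe_base, unlink=()):
    """Constructed address space: PE header at each DllBase, one entry per module, all three
    lists linked except the (base, list) pairs in `unlink`. Returns (mem, {base: entry addr})."""
    mem, entries = bytearray(0x10000), {}
    for i, (base, size) in enumerate(modules):
        e = entries[base] = 0x2000 + i * 0x100
        struct.pack_into("<Q8xI", mem, e + DLLBASE, base, size)        # DllBase, (EntryPoint), SizeOfImage
        mem[base:base + 2] = b"MZ"; struct.pack_into("<I", mem, base + 0x3c, 0x80)   # e_lfanew
        struct.pack_into("<4s76xI", mem, base + 0x80, b"PE\0\0", size)  # signature ... SizeOfImage
    for name in LIST_HEAD:
        nodes = [LDR + LIST_HEAD[name]] + [entries[b] + LINK_OFF[name] for b, _ in modules
                 if (b, name) not in unlink and not (name == "init" and b == exe_base)]
        for i, n in enumerate(nodes):                     # circular doubly-linked list (Flink, Blink)
            struct.pack_into("<QQ", mem, n, nodes[(i + 1) % len(nodes)], nodes[i - 1])
    return mem, entries

MODULES = [(0x4000, 0x2000), (0x6000, 0x1000), (0x8000, 0x1000)]  # constructed: exe + two DLLs
def demo():
    regions, exe = [b for b, _ in MODULES], 0x4000
    clean, ent = build_memory(MODULES, exe)
    hidden, _ = build_memory(MODULES, exe, unlink={(0x8000, n) for n in LIST_HEAD})
    lied = bytearray(clean); struct.pack_into("<I", lied, ent[0x6000] + SIZEOFIMAGE, 0x10)  # Ldr lies about size
    return [audit(m, regions, exe) for m in (clean, hidden, lied)]
```

On a live system the `regions` input would come from a memory-region walk (ZwQueryVirtualMemory) rather than a constructed list, and the PE header read must tolerate unmapped or guarded pages.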
