
获得进程的EPROCESS


获得进程的EPROCESS（Obtaining a process's EPROCESS address from user mode）

 
 
 
 
 

      /*
       * ntdef.h
       *************************************************************************
       */

 

      /*
       *************************************************************************
       * <<Windows NT/2000 Native API Reference>> - Gary Nebbett
       */

 

      /*
       * ZwQuerySystemInformation information classes.  Only the one class this
       * listing queries is declared: SystemHandleInformation (class 16) returns
       * the system-wide handle table.
       */
      enum _SYSTEM_INFORMATION_CLASS
      {
          SystemHandleInformation = 0x10
      };
      typedef enum _SYSTEM_INFORMATION_CLASS SYSTEM_INFORMATION_CLASS;

 

      /*
       * Information Class 16 (SystemHandleInformation): one entry per handle
       */

      /*
       * One entry of the SystemHandleInformation (class 16) result, as given in
       * Nebbett's Native API Reference.  The buffer returned by
       * ZwQuerySystemInformation starts with a ULONG entry count followed by an
       * array of these entries (see GetEprocessFromPid).  The layout is the
       * 32-bit one this listing targets; on 64-bit the Object pointer widens
       * the entry, so nothing here should be addressed with hard-coded offsets.
       */
      typedef struct _SYSTEM_HANDLE_INFORMATION 
      { 
          ULONG            ProcessId;          /* process that OWNS the handle (not the handle's target) */
          UCHAR            ObjectTypeNumber;   /* object-type index; GetEprocessFromPid compares it with 5 ("Process") */
          UCHAR            Flags; 
          USHORT            Handle;            /* handle value inside the owner's table */
          PVOID            Object;             /* kernel address of the object - an EPROCESS for Process handles */
          ACCESS_MASK        GrantedAccess; 
      } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 

 

      /*
       * Fill in an OBJECT_ATTRIBUTES block, in the same form as the SDK macro:
       * p = block to initialise, n = object name, a = attributes,
       * r = root directory, s = security descriptor.  Every argument is
       * expanded exactly once and SecurityQualityOfService is always cleared.
       * Not used by this listing.
       */
      #define InitializeObjectAttributes( p, n, a, r, s )                   \
      {                                                                     \
          (p)->Length                   = sizeof( OBJECT_ATTRIBUTES );      \
          (p)->RootDirectory            = r;                                \
          (p)->Attributes               = a;                                \
          (p)->ObjectName               = n;                                \
          (p)->SecurityDescriptor       = s;                                \
          (p)->SecurityQualityOfService = NULL;                             \
      }

      /*
       *************************************************************************
       * <<Windows NT/2000 Native API Reference>> - Gary Nebbett
       *************************************************************************
       */

      /* ntdll!RtlNtStatusToDosError - declared for completeness, not called
       * anywhere in this listing. */
      typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR )( IN NTSTATUS Status );

      /* ntdll!ZwQuerySystemInformation.  For SystemHandleInformation the call
       * returns STATUS_INFO_LENGTH_MISMATCH until SystemInformationLength is
       * large enough, which is why GetEprocessFromPid grows its buffer in a
       * loop; ReturnLength may be passed as NULL. */
      typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION )(
          IN     SYSTEM_INFORMATION_CLASS SystemInformationClass,
          IN OUT PVOID                    SystemInformation,
          IN     ULONG                    SystemInformationLength,
          OUT    PULONG                   ReturnLength OPTIONAL );

      

      /*************************************************************************
       *
       *                            Function Prototype
       *
       *************************************************************************/

 

      /* Forward declarations; both helpers are file-local. */
      static DWORD GetEprocessFromPid( ULONG PID );   /* EPROCESS address for PID, 0 on failure */
      static BOOL  LocateNtdllEntry( void );          /* resolves ZwQuerySystemInformation   */

 

 

      

      /*************************************************************************
       *
       *                            Static Global Var
       *
       *************************************************************************/

 

      /* ntdll entry points, resolved at run time by LocateNtdllEntry().
       * Only ZwQuerySystemInformation is resolved and used in this listing;
       * RtlNtStatusToDosError is never assigned and stays NULL. */
      static RTLNTSTATUSTODOSERROR    RtlNtStatusToDosError    = NULL;
      static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

      /* Not referenced anywhere in this listing. */
      static HMODULE hModule = NULL;

      

      /*************************************************************************/

 

 

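      /*
       * Return the kernel EPROCESS address for process PID, found by scanning
       * the system-wide handle table (ZwQuerySystemInformation, class 16).
       *
       * The result is the Object field of the first entry whose owning process
       * is PID and whose ObjectTypeNumber is 5 - the Process object-type index
       * on the NT/2000-era systems this listing was written for; that index is
       * not stable across Windows versions.  ProcessId in an entry is the
       * handle's OWNER, not its target, so what is matched is a Process-type
       * handle held *by* PID.  main() relies on that by opening a handle to
       * itself first; any earlier Process handle in PID's table (a child, an
       * inherited handle) would be matched instead.
       *
       * Security note: this is a user-mode disclosure of a kernel address, the
       * kind of primitive KASLR hardening targets.  Newer Windows releases
       * withhold the Object pointer from low-integrity callers, in which case
       * the scan finds a zero pointer and this function returns 0.
       *
       * Fixes versus the listing as published: the entry count is read from
       * the buffer (the listing cast the buffer ADDRESS to ULONG and used it
       * as the count); the count is bounds-checked against the bytes actually
       * received before indexing; the buffer is freed on the success path too
       * (it leaked); an unresolved ZwQuerySystemInformation is rejected rather
       * than dereferenced; and the doubling loop is capped before size wraps.
       *
       * PID:     process id whose handle-table entries are matched.
       * Returns: the EPROCESS address cast to DWORD (the listing targets a
       *          32-bit process; on 64-bit this truncates), or 0 (FALSE) when
       *          the query fails, nothing matches, or the kernel hid the pointer.
       */
      static DWORD GetEprocessFromPid ( ULONG PID )
      {
          /* Shape of the class-16 result: a ULONG count followed by an array of
           * entries.  Declaring it as a struct lets the compiler place Handles[]
           * at its natural alignment instead of the listing's hard-coded "+4",
           * which is only right for a 32-bit build. */
          typedef struct _HANDLE_LIST
          {
              ULONG                     NumberOfHandles;
              SYSTEM_HANDLE_INFORMATION Handles[1];
          } HANDLE_LIST, *PHANDLE_LIST;

          enum
          {
              PROCESS_OBJECT_TYPE = 5,        /* ObjectTypeNumber of Process objects (NT/2000 era) */
              MAX_QUERY_SIZE      = 1 << 30   /* give up before the ULONG buffer size wraps to 0 */
          };

          NTSTATUS     status;
          PHANDLE_LIST list   = NULL;
          ULONG        size;
          ULONG        header;
          ULONG        i;
          DWORD        result = FALSE;

          /* LocateNtdllEntry() not called, or it failed. */
          if ( ZwQuerySystemInformation == NULL )
          {
              printf( "ZwQuerySystemInformation() not resolved\n" );
              return FALSE;
          }

          /* The required length is not known up front: double the buffer until
           * the call stops reporting STATUS_INFO_LENGTH_MISMATCH. */
          for ( size = 1; ; size *= 2 )
          {
              if ( size > MAX_QUERY_SIZE )
              {
                  fprintf( stderr, "handle table exceeds %u bytes\n", (unsigned)MAX_QUERY_SIZE );
                  goto GetEprocessFromPid_exit;
              }
              if ( NULL == ( list = calloc( size, 1 ) ) )
              {
                  fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
                  goto GetEprocessFromPid_exit;
              }
              status = ZwQuerySystemInformation( SystemHandleInformation, list, size, NULL );
              if ( NT_SUCCESS( status ) )
              {
                  break;
              }
              free( list );
              list = NULL;
              if ( STATUS_INFO_LENGTH_MISMATCH != status )
              {
                  printf( "ZwQuerySystemInformation() failed");
                  goto GetEprocessFromPid_exit;
              }
          }

          /* The buffer starts with the entry count.  Do not trust that count
           * past the bytes we actually own: compute where the array starts and
           * how many whole entries fit after it. */
          header = ( ULONG )( ( const char * )list->Handles - ( const char * )list );
          if ( size < header ||
               list->NumberOfHandles > ( size - header ) / sizeof( list->Handles[0] ) )
          {
              fprintf( stderr, "handle count %u does not fit in %u bytes\n",
                       list->NumberOfHandles, size );
              goto GetEprocessFromPid_exit;
          }

          for ( i = 0; i < list->NumberOfHandles; i++ )
          {
              if ( list->Handles[i].ProcessId == PID &&
                   list->Handles[i].ObjectTypeNumber == PROCESS_OBJECT_TYPE )
              {
                  /* %p for the pointer: the listing's %x is only correct on 32-bit. */
                  printf( "Handle:0x%x,OBJECT 0x%p\n\r",
                          list->Handles[i].Handle, list->Handles[i].Object );
                  result = ( DWORD )( size_t )list->Handles[i].Object;
                  break;
              }
          }

      GetEprocessFromPid_exit:
          free( list );   /* free(NULL) is a no-op, so this covers every path */
          return result;
      }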

 

 

      /* 

      * ntdll.dll 

      */ 

      /*
       * Resolve ZwQuerySystemInformation from ntdll.dll into the file-scope
       * function pointer.  ntdll.dll is already mapped in the process, so
       * GetModuleHandle is used rather than LoadLibrary: nothing new is loaded
       * and no DLL search-path lookup takes place.
       *
       * Returns TRUE when the pointer was resolved, FALSE otherwise; a message
       * is printed on either failure.  RtlNtStatusToDosError, declared next to
       * the pointer this function fills in, is not resolved here.
       */
      static BOOL LocateNtdllEntry ( void )
      {
          HMODULE ntdll = GetModuleHandle( "ntdll.dll" );

          if ( ntdll == NULL )
          {
              printf( "GetModuleHandle() failed");
              return FALSE;
          }

          ZwQuerySystemInformation =
              ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll, "ZwQuerySystemInformation" );
          if ( ZwQuerySystemInformation == NULL )
          {
              printf( "GetProcAddress() failed");
              return FALSE;
          }

          return TRUE;
      }  /* end of LocateNtdllEntry */

 

 

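      /*
       * Demo entry point: resolve ZwQuerySystemInformation, open a handle to the
       * current process so that a Process-type handle owned by this PID exists
       * in the system handle table, then print the EPROCESS address the scan
       * finds for it.
       *
       * Fixes versus the listing as published: the result of LocateNtdllEntry()
       * is checked (the listing went on to call through a NULL pointer when it
       * failed); the OpenProcess() handle is checked and closed instead of
       * leaked; the handle is opened with query access only rather than
       * PROCESS_ALL_ACCESS, since any access right puts an entry in the table;
       * and the exit status is 0 on success (the listing returned TRUE, i.e. 1).
       *
       * Returns 0 on success, 1 when ntdll could not be resolved or the handle
       * could not be opened.  A printed address of 0 means no entry matched or
       * the kernel withheld the pointer (see GetEprocessFromPid).
       */
      int main( int argc, char **argv )
      {
          HANDLE self;
          DWORD  Addr;

          (void)argc;
          (void)argv;

          if ( !LocateNtdllEntry() )
          {
              return 1;
          }

          /* A real handle to ourselves is needed for an entry to appear in the
           * handle table; the GetCurrentProcess() pseudo-handle is not a table
           * entry.  Least privilege: query access is enough for that purpose. */
          self = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId() );
          if ( self == NULL )
          {
              printf( "OpenProcess() failed: %lu\n", GetLastError() );
              return 1;
          }

          Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() );

          /* The handle only has to exist while the table is scanned. */
          CloseHandle( self );

          printf("result: Current EPROCESS's Address is 0x%x\n\r", Addr);

          return 0;
      }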