首頁 > 其他

驅動層分別使用PEB和sectionObject擷取進程執行檔案全路徑的方法

來源:互聯網
上載者:User
創建阿里雲帳戶,並獲得超過 40 款產品的免費試用版;而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊!

本人是在WIN2003 SP2下開發的,請注意不同作業系統的位移量不同

 

PEB

 

EPROCESS->PEB(_PEB)->ProcessParameters((_RTL_USER_PROCESS_PARAMETERS)->ImagePathName(_UNICODE_STRING)

  1. void GetProcessName( IN OUT PCHAR pszName)
  2. {
  4.         int pebOffeset=0x1a0;
  5.         int RTLUSERPROCESSPARAMETERSOffset= 0x010;
  6.         int imagePathNameOffset=0x038;
  8.     ANSI_STRING astr;
  9.     UNICODE_STRING US;
  10.     PEPROCESS peCurProc;
  11.     ULONG* dwAddress;
  12.     peCurProc=PsGetCurrentProcess();//EPROCESS
  13.     dwAddress=(ULONG*)peCurProc;
  14.     
  15.     if(dwAddress!=NULL)
  16.     {
  17.         dwAddress=*((ULONG**)dwAddress+pebOffeset/sizeof(ULONG));//EPROCESS->PEB
  18.         if(dwAddress!=NULL)
  19.         {
  20.             dwAddress=*((ULONG**)dwAddress+RTLUSERPROCESSPARAMETERSOffset /sizeof(ULONG));//PEB->ProcessParameters(_RTL_USER_PROCESS_PARAMETERS)
  22.             if(dwAddress!=NULL)
  23.             {
  24.                 US=*((UNICODE_STRING*)dwAddress+imagePathNameOffset/sizeof(UNICODE_STRING));//PEB->ProcessParameters->ImagePathName(_UNICODE_STRING)
  26.                 if(RtlUnicodeStringToAnsiString(&astr,(PUNICODE_STRING)&US,TRUE)==STATUS_SUCCESS)
  27.                 {
  28.                     strcpy(pszName, astr.Buffer);
  29.                     RtlFreeAnsiString( &astr );
  30.                 }
  31.             }
  32.         }
  33.     
  35.     }
  36. }

 

SectionObject

EPROCESS->SectionObject(_SECTION_OBJECT)->Segment(_SEGMENT)->ControlArea (_CONTROL_AREA)->FilePointer( _FILE_OBJECT)

 

  1. PEPROCESS   peCurProc;
  2. ULONG* dwAddress;
  3. PFILE_OBJECT FileObject;
  4. UNICODE_STRING usDosName;
  5. STRING fileName; 
  6. STRING dosName;
  7. peCurProc = PsGetCurrentProcess();
  8. dwAddress=(ULONG*)peCurProc;
  9. if(MmIsAddressValid(dwAddress))
  10. {
  11.     dwAddress=*((ULONG**)dwAddress+0x124/sizeof(ULONG));//EPROCESS->SectionObject
  12.     if(MmIsAddressValid(dwAddress))
  13.     {
  14.         dwAddress=*((ULONG**)dwAddress+0x014/sizeof(ULONG));//EPROCESS->SectionObject->Segment
  15.         if(MmIsAddressValid(dwAddress))
  16.         {
  17.             dwAddress=*((ULONG**)dwAddress+0x000/sizeof(ULONG));//EPROCESS->SectionObject->Segment->ControlArea
  18.             if(MmIsAddressValid(dwAddress))
  19.             {
  20.                 FileObject=(PFILE_OBJECT)(*((ULONG**)dwAddress+0x024 /sizeof(ULONG)));//EPROCESS->SectionObject->Segment->ControlArea->FilePointer
  21.                 if(MmIsAddressValid(FileObject));
  22.                 {
  23.                       
  24.                     if(RtlVolumeDeviceToDosName(FileObject->DeviceObject,&usDosName)==STATUS_SUCCESS)//擷取磁碟邏輯名稱
  25.                     {
  26.                         RtlUnicodeStringToAnsiString(&dosName,&usDosName, TRUE); 
  27.                         RtlUnicodeStringToAnsiString(&fileName,&FileObject->FileName, TRUE);//檔案名稱
  29.                         DbgPrint(dosName.Buffer);
  30.                         DbgPrint(fileName.Buffer);
  31.                         DbgPrint("/n/n");
  32.                         RtlFreeAnsiString(&dosName);
  33.                         RtlFreeAnsiString(&fileName);
  35.                     }
  36.                 }
  37.             }
  38.         }
  39.     }
  40. }
  41.         

 

PEB可以通過某種方式擦除

 

相關連結:

EPROCESS 的結構匯出(WINXP和WIN2003)

PEB 結構匯出(WINXP和WIN2003)

 

本文章原先以中文撰寫並發佈於 aliyun.com,亦設英文版本,僅作資訊用途。本網站不對文章的準確性,完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴,請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡,一經驗證之後,即會刪除該侵權內容。

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More