eprocess

Discover eprocess: articles, news, trends, analysis and practical advice about eprocess on alibabacloud.com

Win32 storage management: virtual memory and physical memory

is also because of the management, which is the reason for page management. As shown, the value of process A is placed in the physical page. A process's 4GB address space, in the traditional sense, is actually divided into a high 2GB and a low 2GB. The high 2GB is used by the kernel, so user mode can only use the low 2GB. Within the low 2GB, the highest and lowest 64KB cannot be used either. (If you learn the kernel, you can use your own layout.) As shown in the following: the memory that user mode can use is the orange region. But there

Win32 process concepts: the handle table and kernel objects

Handle table and kernel objects. 1. What is a handle table, and what is a kernel object? 1.1 Creating a handle table. We know that when we call CreateProcess, it returns a process handle and a thread handle. In fact, when CreateProcess is called, a new EPROCESS structure is created in the kernel to store our process information, such as: But there is one problem: how is it used from ring 3? Do you return the Eprocess directly

Hooking CreateProcessW to implement full control over process creation

memory, while other processes are still mapped to the original physical memory; this is the copy-on-write technique. How does the system determine when to use copy-on-write? This is determined by the virtual address's PTE: when the copy-on-write bit in the PTE is set, any write to that virtual address will trigger a copy-on-write. [Three feasible methods] To implement a global hook, we cannot be restricted by the copy-on-write mechanism. Currently, I have come up with three methods to a

Obtain Windows kernel variables

(PMODULE_ENTRY)pm_current->le_mod.Flink != gul_PsLoadedModuleList) {
    /* A module entry with no unk1 value or an empty driver path marks the end of the list. */
    if ((pm_current->unk1 == 0x00000000) || (pm_current->driver_path.Length == 0)) {
        return (DWORD)pm_current;
    }
    pm_current = (MODULE_ENTRY *)pm_current->le_mod.Flink;
}
return 0;
}

[LIST_ENTRY PsActiveProcessHead] In theory, PsActiveProcessHead can also be retrieved using the code search method, but there is a simpler method: PsInitialSystemProcess, exported by ntoskrnl.exe, is a PEPROCESS pointing. The

Traversing the LDR module table under the PEB from the kernel

System: XP SP2. You can use EPROCESS ---> PEB ---> _PEB_LDR_DATA

kd> dt _eprocess
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak

R0 process path

EPROCESS->Peb->ProcessParameters->ImagePathName. Environment: XP SP3. EPROCESS structure:

kd> dt _eprocess
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32

Hooking CreateProcessW to implement full control over process creation

technique. How does the system determine when to use copy-on-write? This is determined by the virtual address's PTE: when the copy-on-write bit in the PTE is set, any write to that virtual address will result in a copy-on-write. [Three feasible methods] To implement a global hook, we cannot be restricted by the copy-on-write mechanism. Currently, I have come up with three methods to achieve our goal. 1. Use the driver to modify the attributes of the page table entry (PTE) so that the virtu

Kernel-Level process traversal

Principle: in Windows, each process has its own EPROCESS structure, which contains the basic information about the program. The structure also holds a process linked list (a doubly linked list), through which the EPROCESS structures of the other processes can be found, so this can be used to traverse the processes in the system. Using windbg, the eprocess structure that can be seen

Get the complete process path name from the driver

Original address: http://www.osronline.com/article.cfm?id=472. Over the years developers have needed or wanted to know the name of the image executing in a given process. Traditionally, this was often done using PsGetProcessImageFileName, which returns the contents of a field in the EPROCESS structure used by the Windows OS to maintain per-process state information. As we can see from the information in the local debugger session (see Figure 1), the process image file is little more than a field

Evading new methods of process detection

how they do it. A colleague mentioned that they may be walking the handle table for CSRSS.EXE to find all the Win32 processes. Hmmm. That would be a nice trick. So, I set off to get myself out of the handle table for CSRSS.EXE. This meant I had to do some research on the structure of the handle table. First, where do you find a process's handle table? Well, the handle table structure is pointed to by the process's EPROCESS block. Want to know where? Try t

ReadProcessMemory function analysis

SystemAddress;
PEPROCESS Process;

DPRINT("NtReadVirtualMemory(ProcessHandle %x, BaseAddress %x, "
       "Buffer %x, NumberOfBytesToRead %d)\n",
       ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead);

/* Resolve the user-supplied handle to the EPROCESS object it refers to. */
Status = ObReferenceObjectByHandle(ProcessHandle,
                                   PROCESS_VM_WRITE,
                                   NULL,
                                   UserMode,
                                   (PVOID *)&Process,
                                   NULL);
if (Status != STATUS_SUCCESS) {
    return (Status);
}

The ObReferenceObjectByHandle function obtains the EPROCESS pointer from the handle repres

Listing hidden processes by reading KiWaitInListHead

= MapViewOfFile(g_hMPM, 4, 0, 0x30000, 0x1000);
if (g_pMapPhysicalMemory == NULL) {
    return NULL;
}
return g_hMPM;
}

/* Record a process in the local table unless its PID is already present. */
void InsertProc(int pid, char *name)
{
    int i;
    for (i = 0; i < nprocs; i++)
        if (procs[i].pid == pid) return;
    procs[nprocs].pid = pid;
    strncpy(procs[nprocs].name, name, 16);
    // fprintf(stderr, "%d %s\r\n", pid, name);
    nprocs++;
}

/* Read the owning EPROCESS of a thread object out of physical memory. */
PEPROCESS ProcessObject(PETHREAD ethread)
{
    ULONG p;
    p = (ULONG)ethread;
    // (PEPROCESS)(ethread->Tcb.ApcState.Process);
    p = GetData((PVOID)(p + 0x0 + 0x34 + 0x10));
    ret

How to get the process name of the current user process in the kernel driver

The driver's loading function DriverEntry runs in the System process. You can use PsGetCurrentProcess to obtain the address of the System process's kernel EPROCESS structure, and then search for the "System" string starting from that address to find the offset of the process name within EPROCESS. After obtaining the offset of the process name in the EPROCESS st

Five ways to get the address of the PsActiveProcessHead variable in a driver (it can also be obtained from KdpDebuggerDataListHead)

the definition of this structure. The KdDebuggerDataBlock is referenced in the KdInitSystem function, and ntoskrnl.exe's export function KdEnableDebugger calls the KdInitSystem function. Code:

ULONG FindPsActiveProcessHead1()
{
    // 1. Find the KdInitSystem address from the KdEnableDebugger address
    // nt!KdEnableDebugger  804f7810
    // 804f7837 6a00              push    0
    // 804f7839 6a00              push    0
    // 804f783b c605ecab558001    mov     byte ptr [nt!PoHiberInProgress (8055abec)],1
    // 804f7842 e8f7951600        call    nt!KdInitSystem (80660e3e)
    // 804f7847 e8649a160

Kernel debugging: windbg operations

symbols. ln is my favorite command, because it can quickly and easily access installed symbol files. It is an ideal supplement to the x command; however, the latter applies to the addresses that list all system symbols. The ln command is used to search for symbols by address or name. 1. ln 2. ln !processfields: lists EPROCESS members. The "!" before this command means it comes from a debugger extension module, kdextx86.dll. This command shows the memb

Fundamentals of Windows 64-bit driver programming

Press F8; there is a "disable driver signature" startup option; select it to start.

bcdedit /dbgsettings serial baudrate:115200 debugport:1   (the trailing 1 represents the COM1 port set in the virtual machine)
bcdedit /copy {current} /d debug                          (remember the ID returned here; it is used below)
bcdedit /displayorder {current} {ID}                      (here {ID} is the ID returned by the second command)
bcdedit /debug {ID} on                                    (here {ID} is the ID returned by the second command)

Reboot. Code: automatic conversion to ULONG64 for

Parsing the organization of Windows NT/2000 window objects (http://webcrazy.yeah.net/)

(client) rect
------------------------------------------------------
A0312da8 0001002a 0001000c 77dff0df , 0, 0 (0, 0, 0)
A0310d50 00010022 0001000c 775331c4 )
A03176b8 0002004a 0001000c 77dff0df 0, 0, 0 (0, 0, 0)
A031a500 00010082 0001000c 76621ac6 44,44, 812,581 (808,577)
A0318fa8 00010062 0001000c 775676f4 1024,768, 1024,768)

Next I will talk about window class. When talking about class, you can think of many things, such as C++ classes. As for window class, I think I should refer to the Microsoft

Rootkit technical foundations (3)

allocates a specific CPU time slice for execution, and the system's CPU clock interrupt determines the time slice consumed by each process; that is, process scheduling requests are generated when the system's CPU clock interrupt fires. When the processor clock interrupt occurs, KiDispatchInterrupt() is called to check the time slice allocated to the current process. If it is used up, KiQuantumEnd() is called to select a new thread (ETHREAD) based on thread priority and other informat

Introduction to Anti-Virus engine design

the same function. Therefore, you can consider modifying part of the code of these public functions so that information about specific processes is not returned, thereby hiding the virus. However, this is far less simple than imagined. As the saying goes, "while the priest climbs a foot, the devil climbs ten." Thanks to the efforts of many reverse engineers, many of the secrets Microsoft tried to hide have gradually been uncovered. Of course, this includes the process management used by the Windows kerne
