belongs.
A program's VMAs are stored in its memory descriptor both as a linked list in the mmap field, ordered by starting virtual address, and as a red-black tree rooted at the mm_rb field. The red-black tree lets the kernel quickly find the memory area covering a given virtual address. When you read /proc/pid_of_process/maps, the kernel simply walks the linked list of the process's VMAs and prints each one.
All VMAs of a program are stored in its own memory De
wanted: At first I thought it was an ImageFileName, so I used WinDbg to find out. Found: it is 0x2e0, yes. Later, someone on the internet told me to use PsGetProcessImageFileName, which is an API that Microsoft exports but does not document. This means you can use the function directly, but it is not declared in any header file, so you need to declare it yourself and then use it. Declare first: Then use it: It actually outputs the result I want: I wondered why, and then disassembled the API and discovered that it has only two a
related technologies to enter the Windows operating system kernel, tampering with the data structures or objects associated with the kernel to hide functionality. Because the rootkit runs at Ring 0, inside kernel space, it can modify kernel instructions, and user-level detection does not find that the kernel operation has been blocked. Here are two ways to implement process concealment using rootkit techniques. It is easy to detect when
headers
!dh -a: all header information
View struct members: dt nt!_EPROCESS
View the current IRQL: !irql
View verifier detection statistics: !verifier
View which module a memory address belongs to: !pool Address
!lmi Address: view the main information of the module
!pcr: view the currently executing thread, the IRQL, and other information
// Why doesn't the WinDBG command !irql always return the correct IRQL for my target? [Answer by Jake Oshins, jakeo_at_windows_dot_microsoft_dot_com; workaround provi
still not injected. There seems to be a problem with the driver injection. Injectlibary entrance: add code so that if the program name contains audiodg.exe, the download is interrupted, indicating that the DLL library is to be injected into this audiodg.exe. The injection process can refer to http://bbs.pediy.com/thread-208082.htm: allocate a piece of space in the target process, put custom NtTestAlert shellcode there to hook the NtTestAlert code in ntdll, and the custom NtTestAlert is called by Ld
Author: sorrow
First, let's take a look at DebugPort. Searching Baidu gives the following results:
------------------------------- Pasted here ------------------------------------
Each process has a data structure in the kernel, EPROCESS. It is the basic data structure the system uses to identify and manage each Windows process. This structure contains an important field, DebugPort. If a process is not being debugged, it is NULL; otherwise, it is a pointer. B
mode, the TEB of the current thread is located in an independent 4 KB segment and can be accessed through the CPU's FS register; it is generally stored at [FS:0]. In user mode, $thread can be used in WinDbg to obtain the TEB address. The PEB (Process Environment Block) stores process information. Each process has its own PEB, located in the user address space. In Windows 2000, the process environment block is at a fixed address in every process, 0x7FFDF000
indicate that the new process needs to be debugged. The call path of the CreateProcess function is as follows:
CreateProcessA/CreateProcessW (kernel32.dll)
CreateProcessInternalW (kernel32.dll)
NtCreateProcessEx (ntoskrnl.dll)
PspCreateProcess (ntos/ps/create.c:969)
Based on the incoming dwCreationFlags parameter, CreateProcessInternalW determines whether to create the debug port kernel object and set the corresponding debugging flag in the PEB. PspCreateProcess uses the
(*PCREATE_PROCESS_NOTIFY_ROUTINE) (
    IN HANDLE ParentId,
    IN HANDLE ProcessId,
    IN BOOLEAN Create
);

NTSTATUS PsSetCreateThreadNotifyRoutine(
    IN PCREATE_THREAD_NOTIFY_ROUTINE NotifyRoutine
);

VOID (*PCREATE_THREAD_NOTIFY_ROUTINE) (
    IN HANDLE ProcessId,
    IN HANDLE ThreadId,
    IN BOOLEAN Create
);
The prototypes show that the callback functions only provide the process ID / thread ID, not the process name. So we need to further obta
execute).
6. Completes the initialization of the address space (such as loading the necessary DLLs and libraries) in the new process and thread context, and then begins execution at the process entry point.
At this point the operating system has finished creating the new process. Here is what the operating system does in each step:
1. Open the image file that will be executed in the process.
The operating system first locates the Windows image to be executed and then creates a memory area o
here.
2. Process ID
First, the process ID is a 32-bit unsigned integer; each process has one ID, and the ID is unique system-wide. The system uses this ID to uniquely identify a process.
Going deeper, the system may use the process ID to compute the base address of the kernel object representing the process (that is, the base address of the EPROCESS structure); for the exact formula you would have to ask Microsoft's OS developers.
3. H
.process: the .process command specifies the process to use as the process context (Set Process Context). .process with no argument shows the EPROCESS of the current session; here it shows that the current process is Test.exe:
kd> .process
Implicit process is now 821f5da0
kd> ? @$proc
Evaluate expression: -2111873632 = 821f5da0
kd> !process 821f5da0 0
PROCESS 821f5da0  SessionId: 0  Cid: 06e8    Peb: 7ffde000  ParentCid
found online, and they have some complexity and problems, so they are not a good solution.
Here I propose two new solutions to implement this function:
First, let's look at how the system checks permissions. For example, when OpenProcessToken is called, we know the permission is verified along this path:
OpenProcessToken -> NtOpenProcessToken -> PsOpenTokenOfProcess -> PsReferencePrimaryToken -> find the token: Token = Process->Token;
|-> ObOpenObjectByPointer uses the TOKEN returned above to check
That is to say, wh
object bucket. If the object already exists, it checks whether the object header has exclusive access; if so, the call fails. Otherwise, the reference count or handle count of the object is incremented. This kind of object lookup is everywhere in the system, because in Windows NT/2000 all operable data structures that require protection (such as a SECURITY_DESCRIPTOR) are treated as objects, for example the common process objects (EPROCESS/KPEB), threa
following:
//
// MDL->StartVa | MDL->ByteOffset
//
typedef struct _MDL {
    struct _MDL *Next;
    CSHORT Size;
    CSHORT MdlFlags;
    struct _EPROCESS *Process;
    PVOID MappedSystemVa;
    PVOID StartVa;
    ULONG ByteCount;
    ULONG ByteOffset;
} MDL, *PMDL;
From the comments, we can see that MDL is actually a variable-length data structure: the structure is followed by an array that records the addresses mapp
process address space.
2. Create a Windows executive process object.
Next, the operating system calls the internal system function NtCreateProcess to create a Windows executive process object. The procedure is as follows:
(1) Create an EPROCESS
(2) Create an initial process address space
(3) Initialize the kernel process block KPROCESS
(4) Finish creating the process address space
(5) Create the PEB
(6) Complete the creation of the execu
In the following, "virtual memory" can be understood as logical memory, because I think only in this way can we talk about everything below. "Not paging" below means the memory is not pageable.
The following is the MDL struct (I am very depressed; I did not find this struct on MSDN):
typedef struct _MDL {
    struct _MDL *Next;        // the next MDL
    CSHORT Size;              // size
    CSHORT MdlFlags;          // flags, protection attributes, etc.
    struct _EPROCESS *Process; //
    PVO
different environments. Run the command kb to display the call stack. If the symbols are set correctly, you can see the names of the called functions. If you are debugging a blue screen caused by your own driver, make sure the driver's path is set correctly; otherwise "stack unwind information not available" may occur. After adding the correct symbol file (PDB), use the command .reload to reload the symbol files. Use !thread and !process to display the current proc