Next we implement the PEB retrieval. Taking 64-bit as the example, we need to call the kernel function PsGetProcessPeb(). Because this kernel function is not publicly declared, it has to be declared at the top of the file before it is called. The function takes the user process's EPROCESS structure, which can be obtained dynamically with PsLookupProcessByProcessId. Once we have it, KeStackAttachProcess() attaches us to the user-mode process, and the process's PEB structure fields can be printed directly, as in the following code.
```c
#include "peb.h"
#include <ntifs.h>

// PsGetProcessPeb is exported by ntoskrnl but not declared in the WDK headers, so declare it here
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(_In_ PEPROCESS Process);

VOID UnDriver(PDRIVER_OBJECT driver)
{
    DbgPrint("Uninstall Driver Is OK \n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    DbgPrint("hello lyshark \n");
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS eproc = NULL;
    KAPC_STATE kpc = { 0 };
    PPEB64 pPeb64 = NULL;

    __try
    {
        // (HANDLE)4656 is the PID of the target process
        status = PsLookupProcessByProcessId((HANDLE)4656, &eproc);
        if (NT_SUCCESS(status))
        {
            // Get the 64-bit PEB
            pPeb64 = (PPEB64)PsGetProcessPeb(eproc);
            DbgPrint("PEB64 = %p \n", pPeb64);
            if (pPeb64 != NULL)
            {
                // Check that the range is user-mode and readable (64-bit PEB size, not PEB32)
                ProbeForRead(pPeb64, sizeof(PEB64), 1);
                // Attach to the process so its user-mode address space is visible
                KeStackAttachProcess(eproc, &kpc);
                DbgPrint("进程基地址: 0x%p \n", pPeb64->ImageBaseAddress);
                DbgPrint("ProcessHeap = 0x%p \n", pPeb64->ProcessHeap);
                DbgPrint("BeingDebugged = %d \n", pPeb64->BeingDebugged);
                // Detach from the process
                KeUnstackDetachProcess(&kpc);
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("Exception while reading PEB64 \n");
    }

    // PsLookupProcessByProcessId took a reference on the EPROCESS; release it
    if (eproc != NULL)
    {
        ObDereferenceObject(eproc);
    }
    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}
```

After the PEB64 code runs, load the driver and you will see the following result:

[Article illustration]
而相對(duì)于64位進(jìn)程來(lái)說(shuō) , 獲取32位進(jìn)程的PEB信息可以直接調(diào)用PsGetProcessWow64Process()函數(shù)得到 , 該函數(shù)已被導(dǎo)出可以任意使用 , 獲取PEB代碼如下 。
```c
#include "peb.h"
#include <ntifs.h>

// Declared here in case the WDK headers in use do not expose the exported PsGetProcessWow64Process
NTKERNELAPI PVOID NTAPI PsGetProcessWow64Process(_In_ PEPROCESS Process);

VOID UnDriver(PDRIVER_OBJECT driver)
{
    DbgPrint("Uninstall Driver Is OK \n");
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    DbgPrint("hello lyshark \n");
    NTSTATUS status = STATUS_UNSUCCESSFUL;
    PEPROCESS eproc = NULL;
    KAPC_STATE kpc = { 0 };
    PPEB32 pPeb32 = NULL;

    __try
    {
        // (HANDLE)6164 is the PID of the target 32-bit process
        status = PsLookupProcessByProcessId((HANDLE)6164, &eproc);
        if (NT_SUCCESS(status))
        {
            // Get the 32-bit PEB (NULL if the process is not a WOW64 process)
            pPeb32 = (PPEB32)PsGetProcessWow64Process(eproc);
            DbgPrint("PEB32 = %p \n", pPeb32);
            if (pPeb32 != NULL)
            {
                // Check that the range is user-mode and readable
                ProbeForRead(pPeb32, sizeof(PEB32), 1);
                // Attach to the process so its user-mode address space is visible
                KeStackAttachProcess(eproc, &kpc);
                DbgPrint("进程基地址: 0x%p \n", pPeb32->ImageBaseAddress);
                DbgPrint("ProcessHeap = 0x%p \n", pPeb32->ProcessHeap);
                DbgPrint("BeingDebugged = %d \n", pPeb32->BeingDebugged);
                // Detach from the process
                KeUnstackDetachProcess(&kpc);
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("Exception while reading PEB32 \n");
    }

    // PsLookupProcessByProcessId took a reference on the EPROCESS; release it
    if (eproc != NULL)
    {
        ObDereferenceObject(eproc);
    }
    Driver->DriverUnload = UnDriver;
    return STATUS_SUCCESS;
}
```
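The two drivers above differ only in which PEB layout they read, and the readability check has to use the matching size (the 64-bit PEB is wider than the 32-bit one, so probing it with sizeof(PEB32) covers too little). The following added example is not code from the original post: it is a portable C reconstruction of the three fields the drivers print (ImageBaseAddress, ProcessHeap, BeingDebugged), parsed from a raw PEB image of either bitness, so the layout difference can be exercised without a kernel build. The PEB32_HEAD/PEB64_HEAD structures are assumed to follow the public PEB layout for the leading fields only, and the sample PEB images are constructed values, not captured from a real process.

```c
/* Added example (not from the original post): read the fields the drivers
 * print from a raw 32-bit or 64-bit PEB image. Layouts cover only the leading
 * fields of the public PEB definition (assumption); later fields are omitted. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Leading fields of the 32-bit PEB (what PsGetProcessWow64Process points at). */
typedef struct {
    uint8_t  InheritedAddressSpace;    /* 0x00 */
    uint8_t  ReadImageFileExecOptions; /* 0x01 */
    uint8_t  BeingDebugged;            /* 0x02 */
    uint8_t  BitField;                 /* 0x03 */
    uint32_t Mutant;                   /* 0x04, 32-bit pointer */
    uint32_t ImageBaseAddress;         /* 0x08 */
    uint32_t Ldr;                      /* 0x0C */
    uint32_t ProcessParameters;        /* 0x10 */
    uint32_t SubSystemData;            /* 0x14 */
    uint32_t ProcessHeap;              /* 0x18 */
} PEB32_HEAD;

/* Leading fields of the 64-bit PEB (what PsGetProcessPeb points at). */
typedef struct {
    uint8_t  InheritedAddressSpace;    /* 0x00 */
    uint8_t  ReadImageFileExecOptions; /* 0x01 */
    uint8_t  BeingDebugged;            /* 0x02 */
    uint8_t  BitField;                 /* 0x03 */
    uint8_t  Padding0[4];              /* 0x04 */
    uint64_t Mutant;                   /* 0x08, 64-bit pointer */
    uint64_t ImageBaseAddress;         /* 0x10 */
    uint64_t Ldr;                      /* 0x18 */
    uint64_t ProcessParameters;        /* 0x20 */
    uint64_t SubSystemData;            /* 0x28 */
    uint64_t ProcessHeap;              /* 0x30 */
} PEB64_HEAD;

/* Pin the offsets so compiler padding cannot silently shift a field. */
_Static_assert(offsetof(PEB32_HEAD, ImageBaseAddress) == 0x08, "PEB32 ImageBaseAddress");
_Static_assert(offsetof(PEB32_HEAD, ProcessHeap) == 0x18, "PEB32 ProcessHeap");
_Static_assert(offsetof(PEB64_HEAD, ImageBaseAddress) == 0x10, "PEB64 ImageBaseAddress");
_Static_assert(offsetof(PEB64_HEAD, ProcessHeap) == 0x30, "PEB64 ProcessHeap");

typedef struct {
    uint64_t image_base;
    uint64_t process_heap;
    uint8_t  being_debugged;
} peb_summary;

/* Bytes that must be readable to cover the fields above: the size a
 * ProbeForRead-style check has to use, which differs per bitness. */
size_t peb_probe_size(int is_wow64)
{
    return is_wow64 ? sizeof(PEB32_HEAD) : sizeof(PEB64_HEAD);
}

/* Extract the three fields from a raw PEB image.
 * Returns 0 on success, -1 if the image is shorter than the layout needs. */
int peb_summarize(const uint8_t *img, size_t len, int is_wow64, peb_summary *out)
{
    if (img == NULL || out == NULL || len < peb_probe_size(is_wow64))
        return -1;
    if (is_wow64) {
        PEB32_HEAD p;
        memcpy(&p, img, sizeof p);
        out->image_base = p.ImageBaseAddress;
        out->process_heap = p.ProcessHeap;
        out->being_debugged = p.BeingDebugged;
    } else {
        PEB64_HEAD p;
        memcpy(&p, img, sizeof p);
        out->image_base = p.ImageBaseAddress;
        out->process_heap = p.ProcessHeap;
        out->being_debugged = p.BeingDebugged;
    }
    return 0;
}

/* Constructed sample values (not captured from a real process). */
#define SAMPLE_BASE32 0x00400000u
#define SAMPLE_HEAP32 0x00A10000u
#define SAMPLE_BASE64 0x00007FF6A0000000ULL
#define SAMPLE_HEAP64 0x000001D3C4E00000ULL

/* Write a constructed PEB image of the requested bitness into buf.
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_sample_peb(int is_wow64, uint8_t *buf, size_t cap)
{
    if (is_wow64) {
        PEB32_HEAD p = {0};
        p.BeingDebugged = 1;               /* the 32-bit sample is "being debugged" */
        p.ImageBaseAddress = SAMPLE_BASE32;
        p.ProcessHeap = SAMPLE_HEAP32;
        if (cap < sizeof p) return 0;
        memcpy(buf, &p, sizeof p);
        return sizeof p;
    }
    PEB64_HEAD p = {0};
    p.ImageBaseAddress = SAMPLE_BASE64;
    p.ProcessHeap = SAMPLE_HEAP64;
    if (cap < sizeof p) return 0;
    memcpy(buf, &p, sizeof p);
    return sizeof p;
}

int main(void)
{
    uint8_t img[64];
    peb_summary s;
    for (int wow64 = 0; wow64 <= 1; wow64++) {
        size_t n = build_sample_peb(wow64, img, sizeof img);
        if (peb_summarize(img, n, wow64, &s) == 0)
            printf("PEB%s: ImageBase=0x%llx ProcessHeap=0x%llx BeingDebugged=%u\n",
                   wow64 ? "32" : "64", (unsigned long long)s.image_base,
                   (unsigned long long)s.process_heap, (unsigned)s.being_debugged);
    }
    /* Checking a 64-bit image with the 32-bit size is rejected as too short. */
    printf("64-bit image, 32-bit probe size: %d\n", peb_summarize(img, sizeof(PEB32_HEAD), 0, &s));
    return 0;
}
```

The static assertions are the part worth keeping in any real tooling: the driver code relies on peb.h declaring PEB32 and PEB64 with exactly these offsets, and pinning them at compile time catches a wrong or mis-packed definition before it is used to read another process's memory.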
經(jīng)驗(yàn)總結(jié)擴(kuò)展閱讀
- 市場(chǎng)開(kāi)發(fā)戰(zhàn)略是什么?
- 完 golang開(kāi)發(fā):go并發(fā)的建議
- 三十七 Java開(kāi)發(fā)學(xué)習(xí)----SpringBoot多環(huán)境配置及配置文件分類(lèi)
- 🔥支持 Java 19 的輕量級(jí)應(yīng)用開(kāi)發(fā)框架,Solon v1.10.4 發(fā)布
- 驅(qū)動(dòng)開(kāi)發(fā):內(nèi)核取ntoskrnl模塊基地址
- VScode開(kāi)發(fā)STM32/GD32單片機(jī)-MakeFile工程JlinkRTT配置
- 一個(gè)C#開(kāi)發(fā)者學(xué)習(xí)SpringCloud搭建微服務(wù)的心路歷程
- 勞務(wù)報(bào)酬需要開(kāi)發(fā)票嗎
- VScode開(kāi)發(fā)STM32/GD32單片機(jī)-環(huán)境搭建
- python+request+pymysql+pytest數(shù)據(jù)驅(qū)動(dòng)
