PsGetCurrentProcess

最新推荐文章于 2023-11-21 20:00:42 发布

cnbragon

最新推荐文章于 2023-11-21 20:00:42 发布

阅读量3k

点赞数

分类专栏：我的日记文章标签： buffer integer output object input pointers

本文链接：https://blog.csdn.net/cnbragon/article/details/5842612

版权

我的日记专栏收录该内容

21 篇文章 1 订阅

订阅专栏

 PsGetCurrentProcess的定义如下：

PsGetCurrentProcess

The PsGetCurrentProcess routine returns a pointer to the process of the current thread.

PEPROCESS
  PsGetCurrentProcess(
    VOID
    );

Parameters

None

Return Value

PsGetCurrentProcess returns a pointer to an opaque process object.

IoGetCurrentProcess和PsGetCurrentProcess是同一个函数，其反汇编代码如下：

kd> u PsGetCurrentProcess nt!IoGetCurrentProcess: 804ef2e8 64a124010000 mov eax,dword ptr fs:[00000124h] 804ef2ee 8b4044 mov eax,dword ptr [eax+44h] 804ef2f1 c3 ret

kd> dt _kpcr nt!_KPCR +0x000 NtTib : _NT_TIB +0x01c SelfPcr : Ptr32 _KPCR +0x020 Prcb : Ptr32 _KPRCB +0x024 Irql : UChar +0x028 IRR : Uint4B +0x02c IrrActive : Uint4B +0x030 IDR : Uint4B +0x034 KdVersionBlock : Ptr32 Void +0x038 IDT : Ptr32 _KIDTENTRY +0x03c GDT : Ptr32 _KGDTENTRY +0x040 TSS : Ptr32 _KTSS +0x044 MajorVersion : Uint2B +0x046 MinorVersion : Uint2B +0x048 SetMember : Uint4B +0x04c StallScaleFactor : Uint4B +0x050 DebugActive : UChar +0x051 Number : UChar +0x052 Spare0 : UChar +0x053 SecondLevelCacheAssociativity : UChar +0x054 VdmAlert : Uint4B +0x058 KernelReserved : [14] Uint4B +0x090 SecondLevelCacheSize : Uint4B +0x094 HalReserved : [16] Uint4B +0x0d4 InterruptMode : Uint4B +0x0d8 Spare1 : UChar +0x0dc KernelReserved2 : [17] Uint4B +0x120 PrcbData : _KPRCB

kd> dt _KPRCB ntdll!_KPRCB +0x000 MinorVersion : Uint2B +0x002 MajorVersion : Uint2B +0x004 CurrentThread : Ptr32 _KTHREAD +0x008 NextThread : Ptr32 _KTHREAD +0x00c IdleThread : Ptr32 _KTHREAD

在删除一个服务的时候，首先要使用ControlService发送SERVICE_STOP控制码给服务，

这个时候不能立即就调用DeleteService来删除服务，这样服务是删除不掉的，只是标记为

已删除状态，而没有真正的从注册表里删除掉这个服务键值。所以，当再次调用CreateService或

其他与该服务相关的函数时，会返回ERROR_SERVICE_MARKED_FOR_DELETE，这样只有重启了。

如果这个时候调用QueryServiceStatus函数时，会返回SERVICE_STOP_PENDING状态，这表示

服务在停止的时候阻塞了，因此正确的做法是在调用ControlService停止服务后，要等待一段时间，

再删除。为此，我在网上找到一个别人写的WaitForServiceStatus函数，很强大，这样可以成功的

卸载服务了，代码如下：

对CTL_CODE四种状态的解释

#define IOCTL_Device_Function CTL_CODE(DeviceType, Function, Method, Access)

The system describes buffers for each TransferType value as follows:

METHOD_BUFFERED

For this transfer type, IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer. This buffer represents both the input buffer and the output buffer that are specified in calls to DeviceIoControl and IoBuildDeviceIoControlRequest. The driver transfers data out of, and then into, this buffer.

For input data, the buffer size is specified by Parameters.DeviceIoControl.InputBufferLength in the driver's IO_STACK_LOCATION structure. For output data, the buffer size is specified by Parameters.DeviceIoControl.OutputBufferLength in the driver's IO_STACK_LOCATION structure.

The size of the space that the system allocates for the single input/output buffer is the larger of the two length values.

METHOD_IN_DIRECT or METHOD_OUT_DIRECT

For these transfer types, IRPs supply a pointer to a buffer at Irp->AssociatedIrp.SystemBuffer. This represents the input buffer that is specified in calls to DeviceIoControl and IoBuildDeviceIoControlRequest. The buffer size is specified by Parameters.DeviceIoControl.InputBufferLength in the driver's IO_STACK_LOCATION structure.

For these transfer types, IRPs also supply a pointer to an MDL at Irp->MdlAddress. This represents the output buffer that is specified in calls to DeviceIoControl and IoBuildDeviceIoControlRequest. However, this buffer can actually be used as either an input buffer or an output buffer, as follows:

METHOD_IN_DIRECT is specified if the driver that handles the IRP receives data in the buffer when it is called. The MDL describes an input buffer, and specifying METHOD_IN_DIRECT ensures that the executing thread has read-access to the buffer.
METHOD_OUT_DIRECT is specified if the driver that handles the IRP will write data into the buffer before completing the IRP. The MDL describes an output buffer, and specifying METHOD_OUT_DIRECT ensures that the executing thread has write-access to the buffer.

For both of these transfer types, Parameters.DeviceIoControl.OutputBufferLength specifies the size of the buffer that is described by the MDL.

METHOD_NEITHER

The I/O manager does not provide any system buffers or MDLs. The IRP supplies the user-mode virtual addresses of the input and output buffers that were specified to DeviceIoControl or IoBuildDeviceIoControlRequest, without validating or mapping them.

The input buffer's address is supplied by Parameters.DeviceIoControl.Type3InputBuffer in the driver's IO_STACK_LOCATION structure, and the output buffer's address is specified by Irp->UserBuffer.

Buffer sizes are supplied by Parameters.DeviceIoControl.InputBufferLength and Parameters.DeviceIoControl.OutputBufferLength in the driver's IO_STACK_LOCATION structure.

kd> dt nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x06c ProcessLock : _EX_PUSH_LOCK +0x070 CreateTime : _LARGE_INTEGER +0x078 ExitTime : _LARGE_INTEGER +0x080 RundownProtect : _EX_RUNDOWN_REF +0x084 UniqueProcessId : Ptr32 Void +0x088 ActiveProcessLinks : _LIST_ENTRY ... +0x138 SectionObject : Ptr32 Void +0x13c SectionBaseAddress : Ptr32 Void ... kd> dt _SECTION_OBJECT nt_400000!_SECTION_OBJECT +0x000 StartingVa : Ptr32 Void +0x004 EndingVa : Ptr32 Void +0x008 Parent : Ptr32 Void +0x00c LeftChild : Ptr32 Void +0x010 RightChild : Ptr32 Void +0x014 Segment : Ptr32 _SEGMENT_OBJECT kd> dt _SEGMENT_OBJECT nt_400000!_SEGMENT_OBJECT +0x000 BaseAddress : Ptr32 Void +0x004 TotalNumberOfPtes : Uint4B +0x008 SizeOfSegment : _LARGE_INTEGER +0x010 NonExtendedPtes : Uint4B +0x014 ImageCommitment : Uint4B +0x018 ControlArea : Ptr32 _CONTROL_AREA +0x01c Subsection : Ptr32 _SUBSECTION +0x020 LargeControlArea : Ptr32 _LARGE_CONTROL_AREA +0x024 MmSectionFlags : Ptr32 _MMSECTION_FLAGS +0x028 MmSubSectionFlags : Ptr32 _MMSUBSECTION_FLAGS kd> dt _CONTROL_AREA nt_400000!_CONTROL_AREA +0x000 Segment : Ptr32 _SEGMENT +0x004 DereferenceList : _LIST_ENTRY +0x00c NumberOfSectionReferences : Uint4B +0x010 NumberOfPfnReferences : Uint4B +0x014 NumberOfMappedViews : Uint4B +0x018 NumberOfSubsections : Uint2B +0x01a FlushInProgressCount : Uint2B +0x01c NumberOfUserReferences : Uint4B +0x020 u : __unnamed +0x024 FilePointer : Ptr32 _FILE_OBJECT +0x028 WaitingForDeletion : Ptr32 _EVENT_COUNTER +0x02c ModifiedWriteCount : Uint2B +0x02e NumberOfSystemCacheViews : Uint2B kd> dt _FILE_OBJECT nt_400000!_FILE_OBJECT +0x000 Type : Int2B +0x002 Size : Int2B +0x004 DeviceObject : Ptr32 _DEVICE_OBJECT +0x008 Vpb : Ptr32 _VPB +0x00c FsContext : Ptr32 Void +0x010 FsContext2 : Ptr32 Void +0x014 SectionObjectPointer : Ptr32 _SECTION_OBJECT_POINTERS +0x018 PrivateCacheMap : Ptr32 Void +0x01c FinalStatus : Int4B +0x020 RelatedFileObject : Ptr32 _FILE_OBJECT +0x024 LockOperation : UChar +0x025 DeletePending : UChar +0x026 ReadAccess : UChar +0x027 WriteAccess : UChar +0x028 DeleteAccess : UChar +0x029 SharedRead : UChar +0x02a SharedWrite : UChar +0x02b SharedDelete : UChar +0x02c Flags : Uint4B +0x030 FileName : _UNICODE_STRING +0x038 CurrentByteOffset : _LARGE_INTEGER +0x040 Waiters : Uint4B +0x044 Busy : Uint4B +0x048 LastLock : Ptr32 Void +0x04c Lock : _KEVENT +0x05c Event : _KEVENT +0x06c CompletionContext : Ptr32 _IO_COMPLETION_CONTEXT

cnbragon

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
PsGetCurrentProcess

PsGetCurrentProcess的定义如下：PsGetCurrentProcessThe PsGetCurrentProcess routine returns a pointer to the process of the current thread.PEPROCESS PsGetCurrentProcess( VOID );ParametersNone Return ValuePsGetCurrentProcess returns a pointer to an opaque p
复制链接

扫一扫