通过PEB枚举进程模块_x86_x64

最新推荐文章于 2023-12-29 18:32:49 发布
最新推荐文章于 2023-12-29 18:32:49 发布
阅读量763 收藏 1
点赞数
分类专栏: Windows编程技术
原文链接:https://www.cnblogs.com/lsh123/p/8295774.html
版权

抄的,原文很详细的说明了原理
作者:沉疴
出处:https://www.cnblogs.com/lsh123/p/8295774.html

.h

#pragma once
#include <windows.h>
#include <winternl.h>
#include <ntstatus.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <vector>
using namespace std;
 
 
enum MODULE_TYPE
{
    MODULE_X86,
    MODULE_X64,
};
struct _PROCESS_MODULE_INFORMATION_
{
    ULONG64   ModuleBase;                                //操作系统中可能存在64位与32位的程序
    size_t    ModuleSize;
    WCHAR     ModuleFullPathData[MAX_PATH];
    MODULE_TYPE ModuleType;
};
template <typename T>
struct _LIST_ENTRY_
{
    T Flink;
    T Blink;
};
 
template <typename T>
struct _UNICODE_STRING_
{
    WORD BufferLength;
    WORD MaximumLength;
    T BufferData;
};
 
 
 
template <typename T, typename NGF, int A>
struct _PEB_
{
    typedef T type;
 
    union
    {
        struct
        {
            BYTE InheritedAddressSpace;
            BYTE ReadImageFileExecOptions;
            BYTE BeingDebugged;
            BYTE BitField;
        };
        T dummy01;
    };
    T Mutant;
    T ImageBaseAddress;
    T Ldr;
    T ProcessParameters;
    T SubSystemData;
    T ProcessHeap;
    T FastPebLock;
    T AtlThunkSListPtr;
    T IFEOKey;
    T CrossProcessFlags;
    T UserSharedInfoPtr;
    DWORD SystemReserved;
    DWORD AtlThunkSListPtr32;
    T ApiSetMap;
    T TlsExpansionCounter;
    T TlsBitmap;
    DWORD TlsBitmapBits[2];
    T ReadOnlySharedMemoryBase;
    T HotpatchInformation;
    T ReadOnlyStaticServerData;
    T AnsiCodePageData;
    T OemCodePageData;
    T UnicodeCaseTableData;
    DWORD NumberOfProcessors;
    union
    {
        DWORD NtGlobalFlag;
        NGF dummy02;
    };
    LARGE_INTEGER CriticalSectionTimeout;
    T HeapSegmentReserve;
    T HeapSegmentCommit;
    T HeapDeCommitTotalFreeThreshold;
    T HeapDeCommitFreeBlockThreshold;
    DWORD NumberOfHeaps;
    DWORD MaximumNumberOfHeaps;
    T ProcessHeaps;
    T GdiSharedHandleTable;
    T ProcessStarterHelper;
    T GdiDCAttributeList;
    T LoaderLock;
    DWORD OSMajorVersion;
    DWORD OSMinorVersion;
    WORD OSBuildNumber;
    WORD OSCSDVersion;
    DWORD OSPlatformId;
    DWORD ImageSubsystem;
    DWORD ImageSubsystemMajorVersion;
    T ImageSubsystemMinorVersion;
    T ActiveProcessAffinityMask;
    T GdiHandleBuffer[A];
    T PostProcessInitRoutine;
    T TlsExpansionBitmap;
    DWORD TlsExpansionBitmapBits[32];
    T SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    T pShimData;
    T AppCompatInfo;
    _UNICODE_STRING_<T> CSDVersion;
    T ActivationContextData;
    T ProcessAssemblyStorageMap;
    T SystemDefaultActivationContextData;
    T SystemAssemblyStorageMap;
    T MinimumStackCommit;
    T FlsCallback;
    _LIST_ENTRY_<T> FlsListHead;
    T FlsBitmap;
    DWORD FlsBitmapBits[4];
    T FlsHighIndex;
    T WerRegistrationData;
    T WerShipAssertPtr;
    T pContextData;
    T pImageHeaderHash;
    T TracingFlags;
    T CsrServerReadOnlySharedMemoryBase;
};
typedef _PEB_<DWORD, DWORD64, 34> _PEB32_;
typedef _PEB_<DWORD64, DWORD, 30> _PEB64_;
template<typename T>
struct _PEB_T
{
    typedef typename std::conditional<std::is_same<T, DWORD>::value, _PEB32_, _PEB64_>::type type;
};
 
template<typename T>
struct _PEB_LDR_DATA_
{
    unsigned long Length;
    unsigned char Initialized;
    T SsHandle;
    _LIST_ENTRY_<T> InLoadOrderModuleList;
    _LIST_ENTRY_<T> InMemoryOrderModuleList;
    _LIST_ENTRY_<T> InInitializationOrderModuleList;
    T EntryInProgress;
    unsigned char ShutdownInProgress;
    T ShutdownThreadId;
};
 
 
template<typename T>
struct _LDR_DATA_TABLE_ENTRY_
{
    _LIST_ENTRY_<T> InLoadOrderLinks;
    _LIST_ENTRY_<T> InMemoryOrderLinks;
    _LIST_ENTRY_<T> InInitializationOrderLinks;
    T DllBase;
    T EntryPoint;
    unsigned long SizeOfImage;
    _UNICODE_STRING_<T> FullDllName;
    _UNICODE_STRING_<T> BaseDllName;
    unsigned long Flags;
    unsigned short LoadCount;
    unsigned short TlsIndex;
    _LIST_ENTRY_<T> HashLinks;
    unsigned long TimeDateStamp;
    T EntryPointActivationContext;
    T PatchInformation;
};
template<typename T>
struct _PROCESS_BASIC_INFORMATION_
{
    NTSTATUS ExitStatus;
    ULONG    Reserved0;
    T        PebBaseAddress;
    T        AffinityMask;
    LONG     BasePriority;
    ULONG    Reserved1;
    T        UniqueProcessId;
    T        InheritedFromUniqueProcessId;
};
 
 
 
 
 
typedef decltype(&NtQueryInformationProcess) LPFN_NTQUERYINFORMATIONPROCESS;
 
 
 
typedef NTSTATUS(NTAPI *LPFN_NTWOW64QUERYINFORMATIONPROCESS64)(
    IN  HANDLE ProcessHandle,
    IN  ULONG  ProcessInformationClass,
    OUT PVOID  ProcessInformation,
    IN  ULONG  ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL);
 
typedef NTSTATUS(NTAPI *LPFN_NTWOW64READVIRTUALMEMORY64)(
    IN  HANDLE   ProcessHandle,
    IN  ULONG64  BaseAddress,
    OUT PVOID    BufferData,
    IN  ULONG64  BufferLength,
    OUT PULONG64 ReturnLength OPTIONAL);
struct _PROCESS_INFORMATION_
{
    ULONG  ProcessID;
    char   ImageNameData[MAX_PATH];
    char   ProcessFullPathData[MAX_PATH];
};
typedef struct
{
    DWORD ExitStatus;
    DWORD PebBaseAddress;
    DWORD AffinityMask;
    DWORD BasePriority;
    ULONG UniqueProcessId;
    ULONG InheritedFromUniqueProcessId;
}   __PROCESS_BASIC_INFORMATION__;
 
typedef LONG(__stdcall *PROCNTQSIP)(HANDLE, UINT, PVOID, ULONG, PULONG);
 
 
 
SIZE_T SeEnumProcessModuleList(ULONG ProcessID, vector<_PROCESS_MODULE_INFORMATION_>& ProcessModuleInfo);
SIZE_T SeEnumModuleInfoByPeb(ULONG ProcessID, vector<_PROCESS_MODULE_INFORMATION_>& ProcessModuleInfo);
template<typename T>
SIZE_T EnumModuleInfoByPeb(HANDLE ProcessHandle, vector<_PROCESS_MODULE_INFORMATION_>& ProcessModuleInfo);
ULONG64 GetPeb(HANDLE ProcessHandle, _PEB64_* Peb);
ULONG32 GetPeb(HANDLE ProcessHandle, _PEB32_* Peb);
BOOL SeReadProcessMemory(HANDLE ProcessHandle, DWORD BaseAddress, LPVOID BufferData, size_t BufferLength, DWORD64* ReturnLength);
BOOL SeReadProcessMemory(HANDLE ProcessHandle, DWORD64 BaseAddress, LPVOID BufferData, size_t BufferLength, DWORD64 *ReturnLength);

.cpp

BOOL EnumDllLoaderedProcess(vector<_PROCESS_INFORMATION_>  ProcessInfo, string DllName)
{
    OnInitMember();
    vector<_PROCESS_INFORMATION_>::iterator i;
    string DllFullPath;
    int j = 0;
    for (i = ProcessInfo.begin(); i != ProcessInfo.end(); i++)
    {
        ULONG ProcessID = i->ProcessID;
        vector<_PROCESS_MODULE_INFORMATION_>ProcessModuleInfomationVector;
        SeEnumProcessModuleList(ProcessID, ProcessModuleInfomationVector);
        int index = 0;
        vector<_PROCESS_MODULE_INFORMATION_>::iterator m;
 
        for (m = ProcessModuleInfomationVector.begin(); m != ProcessModuleInfomationVector.end(); m++)
        {
 
            DllFullPath = SeUtf16ToUtf8(m->ModuleFullPathData);
            index = DllFullPath.find(DllName);
            if (index == -1)
            {
                continue;
            }
            else
            {
                printf("%s", i->ProcessFullPathData);
                printf("-----------------------------\n\n");
                break;
            }
        }
 
 
 
    }
    return TRUE;
}
 
SIZE_T SeEnumProcessModuleList(ULONG ProcessID, vector<_PROCESS_MODULE_INFORMATION_>& ProcessModuleInfo)
{
    SeEnumModuleInfoByPeb(ProcessID, ProcessModuleInfo);
 
    return ProcessModuleInfo.size();
}
SIZE_T SeEnumModuleInfoByPeb(ULONG ProcessID, vector<_PROCESS_MODULE_INFORMATION_>& ProcessModuleInfo)
{
    HANDLE ProcessHandle = NULL;
    BOOL   IsWow64 = FALSE;
    ProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, ProcessID);
    int a = GetLastError();
    if (ProcessHandle == NULL)
    {
        goto Error;
    }
    IsWow64Process(ProcessHandle, &IsWow64);
 
    if (IsWow64 == TRUE)
    {
        EnumModuleInfoByPeb<DWORD>(ProcessHandle, ProcessModuleInfo);
    }
    else
    {
        EnumModuleInfoByPeb<DWORD64>(ProcessHandle, ProcessModuleInfo);
    }
Error:
    if (ProcessHandle != NULL)
    {
        CloseHandle(ProcessHandle);
        ProcessHandle = NULL;
    }
    return ProcessModuleInfo.size();
}
template<typename T>
SIZE_T EnumModuleInfoByPeb(HANDLE ProcessHandle, vector<_PROCESS_MODULE_INFORMATION_>& ProcessModuleInfo)
{
    typename _PEB_T<T>::type Peb = { { { 0 } } };
    _PEB_LDR_DATA_<T> PebLdrData = { 0 };
 
    ProcessModuleInfo.clear();
 
 
    if (GetPeb(ProcessHandle, &Peb) != 0 && SeReadProcessMemory(ProcessHandle,
        Peb.Ldr, &PebLdrData, sizeof(PebLdrData), 0) == TRUE)
    {
        for (T CheckPtr = PebLdrData.InLoadOrderModuleList.Flink;
            CheckPtr != (Peb.Ldr + FIELD_OFFSET(_PEB_LDR_DATA_<T>, InLoadOrderModuleList));
            SeReadProcessMemory(ProcessHandle, static_cast<ULONG64>(CheckPtr), &CheckPtr, sizeof(CheckPtr), 0))
        {
            _PROCESS_MODULE_INFORMATION_ v1;
            wchar_t ModuleFullPathData[MAX_PATH] = { 0 };
            _LDR_DATA_TABLE_ENTRY_<T> LdrDataTableEntry = { { 0 } };
 
            SeReadProcessMemory(ProcessHandle, CheckPtr, &LdrDataTableEntry, sizeof(LdrDataTableEntry), 0);
            SeReadProcessMemory(ProcessHandle, LdrDataTableEntry.FullDllName.BufferData, ModuleFullPathData,
                LdrDataTableEntry.FullDllName.BufferLength, 0);
 
            v1.ModuleBase = LdrDataTableEntry.DllBase;
            v1.ModuleSize = LdrDataTableEntry.SizeOfImage;
            wmemcpy(v1.ModuleFullPathData, ModuleFullPathData, MAX_PATH);
            printf("%ls\n", v1.ModuleFullPathData);
 
            v1.ModuleType = std::is_same<T, DWORD>::value ? MODULE_X86 : MODULE_X64;
 
            ProcessModuleInfo.emplace_back(v1);
        }
    }
 
    return ProcessModuleInfo.size();
}
ULONG64 GetPeb(HANDLE ProcessHandle, _PEB64_* Peb)
{
    _PROCESS_BASIC_INFORMATION_<DWORD64> ProcessBasicInfo = { 0 };
    ULONG ReturnLength = 0;
    if (NT_SUCCESS(__NtWow64QueryInformationProcess64(ProcessHandle, ProcessBasicInformation, &ProcessBasicInfo,
        (ULONG)sizeof(ProcessBasicInfo), &ReturnLength)) && Peb)
    {
        __NtWow64ReadVirtualMemory64(ProcessHandle, ProcessBasicInfo.PebBaseAddress, Peb, sizeof(_PEB64_), NULL);
    }
 
    return ProcessBasicInfo.PebBaseAddress;
}
ULONG32 GetPeb(HANDLE ProcessHandle, _PEB32_* Peb)
{
    PROCESS_BASIC_INFORMATION ProcessBasicInfo = { 0 };
    ULONG ReturnLength = 0;
 
 
    if (NT_SUCCESS(__NtQueryInformationProcess(ProcessHandle, ProcessBasicInformation, &ProcessBasicInfo,
        (ULONG)sizeof(ProcessBasicInfo), &ReturnLength)) && Peb)
    {
        ReadProcessMemory(ProcessHandle, ProcessBasicInfo.PebBaseAddress, Peb, sizeof(_PEB32_), NULL);
    }
    return reinterpret_cast<ULONG32>(ProcessBasicInfo.PebBaseAddress);
}
BOOL SeReadProcessMemory(HANDLE ProcessHandle, DWORD BaseAddress, LPVOID BufferData, size_t BufferLength, DWORD64* ReturnLength)
{
    return ReadProcessMemory(ProcessHandle, reinterpret_cast<LPVOID>(BaseAddress), BufferData,
        BufferLength, reinterpret_cast<SIZE_T*>(ReturnLength));
 
}
BOOL SeReadProcessMemory(HANDLE ProcessHandle, DWORD64 BaseAddress, LPVOID BufferData, size_t BufferLength, DWORD64 *ReturnLength)
{
    if (__NtWow64ReadVirtualMemory64(ProcessHandle,
        BaseAddress, BufferData, BufferLength, ReturnLength) != STATUS_SUCCESS)
    {
        return FALSE;
    }
 
    return TRUE;
}
 
 
BOOL OnInitMember()
{
    HMODULE NtdllModuleBase = NULL;
    NtdllModuleBase = GetModuleHandle("Ntdll.dll");
    if (NtdllModuleBase == NULL)
    {
        return FALSE;
    }
    __NtWow64QueryInformationProcess64 = (LPFN_NTWOW64QUERYINFORMATIONPROCESS64)GetProcAddress(NtdllModuleBase,
        "NtWow64QueryInformationProcess64");
    __NtWow64ReadVirtualMemory64 = (LPFN_NTWOW64READVIRTUALMEMORY64)GetProcAddress(NtdllModuleBase,
        "NtWow64ReadVirtualMemory64");
    __NtQueryInformationProcess = (LPFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(NtdllModuleBase,
        "NtQueryInformationProcess");
    if (__NtWow64QueryInformationProcess64 == NULL || __NtWow64ReadVirtualMemory64 == NULL || __NtQueryInformationProcess == NULL)
    {
        return FALSE;
    }
    return TRUE;
}
QQQqQqqqqrrrr
关注
专栏目录
利用32位PEB结构实现从进程ID中得到进程完整路径
nyzdmc的博客
11-20 1311
本程序只使用于32位! 即只能寻找32位进程的完整路径! 使用PEB结构以得到进程的完整路径(包括从进程ID得到进程PEB地址和从PEB结构得到进程完整路径) GetProcessFullPathByProcessID相当于两个函数GetPebByProcessID,GetProcessFullPathByPeb的合并。 从PEB结构中得到进程的完整路径: 通过PEB结构中的RTL_USER_PROCESS_PARAMETERS类型的ProcessParameters成员,ProcessParamet
PEB结构的获取
SauceJ的专栏
08-15 3594
PEB结构----枚举用户模块列表。 PEB
VC32位程序通过NtWow64ReadVirtualMemory64 PEB枚举32-64位程序进程模块及基址
wh445306
08-07 3638
//#include "pch.h" #include <stdio.h> #include "windows.h" #define NT_SUCCESS(x) ((x) >= 0) #define ProcessBasicInformation 0 typedef NTSTATUS(NTAPI *pfnNtWow64QueryInformationProcess64)( IN HANDLE ProcessHandle, IN ULONG ProcessInf...
准确在64位系统下枚举进程模块
04-08
在32位进程中使用WMI枚举其他进程模块,支持32位系统和64位系统。
PEB结构----枚举用户模块列表
木休的斋堂
03-14 654
本文在主主要以上述两篇文章为基础,对PEB的结构进行了详细的分析,重点是在揭示PEB结构中的list—entry的应用,并且以C语言Code进行实证。 本文主要分为四个部分,第一部分说明PEB地址如何获得;第二部分说明PEB的框架结构;第三部对PEB中的List-Entry结构进行了详细剖析,第四部分给出了枚举用户模块列表的代码。 ---------------------------
通过PEB遍历进程模块x64/wow4)
HXD1C6001的博客
11-14 576
未整理 转载于:https://www.cnblogs.com/IMRIVER/p/9960785.html
利用peb枚举当前进程加载模块
冰点的专栏
02-09 681
其实就是根据http://blog.csdn.net/iiprogram/archive/2006/03/22/632573.aspx上的c代码写的希望作者不会鄙视我include /masm32/include/windows.incinclude /masm32/include/kernel32.incinclude /masm32/include/user32.incinclud
通过PEB枚举进程中所有模块
03-29 233
背景知识网上可搜到 这儿有个视频讲得比较详细:http://www.52pojie.cn/thread-178258-1-1.html 废话不说,上代码 首先是一些结构体的定义: 1 typedef LONG KPRIORITY; 2 typedef void** PPVOID; 3 4 typedef struct _LDR_DATA_TABLE_E...
windows实验-Wrk源码编译与进程模块分析
03-24
为了实现列举进程模块的目标,需要深入了解进程环境块(PEB)的概念及其内部结构。 1. **PEB结构介绍**:PEB进程环境块的简称,是每个进程特有的数据结构,位于EPROCESS结构中。它包含了进程运行时的重要信息,如...
CreateProcess进程创建的内核跟踪分析
zjw1989
09-12 1032
<br />*[标题]:CreateProcess进程创建的内核跟踪分析<br />*[作者]:gz1X [gz1x(at)tom(dot)com]<br />*[来自]:中国黑客联盟 [CHU]<br /><br />    <br />*[正文]:<br /><br /><br />[实现流程]<br />——————————————————————<br />1.打开需要执行的文件(.exe);<br />2.创建执行体进程对象; //<-------重点<br />3.创建初始线程; /
e语言-32位进程枚举64位进程模块信息
08-23
资源介绍:' WOW64的32位程序其实拥有64位程序的全部功能,包括32注入64位、枚举64位进程模块、Hook64位模块、调用64位API等等等等....' 因为WOW64程序不是完全的虚拟化的,是伪虚拟化,本身就是一个64位进程,只是自己以为是32位程序而已. 所以Wow64进程 里面' 既有 64位环境结构,又有32位环境结构, 使用api  NtWow64QueryInformationProcess64 可以获取 进程的64位PEB结构地址,' 使用api  NtWow64ReadVirtualMemory64 可以读取进程的64位内存地址的数据. 通过PEB64结构进行遍历进程的64位模块!资源作者:
32位进程枚举64位进程模块信息
06-02
资源介绍:。' WOW64的32位程序其实拥有64位程序的全部功能,包括32注入64位、枚举64位进程模块、Hook64位模块、调用64位API等等等等....' 因为WOW64程序不是完全的虚拟化的,是伪虚拟化,本身就是一个64位进程,只是自己以为是32位程序而已. 所以Wow64进程 里面。' 既有 64位环境结构,又有32位环境结构, 使用api  NtWow64QueryInformationProcess64 可以获取 进程的64位PEB结构地址,。' 使用api  NtWow64ReadVirtualMemory64 可以读取进程的64位内存地址的数据. 通过PEB64结构进行遍历进程的64位模块!。资源作者:。@iokey。资源下载:。Tags:64位进程
HideDriver_hidedriver_TP_驱动隐藏_驱动断链隐藏_隐藏驱动
09-11
驱动隐藏 断链隐藏驱动及驱动注册回调,可过TP双击调试
Windows 内核之双机调试与windbg命令大全
玄道的网安博客
12-29 1062
在今后会有相当的实验环节,对于windows内核实验,调试环境是必不可少的,本章讲解双机调试的环境搭建与常见的WINDBG指令。 准备材料: VMware workstation : [https://www.vmware.com/go/downloadworkstation-cn] windows 7 x64 ISO (请使用种子下载工具进行下载): [ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|34205573
PEB结构----枚举用户模块列表(图)
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
09-04 2116
本文在主主要以上述两篇文章为基础,对PEB的结构进行了详细的分析,重点是在揭示PEB结构中的list—entry的应用,并且以C语言Code进行实证。   本文主要分为四个部分,第一部分说明PEB地址如何获得;第二部分说明PEB的框架结构;第三部对PEB中的List-Entry结构进行了详细剖析,第四部分给出了枚举用户模块列表的代码。   -----------------------
枚举PEB获取进程模块列表
08-11 227
枚举进程模块的方法有很多种,常见的有枚举PEB和内存搜索法,今天,先来看看实现起来最简单的枚举PEB实现获取进程模块列表。 首先,惯例是各种繁琐的结构体定义。需要包含 ntifs.h 和 WinDef.h, 此处不再列出,各位看官根据情况自行添加。 [cpp] view plain copy print? typedefP...
利用 PEB_LDR_DATA 结构枚举进程模块信息
最新发布
溡漪幽博客
12-29 1806
我们常常通过很多方法来获取进程模块信息,例如EnumProcessModules 函数、CreateToolhelp32Snapshot 函数、WTSEnumerateProcesses 函数、ZwQuerySystemInformation 函数等。但是调用这些接口进行模块枚举的原理是什么我们并不知道。通过学习 PEBPEB_LDR_DATA 结构的知识,我们可以对进程模块信息的查询以及相关存储数据结构有进一步的了解。
枚举进程 模块 堆栈
x
10-22 347
void walkProcess() { HANDLE hSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 ); if(hSnap == INVALID_HANDLE_VALUE) return; PROCESSENTRY32 p32; p32.dwSize = sizeof(PROCES...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值