尽管操作PEB BLOCK现在已经没什么价值了,但是PEB BLOCK作为内核的一个重要结构,这里还是提一下:
x64 EPROCESS结构
+0x000 Pcb : _KPROCESS
+0x160 ProcessLock : _EX_PUSH_LOCK
+0x168 CreateTime : _LARGE_INTEGER
+0x170 ExitTime : _LARGE_INTEGER
+0x178 RundownProtect : _EX_RUNDOWN_REF
+0x180 UniqueProcessId : Ptr64 Void
+0x188 ActiveProcessLinks : _LIST_ENTRY
+0x198 ProcessQuotaUsage : [2] Uint8B
+0x1a8 ProcessQuotaPeak : [2] Uint8B
+0x1b8 CommitCharge : Uint8B
+0x1c0 QuotaBlock : Ptr64 _EPROCESS_QUOTA_BLOCK
+0x1c8 CpuQuotaBlock : Ptr64 _PS_CPU_QUOTA_BLOCK
+0x1d0 PeakVirtualSize : Uint8B
+0x1d8 VirtualSize : Uint8B
+0x1e0 SessionProcessLinks : _LIST_ENTRY
+0x1f0 DebugPort : Ptr64 Void
+0x1f8 ExceptionPortData : Ptr64 Void
+0x1f8 ExceptionPortValue : Uint8B
+0x1f8 ExceptionPortState : Pos 0, 3 Bits
+0x200 ObjectTable : Ptr64 _HANDLE_TABLE
+0x208 Token : _EX_FAST_REF
+0x210 WorkingSetPage : Uint8B
+0x218 AddressCreationLock : _EX_PUSH_LOCK
+0x220 RotateInProgress : Ptr64 _ETHREAD
+0x228 ForkInProgress : Ptr64 _ETHREAD
+0x230 HardwareTrigger : Uint8B
+0x238 PhysicalVadRoot : Ptr64 _MM_AVL_TABLE
+0x240 CloneRoot : Ptr64 Void
+0x248 NumberOfPrivatePages : Uint8B
+0x250 NumberOfLockedPages : Uint8B
+0x258 Win32Process : Ptr64 Void
+0x260 Job : Ptr64 _EJOB
+0x268 SectionObject : Ptr64 Void
+0x270 SectionBaseAddress : Ptr64 Void
+0x278 Cookie : Uint4B
+0x27c UmsScheduledThreads : Uint4B
+0x280 WorkingSetWatch : Ptr64 _PAGEFAULT_HISTORY
+0x288 Win32WindowStation : Ptr64 Void
+0x290 InheritedFromUniqueProcessId : Ptr64 Void
+0x298 LdtInformation : Ptr64 Void
+0x2a0 Spare : Ptr64 Void
+0x2a8 ConsoleHostProcess : Uint8B
+0x2b0 DeviceMap : Ptr64 Void
+0x2b8 EtwDataSource : Ptr64 Void
+0x2c0 FreeTebHint : Ptr64 Void
+0x2c8 FreeUmsTebHint : Ptr64 Void
+0x2d0 PageDirectoryPte : _HARDWARE_PTE
+0x2d0 Filler : Uint8B
+0x2d8 Session : Ptr64 Void
+0x2e0 ImageFileName : [15] UChar
+0x2ef PriorityClass : UChar
+0x2f0 JobLinks : _LIST_ENTRY
+0x300 LockedPagesList : Ptr64 Void
+0x308 ThreadListHead : _LIST_ENTRY
+0x318 SecurityPort : Ptr64 Void
+0x320 Wow64Process : Ptr64 Void
+0x328 ActiveThreads : Uint4B
+0x32c ImagePathHash : Uint4B
+0x330 DefaultHardErrorProcessing : Uint4B
+0x334 LastThreadExitStatus : Int4B
+0x338 Peb : Ptr64 _PEB
+0x340 PrefetchTrace : _EX_FAST_REF
+0x348 ReadOperationCount : _LARGE_INTEGER
+0x350 WriteOperationCount : _LARGE_INTEGER
+0x358 OtherOperationCount : _LARGE_INTEGER
+0x360 ReadTransferCount : _LARGE_INTEGER
+0x368 WriteTransferCount : _LARGE_INTEGER
+0x370 OtherTransferCount : _LARGE_INTEGER
+0x378 CommitChargeLimit : Uint8B
+0x380 CommitChargePeak : Uint8B
+0x388 AweInfo : Ptr64 Void
+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x398 Vm : _MMSUPPORT
+0x420 MmProcessLinks : _LIST_ENTRY
+0x430 HighestUserAddress : Ptr64 Void
+0x438 ModifiedPageCount : Uint4B
+0x43c Flags2 : Uint4B
+0x43c JobNotReallyActive : Pos 0, 1 Bit
+0x43c AccountingFolded : Pos 1, 1 Bit
+0x43c NewProcessReported : Pos 2, 1 Bit
+0x43c ExitProcessReported : Pos 3, 1 Bit
+0x43c ReportCommitChanges : Pos 4, 1 Bit
+0x43c LastReportMemory : Pos 5, 1 Bit
+0x43c ReportPhysicalPageChanges : Pos 6, 1 Bit
+0x43c HandleTableRundown : Pos 7, 1 Bit
+0x43c NeedsHandleRundown : Pos 8, 1 Bit
+0x43c RefTraceEnabled : Pos 9, 1 Bit
+0x43c NumaAware : Pos 10, 1 Bit
+0x43c ProtectedProcess : Pos 11, 1 Bit
+0x43c DefaultPagePriority : Pos 12, 3 Bits
+0x43c PrimaryTokenFrozen : Pos 15, 1 Bit
+0x43c ProcessVerifierTarget : Pos 16, 1 Bit
+0x43c StackRandomizationDisabled : Pos 17, 1 Bit
+0x43c AffinityPermanent : Pos 18, 1 Bit
+0x43c AffinityUpdateEnable : Pos 19, 1 Bit
+0x43c PropagateNode : Pos 20, 1 Bit
+0x43c ExplicitAffinity : Pos 21, 1 Bit
+0x440 Flags : Uint4B
+0x440 CreateReported : Pos 0, 1 Bit
+0x440 NoDebugInherit : Pos 1, 1 Bit
+0x440 ProcessExiting : Pos 2, 1 Bit
+0x440 ProcessDelete : Pos 3, 1 Bit
+0x440 Wow64SplitPages : Pos 4, 1 Bit
+0x440 VmDeleted : Pos 5, 1 Bit
+0x440 OutswapEnabled : Pos 6, 1 Bit
+0x440 Outswapped : Pos 7, 1 Bit
+0x440 ForkFailed : Pos 8, 1 Bit
+0x440 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x440 AddressSpaceInitialized : Pos 10, 2 Bits
+0x440 SetTimerResolution : Pos 12, 1 Bit
+0x440 BreakOnTermination : Pos 13, 1 Bit
+0x440 DeprioritizeViews : Pos 14, 1 Bit
+0x440 WriteWatch : Pos 15, 1 Bit
+0x440 ProcessInSession : Pos 16, 1 Bit
+0x440 OverrideAddressSpace : Pos 17, 1 Bit
+0x440 HasAddressSpace : Pos 18, 1 Bit
+0x440 LaunchPrefetched : Pos 19, 1 Bit
+0x440 InjectInpageErrors : Pos 20, 1 Bit
+0x440 VmTopDown : Pos 21, 1 Bit
+0x440 ImageNotifyDone : Pos 22, 1 Bit
+0x440 PdeUpdateNeeded : Pos 23, 1 Bit
+0x440 VdmAllowed : Pos 24, 1 Bit
+0x440 CrossSessionCreate : Pos 25, 1 Bit
+0x440 ProcessInserted : Pos 26, 1 Bit
+0x440 DefaultIoPriority : Pos 27, 3 Bits
+0x440 ProcessSelfDelete : Pos 30, 1 Bit
+0x440 SetTimerResolutionLink : Pos 31, 1 Bit
+0x444 ExitStatus : Int4B
+0x448 VadRoot : _MM_AVL_TABLE
+0x488 AlpcContext : _ALPC_PROCESS_CONTEXT
+0x4a8 TimerResolutionLink : _LIST_ENTRY
+0x4b8 RequestedTimerResolution : Uint4B
+0x4bc ActiveThreadsHighWatermark : Uint4B
+0x4c0 SmallestTimerResolution : Uint4B
+0x4c8 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
x86中,寻找PEB的方法很简单
_asm
{
mov eax, fs:0x30
mov peb, eax
//mov eax, [eax+0x10]
}在64位系统中,PEB BLOCK位于gs:[60h]
.code
Getgs proc
mov rax, gs:[60h]
ret
Getgs endp
end 在inc文件中输入:
EXPORTS
Getgs
在def文件中输入:
Getgs proto;构建编译。
在.c文件中声明
#pragma comment(lib, "xxx.lib")
typedef unsigned _int64 QWORD;
extern "C" QWORD __stdcall Getgs();即可获得PEB地址
x64PEB的结构内容 windbg一试便知:
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsLegacyProcess : Pos 2, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
+0x003 SpareBits : Pos 5, 3 Bits
+0x008 Mutant : Ptr64 Void
+0x010 ImageBaseAddress : Ptr64 Void
+0x018 Ldr : Ptr64 _PEB_LDR_DATA
+0x020 ProcessParameters : Ptr64 _RTL_USER_PROCESS_PARAMETERS
+0x028 SubSystemData : Ptr64 Void
+0x030 ProcessHeap : Ptr64 Void
+0x038 FastPebLock : Ptr64 _RTL_CRITICAL_SECTION
+0x040 AtlThunkSListPtr : Ptr64 Void
+0x048 IFEOKey : Ptr64 Void
+0x050 CrossProcessFlags : Uint4B
+0x050 ProcessInJob : Pos 0, 1 Bit
+0x050 ProcessInitializing : Pos 1, 1 Bit
+0x050 ProcessUsingVEH : Pos 2, 1 Bit
+0x050 ProcessUsingVCH : Pos 3, 1 Bit
+0x050 ProcessUsingFTH : Pos 4, 1 Bit
+0x050 ReservedBits0 : Pos 5, 27 Bits
+0x058 KernelCallbackTable : Ptr64 Void
+0x058 UserSharedInfoPtr : Ptr64 Void
+0x060 SystemReserved : [1] Uint4B
+0x064 AtlThunkSListPtr32 : Uint4B
+0x068 ApiSetMap : Ptr64 Void
+0x070 TlsExpansionCounter : Uint4B
+0x078 TlsBitmap : Ptr64 Void
+0x080 TlsBitmapBits : [2] Uint4B
+0x088 ReadOnlySharedMemoryBase : Ptr64 Void
+0x090 HotpatchInformation : Ptr64 Void
+0x098 ReadOnlyStaticServerData : Ptr64 Ptr64 Void
+0x0a0 AnsiCodePageData : Ptr64 Void
+0x0a8 OemCodePageData : Ptr64 Void
+0x0b0 UnicodeCaseTableData : Ptr64 Void
+0x0b8 NumberOfProcessors : Uint4B
+0x0bc NtGlobalFlag : Uint4B
+0x0c0 CriticalSectionTimeout : _LARGE_INTEGER
+0x0c8 HeapSegmentReserve : Uint8B
+0x0d0 HeapSegmentCommit : Uint8B
+0x0d8 HeapDeCommitTotalFreeThreshold : Uint8B
+0x0e0 HeapDeCommitFreeBlockThreshold : Uint8B
+0x0e8 NumberOfHeaps : Uint4B
+0x0ec MaximumNumberOfHeaps : Uint4B
+0x0f0 ProcessHeaps : Ptr64 Ptr64 Void
+0x0f8 GdiSharedHandleTable : Ptr64 Void
+0x100 ProcessStarterHelper : Ptr64 Void
+0x108 GdiDCAttributeList : Uint4B
+0x110 LoaderLock : Ptr64 _RTL_CRITICAL_SECTION
+0x118 OSMajorVersion : Uint4B
+0x11c OSMinorVersion : Uint4B
+0x120 OSBuildNumber : Uint2B
+0x122 OSCSDVersion : Uint2B
+0x124 OSPlatformId : Uint4B
+0x128 ImageSubsystem : Uint4B
+0x12c ImageSubsystemMajorVersion : Uint4B
+0x130 ImageSubsystemMinorVersion : Uint4B
+0x138 ActiveProcessAffinityMask : Uint8B
+0x140 GdiHandleBuffer : [60] Uint4B
+0x230 PostProcessInitRoutine : Ptr64 void
+0x238 TlsExpansionBitmap : Ptr64 Void
+0x240 TlsExpansionBitmapBits : [32] Uint4B
+0x2c0 SessionId : Uint4B
+0x2c8 AppCompatFlags : _ULARGE_INTEGER
+0x2d0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x2d8 pShimData : Ptr64 Void
+0x2e0 AppCompatInfo : Ptr64 Void
+0x2e8 CSDVersion : _UNICODE_STRING
+0x2f8 ActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x300 ProcessAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x308 SystemDefaultActivationContextData : Ptr64 _ACTIVATION_CONTEXT_DATA
+0x310 SystemAssemblyStorageMap : Ptr64 _ASSEMBLY_STORAGE_MAP
+0x318 MinimumStackCommit : Uint8B
+0x320 FlsCallback : Ptr64 _FLS_CALLBACK_INFO
+0x328 FlsListHead : _LIST_ENTRY
+0x338 FlsBitmap : Ptr64 Void
+0x340 FlsBitmapBits : [4] Uint4B
+0x350 FlsHighIndex : Uint4B
+0x358 WerRegistrationData : Ptr64 Void
+0x360 WerShipAssertPtr : Ptr64 Void
+0x368 pContextData : Ptr64 Void
+0x370 pImageHeaderHash : Ptr64 Void
+0x378 TracingFlags : Uint4B
+0x378 HeapTracingEnabled : Pos 0, 1 Bit
+0x378 CritSecTracingEnabled : Pos 1, 1 Bit
+0x378 SpareTracingBits : Pos 2, 30 Bits获得下本机的当前PEB地址
kd> !peb
PEB at 000007fffffd5000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: No
ImageBaseAddress: 00000000ffec0000
Ldr 0000000077572640
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00000000001d2730 . 00000000001e8100
Ldr.InLoadOrderModuleList: 00000000001d2620 . 00000000001e81d0
Ldr.InMemoryOrderModuleList: 00000000001d2630 . 00000000001e81e0
Base TimeStamp Module
ffec0000 4ce79f61 Nov 20 18:13:53 2010 C:\Windows\system32\slui.exe
77440000 4ce7c8f9 Nov 20 21:11:21 2010 C:\Windows\SYSTEM32\ntdll.dll
77320000 4ce7c78b Nov 20 21:05:15 2010 C:\Windows\system32\kernel32.dll
7fefd440000 4ce7c78c Nov 20 21:05:16 2010 C:\Windows\system32\KERNELBASE.dll
7feff5f0000 4a5bde6b Jul 14 09:24:59 2009 C:\Windows\system32\ADVAPI32.dll
7feff190000 4a5bdfbe Jul 14 09:30:38 2009 C:\Windows\system32\msvcrt.dll
7feff3e0000 4a5be05e Jul 14 09:33:18 2009 C:\Windows\SYSTEM32\sechost.dll
7fefd770000 4ce7c96e Nov 20 21:13:18 2010 C:\Windows\system32\RPCRT4.dll
77220000 4ce7c9f1 Nov 20 21:15:29 2010 C:\Windows\system32\USER32.dll
7feff6d0000 4ce7c651 Nov 20 21:00:01 2010 C:\Windows\system32\GDI32.dll
7fefd760000 4a5bdf5f Jul 14 09:29:03 2009 C:\Windows\system32\LPK.dll
7fefdd80000 4ce7c9f5 Nov 20 21:15:33 2010 C:\Windows\system32\USP10.dll
7fefa5b0000 4a5be067 Jul 14 09:33:27 2009 C:\Windows\system32\sppcommdlg.dll
7fefc000000 4ce7c45b Nov 20 20:51:39 2010 C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\COMCTL32.dll
7feff360000 4ce7c9ab Nov 20 21:14:19 2010 C:\Windows\system32\SHLWAPI.dll
7feff460000 4a5bdf40 Jul 14 09:28:32 2009 C:\Windows\system32\IMM32.dll
7fefe150000 4a5bdfaa Jul 14 09:30:18 2009 C:\Windows\system32\MSCTF.dll
7fefd8f0000 4ce7c92c Nov 20 21:12:12 2010 C:\Windows\system32\ole32.dll
7feff510000 4ce7c930 Nov 20 21:12:16 2010 C:\Windows\system32\OLEAUT32.dll
7fefe260000 4ce7c9a6 Nov 20 21:14:14 2010 C:\Windows\system32\SHELL32.dll
7fefb870000 4a5be0a2 Jul 14 09:34:26 2009 C:\Windows\system32\WINBRAND.dll
7fefae10000 4a5be063 Jul 14 09:33:23 2009 C:\Windows\system32\slc.dll
7fefa560000 4ce7c946 Nov 20 21:12:38 2010 C:\Windows\system32\SPPC.DLL
7fefd280000 4a5bdf91 Jul 14 09:29:53 2009 C:\Windows\system32\CRYPTBASE.dll
7fefbe20000 4a5be093 Jul 14 09:34:11 2009 C:\Windows\system32\uxtheme.dll
7fefdce0000 4a5bdeba Jul 14 09:26:18 2009 C:\Windows\system32\CLBCatQ.DLL
7fefcc40000 4a5bdf96 Jul 14 09:29:58 2009 C:\Windows\system32\CRYPTSP.dll
7fefc940000 4a5be039 Jul 14 09:32:41 2009 C:\Windows\system32\rsaenh.dll
7fefd330000 4ce7c96f Nov 20 21:13:19 2010 C:\Windows\system32\RpcRtRemote.dll
7fefa500000 4ce7c9c0 Nov 20 21:14:40 2010 C:\Windows\system32\sppcomapi.dll
SubSystemData: 0000000000000000
ProcessHeap: 00000000001d0000
ProcessParameters: 00000000001d1d50
CurrentDirectory: 'C:\Windows\system32\'
WindowTitle: 'C:\Windows\system32\slui.exe'
ImageFile: 'C:\Windows\system32\slui.exe'
CommandLine: '"C:\Windows\system32\slui.exe"'
DllPath: 'C:\Windows\system32;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\'
Environment: 00000000001d1320
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\BillG\AppData\Roaming
CommonProgramFiles=C:\Program Files\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=WIN-TQVCU2J0T9S
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\BillG
LOCALAPPDATA=C:\Users\BillG\AppData\Local
LOGONSERVER=\\WIN-TQVCU2J0T9S
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 58 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=3a09
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\BillG\AppData\Local\Temp
TMP=C:\Users\BillG\AppData\Local\Temp
USERDOMAIN=WIN-TQVCU2J0T9S
USERNAME=BillG
USERPROFILE=C:\Users\BillG
windir=C:\Windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
dt 000007fffffd5000 _PEB_LDR_DATA
nt!_PEB_LDR_DATA
+0x000 Length : 0x8000000
+0x004 Initialized : 0 ''
+0x008 SsHandle : 0xffffffff`ffffffff Void
+0x010 InLoadOrderModuleList : _LIST_ENTRY [ 0x00000000`ffec0000 - 0x77572640 ]
+0x020 InMemoryOrderModuleList : _LIST_ENTRY [ 0x00000000`001d1d50 - 0x0 ]
+0x030 InInitializationOrderModuleList : _LIST_ENTRY [ 0x00000000`001d0000 - 0x7757a900 ]
+0x040 EntryInProgress : (null)
+0x048 ShutdownInProgress : 0 ''
+0x050 ShutdownThreadId : 0x00000000`00000001 VoidInLoadOrderModuleList InMemoryOrderModuleList InInitializationOrderModuleList 这三条链是根据加载顺序、内存映像顺序、初始化顺序而建立的
其中的辅助成员Flink Blink指向_LDR_DATA_TABLE_ENTRY结构体
kd> dt _LDR_DATA_TABLE_ENTRY
nt!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY
+0x010 InMemoryOrderLinks : _LIST_ENTRY
+0x020 InInitializationOrderLinks : _LIST_ENTRY
+0x030 DllBase : Ptr64 Void
+0x038 EntryPoint : Ptr64 Void
+0x040 SizeOfImage : Uint4B
+0x048 FullDllName : _UNICODE_STRING
+0x058 BaseDllName : _UNICODE_STRING
+0x068 Flags : Uint4B
+0x06c LoadCount : Uint2B
+0x06e TlsIndex : Uint2B
+0x070 HashLinks : _LIST_ENTRY
+0x070 SectionPointer : Ptr64 Void
+0x078 CheckSum : Uint4B
+0x080 TimeDateStamp : Uint4B
+0x080 LoadedImports : Ptr64 Void
+0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
+0x090 PatchInformation : Ptr64 Void
+0x098 ForwarderLinks : _LIST_ENTRY
+0x0a8 ServiceTagLinks : _LIST_ENTRY
+0x0b8 StaticLinks : _LIST_ENTRY
+0x0c8 ContextInformation : Ptr64 Void
+0x0d0 OriginalBase : Uint8B
+0x0d8 LoadTime : _LARGE_INTEGER如果病毒/木马试图在PEB隐藏自己的进程模块时,应该把这三条链全抹掉。
尽管如此,一些强力工具会检测出PEB的断链行为。这往往是_LDR_DATA_TABLE_ENTRY结构体中的SizeOfImage出卖了你。所以,我们应该修改SizeOfImage的值让它看上去和实际更像一点。
有一些古老的程序,通过PEB BLOCK来获取EXE的ImagePathName。在以前,一些木马也通过修改RTL_USER_PROCESS_PARAMETERS结构体内的成员来迷惑防火墙。
这里再总结一些Ring3层上获取进程模块的函数。
CreateToolhelp32Snapshot函数
NtQueryInformationProcess
EnumProcessModules
这三种方法实现原理无一例外,底层都是通过遍历PEB块来实现的。
1、3如果大家不信,可以自己逆向一下。
第二个放出NtQueryInformaionProcess WRK的源码:
NTSTATUS
00590 NtQueryInformationProcess(
00591 __in HANDLE ProcessHandle,
00592 __in PROCESSINFOCLASS ProcessInformationClass,
00593 __out_bcount(ProcessInformationLength) PVOID ProcessInformation,
00594 __in ULONG ProcessInformationLength,
00595 __out_opt PULONG ReturnLength
00596 )
case ProcessBasicInformation:
00732
00733 if (ProcessInformationLength != (ULONG) sizeof(PROCESS_BASIC_INFORMATION)) {
00734 return STATUS_INFO_LENGTH_MISMATCH;
00735 }
00736
00737 st = ObReferenceObjectByHandle (ProcessHandle,
00738 PROCESS_QUERY_INFORMATION,
00739 PsProcessType,
00740 PreviousMode,
00741 &Process,
00742 NULL);
00743 if (!NT_SUCCESS (st)) {
00744 return st;
00745 }
00746
00747 BasicInfo.ExitStatus = Process->ExitStatus;
00748 BasicInfo.PebBaseAddress = Process->Peb;
00749 BasicInfo.AffinityMask = Process->Pcb.Affinity;
00750 BasicInfo.BasePriority = Process->Pcb.BasePriority;
00751 BasicInfo.UniqueProcessId = (ULONG_PTR)Process->UniqueProcessId;
00752 BasicInfo.InheritedFromUniqueProcessId = (ULONG_PTR)Process->InheritedFromUniqueProcessId;
00753
00754 ObDereferenceObject(Process);
00755
00756 //
00757 // Either of these may cause an access violation. The
00758 // exception handler will return access violation as
00759 // status code. No further cleanup needs to be done.
00760 //
00761
00762 try {
00763 *(PPROCESS_BASIC_INFORMATION) ProcessInformation = BasicInfo;
00764
00765 if (ARGUMENT_PRESENT (ReturnLength) ) {
00766 *ReturnLength = sizeof(PROCESS_BASIC_INFORMATION);
00767 }
00768 } except (EXCEPTION_EXECUTE_HANDLER) {
00769 return GetExceptionCode ();
00770 }
00771
00772 return STATUS_SUCCESS;所以,如果R3层上用上述函数搜索进程模块的话,实际上强度很弱。
但是,ZwQueryVirtualMemory这个函数遍历的是进程的虚拟地址空间,实际上是枚举VAD树。VAD树的根节点在EPROCESS块中,是一颗平衡树。断链无法避开这种检测。
2220
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
