Posted on 2009-10-29 12:13
S.l.e!ep.¢% 閱讀(312)
評論(0) 編輯 收藏 引用 所屬分類:
RootKit
[轉載]如何在驅動程序(SYS)中得到當前進程的完整路徑和進程名?
2009-02-09 13:07
首先利用PsGetCurrentProcess或IoGetCurrentProcess函數得到當前進程的句柄,這個句柄是指向_EPROCESS結構的指針,_EPROCESS的結構如下:
typedef struct _EPROCESS
{
KPROCESS Pcb;
NTSTATUS ExitStatus;
KEVENT LockEvent;
DWORD LockCount;
QWORD CreateTime;
QWORD ExitTime;
PVOID LockOwner;
DWORD UniqueProcessId;
QWORD ActiveProcessLinks;
DWORD QuotaPeakPoolUsage [2]; // NP, P
DWORD QuotaPoolUsage [2]; // NP, P
DWORD PagefileUsage;
DWORD CommitCharge;
DWORD PeakPagefileUsage;
DWORD PeakVirtualSize;
QWORD VirtualSize;
DWORD Vm [12];
DWORD LastProtoPteFault;
DWORD DebugPort;
DWORD ExceptionPort;
DWORD ObjectTable;
DWORD Token;
DWORD WorkingSetLock [8];
DWORD WorkingSetPage;
BOOLEAN ProcessOutswapEnabled;
BOOLEAN ProcessOutswapped;
BOOLEAN AddressSpaceInitialized;
BOOLEAN AddressSpaceDeleted;
DWORD AddressCreationLock [9];
DWORD ForkInProgress;
DWORD VmOperation;
DWORD VmOperationEvent;
DWORD PageDirectoryPte;
QWORD LastFaultCount;
PVOID VadRoot;
DWORD VadHint;
DWORD CloneRoot;
DWORD NumberOfPrivatePages;
DWORD NumberOfLockedPages;
WORD w184;
BOOLEAN ExitProcessCalled;
BOOLEAN CreateProcessReported;
HANDLE SectionHandle;
struct _PEB *Peb; // offset 0x1B0
PVOID SectionBaseAddress;
PVOID QuotaBlock;
NTSTATUS LastThreadExitStatus;
PROCESS_WS_WATCH_INFORMATION WorkingSetWatch;
DWORD InheritedFromUniqueProcessId;
ACCESS_MASK GrantedAccess;
DWORD DefaultHardErrorProcessing;
DWORD LdtInformation;
DWORD VadFreeHint;
DWORD VdmObjects;
KMUTANT ProcessMutant;
BYTE ImageFileName [16]; // offset 0x1FC
DWORD VmTrimFaultValue [2];
PVOID Win32Process;
DWORD d1F8;
DWORD d1FC;
}
EPROCESS,
* PEPROCESS,
**PPEPROCESS;
從上面這個結構可以看出,進程名稱就是ImageFileName,只要用_EPROCESS的基地址加上偏移地址0x1FC就可以得到進程名稱的地址,代碼如下:
char *ProcessName = (char*)PsGetCurrentProcess() + 0x1FC;
KdPrint((“Current Process Name: %s\n”, ProcessName));
要得到完整路徑還需要利用_EPROCESS結構中的_PEB結構指針來得到ProcessParameters的地址。ProcessParameters保存著進程的完整路徑。可以通過DDK附帶的WinDbg工具打開一個可執行程序,然后用!peb命令來顯示_PEB的結構信息。如下所示:
———————————————————————————————————————
> !peb
Debugger extension library [F:\WINNT\system32\ntsdexts] loaded
PEB at 7FFDF000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00400000
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 131f88 . 132998
Ldr.InLoadOrderModuleList: 131ee0 . 132988
Ldr.InMemoryOrderModuleList: 131ee8 . 132990
00400000 D:\NtSysInfo.exe
77F80000 F:\WINNT\System32\ntdll.dll
77E60000 F:\WINNT\system32\KERNEL32.dll
77DF0000 F:\WINNT\system32\USER32.dll
77F40000 F:\WINNT\system32\GDI32.DLL
76AF0000 F:\WINNT\system32\comdlg32.dll
70BD0000 F:\WINNT\system32\SHLWAPI.DLL
77D90000 F:\WINNT\system32\ADVAPI32.dll
77D20000 F:\WINNT\system32\RPCRT4.DLL
71700000 F:\WINNT\system32\COMCTL32.DLL
77560000 F:\WINNT\system32\SHELL32.DLL
78000000 F:\WINNT\system32\MSVCRT.DLL
777C0000 F:\WINNT\System32\WINSPOOL.DRV
SubSystemData: 0
ProcessHeap: 130000
ProcessParameters: 20000
WindowTitle: 'D:\NtSysInfo.exe'
ImageFile: 'D:\NtSysInfo.exe'
CommandLine: '"D:\NtSysInfo.exe" '
DllPath: 'D:\;.;F:\WINNT\System32;F:\WINNT\system;F:\WINNT;F:\WINNT\system32;F:\WINNT;F:\WINNT\System32\Wbem;J:\WINDOWS;J:\WINDOWS\COMMAND;E:\WINDOWS\SYSTEM\WBEM;J:\WINDOWS;J:\WINDOWS\COMMAND;E:\WINDOWS\SYSTEM\WBEM;J:\WINDOWS;J:\WINDOWS\
COMMAND'
Environment: 0x10000
從WinDbg輸出的PEB結構信息可以看出ProcessParameters的地址為0x20000,ImageFile字段就是進程的完整路徑。那么PorcessParamters的地址又保存在_PEB結構的什么地方呢?_PEB結構的基地址為0x7ffdf000,通過WinDbg的“db 0x7ffdf000” 命令顯示0x7ffdf000地址的信息可以發現ProcessParameters的地址保存在_PEB結構的0x10偏移量處,內容為0x20000。
繼續用“db 0x20000”命令顯示ProcessParameters地址的內容,偏移量為0x3C處保存完整路徑的地址,0x3C處的內容如果是:0x20670,利用“db 0x20670”即可顯示出完整路徑。完整路徑用UNICODE格式保存。
我們利用程序模擬上面的步驟則可以得到當前進程的完整路徑,代碼如下:
PCWSTR GetCurrentProcessFileName()
{
DWORD dwAddress = (DWORD)PsGetCurrentProcess();
if(dwAddress == 0 || dwAddress == 0xFFFFFFFF)
return NULL;
dwAddress += 0x1B0;
if((dwAddress = *(DWORD*)dwAddress) == 0) return 0;
dwAddress += 0x10;
if((dwAddress = *(DWORD*)dwAddress) == 0) return 0;
dwAddress += 0x3C;
if((dwAddress = *(DWORD*)dwAddress) == 0) return 0;
KdPrint((“Current Process Full Path Name: %ws\n”, (PCWSTR)dwAddress));
return (PCWSTR)dwAddress;
}
Windows NT與Windows 2000的_EPROCESS結構略有不同,所以偏移地址也不相同,故此上面的程序不能正常運行于Windows NT。要想在Windows NT下獲得進程名和完整路徑可以用類似的方法得出正確的偏移地址,進而編寫出正確的程序。
如果想得到關于如何在Windows 9x的驅動程序(VXD)中得到當前進程的進程名和完整路徑或者其他更多知識,可以訪問費爾安全實驗室的網站:http://www.xfilt.com。
|