Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Problem z NtQueryInformationProcess
#1
Próbuję uzyskać xll dll z procesu x64 przy użyciu PEB ... ale wydaje się nie zawsze zwracać dll x64 czy widzisz coś nie tak?         Kod:   #pragma once #include <windef.h> #define BOOLIFY (x) !! (x) #define STATUS_SUCCESS ((NTSTATUS) 0x00000000L) typedef enum class _PROCESS_INFORMATION_CLASS_FULL {ProcessBasicInformation, ProcessQuotaLimits, ProcessIoCounters, ProcessVmCounters, ProcessTimes, ProcessBasePriority, ProcessRaisePriority, ProcessDebugPort , ProcessExceptionPort, ProcessAccessToken, ProcessLdtInformation, ProcessLdtSize, ProcessDefaultHardErrorMode, ProcessIoPortHandlers, ProcessPooledUsageAndLimits, ProcessWorkingSetWatch, ProcessUserModeIOPL, ProcessEnableAlignmentFaultFixup, ProcessPriorityClass, ProcessWx86Information, ProcessHandleCount, ProcessAffinityMask, ProcessPriorityBoost, MaxProcessInfoClass} PROCESS_INFORMATION_CLASS_FULL * PPROCESS_INFORMATION_CLASS_FULL; typedef struct _UNICODE_STRING {USHORT Długość; USHORT MaximumLength; Bufor PWSTR; } UNICODE_STRING, * PUNICODE_STRING; template <class T> struct _LDR_DATA_TABLE_ENTRY {LIST_ENTRY InLoadOrderLinks; LIST_ENTRY InMemoryOrderLinks; LIST_ENTRY InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; Flagi ULONG; WORD LoadCount; WORD TlsIndex; union {LIST_ENTRY HashLinks; struct {PVOID SectionPointer; ULONG CheckSum; }; }; union {ULONG TimeDateStamp; PVOID LoadedImport; }; _ACTIVATION_CONTEXT * EntryPointActivationContext; PVOID PatchInformacja; LIST_ENTRY ForwarderLinks; LIST_ENTRY ServiceTagLinks; LIST_ENTRY StaticLinks; }; typedef _LDR_DATA_TABLE_ENTRY <DWORD> LDR_DATA_TABLE_ENTRY32; typedef _LDR_DATA_TABLE_ENTRY <DWORD64> LDR_DATA_TABLE_ENTRY64; typedef struct _PEB_LDR_DATA {ULONG Długość; BOOLEAN Inicjalizowany; PVOID SsHandle; LIST_ENTRY InLoadOrderModuleList; LIST_ENTRY InMemoryOrderModuleList; LIST_ENTRY InInitializationOrderModuleList; } PEB_LDR_DATA, * PPEB_LDR_DATA; // PEB pochodzi z http://blog.rewolf.pl/blog/?p=294 #pragma pack (push) #pragma pack (1) template <class T, class NGF, int A> struct _PEB_T {union {struct {BYTE InheritedAddressSpace; BYTE ReadImageFileExecOptions; BYTE BeingDebugged; BYTE BitField; }; T dummy01; }; T Mutant; T ImageBaseAddress; PPEB_LDR_DATA Ldr; T ProcessParameters; T SubSystemData; T ProcessHeap; T FastPebLock; T AtlThunkSListPtr; T IFEOKey; T CrossProcessFlags; T UserSharedInfoPtr; DWORD SystemReserved; DWORD AtlThunkSListPtr32; T ApiSetMap; T TlsExpansionCounter; T TlsBitmap; DWORD TlsBitmapBits [2]; T ReadOnlySharedMemoryBase; T HotpatchInformation; T ReadOnlyStaticServerData; T AnsiCodePageData; T OemCodePageData; T UnicodeCaseTableData; DWORD NumberOfProcessors; union {DWORD NtGlobalFlag; NGF dummy02; }; LARGE_INTEGER CriticalSectionTimeout; T HeapSegmentReserve; T HeapSegmentCommit; T HeapDeCommitTotalFreeThreshold; T HeapDeCommitFreeBlockThreshold; DWORD NumberOfHeaps; DWORD MaximumNumberOfHeaps; T ProcessHeaps; T GdiSharedHandleTable; T ProcessStarterHelper; T GdiDCAttributeList; T LoaderLock; DWORD OSMajorVersion; DWORD OSMinorVersion; WORD OSBuildNumber; WORD OSCSDVersion; DWORD OSPlatformId; DWORD ImageSubsystem; DWORD ImageSubsystemMajorVersion; T ImageSubsystemMinorVersion; T ActiveProcessAffinityMask; T GdiHandleBuffer [A]; T PostProcessInitRoutine; T TlsExpansionBitmap; DWORD TlsExpansionBitmapBits [32]; T SessionId; ULARGE_INTEGER AppCompatFlags; ULARGE_INTEGER AppCompatFlagsUser; T pShimData; T AppCompatInfo; UNICODE_STRING CSDVersion; T ActivationContextData; T ProcessAssemblyStorageMap; T SystemDefaultActivationContextData; T SystemAssemblyStorageMap; T MinimumStackCommit; T FlsCallback; LIST_ENTRY FlsListHead; T FlsBitmap; DWORD FlsBitmapBits [4]; T FlsHighIndex; T WerRegistrationData; T WerShipAssertPtr; T pContextData; T pImageHeaderHash; T TracingFlags; }; typedef _PEB_T <DWORD, DWORD64, 34> PEB32; typedef _PEB_T <DWORD64, DWORD, 30> PEB64; #pragma pack (pop) #ifdef _M_IX86 używa PEB = PEB32; using LDR_DATA_TABLE_ENTRY = LDR_DATA_TABLE_ENTRY32; #elif zdefiniowane _M_AMD64 przy użyciu PEB = PEB64; using LDR_DATA_TABLE_ENTRY = LDR_DATA_TABLE_ENTRY64; #else #error "Nieobsługiwana architektura" #endif s
Reply
#2
PROCESS_INFORMATION_CLASS_FULL :: ProcessBasicInformation zwraca tylko PEB x64. ProcessWow64Information to PEB x86.
Reply




Users browsing this thread: 1 Guest(s)