获得目标进程PEB,并获得进程各种信息
来源:互联网 发布:linux jdk环境变量 编辑:程序博客网 时间:2024/06/05 14:08
本程序可完美获得x64和x86程序PEB,及环境变量等信息。
程序首先用OpenProcess打开目标进程,然后用Ntddl.dll导入表中微软未公开函数NtWow64QueryInformationProcess64(NtQueryInformationProcess)、NtWow64ReadVirtualMemory64(ReadProcessMemory)来获得目标进程信息。
// EnumPEB.cpp : 定义控制台应用程序的入口点。//#include "stdafx.h"#include<Windows.h>#include<iostream>#include <Strsafe.h>using namespace std;#define NT_SUCCESS(x) ((x) >= 0)#define ProcessBasicInformation 0typedefNTSTATUS(WINAPI *pfnNtWow64QueryInformationProcess64)(HANDLE ProcessHandle, UINT32 ProcessInformationClass,PVOID ProcessInformation, UINT32 ProcessInformationLength,UINT32* ReturnLength);typedefNTSTATUS(WINAPI *pfnNtWow64ReadVirtualMemory64)(HANDLE ProcessHandle, PVOID64 BaseAddress,PVOID BufferData, UINT64 BufferLength,PUINT64 ReturnLength);typedefNTSTATUS(WINAPI *pfnNtQueryInformationProcess)(HANDLE ProcessHandle, ULONG ProcessInformationClass,PVOID ProcessInformation, UINT32 ProcessInformationLength,UINT32* ReturnLength);template <typename T>struct _UNICODE_STRING_T{WORD Length;WORD MaximumLength;T Buffer;};template <typename T>struct _LIST_ENTRY_T{T Flink;T Blink;};template <typename T, typename NGF, int A>struct _PEB_T{typedef T type;union{struct{BYTE InheritedAddressSpace;BYTE ReadImageFileExecOptions;BYTE BeingDebugged;BYTE BitField;};T dummy01;};T Mutant;T ImageBaseAddress; //进程加载基地址T Ldr; T ProcessParameters; //各种信息,环境变量,命令行等等T SubSystemData;T ProcessHeap;T FastPebLock;T AtlThunkSListPtr;T IFEOKey;T CrossProcessFlags;T UserSharedInfoPtr;DWORD SystemReserved;DWORD AtlThunkSListPtr32;T ApiSetMap;T TlsExpansionCounter;T TlsBitmap;DWORD TlsBitmapBits[2];T ReadOnlySharedMemoryBase;T HotpatchInformation;T ReadOnlyStaticServerData;T AnsiCodePageData;T OemCodePageData;T UnicodeCaseTableData;DWORD NumberOfProcessors;union{DWORD NtGlobalFlag;NGF dummy02;};LARGE_INTEGER CriticalSectionTimeout;T HeapSegmentReserve;T HeapSegmentCommit;T HeapDeCommitTotalFreeThreshold;T HeapDeCommitFreeBlockThreshold;DWORD NumberOfHeaps;DWORD MaximumNumberOfHeaps;T ProcessHeaps;T GdiSharedHandleTable;T ProcessStarterHelper;T GdiDCAttributeList;T LoaderLock;DWORD OSMajorVersion;DWORD OSMinorVersion;WORD OSBuildNumber;WORD OSCSDVersion;DWORD OSPlatformId;DWORD ImageSubsystem;DWORD ImageSubsystemMajorVersion;T ImageSubsystemMinorVersion;T ActiveProcessAffinityMask;T GdiHandleBuffer[A];T PostProcessInitRoutine;T TlsExpansionBitmap;DWORD TlsExpansionBitmapBits[32];T SessionId;ULARGE_INTEGER AppCompatFlags;ULARGE_INTEGER AppCompatFlagsUser;T pShimData;T AppCompatInfo;_UNICODE_STRING_T<T> CSDVersion;T ActivationContextData;T ProcessAssemblyStorageMap;T SystemDefaultActivationContextData;T SystemAssemblyStorageMap;T MinimumStackCommit;T FlsCallback;_LIST_ENTRY_T<T> FlsListHead;T FlsBitmap;DWORD FlsBitmapBits[4];T FlsHighIndex;T WerRegistrationData;T WerShipAssertPtr;T pContextData;T pImageHeaderHash;T TracingFlags;T CsrServerReadOnlySharedMemoryBase;};template <typename T>struct _STRING_T{WORD Length;WORD MaximumLength;T Buffer;};template <typename T>struct _RTL_DRIVE_LETTER_CURDIR_T{WORD Flags;WORD Length;ULONG TimeStamp;_STRING_T<T> DosPath;};template <typename T>struct _CURDIR_T{_UNICODE_STRING_T<T> DosPath;T Handle;};template <typename T>struct _RTL_USER_PROCESS_PARAMETERS_T{ULONG MaximumLength;ULONG Length;ULONG Flags;ULONG DebugFlags;T ConsoleHandle;ULONG ConsoleFlags;T StandardInput;T StandardOutput;T StandardError;_CURDIR_T<T> CurrentDirectory;_UNICODE_STRING_T<T> DllPath;_UNICODE_STRING_T<T> ImagePathName; //进程完整路径_UNICODE_STRING_T<T> CommandLine; //进程命令行T Environment; //环境变量(地址)ULONG StartingX;ULONG StartingY;ULONG CountX;ULONG CountY;ULONG CountCharsX;ULONG CountCharsY;ULONG FillAttribute;ULONG WindowFlags;ULONG ShowWindowFlags;_UNICODE_STRING_T<T> WindowTitle;_UNICODE_STRING_T<T> DesktopInfo;_UNICODE_STRING_T<T> ShellInfo;_UNICODE_STRING_T<T> RuntimeData;_RTL_DRIVE_LETTER_CURDIR_T<T> CurrentDirectores[32];ULONG EnvironmentSize;};typedef _PEB_T<DWORD, DWORD64, 34> _PEB32;typedef _PEB_T<DWORD64, DWORD, 30> _PEB64;typedef _RTL_USER_PROCESS_PARAMETERS_T<UINT32> _RTL_USER_PROCESS_PARAMETERS32;typedef _RTL_USER_PROCESS_PARAMETERS_T<UINT64> _RTL_USER_PROCESS_PARAMETERS64;typedef struct _PROCESS_BASIC_INFORMATION64 {NTSTATUS ExitStatus;UINT32 Reserved0;UINT64 PebBaseAddress;UINT64 AffinityMask;UINT32 BasePriority;UINT32 Reserved1;UINT64 UniqueProcessId;UINT64 InheritedFromUniqueProcessId;} PROCESS_BASIC_INFORMATION64;typedef struct _PROCESS_BASIC_INFORMATION32 {NTSTATUS ExitStatus;UINT32 PebBaseAddress;UINT32 AffinityMask;UINT32 BasePriority;UINT32 UniqueProcessId;UINT32 InheritedFromUniqueProcessId;} PROCESS_BASIC_INFORMATION32;typedef struct _PEB_INFO {UINT64 ImageBaseAddress; //进程加载基地址UINT64 Ldr; //模块加载基地址UINT64 ProcessHeap; //进程默认堆UINT64 ProcessParameters; //进程信息UINT64 Environment; //环境变量}PEBInfo,*PPEBInfo;int main(){printf("输入进程ID\r\n");UINT32 ProcessID;cin >> ProcessID;HANDLE ProcessHandle = NULL;//获得进程句柄ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);PEBInfo PebInfo = {0};BOOL bSource = FALSE;BOOL bTarget = FALSE;//判断自己的位数IsWow64Process(GetCurrentProcess(), &bSource);//判断目标的位数IsWow64Process(ProcessHandle, &bTarget);//自己是32 目标64if (bTarget == FALSE && bSource == TRUE){HMODULE NtdllModule = GetModuleHandle("ntdll.dll");pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule,"NtWow64QueryInformationProcess64");pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");PROCESS_BASIC_INFORMATION64 pbi = { 0 };UINT64 ReturnLength = 0;NTSTATUS Status = NtWow64QueryInformationProcess64(ProcessHandle, ProcessBasicInformation,&pbi, (UINT32)sizeof(pbi), (UINT32*)&ReturnLength);if (NT_SUCCESS(Status)){_PEB64* Peb = (_PEB64*)malloc(sizeof(_PEB64));Status = NtWow64ReadVirtualMemory64(ProcessHandle, (PVOID64)pbi.PebBaseAddress,(_PEB64*)Peb, sizeof(_PEB64), &ReturnLength);_RTL_USER_PROCESS_PARAMETERS64 Parameters64;Status = NtWow64ReadVirtualMemory64(ProcessHandle, (PVOID64)Peb->ProcessParameters,&Parameters64, sizeof(_RTL_USER_PROCESS_PARAMETERS64), &ReturnLength);BYTE* Environment = new BYTE[Parameters64.EnvironmentSize * 2];Status = NtWow64ReadVirtualMemory64(ProcessHandle, (PVOID64)Parameters64.Environment, Environment, Parameters64.EnvironmentSize, NULL);//赋值PebInfo.ImageBaseAddress = Peb->ImageBaseAddress;PebInfo.Ldr = Peb->Ldr;PebInfo.ProcessHeap = Peb->ProcessHeap;PebInfo.ProcessParameters = Peb->ProcessParameters;PebInfo.Environment = Parameters64.Environment;printf("ImageBaseAddress:0x%x\r\n", PebInfo.ImageBaseAddress);printf("Ldr:0x%x\r\n", PebInfo.Ldr);printf("ProcessHeap:0x%x\r\n", PebInfo.ProcessHeap);printf("ProcessParameters:0x%x\r\n", PebInfo.ProcessParameters);printf("Environment:0x%x\r\n", PebInfo.Environment);while (Environment != NULL){char* v1 = NULL;int DataLength = WideCharToMultiByte(CP_ACP, NULL, (WCHAR*)Environment, -1, NULL, 0, NULL, FALSE);v1 = new char[DataLength + 1];WideCharToMultiByte(CP_OEMCP, NULL, (WCHAR*)Environment, -1, v1, Parameters64.EnvironmentSize * 2, NULL, FALSE);printf("%s\r\n", v1);// 指针移动到字符串末尾 while (*(WCHAR*)Environment != '\0')Environment += 2;Environment += 2;// 是否是最后一个字符串 if (*Environment == '\0')break;}BYTE* CommandLine = new BYTE[Parameters64.CommandLine.Length];Status = NtWow64ReadVirtualMemory64(ProcessHandle, (PVOID64)Parameters64.CommandLine.Buffer, CommandLine, Parameters64.CommandLine.Length, NULL);if (CommandLine != NULL){char* v1 = NULL;int DataLength = WideCharToMultiByte(CP_ACP, NULL, (WCHAR*)CommandLine, -1, NULL, 0, NULL, FALSE);v1 = new char[DataLength];WideCharToMultiByte(CP_OEMCP, NULL, (WCHAR*)CommandLine, -1, v1, Parameters64.CommandLine.Length, NULL, FALSE);printf("CommandLine:%s\r\n", v1);}BYTE* ImagePathName = new BYTE[Parameters64.ImagePathName.Length];Status = NtWow64ReadVirtualMemory64(ProcessHandle, (PVOID64)Parameters64.ImagePathName.Buffer, ImagePathName, Parameters64.ImagePathName.Length, NULL);if (ImagePathName != NULL){char* v1 = NULL;int DataLength = WideCharToMultiByte(CP_ACP, NULL, (WCHAR*)ImagePathName, -1, NULL, 0, NULL, FALSE);v1 = new char[DataLength];WideCharToMultiByte(CP_OEMCP, NULL, (WCHAR*)ImagePathName, -1, v1, Parameters64.ImagePathName.Length, NULL, FALSE);printf("ImagePathName:%s\r\n", v1);}}}//自己是32 目标是32else if (bTarget == TRUE && bSource == TRUE){HMODULE NtdllModule = GetModuleHandle("ntdll.dll");pfnNtQueryInformationProcess NtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(NtdllModule,"NtQueryInformationProcess");PROCESS_BASIC_INFORMATION32 pbi = { 0 };UINT32 ReturnLength = 0;NTSTATUS Status = NtQueryInformationProcess(ProcessHandle,ProcessBasicInformation, &pbi, (UINT32)sizeof(pbi), (UINT32*)&ReturnLength);if (NT_SUCCESS(Status)){_PEB32* Peb = (_PEB32*)malloc(sizeof(_PEB32));Status = ReadProcessMemory(ProcessHandle, (PVOID)pbi.PebBaseAddress, (_PEB32*)Peb, sizeof(_PEB32), NULL);_RTL_USER_PROCESS_PARAMETERS32 Parameters32;Status = ReadProcessMemory(ProcessHandle, (PVOID)Peb->ProcessParameters, &Parameters32, sizeof(_RTL_USER_PROCESS_PARAMETERS32), NULL);BYTE* Environment = new BYTE[Parameters32.EnvironmentSize*2];Status = ReadProcessMemory(ProcessHandle, (PVOID)Parameters32.Environment, Environment, Parameters32.EnvironmentSize, NULL);//赋值PebInfo.ImageBaseAddress = Peb->ImageBaseAddress;PebInfo.Ldr = Peb->Ldr;PebInfo.ProcessHeap = Peb->ProcessHeap;PebInfo.ProcessParameters = Peb->ProcessParameters;PebInfo.Environment = Parameters32.Environment;printf("ImageBaseAddress:0x%x\r\n", PebInfo.ImageBaseAddress);printf("Ldr:0x%x\r\n", PebInfo.Ldr);printf("ProcessHeap:0x%x\r\n", PebInfo.ProcessHeap);printf("ProcessParameters:0x%x\r\n", PebInfo.ProcessParameters);printf("Environment:0x%x\r\n", PebInfo.Environment);while (Environment !=NULL){char* v1 = NULL;int DataLength = WideCharToMultiByte(CP_ACP, NULL, (WCHAR*)Environment, -1, NULL, 0, NULL, FALSE);v1 = new char[DataLength + 1];WideCharToMultiByte(CP_OEMCP, NULL, (WCHAR*)Environment, -1, v1, Parameters32.EnvironmentSize * 2, NULL, FALSE);printf("%s\r\n", v1);// 指针移动到字符串末尾 while (*(WCHAR*)Environment != '\0')Environment +=2;Environment += 2;// 是否是最后一个字符串 if (*Environment == '\0')break;}BYTE* CommandLine = new BYTE[Parameters32.CommandLine.Length];Status = ReadProcessMemory(ProcessHandle, (PVOID)Parameters32.CommandLine.Buffer, CommandLine, Parameters32.CommandLine.Length, NULL);if (CommandLine != NULL){char* v1 = NULL;int DataLength = WideCharToMultiByte(CP_ACP, NULL, (WCHAR*)CommandLine, -1, NULL, 0, NULL, FALSE);v1 = new char[DataLength];WideCharToMultiByte(CP_OEMCP, NULL, (WCHAR*)CommandLine, -1, v1, Parameters32.CommandLine.Length, NULL, FALSE);printf("CommandLine:%s\r\n", v1);}BYTE* ImagePathName = new BYTE[Parameters32.ImagePathName.Length];Status = ReadProcessMemory(ProcessHandle, (PVOID)Parameters32.ImagePathName.Buffer, ImagePathName, Parameters32.ImagePathName.Length, NULL);if (ImagePathName != NULL){char* v1 = NULL;int DataLength = WideCharToMultiByte(CP_ACP, NULL, (WCHAR*)ImagePathName, -1, NULL, 0, NULL, FALSE);v1 = new char[DataLength];WideCharToMultiByte(CP_OEMCP, NULL, (WCHAR*)ImagePathName, -1, v1, Parameters32.ImagePathName.Length, NULL, FALSE);printf("ImagePathName:%s\r\n", v1);}}}}
0 0
- 获得目标进程PEB,并获得进程各种信息
- 进程peb结构、获得peb的方法
- x64进程如何获得wow64进程的PEB
- zwCreateProcess获得目标进程名
- 如何获得系统进程信息
- 各种脚本获得自己的进程号
- 获得当前进程所有者的信息
- 获得当前进程所有者的信息
- 进程线程 --获得制定进程中的所有模块信息--
- linux获得进程id号并迅速杀死进程
- Delphi6 获得当前进程ID与句柄并终止进程。
- 获得各种目录信息
- 获得进程ID,关闭进程。
- 获得进程的EPROCESS
- 获得进程的EPROCESS
- 获得进程句柄
- 获得当前进程名
- Java获得系统进程
- Java之反射机制
- Eclipse 插件开发之 树形视图展示要点
- iOS-常见编程规范汇总
- servlet的一个小项目(一)
- 工厂方法模式
- 获得目标进程PEB,并获得进程各种信息
- hdu 5769后缀数组 求含有某个字母的某个字符串的不同子串的个数
- Fiddler教程(Web调试工具)
- HDU 1213 并查集
- Mac和Linux系统的:Arp欺骗源码
- ubuntu 关机,重启,注销命令
- 文章标题
- android 工具类 集合
- 菜单开源库装逼大全