win 10 64 14393遍历进程VAD
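typedef struct _SEGMENT{
/* Partial reconstruction of ntkrnlmp!_SEGMENT (Win10 x64, build 14393), taken
 * from the debugger dump below.  Only the leading fields up to BasedAddress are
 * declared, so sizeof(SEGMENT) is NOT the kernel's size: never allocate or copy
 * one by value, only dereference a pointer read out of a CONTROL_AREA.
 * (The posted listing had the dump text and the member list pasted twice, which
 * does not compile; this is the single intended copy.)
 *
 * (*((ntkrnlmp!_SEGMENT *)0xffffa405114286d0))[Type:_SEGMENT]
 * [+0x000] ControlArea : 0xffffd18b3276d370[Type:_CONTROL_AREA *]
 * [+0x008] TotalNumberOfPtes : 0xa[Type:unsigned long]
 * [+0x00c] SegmentFlags[Type:_SEGMENT_FLAGS]
 * [+0x010] NumberOfCommittedPages : 0x0[Type:unsigned __int64]
 * [+0x018] SizeOfSegment : 0xa000[Type:unsigned __int64]
 * [+0x020] ExtendInfo : 0x5dd00000[Type:_MMEXTEND_INFO *]
 * [+0x020] BasedAddress : 0x5dd00000[Type:void *]
 * [+0x028] SegmentLock[Type:_EX_PUSH_LOCK]
 * [+0x030] u1[Type:<unnamed - tag>]
 * [+0x038] u2[Type:<unnamed - tag>]
 * [+0x040] PrototypePte : 0xffffa4050feab820[Type:_MMPTE *]
 */
    PVOID ControlArea;               /* +0x000: back-pointer to the owning CONTROL_AREA; PVOID because
                                      *         CONTROL_AREA is declared later in this file */
    LONG32 TotalNumberOfPtes;        /* +0x008: dump type is unsigned long; LONG32 keeps the size, not the signedness */
    LONG32 SegmentFlags;             /* +0x00c: _SEGMENT_FLAGS, kept opaque here */
    ULONG64 NumberOfCommittedPages;  /* +0x010 */
    ULONG64 SizeOfSegment;           /* +0x018: in the dump 0xa000 for 0xa PTEs, i.e. one page per PTE */
    ULONG64 BasedAddress;            /* +0x020: shares its slot with ExtendInfo in the dump.  Base of the
                                      *         mapped image; the PE headers there are another way to
                                      *         recover the module name (author's remark) */
    //............. remaining fields (SegmentLock, u1, u2, PrototypePte) deliberately omitted
}SEGMENT,*PSEGMENT;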
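/* ntkrnlmp!_EX_FAST_REF: one pointer-sized word whose low 3 bits are borrowed
 * as a small reference count.  The target is at least 8-byte aligned, so those
 * bits are always zero in the real pointer; read Value and clear the low 3 bits
 * to recover it (VadPreOrderTraverse does exactly that with ">> 3 << 3").
 * Reading Object directly yields the word with the count bits still set.
 * (The posted listing repeated the union body a second time after the typedef,
 * which is a syntax error; this is the single definition.) */
typedef struct _EX_FAST_REF
{
    union
    {
        PVOID Object;          /* raw word: not a clean pointer while RefCnt != 0 */
        ULONG_PTR RefCnt : 3;  /* low 3 bits: fast reference count */
        ULONG_PTR Value;       /* same word as an integer, for masking */
    };
} EX_FAST_REF, *PEX_FAST_REF;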
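typedef struct _CONTROL_AREA {
/* Partial reconstruction of ntkrnlmp!_CONTROL_AREA (Win10 x64, build 14393)
 * from the debugger dump below.  Only the fields up to ControlAreaLock (+0x048)
 * are declared, so sizeof(CONTROL_AREA) is not the kernel's size: reach it only
 * through SUBSECTION.ControlArea, never copy or allocate it by value.
 * (The posted listing had the dump and the member list pasted twice; this is
 * the single intended copy.)
 *
 * (*((ntkrnlmp!_CONTROL_AREA *)0xffffd18b3276d370))[Type:_CONTROL_AREA]
 * [+0x000] Segment : 0xffffa405114286d0[Type:_SEGMENT *]
 * [+0x008] ListHead[Type:_LIST_ENTRY]
 * [+0x018] NumberOfSectionReferences : 0x1[Type:unsigned __int64]
 * [+0x020] NumberOfPfnReferences : 0xa[Type:unsigned __int64]
 * [+0x028] NumberOfMappedViews : 0x4[Type:unsigned __int64]
 * [+0x030] NumberOfUserReferences : 0x5[Type:unsigned __int64]
 * [+0x038] u[Type:<unnamed - tag>]
 * [+0x03c] u1[Type:<unnamed - tag>]
 * [+0x040] FilePointer[Type:_EX_FAST_REF]
 * [+0x048] ControlAreaLock : 0[Type:long]
 * [+0x04c] ModifiedWriteCount : 0x0[Type:unsigned long]
 * [+0x050] WaitList : 0x0[Type:_MI_CONTROL_AREA_WAIT_BLOCK *]
 * [+0x058] u2[Type:<unnamed - tag>]
 * [+0x068] FileObjectLock[Type:_EX_PUSH_LOCK]
 * [+0x070] LockedPages : 0x1[Type:unsigned __int64]
 * [+0x078] u3[Type:<unnamed - tag>]
 */
    PSEGMENT Segment;                            /* +0x000: the segment; its ControlArea field points back
                                                  *         at this object (both addresses match in the dumps) */
    LIST_ENTRY ListHead;                         /* +0x008: not examined in this listing */
    unsigned __int64 NumberOfSectionReferences;  /* +0x018: section reference count (0x1 in the dump) */
    unsigned __int64 NumberOfPfnReferences;      /* +0x020: PFN references? 0xa in the dump, same as the segment's PTE count */
    unsigned __int64 NumberOfMappedViews;        /* +0x028: number of mapped views? */
    unsigned __int64 NumberOfUserReferences;     /* +0x030: user references? */
    ULONG32 u;                                   /* +0x038: unnamed union in the dump, kept opaque */
    ULONG32 u1;                                  /* +0x03c: same */
    EX_FAST_REF FilePointer;                     /* +0x040: the field this listing is after: FILE_OBJECT pointer
                                                  *         with the fast-ref count in the low 3 bits */
    long ControlAreaLock;                        /* +0x048: lock word; semantics not used here */
    //......... remaining fields (ModifiedWriteCount through u3) deliberately omitted
}CONTROL_AREA,*PCONTROL_AREA;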
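/* Partial ntkrnlmp!_SUBSECTION (Win10 x64, build 14393).  Only the first three
 * pointers are declared; the rest of the layout is recorded in the comment at
 * the end, so sizeof(SUBSECTION) is not the kernel's size -- access it only
 * through MMVAD.Subsection.  (The posted listing restarted the typedef a second
 * time inside itself and repeated the dump text; this is the single copy.) */
typedef struct _SUBSECTION {
    PCONTROL_AREA ControlArea;              /* +0x000: owning CONTROL_AREA */
    struct MMPTE* SubsectionBase;           /* +0x008: prototype-PTE base (per the name; unused here).  Note the
                                             *         tag is spelled MMPTE, a distinct incomplete type from the
                                             *         _MMPTE behind PMMPTE used in MMVAD -- harmless as a pointer */
    struct _SUBSECTION* NextSubsection;     /* +0x010: next subsection in the chain */
    /* Remaining fields from the debugger dump, not declared:
     * + 0x018 GlobalPerSessionHead : _RTL_AVL_TREE
     * + 0x018 CreationWaitList : Ptr64 _MI_CONTROL_AREA_WAIT_BLOCK
     * + 0x018 SessionDriverProtos : Ptr64 _MI_PER_SESSION_PROTOS
     * + 0x020 u : <unnamed - tag>
     * + 0x024 StartingSector : Uint4B
     * + 0x028 NumberOfFullSectors : Uint4B
     * + 0x02c PtesInSubsection : Uint4B
     * + 0x030 u1 : <unnamed - tag>
     * + 0x034 UnusedPtes : Pos 0, 31 Bits
     * + 0x034 DirtyPages : Pos 31, 1 Bit
     * + 0x034 u2 : <unnamed - tag>
     */
}SUBSECTION,*PSUBSECTION;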
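#pragma pack(1)
/* ntkrnlmp!_MMVAD (Win10 x64, build 14393) per the debugger dump below.  Core
 * is the 0x40-byte _MMVAD_SHORT kept opaque.  VadPreOrderTraverse casts the
 * RTL_BALANCED_NODE pointer it is handed straight to PMMVAD, which relies on the
 * node sitting at offset 0 of Core -- TODO confirm against _MMVAD_SHORT.  Only
 * a full VAD has the fields past Core; a node that is really an _MMVAD_SHORT is
 * 0x40 bytes long and reading +0x48..+0x80 from it reads past the object.
 * (The posted listing contained this whole pack/typedef pair twice, which is a
 * redefinition error; this is the single copy.)
 *
 * +0x000 Core : _MMVAD_SHORT
 * +0x040 u2 : <unnamed - tag>
 * +0x048 Subsection : Ptr64 _SUBSECTION
 * +0x050 FirstPrototypePte : Ptr64 _MMPTE
 * +0x058 LastContiguousPte : Ptr64 _MMPTE
 * +0x060 ViewLinks : _LIST_ENTRY
 * +0x070 VadsProcess : Ptr64 _EPROCESS
 * +0x078 u4 : <unnamed - tag>
 * +0x080 FileObject : Ptr64 _FILE_OBJECT
 *
 * Style notes: the tag __MMVAD (double underscore) is an identifier reserved
 * for the implementation; it is kept as posted because the rest of the listing
 * only uses PMMVAD.  pack(1) appears to be a no-op for this layout (every member
 * is already at its natural alignment) but is kept to match the posted source. */
typedef struct __MMVAD{
    char Core[0x40];            /* +0x000: _MMVAD_SHORT, opaque */
    ULONG64 u2;                 /* +0x040: unnamed union in the dump */
    PSUBSECTION Subsection;     /* +0x048: path to the CONTROL_AREA and its FilePointer */
    PMMPTE FirstPrototypePte;   /* +0x050 */
    PMMPTE LastContiguousPte;   /* +0x058 */
    LIST_ENTRY64 ViewLinks;     /* +0x060 */
    PEPROCESS VadsProcess;      /* +0x070: the walker probes this as its "is a module" heuristic */
    ULONG64 u4;                 /* +0x078 */
    PFILE_OBJECT FileObject;    /* +0x080: read by the walker but not used; the FILE_OBJECT it
                                 *         acts on comes from Subsection->ControlArea->FilePointer */
}MMVAD,*PMMVAD;
#pragma pack()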
/*
 * VadPreOrderTraverse -- pre-order walk of a process VAD tree (root passed as a
 * PRTL_BALANCED_NODE, Win10 x64 build 14393) that rewrites, in place, the
 * FileName of the FILE_OBJECT behind every node it takes for a file-backed VAD.
 *
 * NOTE(review): the listing as posted is garbled.  Everything from the first
 * "if (MmIsAddressValid(VaddTree))" down to the "__except" is pasted a second
 * time *inside* the first copy (the inner copy begins inside the outer __try),
 * the outer "__except (1)" therefore does not follow a __try block, and the
 * braces do not balance by the end of the listing.  It does not compile as-is;
 * the comments describe the single intended path and no code line is altered.
 *
 * Hazards a reviewer should flag on the intended path:
 *  - (PMMVAD)VaddTree assumes the RTL_BALANCED_NODE is at offset 0 of
 *    MMVAD.Core -- TODO confirm against _MMVAD_SHORT.  Fields at +0x48..+0x80
 *    are read before it is known whether the node is a full _MMVAD or only a
 *    0x40-byte _MMVAD_SHORT; MmIsAddressValid(VadsProcess) is used as the
 *    "this is a module" heuristic, which is not a type check.
 *  - memcpy copies sizeof(L"...") bytes (30 WCHARs including the terminator)
 *    with no comparison against FileName.MaximumLength, so a shorter existing
 *    buffer is overrun: kernel pool corruption.
 *  - FileName.Length is set to a size that includes the terminating WCHAR;
 *    UNICODE_STRING.Length is the byte count without it.
 *  - MmIsAddressValid() only reports residency at the instant of the call; it
 *    is not synchronization.  The tree and the FILE_OBJECT are read and written
 *    with no VAD lock or object reference held, and FileName.Buffer itself is
 *    never probed.  The __except(1) catch-all then hides any resulting fault.
 *  - Recursion depth equals tree height, on the kernel stack.
 *  - The FILE_OBJECT is a shared kernel object: after this runs, every consumer
 *    of it (including the DbgPrint("%wZ") below) observes the substituted name.
 */
VOID VadPreOrderTraverse(PRTL_BALANCED_NODE VaddTree) {
/* Entry guard: MmIsAddressValid(NULL) is FALSE, so a NULL child coming from the
 * recursion at the bottom returns here without touching the node. */
if (MmIsAddressValid(VaddTree))
{
/* Reinterpret the tree node as a full MMVAD and pull the three fields the walk
 * looks at (see the _MMVAD_SHORT hazard above).  L_FileObject is never used. */
PSUBSECTION L_Subsection = ((PMMVAD)VaddTree)->Subsection;
PVOID64 L_VadsProcess = ((PMMVAD)VaddTree)->VadsProcess;
PVOID64 L_FileObject = ((PMMVAD)VaddTree)->FileObject;
// __debugbreak();
// Author's note: on first inspection VadsProcess and Subsection are the fields that matter.
/* --- NOTE(review): pasted duplicate of the guard and the three reads above --- */
if (MmIsAddressValid(VaddTree))
{
PSUBSECTION L_Subsection = ((PMMVAD)VaddTree)->Subsection;
PVOID64 L_VadsProcess = ((PMMVAD)VaddTree)->VadsProcess;
PVOID64 L_FileObject = ((PMMVAD)VaddTree)->FileObject;
// __debugbreak();
// Author's note: on first inspection VadsProcess and Subsection are the fields that matter.
/* Heuristic, not a type check: a resident VadsProcess is taken to mean the VAD maps a module. */
if (MmIsAddressValid(L_VadsProcess)) { // VadsProcess valid -> the author treats this VAD as a module
/* Probe each hop of VAD -> SUBSECTION -> CONTROL_AREA -> FilePointer.  The
 * FilePointer.Value probe still carries the 3 RefCnt bits, which does not
 * change the page being tested. */
if (MmIsAddressValid(((PMMVAD)VaddTree)->Subsection) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea->FilePointer.Value))
{
/* Clear the low 3 RefCnt bits of the EX_FAST_REF to recover the FILE_OBJECT
 * pointer.  The expression is an integer, so assigning it to PFILE_OBJECT
 * without a cast is an int-to-pointer conversion the compiler warns about. */
PFILE_OBJECT file_object =( (L_Subsection->ControlArea->FilePointer.Value )>> 3 )<< 3;// recover the FILE_OBJECT
if (MmIsAddressValid(file_object))
{
__try {
/* Zero the existing name buffer, bounded by MaximumLength ... */
memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
/* ... then copy the fixed path in UNBOUNDED: 60 bytes regardless of MaximumLength. */
memcpy(file_object->FileName.Buffer, L"C:\\WINDOWS\\system32\\csrss.exe", sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"));
/* Length as written includes the terminating WCHAR; UNICODE_STRING.Length should not. */
file_object->FileName.Length = sizeof(L"C:\\WINDOWS\\system32\\csrss.exe");
/* --- NOTE(review): second pasted copy of everything from the Subsection probe
 * down to the __except; it repeats the same writes on the same object --- */
if (MmIsAddressValid(((PMMVAD)VaddTree)->Subsection) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea->FilePointer.Value))
{
PFILE_OBJECT file_object =( (L_Subsection->ControlArea->FilePointer.Value )>> 3 )<< 3;// recover the FILE_OBJECT
if (MmIsAddressValid(file_object))
{
__try {
memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
memcpy(file_object->FileName.Buffer, L"C:\\WINDOWS\\system32\\csrss.exe", sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"));
file_object->FileName.Length = sizeof(L"C:\\WINDOWS\\system32\\csrss.exe");
/* Prints the name just written; %wZ reads Length bytes of Buffer. */
DbgPrint("File Name:%wZ \n", &file_object->FileName);
}
/* Catch-all filter: every exception, including faults from the writes above,
 * is swallowed with a single log line -- no indication of which write failed. */
__except (1) { DbgPrint(("exception")); }
//DbgPrint("file_object :%p MMVAD:%p %S \n", file_object, VaddTree, ModuleName);
}
}
/* NOTE(review): this __except follows the if-block closed just above, not a
 * __try block -- a syntax error in the posted listing. */
__except (1) { DbgPrint(("exception")); }
//DbgPrint("file_object :%p MMVAD:%p %S \n", file_object, VaddTree, ModuleName);
}
}
}
/* Pre-order recursion: right subtree first, then left.  Each callee re-runs
 * the entry guard, so the probes here are redundant rather than protective. */
if (MmIsAddressValid(VaddTree->Right))
VadPreOrderTraverse(VaddTree->Right);
/* NOTE(review): the trailing ';' makes this if-body empty, so the Left
 * recursion below runs unconditionally; only the entry guard saves it. */
if (MmIsAddressValid(VaddTree->Left));
VadPreOrderTraverse(VaddTree->Left);
}
}