夜影小子 发表于 2017-6-3 11:03:21

win 10 64 14393遍历进程VAD

typedef struct _SEGMENT{
/*
 * Partial reconstruction of ntkrnlmp!_SEGMENT for Windows 10 x64 build 14393,
 * laid out after the debugger dump the author pasted below. Only the leading
 * fields (through BasedAddress at +0x020) are declared; everything after that
 * is omitted, so this struct is shorter than the real one. Never allocate,
 * copy by value or sizeof() it as if it were complete - it is only meant to be
 * read through a PSEGMENT that already points at kernel-owned memory.
 *
 * Original dump:
 * (*((ntkrnlmp!_SEGMENT *)0xffffa405114286d0))
 * [+0x000] ControlArea : 0xffffd18b3276d370
 * [+0x008] TotalNumberOfPtes : 0xa
 * [+0x00c] SegmentFlags
 * [+0x010] NumberOfCommittedPages : 0x0
 * [+0x018] SizeOfSegment : 0xa000
 * [+0x020] ExtendInfo : 0x5dd00000
 * [+0x020] BasedAddress : 0x5dd00000
 * [+0x028] SegmentLock
 * [+0x030] u1
 * [+0x038] u2
 * [+0x040] PrototypePte : 0xffffa4050feab820
 */
PVOID ControlArea;              // +0x000: back-pointer to the owning _CONTROL_AREA
LONG32 TotalNumberOfPtes;       // +0x008
LONG32 SegmentFlags;            // +0x00c: a bit-field struct in the real layout; declared as a plain 32-bit slot here
ULONG64 NumberOfCommittedPages; // +0x010
ULONG64 SizeOfSegment;          // +0x018: 0xa000 in the dump
ULONG64 BasedAddress;           // +0x020: shares its slot with ExtendInfo in the dump (a union). Author's note: the PE image mapped at this address could also be used to obtain the module name
//............. remaining fields (SegmentLock at +0x028, u1, u2, PrototypePte at +0x040) are not declared



}SEGMENT,*PSEGMENT;
typedef struct _EX_FAST_REF
{
// Kernel "fast reference": one pointer-sized word that holds both an object
// pointer and a small count packed into the low 3 bits. The code in this file
// recovers the pointer by clearing those bits ((Value >> 3) << 3); reading
// Object directly without masking yields a misaligned, wrong address.
union
{
PVOID Object;         // the referenced object; only meaningful once the low 3 bits are cleared
ULONG_PTR RefCnt : 3; // count packed into the low 3 bits of the word
ULONG_PTR Value;      // the raw word: pointer bits | RefCnt
};
} EX_FAST_REF, *PEX_FAST_REF;
typedef struct _CONTROL_AREA {
/**
 * Partial reconstruction of ntkrnlmp!_CONTROL_AREA (Windows 10 x64 build
 * 14393), following the debugger dump the author pasted below. Fields are
 * declared only up to ControlAreaLock at +0x048; the rest is omitted, so the
 * struct is shorter than the real one and must only be read through a
 * PCONTROL_AREA into kernel-owned memory.
 *
 * The only field the traversal in this file actually uses is FilePointer
 * (+0x040), which leads to the backing FILE_OBJECT.
 *
 * Original dump:
 * (*((ntkrnlmp!_CONTROL_AREA *)0xffffd18b3276d370))
 * [+0x000] Segment : 0xffffa405114286d0
 * [+0x008] ListHead
 * [+0x018] NumberOfSectionReferences : 0x1
 * [+0x020] NumberOfPfnReferences : 0xa
 * [+0x028] NumberOfMappedViews : 0x4
 * [+0x030] NumberOfUserReferences : 0x5
 * [+0x038] u
 * [+0x03c] u1
 * [+0x040] FilePointer
 * [+0x048] ControlAreaLock : 0
 * [+0x04c] ModifiedWriteCount : 0x0
 * [+0x050] WaitList : 0x0
 * [+0x058] u2
 * [+0x068] FileObjectLock
 * [+0x070] LockedPages : 0x1
 * [+0x078] u3
 */
PSEGMENT Segment;                           // +0x000: the _SEGMENT, whose ControlArea field points back at this CONTROL_AREA
LIST_ENTRY ListHead;                        // +0x008: not examined by the author
unsigned __int64 NumberOfSectionReferences; // +0x018: author's guess: a reference count (0x1 in the dump)
unsigned __int64 NumberOfPfnReferences;     // +0x020: author's guess: PFN-related (0xa in the dump)
unsigned __int64 NumberOfMappedViews;       // +0x028: author's guess: number of mapped views (0x4 in the dump)
unsigned __int64 NumberOfUserReferences;    // +0x030: author's guess: user references (0x5 in the dump)
ULONG32 u;                                  // +0x038: unnamed union in the real layout; meaning unknown to the author
ULONG32 u1;                                 // +0x03c: same as u
EX_FAST_REF FilePointer;                    // +0x040: fast-ref to the backing FILE_OBJECT - the field this file is after
long ControlAreaLock;                       // +0x048: lock; the author notes they do not know how it is used, and the code never takes it
//......... remaining fields (ModifiedWriteCount, WaitList, u2, FileObjectLock, LockedPages, u3) are not declared
//............
}CONTROL_AREA,*PCONTROL_AREA;
typedef struct _SUBSECTION {
// Partial ntkrnlmp!_SUBSECTION: only the three leading pointers
// (+0x000..+0x017) are declared. The fields from +0x018 onward, listed in the
// dump below, are omitted, so the struct is shorter than the real one and is
// only safe to read through a PSUBSECTION into kernel-owned memory.
PCONTROL_AREA ControlArea;          // +0x000: owning control area; the traversal goes ControlArea->FilePointer from here
struct MMPTE* SubsectionBase;       // +0x008: not used in this file
struct _SUBSECTION* NextSubsection; // +0x010: not used in this file
/* Undeclared tail of the real layout, from the dump:
+ 0x018 GlobalPerSessionHead : _RTL_AVL_TREE
+ 0x018 CreationWaitList : Ptr64 _MI_CONTROL_AREA_WAIT_BLOCK
+ 0x018 SessionDriverProtos : Ptr64 _MI_PER_SESSION_PROTOS
+ 0x020 u : <unnamed - tag>
+0x024 StartingSector : Uint4B
+ 0x028 NumberOfFullSectors : Uint4B
+ 0x02c PtesInSubsection : Uint4B
+ 0x030 u1 : <unnamed - tag>
+0x034 UnusedPtes : Pos 0, 31 Bits
+ 0x034 DirtyPages : Pos 31, 1 Bit
+ 0x034 u2 : <unnamed - tag>*/


}SUBSECTION,*PSUBSECTION;
#pragma pack(1)
typedef struct __MMVAD{
/*
 * Partial ntkrnlmp!_MMVAD (Windows 10 x64 build 14393), following the dump
 * below.
 *
 * NOTE(review): the declared layout does NOT match the dump. The dump shows
 * Core as a _MMVAD_SHORT occupying +0x000..+0x03f, with u2 at +0x040 and
 * Subsection at +0x048. Here Core is a single char and the struct is packed to
 * 1 byte, so u2 starts at offset 1 and Subsection at offset 9; every later
 * field is shifted by the same amount. VadPreOrderTraverse reads Subsection,
 * VadsProcess and FileObject through this struct, i.e. from the wrong
 * offsets. Confirm the intended layout before relying on any of those reads.
 *
 * Original dump:
 * +0x000 Core : _MMVAD_SHORT
 * + 0x040 u2 : <unnamed - tag>
 * +0x048 Subsection : Ptr64 _SUBSECTION
 * + 0x050 FirstPrototypePte : Ptr64 _MMPTE
 * + 0x058 LastContiguousPte : Ptr64 _MMPTE
 * + 0x060 ViewLinks : _LIST_ENTRY
 * + 0x070 VadsProcess : Ptr64 _EPROCESS
 * + 0x078 u4 : <unnamed - tag>
 * +0x080 FileObject : Ptr64 _FILE_OBJECT
 */
char Core;                // stands in for _MMVAD_SHORT (0x40 bytes in the dump) but is only 1 byte - see note above
ULONG64 u2;               // +0x040 in the dump
PSUBSECTION Subsection;   // +0x048 in the dump; read by VadPreOrderTraverse
PMMPTE FirstPrototypePte; // +0x050 in the dump; unused here
PMMPTE LastContiguousPte; // +0x058 in the dump; unused here
LIST_ENTRY64 ViewLinks;   // +0x060 in the dump; unused here
PEPROCESS VadsProcess;    // +0x070 in the dump; a valid pointer here is what the traversal treats as "image-backed VAD"
ULONG64 u4;               // +0x078 in the dump; unused here
PFILE_OBJECT FileObject;  // +0x080 in the dump; read into a local but never used
}MMVAD,*PMMVAD;
#pragma pack()


/*
 * VadPreOrderTraverse - recursive walk of a process's VAD tree (node first,
 * then Right, then Left) starting at VaddTree. The _RTL_BALANCED_NODE is cast
 * straight to PMMVAD, which presumes the node sits at offset 0 of the VAD.
 *
 * For every node whose VadsProcess is a valid address, the routine follows
 * Subsection -> ControlArea -> FilePointer to the backing FILE_OBJECT and
 * then OVERWRITES that object's FileName in place with a fixed csrss.exe
 * path, printing the result with DbgPrint. It does not enumerate or report
 * anything; the visible effect is that any tool which identifies a process's
 * mapped images by reading FILE_OBJECT.FileName (directly or via the VAD
 * tree) is shown the spoofed path for every image-backed region. From a
 * defender's side this is an anti-forensic modification of kernel objects:
 * a file name obtained independently of FileName (e.g. resolved from the
 * section/file object by the object manager, or compared with the on-disk
 * image at BasedAddress) will disagree with the overwritten string, and the
 * write is done with no lock on the FILE_OBJECT, so concurrent readers may
 * observe a torn UNICODE_STRING.
 *
 * Review notes on the code as written (left unchanged here):
 *  - `if (MmIsAddressValid(VaddTree->Left));` ends in a stray semicolon, so
 *    the Left recursion below it is unconditional; only the Right branch is
 *    actually guarded. The MmIsAddressValid at the top of the callee is what
 *    keeps an invalid Left pointer from being dereferenced.
 *  - The memcpy into FileName.Buffer is sized by the literal, never checked
 *    against FileName.MaximumLength; a shorter buffer is overrun.
 *  - FileName.Length is set to sizeof(literal), which includes the trailing
 *    L'\0'; UNICODE_STRING.Length normally excludes it (sizeof(literal) -
 *    sizeof(WCHAR)).
 *  - MMVAD is declared with a 1-byte Core under #pragma pack(1), so
 *    Subsection/VadsProcess/FileObject are read from offsets that do not
 *    match the dump above the struct.
 *  - FilePointer.Value is passed to MmIsAddressValid before its low 3 bits
 *    are stripped; the masked pointer is only checked afterwards.
 *  - MmIsAddressValid only says the page is resident at the instant of the
 *    call; it does not establish that the memory is an _MMVAD and does not
 *    prevent the page going away before the dereference.
 *  - Recursion depth equals tree depth on the kernel stack; there is no
 *    bound. No IRQL is asserted.
 *
 * @param VaddTree  root (or subtree root) of the VAD tree to walk; may be
 *                  invalid - the function returns silently in that case.
 */
VOID VadPreOrderTraverse(PRTL_BALANCED_NODE VaddTree) {
if (MmIsAddressValid(VaddTree))
{

PSUBSECTION L_Subsection = ((PMMVAD)VaddTree)->Subsection;
PVOID64 L_VadsProcess = ((PMMVAD)VaddTree)->VadsProcess;
PVOID64 L_FileObject = ((PMMVAD)VaddTree)->FileObject; // read but never used below
//__debugbreak();
// Author's note: on first inspection, VadsProcess and Subsection are the important fields.


if (MmIsAddressValid(L_VadsProcess)) { // Author's note: a valid VadsProcess means this VAD backs a module
if (MmIsAddressValid(((PMMVAD)VaddTree)->Subsection) &amp;&amp; MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea) &amp;&amp; MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea->FilePointer.Value))
{
PFILE_OBJECT file_object =( (L_Subsection->ControlArea->FilePointer.Value )>> 3 )<< 3;// strip the 3 RefCnt bits of the EX_FAST_REF to recover the FILE_OBJECT pointer
if (MmIsAddressValid(file_object))
{
__try {
// Replace the backing file's name in place: zero the existing buffer, copy the fixed path, set Length.
// No MaximumLength check and no lock on the FILE_OBJECT - see the header note.
memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
memcpy(file_object->FileName.Buffer, L"C:\\WINDOWS\\system32\\csrss.exe", sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"));
file_object->FileName.Length = sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"); // includes the NUL terminator - see header note
DbgPrint("File Name:%wZ \n", &amp;file_object->FileName);
}
__except (1) { DbgPrint(("exception")); } // __except(1) == EXCEPTION_EXECUTE_HANDLER: any fault inside the block is swallowed and only logged
//DbgPrint("file_object :%p MMVAD:%p %S \n", file_object, VaddTree, ModuleName);
}


}
}


if (MmIsAddressValid(VaddTree->Right))
VadPreOrderTraverse(VaddTree->Right);
if (MmIsAddressValid(VaddTree->Left)); // NOTE(review): stray ';' - the next line runs unconditionally
VadPreOrderTraverse(VaddTree->Left);
}
}