快捷導(dǎo)航

C語言驅(qū)動開發(fā)之內(nèi)核通過PEB獲取進(jìn)程參數(shù)

更新時(shí)間：2022年10月11日 11:39:07 作者：lyshark

PEB結(jié)構(gòu)(Process Envirorment Block Structure)其中文名是進(jìn)程環(huán)境塊信息。本文將通過PEB實(shí)現(xiàn)獲取進(jìn)程參數(shù)，感興趣的小伙伴可以了解一下

PEB結(jié)構(gòu)(Process Envirorment Block Structure)其中文名是進(jìn)程環(huán)境塊信息，進(jìn)程環(huán)境塊內(nèi)部包含了進(jìn)程運(yùn)行的詳細(xì)參數(shù)信息，每一個進(jìn)程在運(yùn)行后都會存在一個特有的PEB結(jié)構(gòu)，通過附加進(jìn)程并遍歷這段結(jié)構(gòu)即可得到非常多的有用信息。

在應(yīng)用層下，如果想要得到PEB的基地址只需要取fs:[0x30]即可，TEB線程環(huán)境塊則是fs:[0x18]，如果在內(nèi)核層想要得到應(yīng)用層進(jìn)程的PEB信息我們需要調(diào)用特定的內(nèi)核函數(shù)來獲取，如下案例將教大家如何在內(nèi)核層取到應(yīng)用層進(jìn)程的PEB結(jié)構(gòu)。

首先在開始寫代碼之前需要先定義好PEB進(jìn)程環(huán)境快結(jié)構(gòu)體，用于對內(nèi)存指針解析，新建peb.h文件并保存如下代碼，這些是微軟的結(jié)構(gòu)定義分為32位與64位，官方定義規(guī)范而已不需要費(fèi)工夫。

#pragma once
#include <ntifs.h>

typedef struct _CURDIR              // 2 elements, 0x18 bytes (sizeof) 
{
	/*0x000*/     struct _UNICODE_STRING DosPath; // 3 elements, 0x10 bytes (sizeof) 
	/*0x010*/     VOID*        Handle;
}CURDIR, *PCURDIR;

typedef struct _RTL_DRIVE_LETTER_CURDIR // 4 elements, 0x18 bytes (sizeof) 
{
	/*0x000*/     UINT16       Flags;
	/*0x002*/     UINT16       Length;
	/*0x004*/     ULONG32      TimeStamp;
	/*0x008*/     struct _STRING DosPath;             // 3 elements, 0x10 bytes (sizeof) 
}RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

typedef enum _SYSTEM_DLL_TYPE  // 7 elements, 0x4 bytes
{
	PsNativeSystemDll = 0 /*0x0*/,
	PsWowX86SystemDll = 1 /*0x1*/,
	PsWowArm32SystemDll = 2 /*0x2*/,
	PsWowAmd64SystemDll = 3 /*0x3*/,
	PsWowChpeX86SystemDll = 4 /*0x4*/,
	PsVsmEnclaveRuntimeDll = 5 /*0x5*/,
	PsSystemDllTotalTypes = 6 /*0x6*/
}SYSTEM_DLL_TYPE, *PSYSTEM_DLL_TYPE;

typedef struct _EWOW64PROCESS        // 3 elements, 0x10 bytes (sizeof) 
{
	/*0x000*/     VOID*        Peb;
	/*0x008*/     UINT16       Machine;
	/*0x00A*/     UINT8        _PADDING0_[0x2];
	/*0x00C*/     enum _SYSTEM_DLL_TYPE NtdllType;
}EWOW64PROCESS, *PEWOW64PROCESS;

typedef struct _RTL_USER_PROCESS_PARAMETERS                // 37 elements, 0x440 bytes (sizeof) 
{
	/*0x000*/     ULONG32      MaximumLength;
	/*0x004*/     ULONG32      Length;
	/*0x008*/     ULONG32      Flags;
	/*0x00C*/     ULONG32      DebugFlags;
	/*0x010*/     VOID*        ConsoleHandle;
	/*0x018*/     ULONG32      ConsoleFlags;
	/*0x01C*/     UINT8        _PADDING0_[0x4];
	/*0x020*/     VOID*        StandardInput;
	/*0x028*/     VOID*        StandardOutput;
	/*0x030*/     VOID*        StandardError;
	/*0x038*/     struct _CURDIR CurrentDirectory;                       // 2 elements, 0x18 bytes (sizeof)   
	/*0x050*/     struct _UNICODE_STRING DllPath;                        // 3 elements, 0x10 bytes (sizeof)   
	/*0x060*/     struct _UNICODE_STRING ImagePathName;                  // 3 elements, 0x10 bytes (sizeof)   
	/*0x070*/     struct _UNICODE_STRING CommandLine;                    // 3 elements, 0x10 bytes (sizeof)   
	/*0x080*/     VOID*        Environment;
	/*0x088*/     ULONG32      StartingX;
	/*0x08C*/     ULONG32      StartingY;
	/*0x090*/     ULONG32      CountX;
	/*0x094*/     ULONG32      CountY;
	/*0x098*/     ULONG32      CountCharsX;
	/*0x09C*/     ULONG32      CountCharsY;
	/*0x0A0*/     ULONG32      FillAttribute;
	/*0x0A4*/     ULONG32      WindowFlags;
	/*0x0A8*/     ULONG32      ShowWindowFlags;
	/*0x0AC*/     UINT8        _PADDING1_[0x4];
	/*0x0B0*/     struct _UNICODE_STRING WindowTitle;                    // 3 elements, 0x10 bytes (sizeof)   
	/*0x0C0*/     struct _UNICODE_STRING DesktopInfo;                    // 3 elements, 0x10 bytes (sizeof)   
	/*0x0D0*/     struct _UNICODE_STRING ShellInfo;                      // 3 elements, 0x10 bytes (sizeof)   
	/*0x0E0*/     struct _UNICODE_STRING RuntimeData;                    // 3 elements, 0x10 bytes (sizeof)   
	/*0x0F0*/     struct _RTL_DRIVE_LETTER_CURDIR CurrentDirectores[32];
	/*0x3F0*/     UINT64       EnvironmentSize;
	/*0x3F8*/     UINT64       EnvironmentVersion;
	/*0x400*/     VOID*        PackageDependencyData;
	/*0x408*/     ULONG32      ProcessGroupId;
	/*0x40C*/     ULONG32      LoaderThreads;
	/*0x410*/     struct _UNICODE_STRING RedirectionDllName;             // 3 elements, 0x10 bytes (sizeof)   
	/*0x420*/     struct _UNICODE_STRING HeapPartitionName;              // 3 elements, 0x10 bytes (sizeof)   
	/*0x430*/     UINT64*      DefaultThreadpoolCpuSetMasks;
	/*0x438*/     ULONG32      DefaultThreadpoolCpuSetMaskCount;
	/*0x43C*/     UINT8        _PADDING2_[0x4];
}RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef struct _PEB_LDR_DATA                            // 9 elements, 0x58 bytes (sizeof) 
{
	/*0x000*/     ULONG32      Length;
	/*0x004*/     UINT8        Initialized;
	/*0x005*/     UINT8        _PADDING0_[0x3];
	/*0x008*/     VOID*        SsHandle;
	/*0x010*/     struct _LIST_ENTRY InLoadOrderModuleList;           // 2 elements, 0x10 bytes (sizeof) 
	/*0x020*/     struct _LIST_ENTRY InMemoryOrderModuleList;         // 2 elements, 0x10 bytes (sizeof) 
	/*0x030*/     struct _LIST_ENTRY InInitializationOrderModuleList; // 2 elements, 0x10 bytes (sizeof) 
	/*0x040*/     VOID*        EntryInProgress;
	/*0x048*/     UINT8        ShutdownInProgress;
	/*0x049*/     UINT8        _PADDING1_[0x7];
	/*0x050*/     VOID*        ShutdownThreadId;
}PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _PEB64
{
	UCHAR InheritedAddressSpace;
	UCHAR ReadImageFileExecOptions;
	UCHAR BeingDebugged;
	UCHAR BitField;
	ULONG64 Mutant;
	ULONG64 ImageBaseAddress;
	PPEB_LDR_DATA Ldr;
	PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
	ULONG64 SubSystemData;
	ULONG64 ProcessHeap;
	ULONG64 FastPebLock;
	ULONG64 AtlThunkSListPtr;
	ULONG64 IFEOKey;
	ULONG64 CrossProcessFlags;
	ULONG64 UserSharedInfoPtr;
	ULONG SystemReserved;
	ULONG AtlThunkSListPtr32;
	ULONG64 ApiSetMap;
} PEB64, *PPEB64;

#pragma pack(4)
typedef struct _PEB32
{
	UCHAR InheritedAddressSpace;
	UCHAR ReadImageFileExecOptions;
	UCHAR BeingDebugged;
	UCHAR BitField;
	ULONG Mutant;
	ULONG ImageBaseAddress;
	ULONG Ldr;
	ULONG ProcessParameters;
	ULONG SubSystemData;
	ULONG ProcessHeap;
	ULONG FastPebLock;
	ULONG AtlThunkSListPtr;
	ULONG IFEOKey;
	ULONG CrossProcessFlags;
	ULONG UserSharedInfoPtr;
	ULONG SystemReserved;
	ULONG AtlThunkSListPtr32;
	ULONG ApiSetMap;
} PEB32, *PPEB32;

typedef struct _PEB_LDR_DATA32
{
	ULONG Length;
	BOOLEAN Initialized;
	ULONG SsHandle;
	LIST_ENTRY32 InLoadOrderModuleList;
	LIST_ENTRY32 InMemoryOrderModuleList;
	LIST_ENTRY32 InInitializationOrderModuleList;
	ULONG EntryInProgress;
} PEB_LDR_DATA32, *PPEB_LDR_DATA32;

typedef struct _LDR_DATA_TABLE_ENTRY32
{
	LIST_ENTRY32 InLoadOrderLinks;
	LIST_ENTRY32 InMemoryOrderModuleList;
	LIST_ENTRY32 InInitializationOrderModuleList;
	ULONG DllBase;
	ULONG EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STRING32 FullDllName;
	UNICODE_STRING32 BaseDllName;
	ULONG Flags;
	USHORT LoadCount;
	USHORT TlsIndex;
	union
	{
		LIST_ENTRY32 HashLinks;
		ULONG SectionPointer;
	}u1;
	ULONG CheckSum;
	union
	{
		ULONG TimeDateStamp;
		ULONG LoadedImports;
	}u2;
	ULONG EntryPointActivationContext;
	ULONG PatchInformation;
} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;

#pragma pack()

接著就來實(shí)現(xiàn)對PEB的獲取操作，以64位為例，我們需要調(diào)用PsGetProcessPeb()這個內(nèi)核函數(shù)，因?yàn)樵搩?nèi)核函數(shù)沒有被公開所以調(diào)用之前需要頭部導(dǎo)出，該函數(shù)需要傳入用戶進(jìn)程的EProcess結(jié)構(gòu)，該結(jié)構(gòu)可用PsLookupProcessByProcessId函數(shù)動態(tài)獲取到，獲取到以后直接KeStackAttachProcess()附加到應(yīng)用層進(jìn)程上，即可直接輸出進(jìn)程的PEB結(jié)構(gòu)信息，如下代碼。

#include "peb.h"
#include <ntifs.h>

// 定義導(dǎo)出
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(_In_ PEPROCESS Process);

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint(("Uninstall Driver Is OK \n"));
}
// LyShark
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint("hello lyshark \n");

	NTSTATUS status = STATUS_UNSUCCESSFUL;
	PEPROCESS eproc = NULL;
	KAPC_STATE kpc = { 0 };

	PPEB64 pPeb64 = NULL;

	__try
	{
		// HANDLE)4656 進(jìn)程PID
		status = PsLookupProcessByProcessId((HANDLE)4656, &eproc);

		// 得到64位PEB
		pPeb64 = (PPEB64)PsGetProcessPeb(eproc);

		DbgPrint("PEB64 = %p \n", pPeb64);

		if (pPeb64 != 0)
		{
			// 驗(yàn)證可讀性
			ProbeForRead(pPeb64, sizeof(PEB32), 1);

			// 附加進(jìn)程
			KeStackAttachProcess(eproc, &kpc);

			DbgPrint("進(jìn)程基地址: 0x%p \n", pPeb64->ImageBaseAddress);
			DbgPrint("ProcessHeap = 0x%p \n", pPeb64->ProcessHeap);
			DbgPrint("BeingDebugged = %d \n", pPeb64->BeingDebugged);

			// 脫離進(jìn)程
			KeUnstackDetachProcess(&kpc);
		}
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		Driver->DriverUnload = UnDriver;
		return STATUS_SUCCESS;
	}

	Driver->DriverUnload = UnDriver;
	return STATUS_SUCCESS;
}

PEB64代碼運(yùn)行后，我們加載驅(qū)動即可看到如下結(jié)果:

而相對于64位進(jìn)程來說，獲取32位進(jìn)程的PEB信息可以直接調(diào)用PsGetProcessWow64Process()函數(shù)得到，該函數(shù)已被導(dǎo)出可以任意使用，獲取PEB代碼如下。

#include "peb.h"
#include <ntifs.h>

// 定義導(dǎo)出
NTKERNELAPI PVOID NTAPI PsGetProcessPeb(_In_ PEPROCESS Process);

VOID UnDriver(PDRIVER_OBJECT driver)
{
	DbgPrint(("Uninstall Driver Is OK \n"));
}

// LyShark
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
	DbgPrint("hello lyshark \n");

	NTSTATUS status = STATUS_UNSUCCESSFUL;
	PEPROCESS eproc = NULL;
	KAPC_STATE kpc = { 0 };

	PPEB32 pPeb32 = NULL;

	__try
	{
		// HANDLE)4656 進(jìn)程PID
		status = PsLookupProcessByProcessId((HANDLE)6164, &eproc);

		// 得到32位PEB
		pPeb32 = (PPEB32)PsGetProcessWow64Process(eproc);

		DbgPrint("PEB32 = %p \n", pPeb32);

		if (pPeb32 != 0)
		{
			// 驗(yàn)證可讀性
			ProbeForRead(pPeb32, sizeof(PEB32), 1);

			// 附加進(jìn)程
			KeStackAttachProcess(eproc, &kpc);

			DbgPrint("進(jìn)程基地址: 0x%p \n", pPeb32->ImageBaseAddress);
			DbgPrint("ProcessHeap = 0x%p \n", pPeb32->ProcessHeap);
			DbgPrint("BeingDebugged = %d \n", pPeb32->BeingDebugged);

			// 脫離進(jìn)程
			KeUnstackDetachProcess(&kpc);
		}
		
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		Driver->DriverUnload = UnDriver;
		return STATUS_SUCCESS;
	}

	Driver->DriverUnload = UnDriver;
	return STATUS_SUCCESS;
}

PEB32代碼運(yùn)行后，我們加載驅(qū)動即可看到如下結(jié)果:

到此這篇關(guān)于C語言驅(qū)動開發(fā)之內(nèi)核通過PEB獲取進(jìn)程參數(shù)的文章就介紹到這了,更多相關(guān)C語言驅(qū)動開發(fā)獲取進(jìn)程參數(shù)內(nèi)容請搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: