Getting the EPROCESS of a process
Release date: 2004-06-02
http://www.xfocus.net/articles/200406/706.html
Created: 2004-06-01
Article type: original
Submitted by: Mustbe (zf35_at_citiz.net)
By [i.t.s] system32
Welcome to our web site: http://itaq.ynpc.com/itsbbs/
Thanks to Sobeit :P
---------------------------------------------------------------------------
Every Windows process has a corresponding executive process block (EPROCESS, which SoftICE labels KPEB). Besides many attributes of the process, EPROCESS holds a number of pointers to other data structures that contain a great deal of useful information. This article only describes how to obtain the EPROCESS; the contents of EPROCESS and the data structures it references are outside its scope.
Master flier of the Green Army mentioned in his article that you can use the ZwQuerySystemInformation function to get all the kernel handles and then search linearly for the process handle, whose kernel object pointer is the EPROCESS.
The ZwQuerySystemInformation function is declared as follows:

NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );
The parameters mean the following:
SystemInformationClass: the kind of system information requested, a value of the SYSTEM_INFORMATION_CLASS enumeration
SystemInformation: pointer to a buffer that receives the system information
SystemInformationLength: length of that buffer in bytes
ReturnLength: pointer to a variable that receives the number of bytes actually returned; may be NULL
To get the EPROCESS, we call ZwQuerySystemInformation with SystemHandleInformation as the first parameter.
The SYSTEM_HANDLE_INFORMATION structure is as follows:

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
ProcessId: identifier of the process that owns the handle
ObjectTypeNumber: type of the opened object
Flags: handle index
Handle: handle value; uniquely identifies a handle within the process's handle table
Object: kernel address of the object the handle refers to; for a process handle, this is the EPROCESS
GrantedAccess: access rights granted to the handle on the object
Below is a small program I wrote to get the EPROCESS (getkteb.cpp).
What was puzzling is that after writing the program, it did not obtain the EPROCESS as expected; debugging showed that the process's own handle was not among the handles returned by ZwQuerySystemInformation().
How can that be? Is the program wrong? *_*
Now I have to turn to SoftICE for the answer. Ctrl+D brings up SoftICE; pick a process, QQ in this case, and look at SoftICE's output for PROC -O QQ:
Process   KPEB      Pid   Threads  Pri  User Time  Krnl Time  Status
QQ        827CD520  11C   2A       8    00000B90   000008D4   Ready
---- Handle Table Information ----
Handle Table: FFAD93C8  Handle Array: E2BEB000  Entries: 590
Handle  OB HDR    *Object*  Type
0000    00000000  00000018  ?
0004    E2DA5E58  E2DA5E70  Section
0008    FFAB35C8  FFAB35E0  Event
000C    FFAB3B08  FFAB3B20  Event
0010    85C70188  85C701A0  Event
0014    81515778  81515790  Directory
0018    FFAB7BB2  FFAB7BCA  ?
001C    814A1858  814A1870  Directory
0020    80288C88  80288CA0  Event
0024    E2CFE7F9  E2CFE811  ?
0028    842D7B08  842D7B20  Event
002C    80E9B989  80E9B9A1  ?
0030    E1372198  E13721B0  Section
0034    814602C0  814602D8  WindowStation
0038    81455CE0  81455CF8  Desktop
003C    814602C0  814602D8  WindowStation
0040    E2B3C1A8  E2B3C1C0  Key
0044    E286D6E8  E286D700  Key
0048    E2B3C0E8  E2B3C100  Key
004C    E2B3C068  E2B3C080  Key
0050    E2BEE688  E2BEE6A0  Key
0054    8147C998  8147C9B0  Directory
0058    829D1128  829D1140  Event
005C    83F991E8  83F99200  Event
0060    E2BEE608  E2BEE620  Key
0064    FFB07568  FFB07580  Event
0068    801747E8  80174800  Event
006C    80174828  80174840  Event
0070    845E8808  845E8820  Event
0074    81448798  814487B0  Event
0078    E2B9A888  E2B9A8A0  Key
007C    845E8648  845E8660  Event
0080    FF9E2DB8  FF9E2DD0  Mutant
0084    FF9E2D58  FF9E2D70  Mutant
0088    83CFC378  83CFC390  Mutant
008C    801749B0  801749C8  File
0090    E2C48668  E2C48680  Section
0094    FF965168  FF965180  Event
0098    FF9E7D88  FF9E7DA0  Event
009C    FFAD3DE8  FFAD3E00  Event
00A0    80AD63C8  80AD63E0  Event
00A4    E28073A8  E28073C0  Key
00A8    FF955588  FF9555A0  Thread
00AC    E2770728  E2770740  Key
00B0    FF923438  FF923450  Mutant
00B4    FFAE3B38  FFAE3B50  Mutant
00B8    83B80728  83B80740  Event
00BC    83B80668  83B80680  Event
00C0    E2E3C448  E2E3C460  Section
00C4    83776A08  83776A20  Thread
00C8    81489E48  81489E60  Event
00CC    83776CC8  83776CE0  Event
00D0    83776C88  83776CA0  Event
00D4    83776768  83776780  Event
00D8    E2837D88  E2837DA0  Key
00DC    8146B3A8  8146B3C0  Event
00E0    FF908308  FF908320  Event
00E4    81494868  81494880  Event
00E8    FF9064C8  FF9064E0  Event
00EC    FF908FC8  FF908FE0  Event
00F0    FF908F88  FF908FA0  Event
00F4    FF955588  FF9555A0  Thread
00F8    FF908F48  FF908F60  Event
00FC    E2CB1558  E2CB1570  Port
0100    FF90A2C8  FF90A2E0  IoCompletion
0104    E2CFE708  E2CFE720  Port
0108    FF90A2C8  FF90A2E0  IoCompletion
010C    837762A8  837762C0  Thread
0110    8103BBC8  8103BBE0  Event
0114    813DBDB8  813DBDD0  Event
0118    FF814788  FF8147A0  Event
011C    E1358DA8  E1358DC0  Key
0120    E2CFC428  E2CFC440  Key
0124    8103B9C8  8103B9E0  Event
0128    E2C9A968  E2C9A980  Key
012C    83B34E88  83B34EA0  Event
0130    E2CFD948  E2CFD960  Key
0134    83B34E08  83B34E20  Event
....
After looking through it for a while, I found no handle to the QQ process itself. So what now?
I thought about it for a while... Since the Win32 subsystem is managed by CSRSS.exe, handles to processes created by the user should be found in CSRSS.exe, and after checking with SoftICE that turned out to be true.
However, that still doesn't get the handle of a specified process, which is far from what I need, so I set it aside.
Later I finally thought of the solution: since the process has no handle to itself, create one. OpenProcess() opens a handle to a process, which is exactly what is required.
Sure enough, after doing this, ZwQuerySystemInformation() found the EPROCESS.
The modified program code follows. It gets the EPROCESS address of its own process and can be slightly modified to get that of any process.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * You'll find a list of NTSTATUS status codes in the DDK header
 * ntstatus.h (/WinDDK/2600.1106/inc/ddk/wxp/)
 */
#define NT_SUCCESS(Status)            ((Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH   ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED          ((NTSTATUS)0xC0000022L)

/*
 ******************************************************************************
 * NTDDK.H
 */
typedef LONG  NTSTATUS;
typedef ULONG ACCESS_MASK;
/*
 * NTDEF.H
 ******************************************************************************
 */

/*
 ******************************************************************************
 * << Windows NT/2000 Native API Reference >> - Gary Nebbett
 */
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

/*
 * Information Class 16
 */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG       ProcessId;
    UCHAR       ObjectTypeNumber;
    UCHAR       Flags;
    USHORT      Handle;
    PVOID       Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

#define InitializeObjectAttributes(p, n, a, r, s) {           \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES);                  \
    (p)->RootDirectory = r;                                   \
    (p)->Attributes = a;                                      \
    (p)->ObjectName = n;                                      \
    (p)->SecurityDescriptor = s;                              \
    (p)->SecurityQualityOfService = NULL; }

/*
 ******************************************************************************
 * << Windows NT/2000 Native API Reference >> - Gary Nebbett
 ******************************************************************************
 */
typedef ULONG (__stdcall *RTLNTSTATUSTODOSERROR)(IN NTSTATUS Status);
typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL);

/******************************************************************************
 *                                                                            *
 *                            Function prototypes                             *
 *                                                                            *
 ******************************************************************************/
static DWORD GetEprocessFromPid(ULONG pid);
static BOOL  LocateNtdllEntry(void);

/******************************************************************************
 *                                                                            *
 *                            Static global vars                              *
 *                                                                            *
 ******************************************************************************/
static RTLNTSTATUSTODOSERROR    RtlNtStatusToDosError    = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static HMODULE                  hModule                  = NULL;

/******************************************************************************/
static DWORD GetEprocessFromPid(ULONG pid)
{
    NTSTATUS                   status;
    PVOID                      buf         = NULL;
    ULONG                      size        = 1;
    ULONG                      numOfHandle = 0;
    ULONG                      i;
    PSYSTEM_HANDLE_INFORMATION h_info      = NULL;
    DWORD                      result      = 0;

    /* The required buffer size is not known in advance: start with one byte
       and keep doubling until the call stops returning STATUS_INFO_LENGTH_MISMATCH. */
    for (size = 1; ; size *= 2)
    {
        if (NULL == (buf = calloc(size, 1)))
        {
            fprintf(stderr, "calloc(%u, 1) failed\n", size);
            goto GetEprocessFromPid_exit;
        }
        status = ZwQuerySystemInformation(SystemHandleInformation, buf, size, NULL);
        if (!NT_SUCCESS(status))
        {
            if (STATUS_INFO_LENGTH_MISMATCH == status)
            {
                free(buf);
                buf = NULL;
            }
            else
            {
                printf("ZwQuerySystemInformation() failed\n");
                goto GetEprocessFromPid_exit;
            }
        }
        else
        {
            break;
        }
    } /* end of for */

    /* The first ULONG in the returned buffer is the number of entries;
       the array of SYSTEM_HANDLE_INFORMATION entries follows immediately after it. */
    numOfHandle = *(ULONG *)buf;
    h_info = (PSYSTEM_HANDLE_INFORMATION)((PUCHAR)buf + sizeof(ULONG));
    for (i = 0; i < numOfHandle; i++)
    {
        /* ObjectTypeNumber 5 is the Process object type on the author's system */
        if ((h_info[i].ProcessId == pid) && (h_info[i].ObjectTypeNumber == 5)) // && (h_info[i].Handle == 0x3d8))
        {
            printf("Handle: 0x%x, Object 0x%x\n", h_info[i].Handle, h_info[i].Object);
            result = (DWORD)h_info[i].Object;
            break;
        }
    }

GetEprocessFromPid_exit:
    if (buf != NULL)
    {
        free(buf);
        buf = NULL;
    }
    return result;   /* 0 if no matching handle was found */
}

/*
 * NTDLL.DLL
 */
static BOOL LocateNtdllEntry(void)
{
    BOOL    ret = FALSE;
    char    NTDLL_DLL[] = "ntdll.dll";
    HMODULE ntdll_dll = NULL;

    if ((ntdll_dll = GetModuleHandle(NTDLL_DLL)) == NULL)
    {
        printf("GetModuleHandle() failed\n");
        return FALSE;
    }
    if (!(ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)
              GetProcAddress(ntdll_dll, "ZwQuerySystemInformation")))
    {
        goto LocateNtdllEntry_exit;
    }
    ret = TRUE;

LocateNtdllEntry_exit:
    if (FALSE == ret)
    {
        printf("GetProcAddress() failed\n");
    }
    ntdll_dll = NULL;
    return ret;
} /* end of LocateNtdllEntry */

int main(int argc, char **argv)
{
    HANDLE hSelf;
    DWORD  addr;

    if (!LocateNtdllEntry())
        return 1;

    /* Open a handle to ourselves so that this process shows up in the handle
       list; Process objects have ObjectTypeNumber 5. */
    hSelf = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
    addr = GetEprocessFromPid((DWORD)GetCurrentProcessId());
    printf("Result: current EPROCESS's address is 0x%X\n", addr);
    if (hSelf != NULL)
        CloseHandle(hSelf);
    return 0;
}
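The buffer layout and search loop the article relies on (a ULONG entry count first, the SYSTEM_HANDLE_INFORMATION entries right after it, the STATUS_INFO_LENGTH_MISMATCH grow-and-retry, then a scan for the entry whose ProcessId and ObjectTypeNumber match), as an added example that is not part of the original article or its program. Because the real ZwQuerySystemInformation exists only on Windows, the call is replaced by a constructed stand-in that fills a constructed four-entry table, so the parsing and the size-doubling loop can be compiled and exercised with any C compiler. The type number 5 for Process objects is the value the article observed and is version-specific; PID 0x11C and the object address 827CD520 are the SoftICE values shown above; every other entry, the sample type numbers and all function names are made up for this example. The parser also adds a check the article's loop lacks: the entry count is validated against the buffer size before any entry is indexed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the NT definitions used in the article, so this parser
   builds without Windows headers. */
typedef int32_t NTSTATUS;
#define NT_SUCCESS(Status)           ((Status) >= 0)
#define STATUS_SUCCESS               ((NTSTATUS)0x00000000L)
#define STATUS_INFO_LENGTH_MISMATCH  ((NTSTATUS)0xC0000004L)

/* One SYSTEM_HANDLE_INFORMATION entry in its 32-bit layout: PVOID and
   ACCESS_MASK are 4 bytes wide there, so each entry is exactly 16 bytes. */
typedef struct {
    uint32_t ProcessId;
    uint8_t  ObjectTypeNumber;
    uint8_t  Flags;
    uint16_t Handle;
    uint32_t Object;          /* PVOID on 32-bit Windows */
    uint32_t GrantedAccess;   /* ACCESS_MASK */
} HandleEntry;
_Static_assert(sizeof(HandleEntry) == 16, "entry must match the 32-bit layout");

/* Process object type index as observed in the article; version-specific. */
#define PROCESS_TYPE_NUMBER 5

/* Constructed sample handle table. PID 0x11C and object 827CD520 are the
   values SoftICE printed for QQ in the article; the other type numbers,
   PIDs, handles and addresses are made up for this example. */
static const HandleEntry kSampleTable[] = {
    { 0x11C, 0x0C, 0, 0x0008, 0xFFAB35E0, 0x001F0003 },               /* an Event (type number constructed) */
    { 0x11C, 0x04, 0, 0x0040, 0xE2B3C1C0, 0x000F003F },               /* a Key (type number constructed) */
    { 0x11C, PROCESS_TYPE_NUMBER, 0, 0x03D8, 0x827CD520, 0x001F0FFF }, /* the process's handle to itself */
    { 0x1F0, PROCESS_TYPE_NUMBER, 0, 0x0010, 0x81234560, 0x001F0FFF }, /* another process's process handle (constructed) */
};
#define SAMPLE_COUNT ((uint32_t)(sizeof kSampleTable / sizeof kSampleTable[0]))

/* Constructed stand-in for ZwQuerySystemInformation(SystemHandleInformation, ...).
   It reproduces only the contract the article's program depends on: report
   STATUS_INFO_LENGTH_MISMATCH until the buffer can hold the ULONG count plus
   every entry, then write count + entries into it. */
static NTSTATUS FakeQueryHandleInformation(void *buf, uint32_t len, uint32_t *returnLength)
{
    uint32_t count  = SAMPLE_COUNT;
    uint32_t needed = (uint32_t)sizeof count + count * (uint32_t)sizeof(HandleEntry);
    if (returnLength) *returnLength = needed;
    if (len < needed) return STATUS_INFO_LENGTH_MISMATCH;
    memcpy(buf, &count, sizeof count);
    memcpy((uint8_t *)buf + sizeof count, kSampleTable, count * sizeof(HandleEntry));
    return STATUS_SUCCESS;
}

/* The article's grow-and-retry loop: start at 1 byte and double until the
   query succeeds. Returns a malloc'd buffer (caller frees) and its size, or
   NULL on allocation failure or any status other than a length mismatch. */
void *QueryAllHandles(uint32_t *outSize)
{
    for (uint32_t size = 1; size != 0; size *= 2) {   /* size wrapping to 0 means 32-bit overflow */
        void *buf = calloc(size, 1);
        if (buf == NULL) return NULL;
        NTSTATUS status = FakeQueryHandleInformation(buf, size, NULL);
        if (NT_SUCCESS(status)) { *outSize = size; return buf; }
        free(buf);
        if (status != STATUS_INFO_LENGTH_MISMATCH) return NULL;
    }
    return NULL;
}

/* Walk the buffer: the first ULONG is the entry count, entries follow at
   offset 4. The count is checked against the buffer size before indexing so
   a short or corrupt buffer cannot be read past its end. Returns the Object
   field of the first matching entry, or 0 if none matches. */
uint32_t FindObjectForPid(const void *buf, uint32_t size, uint32_t pid, uint8_t typeNumber)
{
    uint32_t count;
    if (size < sizeof count) return 0;
    memcpy(&count, buf, sizeof count);
    if ((size - sizeof count) / sizeof(HandleEntry) < count) return 0;  /* count exceeds what fits */
    const HandleEntry *e = (const HandleEntry *)((const uint8_t *)buf + sizeof count);
    for (uint32_t i = 0; i < count; i++) {
        if (e[i].ProcessId == pid && e[i].ObjectTypeNumber == typeNumber)
            return e[i].Object;
    }
    return 0;
}

/* Query and search in one step, like GetEprocessFromPid() in the article. */
uint32_t LookupEprocess(uint32_t pid)
{
    uint32_t size = 0;
    void *buf = QueryAllHandles(&size);
    if (buf == NULL) return 0;
    uint32_t object = FindObjectForPid(buf, size, pid, PROCESS_TYPE_NUMBER);
    free(buf);
    return object;
}

int main(void)
{
    uint32_t size = 0;
    void *buf = QueryAllHandles(&size);
    printf("buffer grown to %u bytes for %u entries\n", size, SAMPLE_COUNT);
    free(buf);
    printf("EPROCESS of pid 0x11C: 0x%08X\n", LookupEprocess(0x11C));
    printf("EPROCESS of pid 0x999: 0x%08X (no process handle in the table)\n", LookupEprocess(0x999));
    return 0;
}
```

Replacing FakeQueryHandleInformation with the function pointer obtained from ntdll.dll gives the same logic the article's program runs, with the same caveats: a handle to the target process must exist at query time, the 16-byte entry layout holds only for 32-bit Windows, and the Process type index is best read from the running system rather than hard-coded, since it differs between versions.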