好久没有访问CSDN,现在都变得不太认识.
由于这几年从事驱动开发,就发一些自已的心得.
在驱动开发中,有时候我们需要取得当前进程的路径,在之前,大家都是在抄xfilt的代码(xfilt是抄osr).
// Hard-coded structure offsets (Ptr32 layout) used to walk
// EPROCESS -> PEB -> RTL_USER_PROCESS_PARAMETERS -> ImagePathName.Buffer.
// EPROCESS.Peb as laid out on Windows 2000/XP; on Windows 2003 the field is at
// 0x0190 (see the dt nt!_EPROCESS dump below), so this value dereferences the
// wrong field there and the code bluescreens.
#define BASE_PROCESS_PEB_OFFSET 0x01B0
// PEB.ProcessParameters (dt nt!_PEB: +0x010).
#define BASE_PEB_PROCESS_PARAMETER_OFFSET 0x0010
// RTL_USER_PROCESS_PARAMETERS.ImagePathName is at +0x038; +4 skips the two
// USHORT fields of UNICODE_STRING (Length, MaximumLength) to land on Buffer.
#define BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME 0x003C
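PCWSTR KfGetProcessFullName(void)
/*++
Routine Description:
    Returns the full image path of the current process
    (e.g. "C:\WINNT\notepad.exe") by walking
    EPROCESS -> PEB -> RTL_USER_PROCESS_PARAMETERS -> ImagePathName
    with hard-coded structure offsets and returning ImagePathName.Buffer.

Arguments:
    None.  (The previous header documented a pFullImageName output
    argument that this function never had; the path is returned.)

Return Value:
    Pointer to the wide-character buffer, or NULL when the caller is not
    at PASSIVE_LEVEL, when the process pointer is 0 or 0xFFFFFFFF, or
    when any pointer in the chain is null.  All failure paths now return
    NULL (the old code mixed "return NULL" and "return 0").

Notes:
    The offsets are only valid for the builds they were read from.
    BASE_PROCESS_PEB_OFFSET (0x01B0) is the 2000/XP value; on Windows
    2003 EPROCESS.Peb is at 0x0190, which is why this version crashes
    there (see FsdGetProcessFullName below for the version-aware walk).

    NOTE(review): the buffer is returned by pointer, not copied.  The PEB
    and process parameters presumably live in the process's own user-mode,
    pageable memory (likely the reason for the IRQL check), so the string
    can be changed or unmapped by that process at any time, and
    UNICODE_STRING.Length is discarded so no length bound is known.  Treat
    the result as untrusted input: copy and validate it before logging it
    or using it in any decision.
--*/
{
    DWORD dwAddress;

    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
        return NULL;

    dwAddress = (DWORD)PsGetCurrentProcess();
    if (dwAddress == 0 || dwAddress == 0xFFFFFFFF)
        return NULL;

    // EPROCESS -> PEB; a null link ends the walk.
    dwAddress += BASE_PROCESS_PEB_OFFSET;
    dwAddress = *(DWORD *)dwAddress;
    if (dwAddress == 0)
        return NULL;

    // PEB -> RTL_USER_PROCESS_PARAMETERS.
    dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET;
    dwAddress = *(DWORD *)dwAddress;
    if (dwAddress == 0)
        return NULL;

    // RTL_USER_PROCESS_PARAMETERS -> ImagePathName.Buffer
    // (0x38 for the UNICODE_STRING, +4 past Length/MaximumLength).
    dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME;
    dwAddress = *(DWORD *)dwAddress;
    if (dwAddress == 0)
        return NULL;

    return (PCWSTR)dwAddress;
}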
这段代码在2k/xp能正确工作,可在2003上,一执行就蓝屏,为什么呢???
首先你要理解这段代码的工作原理(知道还看什么,快关IE.)
流程:
1.取得EPROCESS(PsGetCurrentProcess();)
2. 通过偏移量取得PEB, (Address + BASE_PROCESS_PEB_OFFSET )
3.通过PEB指针的偏移量取得RTL_USER_PROCESS_PARAMETER( Address + BASE_PEB_PROCESS_PARAMETER_OFFSET)
最后是取得其ImagePathName, 得到是UNICODE_STRING结构.
知道原理后,下面演示我是如何在2003上取得:
调试心得记录:使用Windbg 分析2003的全路径存在哪儿?
1.在主机安装2003 sym,不知道,可以去死了.
2.启动2003,并开一个IE.
3. 先得到结构参数
dt nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER
+0x078 ExitTime : _LARGE_INTEGER
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : Ptr32 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY
+0x090 QuotaUsage : [3] Uint4B
+0x09c QuotaPeak : [3] Uint4B
+0x0a8 CommitCharge : Uint4B
+0x0ac PeakVirtualSize : Uint4B
+0x0b0 VirtualSize : Uint4B
+0x0b4 SessionProcessLinks : _LIST_ENTRY
+0x0bc DebugPort : Ptr32 Void
+0x0c0 ExceptionPort : Ptr32 Void
+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetPage : Uint4B
+0x0d0 AddressCreationLock : _KGUARDED_MUTEX
+0x0f0 HyperSpaceLock : Uint4B
+0x0f4 ForkInProgress : Ptr32 _ETHREAD
+0x0f8 HardwareTrigger : Uint4B
+0x0fc PhysicalVadRoot : Ptr32 _MM_AVL_TABLE
+0x100 CloneRoot : Ptr32 Void
+0x104 NumberOfPrivatePages : Uint4B
+0x108 NumberOfLockedPages : Uint4B
+0x10c Win32Process : Ptr32 Void
+0x110 Job : Ptr32 _EJOB
+0x114 SectionObject : Ptr32 Void
+0x118 SectionBaseAddress : Ptr32 Void
+0x11c QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK
+0x120 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY
+0x124 Win32WindowStation : Ptr32 Void
+0x128 InheritedFromUniqueProcessId : Ptr32 Void
+0x12c LdtInformation : Ptr32 Void
+0x130 VadFreeHint : Ptr32 Void
+0x134 VdmObjects : Ptr32 Void
+0x138 DeviceMap : Ptr32 Void
+0x13c Spare0 : [3] Ptr32 Void
+0x148 PageDirectoryPte : _HARDWARE_PTE
+0x148 Filler : Uint8B
+0x150 Session : Ptr32 Void
+0x154 ImageFileName : [16] UChar
+0x164 JobLinks : _LIST_ENTRY
+0x16c LockedPagesList : Ptr32 Void
+0x170 ThreadListHead : _LIST_ENTRY
+0x178 SecurityPort : Ptr32 Void
+0x17c PaeTop : Ptr32 Void
+0x180 ActiveThreads : Uint4B
+0x184 GrantedAccess : Uint4B
+0x188 DefaultHardErrorProcessing : Uint4B
+0x18c LastThreadExitStatus : Int4B
+0x190 Peb : Ptr32 _PEB
+0x194 PrefetchTrace : _EX_FAST_REF
+0x198 ReadOperationCount : _LARGE_INTEGER
+0x1a0 WriteOperationCount : _LARGE_INTEGER
+0x1a8 OtherOperationCount : _LARGE_INTEGER
+0x1b0 ReadTransferCount : _LARGE_INTEGER
+0x1b8 WriteTransferCount : _LARGE_INTEGER
+0x1c0 OtherTransferCount : _LARGE_INTEGER
+0x1c8 CommitChargeLimit : Uint4B
+0x1cc CommitChargePeak : Uint4B
+0x1d0 AweInfo : Ptr32 Void
+0x1d4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1d8 Vm : _MMSUPPORT
+0x238 MmProcessLinks : _LIST_ENTRY
+0x240 ModifiedPageCount : Uint4B
+0x244 JobStatus : Uint4B
+0x248 Flags : Uint4B
+0x248 CreateReported : Pos 0, 1 Bit
+0x248 NoDebugInherit : Pos 1, 1 Bit
+0x248 ProcessExiting : Pos 2, 1 Bit
+0x248 ProcessDelete : Pos 3, 1 Bit
+0x248 Wow64SplitPages : Pos 4, 1 Bit
+0x248 VmDeleted : Pos 5, 1 Bit
+0x248 OutswapEnabled : Pos 6, 1 Bit
+0x248 Outswapped : Pos 7, 1 Bit
+0x248 ForkFailed : Pos 8, 1 Bit
+0x248 Wow64VaSpace4Gb : Pos 9, 1 Bit
+0x248 AddressSpaceInitialized : Pos 10, 2 Bits
+0x248 SetTimerResolution : Pos 12, 1 Bit
+0x248 BreakOnTermination : Pos 13, 1 Bit
+0x248 SessionCreationUnderway : Pos 14, 1 Bit
+0x248 WriteWatch : Pos 15, 1 Bit
+0x248 ProcessInSession : Pos 16, 1 Bit
+0x248 OverrideAddressSpace : Pos 17, 1 Bit
+0x248 HasAddressSpace : Pos 18, 1 Bit
+0x248 LaunchPrefetched : Pos 19, 1 Bit
+0x248 InjectInpageErrors : Pos 20, 1 Bit
+0x248 VmTopDown : Pos 21, 1 Bit
+0x248 ImageNotifyDone : Pos 22, 1 Bit
+0x248 PdeUpdateNeeded : Pos 23, 1 Bit
+0x248 VdmAllowed : Pos 24, 1 Bit
+0x248 Unused : Pos 25, 7 Bits
+0x24c ExitStatus : Int4B
+0x250 NextPageColor : Uint2B
+0x252 SubSystemMinorVersion : UChar
+0x253 SubSystemMajorVersion : UChar
+0x252 SubSystemVersion : Uint2B
+0x254 PriorityClass : UChar
+0x258 VadRoot : _MM_AVL_TABLE
kd> dt nt!_Peb
nt!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 SpareBool : UChar
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 SparePtr1 : Ptr32 Void
+0x024 SparePtr2 : Ptr32 Void
+0x028 EnvironmentUpdateCount : Uint4B
+0x02c KernelCallbackTable : Ptr32 Void
+0x030 SystemReserved : [1] Uint4B
+0x034 ExecuteOptions : Pos 0, 2 Bits
+0x034 SpareBits : Pos 2, 30 Bits
+0x038 FreeList : Ptr32 _PEB_FREE_BLOCK
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [2] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 ReadOnlySharedMemoryHeap : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ImageProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [34] Uint4B
+0x14c PostProcessInitRoutine : Ptr32
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [32] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x208 MinimumStackCommit : Uint4B
+0x20c FlsCallback : Ptr32 Ptr32 Void
+0x210 FlsListHead : _LIST_ENTRY
+0x218 FlsBitmap : Ptr32 Void
+0x21c FlsBitmapBits : [4] Uint4B
+0x22c FlsHighIndex : Uint4B
kd> dt nt!_RTL_USER_PROCESS_PARAMETERS
+0x000 MaximumLength : Uint4B
+0x004 Length : Uint4B
+0x008 Flags : Uint4B
+0x00c DebugFlags : Uint4B
+0x010 ConsoleHandle : Ptr32 Void
+0x014 ConsoleFlags : Uint4B
+0x018 StandardInput : Ptr32 Void
+0x01c StandardOutput : Ptr32 Void
+0x020 StandardError : Ptr32 Void
+0x024 CurrentDirectory : _CURDIR
+0x030 DllPath : _UNICODE_STRING
+0x038 ImagePathName : _UNICODE_STRING
+0x040 CommandLine : _UNICODE_STRING
+0x048 Environment : Ptr32 Void
+0x04c StartingX : Uint4B
+0x050 StartingY : Uint4B
+0x054 CountX : Uint4B
+0x058 CountY : Uint4B
+0x05c CountCharsX : Uint4B
+0x060 CountCharsY : Uint4B
+0x064 FillAttribute : Uint4B
+0x068 WindowFlags : Uint4B
+0x06c ShowWindowFlags : Uint4B
+0x070 WindowTitle : _UNICODE_STRING
+0x078 DesktopInfo : _UNICODE_STRING
+0x080 ShellInfo : _UNICODE_STRING
+0x088 RuntimeData : _UNICODE_STRING
+0x090 CurrentDirectores : [32] _RTL_DRIVE_LETTER_CURDIR
此时,不用我告诉你了吧!,去抄费尔提到用的方法.把偏移量改一改就可以.
黄森堂 2004-5-31
所以,从上面可以看出来,xfilt的第一个PEB偏移量是错的,2003里,正确是:0x0190,而不是0x01B0.
注:有人会问,从你的结构上看,最后是0x38,可上面代码是0x03C???,
老兄,0x38是UNICODE_STRING, UNICODE_STRING 的结构是:
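/*
 * UNICODE_STRING - counted wide-character string used by the kernel.
 * Windows defines Length and MaximumLength as byte counts, not character
 * counts.  The two USHORTs occupy 4 bytes, so in the Ptr32 layout Buffer
 * sits at offset 4; that is why ImagePathName's offset 0x38 becomes 0x3C
 * when the code above reads Buffer directly.
 * Fix: the original closed with "} UNICODE_STRING *PUNICODE_STRING;",
 * which is missing the comma between the two typedef names and does not
 * parse.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;        /* bytes in use */
    USHORT MaximumLength; /* bytes available in Buffer */
    PWSTR Buffer;         /* not guaranteed NUL-terminated by this structure */
} UNICODE_STRING, *PUNICODE_STRING;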
所以返回其字符串指针要加上4个字节的偏移量:
附上完整代码:
/////////////////////////////////////////////////////////////////
// 类别:
// 文件系统操作
// 功能:
// 取得当前进程名完整路径名(例:C:\WINNT\notepad.exe)
// 参数:
//
// 返回值:
// STATUS_SUCCESS 成功
// 原理:取得EPROCESS->PEB->RTL_USER_PROCESS_PARAMETER->ImagePathName
// 从这原理也可以取出Command Line
// 注意:目前只支持Windows 2000/XP/2003
/////////////////////////////////////////////////////////////////
// 修改历史:
// 黄森堂 2004.2.11
/////////////////////////////////////////////////////////////////
// Hard-coded structure offsets (Ptr32 layout) for the
// EPROCESS -> PEB -> RTL_USER_PROCESS_PARAMETERS -> ImagePathName walk.
// EPROCESS.Peb on Windows 2000/XP.
#define BASE_PROCESS_PEB_OFFSET 0x01B0
// PEB.ProcessParameters (dt nt!_PEB: +0x010).
#define BASE_PEB_PROCESS_PARAMETER_OFFSET 0x0010
// RTL_USER_PROCESS_PARAMETERS.ImagePathName (+0x038) plus 4 bytes to skip
// UNICODE_STRING.Length/MaximumLength and land on Buffer.
#define BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME 0x003C
// EPROCESS.Peb on Windows 2003 (dt nt!_EPROCESS: +0x190).
#define W2003_BASE_PROCESS_PEB_OFFSET 0x0190
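/*
 * FsdGetProcessFullName - return the full image path of the current
 * process (e.g. C:\WINNT\notepad.exe).
 *
 * Walks EPROCESS -> PEB -> RTL_USER_PROCESS_PARAMETERS -> ImagePathName and
 * returns ImagePathName.Buffer.  Every link uses a hard-coded offset taken
 * from the structure dumps above, so the function is only valid on Windows
 * 2000/XP/2003 (OS version 5.0-5.2).  The EPROCESS.Peb offset differs
 * between 2000/XP (0x01B0) and 2003 (0x0190) and is selected from the
 * g_OsMajorVersion / g_OsMinorVersion globals defined elsewhere in the
 * driver.
 *
 * Returns: pointer to the wide-character buffer, or NULL when the caller is
 * not at PASSIVE_LEVEL, when the process pointer is 0 or 0xFFFFFFFF, when
 * the OS version is outside 5.0-5.2, or when any pointer in the chain is
 * null.
 *
 * Fix: the version gate used to be (major < 5 || minor > 2), which let any
 * major version above 5 through and walked it with the 2003 offset even
 * though the comment limits support to 2000/XP/2003; it is now
 * (major != 5 || minor > 2).  Failure paths uniformly return NULL.
 *
 * NOTE(review): the buffer is returned by pointer, not copied.  The PEB and
 * process parameters presumably live in the process's own user-mode,
 * pageable memory (likely the reason for the IRQL check), so the string can
 * be changed or unmapped by that process at any time, and
 * UNICODE_STRING.Length is discarded so no length bound is known.  Treat
 * the result as untrusted input: copy and validate it before logging it or
 * basing a decision on it; a production driver would also guard these
 * dereferences with SEH.  The same walk yields CommandLine (+0x040).
 */
PCWSTR FsdGetProcessFullName(void)
{
    DWORD dwAddress;

    if (KeGetCurrentIrql() != PASSIVE_LEVEL)
        return NULL;

    dwAddress = (DWORD)PsGetCurrentProcess();
    if (dwAddress == 0 || dwAddress == 0xFFFFFFFF)
        return NULL;

    // Only Windows 2000/XP/2003 (5.0, 5.1, 5.2) are supported; anything
    // else has unknown layouts and must not be walked with these offsets.
    if (g_OsMajorVersion != 5 || g_OsMinorVersion > 2)
        return NULL;

    // EPROCESS -> PEB; the field offset depends on the build.
    if (g_OsMinorVersion < 2)
        dwAddress += BASE_PROCESS_PEB_OFFSET;        // 5.0 / 5.1: 2000 / XP
    else
        dwAddress += W2003_BASE_PROCESS_PEB_OFFSET;  // 5.2: 2003
    dwAddress = *(DWORD *)dwAddress;
    if (dwAddress == 0)
        return NULL;

    // PEB -> RTL_USER_PROCESS_PARAMETERS.
    dwAddress += BASE_PEB_PROCESS_PARAMETER_OFFSET;
    dwAddress = *(DWORD *)dwAddress;
    if (dwAddress == 0)
        return NULL;

    // RTL_USER_PROCESS_PARAMETERS.ImagePathName is at 0x38; the define adds 4
    // more to skip UNICODE_STRING.Length/MaximumLength and read Buffer.
    dwAddress += BASE_PROCESS_PARAMETER_FULL_IMAGE_NAME;
    dwAddress = *(DWORD *)dwAddress;
    if (dwAddress == 0)
        return NULL;

    return (PCWSTR)dwAddress;
}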
从上面原理中,同样可以得到Command line等等.
黄森堂(vcmfc) 2004-11-11
欢迎转贴/盗版,请保留原文