贴段代码,需要的拿走

2010-4-16 15:40
6202
//依据EPROCESS得到进程全路径
extern VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName );
//得到当前调用函数的进程信息
extern VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path);
//路径解析出子进程名
extern VOID GetSonName( PCHAR ProcessPath, PCHAR ProcessName );
//根据SectionHandle得到进程全路径
extern VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName);
//根据ProcessHandle得到进程全路径
extern VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid );
//FileObject得到进程全路径
extern VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName);
//KeyHandle得到注册表全路径
extern BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath);
//
extern VOID UnicodeTochar(PUNICODE_STRING dst , char *src);
//
extern VOID WcharToChar(PWCHAR src,PCHAR dst);
//


extern POBJECT_TYPE *PsProcessType;

NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
						  PEPROCESS Process);

NTKERNELAPI 
NTSTATUS
ObQueryNameString(
				  IN  PVOID Object,
				  OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
				  IN  ULONG Length,
				  OUT PULONG ReturnLength);

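// Extract the last path component (the image file name) from a process path.
//
// ProcessPath  NUL-terminated path; the text after the final '\\' is the name.
//              A path without any backslash is treated as a bare name and
//              copied whole; a path ending in '\\' yields "".
// ProcessName  caller-supplied buffer that receives the NUL-terminated name.
//              The interface carries no size, so the caller must provide at
//              least strlen(ProcessPath) + 1 bytes.
//
// Fixes relative to the original: an empty path no longer makes the length
// underflow, a path with no backslash no longer walks off the front of the
// buffer (the loop had no lower bound), and the result is always
// NUL-terminated (strncpy with an exact count left it unterminated).
void GetSonName( char *ProcessPath, char *ProcessName )
{
	const char *name;
	const char *sep;

	if (ProcessName == NULL)
		return;
	if (ProcessPath == NULL)
	{
		*ProcessName = 0;
		return;
	}

	sep = strrchr(ProcessPath, '\\');
	name = (sep != NULL) ? sep + 1 : ProcessPath;

	// Bounded by the documented contract (destination at least as large as
	// the source); strcpy also writes the terminating NUL.
	strcpy(ProcessName, name);
}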

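// Resolve the full image path of a process from its EPROCESS address.
//
// eprocess          EPROCESS address passed as ULONG (32-bit only).
// ProcessImageName  caller buffer; receives a NUL-terminated ANSI path, or
//                   "" when the path cannot be resolved.
//
// The chain EPROCESS->SectionObject->Segment->ControlArea->FilePointer is
// walked with hard-coded offsets (0x138, 0x14, 0x00, 0x24) that match the
// 32-bit Windows XP-era layouts this file was written against; they are not
// valid on other builds and must be verified for the target. MmIsAddressValid
// only reports whether the page is resident at the moment of the call, so it
// narrows the window for a fault rather than removing it — the caller should
// hold a reference on the process while this runs. Once the FILE_OBJECT is
// found, formatting is delegated to GetFullPathByFileObject (declared at the
// top of this file), which owns the DOS-name/ANSI conversion and its cleanup.

// Read one ULONG field at (base + offset) if that address is currently
// valid. Returns FALSE and leaves *value untouched otherwise.
static BOOLEAN ReadFieldChecked(ULONG base, ULONG offset, PULONG value)
{
	PULONG field = (PULONG)(base + offset);

	if (!MmIsAddressValid(field))
		return FALSE;
	*value = *field;
	return TRUE;
}

VOID GetFullPathByEprocess( ULONG eprocess,PCHAR ProcessImageName )
{
	// XP x86 offsets: EPROCESS.SectionObject, SECTION_OBJECT.Segment,
	// SEGMENT.ControlArea, CONTROL_AREA.FilePointer.
	enum {
		OFF_SECTION_OBJECT = 0x138,
		OFF_SEGMENT        = 0x014,
		OFF_CONTROL_AREA   = 0x000,
		OFF_FILE_POINTER   = 0x024
	};
	ULONG object = 0;

	if (ProcessImageName == NULL)
		return;
	*ProcessImageName = 0;

	// Each step reuses `object` as the next base; the final NULL test covers
	// a CONTROL_AREA with no backing file, which the original passed on to
	// ObReferenceObjectByPointer as a NULL pointer.
	if (!ReadFieldChecked(eprocess, OFF_SECTION_OBJECT, &object) ||
	    !ReadFieldChecked(object, OFF_SEGMENT, &object) ||
	    !ReadFieldChecked(object, OFF_CONTROL_AREA, &object) ||
	    !ReadFieldChecked(object, OFF_FILE_POINTER, &object) ||
	    object == 0)
	{
		return;  // chain broken: leave ""
	}

	GetFullPathByFileObject((PFILE_OBJECT)object, ProcessImageName);
}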
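// Fill in the PID, short image name and full image path of the calling process.
//
// pid   receives the process id (may be NULL; truncated to ULONG on 64-bit).
// name  receives the short image name (may be NULL). PsGetProcessImageFileName
//       returns the EPROCESS.ImageFileName field, which holds at most 15
//       characters plus NUL, so the caller buffer must hold at least 16 bytes.
// path  receives the full image path via GetFullPathByEprocess, or "" when it
//       cannot be resolved (may be NULL).
//
// PsGetProcessId replaces the former read of EPROCESS+0x84, which is the
// Windows XP x86 UniqueProcessId offset and not valid on other builds.
VOID GetCurrentProcess(PULONG pid, PCHAR name, PCHAR path)
{
	PEPROCESS current = PsGetCurrentProcess();

	if (pid != NULL)
		*pid = (ULONG)(ULONG_PTR)PsGetProcessId(current);

	if (name != NULL)
	{
		// Bound the copy to the 16-byte ImageFileName field and terminate
		// explicitly; strncpy does not when the source fills the count.
		strncpy(name, (PCHAR)PsGetProcessImageFileName(current), 15);
		name[15] = 0;
	}

	if (path != NULL)
		GetFullPathByEprocess((ULONG)(ULONG_PTR)current, path);
}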

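// Resolve the image path of the file backing a section object.
//
// SectionHandle     handle to a section object, looked up in the current
//                   process' handle table.
// ProcessImageName  caller buffer; receives a NUL-terminated ANSI path, or
//                   "" on failure.
//
// The SECTION_OBJECT->Segment->ControlArea->FilePointer walk uses the 32-bit
// Windows XP-era offsets (0x14, 0x00, 0x24) the original encoded as
// `+ 5` ULONGs and `+ 36` bytes; verify them for other builds. No object type
// is passed to ObReferenceObjectByHandle (as in the original), so a handle to
// a non-section object would be followed through meaningless offsets — pass
// *MmSectionObjectType here if the caller cannot guarantee the type.
//
// Fixes relative to the original: intermediate pointers are NULL-checked, the
// section object stays referenced until the FILE_OBJECT derived from it has
// been consumed, and the DOS-name/ANSI formatting (with its error handling)
// is delegated to GetFullPathByFileObject, declared at the top of this file.
VOID GetFullPathBySectionHandle( HANDLE SectionHandle, PCHAR ProcessImageName )
{
	enum {
		OFF_SEGMENT      = 0x014,
		OFF_CONTROL_AREA = 0x000,
		OFF_FILE_POINTER = 0x024
	};
	PVOID SectionObject = NULL;
	ULONG_PTR segment = 0;
	ULONG_PTR controlArea = 0;
	PFILE_OBJECT FileObject = NULL;
	NTSTATUS Status;

	if (ProcessImageName == NULL)
		return;
	*ProcessImageName = 0;

	Status = ObReferenceObjectByHandle(SectionHandle, 0, NULL, KernelMode, &SectionObject, NULL);
	if (!NT_SUCCESS(Status) || SectionObject == NULL)
		return;

	segment = *(ULONG_PTR *)((ULONG_PTR)SectionObject + OFF_SEGMENT);
	if (segment != 0)
		controlArea = *(ULONG_PTR *)(segment + OFF_CONTROL_AREA);
	if (controlArea != 0)
		FileObject = *(PFILE_OBJECT *)(controlArea + OFF_FILE_POINTER);

	if (FileObject != NULL)
		GetFullPathByFileObject(FileObject, ProcessImageName);

	// Released only after the FILE_OBJECT reached through it has been used.
	ObDereferenceObject(SectionObject);
}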
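// Resolve the PID and full image path of a process given a handle to it.
//
// ProcessHandle     handle that must refer to a process object; the type is
//                   enforced by passing *PsProcessType to the lookup.
// ProcessImageName  caller buffer; receives the path, or "" on failure
//                   (may be NULL).
// pid               receives the process id (may be NULL).
//
// Fixes relative to the original: the EPROCESS reference is dropped only
// after its path has been read (the original dereferenced first, leaving a
// window in which the process could be torn down underneath
// GetFullPathByEprocess); the PID comes from PsGetProcessId instead of the
// XP-only offset 0x84; and the `& 0xFFFFFFFC` mask is gone —
// ObReferenceObjectByHandle already returns the object body pointer, which
// is at least 8-byte aligned, so the mask was a no-op that suggested a
// tagged pointer where there is none.
VOID GetFullPathByProcessHandle( HANDLE ProcessHandle, PCHAR ProcessImageName , PULONG pid )
{
	NTSTATUS status;
	PEPROCESS Process = NULL;

	if (ProcessImageName != NULL)
		*ProcessImageName = 0;

	status = ObReferenceObjectByHandle( ProcessHandle ,0,*PsProcessType,KernelMode, (PVOID *)&Process, NULL);
	if(!NT_SUCCESS(status))
	{
		DbgPrint("Object Error");
		KdPrint(("[GetFullPathByProcessHandle] error status:0x%x\n",status));
		return;
	}

	if (pid != NULL)
		*pid = (ULONG)(ULONG_PTR)PsGetProcessId(Process);

	if (ProcessImageName != NULL)
		GetFullPathByEprocess((ULONG)(ULONG_PTR)Process, ProcessImageName);

	ObDereferenceObject(Process);
}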
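// Build "<DOS drive>:<file name>" for a FILE_OBJECT as a NUL-terminated ANSI
// string.
//
// FileObject        live FILE_OBJECT (may be NULL, in which case
//                   ProcessImageName is set to "").
// ProcessImageName  caller buffer of at least IMAGE_NAME_CAP bytes; the
//                   result is truncated to IMAGE_NAME_CAP-1 characters and
//                   is always NUL-terminated.
//
// Fixes relative to the original: every kernel call that can fail is now
// checked; DosName.Buffer is freed only when RtlVolumeDeviceToDosName
// actually produced it (it used to be freed uninitialised on failure); a
// failed ANSI conversion no longer reads from an unset ANSI_STRING; and the
// truncation branch no longer copies 0x100 bytes from a string that may be
// shorter than that while terminating at index 215.

// Largest number of bytes written to ProcessImageName including the NUL,
// derived from the original's terminator at index 215.
enum { IMAGE_NAME_CAP = 216 };
// Scratch UNICODE_STRING capacity in bytes (same as the original).
enum { FILE_PATH_BYTES = 0x200 };

VOID GetFullPathByFileObject( PFILE_OBJECT FileObject, PCHAR ProcessImageName)
{
	UNICODE_STRING FilePath;
	UNICODE_STRING DosName;
	ANSI_STRING AnsiString;
	NTSTATUS status;
	BOOLEAN haveDosName = FALSE;
	BOOLEAN haveAnsi = FALSE;
	USHORT copyLen;

	if (ProcessImageName == NULL)
		return;
	*ProcessImageName = 0;
	if (FileObject == NULL)
		return;

	FilePath.Buffer = ExAllocatePool(PagedPool, FILE_PATH_BYTES);
	if (FilePath.Buffer == NULL)
		return;
	FilePath.Length = 0;
	FilePath.MaximumLength = FILE_PATH_BYTES;

	// Hold the object while DeviceObject and FileName are read.
	status = ObReferenceObjectByPointer((PVOID)FileObject, 0, NULL, KernelMode);
	if (!NT_SUCCESS(status))
		goto out_free_path;

	// On success RtlVolumeDeviceToDosName allocates DosName.Buffer for the
	// caller to free; on failure DosName is not usable at all.
	status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
	if (NT_SUCCESS(status))
	{
		haveDosName = TRUE;
		RtlCopyUnicodeString(&FilePath, &DosName);
	}
	// Append FileName even without a drive letter so the caller still gets
	// the device-relative path; STATUS_BUFFER_TOO_SMALL simply leaves FilePath
	// truncated at FILE_PATH_BYTES.
	RtlAppendUnicodeStringToString(&FilePath, &FileObject->FileName);
	ObDereferenceObject(FileObject);

	status = RtlUnicodeStringToAnsiString(&AnsiString, &FilePath, TRUE);
	if (!NT_SUCCESS(status))
		goto out_free_dos;
	haveAnsi = TRUE;

	copyLen = AnsiString.Length;
	if (copyLen > IMAGE_NAME_CAP - 1)
		copyLen = IMAGE_NAME_CAP - 1;
	memcpy(ProcessImageName, AnsiString.Buffer, copyLen);
	ProcessImageName[copyLen] = 0;

out_free_dos:
	if (haveAnsi)
		RtlFreeAnsiString(&AnsiString);
	if (haveDosName)
		ExFreePool(DosName.Buffer);
out_free_path:
	ExFreePool(FilePath.Buffer);
}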
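// Translate an object-manager registry path ("\REGISTRY\USER\...",
// "\REGISTRY\MACHINE\...") into the familiar HKEY_* spelling.
//
// path      NUL-terminated native registry path.
// realpath  caller buffer; receives the translated path, truncated to
//           REG_NAME_CAP-1 characters and NUL-terminated. The interface
//           carries no size, so the caller must provide at least REG_NAME_CAP
//           bytes.
// Returns TRUE after writing realpath; FALSE only when a pointer is NULL.
//
// Mapping, in the order the original applied it:
//   \REGISTRY\USER\<SID>-500           -> HKEY_CURRENT_USER
//   \REGISTRY\USER\<SID>-500_Classes   -> HKEY_CLASSES_ROOT
//   \REGISTRY\USER\...                 -> HKEY_USERS
//   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001
//                                      -> HKEY_CURRENT_CONFIG
//   \REGISTRY\MACHINE\...              -> HKEY_LOCAL_MACHINE
//   anything else                      -> copied through unchanged
// Note that the HKEY_CURRENT_USER detection matches only the "-500" RID
// suffix (the built-in Administrator); every other user lands in HKEY_USERS.
//
// Fixes relative to the original: strncat was bounded by sizeof(path) — the
// size of a pointer — which wrapped to a huge count as soon as the offset
// exceeded 4 and let a long key name overflow realname; a path that did not
// start with "\REGISTRY\MACHINE" (e.g. the empty string left behind by a
// failed name query) was indexed at [17] regardless; and "-500_" near the
// end of the string produced an offset past the terminator.

// Capacity of the scratch buffer, including the NUL.
enum { REG_NAME_CAP = 255 };

// Append src to dst without letting dst exceed cap bytes including the NUL.
static void AppendBounded(char *dst, size_t cap, const char *src)
{
	size_t used = strlen(dst);

	if (used + 1 >= cap)
		return;
	// strncat writes at most n characters plus the terminator.
	strncat(dst, src, cap - used - 1);
}

BOOLEAN StandardPrintHkey(char * path,char *realpath)
{
	static const char USER_PREFIX[] = "\\REGISTRY\\USER";
	static const char MACHINE_PREFIX[] = "\\REGISTRY\\MACHINE";
	static const char CURRENT_CONFIG_PREFIX[] =
		"\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001";
	char realname[REG_NAME_CAP] = {0};
	size_t len;
	size_t i;
	size_t userTail = 0;     // offset just past "-500"         (original j)
	size_t classesTail = 0;  // offset just past "-500_Classes" (original k)
	int matched = 0;         // a "-500" suffix was seen          (original t)

	if (path == NULL || realpath == NULL)
		return FALSE;

	len = strlen(path);

	if (strncmp(USER_PREFIX, path, sizeof USER_PREFIX - 1) == 0)
	{
		// The short-circuit order keeps every path[i+n] read inside the
		// string: each later index is examined only if the previous byte was
		// a non-NUL match.
		for (i = 0; i < len; i++)
		{
			if (path[i] == '-' && path[i + 1] == '5' &&
			    path[i + 2] == '0' && path[i + 3] == '0')
			{
				if (path[i + 4] == '_')
				{
					classesTail = i + 12;  // skip "-500_Classes"
					if (classesTail > len)
						classesTail = len;
				}
				else
				{
					userTail = i + 4;      // skip "-500"
				}
				matched = 1;
			}
		}

		DbgPrint("[j]%d\n", (int)userTail);
		DbgPrint("[k]%d\n", (int)classesTail);
		if (classesTail == 0 && matched)
		{
			strcpy(realname, "HKEY_CURRENT_USER");
			AppendBounded(realname, sizeof realname, path + userTail);
			DbgPrint("[HKEY_CURRENT_USER]%s", path);
		}
		if (userTail == 0 && matched)
		{
			strcpy(realname, "HKEY_CLASSES_ROOT");
			AppendBounded(realname, sizeof realname, path + classesTail);
			DbgPrint("[HKEY_CLASSES_ROOT]%s", path);
		}
		if (!matched)
		{
			strcpy(realname, "HKEY_USERS");
			AppendBounded(realname, sizeof realname, path + (sizeof USER_PREFIX - 1));
			DbgPrint("[HKEY_USER]%s", path);
		}
	}
	else if (strncmp(CURRENT_CONFIG_PREFIX, path, sizeof CURRENT_CONFIG_PREFIX - 1) == 0)
	{
		strcpy(realname, "HKEY_CURRENT_CONFIG");
		AppendBounded(realname, sizeof realname, path + (sizeof CURRENT_CONFIG_PREFIX - 1));
		DbgPrint("[HKEY_CURRENT_CONFIG]%s", path);
	}
	else if (strncmp(MACHINE_PREFIX, path, sizeof MACHINE_PREFIX - 1) == 0)
	{
		strcpy(realname, "HKEY_LOCAL_MACHINE");
		AppendBounded(realname, sizeof realname, path + (sizeof MACHINE_PREFIX - 1));
		DbgPrint("[HKEY_LOCAL_MACHINE]%s", path);
	}
	else
	{
		// Not a hive we know how to rename: pass the path through (bounded)
		// instead of indexing past the end of a short string.
		AppendBounded(realname, sizeof realname, path);
	}

	strcpy(realpath, realname);
	return TRUE;
}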
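// Resolve the native registry path of a key handle and translate it to
// HKEY_* form via StandardPrintHkey.
//
// handle    key handle, looked up in the current process' handle table. No
//           object type is passed to the lookup (as in the original), so any
//           named object is accepted; ObQueryNameString works for all of them.
// realpath  caller buffer for the translated path (see StandardPrintHkey for
//           the size contract); set to "" on failure.
// Returns TRUE when a name was obtained and translated, FALSE otherwise.
//
// Fixes relative to the original: the pool allocation is checked (the
// original tested the stack array pch, which can never be NULL); astr is
// freed only after a successful conversion (it used to be freed uninitialised
// whenever ObQueryNameString failed); the copy into the local name buffer is
// bounded so it stays NUL-terminated; and a failed query returns FALSE
// instead of handing an empty string to StandardPrintHkey.
BOOLEAN GetRegKeyNameByHandle(HANDLE handle, char *realpath)
{
	enum { NAME_INFO_BYTES = 1024 + 4, KEY_NAME_CAP = 256 };
	ULONG returnLength = 0;
	POBJECT_NAME_INFORMATION nameInfo = NULL;
	ANSI_STRING astr;
	PVOID object = NULL;
	NTSTATUS ns;
	BOOLEAN ok = FALSE;
	char keyName[KEY_NAME_CAP] = {0};
	USHORT copyLen;

	if (realpath == NULL)
		return FALSE;
	*realpath = 0;

	ns = ObReferenceObjectByHandle( handle, 0, NULL, KernelMode, &object, NULL );
	if (!NT_SUCCESS(ns))
	{
		KdPrint(("111!\n"));
		KdPrint(("0x%x\n",ns));
		return FALSE;
	}

	nameInfo = ExAllocatePool(NonPagedPool, NAME_INFO_BYTES);
	if (nameInfo == NULL)
		goto out_deref;

	// Pass the real allocation size (the original passed 512 of 1028 bytes).
	ns = ObQueryNameString(object, nameInfo, NAME_INFO_BYTES, &returnLength);
	if (!NT_SUCCESS(ns))
		goto out_free;

	ns = RtlUnicodeStringToAnsiString(&astr, &nameInfo->Name, TRUE);
	if (!NT_SUCCESS(ns))
		goto out_free;

	// Bounded copy; keyName[KEY_NAME_CAP-1] stays 0 from the initialiser.
	copyLen = astr.Length;
	if (copyLen > KEY_NAME_CAP - 1)
		copyLen = KEY_NAME_CAP - 1;
	memcpy(keyName, astr.Buffer, copyLen);
	RtlFreeAnsiString(&astr);

	ok = StandardPrintHkey(keyName, realpath);

out_free:
	ExFreePool(nameInfo);
out_deref:
	ObDereferenceObject(object);
	return ok;
}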
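// Convert a UNICODE_STRING to a NUL-terminated ANSI string.
//
// dst  despite the name, this is the INPUT unicode string (may be NULL).
// src  despite the name, this is the OUTPUT char buffer. The interface
//      carries no size, so it must hold the converted string plus NUL
//      (ansi.Length + 1 bytes for the string produced by
//      RtlUnicodeStringToAnsiString). Set to "" on failure.
//
// Fix relative to the original: the conversion status is checked, so a
// failed conversion no longer strcpy's from an unset ANSI_STRING.
VOID UnicodeTochar(PUNICODE_STRING dst , char *src)
{
	ANSI_STRING ansi;
	NTSTATUS status;

	if (src == NULL)
		return;
	*src = 0;
	if (dst == NULL)
		return;

	status = RtlUnicodeStringToAnsiString(&ansi, dst, TRUE);
	if (!NT_SUCCESS(status))
		return;

	// Copy by length rather than relying on the converted buffer being
	// NUL-terminated.
	memcpy(src, ansi.Buffer, ansi.Length);
	src[ansi.Length] = 0;
	RtlFreeAnsiString(&ansi);
}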
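// Convert a NUL-terminated wide string to a NUL-terminated ANSI string.
//
// src  input wide string (may be NULL; RtlInitUnicodeString then yields an
//      empty string and dst becomes "").
// dst  output char buffer. The interface carries no size, so it must hold
//      the converted string plus NUL. Set to "" on failure.
//
// Fix relative to the original: the conversion status is checked, so a
// failed conversion no longer strcpy's from an unset ANSI_STRING.
VOID WcharToChar(PWCHAR src,PCHAR dst)
{
	UNICODE_STRING uString;
	ANSI_STRING aString;
	NTSTATUS status;

	if (dst == NULL)
		return;
	*dst = 0;

	RtlInitUnicodeString(&uString, src);
	status = RtlUnicodeStringToAnsiString(&aString, &uString, TRUE);
	if (!NT_SUCCESS(status))
		return;

	// Copy by length rather than relying on the converted buffer being
	// NUL-terminated.
	memcpy(dst, aString.Buffer, aString.Length);
	dst[aString.Length] = 0;
	RtlFreeAnsiString(&aString);
}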


fhurricane 活跃值 1 2010-4-16 16:30
不错不错,多谢了,
LZ的TDI过滤驱动,进展如何了?
fhurricane 活跃值 1 2010-4-16 16:34
不错不错,多谢了,
LZ的TDI过滤驱动,进展如何了?
竹君 活跃值 5 2010-4-16 16:56
继续弄啊
liein 活跃值 2010-4-16 16:59
围观中.......  
alwaysrun 活跃值 2010-4-16 17:07
好东西,谢谢了,收藏
Winker 活跃值 8 2010-4-18 17:43
我贴一个吧,由EPROCESS得到进程全路径,网上找的:

// Globals used by the SeAuditProcessCreationInfo lookup sketched below.
PVOID pCurProcess;                              // EPROCESS of the current process, assigned at use time
ULONG pCurProcess_offset;                       // byte offset inside the EPROCESS that is read below
POBJECT_NAME_INFORMATION pObjNameInfo =NULL;    // pointer read out of the EPROCESS; not allocated here, never freed here

// Byte offset of the "System" image-name string inside EPROCESS, found by
// cfCurProcNameInit(); 0 means the scan has not run or found nothing.
static size_t s_cf_proc_name_offset = 0;

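// Locate the image-name field inside EPROCESS by scanning the current
// EPROCESS for the string "System". Only meaningful when called from
// DriverEntry, where the current process is the System process (this is the
// author's original caveat). Records the byte offset in s_cf_proc_name_offset
// and leaves it at 0 — now reported via DbgPrint — when nothing is found.
//
// The scan reads up to PROC_SCAN_BYTES past the EPROCESS start, far more than
// any EPROCESS occupies; the read is unguarded and relies on that memory
// (presumably non-paged pool) being mapped — confirm for the target build.
//
// Fix relative to the original: the DbgPrint argument is cast to ULONG so the
// "%x" specifier matches its argument (size_t was passed before).
void cfCurProcNameInit(void)
{
        enum { PROC_SCAN_BYTES = 3 * 4 * 1024 };
        static const char SYSTEM_NAME[] = "System";
        ULONG i;
        PEPROCESS curproc = PsGetCurrentProcess();

        for (i = 0; i < PROC_SCAN_BYTES; i++)
        {
                if (strncmp(SYSTEM_NAME, (PCHAR)curproc + i, sizeof SYSTEM_NAME - 1) == 0)
                {
                        s_cf_proc_name_offset = i;
                        DbgPrint("s_cf_proc_name_offset: %x\n", (ULONG)s_cf_proc_name_offset);
                        return;
                }
        }
        DbgPrint("cfCurProcNameInit: \"System\" not found in EPROCESS\n");
}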

// Usage sketch (top-level statements, not a function): read the audit-info
// image path of the current process once cfCurProcNameInit() has filled
// s_cf_proc_name_offset.
pCurProcess = PsGetCurrentProcess();
// NOTE(review): the +0x80 distance from the image-name field to
// SeAuditProcessCreationInfo is layout-specific — confirm for the target build.
pCurProcess_offset = s_cf_proc_name_offset + 0x80; //SE_AUDIT_PROCESS_CREATION_INFO  SeAuditProcessCreationInfo = s_cf_proc_name_offset + 0x80;
// NOTE(review): the DWORD cast truncates the pointer on 64-bit builds;
// ULONG_PTR would be the width-correct type.
pObjNameInfo = *(POBJECT_NAME_INFORMATION *)((DWORD)pCurProcess+pCurProcess_offset);
if(MmIsAddressValid(pObjNameInfo)) // the field is sometimes NULL, so the address is checked before use
{
   DbgPrint("processoffset %x processname: %ws\r\n",pCurProcess_offset,pObjNameInfo->Name.Buffer);
}
木桩 活跃值 8 2010-4-18 17:58
很实用的几个函数啊,比如那个 GetFullPathBySectionHandle()
先收下了,也许以后用得着
kagayaki 活跃值 2010-4-18 19:51
先收下了,也许以后用得着........
dayang 活跃值 2010-4-18 22:34
SHARE精神赞美一个!
xacker 活跃值 1 2010-4-18 23:53
还是用现成的函数保险
x敏m 活跃值 2010-4-20 23:09
不错,学习了