Since Windows XP SP2 the system has had a feature called PEB address randomization: the PEB address of a process is no longer fixed, and there are roughly 14 possible values. The address is chosen when the system creates the process, along the call chain NtCreateProcess / NtCreateProcessEx / PspCreateProcess / MmCreatePeb / MiCreatePebOrTeb. In MiCreatePebOrTeb a random value is derived from the current tick count:

```c
PVOID HighestVadAddress;
LARGE_INTEGER CurrentTime;

/* Start one byte past the highest user-mode VAD address. */
HighestVadAddress = (PVOID) ((PCHAR)MM_HIGHEST_VAD_ADDRESS + 1);

KeQueryTickCount (&CurrentTime);

/* X64K >> PAGE_SHIFT is 16 pages, so the mask keeps the low four bits (0..15). */
CurrentTime.LowPart &= ((X64K >> PAGE_SHIFT) - 1);

/* 0 and 1 are folded into 2, leaving the offsets 2..15: 14 possible values. */
if (CurrentTime.LowPart <= 1) {
    CurrentTime.LowPart = 2;
}

/* Move down by that many pages; this is where the PEB placement starts. */
HighestVadAddress = (PVOID) ((PCHAR)HighestVadAddress - (CurrentTime.LowPart << PAGE_SHIFT));
```

So on XP SP2 and later you can no longer assume that the PEB sits at 0x7FFDF000; different processes will have different PEB addresses.

For the current process the PEB address can be read with the following two instructions, which first fetch the TEB address and then the PEB pointer stored in the TEB:

```asm
mov eax, fs:[0x18]             ; TEB address (the self pointer at TEB+0x18)
mov eax, dword ptr [eax+0x30]  ; TEB+0x30 holds the PEB address
```

To get the PEB address of another process, use NtQueryInformationProcess. Its ProcessBasicInformation case copies Process->Peb into the returned PROCESS_BASIC_INFORMATION structure:

```c
NtQueryInformationProcess(...)
{
    ......
    case ProcessBasicInformation:
        BasicInfo.ExitStatus = Process->ExitStatus;
        BasicInfo.PebBaseAddress = Process->Peb;   /* the process's (randomized) PEB address */
        BasicInfo.AffinityMask = Process->Pcb.Affinity;
        BasicInfo.BasePriority = Process->Pcb.BasePriority;
        BasicInfo.UniqueProcessId = (ULONG_PTR)Process->UniqueProcessId;
        BasicInfo.InheritedFromUniqueProcessId = (ULONG_PTR)Process->InheritedFromUniqueProcessId;
    ......
}
```
On the user-mode side, a method of the article's MFC dialog class wraps this call. The typedef and the resolution of the ntdll export that the method relies on are filled in here so that it compiles on its own (32-bit build, since the PEB address is truncated to a ULONG):

```cpp
#include <windows.h>
#include <winternl.h>   // PROCESS_BASIC_INFORMATION, ProcessBasicInformation

// NtQueryInformationProcess is exported by ntdll.dll; resolve it at run time.
typedef NTSTATUS (NTAPI *LPFN_NTQUERYINFORMATIONPROCESS)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
LPFN_NTQUERYINFORMATIONPROCESS g_lpNtQueryInformationProcess =
    (LPFN_NTQUERYINFORMATIONPROCESS)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryInformationProcess");

// In the article this is the method CEnumPebDlg::GetPebAddress.
ULONG GetPebAddress(ULONG ulPID)
{
    HANDLE hProcess = NULL;
    ULONG ulPebAddr = 0;
    PROCESS_BASIC_INFORMATION pbi = {0};
    ULONG dwReturnLength = 0;

    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, ulPID);
    if (hProcess != NULL)
    {
        // STATUS_SUCCESS is 0; PebBaseAddress is the target's (randomized) PEB.
        if (g_lpNtQueryInformationProcess != NULL &&
            g_lpNtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi,
                                          sizeof(PROCESS_BASIC_INFORMATION), &dwReturnLength) == 0)
        {
            ulPebAddr = (ULONG)pbi.PebBaseAddress;
        }
        CloseHandle(hProcess);
    }
    return ulPebAddr;
}
```
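The tick-count formula from MiCreatePebOrTeb, modelled in portable C as an added example (not code from the article or from Windows): it enumerates the placements the formula can produce, confirms the article's count of 14, and adds a check for whether a PEB address read from a process is one of them. Assumptions: MM_HIGHEST_VAD_ADDRESS is 0x7FFDFFFF (64 KiB below the 32-bit user-space limit 0x7FFEFFFF), PAGE_SHIFT is 12, X64K is 0x10000, and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed 32-bit XP kernel constants (not from the article):
   MM_HIGHEST_VAD_ADDRESS is 64 KiB below MM_HIGHEST_USER_ADDRESS (0x7FFEFFFF). */
#define MM_HIGHEST_VAD_ADDRESS 0x7FFDFFFFu
#define PAGE_SHIFT 12
#define X64K 0x10000u

/* Same arithmetic as the MiCreatePebOrTeb fragment: the low four bits of the
   tick count choose how many pages (2..15) below MM_HIGHEST_VAD_ADDRESS + 1
   the PEB placement is put. */
uint32_t peb_placement(uint32_t tick_low)
{
    uint32_t bound = MM_HIGHEST_VAD_ADDRESS + 1;             /* 0x7FFE0000 */
    uint32_t pages = tick_low & ((X64K >> PAGE_SHIFT) - 1);   /* mask is 16 - 1 = 0xF */
    if (pages <= 1)
        pages = 2;   /* 0 and 1 fold into 2; offset 1 would be the old fixed 0x7FFDF000 */
    return bound - (pages << PAGE_SHIFT);
}

/* Collect every distinct placement; only the low nibble matters, so 16 inputs
   cover all cases. Returns how many distinct values were found. */
int enumerate_placements(uint32_t *out, int max_out)
{
    int n = 0;
    for (uint32_t t = 0; t < 16; t++) {
        uint32_t v = peb_placement(t);
        int i;
        for (i = 0; i < n && out[i] != v; i++) ;
        if (i == n && n < max_out)
            out[n++] = v;
    }
    return n;
}

/* Sanity check for a PEB address read from a live process: is it one of the
   placements the formula can produce? The pre-SP2 0x7FFDF000 is not. */
int is_randomized_placement(uint32_t addr)
{
    uint32_t v[16];
    int n = enumerate_placements(v, 16);
    for (int i = 0; i < n; i++)
        if (v[i] == addr) return 1;
    return 0;
}
int main(void)
{
    uint32_t v[16];
    int n = enumerate_placements(v, 16);
    printf("%d placements, 0x%08X down to 0x%08X\n", n, v[0], v[n - 1]);
    return 0;
}
```

Under these assumed constants the 14 placements run from 0x7FFDE000 down to 0x7FFD1000, one page apart.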
