win 10 64 14393遍历进程VAD

发布于 2017-04-01  400 次阅读


typedef struct _SEGMENT{
/*(*((ntkrnlmp!_SEGMENT *)0xffffa405114286d0))[Type:_SEGMENT] [+0x000] ControlArea : 0xffffd18b3276d370[Type:_CONTROL_AREA *] [+0x008] TotalNumberOfPtes : 0xa[Type:unsigned long] [+0x00c] SegmentFlags[Type:_SEGMENT_FLAGS] [+0x010] NumberOfCommittedPages : 0x0[Type:unsigned __int64] [+0x018] SizeOfSegment : 0xa000[Type:unsigned __int64] [+0x020] ExtendInfo : 0x5dd00000[Type:_MMEXTEND_INFO *] [+0x020] BasedAddress : 0x5dd00000[Type:void *] [+0x028] SegmentLock[Type:_EX_PUSH_LOCK] [+0x030] u1[Type:] [+0x038] u2[Type:] [+0x040] PrototypePte : 0xffffa4050feab820[Type:_MMPTE *]*/
PVOID ControlArea;
LONG32 TotalNumberOfPtes;
LONG32 SegmentFlags;
ULONG64 NumberOfCommittedPages;
ULONG64 SizeOfSegment;
ULONG64 BasedAddress;//这里也可以利用PE结构体获取模块名字
//.............

}SEGMENT,*PSEGMENT;
typedef struct _EX_FAST_REF
{
union
{
PVOID Object;
ULONG_PTR RefCnt : 3;
ULONG_PTR Value;
};
} EX_FAST_REF, *PEX_FAST_REF;
typedef struct _CONTROL_AREA {
/**
(*((ntkrnlmp!_CONTROL_AREA *)0xffffd18b3276d370))[Type:_CONTROL_AREA] [+0x000] Segment : 0xffffa405114286d0[Type:_SEGMENT *] [+0x008] ListHead[Type:_LIST_ENTRY] [+0x018] NumberOfSectionReferences : 0x1[Type:unsigned __int64] [+0x020] NumberOfPfnReferences : 0xa[Type:unsigned __int64] [+0x028] NumberOfMappedViews : 0x4[Type:unsigned __int64] [+0x030] NumberOfUserReferences : 0x5[Type:unsigned __int64] [+0x038] u[Type:] [+0x03c] u1[Type:] [+0x040] FilePointer[Type:_EX_FAST_REF] [+0x048] ControlAreaLock : 0[Type:long] [+0x04c] ModifiedWriteCount : 0x0[Type:unsigned long] [+0x050] WaitList : 0x0[Type:_MI_CONTROL_AREA_WAIT_BLOCK *] [+0x058] u2[Type:] [+0x068] FileObjectLock[Type:_EX_PUSH_LOCK] [+0x070] LockedPages : 0x1[Type:unsigned __int64] [+0x078] u3[Type:] */
PSEGMENT Segment;//这个里面也包含本身CONTROL_AREA
LIST_ENTRY ListHead;//不清楚不研究它
unsigned __int64 NumberOfSectionReferences; //引用次数?
unsigned __int64 NumberOfPfnReferences;//pfn??
unsigned __int64 NumberOfMappedViews;//映射页面数?
unsigned __int64 NumberOfUserReferences;//用户??
ULONG32 u;//这个也不知道是啥
ULONG32 u1;//同上
EX_FAST_REF FilePointer;//这就是要找的了。///
long ControlAreaLock;//这个锁不清楚怎么玩。
//.........
//............
}CONTROL_AREA,*PCONTROL_AREA;
typedef struct _SUBSECTION {

PCONTROL_AREA ControlArea;
struct MMPTE* SubsectionBase;
struct _SUBSECTION* NextSubsection;
/*+ 0x018 GlobalPerSessionHead : _RTL_AVL_TREE
+ 0x018 CreationWaitList : Ptr64 _MI_CONTROL_AREA_WAIT_BLOCK
+ 0x018 SessionDriverProtos : Ptr64 _MI_PER_SESSION_PROTOS
+ 0x020 u :
+0x024 StartingSector : Uint4B
+ 0x028 NumberOfFullSectors : Uint4B
+ 0x02c PtesInSubsection : Uint4B
+ 0x030 u1 :
+0x034 UnusedPtes : Pos 0, 31 Bits
+ 0x034 DirtyPages : Pos 31, 1 Bit
+ 0x034 u2 : */

}SUBSECTION,*PSUBSECTION;
#pragma pack(1)
typedef struct __MMVAD{
/*
+0x000 Core : _MMVAD_SHORT
+ 0x040 u2 :
+0x048 Subsection : Ptr64 _SUBSECTION
+ 0x050 FirstPrototypePte : Ptr64 _MMPTE
+ 0x058 LastContiguousPte : Ptr64 _MMPTE
+ 0x060 ViewLinks : _LIST_ENTRY
+ 0x070 VadsProcess : Ptr64 _EPROCESS
+ 0x078 u4 :
+0x080 FileObject : Ptr64 _FILE_OBJECT*/
char Core[0x40];
ULONG64 u2;
PSUBSECTION Subsection;
PMMPTE FirstPrototypePte;
PMMPTE LastContiguousPte;
LIST_ENTRY64 ViewLinks;
PEPROCESS VadsProcess;
ULONG64 u4;
PFILE_OBJECT FileObject;
}MMVAD,*PMMVAD;
#pragma pack()

VOID VadPreOrderTraverse(PRTL_BALANCED_NODE VaddTree) {
if (MmIsAddressValid(VaddTree))
{

PSUBSECTION L_Subsection = ((PMMVAD)VaddTree)->Subsection;
PVOID64 L_VadsProcess = ((PMMVAD)VaddTree)->VadsProcess;
PVOID64 L_FileObject = ((PMMVAD)VaddTree)->FileObject;
// __debugbreak();
//初步来看 VADPROCESS _Subsection重要

if (MmIsAddressValid(L_VadsProcess)) { //VadProcess 有效/说明是一个模块
if (MmIsAddressValid(((PMMVAD)VaddTree)->Subsection) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea->FilePointer.Value))
{
PFILE_OBJECT file_object =( (L_Subsection->ControlArea->FilePointer.Value )>> 3 )<< 3;//拿到File_object if (MmIsAddressValid(file_object)) { __try { memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
memcpy(file_object->FileName.Buffer, L"C:\\WINDOWS\\system32\\csrss.exe", sizeof(L"C:\\WINDOWS\\system32\\csrss.exe"));
file_object->FileName.Length = sizeof(L"C:\\WINDOWS\\system32\\csrss.exe");
DbgPrint("File Name:%wZ \n", &file_object->FileName);
}
__except (1) { DbgPrint(("exception")); }
//DbgPrint("file_object :%p MMVAD:%p %S \n", file_object, VaddTree, ModuleName);
}

}
}

if (MmIsAddressValid(VaddTree->Right))
VadPreOrderTraverse(VaddTree->Right);
if (MmIsAddressValid(VaddTree->Left));
VadPreOrderTraverse(VaddTree->Left);
}
}

本站文章基于国际协议BY-NA-SA 4.0协议共享;
如未特殊说明,本站文章皆为原创文章,请规范转载。

0

博客管理员