-
x64内核实验6-进程
x64内核实验6-进程
进程结构体头文件(很长可以直接看后面的重要属性介绍)
首先来看一下进程结构体完整的定义,然后我会介绍几个比较重要的字段属性
下面是我从pdb文件导出的头文件,这个头文件可以直接复制到ida里导入成结构体使用的,其他结构体的头文件后面我会一起放出来给大家下载
KEPROCESS.htypedef struct _KPROCESS // 54 elements, 0x438 bytes (sizeof) { /*0x000*/ struct _DISPATCHER_HEADER Header; // 59 elements, 0x18 bytes (sizeof) /*0x018*/ struct _LIST_ENTRY ProfileListHead; // 2 elements, 0x10 bytes (sizeof) /*0x028*/ UINT64 DirectoryTableBase; /*0x030*/ struct _LIST_ENTRY ThreadListHead; // 2 elements, 0x10 bytes (sizeof) /*0x040*/ ULONG32 ProcessLock; /*0x044*/ ULONG32 ProcessTimerDelay; /*0x048*/ UINT64 DeepFreezeStartTime; /*0x050*/ struct _KAFFINITY_EX Affinity; // 4 elements, 0xA8 bytes (sizeof) /*0x0F8*/ UINT64 AffinityPadding[12]; /*0x158*/ struct _LIST_ENTRY ReadyListHead; // 2 elements, 0x10 bytes (sizeof) /*0x168*/ struct _SINGLE_LIST_ENTRY SwapListEntry; // 1 elements, 0x8 bytes (sizeof) /*0x170*/ struct _KAFFINITY_EX ActiveProcessors; // 4 elements, 0xA8 bytes (sizeof) /*0x218*/ UINT64 ActiveProcessorsPadding[12]; union // 2 elements, 0x4 bytes (sizeof) { struct // 10 elements, 0x4 bytes (sizeof) { /*0x278*/ ULONG32 AutoAlignment : 1; // 0 BitPosition /*0x278*/ ULONG32 DisableBoost : 1; // 1 BitPosition /*0x278*/ ULONG32 DisableQuantum : 1; // 2 BitPosition /*0x278*/ ULONG32 DeepFreeze : 1; // 3 BitPosition /*0x278*/ ULONG32 TimerVirtualization : 1; // 4 BitPosition /*0x278*/ ULONG32 CheckStackExtents : 1; // 5 BitPosition /*0x278*/ ULONG32 CacheIsolationEnabled : 1; // 6 BitPosition /*0x278*/ ULONG32 PpmPolicy : 3; // 7 BitPosition /*0x278*/ ULONG32 VaSpaceDeleted : 1; // 10 BitPosition /*0x278*/ ULONG32 ReservedFlags : 21; // 11 BitPosition }; /*0x278*/ LONG32 ProcessFlags; }; /*0x27C*/ ULONG32 ActiveGroupsMask; /*0x280*/ CHAR BasePriority; /*0x281*/ CHAR QuantumReset; /*0x282*/ CHAR Visited; /*0x283*/ union _KEXECUTE_OPTIONS Flags; // 10 elements, 0x1 bytes (sizeof) /*0x284*/ UINT16 ThreadSeed[20]; /*0x2AC*/ UINT16 ThreadSeedPadding[12]; /*0x2C4*/ UINT16 IdealProcessor[20]; /*0x2EC*/ UINT16 IdealProcessorPadding[12]; /*0x304*/ UINT16 IdealNode[20]; /*0x32C*/ UINT16 IdealNodePadding[12]; /*0x344*/ UINT16 IdealGlobalNode; /*0x346*/ UINT16 Spare1; /*0x348*/ union _KSTACK_COUNT StackCount; // 3 elements, 0x4 bytes (sizeof) /*0x34C*/ UINT8 _PADDING0_[0x4]; /*0x350*/ struct _LIST_ENTRY ProcessListEntry; // 2 elements, 0x10 bytes (sizeof) /*0x360*/ UINT64 CycleTime; /*0x368*/ UINT64 ContextSwitches; /*0x370*/ struct _KSCHEDULING_GROUP* SchedulingGroup; /*0x378*/ ULONG32 FreezeCount; /*0x37C*/ ULONG32 KernelTime; /*0x380*/ ULONG32 UserTime; /*0x384*/ ULONG32 ReadyTime; /*0x388*/ UINT64 UserDirectoryTableBase; /*0x390*/ UINT8 AddressPolicy; /*0x391*/ UINT8 Spare2[71]; /*0x3D8*/ VOID* InstrumentationCallback; /*0x3E0*/ union _SecureState; // 2 elements, 0x8 bytes (sizeof) /*0x3E8*/ UINT64 KernelWaitTime; /*0x3F0*/ UINT64 UserWaitTime; /*0x3F8*/ UINT64 EndPadding[8]; }KPROCESS, *PKPROCESS; - 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
EPROCESS.h
typedef struct _EPROCESS // 235 elements, 0xA40 bytes (sizeof) { /*0x000*/ struct _KPROCESS Pcb; // 54 elements, 0x438 bytes (sizeof) /*0x438*/ struct _EX_PUSH_LOCK ProcessLock; // 7 elements, 0x8 bytes (sizeof) /*0x440*/ VOID* UniqueProcessId; /*0x448*/ struct _LIST_ENTRY ActiveProcessLinks; // 2 elements, 0x10 bytes (sizeof) /*0x458*/ struct _EX_RUNDOWN_REF RundownProtect; // 2 elements, 0x8 bytes (sizeof) union // 2 elements, 0x4 bytes (sizeof) { /*0x460*/ ULONG32 Flags2; struct // 28 elements, 0x4 bytes (sizeof) { /*0x460*/ ULONG32 JobNotReallyActive : 1; // 0 BitPosition /*0x460*/ ULONG32 AccountingFolded : 1; // 1 BitPosition /*0x460*/ ULONG32 NewProcessReported : 1; // 2 BitPosition /*0x460*/ ULONG32 ExitProcessReported : 1; // 3 BitPosition /*0x460*/ ULONG32 ReportCommitChanges : 1; // 4 BitPosition /*0x460*/ ULONG32 LastReportMemory : 1; // 5 BitPosition /*0x460*/ ULONG32 ForceWakeCharge : 1; // 6 BitPosition /*0x460*/ ULONG32 CrossSessionCreate : 1; // 7 BitPosition /*0x460*/ ULONG32 NeedsHandleRundown : 1; // 8 BitPosition /*0x460*/ ULONG32 RefTraceEnabled : 1; // 9 BitPosition /*0x460*/ ULONG32 PicoCreated : 1; // 10 BitPosition /*0x460*/ ULONG32 EmptyJobEvaluated : 1; // 11 BitPosition /*0x460*/ ULONG32 DefaultPagePriority : 3; // 12 BitPosition /*0x460*/ ULONG32 PrimaryTokenFrozen : 1; // 15 BitPosition /*0x460*/ ULONG32 ProcessVerifierTarget : 1; // 16 BitPosition /*0x460*/ ULONG32 RestrictSetThreadContext : 1; // 17 BitPosition /*0x460*/ ULONG32 AffinityPermanent : 1; // 18 BitPosition /*0x460*/ ULONG32 AffinityUpdateEnable : 1; // 19 BitPosition /*0x460*/ ULONG32 PropagateNode : 1; // 20 BitPosition /*0x460*/ ULONG32 ExplicitAffinity : 1; // 21 BitPosition /*0x460*/ ULONG32 ProcessExecutionState : 2; // 22 BitPosition /*0x460*/ ULONG32 EnableReadVmLogging : 1; // 24 BitPosition /*0x460*/ ULONG32 EnableWriteVmLogging : 1; // 25 BitPosition /*0x460*/ ULONG32 FatalAccessTerminationRequested : 1; // 26 BitPosition /*0x460*/ ULONG32 DisableSystemAllowedCpuSet : 1; // 27 BitPosition /*0x460*/ ULONG32 ProcessStateChangeRequest : 2; // 28 BitPosition /*0x460*/ ULONG32 ProcessStateChangeInProgress : 1; // 30 BitPosition /*0x460*/ ULONG32 InPrivate : 1; // 31 BitPosition }; }; union // 2 elements, 0x4 bytes (sizeof) { /*0x464*/ ULONG32 Flags; struct // 29 elements, 0x4 bytes (sizeof) { /*0x464*/ ULONG32 CreateReported : 1; // 0 BitPosition /*0x464*/ ULONG32 NoDebugInherit : 1; // 1 BitPosition /*0x464*/ ULONG32 ProcessExiting : 1; // 2 BitPosition /*0x464*/ ULONG32 ProcessDelete : 1; // 3 BitPosition /*0x464*/ ULONG32 ManageExecutableMemoryWrites : 1; // 4 BitPosition /*0x464*/ ULONG32 VmDeleted : 1; // 5 BitPosition /*0x464*/ ULONG32 OutswapEnabled : 1; // 6 BitPosition /*0x464*/ ULONG32 Outswapped : 1; // 7 BitPosition /*0x464*/ ULONG32 FailFastOnCommitFail : 1; // 8 BitPosition /*0x464*/ ULONG32 Wow64VaSpace4Gb : 1; // 9 BitPosition /*0x464*/ ULONG32 AddressSpaceInitialized : 2; // 10 BitPosition /*0x464*/ ULONG32 SetTimerResolution : 1; // 12 BitPosition /*0x464*/ ULONG32 BreakOnTermination : 1; // 13 BitPosition /*0x464*/ ULONG32 DeprioritizeViews : 1; // 14 BitPosition /*0x464*/ ULONG32 WriteWatch : 1; // 15 BitPosition /*0x464*/ ULONG32 ProcessInSession : 1; // 16 BitPosition /*0x464*/ ULONG32 OverrideAddressSpace : 1; // 17 BitPosition /*0x464*/ ULONG32 HasAddressSpace : 1; // 18 BitPosition /*0x464*/ ULONG32 LaunchPrefetched : 1; // 19 BitPosition /*0x464*/ ULONG32 Background : 1; // 20 BitPosition /*0x464*/ ULONG32 VmTopDown : 1; // 21 BitPosition /*0x464*/ ULONG32 ImageNotifyDone : 1; // 22 BitPosition /*0x464*/ ULONG32 PdeUpdateNeeded : 1; // 23 BitPosition /*0x464*/ ULONG32 VdmAllowed : 1; // 24 BitPosition /*0x464*/ ULONG32 ProcessRundown : 1; // 25 BitPosition /*0x464*/ ULONG32 ProcessInserted : 1; // 26 BitPosition /*0x464*/ ULONG32 DefaultIoPriority : 3; // 27 BitPosition /*0x464*/ ULONG32 ProcessSelfDelete : 1; // 30 BitPosition /*0x464*/ ULONG32 SetTimerResolutionLink : 1; // 31 BitPosition }; }; /*0x468*/ union _LARGE_INTEGER CreateTime; // 4 elements, 0x8 bytes (sizeof) /*0x470*/ UINT64 ProcessQuotaUsage[2]; /*0x480*/ UINT64 ProcessQuotaPeak[2]; /*0x490*/ UINT64 PeakVirtualSize; /*0x498*/ UINT64 VirtualSize; /*0x4A0*/ struct _LIST_ENTRY SessionProcessLinks; // 2 elements, 0x10 bytes (sizeof) union // 3 elements, 0x8 bytes (sizeof) { /*0x4B0*/ VOID* ExceptionPortData; /*0x4B0*/ UINT64 ExceptionPortValue; /*0x4B0*/ UINT64 ExceptionPortState : 3; // 0 BitPosition }; /*0x4B8*/ struct _EX_FAST_REF Token; // 3 elements, 0x8 bytes (sizeof) /*0x4C0*/ UINT64 MmReserved; /*0x4C8*/ struct _EX_PUSH_LOCK AddressCreationLock; // 7 elements, 0x8 bytes (sizeof) /*0x4D0*/ struct _EX_PUSH_LOCK PageTableCommitmentLock; // 7 elements, 0x8 bytes (sizeof) /*0x4D8*/ struct _ETHREAD* RotateInProgress; /*0x4E0*/ struct _ETHREAD* ForkInProgress; /*0x4E8*/ struct _EJOB* CommitChargeJob; /*0x4F0*/ struct _RTL_AVL_TREE CloneRoot; // 1 elements, 0x8 bytes (sizeof) /*0x4F8*/ UINT64 NumberOfPrivatePages; /*0x500*/ UINT64 NumberOfLockedPages; /*0x508*/ VOID* Win32Process; /*0x510*/ struct _EJOB* Job; /*0x518*/ VOID* SectionObject; /*0x520*/ VOID* SectionBaseAddress; /*0x528*/ ULONG32 Cookie; /*0x52C*/ UINT8 _PADDING0_[0x4]; /*0x530*/ struct _PAGEFAULT_HISTORY* WorkingSetWatch; /*0x538*/ VOID* Win32WindowStation; /*0x540*/ VOID* InheritedFromUniqueProcessId; /*0x548*/ UINT64 OwnerProcessId; /*0x550*/ struct _PEB* Peb; /*0x558*/ struct _MM_SESSION_SPACE* Session; /*0x560*/ VOID* Spare1; /*0x568*/ struct _EPROCESS_QUOTA_BLOCK* QuotaBlock; /*0x570*/ struct _HANDLE_TABLE* ObjectTable; /*0x578*/ VOID* DebugPort; /*0x580*/ struct _EWOW64PROCESS* WoW64Process; /*0x588*/ VOID* DeviceMap; /*0x590*/ VOID* EtwDataSource; /*0x598*/ UINT64 PageDirectoryPte; /*0x5A0*/ struct _FILE_OBJECT* ImageFilePointer; /*0x5A8*/ UINT8 ImageFileName[15]; /*0x5B7*/ UINT8 PriorityClass; /*0x5B8*/ VOID* SecurityPort; /*0x5C0*/ struct _SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo; // 1 elements, 0x8 bytes (sizeof) /*0x5C8*/ struct _LIST_ENTRY JobLinks; // 2 elements, 0x10 bytes (sizeof) /*0x5D8*/ VOID* HighestUserAddress; /*0x5E0*/ struct _LIST_ENTRY ThreadListHead; // 2 elements, 0x10 bytes (sizeof) /*0x5F0*/ ULONG32 ActiveThreads; /*0x5F4*/ ULONG32 ImagePathHash; /*0x5F8*/ ULONG32 DefaultHardErrorProcessing; /*0x5FC*/ LONG32 LastThreadExitStatus; /*0x600*/ struct _EX_FAST_REF PrefetchTrace; // 3 elements, 0x8 bytes (sizeof) /*0x608*/ VOID* LockedPagesList; /*0x610*/ union _LARGE_INTEGER ReadOperationCount; // 4 elements, 0x8 bytes (sizeof) /*0x618*/ union _LARGE_INTEGER WriteOperationCount; // 4 elements, 0x8 bytes (sizeof) /*0x620*/ union _LARGE_INTEGER OtherOperationCount; // 4 elements, 0x8 bytes (sizeof) /*0x628*/ union _LARGE_INTEGER ReadTransferCount; // 4 elements, 0x8 bytes (sizeof) /*0x630*/ union _LARGE_INTEGER WriteTransferCount; // 4 elements, 0x8 bytes (sizeof) /*0x638*/ union _LARGE_INTEGER OtherTransferCount; // 4 elements, 0x8 bytes (sizeof) /*0x640*/ UINT64 CommitChargeLimit; /*0x648*/ UINT64 CommitCharge; /*0x650*/ UINT64 CommitChargePeak; /*0x658*/ UINT8 _PADDING1_[0x28]; /*0x680*/ struct _MMSUPPORT_FULL Vm; // 2 elements, 0x140 bytes (sizeof) /*0x7C0*/ struct _LIST_ENTRY MmProcessLinks; // 2 elements, 0x10 bytes (sizeof) /*0x7D0*/ ULONG32 ModifiedPageCount; /*0x7D4*/ LONG32 ExitStatus; /*0x7D8*/ struct _RTL_AVL_TREE VadRoot; // 1 elements, 0x8 bytes (sizeof) /*0x7E0*/ VOID* VadHint; /*0x7E8*/ UINT64 VadCount; /*0x7F0*/ UINT64 VadPhysicalPages; /*0x7F8*/ UINT64 VadPhysicalPagesLimit; /*0x800*/ struct _ALPC_PROCESS_CONTEXT AlpcContext; // 3 elements, 0x20 bytes (sizeof) /*0x820*/ struct _LIST_ENTRY TimerResolutionLink; // 2 elements, 0x10 bytes (sizeof) /*0x830*/ struct _PO_DIAG_STACK_RECORD* TimerResolutionStackRecord; /*0x838*/ ULONG32 RequestedTimerResolution; /*0x83C*/ ULONG32 SmallestTimerResolution; /*0x840*/ union _LARGE_INTEGER ExitTime; // 4 elements, 0x8 bytes (sizeof) /*0x848*/ struct _INVERTED_FUNCTION_TABLE* InvertedFunctionTable; /*0x850*/ struct _EX_PUSH_LOCK InvertedFunctionTableLock; // 7 elements, 0x8 bytes (sizeof) /*0x858*/ ULONG32 ActiveThreadsHighWatermark; /*0x85C*/ ULONG32 LargePrivateVadCount; /*0x860*/ struct _EX_PUSH_LOCK ThreadListLock; // 7 elements, 0x8 bytes (sizeof) /*0x868*/ VOID* WnfContext; /*0x870*/ struct _EJOB* ServerSilo; /*0x878*/ UINT8 SignatureLevel; /*0x879*/ UINT8 SectionSignatureLevel; /*0x87A*/ struct _PS_PROTECTION Protection; // 4 elements, 0x1 bytes (sizeof) struct // 3 elements, 0x1 bytes (sizeof) { /*0x87B*/ UINT8 HangCount : 3; // 0 BitPosition /*0x87B*/ UINT8 GhostCount : 3; // 3 BitPosition /*0x87B*/ UINT8 PrefilterException : 1; // 6 BitPosition }; union // 2 elements, 0x4 bytes (sizeof) { /*0x87C*/ ULONG32 Flags3; struct // 28 elements, 0x4 bytes (sizeof) { /*0x87C*/ ULONG32 Minimal : 1; // 0 BitPosition /*0x87C*/ ULONG32 ReplacingPageRoot : 1; // 1 BitPosition /*0x87C*/ ULONG32 Crashed : 1; // 2 BitPosition /*0x87C*/ ULONG32 JobVadsAreTracked : 1; // 3 BitPosition /*0x87C*/ ULONG32 VadTrackingDisabled : 1; // 4 BitPosition /*0x87C*/ ULONG32 AuxiliaryProcess : 1; // 5 BitPosition /*0x87C*/ ULONG32 SubsystemProcess : 1; // 6 BitPosition /*0x87C*/ ULONG32 IndirectCpuSets : 1; // 7 BitPosition /*0x87C*/ ULONG32 RelinquishedCommit : 1; // 8 BitPosition /*0x87C*/ ULONG32 HighGraphicsPriority : 1; // 9 BitPosition /*0x87C*/ ULONG32 CommitFailLogged : 1; // 10 BitPosition /*0x87C*/ ULONG32 ReserveFailLogged : 1; // 11 BitPosition /*0x87C*/ ULONG32 SystemProcess : 1; // 12 BitPosition /*0x87C*/ ULONG32 HideImageBaseAddresses : 1; // 13 BitPosition /*0x87C*/ ULONG32 AddressPolicyFrozen : 1; // 14 BitPosition /*0x87C*/ ULONG32 ProcessFirstResume : 1; // 15 BitPosition /*0x87C*/ ULONG32 ForegroundExternal : 1; // 16 BitPosition /*0x87C*/ ULONG32 ForegroundSystem : 1; // 17 BitPosition /*0x87C*/ ULONG32 HighMemoryPriority : 1; // 18 BitPosition /*0x87C*/ ULONG32 EnableProcessSuspendResumeLogging : 1; // 19 BitPosition /*0x87C*/ ULONG32 EnableThreadSuspendResumeLogging : 1; // 20 BitPosition /*0x87C*/ ULONG32 SecurityDomainChanged : 1; // 21 BitPosition /*0x87C*/ ULONG32 SecurityFreezeComplete : 1; // 22 BitPosition /*0x87C*/ ULONG32 VmProcessorHost : 1; // 23 BitPosition /*0x87C*/ ULONG32 VmProcessorHostTransition : 1; // 24 BitPosition /*0x87C*/ ULONG32 AltSyscall : 1; // 25 BitPosition /*0x87C*/ ULONG32 TimerResolutionIgnore : 1; // 26 BitPosition /*0x87C*/ ULONG32 DisallowUserTerminate : 1; // 27 BitPosition }; }; /*0x880*/ LONG32 DeviceAsid; /*0x884*/ UINT8 _PADDING2_[0x4]; /*0x888*/ VOID* SvmData; /*0x890*/ struct _EX_PUSH_LOCK SvmProcessLock; // 7 elements, 0x8 bytes (sizeof) /*0x898*/ UINT64 SvmLock; /*0x8A0*/ struct _LIST_ENTRY SvmProcessDeviceListHead; // 2 elements, 0x10 bytes (sizeof) /*0x8B0*/ UINT64 LastFreezeInterruptTime; /*0x8B8*/ struct _PROCESS_DISK_COUNTERS* DiskCounters; /*0x8C0*/ VOID* PicoContext; /*0x8C8*/ VOID* EnclaveTable; /*0x8D0*/ UINT64 EnclaveNumber; /*0x8D8*/ struct _EX_PUSH_LOCK EnclaveLock; // 7 elements, 0x8 bytes (sizeof) /*0x8E0*/ ULONG32 HighPriorityFaultsAllowed; /*0x8E4*/ UINT8 _PADDING3_[0x4]; /*0x8E8*/ struct _PO_PROCESS_ENERGY_CONTEXT* EnergyContext; /*0x8F0*/ VOID* VmContext; /*0x8F8*/ UINT64 SequenceNumber; /*0x900*/ UINT64 CreateInterruptTime; /*0x908*/ UINT64 CreateUnbiasedInterruptTime; /*0x910*/ UINT64 TotalUnbiasedFrozenTime; /*0x918*/ UINT64 LastAppStateUpdateTime; struct // 2 elements, 0x8 bytes (sizeof) { /*0x920*/ UINT64 LastAppStateUptime : 61; // 0 BitPosition /*0x920*/ UINT64 LastAppState : 3; // 61 BitPosition }; /*0x928*/ UINT64 SharedCommitCharge; /*0x930*/ struct _EX_PUSH_LOCK SharedCommitLock; // 7 elements, 0x8 bytes (sizeof) /*0x938*/ struct _LIST_ENTRY SharedCommitLinks; // 2 elements, 0x10 bytes (sizeof) union // 2 elements, 0x10 bytes (sizeof) { struct // 2 elements, 0x10 bytes (sizeof) { /*0x948*/ UINT64 AllowedCpuSets; /*0x950*/ UINT64 DefaultCpuSets; }; struct // 2 elements, 0x10 bytes (sizeof) { /*0x948*/ UINT64* AllowedCpuSetsIndirect; /*0x950*/ UINT64* DefaultCpuSetsIndirect; }; }; /*0x958*/ VOID* DiskIoAttribution; /*0x960*/ VOID* DxgProcess; /*0x968*/ ULONG32 Win32KFilterSet; /*0x96C*/ UINT8 _PADDING4_[0x4]; /*0x970*/ union _PS_INTERLOCKED_TIMER_DELAY_VALUES ProcessTimerDelay; // 7 elements, 0x8 bytes (sizeof) /*0x978*/ ULONG32 KTimerSets; /*0x97C*/ ULONG32 KTimer2Sets; /*0x980*/ ULONG32 ThreadTimerSets; /*0x984*/ UINT8 _PADDING5_[0x4]; /*0x988*/ UINT64 VirtualTimerListLock; /*0x990*/ struct _LIST_ENTRY VirtualTimerListHead; // 2 elements, 0x10 bytes (sizeof) union // 2 elements, 0x30 bytes (sizeof) { /*0x9A0*/ struct _WNF_STATE_NAME WakeChannel; // 1 elements, 0x8 bytes (sizeof) /*0x9A0*/ struct _PS_PROCESS_WAKE_INFORMATION WakeInfo; // 4 elements, 0x30 bytes (sizeof) }; union // 2 elements, 0x4 bytes (sizeof) { /*0x9D0*/ ULONG32 MitigationFlags; /*0x9D0*/ struct _MitigationFlagsValues; // 32 elements, 0x4 bytes (sizeof) }; union // 2 elements, 0x4 bytes (sizeof) { /*0x9D4*/ ULONG32 MitigationFlags2; /*0x9D4*/ struct _ MitigationFlags2Values; // 32 elements, 0x4 bytes (sizeof) }; /*0x9D8*/ VOID* PartitionObject; /*0x9E0*/ UINT64 SecurityDomain; /*0x9E8*/ UINT64 ParentSecurityDomain; /*0x9F0*/ VOID* CoverageSamplerContext; /*0x9F8*/ VOID* MmHotPatchContext; /*0xA00*/ struct _RTL_AVL_TREE DynamicEHContinuationTargetsTree; // 1 elements, 0x8 bytes (sizeof) /*0xA08*/ struct _EX_PUSH_LOCK DynamicEHContinuationTargetsLock; // 7 elements, 0x8 bytes (sizeof) /*0xA10*/ struct _PS_DYNAMIC_ENFORCED_ADDRESS_RANGES DynamicEnforcedCetCompatibleRanges; // 2 elements, 0x10 bytes (sizeof) /*0xA20*/ ULONG32 DisabledComponentFlags; /*0xA24*/ UINT8 _PADDING6_[0x4]; /*0xA28*/ ULONG32* PathRedirectionHashes; /*0xA30*/ UINT8 _PADDING7_[0x10]; }EPROCESS, *PEPROCESS; - 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
- 57
- 58
- 59
- 60
- 61
- 62
- 63
- 64
- 65
- 66
- 67
- 68
- 69
- 70
- 71
- 72
- 73
- 74
- 75
- 76
- 77
- 78
- 79
- 80
- 81
- 82
- 83
- 84
- 85
- 86
- 87
- 88
- 89
- 90
- 91
- 92
- 93
- 94
- 95
- 96
- 97
- 98
- 99
- 100
- 101
- 102
- 103
- 104
- 105
- 106
- 107
- 108
- 109
- 110
- 111
- 112
- 113
- 114
- 115
- 116
- 117
- 118
- 119
- 120
- 121
- 122
- 123
- 124
- 125
- 126
- 127
- 128
- 129
- 130
- 131
- 132
- 133
- 134
- 135
- 136
- 137
- 138
- 139
- 140
- 141
- 142
- 143
- 144
- 145
- 146
- 147
- 148
- 149
- 150
- 151
- 152
- 153
- 154
- 155
- 156
- 157
- 158
- 159
- 160
- 161
- 162
- 163
- 164
- 165
- 166
- 167
- 168
- 169
- 170
- 171
- 172
- 173
- 174
- 175
- 176
- 177
- 178
- 179
- 180
- 181
- 182
- 183
- 184
- 185
- 186
- 187
- 188
- 189
- 190
- 191
- 192
- 193
- 194
- 195
- 196
- 197
- 198
- 199
- 200
- 201
- 202
- 203
- 204
- 205
- 206
- 207
- 208
- 209
- 210
- 211
- 212
- 213
- 214
- 215
- 216
- 217
- 218
- 219
- 220
- 221
- 222
- 223
- 224
- 225
- 226
- 227
- 228
- 229
- 230
- 231
- 232
- 233
- 234
- 235
- 236
- 237
- 238
- 239
- 240
- 241
- 242
- 243
- 244
- 245
- 246
- 247
- 248
- 249
- 250
- 251
- 252
- 253
- 254
- 255
- 256
- 257
- 258
- 259
- 260
- 261
- 262
- 263
- 264
- 265
- 266
- 267
- 268
- 269
- 270
- 271
- 272
- 273
- 274
- 275
- 276
- 277
- 278
- 279
- 280
- 281
- 282
- 283
- 284
- 285
- 286
- 287
- 288
- 289
- 290
- 291
进程结构体主要属性的介绍
这两个结构体非常大,我们简单介绍一下比较重要的几个字段
首先就是EPROCESS的第一个成员KPROCESS里的一些字段 KPROCESS + 0x0 _DISPATCHER_HEADER Header; 这是内核对象中可等待对象都有的一个头 KPROCESS + 0x18 struct _LIST_ENTRY ProfileListHead; KPROCESS + 0x28 UINT64 DirectoryTableBase; 这个成员在xp时候是个int32[2]数组,现在是一个int64的cr3的值,是内核cr3 KPROCESS + 0x388 UINT64 UserDirectoryTableBase; 这个则是当前进程3环时候的cr3的值,如果没开启kpit的话这个是0 KPROCESS + 0x050 struct _KAFFINITY_EX Affinity; 这个跟xp时候一样控制当前进程可以在那个核心执行 KPROCESS + 0x37C ULONG32 KernelTime; KPROCESS + 0x380 ULONG32 UserTime; 这两个time跟xp时候一样是统计信息 然后再看一下EPROCESS EPROCESS + 0x440 VOID* UniqueProcessId; 这个就是我们平时看到的pid,这个值也是全局句柄表里的索引 EPROCESS + 0x448 struct _LIST_ENTRY ActiveProcessLinks; 这个成员跟xp时候作用一样用于串联所有的活动进程对象结构体,PsActiveProcessHead这个全局变量则指向这个链表的头,可以通过这个试一下xp下都会做的一个实验,进程断链看一下 EPROCESS + 0x5A8 UINT8 ImageFileName[15]; 这个位置存储了进程名也是镜像名 EPROCESS + 0x7D8 struct _RTL_AVL_TREE VadRoot; 这个位置存储的是跟内存管理相关的一个二叉树标识那些地址可用 EPROCESS + 0x578 VOID* DebugPort; 这个值跟调试相关,当进程被调试的时候这里会存储调试时使用的对象地址,xp时候有些反调试会创建线程或者定时器循环清空这个位置 EPROCESS + 0x570 struct _HANDLE_TABLE* ObjectTable; 这里存储的是进程的局部句柄表,这里也有些人会用来反调试,在内核查看其他进程的句柄表寻找有没有自己有的话就是被别人打开了如果打开了就给他关掉或者关掉自己 EPROCESS + 0x550 struct _PEB* Peb; 这里存储了PEB的位置,这个地址一般是在三环,有基础的会记得xp里在三环的fs:0存储的是teb然后teb里能找到peb,64位时候只是fs变为了gs,peb里0x2的位置有个BeingDebugged记录了当前进程是否被调试,然后在peb+0x018的位置有个Ldr这个结构体里有双向链表串起了当前进程使用的模块- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
常见的差不多就这些了
下面可以做几个实验(最近比较忙我这边还是先把知识点整理出来,代码后面有空了写一份贴上来,大家可以先自己尝试这做一下)
实验1:0环断链隐藏进程
实验2:0环清空debugport反调试
实验3:通过三环peb查找自己加载的所有模块
实验4:通过修改peb里的begindebug达到反调试 -
相关阅读:
AUTOSAR从入门到精通100讲(150)-SOA架构及应用
【Linux】Jetson nano 使用记录,安装torch1.8、yolov5 tensorrt加速、java等
arp欺骗
朴实无华的三天每日一题
uni-app —— 小程序登录功能的相关实现
VS实用调式技巧
【Linux】shell脚本+cron定时任务实现“当程序报错时,发送邮件”
微信云开发AI短视频一键换脸小程序源码
Mongodb操作与Java(四)MongoTemplate的使用
OPENCHAT: ADVANCING OPEN-SOURCE LANGUAGE MODELS WITH MIXED-QUALITY DATA
- 原文地址:https://blog.csdn.net/qq_43147121/article/details/133637061
