一.
Google了半天.找到了以下资料:http://topic.csdn.net/t/20041029/16/3504037.html这个资料里,提及了一个思路:"
1. 枚举进程的每个线程,利用GetThreadContext得到线程的EIP(当前运行地址)
2. 枚举进程的模块,如果哪个模块的地址空间包含上面的EIP,则该DLL为线程所在的DLL
.....
"同时提到:"
如果thread刚好调用了api,可能是会在KERNEL32.dll里,那你再试试下面的
NtQueryInformationThread(http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtQueryInformationThread.html)
得到THREAD_INFORMATION_CLASS结构(http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/THREAD_INFORMATION_CLASS.html)
ThreadQuerySetWin32StartAddress参数应该是CreateThread时的入口,所以用它代替上面的EIP,你再试试
"
二.
根据这些资料再Google,找到以下一个关于TEB的资料:https://www.xfocus.net/bbs/index.php?act=ST&f=2&t=48527&view=old
三.
现在,我感觉,我离我想要的东西已经越来越近了.可我却非常菜,不知道什么是EIP,什么是TEB. 他们之间是什么关系? :(
并且如何做到"枚举进程的模块,如果哪个模块的地址空间包含上面的EIP,则该DLL为线程所在的DLL"
Google了半天.找到了以下资料:http://topic.csdn.net/t/20041029/16/3504037.html这个资料里,提及了一个思路:"
1. 枚举进程的每个线程,利用GetThreadContext得到线程的EIP(当前运行地址)
2. 枚举进程的模块,如果哪个模块的地址空间包含上面的EIP,则该DLL为线程所在的DLL
.....
"同时提到:"
如果thread刚好调用了api,可能是会在KERNEL32.dll里,那你再试试下面的
NtQueryInformationThread(http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/NtQueryInformationThread.html)
得到THREAD_INFORMATION_CLASS结构(http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/NT%20Objects/Thread/THREAD_INFORMATION_CLASS.html)
ThreadQuerySetWin32StartAddress参数应该是CreateThread时的入口,所以用它代替上面的EIP,你再试试
"
二.
根据这些资料再Google,找到以下一个关于TEB的资料:https://www.xfocus.net/bbs/index.php?act=ST&f=2&t=48527&view=old
三.
现在,我感觉,我离我想要的东西已经越来越近了.可我却非常菜,不知道什么是EIP,什么是TEB. 他们之间是什么关系? :(
并且如何做到"枚举进程的模块,如果哪个模块的地址空间包含上面的EIP,则该DLL为线程所在的DLL"
解决方案 »
至于枚举模块,请看Module32First/Module32Next的说明.
看了楼主的前几篇帖子里面目的了,个人认为不太容易实现(即使实现,也仅对以DLL远线程注入方式有效,如果使用完全代码注入,就查不到Module,或者你查到的也是合法的程序exe的module, 那时候你又该终止哪个线程呢?)。
而不考虑那些代码注入的问题.
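以下是微软关于MODULEENTRY32的结构定义:
/*
 * One entry of the Toolhelp module snapshot (Module32First / Module32Next).
 * For the question in this thread the pair modBaseAddr / modBaseSize is what
 * matters: together they bound the module's address range
 * [modBaseAddr, modBaseAddr + modBaseSize), which is what an instruction
 * pointer is compared against to decide which module the thread is running in.
 */
typedef struct tagMODULEENTRY32
{
    DWORD dwSize;                 // size of this structure; must be set to sizeof(MODULEENTRY32) before the first Module32First call (see SDK docs)
    DWORD th32ModuleID;           // This module
    DWORD th32ProcessID;          // owning process
    DWORD GlblcntUsage;           // Global usage count on the module
    DWORD ProccntUsage;           // Module usage count in th32ProcessID's context
    BYTE * modBaseAddr;           // Base address of module in th32ProcessID's context (an address in the *other* process, not this one)
    DWORD modBaseSize;            // Size in bytes of module starting at modBaseAddr
    HMODULE hModule;              // The hModule of this module in th32ProcessID's context
    char szModule[MAX_MODULE_NAME32 + 1];   // module file name
    char szExePath[MAX_PATH];               // full path of the module
} MODULEENTRY32;
typedef MODULEENTRY32 * PMODULEENTRY32;
typedef MODULEENTRY32 * LPMODULEENTRY32;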
按我所推想的,其中的modBaseAddr和modBaseSize和我们这次讨论的议题有关.
接下来,是一些未公开(undocumented)的TEB相关结构体:
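/*
 * Undocumented NT structures pasted from the thread, one definition per line
 * (the page had several fused together). NOTE(review): these layouts are
 * version- and bitness-specific (the post assumes 32-bit Windows); verify the
 * field offsets against the target build before reading them out of another
 * process.
 */
typedef struct _CLIENT_ID
{
    DWORD UniqueProcess;   /* owning process id; the SDK form of CLIENT_ID uses HANDLE-sized fields -- confirm for 64-bit builds */
    DWORD UniqueThread;    /* thread id */
} CLIENT_ID, *PCLIENT_ID;

typedef struct _UNICODE_STRING
{
    USHORT Length;         /* NOTE(review): in the documented UNICODE_STRING this is a byte count, not a character count -- confirm */
    USHORT MaximumLength;  /* capacity of Buffer, same units as Length */
    PWSTR Buffer;          /* need not be NUL-terminated: bound every read by Length, do not hand it to wcslen()/%ls */
} _UNICODE_STRING, *PUNICODE_STRING;
/* PUNICODE_STRING is already declared above; repeating it here would be a typedef
 * redefinition that C99 rejects (C11 allows an identical one), so only the
 * UNICODE_STRING alias is added. */
typedef _UNICODE_STRING UNICODE_STRING;

typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    /* Heads of the loader's module lists (the names indicate load / memory /
     * initialization order); the entry layout they link is not shown in this post. */
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _RTL_DRIVE_LETTER_CURDIR {
    USHORT Flags;
    USHORT Length;
    ULONG TimeStamp;
    UNICODE_STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;

/* Singly linked free-block list. The original wrote `_PEB_FREE_BLOCK *Next;`,
 * which only compiles as C++; in C a self-referential tag inside its own
 * definition needs the `struct` keyword. */
typedef struct _PEB_FREE_BLOCK {
    struct _PEB_FREE_BLOCK *Next;
    ULONG Size;
} PEB_FREE_BLOCK, *PPEB_FREE_BLOCK;

/* Callback type of the PEB's FastPebLockRoutine / FastPebUnlockRoutine fields. */
typedef void (*PPEBLOCKROUTINE)(PVOID PebLock);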
/*
 * Process parameter block pointed to by PEB.ProcessParameters. Undocumented
 * layout as pasted in the thread. NOTE(review): offsets differ across Windows
 * versions and between 32- and 64-bit processes -- verify against the target
 * build before dereferencing anything read from another process.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StdInputHandle;
    HANDLE StdOutputHandle;
    HANDLE StdErrorHandle;
    UNICODE_STRING CurrentDirectoryPath;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingPositionLeft;
    ULONG StartingPositionTop;
    ULONG Width;
    ULONG Height;
    ULONG CharWidth;
    ULONG CharHeight;
    ULONG ConsoleTextAttributes;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopName;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    RTL_DRIVE_LETTER_CURDIR DLCurrentDirectory[0x20];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;

typedef void **PPVOID;

/*
 * Process Environment Block (one per process, reachable from TEB.Peb below).
 * Same caveat as above: this is a single historical layout, not a contract.
 */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
    BOOLEAN Spare;
    HANDLE Mutant;
    PVOID ImageBaseAddress;                    /* presumably the base of the main executable image -- name-based, confirm */
    PPEB_LDR_DATA LoaderData;                  /* -> PEB_LDR_DATA (the loader's module lists) */
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;   /* -> RTL_USER_PROCESS_PARAMETERS above */
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PVOID FastPebLock;
    PPEBLOCKROUTINE FastPebLockRoutine;
    PPEBLOCKROUTINE FastPebUnlockRoutine;
    ULONG EnvironmentUpdateCount;
    PPVOID KernelCallbackTable;
    PVOID EventLogSection;
    PVOID EventLog;
    PPEB_FREE_BLOCK FreeList;
    ULONG TlsExpansionCounter;
    PVOID TlsBitmap;
    ULONG TlsBitmapBits[0x2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PPVOID ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    ULONG NumberOfProcessors;
    ULONG NtGlobalFlag;
    BYTE Spare2[0x4];
    LARGE_INTEGER CriticalSectionTimeout;
    ULONG HeapSegmentReserve;
    ULONG HeapSegmentCommit;
    ULONG HeapDeCommitTotalFreeThreshold;
    ULONG HeapDeCommitFreeBlockThreshold;
    ULONG NumberOfHeaps;
    ULONG MaximumNumberOfHeaps;
    PPVOID *ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    PVOID GdiDCAttributeList;
    PVOID LoaderLock;
    ULONG OSMajorVersion;
    ULONG OSMinorVersion;
    ULONG OSBuildNumber;
    ULONG OSPlatformId;
    ULONG ImageSubSystem;
    ULONG ImageSubSystemMajorVersion;
    ULONG ImageSubSystemMinorVersion;
    ULONG GdiHandleBuffer[0x22];
    ULONG PostProcessInitRoutine;
    ULONG TlsExpansionBitmap;
    BYTE TlsExpansionBitmapBits[0x80];
    ULONG SessionId;
} PEB, *PPEB;

/*
 * Thread Environment Block (one per thread). Note that nothing in it holds the
 * thread's instruction pointer; the EIP the first post talks about comes from
 * GetThreadContext, and the TEB only supplies the thread/process ids (Cid) and
 * the way back to the PEB (Peb) and hence to the loader's module lists.
 */
typedef struct _TEB {
    NT_TIB Tib;                                /* first member, so a TEB pointer can be treated as PNT_TIB (THREAD_BASIC_INFORMATION.TebBaseAddress below is declared that way) */
    PVOID EnvironmentPointer;
    CLIENT_ID Cid;                             /* process id / thread id pair of this thread */
    PVOID ActiveRpcInfo;
    PVOID ThreadLocalStoragePointer;
    PPEB Peb;                                  /* back-pointer to the owning process's PEB */
    ULONG LastErrorValue;
    ULONG CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    ULONG Win32ClientInfo[0x1F];
    PVOID WOW32Reserved;
    ULONG CurrentLocale;
    ULONG FpSoftwareStatusRegister;
    PVOID SystemReserved1[0x36];
    PVOID Spare1;
    ULONG ExceptionCode;
    ULONG SpareBytes1[0x28];
    PVOID SystemReserved2[0xA];
    ULONG GdiRgn;
    ULONG GdiPen;
    ULONG GdiBrush;
    CLIENT_ID RealClientId;
    PVOID GdiCachedProcessHandle;
    ULONG GdiClientPID;
    ULONG GdiClientTID;
    PVOID GdiThreadLocaleInfo;
    PVOID UserReserved[5];
    PVOID GlDispatchTable[0x118];
    ULONG GlReserved1[0x1A];
    PVOID GlReserved2;
    PVOID GlSectionInfo;
    PVOID GlSection;
    PVOID GlTable;
    PVOID GlCurrentRC;
    PVOID GlContext;
    NTSTATUS LastStatusValue;
    UNICODE_STRING StaticUnicodeString;        /* presumably describes StaticUnicodeBuffer below -- confirm */
    WCHAR StaticUnicodeBuffer[0x105];
    PVOID DeallocationStack;
    PVOID TlsSlots[0x40];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[0x2];
    ULONG HardErrorDisabled;
    PVOID Instrumentation[0x10];
    PVOID WinSockData;
    ULONG GdiBatchCount;
    ULONG Spare2;
    ULONG Spare3;
    ULONG Spare4;
    PVOID ReservedForOle;
    ULONG WaitingOnLoaderLock;
    PVOID StackCommit;
    PVOID StackCommitMax;
    PVOID StackReserved;
} TEB, *PTEB;
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
/*
 * Output buffer of NtQueryInformationThread for information class 0
 * (ThreadBasicInformation). TebBaseAddress is the bridge between the
 * per-thread query and the TEB layout above.
 */
typedef struct _THREAD_BASIC_INFORMATION { // Information Class 0
    NTSTATUS ExitStatus;
    PNT_TIB TebBaseAddress;       /* address of the thread's TEB; typed PNT_TIB because the TEB begins with an NT_TIB (see TEB.Tib above). NOTE(review): for a thread of another process this is an address in *that* process -- it must be read with ReadProcessMemory, never dereferenced directly */
    CLIENT_ID ClientId;           /* process id / thread id pair */
    DWORD AffinityMask;
    DWORD Priority;
    DWORD BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
我就是想知道,到底怎么根据这些结构体的数据,来实现:
"枚举进程的模块,如果哪个模块的地址空间包含上面的EIP,则该DLL为线程所在的DLL"