
NtQueryInformationProcess(ProcessBasicInformation) AV for some processes

Reposted. Author: bug小助手. Updated: 2023-10-25 11:28:05



[Screenshot: debugger view]
I'm enumerating all processes. As you can see, the return code is OK, UniqueProcessId shows the requested process id and PebBaseAddress is not null, but the system throws an AV on reading it.



This code works most of the time, but fails for some particular processes (they seem unrelated: iexplore.exe, vcpkgsrv.exe, rdpclip.exe, etc.). Win10 22H2.



Here is the code as text:



// using PROCESS_ALL_ACCESS or MAXIMUM_ALLOWED instead doesn't help either
// hProcess: RAII wrapper (AutoHandleNull) around the handle returned by OpenProcess
AutoHandleNull hProcess{ ::OpenProcess(ProcessQueryRight/*PROCESS_QUERY_LIMITED_INFORMATION*/, FALSE, procEntry.th32ProcessID) };
if (hProcess)
{
    ::PROCESS_BASIC_INFORMATION pbi{};
    ULONG returnLength = 0;
    // pNtQueryInformationProcess: NtQueryInformationProcess resolved from ntdll.dll
    const NTSTATUS st = pNtQueryInformationProcess(hProcess.get(), ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength);
    // pbi.PebBaseAddress is an address inside the *target* process; dereferencing it
    // here reads the current process's address space instead, which is where the AV occurs
    if (NT_SUCCESS(st) && pbi.PebBaseAddress && pbi.PebBaseAddress->SessionId == sessionID)
    {
        return procEntry.th32ProcessID;
    }
}

More replies

If that process is not your own, you can't read it directly. Use ReadProcessMemory.


@500-InternalServerError That process is running as the same user in the same session.


@500-InternalServerError When first writing the code, I actually was wondering how it could return the PEB from another process, but there was no need to deallocate memory. Ha-ha. Thanks for the hint.


Recommended answer

PebBaseAddress is in the address space of the target process, so you need to use ReadProcessMemory. Beware that the PEB contains pointers, so you need to check the target process's mode and use PEB_X86/PEB_X64 accordingly. And if you are in a WoW64 process there are some hoops to jump through: "Get command line string of 64-bit process from 32-bit process".

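Worked example, added here and not part of the original question or answer: the fix the accepted answer describes, with the PEB copied through ReadProcessMemory into a local buffer instead of dereferenced in place. Rather than carrying full PEB_X86/PEB_X64 struct definitions, it reads the SessionId field by its offset in the two PEB layouts (0x1D4 in the 32-bit PEB, 0x2C0 in the 64-bit PEB); those offsets are undocumented but have been stable for many Windows versions, and the safe habit is to re-check them against the ntdll symbols of the build you target. The Windows-only function ReadRemotePebSessionId and the helpers PebSessionIdOffset, ExtractPebSessionId and MakeSamplePeb are my own names; the sample PEB images are constructed zero-filled buffers, not captures from a real process. The case the answer's link covers, a 32-bit (WoW64) caller inspecting a native 64-bit target, is deliberately left unhandled and makes the function return false.

```cpp
// Added example (not from the original question or answer): read SessionId out of a
// remote process's PEB with ReadProcessMemory instead of dereferencing PebBaseAddress.
// Offsets are the well-known, undocumented PEB layouts (SessionId at 0x1D4 in the
// 32-bit PEB and 0x2C0 in the 64-bit PEB); verify them against ntdll symbols.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Portable part: locate SessionId inside a raw PEB image for the given bitness.
constexpr size_t kPeb32SessionIdOffset = 0x1D4;
constexpr size_t kPeb64SessionIdOffset = 0x2C0;

size_t PebSessionIdOffset(bool peb64) {
    return peb64 ? kPeb64SessionIdOffset : kPeb32SessionIdOffset;
}

// Returns false when the image is too short to contain the field for that layout.
bool ExtractPebSessionId(const std::vector<uint8_t>& pebImage, bool peb64, uint32_t& sessionId) {
    const size_t off = PebSessionIdOffset(peb64);
    if (pebImage.size() < off + sizeof(uint32_t)) return false;
    std::memcpy(&sessionId, pebImage.data() + off, sizeof(sessionId));
    return true;
}

// Constructed sample PEB image (not captured from a real process): a zero-filled
// buffer with only the SessionId field set, so the extractor can be exercised offline.
std::vector<uint8_t> MakeSamplePeb(bool peb64, uint32_t sessionId) {
    std::vector<uint8_t> img(peb64 ? 0x2C8 : 0x1D8, 0);
    std::memcpy(img.data() + PebSessionIdOffset(peb64), &sessionId, sizeof(sessionId));
    return img;
}

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#ifndef NT_SUCCESS
#define NT_SUCCESS(s) (((NTSTATUS)(s)) >= 0)
#endif

typedef NTSTATUS(NTAPI* NtQueryInformationProcess_t)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);

// Reads the target's SessionId via its PEB. Returns false on any failure, including the
// one case this sample does not handle: a 32-bit (WoW64) caller inspecting a native 64-bit
// target, which needs NtWow64QueryInformationProcess64 / NtWow64ReadVirtualMemory64.
bool ReadRemotePebSessionId(DWORD pid, uint32_t& sessionId) {
    // PROCESS_VM_READ is required by ReadProcessMemory; QUERY_LIMITED_INFORMATION alone is not enough.
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return false;
    bool ok = false;
    do {
        BOOL callerWow64 = FALSE, targetWow64 = FALSE;
        if (!IsWow64Process(GetCurrentProcess(), &callerWow64) || !IsWow64Process(h, &targetWow64)) break;
        const bool caller64 = (sizeof(void*) == 8);
        const bool os64 = caller64 || callerWow64;
        const bool target64 = os64 && !targetWow64;
        if (!caller64 && target64) break;  // unsupported here, see comment above
        // A 64-bit caller always receives the native 64-bit PEB address (even for a WoW64
        // target); a 32-bit caller on a 32-bit target receives the 32-bit PEB.
        const bool peb64 = caller64;

        auto fn = reinterpret_cast<NtQueryInformationProcess_t>(
            GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQueryInformationProcess"));
        if (!fn) break;
        PROCESS_BASIC_INFORMATION pbi{};
        ULONG len = 0;
        if (!NT_SUCCESS(fn(h, ProcessBasicInformation, &pbi, sizeof(pbi), &len)) || !pbi.PebBaseAddress) break;

        // Copy just enough of the remote PEB to cover the SessionId field.
        std::vector<uint8_t> img(PebSessionIdOffset(peb64) + sizeof(uint32_t));
        SIZE_T got = 0;
        if (!ReadProcessMemory(h, pbi.PebBaseAddress, img.data(), img.size(), &got) || got != img.size()) break;
        ok = ExtractPebSessionId(img, peb64, sessionId);
    } while (false);
    CloseHandle(h);
    return ok;
}
#endif
```

Two practical points beyond the question's code: ReadProcessMemory needs PROCESS_VM_READ, which PROCESS_QUERY_LIMITED_INFORMATION alone does not grant, and a 64-bit caller gets the native 64-bit PEB from ProcessBasicInformation even for a WoW64 target (the 32-bit PEB of such a process is a separate query, ProcessWow64Information), so it can use the 64-bit layout unconditionally. If the session ID is the only thing needed, the documented ProcessIdToSessionId call avoids touching the PEB at all.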



Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号