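// Read one UNICODE_STRING field of another process's RTL_USER_PROCESS_PARAMETERS
// (reached through that process's PEB) and print it to stdout.
// Posted by WeZZ, 2013-02-14. Adapted from Process Hacker:
// http://processhacker.sourceforge.net/

// NtReadVirtualMemory's byte counts are SIZE_T, not ULONG: on x64 a ULONG
// prototype hands the callee a 32-bit value in a register it reads as 64 bits.
typedef NTSTATUS (WINAPI *NtQueryInformationProcessT)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
typedef NTSTATUS (WINAPI *NtReadVirtualMemoryT)(HANDLE, PVOID, PVOID, SIZE_T, PSIZE_T);

// Selector for the string field GetProcessReadParameter reads.
enum {
    PhpoCurrentDirectory = 0,
    PhpoDllPath,
    PhpoImagePathName,
    PhpoCommandLine,
    PhpoWindowTitle,
    PhpoDesktopName,
    PhpoShellInfo,
    PhpoRuntimeData,
};

// Local copy of the RTL_USER_PROCESS_PARAMETERS layout. The field offsets used
// below come from this definition, so it must match the target's native layout.
typedef struct _XRTL_USER_PROCESS_PARAMETERS {
    ULONG MaximumLength;
    ULONG Length;
    ULONG Flags;
    ULONG DebugFlags;
    PVOID ConsoleHandle;
    ULONG ConsoleFlags;
    HANDLE StdInputHandle;
    HANDLE StdOutputHandle;
    HANDLE StdErrorHandle;
    UNICODE_STRING CurrentDirectoryPath;
    HANDLE CurrentDirectoryHandle;
    UNICODE_STRING DllPath;
    UNICODE_STRING ImagePathName;
    UNICODE_STRING CommandLine;
    PVOID Environment;
    ULONG StartingPositionLeft;
    ULONG StartingPositionTop;
    ULONG Width;
    ULONG Height;
    ULONG CharWidth;
    ULONG CharHeight;
    ULONG ConsoleTextAttributes;
    ULONG WindowFlags;
    ULONG ShowWindowFlags;
    UNICODE_STRING WindowTitle;
    UNICODE_STRING DesktopInfo;
    UNICODE_STRING ShellInfo;
    UNICODE_STRING RuntimeData;
    BYTE DLCurrentDirectory[0x20];
} XRTL_USER_PROCESS_PARAMETERS, *PXRTL_USER_PROCESS_PARAMETERS;

// Map a Phpo* selector to the byte offset of its UNICODE_STRING inside
// XRTL_USER_PROCESS_PARAMETERS. Returns FALSE (and leaves *offset untouched)
// for an unknown selector.
static BOOL PhpoFieldOffset(DWORD cmd, DWORD *offset)
{
    switch (cmd) {
    case PhpoCurrentDirectory:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, CurrentDirectoryPath);
        return TRUE;
    case PhpoDllPath:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, DllPath);
        return TRUE;
    case PhpoImagePathName:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, ImagePathName);
        return TRUE;
    case PhpoCommandLine:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, CommandLine);
        return TRUE;
    case PhpoWindowTitle:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, WindowTitle);
        return TRUE;
    case PhpoDesktopName:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, DesktopInfo);
        return TRUE;
    case PhpoShellInfo:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, ShellInfo);
        return TRUE;
    case PhpoRuntimeData:
        *offset = FIELD_OFFSET(XRTL_USER_PROCESS_PARAMETERS, RuntimeData);
        return TRUE;
    default:
        return FALSE;
    }
}

/*
 * GetProcessReadParameter
 *   process - handle to the target process; the queries below need
 *             PROCESS_QUERY_INFORMATION and PROCESS_VM_READ access.
 *   cmd     - one of the Phpo* selectors above.
 *
 * Prints the selected string with printf("%ws") and returns TRUE on success.
 * Returns FALSE when cmd is unknown, the ntdll exports cannot be resolved, or
 * any NtQueryInformationProcess / NtReadVirtualMemory call fails.
 *
 * NOTE(review): FIELD_OFFSET(PEB, ProcessParameters) and sizeof(PVOID) are the
 * caller's own; a 32-bit reader inspecting a 64-bit target (or the reverse)
 * would need that target's PEB layout instead — confirm before cross-bitness use.
 */
BOOL GetProcessReadParameter(HANDLE process, DWORD cmd)
{
    DWORD offset = 0;
    if (!PhpoFieldOffset(cmd, &offset))
        return FALSE;

    // ntdll is mapped into every Win32 process, so GetModuleHandle is enough and,
    // unlike LoadLibrary, takes no module reference that would have to be released.
    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (!ntdll)
        return FALSE;

    NtQueryInformationProcessT fpNtQueryInformationProcess =
        (NtQueryInformationProcessT)GetProcAddress(ntdll, "NtQueryInformationProcess");
    NtReadVirtualMemoryT fpNtReadVirtualMemory =
        (NtReadVirtualMemoryT)GetProcAddress(ntdll, "NtReadVirtualMemory");
    if (!fpNtQueryInformationProcess || !fpNtReadVirtualMemory)
        return FALSE;

    PROCESS_BASIC_INFORMATION basicInfo;
    NTSTATUS status = fpNtQueryInformationProcess(
        process,
        ProcessBasicInformation,
        &basicInfo,
        sizeof(basicInfo),
        NULL
    );
    if (!NT_SUCCESS(status))
        return FALSE;

    // Fetch PEB->ProcessParameters. GetPtr(base, offset) is defined elsewhere;
    // it is assumed to add a byte offset to a pointer.
    PVOID processParameters = NULL;
    status = fpNtReadVirtualMemory(
        process,
        GetPtr(basicInfo.PebBaseAddress, FIELD_OFFSET(PEB, ProcessParameters)),
        &processParameters,
        sizeof(processParameters),
        NULL
    );
    // A NULL ProcessParameters (e.g. very early in process startup) has nothing to read.
    if (!NT_SUCCESS(status) || !processParameters)
        return FALSE;

    UNICODE_STRING unicodeString;
    status = fpNtReadVirtualMemory(
        process,
        GetPtr(processParameters, offset),
        &unicodeString,
        sizeof(unicodeString),
        NULL
    );
    if (!NT_SUCCESS(status))
        return FALSE;

    // Length is a byte count supplied by the target process (a USHORT, so at
    // most 64 KiB). Size the buffer in characters rather than Length*sizeof(WCHAR)
    // and keep one extra for a terminator: the remote buffer is not guaranteed
    // to be NUL-terminated, and Length may be 0.
    size_t charCount = unicodeString.Length / sizeof(WCHAR);
    PWCHAR buffer = new WCHAR[charCount + 1];
    memset(buffer, 0, (charCount + 1) * sizeof(WCHAR));

    BOOL ret = FALSE;
    status = fpNtReadVirtualMemory(
        process,
        unicodeString.Buffer,
        buffer,
        unicodeString.Length,
        NULL
    );
    if (NT_SUCCESS(status)) {
        printf("%ws", buffer);
        ret = TRUE;
    }

    delete[] buffer;   // array new must be paired with delete[], not delete
    return ret;
}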