X64-R3层通过PEB获取进程命令行参数

【X64-R3层通过PEB获取进程命令行参数】关于命令行参数
进程创建进程时,会传一个命令行给它,一般其第一个内容是其可执行文件的名称,因为在调用时,若参数为空(大多数情况都为空),则将会去解析命令行参数以此获得进程映像文件的完整路径.一般应用双引号 ""将完整路径包括起来,否则应用空格与其余命令行参数隔开,具体解析方式这里不详述
获取命令行参数by PEB
文章插图
其实64位与32位通过PEB获取进程信息并无太大区别,这里就当练练手,其余如加载模块,环境变量等值都可以通过这种方法获得,下面上代码:
首先是头文件,一些结构体的定义:(适用于64位)
#pragma once#include #include#includeusing namespace std;#ifdef _WIN64typedef unsigned long __w64 duint;typedef signed long __w64dsint;#endif // _WIN64#define RTL_MAX_DRIVE_LETTERS 32BOOL EnableSeDebugPrivilege(IN const CHAR*PriviledgeName, BOOL IsEnable);typedef struct _PROCESS_BASIC_INFORMATION{PVOID Reserved1;PVOID PebBaseAddress;PVOID Reserved2[2];ULONG_PTR UniqueProcessId;PVOID Reserved3;} PROCESS_BASIC_INFORMATION;typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION;typedef struct _UNICODE_STRING{USHORT Length;USHORT MaximumLength;PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING;typedef struct _CURDIR{UNICODE_STRING DosPath;HANDLE Handle;} CURDIR, *PCURDIR;typedef struct _RTL_DRIVE_LETTER_CURDIR{USHORT Flags;USHORT Length;ULONG TimeStamp;UNICODE_STRING DosPath;} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;typedef enum _PROCESSINFOCLASS{ProcessBasicInformation,ProcessQuotaLimits,ProcessIoCounters,ProcessVmCounters,ProcessTimes,ProcessBasePriority,ProcessRaisePriority,ProcessDebugPort,ProcessExceptionPort,ProcessAccessToken,ProcessLdtInformation,ProcessLdtSize,ProcessDefaultHardErrorMode,ProcessIoPortHandlers,// Note: this is kernel mode onlyProcessPooledUsageAndLimits,ProcessWorkingSetWatch,ProcessUserModeIOPL,ProcessEnableAlignmentFaultFixup,ProcessPriorityClass,ProcessWx86Information,ProcessHandleCount,ProcessAffinityMask,ProcessPriorityBoost,ProcessDeviceMap,ProcessSessionInformation,ProcessForegroundInformation,ProcessWow64Information,ProcessImageFileName,ProcessLUIDDeviceMapsEnabled,ProcessBreakOnTermination,ProcessDebugObjectHandle,ProcessDebugFlags,ProcessHandleTracing,ProcessIoPriority,ProcessExecuteFlags,ProcessResourceManagement,ProcessCookie,ProcessImageInformation,MaxProcessInfoClass// MaxProcessInfoClass should always be the last enum} PROCESSINFOCLASS;typedef struct _RTL_USER_PROCESS_PARAMETERS{ULONG MaximumLength;ULONG Length;ULONG Flags;ULONG DebugFlags;HANDLE ConsoleHandle;ULONG ConsoleFlags;HANDLE StandardInput;HANDLE StandardOutput;HANDLE StandardError;CURDIR CurrentDirectory;UNICODE_STRING DllPath;UNICODE_STRING ImagePathName;UNICODE_STRING CommandLine;PWCHAR Environment;ULONG StartingX;ULONG StartingY;ULONG CountX;ULONG CountY;ULONG CountCharsX;ULONG CountCharsY;ULONG FillAttribute;ULONG WindowFlags;ULONG ShowWindowFlags;UNICODE_STRING WindowTitle;UNICODE_STRING DesktopInfo;UNICODE_STRING ShellInfo;UNICODE_STRING RuntimeData;RTL_DRIVE_LETTER_CURDIR CurrentDirectories[RTL_MAX_DRIVE_LETTERS];ULONG_PTR EnvironmentSize;ULONG_PTR EnvironmentVersion;PVOID PackageDependencyData;ULONG ProcessGroupId;ULONG LoaderThreads;} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;typedef struct _PEB_LDR_DATA{ULONG Length;BOOLEAN Initialized;HANDLE SsHandle;LIST_ENTRY InLoadOrderModuleList;LIST_ENTRY InMemoryOrderModuleList;LIST_ENTRY InInitializationOrderModuleList;PVOID EntryInProgress;BOOLEAN ShutdownInProgress;HANDLE ShutdownThreadId;} PEB_LDR_DATA, *PPEB_LDR_DATA;typedef ULONG GDI_HANDLE_BUFFER[60];typedef struct _PEB{BOOLEAN InheritedAddressSpace;BOOLEAN ReadImageFileExecOptions;BOOLEAN BeingDebugged;union{BOOLEAN BitField;struct{BOOLEAN ImageUsesLargePages : 1;BOOLEAN IsProtectedProcess : 1;BOOLEAN IsImageDynamicallyRelocated : 1;BOOLEAN SkipPatchingUser32Forwarders : 1;BOOLEAN IsPackagedProcess : 1;BOOLEAN IsAppContainer : 1;BOOLEAN IsProtectedProcessLight : 1;BOOLEAN IsLongPathAwareProcess : 1;} s1;} u1;HANDLE Mutant;PVOID ImageBaseAddress;PPEB_LDR_DATA Ldr;PRTL_USER_PROCESS_PARAMETERS ProcessParameters;PVOID SubSystemData;PVOID ProcessHeap;PRTL_CRITICAL_SECTION FastPebLock;PVOID AtlThunkSListPtr;PVOID IFEOKey;union{ULONG CrossProcessFlags;struct{ULONG ProcessInJob : 1;ULONG ProcessInitializing : 1;ULONG ProcessUsingVEH : 1;ULONG ProcessUsingVCH : 1;ULONG ProcessUsingFTH : 1;ULONG ProcessPreviouslyThrottled : 1;ULONG ProcessCurrentlyThrottled : 1;ULONG ReservedBits0 : 25;} s2;} u2;union{PVOID KernelCallbackTable;PVOID UserSharedInfoPtr;} u3;ULONG SystemReserved[1];ULONG AtlThunkSListPtr32;PVOID ApiSetMap;ULONG TlsExpansionCounter;PVOID TlsBitmap;ULONG TlsBitmapBits[2];PVOID ReadOnlySharedMemoryBase;PVOID SharedData; // HotpatchInformationPVOID* ReadOnlyStaticServerData;PVOID AnsiCodePageData; // PCPTABLEINFOPVOID OemCodePageData; // PCPTABLEINFOPVOID UnicodeCaseTableData; // PNLSTABLEINFOULONG NumberOfProcessors;ULONG NtGlobalFlag;LARGE_INTEGER CriticalSectionTimeout;SIZE_T HeapSegmentReserve;SIZE_T HeapSegmentCommit;SIZE_T HeapDeCommitTotalFreeThreshold;SIZE_T HeapDeCommitFreeBlockThreshold;ULONG NumberOfHeaps;ULONG MaximumNumberOfHeaps;PVOID* ProcessHeaps; // PHEAPPVOID GdiSharedHandleTable;PVOID ProcessStarterHelper;ULONG GdiDCAttributeList;PRTL_CRITICAL_SECTION LoaderLock;ULONG OSMajorVersion;ULONG OSMinorVersion;USHORT OSBuildNumber;USHORT OSCSDVersion;ULONG OSPlatformId;ULONG ImageSubsystem;ULONG ImageSubsystemMajorVersion;ULONG ImageSubsystemMinorVersion;ULONG_PTR ActiveProcessAffinityMask;GDI_HANDLE_BUFFER GdiHandleBuffer;PVOID PostProcessInitRoutine;PVOID TlsExpansionBitmap;ULONG TlsExpansionBitmapBits[32];ULONG SessionId;ULARGE_INTEGER AppCompatFlags;ULARGE_INTEGER AppCompatFlagsUser;PVOID pShimData;PVOID AppCompatInfo; // APPCOMPAT_EXE_DATAUNICODE_STRING CSDVersion;PVOID ActivationContextData; // ACTIVATION_CONTEXT_DATAPVOID ProcessAssemblyStorageMap; // ASSEMBLY_STORAGE_MAPPVOID SystemDefaultActivationContextData; // ACTIVATION_CONTEXT_DATAPVOID SystemAssemblyStorageMap; // ASSEMBLY_STORAGE_MAPSIZE_T MinimumStackCommit;PVOID* FlsCallback;LIST_ENTRY FlsListHead;PVOID FlsBitmap;ULONG FlsBitmapBits[FLS_MAXIMUM_AVAILABLE / (sizeof(ULONG) * 8)];ULONG FlsHighIndex;PVOID WerRegistrationData;PVOID WerShipAssertPtr;PVOID pUnused; // pContextDataPVOID pImageHeaderHash;union{ULONG TracingFlags;struct{ULONG HeapTracingEnabled : 1;ULONG CritSecTracingEnabled : 1;ULONG LibLoaderTracingEnabled : 1;ULONG SpareTracingBits : 29;} s3;} u4;ULONGLONG CsrServerReadOnlySharedMemoryBase;PVOID TppWorkerpListLock;LIST_ENTRY TppWorkerpList;PVOID WaitOnAddressHashTable[128];PVOID TelemetryCoverageHeader; // REDSTONE3ULONG CloudFileFlags;} PEB, *PPEB;//以上为64位下的结构体,摘自开源调试器x64dbg的代码typedef NTSTATUS(NTAPI *pfn)(__in HANDLE ProcessHandle,__in PROCESSINFOCLASS ProcessInformationClass,__out_bcount(ProcessInformationLength) PVOID ProcessInformation,__in ULONG ProcessInformationLength,__out_opt PULONG ReturnLength);void*GetPEBLocation(HANDLE hProcess);BOOL getcommandlineaddr(duint* addr, HANDLE hProcess);BOOL MemoryReadSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T* lpNumberOfBytesRead);
上一页
1
2
3
下一页
		  	









vcs中-F -f用法梳理 

stm32通过NTC采集温度，二分法查表，精度0.1℃ 

如何通过id获取数组的下标？ 

通过easyBCD将linux的启动菜单加入到Windows 的启动菜单 

三  Linux 网络驱动-MAC、PHY层驱动框架 

利用调整图层填充图案制作简单老照片实例 

怎么找回icloud的照片 

如何通过QQ打开微云 

如何通过手机进入QQ安全中心 

如何通过CMD添加用户