X64-R3层通过PEB获取进程命令行参数( 二 )


X64-R3层通过PEB获取进程命令行参数

然后是 cpp 文件（C++）：
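#include "CMD.h"

// Resolved from ntdll at runtime in main(); stays NULL until then, and
// GetPEBLocation() refuses to run while it is NULL.
pfn NtQueryInformationProcess = NULL;

/*
 * Enable or disable one named privilege on the current process token.
 *
 * PriviledgeName: privilege name, e.g. "SeDebugPrivilege".
 * IsEnable:       TRUE to enable, FALSE to disable.
 *
 * Returns TRUE only when the privilege really changed state. A token that
 * does not hold the privilege at all (non-elevated user) makes
 * AdjustTokenPrivileges return success with GetLastError() ==
 * ERROR_NOT_ALL_ASSIGNED, which the previous version reported as TRUE.
 */
BOOL EnableSeDebugPrivilege(IN const CHAR *PriviledgeName, BOOL IsEnable)
{
    HANDLE TokenHandle = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle)) {
        return FALSE;
    }

    BOOL ok = FALSE;
    LUID luid;
    if (LookupPrivilegeValueA(NULL, PriviledgeName, &luid)) {
        TOKEN_PRIVILEGES TokenPrivileges = { 0 };
        TokenPrivileges.PrivilegeCount = 1;
        TokenPrivileges.Privileges[0].Luid = luid;
        TokenPrivileges.Privileges[0].Attributes = IsEnable ? SE_PRIVILEGE_ENABLED : 0;

        if (AdjustTokenPrivileges(TokenHandle, FALSE, &TokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
            && GetLastError() != ERROR_NOT_ALL_ASSIGNED) {
            ok = TRUE;
        }
    }

    // Single exit: the token handle is closed on every path.
    CloseHandle(TokenHandle);
    return ok;
}

/*
 * Return the PEB base address of hProcess, or NULL when it cannot be
 * queried. Needs NtQueryInformationProcess to be resolved and hProcess to
 * carry PROCESS_QUERY_INFORMATION.
 */
void *GetPEBLocation(HANDLE hProcess)
{
    if (NtQueryInformationProcess == NULL || hProcess == NULL) {
        return NULL;
    }

    // ProcessBasicInformation fills a fixed-size struct, so one correctly
    // sized buffer is enough. The old retry with the returned length into a
    // fixed 5-element array could write past that array if the length ever
    // exceeded it, so it is gone.
    PROCESS_BASIC_INFORMATION pbi = { 0 };
    ULONG ReturnLength = 0;
    if (NtQueryInformationProcess(hProcess, ProcessBasicInformation, &pbi, sizeof pbi, &ReturnLength) != STATUS_SUCCESS) {
        return NULL;
    }
    return (void *)pbi.PebBaseAddress;
}

/*
 * Read nSize bytes at lpBaseAddress in hProcess into lpBuffer.
 *
 * lpNumberOfBytesRead may be NULL. Returns FALSE for NULL/zero arguments
 * or when the read fails.
 *
 * If the plain ReadProcessMemory fails, the page protection is changed
 * temporarily and restored afterwards. That fallback needs
 * PROCESS_VM_OPERATION on hProcess and is observable by the target (and by
 * anything watching page-protection changes). PAGE_EXECUTE_READWRITE is
 * used so code pages keep executing in the target during the window.
 */
BOOL MemoryReadSafe(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
{
    if (hProcess == NULL || lpBaseAddress == NULL || lpBuffer == NULL || nSize == 0) {
        return FALSE;
    }

    SIZE_T LocalBytesRead = 0;
    SIZE_T *pNumBytes = lpNumberOfBytesRead ? lpNumberOfBytesRead : &LocalBytesRead;

    if (ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes)) {
        return TRUE;
    }

    BOOL retValue = FALSE;
    DWORD dwProtect = 0;
    if (VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwProtect)) {
        if (ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes)) {
            retValue = TRUE;
        }
        // Restore the original protection whether or not the read worked.
        VirtualProtectEx(hProcess, lpBaseAddress, nSize, dwProtect, &dwProtect);
    }
    return retValue;
}

/*
 * Store in *addr the address (inside hProcess) of the UNICODE_STRING
 * PEB->ProcessParameters->CommandLine.
 *
 * Returns FALSE when addr/hProcess is NULL, the PEB cannot be located, or
 * the ProcessParameters pointer cannot be read or is NULL.
 *
 * The offsets come from this build's own PEB / RTL_USER_PROCESS_PARAMETERS
 * definitions, so they presumably only match targets of the same bitness
 * as this reader — a 32-bit target read from a 64-bit build is not handled.
 */
BOOL getcommandlineaddr(duint *addr, HANDLE hProcess)
{
    if (addr == NULL || hProcess == NULL) {
        return FALSE;
    }

    duint PebAddr = (duint)GetPEBLocation(hProcess);
    if (PebAddr == 0) {
        return FALSE;
    }

    duint ProcessParameters = 0;
    SIZE_T NumberOfBytesRead = 0;
    if (!MemoryReadSafe(hProcess, (LPVOID)(PebAddr + offsetof(PEB, ProcessParameters)),
                        &ProcessParameters, sizeof ProcessParameters, &NumberOfBytesRead)
        || NumberOfBytesRead != sizeof ProcessParameters
        || ProcessParameters == 0) {
        return FALSE;
    }

    *addr = ProcessParameters + offsetof(RTL_USER_PROCESS_PARAMETERS, CommandLine);
    return TRUE;
}

/*
 * Read the target's command line into a freshly allocated, NUL-terminated
 * WCHAR buffer sized from UNICODE_STRING.Length (bytes, no terminator).
 * The caller owns and frees the result. Returns NULL on any failure
 * (unreadable PEB, empty command line, short read, allocation failure).
 *
 * The previous version read a fixed 1024 bytes and printed the buffer
 * without a terminator, which both truncated long command lines and could
 * read past the buffer when printing.
 */
static WCHAR *ReadTargetCommandLine(HANDLE hProcess)
{
    duint CmdAddr = 0;
    if (!getcommandlineaddr(&CmdAddr, hProcess)) {
        return NULL;
    }

    // The command line is a UNICODE_STRING whose Buffer points into the
    // target, so two reads are needed: the descriptor, then the characters.
    UNICODE_STRING CmdLine = { 0 };
    SIZE_T NumberOfBytesRead = 0;
    if (!MemoryReadSafe(hProcess, (LPVOID)CmdAddr, &CmdLine, sizeof CmdLine, &NumberOfBytesRead)
        || NumberOfBytesRead != sizeof CmdLine) {
        return NULL;
    }
    if (CmdLine.Buffer == NULL || CmdLine.Length == 0) {
        return NULL;
    }

    // Length is a USHORT byte count, so this allocation is bounded by 64 KiB
    // plus the terminator regardless of what the target reports.
    size_t ByteLen = CmdLine.Length;
    WCHAR *Buffer = (WCHAR *)calloc(ByteLen + sizeof(WCHAR), 1);
    if (Buffer == NULL) {
        return NULL;
    }
    if (!MemoryReadSafe(hProcess, (LPVOID)CmdLine.Buffer, Buffer, ByteLen, &NumberOfBytesRead)
        || NumberOfBytesRead != ByteLen) {
        free(Buffer);
        return NULL;
    }
    Buffer[ByteLen / sizeof(WCHAR)] = L'\0';
    return Buffer;
}

/*
 * Entry point: ask for a PID, open it with the least access the PEB walk
 * needs, print its command line, then release everything.
 * Returns 0 on success, 1 on any failure.
 */
int main()
{
    int rc = 1;
    HANDLE hProcess = NULL;
    HMODULE NtdllModuleBase = NULL;
    WCHAR *CmdLineBuffer = NULL;
    DWORD ProcessId = 0;
    BOOL PrivilegeEnabled = FALSE;

    // SeDebugPrivilege is what lets OpenProcess succeed on processes of
    // other users / higher integrity; it requires an elevated token.
    PrivilegeEnabled = EnableSeDebugPrivilege("SeDebugPrivilege", TRUE);
    if (!PrivilegeEnabled) {
        printf("SeDebugPrivilege not available (run elevated): %lu\n", GetLastError());
        goto EXIT;
    }

    NtdllModuleBase = GetModuleHandle(L"Ntdll.dll");
    if (NtdllModuleBase == NULL) {
        goto EXIT;
    }
    NtQueryInformationProcess = (pfn)GetProcAddress(NtdllModuleBase, "NtQueryInformationProcess");
    if (NtQueryInformationProcess == NULL) {
        printf("GetProcAddress failed: %lu\n", GetLastError());
        goto EXIT;
    }

    cout << "输入进程id" << endl;
    if (!(cin >> ProcessId)) {
        printf("ERROR\n");
        goto EXIT;
    }
    // Drop the rest of the input line so the final getchar() really pauses
    // instead of consuming the newline left behind by operator>>.
    cin.ignore(1024, '\n');

    // Least privilege: query + read covers the PEB walk; PROCESS_VM_OPERATION
    // only backs MemoryReadSafe's VirtualProtectEx fallback.
    hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_OPERATION, FALSE, ProcessId);
    if (hProcess == NULL) {
        printf("OpenProcess failed: %lu\n", GetLastError());
        goto EXIT;
    }

    CmdLineBuffer = ReadTargetCommandLine(hProcess);
    if (CmdLineBuffer == NULL) {
        printf("ERROR\n");
        goto EXIT;
    }
    printf("%S", CmdLineBuffer);
    rc = 0;

EXIT:
    // free(NULL) is a no-op, so no guard is needed.
    free(CmdLineBuffer);
    if (hProcess != NULL) {
        CloseHandle(hProcess);
    }
    if (PrivilegeEnabled) {
        EnableSeDebugPrivilege("SeDebugPrivilege", FALSE);
    }
    getchar();
    return rc;
}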