
win 10 64 14393遍历进程VAD

typedef struct _SEGMENT{
    /*
     * Partial reconstruction of ntkrnlmp!_SEGMENT as dumped on Win10 x64 build 14393.
     * Only the leading fields are declared; the debugger output is kept so the
     * offsets can be checked (sample values are from that one run):
     *
     * (*((ntkrnlmp!_SEGMENT *)0xffffa405114286d0))[Type:_SEGMENT]
     * [+0x000] ControlArea : 0xffffd18b3276d370[Type:_CONTROL_AREA *]
     * [+0x008] TotalNumberOfPtes : 0xa[Type:unsigned long]
     * [+0x00c] SegmentFlags[Type:_SEGMENT_FLAGS]
     * [+0x010] NumberOfCommittedPages : 0x0[Type:unsigned __int64]
     * [+0x018] SizeOfSegment : 0xa000[Type:unsigned __int64]
     * [+0x020] ExtendInfo : 0x5dd00000[Type:_MMEXTEND_INFO *]
     * [+0x020] BasedAddress : 0x5dd00000[Type:void *]
     * [+0x028] SegmentLock[Type:_EX_PUSH_LOCK]
     * [+0x030] u1[Type:]
     * [+0x038] u2[Type:]
     * [+0x040] PrototypePte : 0xffffa4050feab820[Type:_MMPTE *]
     */
    PVOID ControlArea;              // +0x000: back-pointer to the owning _CONTROL_AREA
    LONG32 TotalNumberOfPtes;       // +0x008: dumped as unsigned long; LONG32 only preserves the 4-byte size
    LONG32 SegmentFlags;            // +0x00c: _SEGMENT_FLAGS, kept as an undecoded 32-bit value
    ULONG64 NumberOfCommittedPages; // +0x010
    ULONG64 SizeOfSegment;          // +0x018: size of the segment in bytes (0xa000 in the dump)
    ULONG64 BasedAddress;           // +0x020: shares the slot with ExtendInfo in the real struct.
                                    // Author's note: the module name could also be recovered
                                    // from the PE headers found at this address (presumably
                                    // only for image mappings -- not verified in this listing).
    // ... remaining fields (SegmentLock, u1, u2, PrototypePte) intentionally omitted.
    // NOTE(review): sizeof(SEGMENT) is therefore smaller than the kernel's _SEGMENT;
    // only ever reach it through a pointer into kernel memory, never allocate or copy it.

}SEGMENT,*PSEGMENT;
 typedef struct _EX_FAST_REF
 {
     /*
      * Fast reference word: one pointer-sized value whose low 3 bits carry an
      * inline reference count (RefCnt) and whose upper bits are the object
      * pointer. Reading Object directly therefore yields a pointer with the
      * count bits still set; callers must clear the low 3 bits first, which is
      * what VadPreOrderTraverse does with its ">> 3 << 3" on Value.
      *
      * NOTE(review): a bit-field of ULONG_PTR is an MSVC extension (not portable
      * C), and the assumption that RefCnt occupies the LOW bits relies on MSVC's
      * low-to-high bit-field allocation.
      */
     union
     {
         PVOID Object;          // pointer with the RefCnt bits still embedded
         ULONG_PTR RefCnt : 3;  // low 3 bits: inline reference count
         ULONG_PTR Value;       // raw word, used by the caller for masking
     };
 } EX_FAST_REF, *PEX_FAST_REF;
 typedef struct _CONTROL_AREA {
     /*
      * Partial reconstruction of ntkrnlmp!_CONTROL_AREA (Win10 x64 build 14393).
      * Debugger output kept for offset checking (sample values from one run):
      *
      * (*((ntkrnlmp!_CONTROL_AREA *)0xffffd18b3276d370))[Type:_CONTROL_AREA]
      * [+0x000] Segment : 0xffffa405114286d0[Type:_SEGMENT *]
      * [+0x008] ListHead[Type:_LIST_ENTRY]
      * [+0x018] NumberOfSectionReferences : 0x1[Type:unsigned __int64]
      * [+0x020] NumberOfPfnReferences : 0xa[Type:unsigned __int64]
      * [+0x028] NumberOfMappedViews : 0x4[Type:unsigned __int64]
      * [+0x030] NumberOfUserReferences : 0x5[Type:unsigned __int64]
      * [+0x038] u[Type:]
      * [+0x03c] u1[Type:]
      * [+0x040] FilePointer[Type:_EX_FAST_REF]
      * [+0x048] ControlAreaLock : 0[Type:long]
      * [+0x04c] ModifiedWriteCount : 0x0[Type:unsigned long]
      * [+0x050] WaitList : 0x0[Type:_MI_CONTROL_AREA_WAIT_BLOCK *]
      * [+0x058] u2[Type:]
      * [+0x068] FileObjectLock[Type:_EX_PUSH_LOCK]
      * [+0x070] LockedPages : 0x1[Type:unsigned __int64]
      * [+0x078] u3[Type:]
      */
     PSEGMENT Segment;                           // +0x000: the segment points back here through _SEGMENT.ControlArea
     LIST_ENTRY ListHead;                        // +0x008: not examined by the author
     unsigned __int64 NumberOfSectionReferences; // +0x018: 0x1 in the dump; presumably a section reference count -- unverified
     unsigned __int64 NumberOfPfnReferences;     // +0x020: 0xa in the dump; meaning not verified here
     unsigned __int64 NumberOfMappedViews;       // +0x028: 0x4 in the dump; presumably count of mapped views -- unverified
     unsigned __int64 NumberOfUserReferences;    // +0x030: 0x5 in the dump; meaning not verified here
     ULONG32 u;                                  // +0x038: opaque union in the kernel, not decoded
     ULONG32 u1;                                 // +0x03c: same
     EX_FAST_REF FilePointer;                    // +0x040: fast reference to the backing FILE_OBJECT --
                                                 // the field VadPreOrderTraverse is after
     long ControlAreaLock;                       // +0x048: lock whose protocol the author did not investigate;
                                                 // nothing in this listing acquires it before using FilePointer
     // ... remaining fields (ModifiedWriteCount, WaitList, u2, FileObjectLock, LockedPages, u3)
     // omitted. NOTE(review): sizeof(CONTROL_AREA) is smaller than the real structure, so
     // access it only through a pointer into kernel memory, never allocate or copy it.
 }CONTROL_AREA,*PCONTROL_AREA;
 typedef struct _SUBSECTION {
     /*
      * Partial reconstruction of _SUBSECTION: only the first three pointers are
      * declared, which is all the traversal below needs (ControlArea). The rest
      * of the layout is recorded from the debugger after the declared members.
      */
     PCONTROL_AREA ControlArea;          // +0x000: owning control area, used to reach FilePointer
     struct MMPTE* SubsectionBase;       // +0x008: NOTE(review): "struct MMPTE" declares a new incomplete
                                         // type here, distinct from the PMMPTE used in MMVAD; harmless
                                         // because only a pointer to it is stored
     struct _SUBSECTION* NextSubsection; // +0x010: next subsection in the chain (not followed in this listing)
     /* remaining fields as shown by the debugger:
      + 0x018 GlobalPerSessionHead : _RTL_AVL_TREE
      + 0x018 CreationWaitList : Ptr64 _MI_CONTROL_AREA_WAIT_BLOCK
      + 0x018 SessionDriverProtos : Ptr64 _MI_PER_SESSION_PROTOS
      + 0x020 u :
      + 0x024 StartingSector : Uint4B
      + 0x028 NumberOfFullSectors : Uint4B
      + 0x02c PtesInSubsection : Uint4B
      + 0x030 u1 :
      + 0x034 UnusedPtes : Pos 0, 31 Bits
      + 0x034 DirtyPages : Pos 31, 1 Bit
      + 0x034 u2 : */

 }SUBSECTION,*PSUBSECTION;
 #pragma pack(1)
 /*
  * _MMVAD (Win10 x64 build 14393) with the leading _MMVAD_SHORT left as an opaque
  * 0x40-byte blob. Member offsets match the debugger layout:
  *
  *  +0x000 Core : _MMVAD_SHORT
  *  +0x040 u2 :
  *  +0x048 Subsection : Ptr64 _SUBSECTION
  *  +0x050 FirstPrototypePte : Ptr64 _MMPTE
  *  +0x058 LastContiguousPte : Ptr64 _MMPTE
  *  +0x060 ViewLinks : _LIST_ENTRY
  *  +0x070 VadsProcess : Ptr64 _EPROCESS
  *  +0x078 u4 :
  *  +0x080 FileObject : Ptr64 _FILE_OBJECT
  *
  * VadPreOrderTraverse casts a PRTL_BALANCED_NODE to PMMVAD, so the tree node
  * must sit at offset 0 inside Core -- TODO confirm against _MMVAD_SHORT for this
  * build. pack(1) changes no offset in this particular layout (every member after
  * the 0x40-byte Core is already at an 8-byte-aligned offset) but keeps the intent
  * explicit. The tag "__MMVAD" (double underscore) is a reserved identifier.
  */
 typedef struct __MMVAD{
     char Core[0x40];          // +0x000: _MMVAD_SHORT, left opaque
     ULONG64 u2;               // +0x040
     PSUBSECTION Subsection;   // +0x048: -> _SUBSECTION -> ControlArea -> FilePointer (path used by the traversal)
     PMMPTE FirstPrototypePte; // +0x050
     PMMPTE LastContiguousPte; // +0x058
     LIST_ENTRY64 ViewLinks;   // +0x060 (16 bytes)
     PEPROCESS VadsProcess;    // +0x070: a valid pointer here is what the traversal treats as "this VAD maps a module"
     ULONG64 u4;               // +0x078
     PFILE_OBJECT FileObject;  // +0x080: read into a local by the traversal but not otherwise used
 }MMVAD,*PMMVAD;
 #pragma pack()

/*
 * VadPreOrderTraverse - recursive pre-order walk of a process VAD tree.
 *
 * Starts at VaddTree and follows the RTL_BALANCED_NODE Right/Left links. Each
 * node is reinterpreted as a PMMVAD (layout above); that cast assumes the
 * RTL_BALANCED_NODE is the first member of MMVAD.Core -- TODO confirm against
 * _MMVAD_SHORT for this build.
 *
 * For every node whose VadsProcess, Subsection, ControlArea and FilePointer all
 * pass MmIsAddressValid, the backing FILE_OBJECT is recovered from the
 * EX_FAST_REF and its FileName is overwritten in place with a fixed literal,
 * then printed with DbgPrint. Nothing is returned; all effects are the writes
 * to the shared FILE_OBJECT and the debug output.
 *
 * Review notes:
 *  - memcpy copies sizeof(literal) bytes regardless of FileName.MaximumLength;
 *    only the preceding memset is bounded, so a name buffer shorter than the
 *    literal is overrun (kernel pool corruption).
 *  - FileName.Length is set to sizeof(literal), which includes the terminating
 *    NUL; UNICODE_STRING.Length conventionally excludes it.
 *  - The FILE_OBJECT is shared by every opener of that file (the CONTROL_AREA
 *    dump above shows several mapped views and user references), so the
 *    rewritten name is visible system-wide and outlives this call. No lock is
 *    taken around the write (ControlAreaLock / FileObjectLock appear in the
 *    dumps), so a concurrent reader can observe a half-written name. As the
 *    SEGMENT comment notes, the PE headers at BasedAddress remain an
 *    independent source of the module name for cross-checking.
 *  - MmIsAddressValid only proves the page is mapped, not that the memory holds
 *    the expected object; __try/__except catches faults but not a successful
 *    write to the wrong object.
 *  - Recursion depth equals the tree height; there is no cycle or depth guard.
 *  - Both string literals look like they lost their path separators and the
 *    trailing "\n" when the listing was published -- verify against the source.
 */
VOID VadPreOrderTraverse(PRTL_BALANCED_NODE VaddTree) {
    if (MmIsAddressValid(VaddTree))
    {
        PSUBSECTION L_Subsection = ((PMMVAD)VaddTree)->Subsection;
        PVOID64 L_VadsProcess = ((PMMVAD)VaddTree)->VadsProcess;
        PVOID64 L_FileObject = ((PMMVAD)VaddTree)->FileObject; // read but never used below
        // __debugbreak();
        // Author's first-look note: VadsProcess and Subsection are the fields that matter.

        if (MmIsAddressValid(L_VadsProcess)) { // a valid VadsProcess is taken to mean "this VAD maps a module"
            // The third check validates the unmasked FilePointer.Value (RefCnt bits still set);
            // page validity is unaffected by the low 3 bits, so this is equivalent to checking
            // the masked pointer.
            if (MmIsAddressValid(((PMMVAD)VaddTree)->Subsection) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea) && MmIsAddressValid(((PMMVAD)VaddTree)->Subsection->ControlArea->FilePointer.Value))
            {
                // Clear the low 3 RefCnt bits of the EX_FAST_REF to recover the FILE_OBJECT.
                // (integer -> pointer conversion without a cast; the compiler will warn)
                PFILE_OBJECT file_object =( (L_Subsection->ControlArea->FilePointer.Value )>> 3 )<< 3;
                if (MmIsAddressValid(file_object)) {
                    __try {
                        // Zero the existing name buffer, bounded by MaximumLength ...
                        memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
                        // ... then copy the literal in, NOT bounded by MaximumLength (see header note).
                        memcpy(file_object->FileName.Buffer, L"C:WINDOWSsystem32csrss.exe", sizeof(L"C:WINDOWSsystem32csrss.exe"));
                        file_object->FileName.Length = sizeof(L"C:WINDOWSsystem32csrss.exe"); // includes the NUL
                        DbgPrint("File Name:%wZ n", &file_object->FileName);
                    }
                    __except (1) { DbgPrint(("exception")); } // 1 == EXCEPTION_EXECUTE_HANDLER: swallow the fault
                    //DbgPrint("file_object :%p MMVAD:%p %S n", file_object, VaddTree, ModuleName);
                }
            }
        }

        if (MmIsAddressValid(VaddTree->Right))
            VadPreOrderTraverse(VaddTree->Right);
        // BUG: the stray ';' terminates this if, so the Left recursion below is
        // unconditional. Only harmless because the callee re-checks
        // MmIsAddressValid(VaddTree) on entry (FALSE for a NULL link).
        if (MmIsAddressValid(VaddTree->Left));
            VadPreOrderTraverse(VaddTree->Left);
    }
}

由FAKE

Через тернии к звездам,
через радость и слезы
Мы проложим дорогу
