[求助]Ring0 如何通过进程名称获取基地址-付费问答-看雪-安全社区|安全招聘|kanxue.com

最新回复 (1)
jamp 雪币： 39 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 7 粉丝 0 关注私信	jamp 2 楼在网上查了一下,解决了这个问题了 480K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0T1M7#2)9J5k6h3u0&6M7W2)9J5k6h3y4F1i4K6u0r3i4K6t1K6i4K6t1I4j5i4u0@1K9h3y4D9k6g2)9J5c8W2y4W2j5%4g2J5K9i4c8&6i4K6u0r3y4U0R3J5z5l9`.`. 发现该进程EPROCESS偏移0c4h处的_HANDLE_TABLE . _HANDLE_TABLE +0x4 就是进程的基地 VOID LoadExeRoutine ( IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate ) { PEPROCESS EProcess; NTSTATUS status; status = PsLookupProcessByProcessId( (ULONG)PId, &EProcess); if (!NT_SUCCESS( status )) { DbgPrint("PsLookupProcessByProcessId()\n"); return ; } if ( bCreate ) { if( _stricmp((char )((ULONG)(EProcess)+0x174),"Client.exe")==TRUE) { ULONG aa =(ULONG)((ULONG)EProcess+0x0c4); KdPrint(("Client的基地址为%x \n",(ULONG*)(aa+4))); DbgPrint(("\n\n+++++++++++++++++++++++++++++++Client.exe++++++++++++++++++++++++++\n\n")); } } return; } 用windbg 验证了一下 PROCESS 83621da0 SessionId: 0 Cid: 0514 Peb: 7ffdb000 ParentCid: 06ac DirBase: 1418e000 ObjectTable: e1877760 HandleCount: 494. Image: Client.exe 这是调试的信息: Client的基地址为83621da0 +++++++++++++++++++++++++++++++Client.exe++++++++++++++++++++++++++ 2013-5-15 17:24 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

最新回复 (1)

jamp

雪币： 39

活跃值： (10)

能力值：

( LV2，RANK：10 )

在线值：

发帖

回帖

粉丝

关注

私信

jamp: 2 楼

在网上查了一下,解决了这个问题了 480K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8X3u0T1M7#2)9J5k6h3u0&6M7W2)9J5k6h3y4F1i4K6u0r3i4K6t1K6i4K6t1I4j5i4u0@1K9h3y4D9k6g2)9J5c8W2y4W2j5%4g2J5K9i4c8&6i4K6u0r3y4U0R3J5z5l9`.`.
发现该进程EPROCESS偏移0c4h处的_HANDLE_TABLE .
_HANDLE_TABLE +0x4 就是进程的基地

VOID LoadExeRoutine (
IN HANDLE hParentId, IN HANDLE PId,IN BOOLEAN bCreate
)
{
PEPROCESS EProcess;
NTSTATUS status;

status = PsLookupProcessByProcessId( (ULONG)PId, &EProcess);
if (!NT_SUCCESS( status ))
{
DbgPrint("PsLookupProcessByProcessId()\n");
return ;
}

if ( bCreate )
{
if( _stricmp((char *)((ULONG)(EProcess)+0x174),"Client.exe")==TRUE)
{
ULONG aa =*(ULONG*)((ULONG)EProcess+0x0c4);
KdPrint(("Client的基地址为%x \n",*(ULONG*)(aa+4)));
DbgPrint(("\n\n+++++++++++++++++++++++++++++++Client.exe++++++++++++++++++++++++++\n\n"));

}
}
return;
}

用windbg 验证了一下
PROCESS 83621da0 SessionId: 0 Cid: 0514 Peb: 7ffdb000 ParentCid: 06ac
DirBase: 1418e000 ObjectTable: e1877760 HandleCount: 494.
Image: Client.exe

这是调试的信息:
Client的基地址为83621da0

+++++++++++++++++++++++++++++++Client.exe++++++++++++++++++++++++++

2013-5-15 17:24

[旧帖] [求助]Ring0 如何通过进程名称获取基地址 0.00雪花