CreateProcessEx: creating a process
NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL
    );
Among these parameters, SectionHandle stands for the executable: it is a handle to the image section that the new process will run. The System process has no executable image, which is why the parameter is marked OPTIONAL, but for every other process it is required. Because the section, not a file path, decides what code the new process executes, it is worth knowing how to trace a section back to the file behind it.
The kernel turns the handle into a SECTION_OBJECT reference with ObReferenceObjectByHandle:
//
// Section Object
//
typedef struct _SECTION_OBJECT
{
    PVOID StartingVa;
    PVOID EndingVa;
    PVOID LeftChild;
    PVOID RightChild;
    PSEGMENT_OBJECT Segment;
} SECTION_OBJECT, *PSECTION_OBJECT;
Here something odd shows up. The fifth member, Segment, is declared as PSEGMENT_OBJECT, and the header defines that type as:
//
// Segment Object
//
typedef struct _SEGMENT_OBJECT
{
    PVOID BaseAddress;
    ULONG TotalNumberOfPtes;
    LARGE_INTEGER SizeOfSegment;
    ULONG NonExtendedPtes;
    ULONG ImageCommitment;
    PCONTROL_AREA ControlArea;
    PSUBSECTION Subsection;
    PLARGE_CONTROL_AREA LargeControlArea;
    PMMSECTION_FLAGS MmSectionFlags;
    PMMSUBSECTION_FLAGS MmSubSectionFlags;
} SEGMENT_OBJECT, *PSEGMENT_OBJECT;
But what actually sits behind that pointer is the kernel's own SEGMENT structure, whose layout is different and whose first member is the control area:
typedef struct _SEGMENT
{
    struct _CONTROL_AREA *ControlArea;
    ULONG TotalNumberOfPtes;
    ULONG NonExtendedPtes;
    ULONG Spare0;
    ULONGLONG SizeOfSegment;
    MMPTE SegmentPteTemplate;
    ULONG NumberOfCommittedPages;
    PMMEXTEND_INFO ExtendInfo;
    SEGMENT_FLAGS SegmentFlags;
    PVOID BasedAddress;
    union {
        SIZE_T ImageCommitment;
        PEPROCESS CreatingProcess;
    } u1;
    union {
        PSECTION_IMAGE_INFORMATION ImageInformation;
        PVOID FirstMappedVa;
    } u2;
    PMMPTE PrototypePte;
    MMPTE ThePtes[1];
} SEGMENT, *PSEGMENT;
//
// Control Area Structures
//
typedef struct _CONTROL_AREA
{
    PSEGMENT Segment;
    LIST_ENTRY DereferenceList;
    ULONG NumberOfSectionReferences;
    ULONG NumberOfPfnReferences;
    ULONG NumberOfMappedViews;
    ULONG NumberOfSystemCacheViews;
    ULONG NumberOfUserReferences;
    union {
        ULONG LongFlags;
        MMSECTION_FLAGS Flags;
    } u;
    PFILE_OBJECT FilePointer;
    PEVENT_COUNTER WaitingForDeletion;
    USHORT ModifiedWriteCount;
    USHORT FlushInProgressCount;
    ULONG WritableUserReferences;
    ULONG QuadwordPad;
} CONTROL_AREA, *PCONTROL_AREA;
And there, at last, is the member we were looking for:
PFILE_OBJECT FilePointer;
It tells us which file the SectionHandle corresponds to: SECTION_OBJECT.Segment points at a SEGMENT, SEGMENT.ControlArea points at the CONTROL_AREA, and CONTROL_AREA.FilePointer is the FILE_OBJECT of the image being mapped.
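The walk described above, as an added example that is not code from the original page: a user-mode model of the pointer chain SECTION_OBJECT -> SEGMENT -> CONTROL_AREA -> FILE_OBJECT, built from the member order the page gives. The types the page leaves opaque (MMPTE, MMSECTION_FLAGS, LARGE_INTEGER, FILE_OBJECT and the rest) are stub stand-ins here, which is an assumption made so the model compiles and runs anywhere; the helper names SectionFileObject, ControlAreaOffsetMismatch and BuildSampleChain and the sample file path are likewise this example's own. Real offsets differ between Windows builds and must be taken from the target kernel's symbols.

```c
/* Added example (not from the original page): model of the section -> file walk. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void     *PVOID;
typedef uint16_t  USHORT;
typedef uint32_t  ULONG;
typedef uint64_t  ULONGLONG;
typedef size_t    SIZE_T;
typedef union  { int64_t QuadPart; }   LARGE_INTEGER;
typedef struct { PVOID Flink, Blink; } LIST_ENTRY;
typedef struct { uintptr_t u; }        MMPTE, *PMMPTE;                 /* stub (assumption) */
typedef struct { ULONG Bits; }         SEGMENT_FLAGS, MMSECTION_FLAGS; /* stub (assumption) */
typedef PVOID PMMEXTEND_INFO, PSECTION_IMAGE_INFORMATION, PEPROCESS, PEVENT_COUNTER,
              PSUBSECTION, PLARGE_CONTROL_AREA, PMMSECTION_FLAGS, PMMSUBSECTION_FLAGS;
/* Stub FILE_OBJECT: the real one holds a UNICODE_STRING FileName; a C string stands in. */
typedef struct _FILE_OBJECT { const char *FileName; } FILE_OBJECT, *PFILE_OBJECT;

struct _SEGMENT;
typedef struct _CONTROL_AREA {
    struct _SEGMENT *Segment;
    LIST_ENTRY DereferenceList;
    ULONG NumberOfSectionReferences, NumberOfPfnReferences, NumberOfMappedViews,
          NumberOfSystemCacheViews, NumberOfUserReferences;
    union { ULONG LongFlags; MMSECTION_FLAGS Flags; } u;
    PFILE_OBJECT FilePointer;      /* the backing file: the member the text is after */
    PEVENT_COUNTER WaitingForDeletion;
    USHORT ModifiedWriteCount, FlushInProgressCount;
    ULONG WritableUserReferences, QuadwordPad;
} CONTROL_AREA, *PCONTROL_AREA;

/* What the kernel actually places behind SECTION_OBJECT.Segment (page's layout). */
typedef struct _SEGMENT {
    PCONTROL_AREA ControlArea;     /* first member */
    ULONG TotalNumberOfPtes, NonExtendedPtes, Spare0;
    ULONGLONG SizeOfSegment;
    MMPTE SegmentPteTemplate;
    ULONG NumberOfCommittedPages;
    PMMEXTEND_INFO ExtendInfo;
    SEGMENT_FLAGS SegmentFlags;
    PVOID BasedAddress;
    union { SIZE_T ImageCommitment; PEPROCESS CreatingProcess; } u1;
    union { PSECTION_IMAGE_INFORMATION ImageInformation; PVOID FirstMappedVa; } u2;
    PMMPTE PrototypePte;
    MMPTE ThePtes[1];
} SEGMENT, *PSEGMENT;

/* What the DDK header declares for that member; here ControlArea is the sixth field. */
typedef struct _SEGMENT_OBJECT {
    PVOID BaseAddress;
    ULONG TotalNumberOfPtes;
    LARGE_INTEGER SizeOfSegment;
    ULONG NonExtendedPtes, ImageCommitment;
    PCONTROL_AREA ControlArea;
    PSUBSECTION Subsection;
    PLARGE_CONTROL_AREA LargeControlArea;
    PMMSECTION_FLAGS MmSectionFlags;
    PMMSUBSECTION_FLAGS MmSubSectionFlags;
} SEGMENT_OBJECT, *PSEGMENT_OBJECT;

typedef struct _SECTION_OBJECT {
    PVOID StartingVa, EndingVa, LeftChild, RightChild;
    PSEGMENT_OBJECT Segment;       /* declared type; what it points at is a SEGMENT */
} SECTION_OBJECT, *PSECTION_OBJECT;

/* Follow the chain as the kernel lays it out, never dereferencing a NULL link. */
PFILE_OBJECT SectionFileObject(const SECTION_OBJECT *Section)
{
    if (Section == NULL || Section->Segment == NULL) return NULL;
    const SEGMENT *Seg = (const SEGMENT *)Section->Segment;   /* reinterpret, as the text does */
    if (Seg->ControlArea == NULL) return NULL;
    return Seg->ControlArea->FilePointer;
}

/* Byte distance between where the header says ControlArea lives and where it really is:
 * casting Segment to PSEGMENT_OBJECT and reading ->ControlArea would read this far off. */
long ControlAreaOffsetMismatch(void)
{
    return (long)offsetof(SEGMENT_OBJECT, ControlArea) - (long)offsetof(SEGMENT, ControlArea);
}

/* Constructed sample chain standing in for what ObReferenceObjectByHandle would yield. */
PSECTION_OBJECT BuildSampleChain(void)
{
    static FILE_OBJECT    File = { "\\Device\\HarddiskVolume1\\Windows\\System32\\notepad.exe" };
    static CONTROL_AREA   Ca;
    static SEGMENT        Seg;
    static SECTION_OBJECT Sec;
    Ca.FilePointer = &File;
    Ca.NumberOfSectionReferences = 1;
    Seg.ControlArea = &Ca;
    Ca.Segment = &Seg;
    Sec.Segment = (PSEGMENT_OBJECT)&Seg;   /* header type on the left, kernel type on the right */
    return &Sec;
}

int main(void)
{
    PFILE_OBJECT f = SectionFileObject(BuildSampleChain());
    printf("section backed by: %s\n", f ? f->FileName : "(none)");
    printf("header vs kernel ControlArea offset mismatch: %ld bytes\n", ControlAreaOffsetMismatch());
    return 0;
}
```

In a driver the SECTION_OBJECT pointer comes from ObReferenceObjectByHandle on SectionHandle with MmSectionObjectType and must be released with ObDereferenceObject; every link in the walk is NULL-checked because a section need not be file-backed (a pagefile-backed section has no file object behind it). ControlAreaOffsetMismatch is the point of the page in one number: reading ControlArea through the header's SEGMENT_OBJECT type would fetch a word from the middle of the real SEGMENT, not its first member.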