
Specs: Windows 7 x64, Visual C++

Goal: I am trying to get the remote PEB from a sample program (e.g. calc.exe). I found the proc ID, and I have opened a handle to the process with all the right permissions. I am now starting to write a class that uses PROCESS_BASIC_INFORMATION to retrieve the location of the PEB from the process.

Problem: I have found several posts elsewhere that seem to indicate that NtQueryInformationProcess has been trashed at MS. One article proposed a way to dynamically link NtQueryInformationProcess from ntdll.dll. However, I think that would be unstable in the long run (MS could remove NtQueryInformationProcess tomorrow) without extensive error handling.

This idea was later implemented in this thread, after which Mike2343 suggested that one should "use a different method".

Question: What is another way to locate a remote process's PEB that does not involve NtQueryInformationProcess?

Thanks to anyone who takes the time to look at this.


1 Answer


Method I ended up using:

I stole pretty much all of this code and fixed it up for 64-bit. I spent a ton of time wrapping my head around various documents related to all of the different headers and structs. I also ran into an issue regarding the PE32+ format, where jcopenha was kind enough to enlighten me on a few problems I might be facing. After accounting for these problems I had a functioning program that is capable of obtaining a list of all the DLLs and their respective functions loaded in by an executable, along with their relative addresses.

In retrospect, I don't think I had a good handle on what I was attempting to do. I think that I thought I was going to read in a process out of memory and find the PEB-related structs or something (later I found out that image headers and the like account for the information in the PEB). That may be possible, but what I have now is an offline example that reads in exe files and works for me.

answered 2012-07-30T23:40:56.473
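The answer above settles on parsing the executable's headers offline rather than reading the remote PEB. As an added example, not the poster's code, here is a minimal walker for the PE import directory that handles both PE32+ (8-byte thunks, DataDirectory at offset 112 of the optional header) and PE32 (4-byte thunks, offset 96), and reports each imported function together with the RVA of its IAT slot. The `build_sample_pe32plus` helper, its offsets and the DLL and function names it embeds are constructed for the demonstration and do not come from any real binary.

```python
import struct

def rva_to_offset(sections, rva):
    for va, raw_size, raw_ptr in sections:  # (VirtualAddress, SizeOfRawData, PointerToRawData)
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def parse_imports(buf):
    """Return {dll: [(name or '#ordinal', RVA of its IAT slot), ...]} from a PE32+ or PE32 file image."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", buf, e_lfanew + 6)  # COFF NumberOfSections, SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]                      # 0x20B = PE32+, 0x10B = PE32
    psize, dd_off, fmt, ord_flag = {0x20B: (8, 112, "<Q", 1 << 63), 0x10B: (4, 96, "<I", 1 << 31)}[magic]
    imp_rva = struct.unpack_from("<I", buf, opt + dd_off + 8)[0]       # DataDirectory[1] = IMPORT
    sections = [struct.unpack_from("<III", buf, opt + opt_size + i * 40 + 12) for i in range(nsec)]
    imports, desc = {}, rva_to_offset(sections, imp_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", buf, desc)
        if name_rva == 0:                                       # all-zero descriptor terminates the array
            return imports
        thunk, funcs = rva_to_offset(sections, oft or ft), []   # prefer the INT; fall back to the unbound IAT
        while entry := struct.unpack_from(fmt, buf, thunk)[0]:  # a zero thunk ends this DLL's list
            if entry & ord_flag:                                # import by ordinal
                name = "#%d" % (entry & 0xFFFF)
            else:                                               # IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                name = cstr(buf, rva_to_offset(sections, (entry & 0x7FFFFFFF) + 2))
            funcs.append((name, ft + len(funcs) * psize))
            thunk += psize
        imports[cstr(buf, rva_to_offset(sections, name_rva))] = funcs
        desc += 20

def build_sample_pe32plus():
    """Constructed, minimal PE32+ image (not a real binary): one .idata section importing from KERNEL32.dll."""
    img = bytearray(0x2C0)
    img[0:2], img[0x3C:0x44] = b"MZ", b"\x40\0\0\0PE\0\0"                          # e_lfanew = 0x40, then "PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)        # COFF: x64, one section
    struct.pack_into("<H", img, 0x58, 0x20B)                                      # Magic = PE32+
    struct.pack_into("<II", img, 0x58 + 112 + 8, 0x1000, 40)                      # DataDirectory[IMPORT]
    struct.pack_into("<8sIIII", img, 0x148, b".idata", 0xC0, 0x1000, 0xC0, 0x200)  # RVA 0x1000 maps to file 0x200
    struct.pack_into("<IIIII", img, 0x200, 0x1080, 0, 0, 0x1040, 0x10A0)          # descriptor: INT, name, IAT
    img[0x240:0x24D], img[0x250:0x25E], img[0x260:0x26E] = b"KERNEL32.dll\0", b"\0\0OpenProcess\0", b"\0\0CloseHandle\0"
    img[0x280:0x2C0] = struct.pack("<QQQQ", 0x1050, 0x1060, (1 << 63) | 7, 0) * 2  # INT, then an identical unbound IAT
    return bytes(img)
```

Feed `parse_imports` the bytes of a real file (read in binary mode) to list every DLL and function it imports; the section-table mapping is what makes this work on the on-disk image rather than a loaded process.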