关于PsSetCreateProcessNotifyRoutine获取全路径的问题
关于PsSetCreateProcessNotifyRoutine获取全路径的问题
最近用PsSetCreateProcessNotifyRoutine获得全路径时，KeAttachProcess后无法获取EProcess->Peb->ProcessParameters，好像系统还没有来得及填充。有没有好一点的办法，在NotifyRoutine时把全路径弄出来？斑竹help
沙发#
发布于:2007-09-07 14:03
板凳#
发布于:2007-09-07 15:15
从SectionHandle取，或者XP以上用ZwQueryInformationProcess
地板#
发布于:2007-09-07 16:10
ZwQueryInformationProcess（其实是ObReferenceObjectByHandle(PROCESS_QUERY_INFORMATION)）有时候会有问题
地下室#
发布于:2007-09-08 10:09
我测试时反而是SectionHandle会经常取错路径。
ZwQueryInformationProcess有什么样的问题？
5楼#
发布于:2007-09-08 10:21
时间问题，但你们给的方法好像都不太可靠哦。开线程等待……也是一种思路，但想尽可能地减轻内核负担。从父进程那里有途径获取没有？
6楼#
发布于:2007-09-08 13:14
再set一个ImageNotifyRoutine不就可以了么~哈哈~
7楼#
发布于:2007-09-10 11:28
在PsSetLoadImageNotifyRoutine?
好像也不可靠哦。我怎么知道ImageNotifyRoutine里来的一定是新建立的这个进程？虽然有进程ID，还要保存、比对，有很多问题。在PsSetCreateProcessNotifyRoutine里把进程ID保存起来？进程ID随时进来，ImageNotifyRoutine也在随时进入，很难确定新建进程的完整路径。看了一下Windows源码：PEB的PRTL_USER_PROCESS_PARAMETERS结构在第一个线程调度时才会填充，PsSetCreateThreadNotifyRoutine才是目标。还在测试中。
8楼#
发布于:2007-09-11 12:53
经过2天的折腾终于发现解决问题的关键还是PsSetLoadImageNotifyRoutine。。。失败啊！为什么问题都要这么复杂啊~~~~~~~
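![]() 公布一下研究结果
/*
 * Body fragment of the load-image notify routine (the enclosing signature is not in
 * the post): FullImageName and ProcessId are the callback's parameters.  It looks the
 * process up, prints its command line from the PEB and walks the in-load-order module
 * list so the log below shows when each PEB structure becomes populated.
 *
 * Changes against the version first posted:
 *   - PsLookupProcessByProcessId takes a reference on the EPROCESS that was never
 *     released, leaking one reference per image load.  Every path past the lookup now
 *     ends in the ObDereferenceObject at the bottom.
 *   - FullImageName (documented as possibly NULL for this callback), Peb,
 *     ProcessParameters and Ldr are each NULL-checked before use; the log below has no
 *     "Path****" line for the first two loads, consistent with ProcessParameters still
 *     being NULL there.
 *   - UNICODE_STRING buffers are not guaranteed NUL-terminated, so they are printed
 *     with %wZ instead of %ws; DllBase is a pointer and is printed with %p.
 *   - The PEB and the loader list are user-mode memory that the process itself
 *     controls.  A corrupt or hostile list must not bugcheck the system or spin the
 *     callback forever, so the walk runs under __try/__except and is capped.
 * NOTE(review): EPROCESS/PEB layouts are undocumented and build-specific; the private
 * struct definitions this relies on are not shown in the post.
 * NOTE(review): assumes the routine runs in the context of the process that owns the
 * PEB (the case for a load-image notify callback) -- confirm, otherwise the user-mode
 * pointers are not addressable here.
 */
UNICODE_STRING u_targetDLL;
PEPROCESS EProcess = NULL;
PUNICODE_STRING ProcessName = NULL;
PLDR_DATA_TABLE_ENTRY LoaderModule;
PLIST_ENTRY ListHead, Current;
ULONG remaining = 1024;  /* arbitrary cap so a looped user-mode list cannot spin forever */

/* Name of the DLL whose load marks a fully set-up PEB in the log below. */
RtlInitUnicodeString(&u_targetDLL, L"kernel32.dll");

if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &EProcess))) {
    DbgPrint("thread: Invalid process id!\n");
    return;  /* nothing referenced yet, so a direct return is fine */
}

DbgPrint("=========Process %s", EProcess->ImageFileName);
if (FullImageName) {
    DbgPrint("=========Module %wZ", FullImageName);
}

if (!EProcess->Peb) {
    DbgPrint("Peb==NULL");
    goto cleanup;
}

/* Everything below reads memory the target process can unmap or corrupt at will. */
__try {
    if (!EProcess->Peb->ProcessParameters) {
        DbgPrint("ProcessParameters==NULL");
        __leave;
    }
    ProcessName = &(EProcess->Peb->ProcessParameters->CommandLine);
    DbgPrint("Path**** %wZ", ProcessName);

    if (!EProcess->Peb->Ldr) {
        DbgPrint("Ldr==NULL");
        __leave;
    }
    ListHead = &(EProcess->Peb->Ldr->InLoadOrderModuleList);
    Current = ListHead->Flink;
    DbgPrint("-------------------------\n");
    while (Current != ListHead && remaining != 0) {
        remaining--;
        LoaderModule = CONTAINING_RECORD(Current, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        /* Filter left disabled so every module is listed; re-enable it to report
         * only the target DLL:
         * if (RtlCompareUnicodeString(&LoaderModule->BaseDllName, &u_targetDLL, TRUE) == 0) */
        DbgPrint("base=%p, Module %wZ\n", LoaderModule->DllBase, &LoaderModule->BaseDllName);
        Current = LoaderModule->InLoadOrderLinks.Flink;
    }
    DbgPrint("*************************\n");
} __except (EXCEPTION_EXECUTE_HANDLER) {
    /* A fault here means the process handed us a bad PEB; log and move on. */
    DbgPrint("PEB access faulted: 0x%X\n", GetExceptionCode());
}

cleanup:
/* Release the reference taken by PsLookupProcessByProcessId. */
ObDereferenceObject(EProcess);
结果 00000000 0.00000000 =========Process 1.EXE 00000001 0.00003716 =========Module \Device\HarddiskVolume3\1.EXE 00000002 0.00010197 Ldr==NULL 00000003 0.00015812 =========Process 1.EXE 00000004 0.00019025 =========Module \SystemRoot\System32\ntdll.dll 00000005 0.00022405 Ldr==NULL 00000006 0.05044412 =========Process 1.EXE 00000007 0.05050223 =========Module \WINDOWS\system32\kernel32.dll 00000008 0.05053855 Path**** "D:\1.EXE" 00000009 0.05056565 ------------------------- 00000010 0.05059749 base=1000000, Module 1.EXE 00000011 0.05062906 base=7c920000, Module ntdll.dll 00000012 0.05066035 ************************* 00000013 0.05235526 =========Process 1.EXE 00000014 0.05238682 =========Module \WINDOWS\system32\comdlg32.dll 00000015 0.05244466 Path**** "D:\1.EXE" 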
00000016 0.05244996 ------------------------- 00000017 0.05248181 base=1000000, Module 1.EXE 00000018 0.05251366 base=7c920000, Module ntdll.dll 00000019 0.05254551 base=7c800000, Module kernel32.dll 00000020 0.05257680 ************************* 00000021 0.05270893 =========Process 1.EXE 00000022 0.05274218 =========Module \WINDOWS\system32\shlwapi.dll 00000023 0.05277459 Path**** "D:\1.EXE" 00000024 0.05280504 ------------------------- 00000025 0.05283660 base=1000000, Module 1.EXE 00000026 0.05286510 base=7c920000, Module ntdll.dll 00000027 0.05289723 base=7c800000, Module kernel32.dll 00000028 0.05292963 base=76320000, Module comdlg32.dll 00000029 0.05296064 ************************* 00000030 0.05309027 =========Process 1.EXE 00000031 0.05315648 =========Module \WINDOWS\system32\advapi32.dll 00000032 0.05318916 Path**** "D:\1.EXE" 00000033 0.05321961 ------------------------- 00000034 0.05325118 base=1000000, Module 1.EXE 00000035 0.05328275 base=7c920000, Module ntdll.dll 00000036 0.05331516 base=7c800000, Module kernel32.dll 00000037 0.05334756 base=76320000, Module comdlg32.dll 00000038 0.05337997 base=77f40000, Module SHLWAPI.dll 00000039 0.05341098 ************************* 00000040 0.05372610 =========Process 1.EXE 00000041 0.05375935 =========Module \WINDOWS\system32\rpcrt4.dll 00000042 0.05379203 Path**** "D:\1.EXE" 00000043 0.05382248 ------------------------- 00000044 0.05385405 base=1000000, Module 1.EXE 00000045 0.05388590 base=7c920000, Module ntdll.dll 00000046 0.05391747 base=7c800000, Module kernel32.dll 00000047 0.05394848 base=76320000, Module comdlg32.dll 00000048 0.05398507 base=77f40000, Module SHLWAPI.dll 00000049 0.05401413 base=77da0000, Module ADVAPI32.dll 00000050 0.05404709 ************************* 00000051 0.05439350 =========Process 1.EXE 00000052 0.05440105 =========Module \WINDOWS\system32\gdi32.dll 00000053 0.05445804 Path**** "D:\1.EXE" 00000054 0.05446362 ------------------------- 00000055 0.05449491 base=1000000, Module 1.EXE 
00000056 0.05452676 base=7c920000, Module ntdll.dll 00000057 0.05455889 base=7c800000, Module kernel32.dll 00000058 0.05459129 base=76320000, Module comdlg32.dll 00000059 0.05462398 base=77f40000, Module SHLWAPI.dll 00000060 0.05465583 base=77da0000, Module ADVAPI32.dll 00000061 0.05468795 base=77e50000, Module RPCRT4.dll 00000062 0.05471924 ************************* 00000063 0.05497095 =========Process 1.EXE 00000064 0.05500392 =========Module \WINDOWS\system32\user32.dll 00000065 0.05503633 Path**** "D:\1.EXE" 00000066 0.05509555 ------------------------- 00000067 0.05512684 base=1000000, Module 1.EXE 00000068 0.05513354 base=7c920000, Module ntdll.dll 00000069 0.05516567 base=7c800000, Module kernel32.dll 00000070 0.05519808 base=76320000, Module comdlg32.dll 00000071 0.05523048 base=77f40000, Module SHLWAPI.dll 00000072 0.05526289 base=77da0000, Module ADVAPI32.dll 00000073 0.05529502 base=77e50000, Module RPCRT4.dll 00000074 0.05535173 base=77ef0000, Module GDI32.dll 00000075 0.05538302 ************************* 00000076 0.05589593 =========Process 1.EXE 00000077 0.05592918 =========Module \WINDOWS\system32\msvcrt.dll 00000078 0.05596158 Path**** "D:\1.EXE" 00000079 0.05599231 ------------------------- 00000080 0.05602388 base=1000000, Module 1.EXE 00000081 0.05611859 base=7c920000, Module ntdll.dll 00000082 0.05615071 base=7c800000, Module kernel32.dll 00000083 0.05618312 base=76320000, Module comdlg32.dll 00000084 0.05621552 base=77f40000, Module SHLWAPI.dll 00000085 0.05624793 base=77da0000, Module ADVAPI32.dll 00000086 0.05628034 base=77e50000, Module RPCRT4.dll 00000087 0.05631246 base=77ef0000, Module GDI32.dll 00000088 0.05634431 base=77d10000, Module USER32.dll 00000089 0.05637588 ************************* 00000090 0.05941202 =========Process 1.EXE 00000091 0.05947488 =========Module \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll 00000092 0.05956288 Path**** "D:\1.EXE" 00000093 0.05957182 
------------------------- 00000094 0.05960367 base=1000000, Module 1.EXE 00000095 0.05963551 base=7c920000, Module ntdll.dll 00000096 0.05966792 base=7c800000, Module kernel32.dll 00000097 0.05969977 base=76320000, Module comdlg32.dll 00000098 0.05973161 base=77f40000, Module SHLWAPI.dll 00000099 0.05976402 base=77da0000, Module ADVAPI32.dll 00000100 0.05979643 base=77e50000, Module RPCRT4.dll 00000101 0.05982855 base=77ef0000, Module GDI32.dll 00000102 0.05986096 base=77d10000, Module USER32.dll 00000103 0.05989337 base=77be0000, Module msvcrt.dll 00000104 0.05992465 ************************* 00000105 0.06055965 =========Process 1.EXE 00000106 0.06058982 =========Module \WINDOWS\system32\shell32.dll 00000107 0.06062586 Path**** "D:\1.EXE" 00000108 0.06065296 ------------------------- 00000109 0.06068481 base=1000000, Module 1.EXE 00000110 0.06071638 base=7c920000, Module ntdll.dll 00000111 0.06074850 base=7c800000, Module kernel32.dll 00000112 0.06078091 base=76320000, Module comdlg32.dll 00000113 0.06081359 base=77f40000, Module SHLWAPI.dll 00000114 0.06084600 base=77da0000, Module ADVAPI32.dll 00000115 0.06087841 base=77e50000, Module RPCRT4.dll 00000116 0.06091053 base=77ef0000, Module GDI32.dll 00000117 0.06097171 base=77d10000, Module USER32.dll 00000118 0.06100412 base=77be0000, Module msvcrt.dll 00000119 0.06103653 base=77180000, Module COMCTL32.dll 00000120 0.06106810 ************************* 00000121 0.06298315 =========Process 1.EXE 00000122 0.06301667 =========Module \WINDOWS\system32\winspool.drv 00000123 0.06307394 Path**** "D:\1.EXE" 00000124 0.06307953 ------------------------- 00000125 0.06311110 base=1000000, Module 1.EXE 00000126 0.06314266 base=7c920000, Module ntdll.dll 00000127 0.06317507 base=7c800000, Module kernel32.dll 00000128 0.06320748 base=76320000, Module comdlg32.dll 00000129 0.06323988 base=77f40000, Module SHLWAPI.dll 00000130 0.06327229 base=77da0000, Module ADVAPI32.dll 00000131 0.06330469 base=77e50000, Module RPCRT4.dll 
00000132 0.06333682 base=77ef0000, Module GDI32.dll 00000133 0.06336895 base=77d10000, Module USER32.dll 00000134 0.06340080 base=77be0000, Module msvcrt.dll 00000135 0.06343292 base=77180000, Module COMCTL32.dll 00000136 0.06346533 base=7d590000, Module SHELL32.dll 00000137 0.06349662 ************************* 00000138 0.06929428 =========Process 1.EXE 00000139 0.06933227 =========Module \WINDOWS\system32\imm32.dll 00000140 0.06936468 Path**** "D:\1.EXE" 00000141 0.06939513 ------------------------- 00000142 0.06942698 base=1000000, Module 1.EXE 00000143 0.06945883 base=7c920000, Module ntdll.dll 00000144 0.06948760 base=7c800000, Module kernel32.dll 00000145 0.06952001 base=76320000, Module comdlg32.dll 00000146 0.06955577 base=77f40000, Module SHLWAPI.dll 00000147 0.06958789 base=77da0000, Module ADVAPI32.dll 00000148 0.06962002 base=77e50000, Module RPCRT4.dll 00000149 0.06965215 base=77ef0000, Module GDI32.dll 00000150 0.06968092 base=77d10000, Module USER32.dll 00000151 0.06974490 base=77be0000, Module msvcrt.dll 00000152 0.06977730 base=77180000, Module COMCTL32.dll 00000153 0.06980971 base=7d590000, Module SHELL32.dll 00000154 0.06984240 base=72f70000, Module WINSPOOL.DRV 00000155 0.06987368 ************************* 00000156 0.07273997 =========Process 1.EXE 00000157 0.07277685 =========Module \WINDOWS\system32\lpk.dll 00000158 0.07280897 Path**** "D:\1.EXE" 00000159 0.07283971 ------------------------- 00000160 0.07287155 base=1000000, Module 1.EXE 00000161 0.07290368 base=7c920000, Module ntdll.dll 00000162 0.07293580 base=7c800000, Module kernel32.dll 00000163 0.07296821 base=76320000, Module comdlg32.dll 00000164 0.07300034 base=77f40000, Module SHLWAPI.dll 00000165 0.07303303 base=77da0000, Module ADVAPI32.dll 00000166 0.07306543 base=77e50000, Module RPCRT4.dll 00000167 0.07309756 base=77ef0000, Module GDI32.dll 00000168 0.07312941 base=77d10000, Module USER32.dll 00000169 0.07316181 base=77be0000, Module msvcrt.dll 00000170 0.07319422 base=77180000, 
Module COMCTL32.dll 00000171 0.07322662 base=7d590000, Module SHELL32.dll 00000172 0.07325903 base=72f70000, Module WINSPOOL.DRV 00000173 0.07329144 base=76300000, Module IMM32.DLL 00000174 0.07332273 ************************* 00000175 0.07439996 =========Process 1.EXE 00000176 0.07443460 =========Module \WINDOWS\system32\usp10.dll 00000177 0.07446700 Path**** "D:\1.EXE" 00000178 0.07449745 ------------------------- 00000179 0.07452875 base=1000000, Module 1.EXE 00000180 0.07456059 base=7c920000, Module ntdll.dll 00000181 0.07462513 base=7c800000, Module kernel32.dll 00000182 0.07465753 base=76320000, Module comdlg32.dll 00000183 0.07468994 base=77f40000, Module SHLWAPI.dll 00000184 0.07472235 base=77da0000, Module ADVAPI32.dll 00000185 0.07475448 base=77e50000, Module RPCRT4.dll 00000186 0.07478632 base=77ef0000, Module GDI32.dll 00000187 0.07481845 base=77d10000, Module USER32.dll 00000188 0.07485057 base=77be0000, Module msvcrt.dll 00000189 0.07488298 base=77180000, Module COMCTL32.dll 00000190 0.07491567 base=7d590000, Module SHELL32.dll 00000191 0.07494751 base=72f70000, Module WINSPOOL.DRV 00000192 0.07497908 base=76300000, Module IMM32.DLL 00000193 0.07501177 base=62c20000, Module LPK.DLL 00000194 0.07504362 ************************* 00000195 0.22064117 =========Process 1.EXE 00000196 0.22067833 =========Module \WINDOWS\system32\uxtheme.dll 00000197 0.22071186 Path**** "D:\1.EXE" 00000198 0.22074342 ------------------------- 00000199 0.22077219 base=1000000, Module 1.EXE 00000200 0.22080600 base=7c920000, Module ntdll.dll 00000201 0.22083785 base=7c800000, Module kernel32.dll 00000202 0.22087026 base=76320000, Module comdlg32.dll 00000203 0.22090238 base=77f40000, Module SHLWAPI.dll 00000204 0.22093394 base=77da0000, Module ADVAPI32.dll 00000205 0.22096719 base=77e50000, Module RPCRT4.dll 00000206 0.22099876 base=77ef0000, Module GDI32.dll 00000207 0.22105491 base=77d10000, Module USER32.dll 00000208 0.22109626 base=77be0000, Module msvcrt.dll 00000209 
0.22112894 base=77180000, Module COMCTL32.dll 00000210 0.22116078 base=7d590000, Module SHELL32.dll 00000211 0.22119236 base=72f70000, Module WINSPOOL.DRV 00000212 0.22122589 base=76300000, Module IMM32.DLL 00000213 0.22125717 base=62c20000, Module LPK.DLL 00000214 0.22128874 base=73fa0000, Module USP10.dll 00000215 0.22131947 ************************* 00000216 0.27595937 =========Process 1.EXE 00000217 0.27602279 =========Module \Program Files\360safe\safemon\safemon.dll 00000218 0.27605659 Path**** "D:\1.EXE" 00000219 0.27608678 ------------------------- 00000220 0.27611804 base=1000000, Module 1.EXE 00000221 0.27615103 base=7c920000, Module ntdll.dll 00000222 0.27618259 base=7c800000, Module kernel32.dll 00000223 0.27621442 base=76320000, Module comdlg32.dll 00000224 0.27627113 base=77f40000, Module SHLWAPI.dll 00000225 0.27630356 base=77da0000, Module ADVAPI32.dll 00000226 0.27633625 base=77e50000, Module RPCRT4.dll 00000227 0.27636838 base=77ef0000, Module GDI32.dll 00000228 0.27639994 base=77d10000, Module USER32.dll 00000229 0.27643150 base=77be0000, Module msvcrt.dll 00000230 0.27646476 base=77180000, Module COMCTL32.dll 00000231 0.27649632 base=7d590000, Module SHELL32.dll 00000232 0.27652845 base=72f70000, Module WINSPOOL.DRV 00000233 0.27656028 base=76300000, Module IMM32.DLL 00000234 0.27659240 base=62c20000, Module LPK.DLL 00000235 0.27662483 base=73fa0000, Module USP10.dll 00000236 0.27665722 base=5adc0000, Module uxtheme.dll 00000237 0.27668852 ************************* 00000238 0.30117488 =========Process 1.EXE 00000239 0.30123717 =========Module \WINDOWS\system32\ole32.dll 00000240 0.30126902 Path**** "D:\1.EXE" 00000241 0.30130059 ------------------------- 00000242 0.30133188 base=1000000, Module 1.EXE 00000243 0.30136344 base=7c920000, Module ntdll.dll 00000244 0.30139500 base=7c800000, Module kernel32.dll 00000245 0.30142742 base=76320000, Module comdlg32.dll 00000246 0.30145982 base=77f40000, Module SHLWAPI.dll 00000247 0.30149221 
base=77da0000, Module ADVAPI32.dll 00000248 0.30152464 base=77e50000, Module RPCRT4.dll 00000249 0.30155677 base=77ef0000, Module GDI32.dll 00000250 0.30158889 base=77d10000, Module USER32.dll 00000251 0.30162072 base=77be0000, Module msvcrt.dll 00000252 0.30167830 base=77180000, Module COMCTL32.dll 00000253 0.30168584 base=7d590000, Module SHELL32.dll 00000254 0.30174199 base=72f70000, Module WINSPOOL.DRV 00000255 0.30177382 base=76300000, Module IMM32.DLL 00000256 0.30180568 base=62c20000, Module LPK.DLL 00000257 0.30183780 base=73fa0000, Module USP10.dll 00000258 0.30187020 base=5adc0000, Module uxtheme.dll 00000259 0.30190262 base=10000000, Module safemon.dll 00000260 0.30193391 ************************* 00000261 0.30264321 =========Process 1.EXE 00000262 0.30267310 =========Module \WINDOWS\system32\oleaut32.dll 00000263 0.30270860 Path**** "D:\1.EXE" 00000264 0.30273819 ------------------------- 00000265 0.30277088 base=1000000, Module 1.EXE 00000266 0.30279937 base=7c920000, Module ntdll.dll 00000267 0.30283347 base=7c800000, Module kernel32.dll 00000268 0.30286559 base=76320000, Module comdlg32.dll 00000269 0.30289772 base=77f40000, Module SHLWAPI.dll 00000270 0.30293012 base=77da0000, Module ADVAPI32.dll 00000271 0.30296254 base=77e50000, Module RPCRT4.dll 00000272 0.30299467 base=77ef0000, Module GDI32.dll 00000273 0.30302650 base=77d10000, Module USER32.dll 00000274 0.30305862 base=77be0000, Module msvcrt.dll 00000275 0.30309075 base=77180000, Module COMCTL32.dll 00000276 0.30315360 base=7d590000, Module SHELL32.dll 00000277 0.30318603 base=72f70000, Module WINSPOOL.DRV 00000278 0.30321732 base=76300000, Module IMM32.DLL 00000279 0.30327764 base=62c20000, Module LPK.DLL 00000280 0.30330643 base=73fa0000, Module USP10.dll 00000281 0.30331340 base=5adc0000, Module uxtheme.dll 00000282 0.30334470 base=10000000, Module safemon.dll 00000283 0.30337933 base=76990000, Module ole32.dll 00000284 0.30341035 ************************* 00000285 0.30976060 
=========Process 1.EXE 00000286 0.30981731 =========Module \WINDOWS\system32\MSCTF.dll 00000287 0.30985001 Path**** "D:\1.EXE" 00000288 0.30988073 ------------------------- 00000289 0.30991313 base=1000000, Module 1.EXE 00000290 0.30995280 base=7c920000, Module ntdll.dll 00000291 0.30998492 base=7c800000, Module kernel32.dll 00000292 0.31001762 base=76320000, Module comdlg32.dll 00000293 0.31004974 base=77f40000, Module SHLWAPI.dll 00000294 0.31008160 base=77da0000, Module ADVAPI32.dll 00000295 0.31011316 base=77e50000, Module RPCRT4.dll 00000296 0.31014612 base=77ef0000, Module GDI32.dll 00000297 0.31017742 base=77d10000, Module USER32.dll 00000298 0.31023383 base=77be0000, Module msvcrt.dll 00000299 0.31026596 base=77180000, Module COMCTL32.dll 00000300 0.31029865 base=7d590000, Module SHELL32.dll 00000301 0.31033108 base=72f70000, Module WINSPOOL.DRV 00000302 0.31036347 base=76300000, Module IMM32.DLL 00000303 0.31039560 base=62c20000, Module LPK.DLL 00000304 0.31042773 base=73fa0000, Module USP10.dll 00000305 0.31045985 base=5adc0000, Module uxtheme.dll 00000306 0.31049198 base=10000000, Module safemon.dll 00000307 0.31052411 base=76990000, Module ole32.dll 00000308 0.31055650 base=770f0000, Module OLEAUT32.dll 00000309 0.31058753 ************************* 00000310 0.31397259 =========Process 1.EXE 00000311 0.31403124 =========Module \WINDOWS\system32\version.dll 00000312 0.31406283 Path**** "D:\1.EXE" 00000313 0.31407091 ------------------------- 00000314 0.31410220 base=1000000, Module 1.EXE 00000315 0.31413406 base=7c920000, Module ntdll.dll 00000316 0.31416619 base=7c800000, Module kernel32.dll 00000317 0.31419858 base=76320000, Module comdlg32.dll 00000318 0.31423101 base=77f40000, Module SHLWAPI.dll 00000319 0.31426340 base=77da0000, Module ADVAPI32.dll 00000320 0.31429553 base=77e50000, Module RPCRT4.dll 00000321 0.31432766 base=77ef0000, Module GDI32.dll 00000322 0.31435952 base=77d10000, Module USER32.dll 00000323 0.31439164 base=77be0000, Module 
msvcrt.dll 00000324 0.31442431 base=77180000, Module COMCTL32.dll 00000325 0.31445616 base=7d590000, Module SHELL32.dll 00000326 0.31448773 base=72f70000, Module WINSPOOL.DRV 00000327 0.31451902 base=76300000, Module IMM32.DLL 00000328 0.31455171 base=62c20000, Module LPK.DLL 00000329 0.31458244 base=73fa0000, Module USP10.dll 00000330 0.31461400 base=5adc0000, Module uxtheme.dll 00000331 0.31464586 base=10000000, Module safemon.dll 00000332 0.31467798 base=76990000, Module ole32.dll 00000333 0.31471011 base=770f0000, Module OLEAUT32.dll 00000334 0.31474251 base=74680000, Module MSCTF.dll 00000335 0.31477380 ************************* 00000336 0.32551929 =========Process 1.EXE 00000337 0.32561010 =========Module \WINDOWS\system32\MSCTFIME.IME 00000338 0.32564279 Path**** "D:\1.EXE" 00000339 0.32567322 ------------------------- 00000340 0.32570508 base=1000000, Module 1.EXE 00000341 0.32573721 base=7c920000, Module ntdll.dll 00000342 0.32576600 base=7c800000, Module kernel32.dll 00000343 0.32579839 base=76320000, Module comdlg32.dll 00000344 0.32583079 base=77f40000, Module SHLWAPI.dll 00000345 0.32586515 base=77da0000, Module ADVAPI32.dll 00000346 0.32589811 base=77e50000, Module RPCRT4.dll 00000347 0.32592940 base=77ef0000, Module GDI32.dll 00000348 0.32596099 base=77d10000, Module USER32.dll 00000349 0.32599282 base=77be0000, Module msvcrt.dll 00000350 0.32602525 base=77180000, Module COMCTL32.dll 00000351 0.32605764 base=7d590000, Module SHELL32.dll 00000352 0.32609004 base=72f70000, Module WINSPOOL.DRV 00000353 0.32612246 base=76300000, Module IMM32.DLL 00000354 0.32615459 base=62c20000, Module LPK.DLL 00000355 0.32618672 base=73fa0000, Module USP10.dll 00000356 0.32621855 base=5adc0000, Module uxtheme.dll 00000357 0.32625067 base=10000000, Module safemon.dll 00000358 0.32628280 base=76990000, Module ole32.dll 00000359 0.32631493 base=770f0000, Module OLEAUT32.dll 00000360 0.32634735 base=74680000, Module MSCTF.dll 00000361 0.32637891 ************************* 
结论：最终发现PEB中的一部分结构和LDR必须等应用程序加载ntdll.dll模块后才能填充完毕，之后才能从PEB中获取全路径。微软就不能在一开始就填充？PsSetLoadImageNotifyRoutine才是关键55555555555。获取全路径、判断是不是新进程，就靠前面2个结构是否填充来判断。废话不说哦~~结帖~~~~~~
9楼#
发布于:2007-09-11 13:04
911的日子里发帖结贴~