GetModuleHandle

本文介绍了一种在64位环境下读取进程基本信息的方法,包括使用NtWow64QueryInformationProcess64获取进程退出状态、PEB基地址等信息,以及通过NtWow64ReadVirtualMemory64读取虚拟内存,最终实现跨进程获取模块句柄的功能。



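/*
 * 64-bit PROCESS_BASIC_INFORMATION as NtWow64QueryInformationProcess64
 * (class 0, ProcessBasicInformation) returns it to a 32-bit caller.
 * Pointer-sized members are widened to UINT64 so the 32-bit side sees the
 * 64-bit layout; the Reserved fields hold the alignment padding explicitly.
 * Packed at 8 so the total is 48 bytes — the length GetModuleHandle64
 * passes for it.
 *
 * push/pop restores whatever packing the including file had in effect;
 * a bare "#pragma pack()" would reset it to the compiler default instead.
 */
#pragma pack(push, 8)
typedef struct _PROCESS_BASIC_INFORMATION64 {
	NTSTATUS ExitStatus;                 /* process exit status */
	UINT32 Reserved0;                    /* alignment padding */
	UINT64 PebBaseAddress;               /* 64-bit address of the target's PEB */
	UINT64 AffinityMask;
	UINT32 BasePriority;
	UINT32 Reserved1;                    /* alignment padding */
	UINT64 UniqueProcessId;
	UINT64 InheritedFromUniqueProcessId; /* parent process id recorded at creation */
} PROCESS_BASIC_INFORMATION64;
#pragma pack(pop)

/*
 * NtWow64QueryInformationProcess64 (ntdll, available to WOW64 processes):
 * the 64-bit-layout counterpart of NtQueryInformationProcess.
 * Returns an NTSTATUS: 0 (STATUS_SUCCESS) or another non-negative value on
 * success, a negative value on failure — test with NT_SUCCESS(), not "== 0".
 * ReturnLength is optional and may be NULL.
 */
typedef
NTSTATUS(WINAPI *pfnNtWow64QueryInformationProcess64)
(HANDLE ProcessHandle, UINT32 ProcessInformationClass,
	PVOID ProcessInformation, UINT32 ProcessInformationLength,
	UINT32* ReturnLength);

/*
 * NtWow64ReadVirtualMemory64 (ntdll, available to WOW64 processes): copies
 * BufferLength bytes from the 64-bit address BaseAddress in ProcessHandle
 * into the caller's BufferData. Same NTSTATUS convention as above; the
 * status must be checked before BufferData is used.
 */
typedef
NTSTATUS(WINAPI *pfnNtWow64ReadVirtualMemory64)
(HANDLE ProcessHandle, PVOID64 BaseAddress,
	PVOID BufferData, UINT64 BufferLength,
	PUINT64 ReturnLength);

/*
 * NOTE(review): "NtWow64ReadVirtualMemory64_Bin" is not an ntdll export
 * known to the reviewer — confirm it exists in the target ntdll before
 * relying on it. If GetProcAddress cannot resolve it, the pointer is NULL
 * and calling through it is undefined behaviour. The typedef is kept only
 * because GetModuleHandle64 below references it.
 */
typedef
NTSTATUS(WINAPI *pfnNtWow64ReadVirtualMemory64_Bin)
(HANDLE ProcessHandle, PVOID BufferData,
	LPCTSTR ModuleName, UINT64 BufferLength,
	PUINT64 ReturnLength);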
/*
 * GetModuleHandle64 - look up a module's 64-bit base address in another process.
 *
 * As written: from a 32-bit caller, query the target's
 * PROCESS_BASIC_INFORMATION64 through NtWow64QueryInformationProcess64, then
 * follow PEB -> loader data -> loader list with NtWow64ReadVirtualMemory64
 * using hard-coded offsets.
 *
 * processHandle: handle to the target process; it must carry rights sufficient
 *                for process-information queries and memory reads (not checked
 *                here — a handle without them fails inside the Nt calls).
 * ModuleName:    name of the module to find. NOTE(review): the body never
 *                compares a loader entry's name against it (see the loop).
 * Returns:       the 8-byte value read from the loader entry, or 0.
 *
 * Review notes — the function as published is not reliable:
 *  - none of the GetProcAddress results (nor the ntdll handle) is NULL-checked
 *    before being called through;
 *  - "NtWow64ReadVirtualMemory64_Bin" is not an ntdll export known to the
 *    reviewer; if GetProcAddress returns NULL, the last call in the loop
 *    dereferences a null function pointer (confirm against the target ntdll);
 *  - the status check after the query is inverted (STATUS_SUCCESS is 0);
 *  - no NTSTATUS from the memory reads is checked, so ldr, ModuleHandle and
 *    pName may be used uninitialized after a failed read;
 *  - sizeof(ModuleName) is the size of a pointer, not of the string;
 *  - ldr is never advanced inside the loop, so it cannot walk the list.
 */
long long GetModuleHandle64(HANDLE processHandle,LPCTSTR ModuleName)
{
	PROCESS_BASIC_INFORMATION64 pbi64;   /* filled by the query below; unread on failure */
	int ret;                             /* receives an NTSTATUS (a signed 32-bit code) */
	long long ldr;                       /* 64-bit remote pointer, read in 8-byte chunks */
	long long ModuleHandle;              /* 64-bit value read at ldr+48 */
	long long pName;                     /* 64-bit value read at ldr+96 */
	/* ntdll of the calling process; result is not NULL-checked */
	HMODULE NtdllModule = GetModuleHandle(L"ntdll.dll");
	pfnNtWow64QueryInformationProcess64 NtWow64QueryInformationProcess64 = (pfnNtWow64QueryInformationProcess64)GetProcAddress(NtdllModule, "NtWow64QueryInformationProcess64");
	pfnNtWow64ReadVirtualMemory64 NtWow64ReadVirtualMemory64 = (pfnNtWow64ReadVirtualMemory64)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64");
	/* NOTE(review): not a known ntdll export — expected to resolve to NULL; see header */
	pfnNtWow64ReadVirtualMemory64_Bin NtWow64ReadVirtualMemory64_Bin = (pfnNtWow64ReadVirtualMemory64_Bin)GetProcAddress(NtdllModule, "NtWow64ReadVirtualMemory64_Bin");
	/* class 0 = ProcessBasicInformation; 48 is sizeof pbi64 under pack(8); ReturnLength omitted */
	ret = NtWow64QueryInformationProcess64(processHandle, 0, &pbi64, 48, 0);
	/* BUG: NTSTATUS 0 is STATUS_SUCCESS, so this returns on success and
	 * falls through on failure with pbi64 still uninitialized. The intended
	 * test is !NT_SUCCESS(ret), i.e. ret < 0. */
	if (ret == 0)
	{
		return 0;
	}
	/* 8 bytes at PEB+24 — presumably the PEB's loader-data pointer; the
	 * offset is hard-coded and the read status is ignored. Verify against
	 * the target's 64-bit PEB layout. */
	NtWow64ReadVirtualMemory64(processHandle, (PVOID64)(pbi64.PebBaseAddress + 24), &ldr, 8, 0);
	/* 8 bytes at ldr+24 — a list pointer inside the loader data; which list
	 * is not evident from the code. Status ignored again. */
	NtWow64ReadVirtualMemory64(processHandle, (PVOID64)(ldr + 24), &ldr, 8, 0);
	do
	{
		/* 8 bytes at entry+48 — presumably the entry's DllBase; status ignored */
		NtWow64ReadVirtualMemory64(processHandle, (PVOID64)(ldr + 48), &ModuleHandle, 8, 0);
		/* Breaks on the first entry with a non-zero value — ModuleName has
		 * not been consulted at this point, so this is not a name lookup. */
		if (ModuleHandle != 0)
		{
			break;
		}
		/* 8 bytes at entry+96 — presumably a name-buffer pointer; status ignored */
		NtWow64ReadVirtualMemory64(processHandle, (PVOID64)(ldr + 96), &pName, 8, 0);
		/* Passes &pName (a local) rather than the remote buffer, and
		 * sizeof(ModuleName) is the size of a pointer. ldr is not advanced
		 * here, so a zero ModuleHandle re-reads the same entry forever. */
		NtWow64ReadVirtualMemory64_Bin(processHandle, &pName, ModuleName, sizeof(ModuleName), 0);

	} while (ModuleHandle != 0); /* only reached with ModuleHandle == 0; the break covers the other case */
	return ModuleHandle;
}

 
