CreateProcessEx创建进程 

NTSYSCALLAPI
NTSTATUS
NTAPI
NtCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
    IN HANDLE ParentProcess,
    IN BOOLEAN InheritObjectTable,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL
);

  

在这些参数里面,SectionHandle代表了可执行文件,因为对于System进程来说,不存在可执行文件,所以这里是optional,但是对于其他进程来说是必需的。

通过ObReferenceObjectByHandle来获取到SECTION_OBJECT的引用

//
// Section Object
//
typedef struct _SECTION_OBJECT
{
    PVOID StartingVa;
    PVOID EndingVa;
    PVOID LeftChild;
    PVOID RightChild;
    PSEGMENT_OBJECT Segment;
} SECTION_OBJECT, *PSECTION_OBJECT;

  

这里很奇怪,明明第5个成员类型是PSEGMENT_OBJECT,

//
// Segment Object
//
typedef struct _SEGMENT_OBJECT
{
    PVOID BaseAddress;
    ULONG TotalNumberOfPtes;
    LARGE_INTEGER SizeOfSegment;
    ULONG NonExtendedPtes;
    ULONG ImageCommitment;
    PCONTROL_AREA ControlArea;
    PSUBSECTION Subsection;
    PLARGE_CONTROL_AREA LargeControlArea;
    PMMSECTION_FLAGS MmSectionFlags;
    PMMSUBSECTION_FLAGS MmSubSectionFlags;
} SEGMENT_OBJECT, *PSEGMENT_OBJECT;

  

但是实际上却是

typedef struct _SEGMENT
{
    struct _CONTROL_AREA *ControlArea;
    ULONG TotalNumberOfPtes;
    ULONG NonExtendedPtes;
    ULONG Spare0;
    ULONGLONG SizeOfSegment;
    MMPTE SegmentPteTemplate;
    ULONG NumberOfCommittedPages;
    PMMEXTEND_INFO ExtendInfo;
    SEGMENT_FLAGS SegmentFlags;
    PVOID BasedAddress;
    union
    {
        SIZE_T ImageCommitment;
        PEPROCESS CreatingProcess;
    } u1;
    union
    {
        PSECTION_IMAGE_INFORMATION ImageInformation;
        PVOID FirstMappedVa;
    } u2;
    PMMPTE PrototypePte;
    MMPTE ThePtes[1];
} SEGMENT, *PSEGMENT;

  

//
// Control Area Structures
//
typedef struct _CONTROL_AREA
{
    PSEGMENT Segment;
    LIST_ENTRY DereferenceList;
    ULONG NumberOfSectionReferences;
    ULONG NumberOfPfnReferences;
    ULONG NumberOfMappedViews;
    ULONG NumberOfSystemCacheViews;
    ULONG NumberOfUserReferences;
    union
    {
        ULONG LongFlags;
        MMSECTION_FLAGS Flags;
    } u;
    PFILE_OBJECT FilePointer;
    PEVENT_COUNTER WaitingForDeletion;
    USHORT ModifiedWriteCount;
    USHORT FlushInProgressCount;
    ULONG WritableUserReferences;
    ULONG QuadwordPad;
} CONTROL_AREA, *PCONTROL_AREA;

  

最终我们终于找到了

PFILE_OBJECT FilePointer;

即SectionHandle是对应于哪个文件。
posted @ 2014-08-26 14:50  Daniel King  阅读(968)  评论(0编辑  收藏  举报