如何访问Windows 7进程的.text段代码页 [英] How to access .text section code pages of a windows 7 process
问题描述
我是程序员,是Windows系统开发的新手。我想访问Windows 7及更高版本上正在运行的进程的.text部分(即代码)。基本上,我这样做是为了自学练习。我可以检查PE文件,并打印出代码反汇编。我现在想要对加载过程中的代码部分进行动态检查,迭代代码页并打印代码(或执行校验和等),而不是静态检查。如果需要,我也愿意写一个驱动程序模块。
我简单地用谷歌搜索并找到了ZwQueryInformationProcess,ReadProcessMemory,VirtualQueryEx等功能。另外,我有一个快速浏览EPROCESS结构及其成员。请建议解决此问题的最佳方法。我知道EPROCESS结构因Windows版本而异,我现在愿意使用一个特定的版本。
我也想知道当我们阅读代码页时会发生什么那些被换成磁盘。上述检查功能和结构是否会在内部生成页面错误并在物理内存中获取页面进行读取?
谢谢。
我尝试过:
尝试查看使用ZwQueryInformationProcess,ReadProcessMemory,VirtualQueryEx等的代码示例。和一些EPROCESS结构细节。
Hi,
I am a programmer, new to Windows systems development. I want to access the .text section (i.e. the code) of a running process on Windows 7 and above. Basically, I am doing this as a self-study exercise. I can inspect a PE file, and print-out the code disassembly. Instead of static inspection, I now want to perform dynamic inspection of the code section in the loaded process, iterate over the code pages and print the code (or do a checksum, etc.). I am also open to writing a driver module if need be.
I briefly googled and found functions such as ZwQueryInformationProcess, ReadProcessMemory, VirtualQueryEx, etc. Also, I had a quick look at the EPROCESS structure and its members. Please suggest the best way to approach this problem. I know that EPROCESS structure varies between Windows versions and am willing to live with one particular version for now.
I am also wondering what would happen when we read the code pages that are swapped out to the disk. Will the above inspection functions and structures generate a page fault internally and fetch the page in the physical memory for reading?
Thanks.
What I have tried:
Tried looking at code examples that use ZwQueryInformationProcess, ReadProcessMemory, VirtualQueryEx, etc. and some EPROCESS structure details.
推荐答案
ReadProcessMemory一次读取所有请求的数据。因此,请立即读取您想要的所有内容,并在每次调用后执行一些错误检查以检测问题。我想你的进程需要管理员权限。
提示:使用一些单独的代码处理每个版本的结构。您可以在Google上找到的代码示例。
ReadProcessMemory reads all requested data at once. So read all you want at once and do some error checking after each call to detect problems. I guess that you will need admin privileges for your process.
Tip: handle every version of the structures with some seperate code. Code examples you will find with Google.
这篇关于如何访问Windows 7进程的.text段代码页的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
