Windows Kernel Driver: Is the "HANDLE UniqueThread" in "CLIENT_ID CreatingThreadId" the same during process loading?
I'm trying to write an APC dll injection driver, I've found this example and thought to modify it to my needs.
After I understood the code, this is how I thought to modify it (and my question come from there).
In the code, the writer used PsLookupThreadByThreadId to receive a referenced pointer to the ETHREAD structure of the targeted process.
PsLookupThreadByThreadId(pSpi->Threads[0].ClientId.UniqueThread,&Thread)
but to get the SYSTEM_THREAD_INFORMATION for the UniqueThread handle, he used ZwQuerySystemInformation
I want to load my dll right after ntdll is loaded, so I want to use PsSetCreateProcessNotifyRoutineEx and save the UniqueThread from the PS_CREATE_NOTIFY_INFO I got when the callback is called for the process I'm targeting.
And after ntdll is loaded, which I'll know thanks to PsSetLoadImageNotifyRoutineEx I could inject my dll using his APC injection logic.
My goal is to inject my dll in the PloadImageNotifyRoutine callback, but not use ZwQuerySystemInformation as he does to get the UniqueThread, but rather save it in the PcreateProcessNotifyRoutineEx callback.
So, my question is: Can I trust the UniqueThread I get from PS_CREATE_NOTIFY_INFO is the same during all the process loading time?
I want to use PsSetCreateProcessNotifyRoutineEx and save the UniqueThread from the PS_CREATE_NOTIFY_INFO I got when the callback is called for the process I'm targeting.
About CreatingThreadId from PS_CREATE_NOTIFY_INFO:
The process ID and thread ID of the process and thread that created the new process
This ID is not for the newly created process/thread, but for the creator. If you want to inject your DLL in the PloadImageNotifyRoutine callback, PcreateProcessNotifyRoutineEx is useless for you.
The PloadImageNotifyRoutine is called when an image is mapped into the target process, inside ZwMapViewOfSection. You need to check that ProcessId (the second parameter of PcreateProcessNotifyRoutineEx, the process ID of the process where the image is loaded) is equal to PsGetCurrentProcessId(). This means the image is loaded into the current process and you can use KeGetCurrentThread(); you don't need PsLookupThreadByThreadId at all.
I want to load my dll right after ntdll is loaded
At this moment no user-mode structures in the process are initialized yet, because they are initialized by ntdll. As a result, if you inject your APC and force it to execute at this moment, you get a crash of the process. Nothing more.
I can advise you to inject your DLL when kernel32.dll is loaded. And here you need to check that this is a load as a DLL, not simply an image mapping: check ArbitraryUserPointer in the thread's TEB, whether it points to L"*\\kernel32.dll". smss.exe maps kernel32.dll during creation of \\KnownDlls (ArbitraryUserPointer == 0 in this case), and a wow64 process maps kernel32.dll several times (32- and 64-bit) with the L"WOW64_IMAGE_SECTION" or L"NOT_AN_IMAGE" names in ArbitraryUserPointer.
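The checks the answer describes, written out as an added example (this is not code from the question, the linked project, or the answer's author): a single host-testable decision function that encodes "same process as PsGetCurrentProcessId(), image is kernel32.dll, and TEB->NtTib.ArbitraryUserPointer holds a *\kernel32.dll path rather than NULL (smss.exe populating \KnownDlls) or one of the WOW64 section names", plus the kernel-side glue that obtains those inputs. The helper and enum names, the 260-WCHAR copy buffers and the BUILD_AS_DRIVER macro guarding the WDK part are my assumptions; the CRT is avoided so the decision logic compiles and runs with an ordinary C compiler as well as in a kernel-mode project.

```c
/* Added example, not from the original post. Encodes the answer's rule for a
 * safe APC injection point: only a genuine LdrLoadDll of kernel32.dll into the
 * current process, identified through TEB->NtTib.ArbitraryUserPointer.
 * Assumed names: inject_decision, decide_injection, BUILD_AS_DRIVER. */
#include <stddef.h>
#include <stdint.h>

typedef enum {
    INJECT_SKIP_OTHER_PROCESS,  /* callback is not running in the target process */
    INJECT_SKIP_NOT_KERNEL32,   /* some other image (ntdll.dll is still too early) */
    INJECT_SKIP_KNOWNDLLS_MAP,  /* smss.exe creating \KnownDlls: pointer is NULL */
    INJECT_SKIP_WOW64_MAP,      /* wow64 plain section mapping, not a DLL load */
    INJECT_SKIP_UNRECOGNISED,   /* pointer set, but not a *\kernel32.dll path */
    INJECT_NOW                  /* real DLL load of kernel32.dll: safe to queue the APC */
} inject_decision;

static size_t wlen(const wchar_t *s)
{
    size_t n = 0;
    while (s[n] != L'\0') n++;
    return n;
}

static wchar_t lower_ascii(wchar_t c)
{
    return (c >= L'A' && c <= L'Z') ? (wchar_t)(c - L'A' + L'a') : c;
}

/* ASCII case-insensitive "s ends with suffix" for NUL-terminated wide strings. */
static int ends_with_nocase(const wchar_t *s, const wchar_t *suffix)
{
    size_t n = wlen(s), m = wlen(suffix);
    if (n < m) return 0;
    for (size_t i = 0; i < m; i++)
        if (lower_ascii(s[n - m + i]) != lower_ascii(suffix[i])) return 0;
    return 1;
}

static int equals_nocase(const wchar_t *a, const wchar_t *b)
{
    return wlen(a) == wlen(b) && ends_with_nocase(a, b);
}

/* image_path    - NUL-terminated copy of the callback's FullImageName
 * image_pid     - the callback's ProcessId parameter
 * current_pid   - PsGetCurrentProcessId() at callback time
 * arbitrary_ptr - NUL-terminated copy of the string ArbitraryUserPointer points
 *                 at, or NULL when the pointer itself was NULL */
inject_decision decide_injection(const wchar_t *image_path,
                                 uintptr_t image_pid, uintptr_t current_pid,
                                 const wchar_t *arbitrary_ptr)
{
    if (image_pid != current_pid)
        return INJECT_SKIP_OTHER_PROCESS;
    if (!ends_with_nocase(image_path, L"\\kernel32.dll"))
        return INJECT_SKIP_NOT_KERNEL32;
    if (arbitrary_ptr == NULL)
        return INJECT_SKIP_KNOWNDLLS_MAP;
    if (equals_nocase(arbitrary_ptr, L"WOW64_IMAGE_SECTION") ||
        equals_nocase(arbitrary_ptr, L"NOT_AN_IMAGE"))
        return INJECT_SKIP_WOW64_MAP;
    if (!ends_with_nocase(arbitrary_ptr, L"\\kernel32.dll"))
        return INJECT_SKIP_UNRECOGNISED;
    return INJECT_NOW;
}

#ifdef BUILD_AS_DRIVER   /* WDK glue; not compiled by a host compiler */
#include <ntddk.h>

/* PLOAD_IMAGE_NOTIFY_ROUTINE for PsSetLoadImageNotifyRoutine. It runs on the
 * loading thread, so its TEB is addressable, but we only touch user memory
 * when the image really belongs to this process, and only under __try. */
static VOID LoadImageNotify(PUNICODE_STRING FullImageName, HANDLE ProcessId, PIMAGE_INFO ImageInfo)
{
    wchar_t path[260] = { 0 }, tag[260] = { 0 };
    const wchar_t *tagp = NULL;
    USHORT bytes;
    UNREFERENCED_PARAMETER(ImageInfo);

    if (FullImageName == NULL || ProcessId != PsGetCurrentProcessId())
        return;   /* cross-process mapping: the TEB here is the mapper's, not the target's */
    bytes = FullImageName->Length;
    if (bytes > sizeof(path) - sizeof(wchar_t)) bytes = sizeof(path) - sizeof(wchar_t);
    RtlCopyMemory(path, FullImageName->Buffer, bytes);

    __try {
        PNT_TIB tib = (PNT_TIB)PsGetCurrentThreadTeb();   /* NULL for system threads */
        if (tib == NULL) return;
        ProbeForRead(tib, sizeof(*tib), sizeof(PVOID));
        const wchar_t *p = (const wchar_t *)tib->ArbitraryUserPointer;
        if (p != NULL) {
            for (size_t i = 0; i + 1 < RTL_NUMBER_OF(tag); i++) {
                ProbeForRead((PVOID)(p + i), sizeof(wchar_t), sizeof(wchar_t));
                if ((tag[i] = p[i]) == L'\0') break;
            }
            tagp = tag;
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return;
    }

    if (decide_injection(path, (uintptr_t)ProcessId,
                         (uintptr_t)PsGetCurrentProcessId(), tagp) == INJECT_NOW) {
        /* KeGetCurrentThread() is the loading thread: queue the user-mode APC
         * here with the poster's existing APC logic. */
    }
}
#endif
```

The decision function is where the answer's reasoning lives, so it is the part worth unit-testing on a host with constructed inputs (a System32 path with a matching ArbitraryUserPointer, a NULL pointer, the two WOW64 names, an ntdll.dll load, a foreign ProcessId). The kernel glue copies both user-mode strings into kernel buffers before deciding anything, because ArbitraryUserPointer is writable by user mode and must not be trusted as a stable or even mapped address.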