Windows内核驱动程序:是否执行"HANDLE UniqueThread"?在"CLIENT_ID CreationThreadId"中；加载过程中是否相同? [英] Windows Kernel Driver: Does the "HANDLE UniqueThread" in "CLIENT_ID CreatingThreadId" is the same during the process loading?

问题描述

我正在尝试编写APC dll注入驱动程序，发现代码中，作者使用 PsLookupThreadByThreadId 接收指向目标进程的ETHREAD结构的引用指针.

PsLookupThreadByThreadId(pSpi->Threads[0].ClientId.UniqueThread,&Thread)

但要获取 UniqueThread 句柄，他使用了 PS_CREATE_NOTIFY_INFO 在针对我要定位的进程调用回调时得到.

在加载ntdll之后，我要感谢 PloadImageNotifyRoutine 回调，但不要使用 UniqueThread 我来自 PS_CREATE_NOTIFY_INFO 在所有加载过程中都相同吗?

解决方案

我要使用PsSetCreateProcessNotifyRoutineEx并保存 我从PS_CREATE_NOTIFY_INFO中得到的UniqueThread 我针对的过程称为回调.

来自PS_CREATE_NOTIFY_INFO

的

关于CreatingThreadId

该进程和线程的进程ID和线程ID 创建新流程

此ID不适用于新创建的进程/线程，而适用于创建者.如果要在PloadImageNotifyRoutine回调中注入self dll，则PcreateProcessNotifyRoutineEx对您无用.

将图像映射到目标进程时调用的PloadImageNotifyRoutine-在 KeGetCurrentThread() -您完全不需要 PsLookupThreadByThreadId

我想在加载ntdll后立即加载我的dll

目前，任何正在处理的用户模式结构尚未初始化.因为它是由ntdll初始化的.结果-如果您此时注入apc并强制执行它-您将导致进程崩溃.仅此而已

我可以建议您在加载 kernel32.dll 后注入您的dll.在这里，您需要检查它是否作为dll加载，而不仅仅是图像映射-检查线程teb中的ArbitraryUserPointer-它指向L"*\\kernel32.dll": smss.exe 映射 kernel32.dll 在创建\\KnownDlls(在本例中为ArbitraryUserPointer == 0)期间，wow64使用L"WOW64_IMAGE_SECTION"或L"NOT_AN_IMAGE"名称在ArbitraryUserPointer

I'm trying to write an APC dll injection driver, I've found this example and thought to modify it to my needs.

After I understood the code, this is how I thought to modify it (and my question come from there).

In the code, the writer used PsLookupThreadByThreadId to receive a referenced pointer to the ETHREAD structure of the targeted process.

PsLookupThreadByThreadId(pSpi->Threads[0].ClientId.UniqueThread,&Thread)

but to get the SYSTEM_THREAD_INFORMATION for the UniqueThread handle, he used ZwQuerySystemInformation

I want to load my dll right after ntdll is loaded, so I want to use PsSetCreateProcessNotifyRoutineEx and save the UniqueThread from the PS_CREATE_NOTIFY_INFO I got when the callback is called for the process I'm targeting.

And after ntdll is loaded, which I'll know thanks to PsSetLoadImageNotifyRoutineEx I could inject my dll using his APC injection logic.

my goal is to inject my dll in the PloadImageNotifyRoutine callback, but don't use ZwQuerySystemInformation as he does to get the UniqueThread, but save it in the PcreateProcessNotifyRoutineEx callback.

So, my question is: Can I trust the UniqueThread I get from PS_CREATE_NOTIFY_INFO is the same during all the process loading time?

解决方案

I want to use PsSetCreateProcessNotifyRoutineEx and save the UniqueThread from the PS_CREATE_NOTIFY_INFO I got when the callback is called for the process I'm targeting.

about CreatingThreadId from PS_CREATE_NOTIFY_INFO

The process ID and thread ID of the process and thread that created the new process

this id not for new created process/thread, but for creator. if you want inject self dll in the PloadImageNotifyRoutine callback - the PcreateProcessNotifyRoutineEx is useless for you.

the PloadImageNotifyRoutine called when image is mapped to target process - inside ZwMapViewOfSection . you need check that ProcessId (second parameter of PcreateProcessNotifyRoutineEx - The process ID of the process where image is loaded) is equal to PsGetCurrentProcessId(). this mean that image loaded to the current process and you can use KeGetCurrentThread() - you not need PsLookupThreadByThreadId at all

I want to load my dll right after ntdll is loaded

at this moment any user mode structures in process yet not initialized. because it initialized by ntdll. as result - if you inject your apc and force execute it at this moment - you got crash of process. nothing more

i can advice you inject your dll when kernel32.dll is loaded. and here you need check that this is load as dll, not simply image mapping - check ArbitraryUserPointer in thread teb - are it point to L"*\\kernel32.dll": smss.exe map kernel32.dll during create \\KnownDlls (ArbitraryUserPointer == 0 in this case), wow64 process several time map kernel32.dll (32 and 64 bit) with L"WOW64_IMAGE_SECTION" or L"NOT_AN_IMAGE" names in ArbitraryUserPointer

这篇关于Windows内核驱动程序:是否执行"HANDLE UniqueThread"?在"CLIENT_ID CreationThreadId"中；加载过程中是否相同?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！