如何从外部进程获取进程环境块 (PEB)? [英] How to get the Process Environment Block (PEB) from extern process?

问题描述

我想从notepad.exe"中获取 PEB过程.有人知道怎么做吗?

I want to get the PEB from the "notepad.exe" process. Does someone know how to do it?

我尝试了 GetModuleHandle API，但它没有返回有效的指针(每次都返回零)，因为我必须是该模块的调用者进程.

I tried the GetModuleHandle API, but it doesn't return a valid pointer (it return zero every time) because I have to be the caller process of that module.

出于这个原因，我想知道如何让它与 EnumProcessModules 或 CreateToolhelp32Snapshot 一起工作.

For that reason, I want to know how to get it to work with EnumProcessModules or CreateToolhelp32Snapshot.

推荐答案

Matt Pietrek 在 1994 Under the Hood 列.这是关于如何获取另一个进程的环境变量，其中第一步是获取指向PEB的指针.为此，他说，请调用 NtQueryInformationProcess.它填充的 PROCESS_BASIC_INFORMATION 结构包含 PEB 结构的基地址.(您需要使用 ReadProcessMemory 来读取它，因为地址将在外部进程的地址空间的上下文中，而不是您的.)

Matt Pietrek described how to do that in a 1994 Under the Hood column. It was about how to get the environment variables of another process, where the first step is to get a pointer to the PEB. To do that, he says, call NtQueryInformationProcess. The PROCESS_BASIC_INFORMATION structure it fills contains the base address of the PEB structure. (You'll need to use ReadProcessMemory to read it since the address will be in the context of the external process's address space, not yours.)

要调用NtQueryInformationProcess，您需要一个进程句柄.如果您自己启动了流程(通过调用 CreateProcess)，那么您已经拥有了一个句柄.否则，您需要找到进程 ID，然后调用 OpenProcess.要获取进程 ID，请使用 EnumProcesses 或 Process32First/Process32Next 搜索所需的进程.(我更喜欢后者，因为它以更少的工作提供更多的信息.)

To call NtQueryInformationProcess, you'll need a handle to the process. If you started the process yourself (by calling CreateProcess), then you already have a handle. Otherwise, you'll need to find the process ID and then call OpenProcess. To get the process ID, search for the process you want with EnumProcesses or Process32First/Process32Next. (I prefer the latter because it provides more information with less work.)

这篇关于如何从外部进程获取进程环境块 (PEB)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！