Get Current NT Header Data of running Process with C/C++


Problem description

This is my first post and I am stuck here. I am currently working on my project and I have a problem: I am getting the base address of my own module and reading the process memory to get the IMAGE_DOS_HEADER at runtime, then I continue by adding e_lfanew from the IMAGE_DOS_HEADER struct to the BaseAddress to get the IMAGE_NT_HEADERS. Finally, I check whether the NT Signature is valid, and it seems to be. So reading the PE of my own process worked, I guess... I am trying to read TimeDateStamp and this always returns 0, and I don't know why. Here is my code:

#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>
#include <stdbool.h>

bool ReadOwnNtHeader(void)
{
    IMAGE_DOS_HEADER pDos = {0};
    IMAGE_NT_HEADERS pNT  = {0};
    void *BaseAddress = NULL;

    // create module snapshot
    MODULEENTRY32 ME32;
    HANDLE hModule = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() );
    if( hModule == INVALID_HANDLE_VALUE )
        return false;
    ME32.dwSize = sizeof( ME32 );

    if( Module32First( hModule, &ME32 ) )
    {
        // get base address of my module (the first entry is the main executable)
        BaseAddress = ME32.modBaseAddr;
    }

    CloseHandle(hModule);
    if( BaseAddress == NULL )
        return false;

    // read BaseAddress and set the IMAGE_DOS_HEADER struct
    if( !ReadProcessMemory( GetCurrentProcess(), BaseAddress, &pDos, sizeof( IMAGE_DOS_HEADER ), 0 ) )
        return false;

    // e_magic is correct here, I skipped this

    // BaseAddress + e_lfanew points to the NT Header struct, I read it here
    // (byte-pointer arithmetic rather than a cast to unsigned long, which truncates 64-bit addresses)
    if( !ReadProcessMemory( GetCurrentProcess(), (BYTE*)BaseAddress + pDos.e_lfanew, &pNT, sizeof(PIMAGE_NT_HEADERS), 0) )
        return false;

    if( pNT.Signature == IMAGE_NT_SIGNATURE ) // this condition returns TRUE
    {
        printf("NT Header Signature is valid\n");
        printf("Timestamp: %lu\n", (unsigned long)pNT.FileHeader.TimeDateStamp);
        // TimeDateStamp returns me 0 - why ?
    }
    return true;
}

I am not sure if I forgot something; it would be nice if someone could give me a hint.

Thanks in advance

PS: I am sorry for the bad formatting, this is my first post :P

Solution

There is a bug, not sure how you missed it:

sizeof(PIMAGE_NT_HEADERS)

should be

sizeof(IMAGE_NT_HEADERS).
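The answer's point can be reproduced without Windows: sizeof(PIMAGE_NT_HEADERS) is the size of a pointer (4 or 8 bytes), which covers the 4-byte Signature at the start of the NT headers but never reaches TimeDateStamp at offset 8, so the zero-initialised struct keeps its 0 there while the signature check still passes. The following is an added example, not code from the question or the answer. It uses hypothetical portable stand-ins (pe_dos_header_t, pe_file_header_t, pe_nt_headers_t, read_memory) for the Win32 IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_NT_HEADERS and ReadProcessMemory, omits the optional header, walks a constructed in-memory image, and assumes a little-endian host like the x86/x64 targets in the question. It also adds the bounds checks on e_lfanew and on every read that the posted code leaves out, since an untrusted or corrupt header would otherwise drive a read past the mapped image.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical portable stand-ins for the Win32 IMAGE_DOS_HEADER / IMAGE_NT_HEADERS
   layouts: same field offsets, optional header omitted. */
typedef struct {
    uint16_t e_magic;          /* "MZ" == 0x5A4D */
    uint8_t  e_reserved[58];   /* e_cblp .. e_res2, not needed here */
    int32_t  e_lfanew;         /* offset 0x3C: offset of the NT headers */
} pe_dos_header_t;

typedef struct {
    uint16_t Machine;
    uint16_t NumberOfSections;
    uint32_t TimeDateStamp;    /* offset 8 from the start of the NT headers */
    uint32_t PointerToSymbolTable;
    uint32_t NumberOfSymbols;
    uint16_t SizeOfOptionalHeader;
    uint16_t Characteristics;
} pe_file_header_t;

typedef struct {
    uint32_t Signature;        /* "PE\0\0" == 0x00004550 */
    pe_file_header_t FileHeader;
} pe_nt_headers_t;

#define PE_DOS_SIGNATURE 0x5A4Du
#define PE_NT_SIGNATURE  0x00004550u
#define DEMO_TIMESTAMP   0x5F3E2A10u   /* constructed sample value */
#define DEMO_NT_OFFSET   0x80
#define DEMO_IMAGE_SIZE  (DEMO_NT_OFFSET + sizeof(pe_nt_headers_t))

static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)v); put_u16(p + 2, (uint16_t)(v >> 16)); }

/* Constructed image: just enough of a PE to carry a DOS header and NT headers. */
static void build_demo_image(uint8_t *img) {
    memset(img, 0, DEMO_IMAGE_SIZE);
    put_u16(img + 0x00, PE_DOS_SIGNATURE);
    put_u32(img + 0x3C, DEMO_NT_OFFSET);                 /* e_lfanew */
    put_u32(img + DEMO_NT_OFFSET + 0, PE_NT_SIGNATURE);
    put_u16(img + DEMO_NT_OFFSET + 4, 0x8664);           /* Machine: x64 */
    put_u16(img + DEMO_NT_OFFSET + 6, 3);                /* NumberOfSections */
    put_u32(img + DEMO_NT_OFFSET + 8, DEMO_TIMESTAMP);   /* TimeDateStamp */
}

/* Stand-in for ReadProcessMemory: copies n bytes at base+offset and refuses
   any range that falls outside the buffer instead of reading past it. */
static bool read_memory(const uint8_t *base, size_t base_len, size_t offset, void *dst, size_t n) {
    if (offset > base_len || n > base_len - offset) return false;
    memcpy(dst, base + offset, n);
    return true;
}

/* DOS header -> e_lfanew -> NT headers, reading nt_read_size bytes of the NT
   headers exactly as the question's code does. Returns 0 on success. */
int read_timestamp(const uint8_t *image, size_t image_len, size_t nt_read_size, uint32_t *timestamp_out) {
    pe_dos_header_t dos = {0};
    pe_nt_headers_t nt = {0};   /* zero-initialised: any field not read stays 0 */

    if (!read_memory(image, image_len, 0, &dos, sizeof dos)) return -1;
    if (dos.e_magic != PE_DOS_SIGNATURE) return -2;
    if (dos.e_lfanew < 0 || (size_t)dos.e_lfanew > image_len) return -3;
    if (nt_read_size > sizeof nt) return -4;
    if (!read_memory(image, image_len, (size_t)dos.e_lfanew, &nt, nt_read_size)) return -5;
    if (nt.Signature != PE_NT_SIGNATURE) return -6;   /* passes even after a 4-byte read */
    *timestamp_out = nt.FileHeader.TimeDateStamp;
    return 0;
}

/* Runs the walk over the constructed image with a caller-chosen read size. */
int demo(size_t nt_read_size, uint32_t *timestamp_out) {
    uint8_t img[DEMO_IMAGE_SIZE];
    build_demo_image(img);
    return read_timestamp(img, sizeof img, nt_read_size, timestamp_out);
}

int main(void) {
    uint32_t ts = 0;
    int rc = demo(sizeof(void *), &ts);        /* like sizeof(PIMAGE_NT_HEADERS): 4 or 8 bytes */
    printf("pointer-size read: rc=%d Timestamp=0x%08X\n", rc, ts);
    rc = demo(sizeof(pe_nt_headers_t), &ts);   /* like sizeof(IMAGE_NT_HEADERS) */
    printf("full-struct read:  rc=%d Timestamp=0x%08X\n", rc, ts);
    return 0;
}
```

The first call returns rc=0 with Timestamp 0, the second rc=0 with the constructed 0x5F3E2A10. The signature check is not a completeness check: validating only the first field tells you nothing about whether the rest of the struct was filled, so compare the byte count ReadProcessMemory reports (its last parameter, passed as 0 in the question) against sizeof the struct rather than inferring success from one field.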
