Get Current NT Header Data of running Process with C/C++
Question
This is my first post and I am stuck here. I am currently working on my project and I have a problem. I am getting the base address of my own module and reading the process memory to get the IMAGE_DOS_HEADER at runtime, then I continue by adding e_lfanew from the IMAGE_DOS_HEADER struct to the BaseAddress to get the IMAGE_NT_HEADER. Finally, I check whether the NT Signature is valid, and it seems to be. So reading the PE of my own process worked, I guess... I am trying to read TimeDateStamp and this always returns 0, and I don't know why. Here is my code:
#include <windows.h>
#include <tlhelp32.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

bool ReadOwnNtHeader( void )
{
    IMAGE_DOS_HEADER pDos = {0};
    IMAGE_NT_HEADERS pNT = {0};
    void *BaseAddress = NULL;
    // create module snapshot
    MODULEENTRY32 ME32;
    HANDLE hModule = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, GetCurrentProcessId() );
    if( hModule == INVALID_HANDLE_VALUE )
        return false;
    ME32.dwSize = sizeof( ME32 );
    if( Module32First( hModule, &ME32 ) )
    {
        // get base address of my module (the first entry is the main executable)
        BaseAddress = ME32.modBaseAddr;
    }
    CloseHandle(hModule);
    if( BaseAddress == NULL )
        return false;
    // read BaseAddress and set the IMAGE_DOS_HEADER struct
    if( !ReadProcessMemory( GetCurrentProcess(), BaseAddress, &pDos, sizeof( IMAGE_DOS_HEADER ), 0 ) )
        return false;
    // e_magic is correct here, I skipped this
    // BaseAddress + e_lfanew points to the NT Header struct, I read it here
    // (uintptr_t, not unsigned long, which is only 32 bits on 64-bit Windows)
    if( !ReadProcessMemory( GetCurrentProcess(), (void*)((uintptr_t)BaseAddress + pDos.e_lfanew), &pNT, sizeof(PIMAGE_NT_HEADERS), 0) )
        return false;
    if( pNT.Signature == IMAGE_NT_SIGNATURE ) // this condition returns TRUE
    {
        printf("NT Header Signature is valid\n");
        printf("Timestamp: %lu\n", pNT.FileHeader.TimeDateStamp);
        // TimeDateStamp returns me 0 - why ?
    }
    return true;
}
I am not sure if I forgot something; it would be nice if someone could give me a hint.
Thanks in advance
PS: I am sorry for the bad formatting, this is my first post :P
There is a bug, not sure how you missed it:
sizeof(PIMAGE_NT_HEADERS)
should be
sizeof(IMAGE_NT_HEADERS).
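The one-line fix above is the whole answer, but the symptom is worth seeing end to end. The following C program is an added example and is neither the questioner's code nor the answer's: it rebuilds the same walk (IMAGE_DOS_HEADER, e_lfanew, NT signature check, TimeDateStamp) over a constructed in-memory image so it compiles and runs off Windows. The struct definitions are local re-declarations of the public PE layout (a fixed-size prefix of IMAGE_NT_HEADERS without the optional header), read_image() is a bounds-checked stand-in for ReadProcessMemory on the current process, and the image bytes and the 0x5F3E2A10 timestamp are made up for the demo. Running it shows why the signature check passes while TimeDateStamp stays 0: a pointer-sized copy brings in only the first 4 or 8 bytes of the header, TimeDateStamp sits at offset 8, and the struct was zero-initialised.

```c
/* Added example, not the poster's code: portable reproduction of the
 * DOS -> e_lfanew -> NT header walk over a constructed in-memory image.
 * Structs re-declare the public PE layout; read_image() stands in for
 * ReadProcessMemory on the current process. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IMAGE_DOS_SIGNATURE 0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE  0x00004550  /* "PE\0\0" */

typedef struct {                        /* 64 bytes, same layout as <winnt.h> */
    uint16_t e_magic;
    uint16_t e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc;
    uint16_t e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno;
    uint16_t e_res[4], e_oemid, e_oeminfo, e_res2[10];
    int32_t  e_lfanew;                  /* offset 0x3C: where "PE\0\0" lives */
} IMAGE_DOS_HEADER;

typedef struct {                        /* 20 bytes */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp;             /* offset 8 from the PE signature */
    uint32_t PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} IMAGE_FILE_HEADER;

/* Fixed-size prefix only; the real IMAGE_NT_HEADERS continues with the optional header. */
typedef struct {
    uint32_t          Signature;
    IMAGE_FILE_HEADER FileHeader;
} IMAGE_NT_HEADERS_PREFIX, *PIMAGE_NT_HEADERS_PREFIX;

/* Bounds-checked copy from the image; fails instead of over-reading. */
static bool read_image(const uint8_t *image, size_t image_size,
                       size_t offset, void *dst, size_t len)
{
    if (offset > image_size || len > image_size - offset)
        return false;
    memcpy(dst, image + offset, len);
    return true;
}

/* The question's walk. nt_copy_len is the byte count passed to the NT header
 * read: sizeof(IMAGE_NT_HEADERS_PREFIX) is right; a pointer size (the bug) copies
 * only 4 or 8 bytes, so TimeDateStamp keeps its zero while Signature still matches. */
bool read_timestamp(const uint8_t *image, size_t image_size,
                    size_t nt_copy_len, uint32_t *timestamp)
{
    IMAGE_DOS_HEADER dos = {0};
    IMAGE_NT_HEADERS_PREFIX nt = {0};
    if (!read_image(image, image_size, 0, &dos, sizeof dos))
        return false;
    if (dos.e_magic != IMAGE_DOS_SIGNATURE || dos.e_lfanew < 0)
        return false;
    if (nt_copy_len > sizeof nt ||
        !read_image(image, image_size, (size_t)dos.e_lfanew, &nt, nt_copy_len))
        return false;
    if (nt.Signature != IMAGE_NT_SIGNATURE)
        return false;
    *timestamp = nt.FileHeader.TimeDateStamp;
    return true;
}

/* Constructed minimal image: MZ header at 0, PE header at 0x80, made-up timestamp. */
#define DEMO_NT_OFFSET 0x80
#define DEMO_TIMESTAMP 0x5F3E2A10u
size_t build_demo_image(uint8_t *buf, size_t buf_size)
{
    IMAGE_DOS_HEADER dos = {0};
    IMAGE_NT_HEADERS_PREFIX nt = {0};
    size_t total = DEMO_NT_OFFSET + sizeof nt;
    if (buf_size < total)
        return 0;
    memset(buf, 0, total);
    dos.e_magic = IMAGE_DOS_SIGNATURE;
    dos.e_lfanew = DEMO_NT_OFFSET;
    nt.Signature = IMAGE_NT_SIGNATURE;
    nt.FileHeader.Machine = 0x8664;     /* x64 */
    nt.FileHeader.NumberOfSections = 3;
    nt.FileHeader.TimeDateStamp = DEMO_TIMESTAMP;
    memcpy(buf, &dos, sizeof dos);
    memcpy(buf + DEMO_NT_OFFSET, &nt, sizeof nt);
    return total;
}

/* Reads the demo image with the given NT copy length; UINT32_MAX if the walk fails. */
uint32_t demo_read(size_t nt_copy_len)
{
    uint8_t image[256];
    uint32_t ts = 0;
    size_t n = build_demo_image(image, sizeof image);
    if (n == 0 || !read_timestamp(image, n, nt_copy_len, &ts))
        return UINT32_MAX;
    return ts;
}

int main(void)
{
    printf("pointer-sized copy (%zu bytes): TimeDateStamp = 0x%08x\n",
           sizeof(PIMAGE_NT_HEADERS_PREFIX), demo_read(sizeof(PIMAGE_NT_HEADERS_PREFIX)));
    printf("struct-sized copy (%zu bytes):  TimeDateStamp = 0x%08x\n",
           sizeof(IMAGE_NT_HEADERS_PREFIX), demo_read(sizeof(IMAGE_NT_HEADERS_PREFIX)));
    return 0;
}
```

Passing sizeof(IMAGE_NT_HEADERS) to the real ReadProcessMemory call, as the answer says, is the fix. The extra checks in read_timestamp (e_magic, a non-negative e_lfanew, and the read staying inside the image) are what you want before trusting an e_lfanew taken from any process you did not build yourself.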