通过PEB枚举进程中所有模块

背景知识网上可搜到

这儿有个视频讲得比较详细：http://www.52pojie.cn/thread-178258-1-1.html

废话不说，上代码

首先是一些结构体的定义：

typedef LONG KPRIORITY;
typedef void** PPVOID;

typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;
    WORD LoadCount;
    WORD TlsIndex;
    union
    {
        LIST_ENTRY HashLinks;
        struct
        {
            PVOID SectionPointer;
            ULONG CheckSum;
        };
    };
    union
    {
        ULONG TimeDateStamp;
        PVOID LoadedImports;
    };
    DWORD EntryPointActivationContext; //_ACTIVATION_CONTEXT * EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY ForwarderLinks;
    LIST_ENTRY ServiceTagLinks;
    LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;


typedef struct _PEB_LDR_DATA {
    ULONG Length; 
    BOOLEAN Initialized; 
    PVOID SsHandle; 
    LIST_ENTRY InLoadOrderModulevector; 
    LIST_ENTRY InMemoryOrderModulevector; 
    LIST_ENTRY InInitializationOrderModulevector;
} PEB_LDR_DATA, *PPEB_LDR_DATA;


typedef struct _PEB
{
    BOOLEAN InheritedAddressSpace; 
    BOOLEAN ReadImageFileExecOptions; 
    BOOLEAN BeingDebugged; 
    BOOLEAN Spare; 
    HANDLE Mutant; 
    PVOID ImageBaseAddress; 
    PPEB_LDR_DATA LoaderData; 
    PVOID ProcessParameters; //PRTL_USER_PROCESS_PARAMETERS ProcessParameters; 
    PVOID SubSystemData; 
    PVOID ProcessHeap; 
    PVOID FastPebLock; 
    PVOID FastPebLockRoutine; //PPEBLOCKROUTINE FastPebLockRoutine; 
    PVOID FastPebUnlockRoutine; //PPEBLOCKROUTINE FastPebUnlockRoutine; 
    ULONG EnvironmentUpdateCount; 
    PPVOID KernelCallbackTable; 
    PVOID EventLogSection; 
    PVOID EventLog; 
    DWORD Freevector; //PPEB_FREE_BLOCK Freevector; 
    ULONG TlsExpansionCounter; 
    PVOID TlsBitmap; 
    ULONG TlsBitmapBits[0x2]; 
    PVOID ReadOnlySharedMemoryBase; 
    PVOID ReadOnlySharedMemoryHeap; 
    PPVOID ReadOnlyStaticServerData; 
    PVOID AnsiCodePageData; 
    PVOID OemCodePageData; 
    PVOID UnicodeCaseTableData; 
    ULONG NumberOfProcessors; 
    ULONG NtGlobalFlag; 
    BYTE Spare2[0x4]; 
    LARGE_INTEGER CriticalSectionTimeout; 
    ULONG HeapSegmentReserve; 
    ULONG HeapSegmentCommit; 
    ULONG HeapDeCommitTotalFreeThreshold; 
    ULONG HeapDeCommitFreeBlockThreshold; 
    ULONG NumberOfHeaps; 
    ULONG MaximumNumberOfHeaps; 
    PPVOID *ProcessHeaps; 
    PVOID GdiSharedHandleTable; 
    PVOID ProcessStarterHelper; 
    PVOID GdiDCAttributevector; 
    PVOID LoaderLock; 
    ULONG OSMajorVersion; 
    ULONG OSMinorVersion; 
    ULONG OSBuildNumber; 
    ULONG OSPlatformId; 
    ULONG ImageSubSystem; 
    ULONG ImageSubSystemMajorVersion; 
    ULONG ImageSubSystemMinorVersion; 
    ULONG GdiHandleBuffer[0x22]; 
    ULONG PostProcessInitRoutine; 
    ULONG TlsExpansionBitmap; 
    BYTE TlsExpansionBitmapBits[0x80]; 
    ULONG SessionId;
} PEB, *PPEB;

用到一个读内存的函数：

int readMemory(const void * adresseBase, void * adresseDestination, size_t longueur, HANDLE handleProcess)
{
    if(handleProcess == INVALID_HANDLE_VALUE)
    {
        return (memcpy_s(adresseDestination, longueur, adresseBase, longueur) == 0);
    }
    else
    {
        SIZE_T dwBytesRead = 0;
        return ((ReadProcessMemory(handleProcess, adresseBase, adresseDestination, longueur, &dwBytesRead) != 0) && (dwBytesRead == longueur));
    }
}

获取PEB的方法，网上大都是用汇编，读fs寄存器获得TEB，通过偏移获取PEB。

这里用Windows在ntdll中一个未公开的函数：NtQueryInformationProcess

函数指针定义如下：

typedef NTSTATUS (WINAPI * PNT_QUERY_INFORMATION_PROCESS)    (__in HANDLE ProcessHandle, __in PROCESSINFOCLASS ProcessInformationClass, __out PVOID ProcessInformation, __in ULONG ProcessInformationLength, __out_opt  PULONG ReturnLength);

其中第二个参数可取如下值：

typedef enum _PROCESSINFOCLASS {
    ProcessBasicInformation,
    ProcessQuotaLimits,
    ProcessIoCounters,
    ProcessVmCounters,
    ProcessTimes,
    ProcessBasePriority,
    ProcessRaisePriority,
    ProcessDebugPort,
    ProcessExceptionPort,
    ProcessAccessToken,
    ProcessLdtInformation,
    ProcessLdtSize,
    ProcessDefaultHardErrorMode,
    ProcessIoPortHandlers,          // Note: this is kernel mode only
    ProcessPooledUsageAndLimits,
    ProcessWorkingSetWatch,
    ProcessUserModeIOPL,
    ProcessEnableAlignmentFaultFixup,
    ProcessPriorityClass,
    ProcessWx86Information,
    ProcessHandleCount,
    ProcessAffinityMask,
    ProcessPriorityBoost,
    ProcessDeviceMap,
    ProcessSessionInformation,
    ProcessForegroundInformation,
    ProcessWow64Information,
    ProcessImageFileName,
    ProcessLUIDDeviceMapsEnabled,
    ProcessBreakOnTermination,
    ProcessDebugObjectHandle,
    ProcessDebugFlags,
    ProcessHandleTracing,
    ProcessIoPriority,
    ProcessExecuteFlags,
    ProcessTlsInformation,
    ProcessCookie,
    ProcessImageInformation,
    ProcessCycleTime,
    ProcessPagePriority,
    ProcessInstrumentationCallback,
    ProcessThreadStackAllocation,
    ProcessWorkingSetWatchEx,
    ProcessImageFileNameWin32,
    ProcessImageFileMapping,
    ProcessAffinityUpdateMode,
    ProcessMemoryAllocationMode,
    ProcessGroupInformation,
    ProcessTokenVirtualizationEnabled,
    ProcessConsoleHostProcess,
    ProcessWindowInformation,
    MaxProcessInfoClass             // MaxProcessInfoClass should always be the last enum
} PROCESSINFOCLASS;

这里用ProcessBasicInformation，获得信息的结构如下：

typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;

下面是具体的获取PEB的代码：

    PEB this_peb;
    PROCESS_BASIC_INFORMATION mesInfos;
    HANDLE thisHandle = GetCurrentProcess();    //本进程的HANDLE
    ULONG sizeReturn;
    PNT_QUERY_INFORMATION_PROCESS NtQueryInformationProcess = (PNT_QUERY_INFORMATION_PROCESS)(GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtQueryInformationProcess"));
    NtQueryInformationProcess(thisHandle, ProcessBasicInformation, &mesInfos, sizeof(PROCESS_BASIC_INFORMATION), &sizeReturn);
    readMemory(mesInfos.PebBaseAddress, &this_peb, sizeof(PEB), thisHandle);

下面要用到一个很奇怪的技巧（上面那个视频中讲得很好）：

PEB中有个LoaderData，类型为PPEB_LDR_DATA。而PEB_LDR_DATA与LDR_DATA_TABLE_ENTRY两种结构的三个InLoadOrderLinks、InMemoryOrderLinks、InInitializationOrderLinks是共用的。（PS：我的理解，就是本来是一个结构体，然后被人们用两个结构体表示了）

然后是根据peb中的LoaderData中的某个双向链表找到LDR_DATA_TABLE_ENTRY结构体里面的成员，其中有模块的名字——BaseDllName。它是UNICODE_STRING类型的，打印出来就是了。

下面是自己写的代码，写的很挫，没有注释，但是应该不难理解：

PEB_LDR_DATA my_Ldr;
    readMemory(&this_peb.LoaderData, &my_Ldr, sizeof(PEB_LDR_DATA), thisHandle);
    LIST_ENTRY* tmp = this_peb.LoaderData->InLoadOrderModulevector.Flink;
    LDR_DATA_TABLE_ENTRY* pLdr_table = (LDR_DATA_TABLE_ENTRY*)(unsigned char *)(tmp);
    //取出模块名字
    wchar_t* module_name = (wchar_t*)malloc(pLdr_table->BaseDllName.Length+2);
    ZeroMemory(module_name, pLdr_table->BaseDllName.Length+2);
    readMemory(pLdr_table->BaseDllName.Buffer, module_name, pLdr_table->BaseDllName.Length, thisHandle);
    wprintf(L"%s\n", module_name);
    free(module_name);

    LIST_ENTRY* bianli = tmp->Flink;
    while (bianli->Flink != tmp)
    {
        pLdr_table = (LDR_DATA_TABLE_ENTRY*)(bianli);
        wchar_t* module_name = (wchar_t*)malloc(pLdr_table->BaseDllName.Length+2);
        ZeroMemory(module_name, pLdr_table->BaseDllName.Length+2);
        readMemory(pLdr_table->BaseDllName.Buffer, module_name, pLdr_table->BaseDllName.Length, thisHandle);
        wprintf(L"%s\n", module_name);
        free(module_name);
        bianli = bianli->Flink;
    }

总结：

貌似PEB很强大的（看里面的变量就能知道），这里仅仅用来枚举所有的模块了。做安全的话，不得不知道这些。。