[原创]win11遍历进程定时器方法逆向

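/// Counts the win32k timers owned by thread `tid` and records each newly
/// seen timer in the caller-owned `head` list.
///
/// The walk goes over `gtmrlisthead`, the timer list of win32kbase.sys
/// (a plain doubly-linked list, not a hash list). For every timer whose
/// owning thread matches `tid`, a `find_list_t` node pointing at the timer
/// is pushed onto `head` — unless `find` reports it is already there — and
/// the count is incremented.
///
/// @param head  Caller-owned list that receives one `find_list_t` per timer.
/// @param tid   Thread id whose timers are counted.
/// @return Number of timers newly inserted into `head`; 0 when the thread
///         cannot be resolved or `gtmrlisthead` cannot be located. If a pool
///         allocation fails the walk stops and the partial count is returned.
auto query_timer_count(plist_entry head, handle tid) -> unsigned int {
    unsigned int count = 0;

    pethread thread{ 0 };
    const auto status = pslookupthreadbythreadid(tid, &thread);
    if (!nt_success(status)) {
        return 0;
    }
    // The reference is released right away: from here on `thread` is only an
    // identity value for pointer comparison and must never be dereferenced.
    obdereferenceobject(thread);

    const auto gtmrlisthead = reinterpret_cast<plist_entry>(
        _utils::find_module_export(_utils::find_module_base("win32kbase.sys"),
            "gtmrlisthead"));
    if (gtmrlisthead == nullptr) {
        return 0;
    }

    for (auto entry = gtmrlisthead->flink; entry != gtmrlisthead; entry = entry->flink) {
        const auto item = containing_record(entry, timer_t, list1);

        // Timers with hwnd == 0 still carry a threadinfo, so ownership is
        // decided on threadinfo rather than on the window. Dereferencing it
        // unconditionally was observed to page-fault at times, so a null
        // threadinfo is skipped.
        // NOTE(review): the thread pointer is assumed to be the first field of
        // the threadinfo structure — the cast below relies on that layout; confirm.
        if (!item->head.threadinfo) {
            continue;
        }
        if (*reinterpret_cast<pethread*>(item->head.threadinfo) != thread) {
            continue;
        }
        if (find(head, item)) {
            continue;  // already recorded for this thread
        }

        auto _item = reinterpret_cast<pfind_list_t>(
            exallocatepoolwithtag(pagedpool, sizeof(find_list_t), 'list'));
        if (_item == nullptr) {
            // Pool exhaustion: do not touch `_item`; stop the walk and report
            // what was collected so far.
            only_debug_break;
            break;
        }
        _item->timer = item;
        insertheadlist(head, reinterpret_cast<plist_entry>(_item));
        ++count;
    }

    return count;
}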

原文链接:https://bbs.kanxue.com/thread-277213.htm

网络摘文,本文作者:15h,如若转载,请注明出处:https://www.15cov.cn/2023/08/27/原创win11遍历进程定时器方法逆向/
