Today, I disclose a method to get kernel time in Microsoft Windows Operating System. In order to get kernel time, the easy way is to call KeGetCurrentPrcb routine. That's undocument native API.
Using below code segment:PKPRCB Prcb;
ULONG ulKeTime = 0;
Prcb = KeGetCurrentPrcb();
ulKeTime = Prcb->KernelTime;
The prototype of KeGetCurrentPrcb isKPRCB* KeGetCurrentPrcb ( VOID )
Now, let's take a look at its code. It mainly has three rows instruction.
{
ULONG Value;
__asm mov eax, fs:[20h]
__asm mov [Value], eax
return (struct _KPRCB *) Value;
}
Another way is to get EPROCESS structure, then to locate KPROCESS fields.
The main fields of KPROCESS are followings:
DISPATCHER_HEADER Header
ULPTR DirectoryTableBase[2]
KGDTENTRY LdtDescriptor
KIDTENTRY Int21Descriptor
USHORT IopmOffset
UCHAR Ioplvolatile
KAFFINITY ActiveProcessors
ULONG KernelTime // here is kernel time
ULONG UserTime
LIST_ENTRY ReadyListHead
SINGLE_LIST_ENTRY SwapListEntry
LIST_ENTRY ThreadListHead
KSPIN_LOCK ProcessLock
我的简介
- Ken Wang - Paladin
- Hi Everyone, I am Ken Wang, a senior security Researcher. I would like you to call me Paladin. I am interesting in research stealth technology as used by malware and protection technology. I currently focus on research and consulting in the areas of client security and virtualization security. You can contact me by email - kenmobile@sina.com
没有评论:
发表评论