这块算是基本搞明白了
...常用命令
查看所有进程基本信息:
!process 0 0
查看进程eprocess:
dt _eprocess fffffa801aaae060 (输出中含有 _HANDLE_TABLE 指针)
// Per-process handle table as dumped for this build; the /*0x..*/ comments are field offsets.
// The walkers further down read only TableCode; the locks are never taken by them.
typedef struct _HANDLE_TABLE // 17 elements, 0x80 bytes (sizeof)
{
/*0x000*/ ULONG32 NextHandleNeedingPool;
/*0x004*/ LONG32 ExtraInfoPages;
/*0x008*/ UINT64 TableCode; // key member: page address of the table; its low bits encode the table depth (masked with 0x3 in the code below)
/*0x010*/ struct _EPROCESS* QuotaProcess;
/*0x018*/ struct _LIST_ENTRY HandleTableList; // 2 elements, 0x10 bytes (sizeof)
/*0x028*/ ULONG32 UniqueProcessId;
union // 2 elements, 0x4 bytes (sizeof)
{
/*0x02C*/ ULONG32 Flags;
struct // 5 elements, 0x1 bytes (sizeof)
{
/*0x02C*/ UINT8 StrictFIFO : 1; // 0 BitPosition
/*0x02C*/ UINT8 EnableHandleExceptions : 1; // 1 BitPosition
/*0x02C*/ UINT8 Rundown : 1; // 2 BitPosition
/*0x02C*/ UINT8 Duplicated : 1; // 3 BitPosition
/*0x02C*/ UINT8 RaiseUMExceptionOnInvalidHandleClose : 1; // 4 BitPosition
};
};
/*0x030*/ struct _EX_PUSH_LOCK HandleContentionEvent; // 7 elements, 0x8 bytes (sizeof)
/*0x038*/ struct _EX_PUSH_LOCK HandleTableLock; // 7 elements, 0x8 bytes (sizeof)
union // 2 elements, 0x40 bytes (sizeof)
{
/*0x040*/ struct _HANDLE_TABLE_FREE_LIST FreeLists[1];
struct // 2 elements, 0x40 bytes (sizeof)
{
/*0x040*/ UINT8 ActualEntry[32];
/*0x060*/ struct _HANDLE_TRACE_DEBUG_INFO* DebugInfo;
/*0x068*/ UINT8 _PADDING0_[0x18];
};
};
}HANDLE_TABLE, *PHANDLE_TABLE;
假如只有一项,TableCode指向的内容就是HANDLE_TABLE_ENTRY数组;其低3位表示是否为2级、3级表:
// One 16-byte slot of a leaf handle page. A slot is in use when ObjectPointerBits is non-zero;
// the code below rebuilds the object address as (ObjectPointerBits << 4) | 0xffff000000000000.
typedef union _HANDLE_TABLE_ENTRY // 15 elements, 0x10 bytes (sizeof)
{
/*0x000*/ INT64 VolatileLowValue;
/*0x000*/ INT64 LowValue;
struct // 2 elements, 0x10 bytes (sizeof)
{
/*0x000*/ struct _HANDLE_TABLE_ENTRY_INFO* InfoTable;
union // 3 elements, 0x8 bytes (sizeof)
{
/*0x008*/ INT64 HighValue;
/*0x008*/ union _HANDLE_TABLE_ENTRY* NextFreeHandleEntry;
/*0x008*/ struct _EXHANDLE LeafHandleValue; // 4 elements, 0x8 bytes (sizeof)
};
};
/*0x000*/ INT64 RefCountField;
struct // 4 elements, 0x8 bytes (sizeof)
{
/*0x000*/ UINT64 Unlocked : 1; // 0 BitPosition
/*0x000*/ UINT64 RefCnt : 16; // 1 BitPosition
/*0x000*/ UINT64 Attributes : 3; // 17 BitPosition
/*0x000*/ UINT64 ObjectPointerBits : 44; // 20 BitPosition; object address bits 4..47 — decode as (bits << 4) | 0xffff000000000000
};
struct // 3 elements, 0x4 bytes (sizeof)
{
/*0x008*/ ULONG32 GrantedAccessBits : 25; // 0 BitPosition; access rights granted to this handle
/*0x008*/ ULONG32 NoRightsUpgrade : 1; // 25 BitPosition
/*0x008*/ ULONG32 Spare1 : 6; // 26 BitPosition
};
/*0x00C*/ ULONG32 Spare2;
}HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
一个进程的句柄值满足 handle/4 = index,handle_table[index].object 即目标对象的对象头:
对象头:
// Header that precedes every object body. Body sits at 0x30, so the pointer a process handle
// entry decodes to is the header, and &Body is what ObGetObjectType() expects.
typedef struct _OBJECT_HEADER // 23 elements, 0x38 bytes (sizeof)
{
/*0x000*/ INT64 PointerCount;
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x008*/ INT64 HandleCount;
/*0x008*/ VOID* NextToFree;
};
/*0x010*/ struct _EX_PUSH_LOCK Lock; // 7 elements, 0x8 bytes (sizeof)
/*0x018*/ UINT8 TypeIndex; // original note: this value is no longer accurate; the code below uses ObGetObjectType() instead of reading it
union // 2 elements, 0x1 bytes (sizeof)
{
/*0x019*/ UINT8 TraceFlags;
struct // 2 elements, 0x1 bytes (sizeof)
{
/*0x019*/ UINT8 DbgRefTrace : 1; // 0 BitPosition
/*0x019*/ UINT8 DbgTracePermanent : 1; // 1 BitPosition
};
};
/*0x01A*/ UINT8 InfoMask;
union // 2 elements, 0x1 bytes (sizeof)
{
/*0x01B*/ UINT8 Flags;
struct // 8 elements, 0x1 bytes (sizeof)
{
/*0x01B*/ UINT8 NewObject : 1; // 0 BitPosition
/*0x01B*/ UINT8 KernelObject : 1; // 1 BitPosition
/*0x01B*/ UINT8 KernelOnlyAccess : 1; // 2 BitPosition
/*0x01B*/ UINT8 ExclusiveObject : 1; // 3 BitPosition
/*0x01B*/ UINT8 PermanentObject : 1; // 4 BitPosition
/*0x01B*/ UINT8 DefaultSecurityQuota : 1; // 5 BitPosition
/*0x01B*/ UINT8 SingleHandleEntry : 1; // 6 BitPosition
/*0x01B*/ UINT8 DeletedInline : 1; // 7 BitPosition
};
};
/*0x01C*/ ULONG32 Reserved;
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x020*/ struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo;
/*0x020*/ VOID* QuotaBlockCharged;
};
/*0x028*/ VOID* SecurityDescriptor;
/*0x030*/ struct _QUAD Body; // 2 elements, 0x8 bytes (sizeof); the object body still starts at offset 0x30
}OBJECT_HEADER, *POBJECT_HEADER;
类型对象
// Type object: one per object type, linked through TypeList and indexed by Index.
// Name and Index are what the walkers below print for each handle.
typedef struct _OBJECT_TYPE // 12 elements, 0xD0 bytes (sizeof)
{
/*0x000*/ struct _LIST_ENTRY TypeList; // 2 elements, 0x10 bytes (sizeof)
/*0x010*/ struct _UNICODE_STRING Name; // 3 elements, 0x10 bytes (sizeof); type name, e.g. printed with %wZ
/*0x020*/ VOID* DefaultObject;
/*0x028*/ UINT8 Index; // index into ObTypeIndexTable
/*0x029*/ UINT8 _PADDING0_[0x3];
/*0x02C*/ ULONG32 TotalNumberOfObjects;
/*0x030*/ ULONG32 TotalNumberOfHandles;
/*0x034*/ ULONG32 HighWaterNumberOfObjects;
/*0x038*/ ULONG32 HighWaterNumberOfHandles;
/*0x03C*/ UINT8 _PADDING1_[0x4];
/*0x040*/ struct _OBJECT_TYPE_INITIALIZER TypeInfo; // 25 elements, 0x70 bytes (sizeof)
/*0x0B0*/ struct _EX_PUSH_LOCK TypeLock; // 7 elements, 0x8 bytes (sizeof)
/*0x0B8*/ ULONG32 Key;
/*0x0BC*/ UINT8 _PADDING2_[0x4];
/*0x0C0*/ struct _LIST_ENTRY CallbackList; // 2 elements, 0x10 bytes (sizeof); list of callbacks registered for this object type
}OBJECT_TYPE, *POBJECT_TYPE; // original note: this structure is unchanged on this build
每个类型对象都对应一个全局的POBJECT_TYPE指针变量,
而且所有类型对象都位于一个全局数组中,可用 dq ObTypeIndexTable 查看。
《Windows内核原理与实现》一书中讲到的 dq ObpObjectTypes,其内容与 ObTypeIndexTable[2:] 相同。
在 windbg 中可用 !object 命令查看 OBJECT_TYPE。
类型信息
访问掩码和回调
// Type descriptor embedded in OBJECT_TYPE.TypeInfo: type flags, generic access mapping,
// valid access mask, pool charges and the per-type Ob procedures (open/close/delete/parse/...).
typedef struct _OBJECT_TYPE_INITIALIZER // 32 elements, 0x78 bytes (sizeof)
{
/*0x000*/ UINT16 Length;
union // 2 elements, 0x2 bytes (sizeof)
{
/*0x002*/ UINT16 ObjectTypeFlags;
struct // 2 elements, 0x2 bytes (sizeof)
{
struct // 8 elements, 0x1 bytes (sizeof)
{
/*0x002*/ UINT8 CaseInsensitive : 1; // 0 BitPosition
/*0x002*/ UINT8 UnnamedObjectsOnly : 1; // 1 BitPosition
/*0x002*/ UINT8 UseDefaultObject : 1; // 2 BitPosition
/*0x002*/ UINT8 SecurityRequired : 1; // 3 BitPosition
/*0x002*/ UINT8 MaintainHandleCount : 1; // 4 BitPosition
/*0x002*/ UINT8 MaintainTypeList : 1; // 5 BitPosition
/*0x002*/ UINT8 SupportsObjectCallbacks : 1; // 6 BitPosition
/*0x002*/ UINT8 CacheAligned : 1; // 7 BitPosition
};
struct // 2 elements, 0x1 bytes (sizeof)
{
/*0x003*/ UINT8 UseExtendedParameters : 1; // 0 BitPosition
/*0x003*/ UINT8 Reserved : 7; // 1 BitPosition
};
};
};
/*0x004*/ ULONG32 ObjectTypeCode;
/*0x008*/ ULONG32 InvalidAttributes;
/*0x00C*/ struct _GENERIC_MAPPING GenericMapping; // 4 elements, 0x10 bytes (sizeof); maps GENERIC_* to type-specific access bits
/*0x01C*/ ULONG32 ValidAccessMask; // access bits a handle to this type may carry
/*0x020*/ ULONG32 RetainAccess;
/*0x024*/ enum _POOL_TYPE PoolType;
/*0x028*/ ULONG32 DefaultPagedPoolCharge;
/*0x02C*/ ULONG32 DefaultNonPagedPoolCharge;
// Per-type procedures; the FUNCT_* names are the dump tool's synthetic prototype names.
/*0x030*/ FUNCT_00EA_1B2C_DumpProcedure* DumpProcedure;
/*0x038*/ FUNCT_009C_1B34_OpenProcedure* OpenProcedure;
/*0x040*/ FUNCT_00EA_1B42_CloseProcedure* CloseProcedure;
/*0x048*/ FUNCT_00EA_0891_Free_InterfaceReference_InterfaceDereference_WorkerRoutine_Callback_DevicePowerRequired_DevicePowerNotRequired_DeleteCallback_DeleteProcedure_ReleaseFromLazyWrite_ReleaseFromReadAhead_DisableCallback* DeleteProcedure;
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x050*/ FUNCT_009C_1B48_ParseProcedure* ParseProcedure;
/*0x050*/ FUNCT_009C_1B54_ParseProcedureEx* ParseProcedureEx;
};
/*0x058*/ FUNCT_009C_1B66_SecurityProcedure* SecurityProcedure;
/*0x060*/ FUNCT_009C_1B77_QueryNameProcedure* QueryNameProcedure;
/*0x068*/ FUNCT_00A5_1B7F_OkayToCloseProcedure* OkayToCloseProcedure;
/*0x070*/ ULONG32 WaitObjectFlagMask;
/*0x074*/ UINT16 WaitObjectFlagOffset;
/*0x076*/ UINT16 WaitObjectPointerOffset;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
以下是兼容 16299 版本的代码:
#ifndef F_HANDLE
#define F_HANDLE
#include <ntddk.h>
// Raw EPROCESS field offsets for Windows 10 build 16299 (x64). They are applied with pointer
// arithmetic below, so any other build needs its own values — check them with `dt _eprocess`
// on the target before running this code there.
#define HANDLE_TABLE_OFFSET16299 0x418      // EPROCESS handle table pointer (PHANDLE_TABLE)
#define IMAGE_FILE_NAME_OFFSET16299 0x450   // EPROCESS image file name (not used by the code below)
#define UniqueProcessId_OFFSET16299 0x2E0   // EPROCESS UniqueProcessId, read relative to the object body
// Handle value as stored in a leaf entry: two tag bits plus a 30-bit index (handle == Index * 4).
typedef struct _EXHANDLE // 4 elements, 0x8 bytes (sizeof)
{
union // 3 elements, 0x8 bytes (sizeof)
{
struct // 2 elements, 0x4 bytes (sizeof)
{
/*0x000*/ ULONG32 TagBits : 2; // 0 BitPosition
/*0x000*/ ULONG32 Index : 30; // 2 BitPosition
};
/*0x000*/ VOID* GenericHandleOverlay;
/*0x000*/ UINT64 Value;
};
}EXHANDLE, *PEXHANDLE;
// One 16-byte slot of a leaf handle page (build 16299). A slot is in use when ObjectPointerBits
// is non-zero; the walkers rebuild the object address as (ObjectPointerBits << 4) | 0xffff000000000000.
typedef union _HANDLE_TABLE_ENTRY // 15 elements, 0x10 bytes (sizeof)
{
/*0x000*/ INT64 VolatileLowValue;
/*0x000*/ INT64 LowValue;
struct // 2 elements, 0x10 bytes (sizeof)
{
/*0x000*/ struct _HANDLE_TABLE_ENTRY_INFO* InfoTable;
union // 3 elements, 0x8 bytes (sizeof)
{
/*0x008*/ INT64 HighValue;
/*0x008*/ union _HANDLE_TABLE_ENTRY* NextFreeHandleEntry;
/*0x008*/ struct _EXHANDLE LeafHandleValue; // 4 elements, 0x8 bytes (sizeof)
};
};
/*0x000*/ INT64 RefCountField;
struct // 4 elements, 0x8 bytes (sizeof)
{
/*0x000*/ UINT64 Unlocked : 1; // 0 BitPosition
/*0x000*/ UINT64 RefCnt : 16; // 1 BitPosition
/*0x000*/ UINT64 Attributes : 3; // 17 BitPosition
/*0x000*/ UINT64 ObjectPointerBits : 44; // 20 BitPosition; object address bits 4..47 — decode as (bits << 4) | 0xffff000000000000
};
struct // 3 elements, 0x4 bytes (sizeof)
{
/*0x008*/ ULONG32 GrantedAccessBits : 25; // 0 BitPosition; access rights granted to this handle
/*0x008*/ ULONG32 NoRightsUpgrade : 1; // 25 BitPosition
/*0x008*/ ULONG32 Spare1 : 6; // 26 BitPosition
};
/*0x00C*/ ULONG32 Spare2;
}HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
// Per-process handle table (build 16299). Only TableCode is read by the walkers below; the two
// push locks are kept as plain ULONG64 of the same size because _EX_PUSH_LOCK is not exposed
// by ntddk.h, and the FreeLists member is left out for the same reason (layout is unaffected).
typedef struct _HANDLE_TABLE // 17 elements, 0x80 bytes (sizeof)
{
/*0x000*/ ULONG32 NextHandleNeedingPool;
/*0x004*/ LONG32 ExtraInfoPages;
/*0x008*/ PHANDLE_TABLE_ENTRY TableCode; // key member: page address of the table; its low bits (masked with 0x3) encode the table depth
/*0x010*/ struct _EPROCESS* QuotaProcess;
/*0x018*/ struct _LIST_ENTRY HandleTableList; // 2 elements, 0x10 bytes (sizeof)
/*0x028*/ ULONG32 UniqueProcessId;
union // 2 elements, 0x4 bytes (sizeof)
{
/*0x02C*/ ULONG32 Flags;
struct // 5 elements, 0x1 bytes (sizeof)
{
/*0x02C*/ UINT8 StrictFIFO : 1; // 0 BitPosition
/*0x02C*/ UINT8 EnableHandleExceptions : 1; // 1 BitPosition
/*0x02C*/ UINT8 Rundown : 1; // 2 BitPosition
/*0x02C*/ UINT8 Duplicated : 1; // 3 BitPosition
/*0x02C*/ UINT8 RaiseUMExceptionOnInvalidHandleClose : 1; // 4 BitPosition
};
};
/*0x030*/ ULONG64 HandleContentionEvent; // 7 elements, 0x8 bytes (sizeof); stands in for _EX_PUSH_LOCK
/*0x038*/ ULONG64 HandleTableLock; // 7 elements, 0x8 bytes (sizeof); stands in for _EX_PUSH_LOCK — never acquired by the walkers below
union // 2 elements, 0x40 bytes (sizeof)
{
/*0x040*/ // struct _HANDLE_TABLE_FREE_LIST FreeLists[1];
struct // 2 elements, 0x40 bytes (sizeof)
{
/*0x040*/ UINT8 ActualEntry[32];
/*0x060*/ struct _HANDLE_TRACE_DEBUG_INFO* DebugInfo;
/*0x068*/ UINT8 _PADDING0_[0x18];
};
};
}HANDLE_TABLE, *PHANDLE_TABLE;
// Header that precedes every object body (build 16299). Body sits at 0x30; Lock is a plain
// ULONG64 of the same size because _EX_PUSH_LOCK is not exposed by ntddk.h.
typedef struct _OBJECT_HEADER // 23 elements, 0x38 bytes (sizeof)
{
/*0x000*/ INT64 PointerCount;
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x008*/ INT64 HandleCount;
/*0x008*/ VOID* NextToFree;
};
/*0x010*/ ULONG64 Lock; // 7 elements, 0x8 bytes (sizeof); stands in for _EX_PUSH_LOCK
/*0x018*/ UINT8 TypeIndex; // original note: this value is no longer accurate; the code below uses ObGetObjectType() instead of reading it
union // 2 elements, 0x1 bytes (sizeof)
{
/*0x019*/ UINT8 TraceFlags;
struct // 2 elements, 0x1 bytes (sizeof)
{
/*0x019*/ UINT8 DbgRefTrace : 1; // 0 BitPosition
/*0x019*/ UINT8 DbgTracePermanent : 1; // 1 BitPosition
};
};
/*0x01A*/ UINT8 InfoMask;
union // 2 elements, 0x1 bytes (sizeof)
{
/*0x01B*/ UINT8 Flags;
struct // 8 elements, 0x1 bytes (sizeof)
{
/*0x01B*/ UINT8 NewObject : 1; // 0 BitPosition
/*0x01B*/ UINT8 KernelObject : 1; // 1 BitPosition
/*0x01B*/ UINT8 KernelOnlyAccess : 1; // 2 BitPosition
/*0x01B*/ UINT8 ExclusiveObject : 1; // 3 BitPosition
/*0x01B*/ UINT8 PermanentObject : 1; // 4 BitPosition
/*0x01B*/ UINT8 DefaultSecurityQuota : 1; // 5 BitPosition
/*0x01B*/ UINT8 SingleHandleEntry : 1; // 6 BitPosition
/*0x01B*/ UINT8 DeletedInline : 1; // 7 BitPosition
};
};
/*0x01C*/ ULONG32 Reserved;
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x020*/ struct _OBJECT_CREATE_INFORMATION* ObjectCreateInfo;
/*0x020*/ VOID* QuotaBlockCharged;
};
/*0x028*/ VOID* SecurityDescriptor;
/*0x030*/ struct _QUAD Body; // 2 elements, 0x8 bytes (sizeof); the object body still starts at offset 0x30
}OBJECT_HEADER, *POBJECT_HEADER;
// Type descriptor embedded in OBJECT_TYPE16299.TypeInfo. The per-type procedures are declared
// as VOID* (same size as the function pointers) because the dump tool's FUNCT_* prototype
// typedefs are not available here.
typedef struct _OBJECT_TYPE_INITIALIZER // 32 elements, 0x78 bytes (sizeof)
{
/*0x000*/ UINT16 Length;
union // 2 elements, 0x2 bytes (sizeof)
{
/*0x002*/ UINT16 ObjectTypeFlags;
struct // 2 elements, 0x2 bytes (sizeof)
{
struct // 8 elements, 0x1 bytes (sizeof)
{
/*0x002*/ UINT8 CaseInsensitive : 1; // 0 BitPosition
/*0x002*/ UINT8 UnnamedObjectsOnly : 1; // 1 BitPosition
/*0x002*/ UINT8 UseDefaultObject : 1; // 2 BitPosition
/*0x002*/ UINT8 SecurityRequired : 1; // 3 BitPosition
/*0x002*/ UINT8 MaintainHandleCount : 1; // 4 BitPosition
/*0x002*/ UINT8 MaintainTypeList : 1; // 5 BitPosition
/*0x002*/ UINT8 SupportsObjectCallbacks : 1; // 6 BitPosition
/*0x002*/ UINT8 CacheAligned : 1; // 7 BitPosition
};
struct // 2 elements, 0x1 bytes (sizeof)
{
/*0x003*/ UINT8 UseExtendedParameters : 1; // 0 BitPosition
/*0x003*/ UINT8 Reserved : 7; // 1 BitPosition
};
};
};
/*0x004*/ ULONG32 ObjectTypeCode;
/*0x008*/ ULONG32 InvalidAttributes;
/*0x00C*/ struct _GENERIC_MAPPING GenericMapping; // 4 elements, 0x10 bytes (sizeof); maps GENERIC_* to type-specific access bits
/*0x01C*/ ULONG32 ValidAccessMask; // access bits a handle to this type may carry
/*0x020*/ ULONG32 RetainAccess;
/*0x024*/ enum _POOL_TYPE PoolType;
/*0x028*/ ULONG32 DefaultPagedPoolCharge;
/*0x02C*/ ULONG32 DefaultNonPagedPoolCharge;
/*0x030*/ VOID* DumpProcedure;
/*0x038*/ VOID* OpenProcedure;
/*0x040*/ VOID* CloseProcedure;
/*0x048*/ VOID* DeleteProcedure;
union // 2 elements, 0x8 bytes (sizeof)
{
/*0x050*/ VOID* ParseProcedure;
/*0x050*/ VOID* ParseProcedureEx;
};
/*0x058*/ VOID* SecurityProcedure;
/*0x060*/ VOID* QueryNameProcedure;
/*0x068*/ VOID* OkayToCloseProcedure;
/*0x070*/ ULONG32 WaitObjectFlagMask;
/*0x074*/ UINT16 WaitObjectFlagOffset;
/*0x076*/ UINT16 WaitObjectPointerOffset;
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
// Type object for build 16299, named apart from the ntddk.h OBJECT_TYPE so the two can coexist.
// ObGetObjectType() returns a POBJECT_TYPE that the code below casts to this layout to read
// Name and Index. TypeLock is a ULONG64 stand-in for _EX_PUSH_LOCK (same size).
typedef struct _OBJECT_TYPE16299 // 12 elements, 0xD0 bytes (sizeof)
{
/*0x000*/ struct _LIST_ENTRY TypeList; // 2 elements, 0x10 bytes (sizeof)
/*0x010*/ struct _UNICODE_STRING Name; // 3 elements, 0x10 bytes (sizeof); type name, printed with %wZ below
/*0x020*/ VOID* DefaultObject;
/*0x028*/ UINT8 Index; // index into ObTypeIndexTable; compared against 0x7 for "Process" in GetProcessHandle
/*0x029*/ UINT8 _PADDING0_[0x3];
/*0x02C*/ ULONG32 TotalNumberOfObjects;
/*0x030*/ ULONG32 TotalNumberOfHandles;
/*0x034*/ ULONG32 HighWaterNumberOfObjects;
/*0x038*/ ULONG32 HighWaterNumberOfHandles;
/*0x03C*/ UINT8 _PADDING1_[0x4];
/*0x040*/ struct _OBJECT_TYPE_INITIALIZER TypeInfo; // 25 elements, 0x70 bytes (sizeof)
/*0x0B0*/ ULONG64 TypeLock; // 7 elements, 0x8 bytes (sizeof); stands in for _EX_PUSH_LOCK
/*0x0B8*/ ULONG32 Key;
/*0x0BC*/ UINT8 _PADDING2_[0x4];
/*0x0C0*/ struct _LIST_ENTRY CallbackList; // 2 elements, 0x10 bytes (sizeof); list of callbacks registered for this object type
}OBJECT_TYPE16299, *POBJECT_TYPE16299;
// Kernel exports not declared by ntddk.h (PsLookupProcessByProcessId comes from ntifs.h).
// PsLookupProcessByProcessId returns a referenced EPROCESS; the caller must release it with
// ObDereferenceObject once it has finished reading the process.
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE Id, PEPROCESS *Process);
// Takes an object BODY (not its OBJECT_HEADER) and returns its type object.
NTKERNELAPI POBJECT_TYPE ObGetObjectType(PVOID Object);
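/*
 * Handle-table walkers for Windows 10 build 16299 (x64).
 *
 * HANDLE_TABLE.TableCode is a page address whose low two bits give the table
 * depth: 0 = the page is a leaf page of HANDLE_TABLE_ENTRY, 1 = a page of
 * pointers to leaf pages, 2 = a page of pointers to such pointer pages. A
 * handle value is 4 * (slot index), counted across leaf pages in order.
 *
 * The three public functions share one traversal (WalkHandleTable) and differ
 * only in the per-entry callback. Compared with the original copy-pasted
 * loops this version:
 *   - keeps the EPROCESS reference until the walk is finished (the original
 *     called ObDereferenceObject before touching the process);
 *   - bounds the pointer-page scans to PAGE_SIZE / sizeof(ULONG64) slots so a
 *     page with no NULL terminator cannot run the scan off the page;
 *   - drops the unconditional DbgBreakPoint() calls, which halt the machine
 *     when no kernel debugger is attached;
 *   - initialises *buffer in GetProcessHandle so "not found" is observable.
 * None of the walkers take HandleTableLock, so the result is a best-effort
 * snapshot of a table that may change while it is being read.
 */

/* Object type index of "Process" on build 16299, taken from the original
 * comparison (obt->Index == 0x7). Verify on the target with !object \ObjectTypes. */
#define PROCESS_TYPE_INDEX16299 0x7

/* Per-entry visitor. Returning FALSE stops the walk early. */
typedef BOOLEAN (*HANDLE_ENTRY_CALLBACK)(ULONG32 HandleValue, PHANDLE_TABLE_ENTRY Entry, PVOID Context);

/* Decode the object pointer packed into a leaf entry: the entry stores
 * address bits 4..47, and the top 16 bits are restored as kernel-space
 * sign extension (see the ObjectPointerBits comment on HANDLE_TABLE_ENTRY). */
static PVOID HandleEntryObject(PHANDLE_TABLE_ENTRY Entry)
{
    return (PVOID)(((ULONG64)Entry->ObjectPointerBits << 4) | 0xffff000000000000ULL);
}

/* Visit every in-use slot of one leaf page. *HandleValue advances by 4 for
 * every slot, used or not, so it always equals slot_index * 4.
 * Returns FALSE if the callback asked to stop. */
static BOOLEAN WalkLeafPage(PHANDLE_TABLE_ENTRY Leaf, ULONG32 *HandleValue, HANDLE_ENTRY_CALLBACK Callback, PVOID Context)
{
    const ULONG slots = PAGE_SIZE / sizeof(HANDLE_TABLE_ENTRY);
    for (ULONG i = 0; i < slots; i++, Leaf++) {
        if (Leaf->ObjectPointerBits != 0 && !Callback(*HandleValue, Leaf, Context)) {
            return FALSE;
        }
        *HandleValue += 4;
    }
    return TRUE;
}

/* Walk every leaf page reachable from Table->TableCode in handle order.
 * Pointer pages are scanned up to PAGE_SIZE / sizeof(ULONG64) slots and, as
 * in the original, the first NULL slot ends the scan — the table is assumed
 * to fill its pointer pages contiguously (TODO confirm on the target build). */
static void WalkHandleTable(PHANDLE_TABLE Table, HANDLE_ENTRY_CALLBACK Callback, PVOID Context)
{
    const ULONG ptr_slots = PAGE_SIZE / sizeof(ULONG64);
    ULONG64 tablecode = (ULONG64)Table->TableCode;
    ULONG level = (ULONG)(tablecode & 0x3);
    ULONG64 base = tablecode & ~(ULONG64)0x3;   /* same mask as 0xfffffffffffffffc */
    ULONG32 handle_value = 0;

    if (base == 0) {
        return;
    }

    switch (level) {
    case 0: {   /* one level: TableCode points straight at a leaf page */
        WalkLeafPage((PHANDLE_TABLE_ENTRY)base, &handle_value, Callback, Context);
        break;
    }
    case 1: {   /* two levels: a page of leaf-page pointers */
        ULONG64 *mid = (ULONG64 *)base;
        for (ULONG i = 0; i < ptr_slots && mid[i] != 0; i++) {
            if (!WalkLeafPage((PHANDLE_TABLE_ENTRY)mid[i], &handle_value, Callback, Context)) {
                return;
            }
        }
        break;
    }
    case 2: {   /* three levels: a page of pointers to pointer pages */
        ULONG64 *top = (ULONG64 *)base;
        for (ULONG i = 0; i < ptr_slots && top[i] != 0; i++) {
            ULONG64 *mid = (ULONG64 *)top[i];
            for (ULONG j = 0; j < ptr_slots && mid[j] != 0; j++) {
                if (!WalkLeafPage((PHANDLE_TABLE_ENTRY)mid[j], &handle_value, Callback, Context)) {
                    return;
                }
            }
        }
        break;
    }
    default:
        /* level 3 is not a valid encoding; the original ignored it as well */
        break;
    }
}

/* Read the process handle table through the build-specific EPROCESS offset. */
static PHANDLE_TABLE ProcessHandleTable16299(PEPROCESS Process)
{
    return *(PHANDLE_TABLE *)((ULONG_PTR)Process + HANDLE_TABLE_OFFSET16299);
}

/* EnumProcessHandles visitor: print one handle. In a process handle table the
 * decoded pointer is the OBJECT_HEADER, and ObGetObjectType wants the body. */
static BOOLEAN PrintProcessHandle(ULONG32 HandleValue, PHANDLE_TABLE_ENTRY Entry, PVOID Context)
{
    POBJECT_HEADER header = (POBJECT_HEADER)HandleEntryObject(Entry);
    POBJECT_TYPE16299 type = (POBJECT_TYPE16299)ObGetObjectType(&header->Body);
    UNREFERENCED_PARAMETER(Context);
    if (type != NULL) {
        DbgPrint("handle_value:%d, handle_type:%wZ, handle_type_index:%x, object_body:%p\n", HandleValue, &type->Name, type->Index, &header->Body);
    }
    return TRUE;
}

/**
 * Print every handle of the process with id `pid` via DbgPrint.
 *
 * @param pid  Process id to look up.
 * @return     The status of PsLookupProcessByProcessId; STATUS_SUCCESS once
 *             the walk has run (an empty or missing handle table is not an error).
 */
NTSTATUS EnumProcessHandles(ULONG pid)
{
    PEPROCESS eproc = NULL;
    NTSTATUS ret = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &eproc);
    if (!NT_SUCCESS(ret)) {
        return ret;
    }
    /* Hold the reference for the whole walk; the EPROCESS and its table are
     * read below, so it must not be released first. */
    PHANDLE_TABLE ht = ProcessHandleTable16299(eproc);
    if (ht != NULL) {
        WalkHandleTable(ht, PrintProcessHandle, NULL);
    }
    ObDereferenceObject(eproc);
    return ret;
}

/* State shared between GetProcessHandle and its visitor. */
typedef struct _FIND_PROCESS_HANDLE_CTX {
    ULONG TargetPid;              /* UniqueProcessId we are looking for */
    PHANDLE_TABLE_ENTRY Found;    /* first matching entry, or NULL */
    ULONG32 FoundHandleValue;     /* handle value of Found, valid when Found != NULL */
} FIND_PROCESS_HANDLE_CTX;

/* GetProcessHandle visitor: stop at the first Process-type handle whose
 * EPROCESS.UniqueProcessId equals the target pid. */
static BOOLEAN MatchProcessHandle(ULONG32 HandleValue, PHANDLE_TABLE_ENTRY Entry, PVOID Context)
{
    FIND_PROCESS_HANDLE_CTX *ctx = (FIND_PROCESS_HANDLE_CTX *)Context;
    POBJECT_HEADER header = (POBJECT_HEADER)HandleEntryObject(Entry);
    POBJECT_TYPE16299 type = (POBJECT_TYPE16299)ObGetObjectType(&header->Body);
    if (type == NULL || type->Index != PROCESS_TYPE_INDEX16299) {
        return TRUE;   /* not a process object: keep walking */
    }
    /* For a process object the body is the EPROCESS; read its UniqueProcessId. */
    ULONG64 pid = *(ULONG64 *)((ULONG_PTR)&header->Body + UniqueProcessId_OFFSET16299);
    if (pid != ctx->TargetPid) {
        return TRUE;
    }
    ctx->Found = Entry;
    ctx->FoundHandleValue = HandleValue;
    return FALSE;
}

/**
 * Find, in the handle table of process `pid`, the first handle that refers to
 * the process with id `tarpid`.
 *
 * @param pid     Owner of the handle table to search.
 * @param tarpid  Process id the handle must refer to.
 * @param buffer  Receives a pointer to the matching HANDLE_TABLE_ENTRY, or NULL
 *                when no handle matched. The pointer is into the live handle
 *                table and is only valid while that table exists.
 * @return        STATUS_INVALID_PARAMETER if buffer is NULL, otherwise the
 *                status of PsLookupProcessByProcessId. As in the original, a
 *                completed search with no match still returns success — test
 *                *buffer to tell the two apart.
 */
NTSTATUS GetProcessHandle(ULONG pid, ULONG tarpid, PHANDLE_TABLE_ENTRY* buffer)
{
    if (buffer == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    *buffer = NULL;
    PEPROCESS eproc = NULL;
    NTSTATUS ret = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &eproc);
    if (!NT_SUCCESS(ret)) {
        return ret;
    }
    FIND_PROCESS_HANDLE_CTX ctx = { .TargetPid = tarpid, .Found = NULL, .FoundHandleValue = 0 };
    PHANDLE_TABLE ht = ProcessHandleTable16299(eproc);
    if (ht != NULL) {
        WalkHandleTable(ht, MatchProcessHandle, &ctx);
    }
    ObDereferenceObject(eproc);
    if (ctx.Found != NULL) {
        *buffer = ctx.Found;
        DbgPrint("handle:%d\n", ctx.FoundHandleValue);
    }
    return ret;
}

/* EnumSystemHandles visitor. Per the original note, in the system cid table
 * the decoded pointer is already the object body, not an OBJECT_HEADER, so it
 * is passed to ObGetObjectType as-is. */
static BOOLEAN PrintCidEntry(ULONG32 HandleValue, PHANDLE_TABLE_ENTRY Entry, PVOID Context)
{
    PVOID body = HandleEntryObject(Entry);
    POBJECT_TYPE16299 type = (POBJECT_TYPE16299)ObGetObjectType(body);
    UNREFERENCED_PARAMETER(Context);
    if (type != NULL) {
        DbgPrint("handle_value:%d, handle_type:%wZ, handle_type_index:%x, object_body:%p\n", HandleValue, &type->Name, type->Index, body);
    }
    return TRUE;
}

/**
 * Print every entry of the system cid table via DbgPrint.
 *
 * @param PspCidTable  Address of the kernel's PspCidTable variable (a pointer
 *                     to a HANDLE_TABLE). NULL, or a NULL table, is a no-op.
 */
void EnumSystemHandles(ULONG64* PspCidTable)
{
    if (PspCidTable == NULL) {
        return;
    }
    PHANDLE_TABLE ht = (PHANDLE_TABLE)*PspCidTable;
    if (ht != NULL) {
        WalkHandleTable(ht, PrintCidEntry, NULL);
    }
}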
#endif // !F_HANDLE