Ring3句柄表的枚举

由于windows并没有给出枚举所有句柄所用到的API,要获得句柄,我们必须使用未公开的Native API才可以,使用如下函数:

NTSTATUS WINAPI NtQuerySystemInformation(
  _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,
  _Inout_   PVOID                    SystemInformation,
  _In_      ULONG                    SystemInformationLength,
  _Out_opt_ PULONG                   ReturnLength
);

枚举的关键是使用NtQuerySystemInformation,注意它的第一项,是我们查询枚举信息所想要做的class集合,如下,我们在这里使用的是 SystemHandleInformation(16),这很重要,

typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemMirrorMemoryInformation,
    SystemPerformanceTraceInformation,
    SystemObsolete0,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemVerifierAddDriverInformation,
    SystemVerifierRemoveDriverInformation,
    SystemProcessorIdleInformation,
    SystemLegacyDriverInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation,
    SystemTimeSlipNotification,
    SystemSessionCreate,
    SystemSessionDetach,
    SystemSessionInformation,
    SystemRangeStartInformation,
    SystemVerifierInformation,
    SystemVerifierThunkExtend,
    SystemSessionProcessInformation,
    SystemLoadGdiDriverInSystemSpace,
    SystemNumaProcessorMap,
    SystemPrefetcherInformation,
    SystemExtendedProcessInformation,
    SystemRecommendedSharedDataAlignment,
    SystemComPlusPackage,
    SystemNumaAvailableMemory,
    SystemProcessorPowerInformation,
    SystemEmulationBasicInformation,
    SystemEmulationProcessorInformation,
    SystemExtendedHandleInformation,
    SystemLostDelayedWriteInformation,
    SystemBigPoolInformation,
    SystemSessionPoolTagInformation,
    SystemSessionMappedViewInformation,
    SystemHotpatchInformation,
    SystemObjectSecurityMode,
    SystemWatchdogTimerHandler,
    SystemWatchdogTimerInformation,
    SystemLogicalProcessorInformation,
    SystemWow64SharedInformation,
    SystemRegisterFirmwareTableInformationHandler,
    SystemFirmwareTableInformation,
    SystemModuleInformationEx,
    SystemVerifierTriageInformation,
    SystemSuperfetchInformation,
    SystemMemoryListInformation,
    SystemFileCacheInformationEx,
    MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;

第17项(枚举值16)的SystemHandleInformation,这就是我们想要的东西,通过这个值传入NtQuerySystemInformation

然后我们利用ObjectTypeInformation ObjectNameInformation(下面是他们的结构体) 去枚举对象类型和对象名字,这样我们得到这三项做信息查询枚举,做小MFC可以知道句柄和对应的对象类型,对象名字,是一个很简答的查阅工具

typedef enum OBJECT_INFORMATION_CLASS
{
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectTypesInformation,
ObjectHandleFlagInformation,
ObjectSessionInformation,
MaxObjectInfoClass
}OBJECT_INFORMATION_CLASS;

当然我们这里为了在MFC显示要有自己的数据结构去得到这些值,然后压栈,显示等,这是我的结构体:

typedef
struct _USER_DATA_
{
HANDLE HandleValue;
uint32_t GrantedAccess = 0;//要求
uint32_t Flags = 0;
ULONG64 ObjectValue;

std::wstring ObjectTypeName;//类型
std::wstring ObjectName;//对象名字
SECTION_INFORMATION SectionInfo;
}USER_DATA, *PUSER_DATA;

接下来是枚举的代码过程:其中有注释

if ((ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID)) == NULL)
{
return Status;
}
if (__NtQuerySystemInformation==NULL||__NtDuplicateObject==NULL||__NtQueryObject==NULL||__NtQuerySection==NULL)
{
goto Exit;
}

BufferData = (uint8_t*)VirtualAlloc(NULL, BufferLength, MEM_COMMIT/*物理页属性*/, PAGE_READWRITE);
if (BufferData = NULL)
{
goto Exit;
}

Status = __NtQuerySystemInformation(SystemHandleInformation, BufferData, BufferLength, &ReturnLength);
//得到系统信息
while (Status == STATUS_INFO_LENGTH_MISMATCH)
{
BufferLength *= 2;
VirtualFree(BufferData, 0, MEM_RELEASE);
BufferData = (uint8_t*)VirtualAlloc(NULL, BufferLength, MEM_COMMIT, PAGE_READWRITE);
Status = __NtQuerySystemInformation(SystemHandleInformation, BufferData, BufferLength, &ReturnLength);
}
//列表获得句柄
SE_SYSTEM_EHT_INFORMATION_T* SystemEHTInfo = (SE_SYSTEM_EHT_INFORMATION_T*)BufferData;//模板定义记笔记
for (ULONG i = 0; i < SystemEHTInfo->ItemCount; i++)
{
if (SystemEHTInfo->Items[i].ProcessID != ProcessID)
{
continue;
}
//拷贝
Status = __NtDuplicateObject(ProcessHandle, reinterpret_cast<HANDLE>(SystemEHTInfo->Items[i].HandleValue/*获得句柄所以 这样*/),
GetCurrentProcess()/*给到当前*/, &DuplicatedHandle, 0, 0, DUPLICATE_SAME_ACCESS);//拷贝
if (!NT_SUCCESS(Status))
{
continue;
}
//还是结构体模板
//对象信息获得
ObjectTypeInfo = (OBJECT_TYPE_INFORMATION_T*)malloc(0x1000);
Status = __NtQueryObject(DuplicatedHandle, ObjectTypeInformation, ObjectTypeInfo, 0x1000, &ReturnLength);
if (!NT_SUCCESS(Status))
{
CloseHandle(DuplicateHandle);
continue;
}
ObjectNameInfo = malloc(0x1000);
Status = __NtQueryObject(DuplicatedHandle, ObjectNameInformation, ObjectNameInfo, 0x1000, &ReturnLength);
if (!NT_SUCCESS(Status))
{
if (Status==STATUS_INFO_LENGTH_MISMATCH)
{
ObjectNameInfo = realloc(ObjectNameInfo, ReturnLength);
Status = __NtQueryObject(DuplicatedHandle, ObjectNameInformation, ObjectNameInfo, ReturnLength/*这儿有点意思*/, &ReturnLength);
if (!NT_SUCCESS(Status))
{
goto Exit;
}
}
else
{
goto Exit;
}
}

ObjectName = *(_UNICODE_STRING_T<WCHAR*>*)ObjectNameInfo;
//赋值到用户上
v1.HandleValue = reinterpret_cast<HANDLE>(SystemEHTInfo->Items[i].HandleValue);
v1.GrantedAccess = SystemEHTInfo->Items[i].GrantedAccess;
v1.Flags = SystemEHTInfo->Items[i].Flags;
v1.ObjectValue = SystemEHTInfo->Items[i].ObjectValue;
//类型状态赋值
if (ObjectTypeInfo->ObjectTypeName.BufferLength)
v1.ObjectTypeName = (wchar_t*)ObjectTypeInfo->ObjectTypeName.BufferData;
if (ObjectName.BufferLength)
v1.ObjectName = ObjectName.BufferData;
if (_wcsicmp(v1.ObjectTypeName.c_str(), L"Section") == 0)
{
SECTION_BASIC_INFORMATION_T SectionBasicInfo = { 0 };
//结构提函数
Status = __NtQuerySection(DuplicatedHandle, SectionBasicInformation, &SectionBasicInfo,
(ULONG)sizeof(SectionBasicInfo), NULL);
if (NT_SUCCESS(Status))
{

v1.SectionInfo.SectionSize = SectionBasicInfo.SectionSize/*T*/.QuadPart;
v1.SectionInfo.SectionAttributes = SectionBasicInfo.Attributes;
}
}
ProcessHandleInfo.push_back(v1);

原文地址:https://www.cnblogs.com/L-Sunny/p/8352752.html

时间: 2024-10-17 17:37:33

Ring3句柄表的枚举的相关文章

Windbg调试(关于句柄表的获取,32位)

今天利用Windbg(x86)进行了获得句柄表的调试,从中获益良多,对调试步骤和按键又一次进行了熟悉,对于句柄表页的概念更是得到了进一步的清晰认识.windbg调试和句柄表不熟悉的朋友可以借鉴我的调试步骤l来熟悉句柄表基础知识, 调试步骤和获取部分如下. 3: kd> dt _EProcess 891ad030 nt!_EPROCESS +0x0f4 ObjectTable : 0x9eca0ef0 _HANDLE_TABLE3: kd> dt _HANDLE_TABLE 0x9eca0ef0

扫描系统句柄表(WIN7 x86)(附录源码)

PspCidTable存放着系统中所有的进程和线程对象,其索引也就是进程ID(PID)或线程ID(TID).先通过它来看看windbg里的HANDLE_TABLE结构: 可以看到地址 0x83f41bc4中存放的内容是 0x 8da010a8,这是系统的_HANDLE_TABLE的结构. 好了,现在windbg是得到HANDLE_TABLE结构了,还是要代码实现的.这里只简单用一下加偏移: //system进程的eprocess地址 PEPROCESS EProcess = (PEPROCESS

[转载]关于句柄表的一些文章

文章链接: 1> Windows内核情景分析 3.4.1 Windows 进程的句柄表 2> Windows 句柄表格式 3> Windows句柄表分配算法分析 4> 浅谈Windows句柄表 5> 句柄啊,3层表啊,ExpLookupHandleTableEntry啊... 5楼 -------------------------------------------------------------------------------------------- <E

句柄表

kd> dt_handle_Table e1931a40nt!_HANDLE_TABLE   +0x000 TableCode        : 0xe2016000   +0x004 QuotaProcess     : 0x86335020 _EPROCESS   +0x008 UniqueProcessId  : 0x00000700 Void   +0x00c HandleTableLock  : [4] _EX_PUSH_LOCK   +0x01c HandleTableList  :

句柄表(私有句柄表)

 Windows内核分析索引目录:https://www.cnblogs.com/onetrainee/p/11675224.html 句柄表(私有句柄表) 我们在R3环编程中,会接触到句柄HANDLE的概念. 比如OPENPROCESS,打开进程获取其进程句柄,这些被称为“内核句柄”. 注意,与GUI图形界面不同,那些 画刷句柄 被称为“用户句柄”,不在我们讨论范围之列. 一. 句柄表的基本概念 句柄表分为私有私有句柄表和全局句柄表,我们这一节只讨论私有句柄表. 每一个进程都有自己的私有句柄表

全局句柄表

 Windows内核分析索引目录:https://www.cnblogs.com/onetrainee/p/11675224.html 全局句柄表 在这前有一篇中我们介绍过私有句柄表. 对于私有句柄表,每个进程有一份. 全局句柄表,就一份,其所有句柄都存储在这张表中,由操作系统维护. 全局句柄表有一个好处,无论私有句柄表中再怎么隐藏,全局句柄表必须有一份,否则会造成程序的不稳定. 一.全局句柄表与私有句柄表的不同 1. 搜索位置 私有句柄表地址是在该进程的 _KPROCESS+0xc4 _HAN

零基础逆向工程39_Win32_13_进程创建_句柄表_挂起方式创建进程

1 进程的创建过程 打开系统 --> 双击要运行的程序 --> EXE开始执行 步骤一: 当系统启动后,创建一个进程:Explorer.exe(也就是桌面进程) 步骤二: 当用户双击某一个EXE时,Explorer 进程使用CreateProcess函数创建被双击的EXE,也就是说,我们在桌面上双 击创建的进程都是Explorer进程的子进程. CreateProcess BOOL CreateProcess( LPCTSTR lpApplicationName, // name of exe

2017Facebook面试题改编“一面砖墙 ”—— 通过使用哈希表进行枚举优化

题目:一面砖墙 这道题改编自网上Facebook去年的一道面试题,是hihoCoder的1494题(https://hihocoder.com/problemset/problem/1494) 这道题猛一看好像没有什么思路,枚举起来感觉挺麻烦的.为了描述方便,我们在水平方向建立一个X轴,X=0的位置设成这面墙的左边缘.X轴的长度单位与砖的长度单位保持一致: 这样对于每一个砖和砖之间交界的缝隙,都有一个X坐标.比如第一层天蓝色的缝隙,X坐标就是6,深蓝色的缝隙坐标就是10:第二层红色的缝隙坐标是8

PsLookupProcessByProcessId分析

本文是在讨论枚举进程的时候产生的,枚举进程有很多方法,Ring3就是ZwQuerySystemInformation(),传入SysProcessesAndThreadsInformation这个宏,或者用CreateToolhelp32Snapshot系统快照的方式枚举进程,还用就是用WTSOpenServer这个第三方库的函数,Ring0就是进程活动链表,系统句柄表中枚举.然后就是PsLookupProcessByProcessId了. NrOpenProcess -> PsProcessB