余辉脉脉 发表于 2017-6-3 11:06:51

驱动遍历句柄表


A kernel driver that walks a process's handle table, with the disassembly of the second approach attached; it also notes the kernel code paths an interceptor would have to hook, for example to present a forged handle table.
Because it relies on hard-coded offsets and addresses (EPROCESS+0xC4 for ObjectTable, the ExEnumHandleTable address derived from the SSDT base), this code is not portable: everything was done in a Windows XP SP3 virtual machine, and loading it on any other kernel build would read the wrong offsets and call an arbitrary ring-0 address.
#include "ntddk.h"
/*
 * EX_PUSH_LOCK - mirror of the kernel's push-lock word: one ULONG_PTR whose
 * low four bits are flags and whose remaining bits count shared acquires
 * (EX_PUSH_LOCK_SHARE_INC is the unit).
 *
 * Nothing in this listing reads or writes a push lock; the type exists only
 * so HANDLE_TABLE below can reserve a member of the right size at its
 * HandleLock offset.
 *
 * NOTE(review): the #defines written inside the struct body are NOT scoped to
 * it -- the preprocessor ignores C scopes -- so EX_PUSH_LOCK_* are ordinary
 * file-wide macros.
 */
typedef struct _EX_PUSH_LOCK {
//
// LOCK bit is set for both exclusive and shared acquires
//
#define EX_PUSH_LOCK_LOCK_V ((ULONG_PTR)0x0)
#define EX_PUSH_LOCK_LOCK ((ULONG_PTR)0x1)
//
// Waiting bit designates that the pointer has chained waiters
//
#define EX_PUSH_LOCK_WAITING ((ULONG_PTR)0x2)
//
// Waking bit designates that we are either traversing the list
// to wake threads or optimizing the list
//
#define EX_PUSH_LOCK_WAKING ((ULONG_PTR)0x4)
//
// Set if the lock is held shared by multiple owners and there are waiters
//
#define EX_PUSH_LOCK_MULTIPLE_SHARED ((ULONG_PTR)0x8)
//
// Total shared Acquires are incremented using this
//
#define EX_PUSH_LOCK_SHARE_INC ((ULONG_PTR)0x10)
#define EX_PUSH_LOCK_PTR_BITS ((ULONG_PTR)0xf)
union {
struct {
ULONG_PTR Locked : 1;
ULONG_PTR Waiting : 1;
ULONG_PTR Waking : 1;
ULONG_PTR MultipleShared : 1;
ULONG_PTR Shared : sizeof (ULONG_PTR) * 8 - 4; // 28 bits on x86: the shared-acquire count
};
ULONG_PTR Value; // the whole word, for atomic compare/exchange style access
PVOID Ptr;       // same word viewed as a pointer (waiter chain when EX_PUSH_LOCK_WAITING is set)
};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
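/*
 * HANDLE_TABLE - placeholder for the kernel's _HANDLE_TABLE.
 *
 * This driver never reads a field through this type: the pointer fetched from
 * EPROCESS.ObjectTable is handed straight to ExEnumHandleTable and printed.
 * The layout below is only a placeholder and does NOT match the XP kernel's
 * real structure -- the kernel's own ExpLookupHandleTableEntry bounds-checks
 * a handle against HANDLE_TABLE+0x38 (see the disassembly reproduced in
 * EnumHndleTable), which lies past the 0x30 bytes declared here.  Treat the
 * type as opaque; never dereference a member through this definition.
 *
 * Fix vs. the posted listing: the forum stripped the whitespace between type
 * and member names (`ULONGTableCode;`), which does not compile.
 */
typedef struct _HANDLE_TABLE {
	ULONG        TableCode;
	ULONG        QuotaProcess;
	ULONG        UniqueProcessId;
	EX_PUSH_LOCK HandleLock;
	ULONG        DebugInfo;
	int          ExtraInfoPages;
	ULONG        Flags;
	ULONG        FirstFreeHandle;
	ULONG        LastFreeHandleEntry;
	ULONG        HandleCount;
	ULONG        NextHandleNeedingPool;
	ULONG        HandleCountHighWatermark;
} HANDLE_TABLE, *PHANDLE_TABLE;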
/* Hand-written prototype for the kernel export used by EnumHndleTable
   (presumably the author's ntddk.h does not declare it; the WDK puts it in
   ntifs.h).  It names no calling convention, so it is only correct because
   the x86 driver build defaults to stdcall (/Gz).
   NOTE(review): per the DDK documentation the EPROCESS returned in *Process
   is referenced and must be released by the caller with ObDereferenceObject. */
NTSTATUS PsLookupProcessByProcessId(
HANDLE ProcessId,
PEPROCESS *Process
);
/* KeServiceDescriptorTable as exported by the x86 kernel: four 32-bit members
   packed at offsets 0/4/8/0xC (conventionally the SSDT base, its counter
   table, the service count and the argument-size table).  The only member
   this listing touches is ServiceTableBase.
   NOTE(review): ServiceTableBase is `unsigned int *`, so pointer arithmetic
   on it advances in 4-byte units -- the posted EnumHndleTable computes
   `ServiceTableBase + 0xB82`, i.e. 0x2E08 bytes past the table, not 0xB82. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#pragma pack()
// XP: every kernel instruction that touches EPROCESS.DebugPort (+0xBC, see the
// `dt _EPROCESS` dump in EnumHndleTable).  Moving or hiding the debug port
// (a "MOVE DEBUGPORT" style trick) has to account for each of these reads and
// for the write listed at the end.  Operands were reconstructed from the opcode
// bytes: the forum copy dropped the bracketed [reg+0BCh] operands.
/**
8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
8065c015 83a7bc00000000 and dword ptr [edi+0BCh],0
8065af6f 39bebc000000 cmp dword ptr [esi+0BCh],edi
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
8057c1b2 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065c64c 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
805833d5 83bbbc00000000 cmp dword ptr [ebx+0BCh],0
8057c1b2 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065c6cb 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
80582dc0 8dbebc000000 lea edi,[esi+0BCh]
80581cb9 399ebc000000 cmp dword ptr [esi+0BCh],ebx
805826d0 81c6bc000000 add esi,0BCh
8058fa53 399ebc000000 cmp dword ptr [esi+0BCh],ebx
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e63a 83b9bc00000000 cmp dword ptr [ecx+0BCh],0
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065bfed 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
8065af6f 39bebc000000 cmp dword ptr [esi+0BCh],edi
8058fa53 399ebc000000 cmp dword ptr [esi+0BCh],ebx
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
805040dd 39b8bc000000 cmp dword ptr [eax+0BCh],edi
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
80588e2e 8b81bc000000 mov eax,dword ptr [ecx+0BCh]
Below is the write (the author's marker; note that `and dword ptr [edi+0BCh],0` at 8065c015 above also stores to the field):
8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
*/
// XP: every kernel instruction that reads EPROCESS.ObjectTable (+0xC4, see the
// `dt _EPROCESS` dump in EnumHndleTable).  Anything that hides handles by
// presenting a forged handle table would have to cover each of these reads.
// Operands were reconstructed from the opcode bytes: the forum copy dropped
// the bracketed [reg+0C4h] operands.
/**
80572741 8bbec4000000 mov edi,dword ptr [esi+0C4h]
80565f1e 8b80c4000000 mov eax,dword ptr [eax+0C4h]
80565c0d 8b80c4000000 mov eax,dword ptr [eax+0C4h]
8056e346 8b80c4000000 mov eax,dword ptr [eax+0C4h]
80568881 8bbbc4000000 mov edi,dword ptr [ebx+0C4h]
80565c0d 8b80c4000000 mov eax,dword ptr [eax+0C4h]
805677b6 8b89c4000000 mov ecx,dword ptr [ecx+0C4h]
Handle table accesses.*/
/*
 * HANDLE_TABLE_ENTRY_INFO - optional per-handle side data reachable through
 * HANDLE_TABLE_ENTRY.InfoTable.  This driver never dereferences it; the type
 * exists so that union member has something to point at.
 */
typedef struct _HANDLE_TABLE_ENTRY_INFO {

//
// The following field contains the audit mask for the handle if one
// exists. The purpose of the audit mask is to record all of the accesses
// that may have been audited when the handle was opened in order to
// support "per operation" based auditing. It is computed by walking the
// SACL of the object being opened and keeping a record of all of the audit
// ACEs that apply to the open operation going on. Each set bit corresponds
// to an access that would be audited. As each operation takes place, its
// corresponding access bit is removed from this mask.
//
ACCESS_MASK AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
/*
 * HANDLE_TABLE_ENTRY - one 8-byte slot of the XP handle table.  The kernel's
 * ExpLookupHandleTableEntry indexes a level-0 table with
 * `lea eax,[esi+eax*8]` (see the disassembly in EnumHndleTable), and
 * ExEnumHandleTable does not report an entry whose first dword is 0.  This is
 * the type EnumCALLback receives.
 *
 * NOTE(review): Object is not a clean pointer.  As the comment below says,
 * the low three bits carry OB attribute flags and the top bit the lock
 * state, so mask with ~7 (and mind the top bit) before treating Value as an
 * address.  What it then points at is presumably an OBJECT_HEADER rather
 * than the object body -- verify against the target build before adding any
 * offset to it.
 */
typedef struct _HANDLE_TABLE_ENTRY {
//
// The pointer to the object overloaded with three ob attributes bits in
// the lower order and the high bit to denote locked or unlocked entries
//
union {
PVOID Object;
ULONG ObAttributes;
PHANDLE_TABLE_ENTRY_INFO InfoTable;
ULONG_PTR Value;
};
//
// This field either contains the granted access mask for the handle or an
// ob variation that also stores the same information. Or in the case of
// a free entry the field stores the index for the next free entry in the
// free list. This is like a FAT chain, and is used instead of pointers
// to make table duplication easier, because the entries can just be
// copied without needing to modify pointers.
//
union {
union {
ACCESS_MASK GrantedAccess;
struct {
USHORT GrantedAccessIndex;
USHORT CreatorBackTraceIndex;
};
};
LONG NextFreeTableEntry;
};
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
/* Callback signature for ExEnumHandleTable: called with each reported entry,
   its handle value and the caller's EnumParameter.  Per the author's note on
   EnumCALLback, returning TRUE stops the walk and FALSE continues it. */
typedef BOOLEAN (__stdcall *EX_ENUMERATE_HANDLE_ROUTINE)(
IN PHANDLE_TABLE_ENTRY HandleTableEntry,
IN HANDLE Handle,
IN PVOID EnumParameter
);
/* nt!ExEnumHandleTable as it exists on XP: four arguments (the author notes
   Win7 added a fifth).  The kernel routine returns with `ret 10h` (see the
   disassembly in EnumHndleTable), i.e. it is __stdcall and pops its 16 bytes
   of arguments itself.  This typedef names no calling convention, so it is
   only right when the build defaults to stdcall (x86 WDK /Gz); a cdecl caller
   would pop the arguments a second time and unbalance the stack.
   NOTE(review): spell out __stdcall here rather than rely on the default. */
typedef BOOLEAN
(* ExEnumHandleTable) (
__in PHANDLE_TABLE HandleTable,
__in EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
__in PVOID EnumParameter,
__out_opt PHANDLE Handle
);
/* Filled in by EnumHndleTable at run time; 0 until then. */
ExEnumHandleTable XExEnumHandleTable=0;
// 335 is NtCreateTimer (author's note: the anchor used by the signature search in the posted EnumHndleTable; whether 335 is an SSDT index or a byte offset is not stated)
/*
 * PageProtectOff - mask interrupts on this CPU and clear CR0.WP (bit 16) so
 * ring-0 code can write to read-only pages -- the usual prelude to patching
 * the SSDT.  Not called anywhere in this listing.
 *
 * NOTE(review): `cli` and the CR0 change affect only the CPU this runs on.
 * On an MP system every other processor keeps WP set and keeps executing, so
 * a patch made under this is neither atomic nor hidden from them.  It also
 * masks interrupts without raising IRQL, so the kernel's IRQL bookkeeping no
 * longer matches reality while the window is open; any page fault or
 * blocking call before PageProtectOn() is fatal.  Writing through an MDL
 * mapping of the target page is the supportable alternative.
 */
void PageProtectOff()
{
__asm{
cli                 // interrupts off on this CPU only
mov eax,cr0
and eax,not 10000h  // clear WP
mov cr0,eax
}
}
/*
 * PageProtectOn - counterpart of PageProtectOff: set CR0.WP again and
 * re-enable interrupts on this CPU.  Must run on the same processor as the
 * matching PageProtectOff.  Not called anywhere in this listing.
 *
 * NOTE(review): the `sti` is unconditional -- it does not restore the
 * previous interrupt state, so calling this when interrupts were already off
 * for another reason re-enables them.
 */
void PageProtectOn()
{
__asm{
mov eax,cr0
or eax,10000h   // set WP
mov cr0,eax
sti             // interrupts back on, regardless of prior state
}
}
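/* GetAddress scan parameters. */
#define GETADDRESS_SIG_LEN  5       /* bytes of Signature that must match */
#define GETADDRESS_SCAN_LEN 0x3000  /* bytes searched past uAddress       */

/*
 * GetAddress - scan forward from uAddress for a 5-byte signature and return
 * an address derived from the first match.
 *
 * uAddress   kernel virtual address to start from; 0 yields 0.
 * Signature  the 5 bytes expected at p[0..4] for a match at p.
 * flag       selects the result for a match at p:
 *              0  target of the rel32 CALL/JMP whose opcode byte is p[4]:
 *                 (p+4) + 5 + *(ULONG*)(p+5)
 *              1  the 32-bit immediate at p+5 (an absolute operand)
 *              2  the address p+4
 *              3  the address p+5
 *              4  the address p
 *              anything else: 0 (the first match still ends the scan)
 *
 * Returns 0 if nothing matches within GETADDRESS_SCAN_LEN bytes, if uAddress
 * is 0 or Signature is NULL, if flag is unknown, or if the immediate a
 * flag-0/1 result needs is not mapped.
 *
 * Fixes vs. the posted listing:
 *  - it compared every byte against the Signature *pointer* rather than
 *    Signature[i], so no real pattern could ever match (the author's own
 *    note says the search did not work);
 *  - it dereferenced the whole 0x3000-byte window unconditionally; an
 *    unmapped page inside that window would bugcheck.  MmIsAddressValid is
 *    only a best-effort guard (a page can go away after the check), but the
 *    kernel image this scans is non-paged, so it is adequate here.
 */
ULONG GetAddress(ULONG uAddress,UCHAR *Signature,int flag)
{
	UCHAR *p;
	UCHAR *end;
	int i;

	if (uAddress == 0 || Signature == NULL) {
		return 0;
	}
	p = (UCHAR *)uAddress;
	end = p + GETADDRESS_SCAN_LEN;

	for (; p < end; p++) {
		/* Both ends of the 5-byte compare window must be mapped. */
		if (!MmIsAddressValid(p) ||
		    !MmIsAddressValid(p + GETADDRESS_SIG_LEN - 1)) {
			continue;
		}
		for (i = 0; i < GETADDRESS_SIG_LEN; i++) {
			if (p[i] != Signature[i]) {
				break;
			}
		}
		if (i != GETADDRESS_SIG_LEN) {
			continue;
		}
		/* Flags 0 and 1 also read the dword at p+5..p+8. */
		if ((flag == 0 || flag == 1) &&
		    !MmIsAddressValid(p + GETADDRESS_SIG_LEN + sizeof(ULONG) - 1)) {
			return 0;
		}
		switch (flag) {
		case 0:
			return (ULONG)(p + 4) + *(ULONG *)(p + 5) + 5;
		case 1:
			return *(ULONG *)(p + 5);
		case 2:
			return (ULONG)(p + 4);
		case 3:
			return (ULONG)(p + 5);
		case 4:
			return (ULONG)p;
		default:
			return 0;
		}
	}
	return 0;
}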
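/*
 * EnumCALLback - ExEnumHandleTable callback: log one handle table entry.
 *
 * HandleTableEntry  the entry being visited.  On XP its first word is
 *                   overloaded: the low three bits carry OB attribute flags
 *                   and the top bit the lock state (see HANDLE_TABLE_ENTRY),
 *                   so the raw value is not a usable pointer.
 * Handle            the handle value the entry corresponds to.
 * EnumParameter     the opaque pointer given to ExEnumHandleTable; this
 *                   driver passes NULL and ignores it.
 *
 * Returns FALSE so the walk continues; TRUE would stop it (per the author's
 * note -- the kernel's contract for the return value is not shown here).
 *
 * Fix vs. the posted listing: it printed the raw Object word, attribute and
 * lock bits included, under the label "handle".  The handle value and the
 * masked address are now logged separately, with a trailing newline so
 * consecutive entries do not run together in the debugger output.
 */
BOOLEAN __stdcall EnumCALLback(
	IN PHANDLE_TABLE_ENTRY HandleTableEntry,
	IN HANDLE Handle,
	IN PVOID EnumParameter
){
	ULONG_PTR raw;

	UNREFERENCED_PARAMETER(EnumParameter);
	if (HandleTableEntry == NULL) {
		return FALSE;
	}
	raw = HandleTableEntry->Value;
	/* Strip the three attribute bits; what remains is the kernel address the
	   entry refers to.  NOTE(review): if the entry is observed in its locked
	   state the top bit will also differ -- confirm on the target build. */
	KdPrint(("OBJECT-->>>handle: %X object: %X attrs: %X\n",
		(ULONG)(ULONG_PTR)Handle,
		(ULONG)(raw & ~(ULONG_PTR)7),
		(ULONG)(raw & 7)));
	return FALSE;
}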
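/* Offsets and constants specific to the author's Windows XP SP3 build.  They
   come from the `dt _EPROCESS` excerpt below and are valid for nothing else. */
#define XP_SP3_EPROCESS_OBJECTTABLE_OFFSET 0xC4
/* Process id the author was inspecting; a PID from that VM session. */
#define ENUM_TARGET_PID 1168

/* Excerpt of `dt 81a22d50 _EPROCESS` on the author's XP SP3 VM; only the
   fields this file refers to are kept:
     +0x084 UniqueProcessId : 0x000001d0 Void
     +0x0bc DebugPort       : (null)
     +0x0c4 ObjectTable     : 0xe1acc610 _HANDLE_TABLE
     +0x174 ImageFileName   : "x.exe"
*/

/* nt!ExEnumHandleTable / nt!ExpLookupHandleTableEntry on the same build,
   abridged.  Operands were reconstructed from the opcode bytes; the forum
   copy lost the bracketed operands.
     805a0171 64a124010000 mov  eax,dword ptr fs:[124h]  ; current KTHREAD (-> edi)
     805a0183 ff8fd4000000 dec  dword ptr [edi+0D4h]     ; KTHREAD+0xD4 lowered for the walk (presumably KernelApcDisable -- verify)
     805a018d e8af59fcff   call nt!ExpLookupHandleTableEntry (80565b41)
     805a0199 833e00       cmp  dword ptr [esi],0        ; entry whose first dword is 0 is not reported
     805a01a2 8345f804     add  dword ptr [ebp-8],4      ; handle value advances by 4
     805a01b8 ff87d4000000 inc  dword ptr [edi+0D4h]
     805a01d1 c21000       ret  10h                      ; __stdcall, four DWORD args (XP)
   nt!ExpLookupHandleTableEntry:
     80565b46 83650cfc     and  dword ptr [ebp+0Ch],0FFFFFFFCh ; drop the two tag bits of the handle
     80565b53 c1e802       shr  eax,2                    ; handle -> entry index
     80565b56 3b5138       cmp  edx,dword ptr [ecx+38h]  ; bounds check against HANDLE_TABLE+0x38
     80565b60 8b31         mov  esi,dword ptr [ecx]      ; TableCode
     80565b64 83e103       and  ecx,3                    ; low two bits = table level
     80565b73 8d04c6       lea  eax,[esi+eax*8]          ; level 0: 8-byte entries
   Two consequences for the caller: (1) the routine is stdcall, so the pointer
   it is called through must say so; (2) the kernel reads HANDLE_TABLE+0x38,
   beyond the HANDLE_TABLE this file declares, so that struct must stay opaque.
*/

/* Correctly-typed view of nt!ExEnumHandleTable.  The file-level
   ExEnumHandleTable typedef carries no calling convention and relies on the
   x86 WDK's /Gz default; calling through this type is right either way. */
typedef BOOLEAN (__stdcall *EX_ENUM_HANDLE_TABLE_FN)(
	PHANDLE_TABLE HandleTable,
	EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
	PVOID EnumParameter,
	PHANDLE Handle
	);

/*
 * ResolveExEnumHandleTable - find nt!ExEnumHandleTable.
 *
 * Returns the routine, or NULL if the running kernel does not export it.
 *
 * The posted listing computed `KeServiceDescriptorTable.ServiceTableBase +
 * 0xB82` (unsigned int* arithmetic: 0xB82 entries == 0x2E08 bytes past the
 * SSDT) and called the result.  The author had first tried
 * GetAddress(ServiceTableBase + 0xB73 + 0xE, {90 90 90 90 8B}, 2), anchored
 * near NtCreateTimer, found the search broken and hard-coded the address.
 * Either way the value is tied to one ntoskrnl build; on any other kernel it
 * is an arbitrary ring-0 call.  ExEnumHandleTable is in ntoskrnl's export
 * table (undocumented), so ask the loader for it and, if that fails, do
 * nothing rather than guess.
 */
static EX_ENUM_HANDLE_TABLE_FN ResolveExEnumHandleTable(void)
{
	UNICODE_STRING routineName;

	RtlInitUnicodeString(&routineName, L"ExEnumHandleTable");
	return (EX_ENUM_HANDLE_TABLE_FN)MmGetSystemRoutineAddress(&routineName);
}

/*
 * EnumProcessHandleTable - log every handle in one process's handle table.
 *
 * Pid  process id to inspect.
 *
 * Resolves ExEnumHandleTable, references the EPROCESS, reads its ObjectTable
 * pointer at the XP SP3 offset and lets the kernel walk the table, calling
 * EnumCALLback for each entry.  Runs at PASSIVE_LEVEL (called from
 * DriverEntry).  Every step that can fail logs and returns.
 *
 * Fixes vs. the posted listing:
 *  - `eProcess=+0xc4;` set eProcess to 0xC4 instead of adding 0xC4, so the
 *    next line dereferenced address 0xC4 (unmapped -> bugcheck);
 *  - the reference PsLookupProcessByProcessId takes on the EPROCESS was never
 *    dropped, leaking the process object on every call;
 *  - a NULL ObjectTable (exiting process) was handed to the kernel unchecked;
 *  - the second log line claimed to print ExEnumHandleTable's address but
 *    printed the handle table's.
 */
static void EnumProcessHandleTable(HANDLE Pid)
{
	EX_ENUM_HANDLE_TABLE_FN enumerate;
	PEPROCESS process = NULL;
	PHANDLE_TABLE objectTable;
	HANDLE stoppedAt = NULL;
	NTSTATUS status;

	enumerate = ResolveExEnumHandleTable();
	/* Keep the file-level global in step for any other user of it. */
	XExEnumHandleTable = (ExEnumHandleTable)enumerate;
	KdPrint(("ExEnumHandleTable--->>>Address: %X", (ULONG)enumerate));
	if (enumerate == NULL) {
		return;
	}

	status = PsLookupProcessByProcessId(Pid, &process);
	if (!NT_SUCCESS(status)) {
		KdPrint(("PsLookupProcessByProcessId(%X) failed: %08X", (ULONG)Pid, status));
		return;
	}

	/* EPROCESS.ObjectTable on this build only (see the dt excerpt above). */
	objectTable = *(PHANDLE_TABLE *)((PUCHAR)process + XP_SP3_EPROCESS_OBJECTTABLE_OFFSET);
	KdPrint(("ObjectTable--->>>Address: %X", (ULONG)objectTable));
	if (objectTable != NULL) {
		/* stoppedAt receives the handle at which the callback returned
		   TRUE; EnumCALLback never does, so the result is not inspected. */
		enumerate(objectTable, EnumCALLback, NULL, &stoppedAt);
	}

	/* Release the reference PsLookupProcessByProcessId gave us. */
	ObDereferenceObject(process);
}

/*
 * EnumHndleTable - entry point kept for DriverEntry: walk the handle table of
 * the hard-coded process ENUM_TARGET_PID (1168 on the author's VM).
 */
void EnumHndleTable(){
	EnumProcessHandleTable((HANDLE)ENUM_TARGET_PID);
}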
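/*
 * DriverUnolad - DriverUnload routine (name kept as posted; DriverEntry
 * refers to it).  There is nothing to release: DriverEntry creates no device
 * object, symbolic link or allocation, and the handle-table walk has already
 * finished by the time the driver can be unloaded.
 *
 * obj  the driver object; unused (the macro keeps /W4 quiet about it).
 */
void DriverUnolad(PDRIVER_OBJECT obj){
	UNREFERENCED_PARAMETER(obj);
}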
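/*
 * DriverEntry - load-time entry point.
 *
 * obj     the driver object; only DriverUnload is set on it.
 * regmsg  registry path of the service key; unused.
 *
 * Registers the unload routine first, then runs the one-shot handle-table
 * walk at PASSIVE_LEVEL.  Always returns STATUS_SUCCESS, so the driver can be
 * unloaded normally whether or not the walk did anything.  No device object
 * is created, so user mode has no way to talk to the driver once loaded.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj,PUNICODE_STRING regmsg){
	UNREFERENCED_PARAMETER(regmsg);

	obj->DriverUnload=DriverUnolad;
	EnumHndleTable();
	return STATUS_SUCCESS;
}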