抱歉,您的浏览器无法访问本站
本页面需要浏览器支持(启用)JavaScript
了解详情 >

Windows内核-全局句柄表

Windows内核

发布于:2024年11月21日

全局句柄表

知识点

句柄的种类

全局句柄表: 进程、线程句柄;

私有句柄表: 进程私有的;

窗口句柄

ObTypeIndexTable: 对象类型数组
_OBJECT_TYPE: 对象类型 类型
_HANDLE_TABLE: 句柄表类型

如何通过进程ID在句柄表中找到进程对象

通过OpenPorcess中的参数进程ID(pid, 唯一编号), 通过pid去全局句柄表中找到对应的进程对象, 然后把进程对象插入到进程的私有句柄表中, 从而返回一个索引号交给三环, 这就是句柄了;

进程和线程存在一张表中, 无论进程还是线程中的id都是全局句柄表中的索引号;

句柄表的地址不完全是一个地址; 当地址的尾数为0时代表它就是一张表, 默认大小为4096, 每一项为8个字节, 共能存储512项; 当地址尾数为1时代表它是一个目录, 其中共1024项, 每一项指向一张表; 当地址的尾数为2时新创建的表中每一项指向一个目录;

PspCidTable不导出, 可通过IDA进行定位;

查找Dbgview进程句柄

Dbgview进程ID为600, 在任务管理器中看到的是十进制;

第一次查找(行不通)

  • 600 / 4 = 150 => 150 / 512 = 0(代表在第一张表中);
  • 600 % 512 = 88(在表中的索引号);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
kd> x nt!Psp*cid*
83fa0d94          nt!PspCidTable = <no type information>
kd> dd PspCidTable
83fa0d94  89201080 00000000 80000020 00000101
83fa0da4  800002ac 80000024 00000000 00000000
83fa0db4  00000000 00000000 00000000 00000113
83fa0dc4  00000000 00000000 83f4e8a4 00000000
83fa0dd4  00000000 00000000 00000000 00000008
83fa0de4  00000000 83fa0de8 83fa0de8 00000000
83fa0df4  00000000 00000000 00000000 00000000
83fa0e04  00000000 807c8c28 807c4c28 00000000
kd> dt _HANDLE_TABLE 89201080
ntdll!_HANDLE_TABLE
   +0x000 TableCode        : 0x984fb001     // 代表有两层
   +0x004 QuotaProcess     : (null)         // 全局句柄表为null, 私有句柄表表示哪个进程
   +0x008 UniqueProcessId  : (null)         // 全局句柄表为null, 私有句柄表表示哪个进程id
   +0x00c HandleLock       : _EX_PUSH_LOCK
   +0x010 HandleTableList  : _LIST_ENTRY [ 0x89201090 - 0x89201090 ]
   +0x018 HandleContentionEvent : _EX_PUSH_LOCK
   +0x01c DebugInfo        : (null) 
   +0x020 ExtraInfoPages   : 0n0
   +0x024 Flags            : 1
   +0x024 StrictFIFO       : 0y1
   +0x028 FirstFreeHandle  : 0x324
   +0x02c LastFreeHandleEntry : 0x89204220 _HANDLE_TABLE_ENTRY
   +0x030 HandleCount      : 0x269
   +0x034 NextHandleNeedingPool : 0x1000
   +0x038 HandleCountHighWatermark : 0x2b0
kd> dd 0x984fb000     // 取尾数为0这张表
ReadVirtual: 984fb000 not properly sign extended
984fb000  89204000 984fc000 00000000 00000000
984fb010  00000000 00000000 00000000 00000000
984fb020  00000000 00000000 00000000 00000000
984fb030  00000000 00000000 00000000 00000000
984fb040  00000000 00000000 00000000 00000000
984fb050  00000000 00000000 00000000 00000000
984fb060  00000000 00000000 00000000 00000000
984fb070  00000000 00000000 00000000 00000000

第二次查找

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
kd> dd PspCidTable
83fa0d94  89201080 00000000 80000020 00000101
83fa0da4  800002ac 80000024 00000000 00000000
83fa0db4  00000000 00000000 00000000 00000113
83fa0dc4  00000000 00000000 83f4e8a4 00000000
83fa0dd4  00000000 00000000 00000000 00000008
83fa0de4  00000000 83fa0de8 83fa0de8 00000000
83fa0df4  00000000 00000000 00000000 00000000
83fa0e04  00000000 807c8c28 807c4c28 00000000
kd> dt _HANDLE_TABLE 89201080
ntdll!_HANDLE_TABLE
   +0x000 TableCode        : 0x984fb001
   +0x004 QuotaProcess     : (null) 
   +0x008 UniqueProcessId  : (null) 
   +0x00c HandleLock       : _EX_PUSH_LOCK
   +0x010 HandleTableList  : _LIST_ENTRY [ 0x89201090 - 0x89201090 ]
   +0x018 HandleContentionEvent : _EX_PUSH_LOCK
   +0x01c DebugInfo        : (null) 
   +0x020 ExtraInfoPages   : 0n0
   +0x024 Flags            : 1
   +0x024 StrictFIFO       : 0y1
   +0x028 FirstFreeHandle  : 0xa78
   +0x02c LastFreeHandleEntry : 0x984fca70 _HANDLE_TABLE_ENTRY
   +0x030 HandleCount      : 0x27b
   +0x034 NextHandleNeedingPool : 0x1000
   +0x038 HandleCountHighWatermark : 0x2b0
kd> dq 984fb000+0x3D0*8
984fce80  00000000`85d0e939 00000000`85dd09f1
984fce90  00000d1c`00000000 00000f48`00000000
984fcea0  00000bb8`00000000 00000ff0`00000000
984fceb0  00000000`86b7a359 00000d30`00000000
984fcec0  00000d18`00000000 00000000`86cd2631
984fced0  00000720`00000000 00000000`86fb3331
984fcee0  00000000`86d0e561 00000730`00000000
984fcef0  00000adc`00000000 00000120`00000000
kd> dt _EPROCESS 00000000`85d0e939
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK
   +0x0a0 CreateTime       : _LARGE_INTEGER 0x0001db40`e097dfa6
   +0x0a8 ExitTime         : _LARGE_INTEGER 0x0
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF
   +0x0b4 UniqueProcessId  : 0x7000000f Void
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY [ 0x7883fa0d - 0xdc860192 ]
   +0x0c0 ProcessQuotaUsage : [2] 0x4c000016
   +0x0c8 ProcessQuotaPeak : [2] 0x64000018
   +0x0d0 CommitCharge     : 0x40000001
   +0x0d4 QuotaBlock       : 0x0086a700 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock    : (null) 
   +0x0dc PeakVirtualSize  : 0x559a0
   +0x0e0 VirtualSize      : 0x10055800
   +0x0e4 SessionProcessLinks : _LIST_ENTRY [ 0x8c8d64a0 - 0x85dde8 ]
   +0x0ec DebugPort        : 0xb0000000 Void
   +0x0f0 ExceptionPortData : 0x68869e9b Void
   +0x0f0 ExceptionPortValue : 0x68869e9b
   +0x0f0 ExceptionPortState : 0y011
   +0x0f4 ObjectTable      : 0x37a7c976 _HANDLE_TABLE
   +0x0f8 Token            : _EX_FAST_REF
   +0x0fc WorkingSetPage   : 0x2e4
   +0x100 AddressCreationLock : _EX_PUSH_LOCK
   +0x104 RotateInProgress : (null) 
   +0x108 ForkInProgress   : (null) 
   +0x10c HardwareTrigger  : 0x18000000
   +0x110 PhysicalVadRoot  : 0x0086df05 _MM_AVL_TABLE
   +0x114 CloneRoot        : 0x8b000000 Void
   +0x118 NumberOfPrivatePages : 1
   +0x11c NumberOfLockedPages : 0xc0000000
   +0x120 Win32Process     : 0xc0ffa2db Void
   +0x124 Job              : 0xa885cc24 _EJOB
   +0x128 SectionObject    : 0x00ab5b01 Void
   +0x12c SectionBaseAddress : 0x7b00c300 Void
   +0x130 Cookie           : 0x2b0cf7
   +0x134 Spare8           : 0
   +0x138 WorkingSetWatch  : 0x40000000 _PAGEFAULT_HISTORY
   +0x13c Win32WindowStation : 0xac000000 Void
   +0x140 InheritedFromUniqueProcessId : 0x00000009 Void
   +0x144 LdtInformation   : (null) 
   +0x148 VdmObjects       : (null) 
   +0x14c ConsoleHostProcess : 0xe0000000
   +0x150 DeviceMap        : 0x008ee2f1 Void
   +0x154 EtwDataSource    : (null) 
   +0x158 FreeTebHint      : 0x007ffdd0 Void
   +0x160 PageDirectoryPte : 0
   +0x168 Session          : 0x448d64a0 Void
   +0x16c ImageFileName    : [15]  "bgview.exe"

判断是进程还是线程(失败)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
kd> dt _OBJECT_HEADER 00000000`85d0e930-0x18
nt!_OBJECT_HEADER
   +0x000 PointerCount     : 0n108
   +0x004 HandleCount      : 0n-2080816192
   +0x004 NextToFree       : 0x83f943c0 Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : 0x4 ''
   +0x00d TraceFlags       : 0 ''
   +0x00e InfoMask         : 0 ''
   +0x00f Flags            : 0 ''
   +0x010 ObjectCreateInfo : (null) 
   +0x010 QuotaBlockCharged : (null) 
   +0x014 SecurityDescriptor : 0x00080007 Void
   +0x018 Body             : _QUAD
kd> dd ObTypeIndexTable+0x4*4
83fa2770  85533638 855c2040 855c2f40 855c2e78
83fa2780  855c2db0 855c2ce8 855c2c20 855c2548
83fa2790  855ddb50 855d6418 855d6350 855d7418
83fa27a0  855d7350 855d8418 855d8350 855e1758
83fa27b0  855e1690 855e1da0 855e1cd8 855e1388
83fa27c0  855e12c0 855e5930 855e5868 855daf78
83fa27d0  855daeb0 855da950 855da888 855da7c0
83fa27e0  855da6f8 855da528 855da460 855df7f0
kd> dt _OBJECT_TYPE 85533638
ntdll!_OBJECT_TYPE
   +0x000 TypeList         : _LIST_ENTRY [ 0x85533638 - 0x85533638 ]
   +0x008 Name             : _UNICODE_STRING "SymbolicLink"
   +0x010 DefaultObject    : 0x83fa1a40 Void
   +0x014 Index            : 0x4 ''
   +0x018 TotalNumberOfObjects : 0x121
   +0x01c TotalNumberOfHandles : 5
   +0x020 HighWaterNumberOfObjects : 0x121
   +0x024 HighWaterNumberOfHandles : 6
   +0x028 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x078 TypeLock         : _EX_PUSH_LOCK
   +0x07c Key              : 0x626d7953
   +0x080 CallbackList     : _LIST_ENTRY [ 0x855336b8 - 0x855336b8 ]

保护进程

PsLookupProcessByProcessId

PsLookupProcessByProcessId如何遍历进程;

调用链: PsLookupProcessByProcessId => ExMapHandleToPointer => ExpLookupHandleTableEntry

蓝屏错误分析

在保护进程后, 如果不把进程pid设置为0会导致蓝屏;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
kd> kv
 # ChildEBP RetAddr      Args to Child              
00 8d45f6f4 83f27407     00000003 7a0c3854 00000065 nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
01 8d45f744 83f27f04     00000003 857ced20 00000000 nt!KiBugCheckDebugBreak+0x1c
02 8d45fb0c 83f2727b     00000017 00000000 00000000 nt!KeBugCheck2+0x68a
03 8d45fb2c 840c6ca2     00000017 855d5eb0 857ced08 nt!KeBugCheck+0x14
04 8d45fb64 84074b30     857ced20 857ced20 857ced08 nt!PspProcessDelete+0x185         // 此函数会进行判断然后调用ExDestroyHandle函数导致蓝屏
05 8d45fb7c 83eaa1e0     00000000 00000f08 857ced08 nt!ObpRemoveObjectRoutine+0x59
06 8d45fb90 83eaa150     857ced20 84097eb1 99901950 nt!ObfDereferenceObjectWithTag+0x88 (FPO: [0,0,3])
07 8d45fb98 84097eb1     99901950 86b11778 00000f08 nt!ObfDereferenceObject+0xd (FPO: [0,1,0])
08 8d45fbdc 84097bc5     99901950 97ffbe10 86a3fd20 nt!ObpCloseHandleTableEntry+0x22f
09 8d45fc0c 84097f71     86a3fd20 86b11701 00c3f7e8 nt!ObpCloseHandle+0x7f
0a 8d45fc28 83e84a3a     00000f08 00c3f7ec 76e66b94 nt!NtClose+0x4e

// PspProcessDelete函数中导致蓝屏代码处
...
  if ( *(_DWORD *)&PROCESS[1].LdtDescriptor.LimitLow
    && !ExDestroyHandle(0, (int *)PspCidTable, *(_DWORD *)&PROCESS[1].LdtDescriptor.LimitLow) )
  {
    KeBugCheck(0x17u);
  }
...

利用小漏洞

ExpLookupHandleTableEntry函数中存在判断如果pid & 0xFFFFFFFC >= this[13];

1
2
3
// ExpLookupHandleTableEntry函数中判断处
  if ( (a2 & 0xFFFFFFFC) >= this[13] )
    return 0;

实验代码

ProcessProtection.h

1
2
3
4
5
6
7
8
9
10
#pragma once
#include <ntifs.h>

// PVOID GetPspCidTable();
// ULONG_PTR GetExpLookupHandleTableEntry();

PVOID MyExpLookupHandleTableEntry(HANDLE pid);
// 保护进程
BOOLEAN ProcessProtection(HANDLE pid);

Search.h

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#pragma once

#include <ntifs.h>

typedef struct _FindCode
{
	UCHAR code[0x200];
	ULONG len;
	int offset;
	ULONG lastAddressOffset;
}FindCode, *PFindCode;

typedef enum _SYSTEM_INFORMATION_CLASS {
	SystemBasicInformation,
	SystemProcessorInformation,             // obsolete...delete
	SystemPerformanceInformation,
	SystemTimeOfDayInformation,
	SystemPathInformation,
	SystemProcessInformation,
	SystemCallCountInformation,
	SystemDeviceInformation,
	SystemProcessorPerformanceInformation,
	SystemFlagsInformation,
	SystemCallTimeInformation,
	SystemModuleInformation,
	SystemLocksInformation,
	SystemStackTraceInformation,
	SystemPagedPoolInformation,
	SystemNonPagedPoolInformation,
	SystemHandleInformation,
	SystemObjectInformation,
	SystemPageFileInformation,
	SystemVdmInstemulInformation,
	SystemVdmBopInformation,
	SystemFileCacheInformation,
	SystemPoolTagInformation,
	SystemInterruptInformation,
	SystemDpcBehaviorInformation,
	SystemFullMemoryInformation,
	SystemLoadGdiDriverInformation,
	SystemUnloadGdiDriverInformation,
	SystemTimeAdjustmentInformation,
	SystemSummaryMemoryInformation,
	SystemMirrorMemoryInformation,
	SystemPerformanceTraceInformation,
	SystemObsolete0,
	SystemExceptionInformation,
	SystemCrashDumpStateInformation,
	SystemKernelDebuggerInformation,
	SystemContextSwitchInformation,
	SystemRegistryQuotaInformation,
	SystemExtendServiceTableInformation,
	SystemPrioritySeperation,
	SystemVerifierAddDriverInformation,
	SystemVerifierRemoveDriverInformation,
	SystemProcessorIdleInformation,
	SystemLegacyDriverInformation,
	SystemCurrentTimeZoneInformation,
	SystemLookasideInformation,
	SystemTimeSlipNotification,
	SystemSessionCreate,
	SystemSessionDetach,
	SystemSessionInformation,
	SystemRangeStartInformation,
	SystemVerifierInformation,
	SystemVerifierThunkExtend,
	SystemSessionProcessInformation,
	SystemLoadGdiDriverInSystemSpace,
	SystemNumaProcessorMap,
	SystemPrefetcherInformation,
	SystemExtendedProcessInformation,
	SystemRecommendedSharedDataAlignment,
	SystemComPlusPackage,
	SystemNumaAvailableMemory,
	SystemProcessorPowerInformation,
	SystemEmulationBasicInformation,
	SystemEmulationProcessorInformation,
	SystemExtendedHandleInformation,
	SystemLostDelayedWriteInformation,
	SystemBigPoolInformation,
	SystemSessionPoolTagInformation,
	SystemSessionMappedViewInformation,
	SystemHotpatchInformation,
	SystemObjectSecurityMode,
	SystemWatchdogTimerHandler,
	SystemWatchdogTimerInformation,
	SystemLogicalProcessorInformation,
	SystemWow64SharedInformation,
	SystemRegisterFirmwareTableInformationHandler,
	SystemFirmwareTableInformation,
	SystemModuleInformationEx,
	SystemVerifierTriageInformation,
	SystemSuperfetchInformation,
	SystemMemoryListInformation,
	SystemFileCacheInformationEx,
	MaxSystemInfoClass  // MaxSystemInfoClass should always be the last enum
} SYSTEM_INFORMATION_CLASS;

typedef struct _RTL_PROCESS_MODULE_INFORMATION {
	HANDLE Section;                 // Not filled in
	PVOID MappedBase;
	PVOID ImageBase;
	ULONG ImageSize;
	ULONG Flags;
	USHORT LoadOrderIndex;
	USHORT InitOrderIndex;
	USHORT LoadCount;
	USHORT OffsetToFileName;
	UCHAR  FullPathName[256];
} RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION;

typedef struct _RTL_PROCESS_MODULES {
	ULONG NumberOfModules;
	RTL_PROCESS_MODULE_INFORMATION Modules[1];
} RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES;

NTSTATUS ZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
ULONG searchOtherCode(ULONG_PTR startAddr, ULONG_PTR endAddr, char* code, int offset);

ProcessProtection.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#include "ProcessProtection.h"
#include "Search.h"

PVOID GetPspCidTable()
{
	static PVOID scidTable = NULL;
	if (scidTable) return scidTable;

	UNICODE_STRING unName = { 0 };
	RtlInitUnicodeString(&unName, L"PsLookupProcessByProcessId");
	PUCHAR startFunc = MmGetSystemRoutineAddress(&unName);

	scidTable = (PVOID)searchOtherCode(startFunc, startFunc + 0x100, "8B*****E8****8BF885FF74*8B1F", 2);

	if (scidTable)
	{
		scidTable = **(PVOID ***)scidTable;
	}

	return scidTable;
}

ULONG_PTR GetExpLookupHandleTableEntry()
{
	static PVOID ExpLookupHandleTableEntry = NULL;
	if (ExpLookupHandleTableEntry) return ExpLookupHandleTableEntry;

	UNICODE_STRING unName = { 0 };
	RtlInitUnicodeString(&unName, L"ExEnumHandleTable");
	PUCHAR startFunc = MmGetSystemRoutineAddress(&unName);

	PUCHAR searchFunc = (PVOID)searchOtherCode(startFunc, startFunc + 0x200, "FF75*8B4D*E8****8BF085F675*EB", 6);

	if (searchFunc)
	{
		ExpLookupHandleTableEntry = (searchFunc + 5) + *(PULONG)(searchFunc + 1);
	}

	return ExpLookupHandleTableEntry;
}

PVOID MyExpLookupHandleTableEntry(HANDLE pid)
{
	// handleTable参数压栈至ecx, xxx压栈到edx, id参数push到栈上, 模拟__thiscall
	// x64 不需要这样来定义调用堆栈, 原函数并非3个参数, 原为2个参数
	typedef PVOID (__fastcall * ExpLookupHandleTableEntryProc)(PVOID handleTable, ULONG xxx, HANDLE id);
	PVOID pspTable = GetPspCidTable();
	ExpLookupHandleTableEntryProc func = (ExpLookupHandleTableEntryProc)GetExpLookupHandleTableEntry();
	if (!pspTable || !func) return NULL;

	return func(pspTable, 0, pid);
}

ULONG GetProcessIdOffset()
{
	UNICODE_STRING unName = { 0 };
	RtlInitUnicodeString(&unName, L"PsGetProcessId");
	PUCHAR startFunc = MmGetSystemRoutineAddress(&unName);

	return *(PULONG)(startFunc + 11);
}

BOOLEAN ProcessProtection(HANDLE pid)
{
	PEPROCESS Process = NULL;
	NTSTATUS status = PsLookupProcessByProcessId(pid, &Process);
	if (!NT_SUCCESS(status)) return FALSE;

	ObDereferenceObject(Process);

	PVOID pHandleEntry = MyExpLookupHandleTableEntry(pid);
	// 抹除相关信息(_HANDLE_TABLE_ENTRY)
	memset(pHandleEntry, 0, 8);
	// ULONG offset = GetProcessIdOffset();
	*(PHANDLE)((PUCHAR)Process + 0xb4) = 0;

	return TRUE;

}

Search.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
#include "Search.h"
#include <ntimage.h>

// 将字节转换成16进制
UCHAR Char2Hex(UCHAR * szCh)
{
	unsigned char temp[2] = { 0 };
	for (int i = 0; i < 2; i++)
	{
		if (szCh[i] >= '0' && szCh[i] <= '9')
		{
			temp[i] = (szCh[i] - '0');
		}
		else if (szCh[i] >= 'A' && szCh[i] <= 'F')
		{
			temp[i] = (szCh[i] - 'A') + 0xA;
		}
		else if (szCh[i] >= 'a' && szCh[i] <= 'f')
		{
			temp[i] = (szCh[i] - 'a') + 0xA;
		}
	}
	return ((temp[0] << 4) & 0xf0) | (temp[1] & 0xf);
}

// 初始化结构
void initFindCodeStruct(PFindCode findCode, PCHAR code, ULONG_PTR offset, ULONG_PTR lastAddressOffset)
{
	memset(findCode, 0, sizeof(FindCode));

	findCode->lastAddressOffset = lastAddressOffset;
	findCode->offset = offset;

	PCHAR pTemp = code;
	ULONG_PTR i = 0;
	for (i = 0; *pTemp != '\0'; i++)
	{
		if (*pTemp == '*' || *pTemp == '?')
		{
			findCode->code[i] = *pTemp;
			pTemp++;
			continue;
		}
		findCode->code[i] = Char2Hex(pTemp);
		pTemp += 2;
	}
	findCode->len = i;
}

ULONG_PTR findAddressByCode(ULONG_PTR beginAddr, ULONG_PTR endAddr, PFindCode findCode, ULONG size)
{
	ULONG64 j = 0;
	LARGE_INTEGER rtna = { 0 };
	for (ULONG_PTR i = beginAddr; i <= endAddr; i++)
	{
		if (!MmIsAddressValid((PVOID)i))
		{
			i = i & (~0xfff) + PAGE_SIZE - 1;
			continue;
		}

		for (j = 0; j < size; j++)
		{
			FindCode fc = findCode[j];
			ULONG_PTR tempAddress = i;

			UCHAR * code = (UCHAR *)(tempAddress + fc.offset);
			BOOLEAN isFlags = FALSE;

			for (ULONG_PTR k = 0; k < fc.len; k++)
			{
				if (!MmIsAddressValid((PVOID)(code + k)))
				{
					isFlags = TRUE;
					break;
				}
				if (fc.code[k] == '*' || fc.code[k] == '?') continue;

				if (code[k] != fc.code[k])
				{
					isFlags = TRUE;
					break;
				}
			}
			if (isFlags) break;
		}
		if (j == size)
		{
			rtna.QuadPart = i;
			rtna.LowPart += findCode[0].lastAddressOffset;
			break;
		}
	}
	return rtna.QuadPart;
}

//ULONG_PTR findAddressByCode(ULONG_PTR beginAddr, ULONG_PTR endAddr, PFindCode  findCode, ULONG numbers)
//{
//	ULONG64 j = 0;
//	LARGE_INTEGER rtna = { 0 };
//
//	for (ULONG_PTR i = beginAddr; i <= endAddr; i++)
//	{
//		if (!MmIsAddressValid((PVOID)i))
//		{
//			i = i & (~0xfff) + PAGE_SIZE - 1;
//			continue;
//		}
//
//
//
//		for (j = 0; j < numbers; j++)
//		{
//			FindCode  fc = findCode[j];
//			ULONG_PTR tempAddress = i;
//
//			UCHAR * code = (UCHAR *)(tempAddress + fc.offset);
//			BOOLEAN isFlags = FALSE;
//
//			for (ULONG_PTR k = 0; k < fc.len; k++)
//			{
//				if (!MmIsAddressValid((PVOID)(code + k)))
//				{
//					isFlags = TRUE;
//					break;
//				}
//
//				if (fc.code[k] == '*' || fc.code[k] == '?') continue;
//
//				if (code[k] != fc.code[k])
//				{
//					isFlags = TRUE;
//					break;
//				}
//			}
//
//			if (isFlags) break;
//
//		}
//
//		//找到了
//		if (j == numbers)
//		{
//			rtna.QuadPart = i;
//			rtna.LowPart += findCode[0].lastAddressOffset;
//			break;
//		}
//
//	}
//
//	return rtna.QuadPart;
//}

char * Char2Uper(char * wstr, BOOLEAN isAllocateMemory)
{
	char * ret = NULL;

	if (isAllocateMemory)
	{
		int len = strlen(wstr) + 2;
		ret = ExAllocatePool(PagedPool, len);
		memset(ret, 0, len);
		memcpy(ret, wstr, len - 2);
	}
	else
	{
		ret = wstr;
	}
	_strupr(ret);
	return ret;
}

ULONG_PTR QueryModule(PUCHAR pModuleName, ULONG_PTR * pModuleSize)
{
	if (pModuleName == NULL) return 0;

	RTL_PROCESS_MODULES RtlModules = { 0 };
	PRTL_PROCESS_MODULES pRtlModules = &RtlModules;
	BOOLEAN bFlags = FALSE;
	// 测量长度
	ULONG * ReturnLength = 0;		// 需要申请内存的实际大小
	NTSTATUS status = ZwQuerySystemInformation(SystemModuleInformation, pRtlModules, sizeof(RTL_PROCESS_MODULES), &ReturnLength);
	// 判断长度不匹配
	if (status == STATUS_INFO_LENGTH_MISMATCH)
	{
		pRtlModules = ExAllocatePool(PagedPool, ReturnLength + sizeof(RTL_PROCESS_MODULES));
		if (!pRtlModules) return 0;
		memset(pRtlModules, 0, ReturnLength + sizeof(RTL_PROCESS_MODULES));
		status = ZwQuerySystemInformation(SystemModuleInformation, pRtlModules, ReturnLength + sizeof(RTL_PROCESS_MODULES), &ReturnLength);
		if (!NT_SUCCESS(status))
		{
			ExFreePool(pRtlModules);
			return 0;
		}
		bFlags = TRUE;
	}

	PUCHAR pKernelModuleName = NULL;
	ULONG_PTR pModuleBase = 0;
	do
	{
		if (_stricmp(pModuleName, "ntkrnlpa.exe") == 0 || _stricmp(pModuleName, "ntoskrnl.exe") == 0)
		{
			PRTL_PROCESS_MODULE_INFORMATION pModuleInformation = &pRtlModules->Modules[0];
			pModuleBase = pModuleInformation->ImageBase;
			if (pModuleSize) *pModuleSize = pModuleInformation->ImageSize;
			break;
		}

		pKernelModuleName = ExAllocatePool(PagedPool, strlen(pModuleName) + 1);
		memset(pKernelModuleName, 0, strlen(pModuleName) + 1);
		memcpy(pKernelModuleName, pModuleName, strlen(pModuleName));
		_strupr(pKernelModuleName);

		for (int i = 0; i < pRtlModules->NumberOfModules; i++)
		{
			PRTL_PROCESS_MODULE_INFORMATION pModuleInformation = &pRtlModules->Modules[i];
			PUCHAR FullPathName = _strupr(pModuleInformation->FullPathName);
			DbgPrintEx(77, 0, "BaseName = %s, FullName = %s\r\n", pModuleInformation->FullPathName + pModuleInformation->OffsetToFileName, pModuleInformation->FullPathName);
			if (strstr(FullPathName, pKernelModuleName))
			{
				pModuleBase = pModuleInformation->ImageBase;
				if (pModuleSize) *pModuleSize = pModuleInformation->ImageSize;
				break;
			}
		}

	} while (0);


	if (pKernelModuleName)
	{
		ExFreePool(pKernelModuleName);
	}
	if (bFlags)
	{
		ExFreePool(pRtlModules);
	}
	return pModuleBase;
}
//
//ULONG searchOtherCode(ULONG_PTR startAddr, ULONG_PTR endAddr, char* code, int offset)
//{
//	FindCode fc[1] = { 0 };
//	initFindCodeStruct(&fc[0], code, 0, offset);
//
//	//SIZE_T moduleBase = 0;
//	//ULONG size = QueryModule("ntoskrnl.exe", &moduleBase);
//
//	ULONG_PTR func = findAddressByCode(startAddr, endAddr, fc, 1);
//	return func;
//}

ULONG searchOtherCode(ULONG_PTR startAdd, ULONG_PTR endAddr, char * code, int offset)
{
	FindCode fs[1] = { 0 };
	initFindCodeStruct(&fs[0], code, 0, offset);


	ULONG_PTR func = findAddressByCode(startAdd, endAddr, fs, 1);

	return func;
}

ULONG searchNtCode(char* code, int offset)
{
	FindCode fc[1] = { 0 };
	initFindCodeStruct(&fc[0], code, 0, offset);

	SIZE_T moduleBase = 0;
	ULONG size = QueryModule("ntoskrnl.exe", &moduleBase);

	ULONG_PTR func = findAddressByCode(moduleBase, size + moduleBase, fc, 1);
	return func;
}

ULONG searchCode(char * moduleName, char* segmentName, char* code, int offset)
{
	FindCode fc[1] = { 0 };
	initFindCodeStruct(&fc[0], code, 0, offset);

	SIZE_T moduleBase = 0;
	ULONG size = QueryModule(moduleName, &moduleBase);
	if (!moduleBase)
	{
		return 0;
	}
	PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)moduleBase;
	PIMAGE_NT_HEADERS pNts = (PIMAGE_NT_HEADERS)(moduleBase + pDos->e_lfanew);
	PIMAGE_SECTION_HEADER pSection = IMAGE_FIRST_SECTION(pNts);
	PIMAGE_SECTION_HEADER pTemp = NULL;
	for (int i = 0; i < pNts->FileHeader.NumberOfSections; i++)
	{
		char bufName[9] = { 0 };
		memcpy(bufName, pSection->Name, 8);
		if (_stricmp(bufName, segmentName) == 0)
		{
			pTemp = pSection;
			break;
		}
		pSection++;
	}
	if (pTemp)
	{
		moduleBase = pSection->VirtualAddress + moduleBase;
		size = pSection->SizeOfRawData;
	}

	ULONG_PTR func = findAddressByCode(moduleBase, size + moduleBase, fc, 1);
	return func;
}

DriverEntry.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#include <ntifs.h>
#include "ProcessProtection.h"

void DriverUnload(PDRIVER_OBJECT pDriver)
{
	DbgPrintEx(77, 0, "[db]: DriverUnload Running\r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
	DbgPrintEx(77, 0, "[db]: DriverEntry Running\r\n");
	/*PVOID pspTable = GetPspCidTable();
	ULONG_PTR funcAddr = GetExpLookupHandleTableEntry();
	DbgPrintEx(77, 0, "[db]: %x, %x\r\n", pspTable, funcAddr);*/

	// PVOID pHandleEntry = MyExpLookupHandleTableEntry((HANDLE)3140);
	// DbgPrintEx(77, 0, "[db]: %x\r\n", pHandleEntry);

	ProcessProtection((HANDLE)2932);

	pDriver->DriverUnload = DriverUnload;

	return STATUS_SUCCESS;
}

vm3dmp.sys会导致蓝屏, 可摘除钩子

更新于:2024年11月30日

Windows内核

评论