驱动遍历句柄表

驱动遍历句柄表，附加第二个方法的反汇编代码；其中还有对其拦截方式的一些需要 HOOK 处，比如伪造句柄表。
因为大量使用硬编码，所以此份代码通用性不强，一切均在虚拟机 XP3 下操作。
#include "ntddk.h"
/*
 * Private layout of nt!_EX_PUSH_LOCK as used by the author's XP target: a single
 * pointer-sized word whose low four bits are state flags and whose remaining
 * bits hold either the shared-acquire count or a waiter pointer.
 */
typedef struct _EX_PUSH_LOCK {
    /* LOCK bit: set for both exclusive and shared acquires. */
#define EX_PUSH_LOCK_LOCK_V ((ULONG_PTR)0x0)
#define EX_PUSH_LOCK_LOCK ((ULONG_PTR)0x1)
    /* WAITING bit: the word is a pointer to a chain of waiters. */
#define EX_PUSH_LOCK_WAITING ((ULONG_PTR)0x2)
    /* WAKING bit: the waiter list is being walked to wake threads or optimised. */
#define EX_PUSH_LOCK_WAKING ((ULONG_PTR)0x4)
    /* MULTIPLE_SHARED bit: held shared by several owners while waiters exist. */
#define EX_PUSH_LOCK_MULTIPLE_SHARED ((ULONG_PTR)0x8)
    /* Increment applied to the word for each additional shared acquire. */
#define EX_PUSH_LOCK_SHARE_INC ((ULONG_PTR)0x10)
    /* Mask of the four flag bits; the rest of the word is the pointer/count. */
#define EX_PUSH_LOCK_PTR_BITS ((ULONG_PTR)0xf)
    union {
        struct {
            ULONG_PTR Locked : 1;
            ULONG_PTR Waiting : 1;
            ULONG_PTR Waking : 1;
            ULONG_PTR MultipleShared : 1;
            ULONG_PTR Shared : sizeof (ULONG_PTR) * 8 - 4;
        };
        ULONG_PTR Value;
        PVOID Ptr;
    };
} EX_PUSH_LOCK, *PEX_PUSH_LOCK;
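/*
 * Private layout of nt!_HANDLE_TABLE as the author declares it for the 32-bit
 * XP target. The whitespace between type and field name was lost in the
 * original paste ("ULONGTableCode;", "EX_PUSH_LOCKHandleLock;",
 * "intExtraInfoPages;") and is restored here; nothing else is changed.
 *
 * NOTE(review): this layout is 0x30 bytes, yet the disassembly of
 * nt!ExpLookupHandleTableEntry quoted in EnumHndleTable() compares the handle
 * against [table+0x38], which is beyond it. The field order here may not match
 * the author's XP build — confirm against `dt nt!_HANDLE_TABLE` on that kernel.
 * Only TableCode (+0x00, low two bits are the table level) is relied on by the
 * quoted code.
 */
typedef struct _HANDLE_TABLE {
    ULONG TableCode;
    ULONG QuotaProcess;
    ULONG UniqueProcessId;
    EX_PUSH_LOCK HandleLock;
    ULONG DebugInfo;
    int ExtraInfoPages;
    ULONG Flags;
    ULONG FirstFreeHandle;
    ULONG LastFreeHandleEntry;
    ULONG HandleCount;
    ULONG NextHandleNeedingPool;
    ULONG HandleCountHighWatermark;
} HANDLE_TABLE, *PHANDLE_TABLE;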
/*
 * Documented kernel export (also declared by ntddk.h). On success *Process
 * receives a referenced EPROCESS that the caller must release with
 * ObDereferenceObject. Used by EnumHndleTable() below.
 */
NTSTATUS PsLookupProcessByProcessId(
HANDLE ProcessId,
PEPROCESS *Process
);
#pragma pack(1)
/*
 * One entry of the kernel's service descriptor table. This listing indexes
 * ServiceTableBase[] as an array of system-service routine addresses and
 * reaches the table through the exported 32-bit kernel symbol
 * KeServiceDescriptorTable. Packed to 1 byte as in the original.
 */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;         /* service routine addresses */
    unsigned int *ServiceCounterTableBase;  /* per-service call counters (checked builds) */
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;          /* argument byte counts per service */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#pragma pack()
//Xp下的MOVE DEBUGPORT need of
/**8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
8065c015 83a7bc00000000 and dword ptr [edi+0BCh],0
8065af6f 39bebc000000 cmp dword ptr [esi+0BCh],edi
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
8057c1b2 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065c64c 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
805833d5 83bbbc00000000 cmp dword ptr [ebx+0BCh],0
8057c1b2 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065c6cb 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
80582dc0 8dbebc000000 lea edi,[esi+0BCh]
80581cb9 399ebc000000 cmp dword ptr [esi+0BCh],ebx
805826d0 81c6bc000000 add esi,0BCh
8058fa53 399ebc000000 cmp dword ptr [esi+0BCh],ebx
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e63a 83b9bc00000000 cmp dword ptr [ecx+0BCh],0
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065bfed 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
8065af6f 39bebc000000 cmp dword ptr [esi+0BCh],edi
8058fa53 399ebc000000 cmp dword ptr [esi+0BCh],ebx
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
805040dd 39b8bc000000 cmp dword ptr [eax+0BCh],edi
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
80588e2e 8b81bc000000 mov eax,dword ptr [ecx+0BCh]
下面是写入
8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
*/
//XP对句柄表访问处
/**
80572741 8bbec4000000 mov edi,dword ptr [esi+0C4h]
80565f1e 8b80c4000000 mov eax,dword ptr [eax+0C4h]
80565c0d 8b80c4000000 mov eax,dword ptr [eax+0C4h]
8056e346 8b80c4000000 mov eax,dword ptr [eax+0C4h]
80568881 8bbbc4000000 mov edi,dword ptr [ebx+0C4h]
80565c0d 8b80c4000000 mov eax,dword ptr [eax+0C4h]
805677b6 8b89c4000000 mov ecx,dword ptr [ecx+0C4h]
句柄表的访问*/
/*
 * Optional per-handle side information referenced from a handle-table entry.
 */
typedef struct _HANDLE_TABLE_ENTRY_INFO {
    /*
     * Audit mask for the handle, when one exists. Each set bit is an access
     * that was subject to auditing when the handle was opened (computed by
     * walking the object's SACL for audit ACEs that apply to the open). As
     * each operation is performed, its access bit is cleared from the mask,
     * giving "per operation" auditing.
     */
    ACCESS_MASK AuditMask;
} HANDLE_TABLE_ENTRY_INFO, *PHANDLE_TABLE_ENTRY_INFO;
/*
 * One slot of a handle table (two pointer-sized words on the 32-bit target).
 */
typedef struct _HANDLE_TABLE_ENTRY {
    /*
     * Object pointer overloaded with three ob attribute bits in the low bits
     * and the high bit marking a locked/unlocked entry; Object therefore is
     * not a clean pointer until those bits are masked off.
     */
    union {
        PVOID Object;
        ULONG ObAttributes;
        PHANDLE_TABLE_ENTRY_INFO InfoTable;
        ULONG_PTR Value;
    };

    /*
     * For an in-use entry: the granted access mask (or the ob variant that
     * encodes the same information). For a free entry: the index of the next
     * free entry, forming a FAT-like chain. Indices rather than pointers are
     * used so a table can be duplicated by copying entries verbatim.
     */
    union {
        union {
            ACCESS_MASK GrantedAccess;
            struct {
                USHORT GrantedAccessIndex;
                USHORT CreatorBackTraceIndex;
            };
        };
        LONG NextFreeTableEntry;
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
/*
 * Callback invoked by ExEnumHandleTable once per in-use handle-table entry.
 * Per the author's note in EnumCALLback(), returning TRUE stops the walk and
 * FALSE continues it.
 */
typedef BOOLEAN (__stdcall *EX_ENUMERATE_HANDLE_ROUTINE)(
    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
    IN HANDLE Handle,
    IN PVOID EnumParameter
    );

/*
 * Prototype of the unexported nt!ExEnumHandleTable in its four-argument XP
 * form (the author notes that Win7 adds a fifth parameter).
 */
typedef BOOLEAN (*ExEnumHandleTable)(
    __in PHANDLE_TABLE HandleTable,
    __in EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
    __in PVOID EnumParameter,
    __out_opt PHANDLE Handle
    );

/* Resolved at run time by EnumHndleTable(); NULL until then. */
ExEnumHandleTable XExEnumHandleTable = NULL;
//335是NTcreateTimer
/*
 * Disables interrupts (cli) and clears CR0.WP (bit 16, mask 0x10000), which
 * allows supervisor-mode writes to pages the MMU marks read-only. MSVC x86
 * inline assembly; paired with PageProtectOn(), which must run on the same
 * processor to restore WP and re-enable interrupts. Nothing in this listing
 * calls either routine. Toggling CR0.WP is the classic kernel-patching
 * pattern that Kernel Patch Protection on 64-bit Windows exists to detect;
 * it is specific to the 32-bit XP target here.
 */
void PageProtectOff()
{
__asm{
cli
mov eax,cr0
and eax,not 10000h
mov cr0,eax
}
}
/*
 * Reverse of PageProtectOff(): sets CR0.WP (mask 0x10000) and re-enables
 * interrupts (sti). Must execute on the same processor on which
 * PageProtectOff() ran, since CR0 and the interrupt flag are per-CPU state.
 * Not called anywhere in this listing.
 */
void PageProtectOn()
{
__asm{
mov eax,cr0
or eax,10000h
mov cr0,eax
sti
}
}
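/*
 * Linear search for a 5-byte Signature in the 0x3000 bytes starting at
 * uAddress. On the first match at p the return value is selected by flag:
 *   0 - target of a rel32 operand at p+5, computed as (p+4) + rel32 + 5
 *   1 - the 32-bit value stored at p+5
 *   2 - p+4
 *   3 - p+5
 *   4 - p
 *   anything else - 0
 * Returns 0 when uAddress or Signature is NULL, or when nothing matches.
 *
 * Restored from the paste: "&amp;&amp;" is the HTML-escaped "&&", and the
 * lost whitespace in "ULONGindex" etc. Behaviour is otherwise unchanged.
 *
 * The scan reads memory without any validity check (no MmIsAddressValid or
 * probing), and the final iterations read up to 8 bytes past
 * uAddress + 0x3000, so the caller must guarantee that whole range is mapped.
 * 32-bit only: addresses are carried in ULONG.
 */
ULONG GetAddress(ULONG uAddress, UCHAR *Signature, int flag)
{
    UCHAR *p;
    ULONG index;

    if (uAddress == 0 || Signature == NULL) {
        return 0;
    }

    p = (UCHAR *)uAddress;
    for (index = 0; index < 0x3000; index++, p++) {
        if (p[0] != Signature[0] ||
            p[1] != Signature[1] ||
            p[2] != Signature[2] ||
            p[3] != Signature[3] ||
            p[4] != Signature[4]) {
            continue;
        }

        switch (flag) {
        case 0:
            /* rel32 at p+5 is relative to the end of a 5-byte instruction at p+4. */
            return (ULONG)(p + 4) + *(ULONG *)(p + 5) + 5;
        case 1:
            return *(ULONG *)(p + 5);
        case 2:
            return (ULONG)(p + 4);
        case 3:
            return (ULONG)(p + 5);
        case 4:
            return (ULONG)p;
        default:
            return 0;
        }
    }

    return 0;
}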
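/*
 * ExEnumHandleTable callback: traces one handle-table entry. The Object
 * field carries ob attribute bits in its low bits (see _HANDLE_TABLE_ENTRY),
 * so the printed value is not a clean object pointer. Per the author's note,
 * returning TRUE stops the enumeration and FALSE continues it.
 *
 * Fixes: pointers are printed with %p instead of %X (format/argument
 * mismatch), the trace names both the handle and the object it prints, and
 * the unused EnumParameter is marked as such.
 */
BOOLEAN __stdcall EnumCALLback(
    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
    IN HANDLE Handle,
    IN PVOID EnumParameter
){
    UNREFERENCED_PARAMETER(EnumParameter);

    KdPrint(("OBJECT-->>>handle: %p object: %p", Handle, HandleTableEntry->Object));

    /* FALSE = keep enumerating; TRUE would stop the walk. */
    return FALSE;
}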
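/*
 * Enumerates the handle table of one hard-coded process (PID 1168) on the
 * 32-bit XP target by calling the unexported nt!ExEnumHandleTable.
 *
 * The routine's address is not resolved by name: it is taken as SSDT entry
 * 54 plus the fixed offset 0xB82, which is only valid for the exact kernel
 * build the author disassembled (the GetAddress() signature search was
 * abandoned; see the note near the end). The process's handle table is read
 * from EPROCESS+0xC4, the ObjectTable field in the `dt _EPROCESS` dump below.
 *
 * Fixes relative to the original listing:
 *  - `eProcess=+0xc4;` assigned the constant 0xC4 instead of adding it, so the
 *    following `*(PHANDLE_TABLE*)eProcess` dereferenced address 0xC4. It is
 *    now `(ULONG_PTR)process + 0xc4`.
 *  - PsLookupProcessByProcessId returns a referenced EPROCESS; the reference
 *    was never released. It is now dropped with ObDereferenceObject.
 *  - "&amp;" is the HTML-escaped "&"; pointers are printed with %p; the last
 *    trace now names the value it prints (the handle table, not the routine).
 */
void EnumHndleTable(){
    PEPROCESS process = NULL;
    ULONG_PTR eProcess;
    PHANDLE_TABLE table;
    HANDLE hANDLE = NULL;

    // 0xB73 was a small offset relative to NtCreateTimer used to narrow the
    // signature search; that approach was dropped (see the note at the end).
    //UCHAR code[5]={0x90,0x90,0x90,0x90,0x8b};

    // Hard-coded: SSDT entry 54 plus 0xB82 is assumed to be nt!ExEnumHandleTable.
    // Valid only for the kernel build the author disassembled.
    XExEnumHandleTable = (ExEnumHandleTable)(ULONG_PTR)(KeServiceDescriptorTable.ServiceTableBase[54] + 0xB82);
/**
kd> dt 81a22d50 _EPROCESS
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x01d07a70`45d66f47
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x000001d0 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x817cf0a8 - 0x81a27ad0 ]
+0x090 QuotaUsage : [3] 0xcd0
+0x09c QuotaPeak : [3] 0x1598
+0x0a8 CommitCharge : 0x25e
+0x0ac PeakVirtualSize : 0x33cf000
+0x0b0 VirtualSize : 0x2a76000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x817cf0d4 - 0x81a27afc ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe14f7368 Void
+0x0c4 ObjectTable : 0xe1acc610 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0xe5b8
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x81bcbf50 Void
+0x120 VadHint : 0x81b90c28 Void
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0x174
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe1062818 Void
+0x134 Job : (null)
+0x138 SectionObject : 0xe1d2c0f0 Void
+0x13c SectionBaseAddress : 0x00400000 Void
+0x140 QuotaBlock : 0x81950590 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000024 Void
+0x14c InheritedFromUniqueProcessId : 0x00000610 Void
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe1b71008 Void
+0x160 PhysicalVadList : _LIST_ENTRY [ 0x81a22eb0 - 0x81a22eb0 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE_X86
+0x168 Filler : 0
+0x170 Session : 0xf8fad000 Void
+0x174 ImageFileName : [16] "x.exe"
+0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x18c LockedPagesList : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x81a2bc54 - 0x81a0b524 ]
+0x198 SecurityPort : (null)
+0x19c PaeTop : (null)
+0x1a0 ActiveThreads : 2
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 0x8000
+0x1ac LastThreadExitStatus : 0n0
+0x1b0 Peb : 0x7ffdf000 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0x53
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x5
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x457
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x65cc
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x168
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x5944
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x38f
+0x1f0 AweInfo : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 0x413
+0x240 NumberOfVads : 0x52
+0x244 JobStatus : 0
+0x248 Flags : 0xd0800
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 HasPhysicalVad : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y1
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 Unused3 : 0y0
+0x248 Unused4 : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y00000 (0)
+0x248 Unused1 : 0y0
+0x248 Unused2 : 0y0
+0x24c ExitStatus : 0n259
+0x250 NextPageColor : 0xe7bd
+0x252 SubSystemMinorVersion : 0 ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x400
+0x254 PriorityClass : 0x4 ''
+0x255 WorkingSetAcquiredUnsafe : 0 ''
+0x258 Cookie : 0x47af0476
*/
    if (XExEnumHandleTable == NULL)
    {
        KdPrint(("ExEnumHandleTable--->>>Address: %p", XExEnumHandleTable));
        return;
    }
    KdPrint(("ExEnumHandleTable--->>>Address: %p", XExEnumHandleTable));

    // Returns a referenced EPROCESS on success; released below.
    if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)1168, &process)))
    {
        return;
    }

    // ObjectTable is at EPROCESS+0xC4 on this build (see the dt dump above).
    // The original `eProcess=+0xc4` assigned 0xC4 instead of adding it.
    eProcess = (ULONG_PTR)process + 0xc4;
    table = *(PHANDLE_TABLE *)eProcess;

    XExEnumHandleTable(table, EnumCALLback, NULL, &hANDLE);

    KdPrint(("ObjectTable--->>>Address: %p", table));

    // Drop the reference taken by PsLookupProcessByProcessId.
    ObDereferenceObject(process);

    // Author's note: the signature search above is buggy — it needs a
    // one-byte step added, otherwise only multiples are hit and a non-multiple
    // offset is never found. Rather than fix it, the address was hard-coded;
    // that address is ExEnumHandleTable. The abandoned call was:
    //(ExEnumHandleTable)GetAddress((ULONG)KeServiceDescriptorTable.ServiceTableBase[54]+0xB73+0xE
    //,code,2);
    // ExEnumHandleTable takes only 4 parameters on XP; Win7 added one. Not relevant here.
/**

805a016f 56 push esi
805a0170 57 push edi
805a0171 64a124010000 mov eax,dword ptr fs:[00000124h]
805a0177 8365f800 and dword ptr [ebp-8],0
805a017b ff75f8 push dword ptr [ebp-8]
805a017e 8bf8 mov edi,eax
805a0180 ff7508 push dword ptr [ebp+8]
805a0183 ff8fd4000000 dec dword ptr [edi+0D4h]
805a0189 c645ff00 mov byte ptr [ebp-1],0
805a018d e8af59fcff call nt!ExpLookupHandleTableEntry (80565b41)
805a0192 8bf0 mov esi,eax
805a0194 85f6 test esi,esi
805a0196 7420 je nt!ExEnumHandleTable+0xaf (805a01b8)
805a0198 53 push ebx
805a0199 833e00 cmp dword ptr [esi],0
805a019c 0f8559ffffff jne nt!ExEnumHandleTable+0x37 (805a00fb)
805a01a2 8345f804 add dword ptr [ebp-8],4
805a01a6 ff75f8 push dword ptr [ebp-8]
805a01a9 ff7508 push dword ptr [ebp+8]
805a01ac e89059fcff call nt!ExpLookupHandleTableEntry (80565b41)
805a01b1 8bf0 mov esi,eax
805a01b3 85f6 test esi,esi
805a01b5 75e2 jne nt!ExEnumHandleTable+0x32 (805a0199)
805a01b7 5b pop ebx
805a01b8 ff87d4000000 inc dword ptr [edi+0D4h]
805a01be 750b jne nt!ExEnumHandleTable+0xca (805a01cb)
805a01c0 8d4734 lea eax,[edi+34h]
805a01c3 3900 cmp dword ptr [eax],eax
805a01c5 0f85897f0600 jne nt!ExEnumHandleTable+0xbe (80608154)
805a01cb 8a45ff mov al,byte ptr [ebp-1]
805a01ce 5f pop edi
805a01cf 5e pop esi
805a01d0 c9 leave
805a01d1 c21000 ret 10h
///
nt!ExpLookupHandleTableEntry:
80565b41 8bff mov edi,edi
80565b43 55 push ebp
80565b44 8bec mov ebp,esp
80565b46 83650cfc and dword ptr [ebp+0Ch],0FFFFFFFCh
80565b4a 8b450c mov eax,dword ptr [ebp+0Ch]
80565b4d 8b4d08 mov ecx,dword ptr [ebp+8]
80565b50 8b550c mov edx,dword ptr [ebp+0Ch]
80565b53 c1e802 shr eax,2
80565b56 3b5138 cmp edx,dword ptr [ecx+38h]
80565b59 0f8370930000 jae nt!ExpLookupHandleTableEntry+0x1a (8056eecf)
80565b5f 56 push esi
80565b60 8b31 mov esi,dword ptr [ecx]
80565b62 8bce mov ecx,esi
80565b64 83e103 and ecx,3
80565b67 83e6fc and esi,0FFFFFFFCh
80565b6a 83e900 sub ecx,0
80565b6d 0f85c90a0000 jne nt!ExpLookupHandleTableEntry+0x2e (8056663c)
80565b73 8d04c6 lea eax,[esi+eax*8]
80565b76 5e pop esi
80565b77 5d pop ebp
80565b78 c20800 ret 8

*/
}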
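/*
 * Unload routine: the driver holds no resources (EnumHndleTable releases its
 * process reference itself), so there is nothing to tear down. The parameter
 * is marked unused to keep the build warning-clean.
 */
void DriverUnolad(PDRIVER_OBJECT obj){
    UNREFERENCED_PARAMETER(obj);
}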
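/*
 * Driver entry point: registers the unload routine first, then performs the
 * one-shot handle-table enumeration. The registry path is unused. Always
 * returns STATUS_SUCCESS, as in the original.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT obj, PUNICODE_STRING regmsg){
    UNREFERENCED_PARAMETER(regmsg);

    // Register unload before doing any work so the driver can always be stopped.
    obj->DriverUnload = DriverUnolad;

    EnumHndleTable();

    return STATUS_SUCCESS;
}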