驱动遍历句柄表附加第二个方法的反汇编代码；其中还有对其拦截的方式的一些需要 HOOK 处，比如伪造句柄表。
因为大量使用硬编码，所以此份代码通用性不强；一切均在虚拟机 XP3 下操作。
#include "ntddk.h"
/*
 * EX_PUSH_LOCK: the kernel's pointer-sized push lock, reproduced here because
 * HANDLE_TABLE below embeds one as HandleLock.  The low four bits of Value are
 * state flags and the remaining bits count shared acquires.  The macros mirror
 * the bitfield layout for code that inspects Value as a raw word.
 */
#define EX_PUSH_LOCK_LOCK_V          ((ULONG_PTR)0x0)
#define EX_PUSH_LOCK_LOCK            ((ULONG_PTR)0x1)  /* set for exclusive and shared acquires */
#define EX_PUSH_LOCK_WAITING         ((ULONG_PTR)0x2)  /* the pointer has chained waiters */
#define EX_PUSH_LOCK_WAKING          ((ULONG_PTR)0x4)  /* list is being walked to wake or optimise */
#define EX_PUSH_LOCK_MULTIPLE_SHARED ((ULONG_PTR)0x8)  /* held shared by several owners, with waiters */
#define EX_PUSH_LOCK_SHARE_INC       ((ULONG_PTR)0x10) /* increment per shared acquire */
#define EX_PUSH_LOCK_PTR_BITS        ((ULONG_PTR)0xf)  /* mask of the four flag bits */

struct _EX_PUSH_LOCK {
    union {
        struct {
            ULONG_PTR Locked         : 1;
            ULONG_PTR Waiting        : 1;
            ULONG_PTR Waking         : 1;
            ULONG_PTR MultipleShared : 1;
            /* everything above the four flag bits */
            ULONG_PTR Shared         : sizeof(ULONG_PTR) * 8 - 4;
        };
        ULONG_PTR Value; /* the whole word, flag bits in the low nibble */
        PVOID     Ptr;   /* the same word viewed as a pointer */
    };
};
typedef struct _EX_PUSH_LOCK EX_PUSH_LOCK;
typedef EX_PUSH_LOCK *PEX_PUSH_LOCK;
/*
 * HANDLE_TABLE as laid out on the 32-bit XP kernel this file targets (see the
 * note at the top of the file).  Every field is a 32-bit ULONG, including the
 * ones that are presumably pointers on the real kernel (TableCode,
 * QuotaProcess, DebugInfo), so this layout is only valid for x86 and must not
 * be reused on a 64-bit build — the offsets would all shift.
 */
struct _HANDLE_TABLE {
    ULONG        TableCode;                /* ULONG, not a pointer: x86-only */
    ULONG        QuotaProcess;
    ULONG        UniqueProcessId;
    EX_PUSH_LOCK HandleLock;               /* pointer-sized, defined above */
    ULONG        DebugInfo;
    int          ExtraInfoPages;
    ULONG        Flags;
    ULONG        FirstFreeHandle;
    ULONG        LastFreeHandleEntry;
    ULONG        HandleCount;
    ULONG        NextHandleNeedingPool;
    ULONG        HandleCountHighWatermark;
};
typedef struct _HANDLE_TABLE HANDLE_TABLE;
typedef HANDLE_TABLE *PHANDLE_TABLE;
/*
 * Kernel export: looks up the EPROCESS for a process id.  Declared here
 * because the DDK headers in use presumably do not provide the prototype.
 * NOTE(review): the kernel returns a referenced object on success; the
 * caller is expected to release it (ObDereferenceObject) — confirm against
 * the DDK documentation before relying on the pointer past that point.
 */
NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
/*
 * System service descriptor table entry, byte-packed to match the kernel's
 * layout.  KeServiceDescriptorTable is the kernel's exported descriptor for
 * the native system-call table.  NumberOfServices is the bound for any index
 * into ServiceTableBase / ParamTableBase; an index must be checked against it
 * before the tables are read.
 */
#pragma pack(1)
struct ServiceDescriptorEntry {
    unsigned int  *ServiceTableBase;        /* table of service routine addresses */
    unsigned int  *ServiceCounterTableBase; /* per-service counters, presumably */
    unsigned int   NumberOfServices;        /* entry count for the tables above */
    unsigned char *ParamTableBase;          /* per-service parameter byte counts */
};
typedef struct ServiceDescriptorEntry ServiceDescriptorTableEntry_t;
typedef ServiceDescriptorTableEntry_t *PServiceDescriptorTableEntry_t;

/* Exported data symbol from ntoskrnl, bound through the driver's import table. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#pragma pack()
// XP 下 MOVE DEBUGPORT 所需要处理的位置:
/**8065bffb 8987bc000000 mov dword ptr [edi+0BCh],eax
8065c015 83a7bc00000000 and dword ptr [edi+0BCh],0
8065af6f 39bebc000000 cmp dword ptr [esi+0BCh],edi
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
8057c1b2 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065c64c 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
805833d5 83bbbc00000000 cmp dword ptr [ebx+0BCh],0
8057c1b2 399fbc000000 cmp dword ptr [edi+0BCh],ebx
8065c6cb 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8065b25a 8b80bc000000 mov eax,dword ptr [eax+0BCh]
80582dc0 8dbebc000000 lea edi,[esi+0BCh]
80581cb9 399ebc000000 cmp dword ptr [esi+0BCh],ebx
805826d0 81c6bc000000 add esi,0BCh
8058fa53 399ebc000000 cmp dword ptr [esi+0BCh],ebx
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e5db 8b89bc000000 mov ecx,dword ptr [ecx+0BCh]
8057e63a 83b9bc00000000 cmp dword