_HandleTableListHead
kd> dd HandleTableListHead
80563648 e1001cbc e1d4d1ac 00000000 00000000
80563658 00000000 00000000 867eb648 8055c1e0
80563668 00000000 00000000 00000000 00000000
80563678 00000000 00000000 00000000 00000000
80563688 00000000 00000000 00000000 00000000
80563698 bf8c1b60 bf8bf4dc bf919f94 bf919efd
805636a8 bf8c08ed bf8c0bb2 bf8bf49b bf8c0a21
805636b8 bf8c0bf6 867b1ad0 867b1ca0 00000000
This is the list head into which a process's HANDLE_TABLE is linked when CreateProcess creates it.
That HANDLE_TABLE covers every object the process uses; an object's HANDLE is used to search this table for the corresponding OBJECT.
PROCESS 865849e8 SessionId: 0 Cid: 079c Peb: 7ffdf000 ParentCid: 077c
DirBase: 0ed23000 ObjectTable: e175bc48 HandleCount: 743.
Image: Explorer.EXE
kd> !handle 984 7 079c // look up the OBJECT for HANDLE 984 in the process with PID 079c
Searching for Process with Cid == 79c
PROCESS 865849e8 SessionId: 0 Cid: 079c Peb: 7ffdf000 ParentCid: 077c
DirBase: 0ed23000 ObjectTable: e175bc48 HandleCount: 743.
Image: Explorer.EXE
Handle table at e11d1000 with 743 entries in use
0984: Object: e1e85700 GrantedAccess: 000f003f Entry: e11d4308
Object: e1e85700 Type: (867ae980) Key
ObjectHeader: e1e856e8 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\USER\S-1-5-21-515967899-839522115-1343024091-500\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED
kd> dt _eprocess 865849e8
nt!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x1ce2b64`058695a0
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x0000079c Void
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8659c4d0 - 0x8658c7e0 ]
+0x090 QuotaUsage : [3] 0x4c18
+0x09c QuotaPeak : [3] 0x5dc8
+0x0a8 CommitCharge : 0x12a5
+0x0ac PeakVirtualSize : 0x7e78000
+0x0b0 VirtualSize : 0x73bb000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x8659c4fc - 0x8658c80c ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe1628810 Void
+0x0c4 ObjectTable : 0xe175bc48 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0xed66
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x867c99a0 Void
+0x120 VadHint : 0x867c99a0 Void
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0xb47
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe1d8a008 Void
+0x134 Job : (null)
+0x138 SectionObject : 0xe1873940 Void
+0x13c SectionBaseAddress : 0x01000000 Void
+0x140 QuotaBlock : 0x865cb250 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000038 Void
+0x14c InheritedFromUniqueProcessId : 0x0000077c Void
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe187b0b0 Void
+0x160 PhysicalVadList : _LIST_ENTRY [ 0x86584b48 - 0x86584b48 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE
+0x168 Filler : 0
+0x170 Session : 0xf7d44000 Void
+0x174 ImageFileName : [16] "Explorer.EXE"
+0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x18c LockedPagesList : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x8658467c - 0x8652dc24 ]
+0x198 SecurityPort : 0xe104b970 Void
+0x19c PaeTop : (null)
+0x1a0 ActiveThreads : 0x13
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 0x8000
+0x1ac LastThreadExitStatus : 0n0
+0x1b0 Peb : 0x7ffdf000 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0xf1c
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x77
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x8a355
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x435b4c
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x27494
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x255870a
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x170c
+0x1f0 AweInfo : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 0x3007
+0x240 NumberOfVads : 0x195
+0x244 JobStatus : 0
+0x248 Flags : 0xd0800
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y0
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 HasPhysicalVad : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y1
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 Unused3 : 0y0
+0x248 Unused4 : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y00000 (0)
+0x248 Unused1 : 0y0
+0x248 Unused2 : 0y0
+0x24c ExitStatus : 0n259
+0x250 NextPageColor : 0xd44e
+0x252 SubSystemMinorVersion : 0xa ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x40a
+0x254 PriorityClass : 0x2 ''
+0x255 WorkingSetAcquiredUnsafe : 0 ''
+0x258 Cookie : 0x445567f
kd> dt !_handle_table 0xe175bc48
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe11d1001
+0x004 QuotaProcess : 0x865849e8 _EPROCESS
+0x008 UniqueProcessId : 0x0000079c Void
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe1e308a4 - 0xe1762434 ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0n0
+0x030 FirstFree : 0xb90
+0x034 LastFree : 0
+0x038 NextHandleNeedingPool : 0x1000
+0x03c HandleCount : 0n743
+0x040 Flags : 0
+0x040 StrictFIFO : 0y0
Now verify this result with the algorithm used by ExpLookupHandleTableEntry().
---------------------------------------------------------------------------------------------------------------
The TagBit field occupies two bits (bit 0 to bit 1) and is cleared to 0. Therefore tHandle.Value is aligned on a 4-byte boundary (which also reflects that each member of HANDLE_TABLE_ENTRY is 4 bytes wide).
Two zero TagBit bits simply mean that HANDLE_TABLE_ENTRY is addressed at a granularity of 4; HANDLE_TABLE_ENTRY has two members, so its size is 8 bytes.
TableCode
If LEVEL is 0, the table is a single-level structure.
If LEVEL is 1, the table is a two-level structure.
TableOffset is computed as TableOffset = (tHandle.Value & 0xFFFFF800) >> 9; note the result is 4-byte aligned. (The directory level stores pointers to HANDLE_TABLE_ENTRY tables at 4-byte offsets, so the index must be multiplied by 4: shift right by 11, then left by 2.)
Scale is computed as Scale = tHandle.Value & 0x7FF; note this result is also 4-byte aligned.
The Table base is computed as Table = *(PULONG)(Base + TableOffset), i.e. the base address of the HANDLE_TABLE_ENTRY table is read from [Base + TableOffset].
If LEVEL is 2, the table is a three-level structure.
The base addresses of each level are computed as:
ULONG TableOffset = ((tHandle.Value & 0xFFFFF800) >> 9) & 0xFFF;
ULONG DirectoryOffset = (((tHandle.Value & 0xFFFFF800) >> 9) & 0xFFFFF000) >> 10;
ULONG Directory = *((PULONG)(Base + DirectoryOffset)); // Directory base
Table = *((PULONG)(Directory + TableOffset)); // Table base
Scale = tHandle.Value & 0x7FF;
+0x038 NextHandleNeedingPool : 0x1000 // explanation:
When handle values reach this value or above, a new (leaf) table must be allocated.
The leaf table holds HANDLE_TABLE_ENTRY structures (8 bytes each).
A leaf table is one PAGE (4K) in size,
so it holds at most 512 entries. The middle table, however, stores the addresses of HANDLE_TABLE_ENTRY tables as 4-byte pointers, and the handle index advances in steps of 4, so 512 entries give 512*4 = 0x800 at most:
4, 8, 12, ..., 512*4.
In the example above, dt !_handle_table 0xe175bc48 gives
+0x000 TableCode : 0xe11d1001
According to the TableCode layout, this is a two-level table.
handle = 0x984
BASE = 0xe11d1000
TABLEOFFSET = (0x984 & 0xFFFFF800) >> 9 = 4
Scale = tHandle.Value & 0x7FF = 0x184
Table base = [0xe11d1000+4] = e11d4000
kd> dd 0xe11d1000+4
e11d1004 e11d4000 00000000 00000000 00000000
e11d1014 00000000 00000000 00000000 00000000
The HANDLE_TABLE_ENTRY in that table is at e11d4000+0x184*2:
kd> dd e11d4000+0X184*2
e11d4308 e1e856e9 000f003f e122b999 000f003f
e11d4318 e12925a9 000f003f e1ef6fa1 000f003f
e11d4328 865bb129 001f0003 865bb0f9 001f0003
e11d4338 86540381 001f0003 86540351 001f0003
e11d4348 86540321 001f0003 865402f1 001f0003
e11d4358 86692c81 00100000 86692ae1 00100000
e11d4368 864f3769 001f03ff e1103a21 00020019
e11d4378 86512d41 001f0003 86512d11 001f0003
The corresponding OBJECT_HEADER (note the contrast with PspCidTable) is e1e856e9; the header is 8-byte aligned, so the low 3 bits are cleared and the OBJECT_HEADER is e1e856e8.
kd> dt !_object_header
nt!_OBJECT_HEADER
+0x000 PointerCount : 0n1
+0x004 HandleCount : 0n1
+0x004 NextToFree : 0x00000001 Void
+0x008 Type : 0x867ae980 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0 ''
+0x010 ObjectCreateInfo : 0x865cb250 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x865cb250 Void
+0x014 SecurityDescriptor : (null)
+0x018 Body : _QUAD
OBJECT = e1e856e8 + 0x18 = e1e85700, which matches the !handle output:
0984: Object: e1e85700 GrantedAccess: 000f003f Entry: e11d4308
Object: e1e85700 Type: (867ae980) Key
ObjectHeader: e1e856e8 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \REGISTRY\USER\S-1-5-21-515967899-839522115-1343024091-500\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\DISALLOWED
Verified OK.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Notes on PspCidTable
PspCidTable holds pointers to all of the process objects in the system, indexed by PID and CID.
It stores the object body, whereas the per-process HANDLE_TABLE discussed above stores the OBJECT_HEADER.
The lookup algorithm is the same as the per-process OBJECT lookup.
kd> dd pspcidtable
80562460 e1001840 00000002 00000000 00000000
80562470 00000000 00000000 00000000 00000000
80562480 00000000 00000000 00000000 00000000
80562490 00000000 00000000 00000000 00000000
805624a0 00000000 00000000 00000000 00000000
805624b0 00000000 00000000 00000000 00000000
805624c0 00000000 00000000 00000000 00000000
805624d0 00000000 00000000 00000000 00000000
kd> dt !_handle_table e1001840
nt!_HANDLE_TABLE
+0x000 TableCode : 0xe1003000
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : (null)
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe100185c - 0xe100185c ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0n0
+0x030 FirstFree : 0x7a0
+0x034 LastFree : 0x7e0
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 0n316
+0x040 Flags : 1
+0x040 StrictFIFO : 0y1
PROCESS 865849e8 SessionId: 0 Cid: 079c Peb: 7ffdf000 ParentCid: 077c
DirBase: 0ed23000 ObjectTable: e175bc48 HandleCount: 743.
Image: Explorer.EXE
Look up CID 079C through PspCidTable.
TableCode 0xe1003000 indicates a level-0 (single-level) structure.
By the algorithm above, the HANDLE_TABLE_ENTRY address is 0xe1003000+079C*2:
kd> dd 0xe1003000+079C*2
e1003f38 865849e9 00000000 00000000 000006e4
e1003f48 86584451 00000000 00000000 000000ac
e1003f58 864f39f9 00000000 86530021 00000000
e1003f68 8656e861 00000000 8656e4e1 00000000
e1003f78 865b34f9 00000000 8656bda9 00000000
e1003f88 8658d021 00000000 86569da9 00000000
e1003f98 865a0da9 00000000 86568da9 00000000
e1003fa8 00000000 000003d0 86567021 00000000
The corresponding OBJECT (note that PspCidTable stores the OBJECT body) is 8-byte aligned:
865849e8
PROCESS 865849e8
which is exactly the EPROCESS structure of that process.
The corresponding OBJECT_HEADER = 865849e8 - 0x18 = 865849d0
kd> !object 865849e8
Object: 865849e8 Type: (867b7e38) Process
ObjectHeader: 865849d0 (old version)
HandleCount: 7 PointerCount: 362
OK
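The two walks above (the per-process handle table for handle 0x984 and the PspCidTable walk for CID 0x79c) can be reproduced with the following added C model. It is example code written for this page, not the kernel's own ExpLookupHandleTableEntry() and not code from the original post. It runs in user mode against a constructed "memory image" that contains only the DWORDs the walk reads, taken from the kd> dumps above; the 32-bit XP layout assumed is the one the page describes (8-byte HANDLE_TABLE_ENTRY, 4-byte table pointers, OBJECT_HEADER Body at +0x18). The three-level case goes beyond the page's worked examples: its TableCode 0xa0000002, handle 0x201234 and the two pointer cells are hypothetical values constructed here to exercise the DirectoryOffset/TableOffset formulas.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint32_t va; uint32_t value; } dword_cell;

/* Constructed memory image: only the DWORDs the lookups touch.
 * First four cells are copied from the kd> dumps on the page; the
 * 0xa000.../0xb000... cells are hypothetical, for the three-level case. */
static const dword_cell fake_memory[] = {
    { 0xe11d1004, 0xe11d4000 }, /* Explorer table: middle-level slot -> leaf table */
    { 0xe11d4308, 0xe1e856e9 }, /* Explorer table: entry for 0x984, Object field */
    { 0xe11d430c, 0x000f003f }, /* Explorer table: entry for 0x984, GrantedAccess */
    { 0xe1003f38, 0x865849e9 }, /* PspCidTable: entry for CID 0x79c */
    { 0xa0000004, 0xb0000000 }, /* hypothetical 3-level: top directory slot */
    { 0xb0000008, 0xc0000000 }, /* hypothetical 3-level: middle table slot */
};

/* Read one DWORD from the constructed image; 0 means "not mapped". */
uint32_t read_dword(uint32_t va) {
    for (size_t i = 0; i < sizeof fake_memory / sizeof fake_memory[0]; i++)
        if (fake_memory[i].va == va) return fake_memory[i].value;
    return 0;
}

/* Byte offsets derived from the handle value, following the formulas above. */
uint32_t leaf_offset(uint32_t h)    { return (h & 0x7FF) * 2; }        /* Scale*2: 8-byte entries, handle step 4 */
uint32_t middle_offset(uint32_t h)  { return (h & 0xFFFFF800) >> 9; }  /* two-level TableOffset */
uint32_t middle_offset3(uint32_t h) { return ((h & 0xFFFFF800) >> 9) & 0xFFF; }
uint32_t top_offset(uint32_t h)     { return (((h & 0xFFFFF800) >> 9) & 0xFFFFF000) >> 10; }

/* Address of the HANDLE_TABLE_ENTRY for handle h, or 0 if the walk fails. */
uint32_t lookup_handle_entry(uint32_t table_code, uint32_t h) {
    uint32_t level = table_code & 3;   /* low two bits of TableCode = LEVEL */
    uint32_t base  = table_code & ~3u; /* remaining bits = table base */
    uint32_t dir, table;
    switch (level) {
    case 0:
        return base + leaf_offset(h);
    case 1:
        table = read_dword(base + middle_offset(h));
        return table ? table + leaf_offset(h) : 0;
    case 2:
        dir = read_dword(base + top_offset(h));
        if (!dir) return 0;
        table = read_dword(dir + middle_offset3(h));
        return table ? table + leaf_offset(h) : 0;
    default:
        return 0;                      /* LEVEL 3 is not a valid encoding */
    }
}

/* The Object field of an entry is an 8-byte-aligned pointer with flag
 * bits in its low 3 bits; mask them off to recover the pointer. */
uint32_t entry_pointer(uint32_t entry_va) { return read_dword(entry_va) & ~7u; }

#define OBJECT_HEADER_BODY_OFFSET 0x18  /* +0x018 Body in _OBJECT_HEADER above */

uint32_t body_from_header(uint32_t hdr)  { return hdr + OBJECT_HEADER_BODY_OFFSET; }
uint32_t header_from_body(uint32_t body) { return body - OBJECT_HEADER_BODY_OFFSET; }

int main(void) {
    /* Per-process table: TableCode 0xe11d1001 (two-level), handle 0x984.
     * The entry holds the OBJECT_HEADER; the body is 0x18 past it. */
    uint32_t e   = lookup_handle_entry(0xe11d1001, 0x984);
    uint32_t hdr = entry_pointer(e);
    printf("entry %08x header %08x body %08x access %08x\n",
           (unsigned)e, (unsigned)hdr, (unsigned)body_from_header(hdr),
           (unsigned)read_dword(e + 4));

    /* PspCidTable: TableCode 0xe1003000 (single-level), CID 0x79c.
     * Here the entry holds the object body (EPROCESS) directly. */
    uint32_t c    = lookup_handle_entry(0xe1003000, 0x79c);
    uint32_t body = entry_pointer(c);
    printf("cid entry %08x eprocess %08x header %08x\n",
           (unsigned)c, (unsigned)body, (unsigned)header_from_body(body));
    return 0;
}
```

The two printf lines should reproduce the page's values (entry e11d4308, header e1e856e8, body e1e85700, access 000f003f; cid entry e1003f38, EPROCESS 865849e8, header 865849d0). The difference between the two tables is only in what the entry points at: a per-process entry carries an OBJECT_HEADER, a PspCidTable entry carries the object body, so header_from_body() rather than body_from_header() applies.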
Checked against: http://hi.baidu.com/k273811702/item/1a90a5f3a625201be2e3bd2c