
win10 1909 解析内核句柄表----ObpKernelHandleTable【目前只考虑两层句柄表的解析,因为懒】


因为win10将句柄表加密了,写个小工具来实现解密(因为本人电脑句柄表是二层结构,所以只写了二层结构实现,一层和三层可以自己实现):

#include <ntddk.h>
#include "Handle.h"

VOID Unload(PDRIVER_OBJECT pDriverObject)
{
	/* DriverUnload callback: nothing was allocated in DriverEntry, so only log. */
	(void)pDriverObject;
	KdPrint(("end\n"));
}

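NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	/*
	 * Driver entry point.
	 *
	 * 1. Reads the kernel handle table pointer out of the System EPROCESS
	 *    (EPROCESS.ObjectTable, offset 0x418 on the Win10 1909 x64 build this
	 *    was written against).
	 * 2. Scans the first 50 bytes of ObGetObjectType for a RIP-relative
	 *    instruction that references ObTypeIndexTable and resolves its target.
	 * 3. Walks the handle table (AnalyticHandle).
	 *
	 * Both the offset and the byte pattern are build specific: on another
	 * build they dereference the wrong memory, which in kernel mode means a
	 * bugcheck rather than an error.  A version check (RtlGetVersion) before
	 * using them is advisable.  pRegPath is unused; the function always
	 * returns STATUS_SUCCESS so the driver stays loaded even when the lookup
	 * fails.
	 */
	NTSTATUS status = STATUS_SUCCESS;
	(void)pRegPath;

	KdPrint(("start\n"));
	pDriverObject->DriverUnload = Unload;

	/* Step 1: kernel handle table == System process EPROCESS.ObjectTable. */
	enum { EPROCESS_OBJECTTABLE_OFFSET_1909 = 0x418 };
	PUCHAR System = (PUCHAR)PsInitialSystemProcess;
	PHANDLE_TABLE ObpKernelHandleTable =
		(PHANDLE_TABLE)(*(PUINT64)(System + EPROCESS_OBJECTTABLE_OFFSET_1909));
	if (ObpKernelHandleTable == NULL)
	{
		/* Offset does not hold a table pointer on this build; do not walk garbage. */
		KdPrint(("ObjectTable at EPROCESS+0x%x is NULL, offset is probably wrong for this build\n",
			EPROCESS_OBJECTTABLE_OFFSET_1909));
		return status;
	}

	/*
	 * Step 2: locate ObTypeIndexTable.  The match is a 7-byte instruction
	 * "48 ?? 0D disp32"; its target is the address following the instruction
	 * plus the sign-extended 32-bit displacement.  If several bytes match, the
	 * last match wins (same as the original).  The result is stored in the
	 * global only; the handle walk below uses ObGetObjectType directly.
	 */
	PUCHAR var = (PUCHAR)ObGetObjectType;
	for (int i = 0; i < 50; i++, var++)
	{
		if (var[0] == 0x48 && var[2] == 0x0d)
		{
			LONG32 disp = *(PLONG32)(var + 3);
			ObTypeIndexTable = (PINT64)(var + 7 + disp);
		}
	}
	if (ObTypeIndexTable == NULL)
	{
		KdPrint(("ObTypeIndexTable pattern not found in ObGetObjectType\n"));
	}

	/* Step 3: enumerate the table. */
	AnalyticHandle(ObpKernelHandleTable);

	return status;
}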

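PVOID NTAPI AnalyticHandle(IN PHANDLE_TABLE HandleTable)
{
	/*
	 * Walk a two-level handle table and KdPrint every object it references.
	 *
	 * HandleTable->TableCode carries the table level in its low two bits and
	 * the page address in the remaining bits.  Only level 1 is handled: a
	 * page of up to 512 pointers to entry pages, each entry page being 256
	 * entries of 16 bytes.  Entry 0 of each page is skipped.  Other levels
	 * are reported and skipped.
	 *
	 * The object header is recovered from the first 8 bytes of an entry by
	 * shifting right 16 and clearing the low 4 bits; this matches the entry
	 * encoding on the Win10 1909 x64 build this was written for and relies on
	 * the compiler's arithmetic right shift of a negative INT64 to keep the
	 * high address bits set.  On other builds the decoded address may be
	 * invalid; there is no MmIsAddressValid guard before it is dereferenced,
	 * so a wrong layout bugchecks rather than fails cleanly.
	 *
	 * Writes the globals Object and pObjectType as a side effect, sleeps
	 * 10 ms per printed object, and always returns NULL.
	 */
	INT64 TableBase = 0;
	INT64 TableLevel = 0;
	PUINT64 varTableEntry = NULL;
	PUCHAR ObjectHeader = NULL;

	if (HandleTable == NULL)
	{
		return NULL;
	}

	TableBase = (INT64)HandleTable->TableCode;
	TableLevel = TableBase & 3;
	TableBase &= ~(INT64)3;

	if (TableLevel != 1)
	{
		KdPrint(("handle table level %lld is not supported\n", TableLevel));
		return NULL;
	}

	/* Mid-level page: stop at the first NULL slot or after 512 slots. */
	for (int i = 0; i < 0x200 && *(PUINT64)TableBase != 0; i++, TableBase += 8)
	{
		varTableEntry = (PUINT64)(*(PUINT64)TableBase);
		/* Entry 0 of an entry page is not a usable handle entry. */
		varTableEntry += 2;

		/* 255 remaining entries of 16 bytes (two UINT64 each). */
		for (int j = 0; j < 0xFF; j++, varTableEntry += 2)
		{
			if (*varTableEntry == 0)
			{
				continue;
			}

			ObjectHeader = (PUCHAR)((((INT64)*varTableEntry) >> 0x10) & 0xFFFFFFFFFFFFFFF0);
			/* OBJECT_HEADER.Body lives 0x30 bytes into the header. */
			Object = ObjectHeader + 0x30;
			pObjectType = (POBJECT_TYPE)ObGetObjectType(Object);
			if (pObjectType == NULL)
			{
				/* Do not dereference ->Name on a failed type lookup. */
				continue;
			}
			KdPrint(("varTableEntry=%llx,ObjectHeader=%p,ObjectType=%wZ\n",
				*varTableEntry, ObjectHeader, &pObjectType->Name));
			/* Throttle so the walk does not starve the system. */
			KSleep(10);
		}
	}
	return NULL;
}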
VOID KSleep(LONG MilliSecond)
{
	/* Block the calling thread for MilliSecond milliseconds (relative, non-alertable wait). */
	LARGE_INTEGER Interval = { 0 };
	Interval.QuadPart = (INT64)DELAY_ONE_MILLISECOND * MilliSecond;
	KeDelayExecutionThread(KernelMode, 0, &Interval);
}

下面是头文件(Handle.h):

#include <ntddk.h>
/* Wait intervals for KeDelayExecutionThread: the unit is 100 ns and a negative value means a relative delay. */
#define DELAY_ONE_MICROSECOND   (-10)
#define DELAY_ONE_MILLISECOND   (DELAY_ONE_MICROSECOND*1000)

/*
 * Hand-written, partial copy of nt!_HANDLE_TABLE for the Win10 1909 x64 build
 * this code was written against.  Only TableCode is read (by AnalyticHandle);
 * the two 4-byte members before it exist so that it lands at offset 8.  Do not
 * reorder or resize members without re-checking the build's symbols.
 */
typedef struct _HANDLE_TABLE
{
	ULONG NextHandleNeedingPool;
	LONG ExtraInfoPages;
	ULONG64 TableCode;           /* low 2 bits: table level; remaining bits: page address */
	PEPROCESS QuotaProcess;
	LIST_ENTRY HandleTableList;
	ULONG UniqueProcessId;
	ULONG Flags;
	ULONG64 HandleContentionEvent;

}HANDLE_TABLE, *PHANDLE_TABLE;

/*
 * Truncated copy of nt!_OBJECT_TYPE: only the leading members are declared.
 * Only Name is read (the %wZ in AnalyticHandle).  Because the tail is
 * missing, sizeof(OBJECT_TYPE) and arrays of it are wrong; use it through a
 * pointer only.
 */
typedef struct _OBJECT_TYPE
{
	LIST_ENTRY TypeList;
	UNICODE_STRING Name;         /* type name, e.g. printed with %wZ */
	PVOID DefaultObject;
	UCHAR Index;
	ULONG TotalNumberOfObjects;
	ULONG TotalNumberOfHandles;
	ULONG HighWaterNumberOfObjects;
	ULONG HighWaterNumberOfHandles;
    /* Remaining members are not needed yet and are omitted. */
}OBJECT_TYPE, *POBJECT_TYPE;

/* Walks a level-1 handle table and prints its objects; always returns NULL. */
PVOID NTAPI AnalyticHandle(IN PHANDLE_TABLE HandleTable);
/* Local prototype for the exported ObGetObjectType; the result is cast to POBJECT_TYPE by the caller. */
NTKERNELAPI PVOID NTAPI ObGetObjectType(IN PVOID pObject);
/*
 * NOTE: the following are variable *definitions* in a header.  Including
 * Handle.h from more than one translation unit would produce duplicate
 * symbols; they should be `extern` here and defined once in a .c file.
 * ObHeaderCookie and TypeIndex are not referenced by the driver source shown.
 */
PSHORT ObHeaderCookie = 0;
PINT64 ObTypeIndexTable = 0;     /* set by DriverEntry's pattern scan; not otherwise used */
UCHAR TypeIndex;
/* NOTE(review): ntddk.h appears to already declare PsInitialSystemProcess; this line is likely redundant — confirm. */
NTKERNELAPI PEPROCESS PsInitialSystemProcess;
PVOID Object;                    /* last object body visited by AnalyticHandle */
POBJECT_TYPE pObjectType;        /* type of the last object visited by AnalyticHandle */
/* Relative, non-alertable delay of MilliSecond milliseconds. */
VOID KSleep(LONG MilliSecond);

效果图:

win10 1909 解析内核句柄表----ObpKernelHandleTable【目前只考虑两层句柄表的解析,因为懒】

win10 1909 解析内核句柄表----ObpKernelHandleTable【目前只考虑两层句柄表的解析,因为懒】