Object Type Number 是个硬编码,在不同版本的 NT 下不尽相同。
(不知道有何用?google:NtQuerySystemInformation SystemHandleInformation)
翻了不少资料,终于实现了动态获取(直接、高效)。
Win 7 SP1 32位、Win XP SP3 32位下通过测试,跟大家分享一下代码:
//---------------------------------------------------------------------------
/*
 * Return the OS major version (the low byte of GetVersion()).
 *
 * Note: GetVersion() is deprecated since Windows 8.1 and the value it reports
 * depends on the application's compatibility manifest, so callers should treat
 * this as a coarse XP-vs-Vista+ discriminator only.
 */
DWORD GetWindowsMajorVersion(void)
{
    DWORD dwPacked = GetVersion();
    DWORD dwMajor = dwPacked & 0xFF;
    return dwMajor;
}
//---------------------------------------------------------------------------
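UCHAR GetObjectTypeNumberW(WCHAR *pszObjectTypeNameW)
{
    /*
     * Map an object type name (e.g. L"Process") to the type number that
     * SystemHandleInformation reports per handle, by walking the list that
     * NtQueryObject(NULL, ObjectAllTypesInformation, ...) returns.
     *
     * pszObjectTypeNameW: NUL-terminated type name, compared case-sensitively.
     * Returns 0 when the argument is NULL, the query fails, the name is not
     * found, or memory runs out; otherwise the 1-based position of the type in
     * the list, plus one more when the major version is above 5 (the empirical
     * adjustment the author verified on XP SP3 and Win 7 SP1 -- later releases
     * may number types differently, so validate the result before relying on it).
     */
    UCHAR nObjectType = 0;
    if (!pszObjectTypeNameW)
    {
        return 0;
    }
    size_t nNameChars = wcslen(pszObjectTypeNameW);

    /* Grow the buffer by doubling until the kernel accepts its size. */
    ULONG nBufferSize = PAGE_SIZE;
    OBJECT_ALL_TYPES_INFORMATION *poati = (OBJECT_ALL_TYPES_INFORMATION *)malloc(nBufferSize);
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
    while (poati)
    {
        status = NtQueryObject(NULL, ObjectAllTypesInformation, poati, nBufferSize, NULL);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        free(poati);
        poati = NULL;
        if (nBufferSize > (ULONG)-1 / 2)
        {
            break;  /* doubling would wrap ULONG and spin forever */
        }
        nBufferSize *= 2;
        poati = (OBJECT_ALL_TYPES_INFORMATION *)malloc(nBufferSize);
    }

    if (poati && status == 0)   /* 0 == STATUS_SUCCESS */
    {
        OBJECT_TYPE_INFORMATION *poti = &poati->TypeInformation;
        for (ULONG i = 0; i < poati->NumberOfTypes; i++)
        {
            /* TypeName is a UNICODE_STRING: Length is in bytes and the buffer is
             * not guaranteed to be NUL-terminated, so compare by length instead
             * of wcscmp(). */
            size_t nTypeChars = poti->TypeName.Length / sizeof (WCHAR);
            if (nTypeChars == nNameChars && poti->TypeName.Buffer != NULL &&
                wcsncmp(pszObjectTypeNameW, poti->TypeName.Buffer, nNameChars) == 0)
            {
                nObjectType = (UCHAR)(i + 1);
                if (GetWindowsMajorVersion() > 5)
                {
                    nObjectType += 1;   /* offset observed on Win 7 (major > 5) */
                }
                break;
            }
            /* The next entry starts right after the name buffer, padded up to
             * pointer alignment: sizeof (void *) is 4 on 32-bit (the original's
             * "n + n % 2" WCHARs) and 8 on 64-bit, so the walk works for both. */
            size_t nPadded = (poti->TypeName.MaximumLength + sizeof (void *) - 1) & ~(sizeof (void *) - 1);
            poti = (OBJECT_TYPE_INFORMATION *)((char *)poti->TypeName.Buffer + nPadded);
        }
    }
    free(poati);    /* free(NULL) is a no-op */
    return nObjectType;
}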
//---------------------------------------------------------------------------
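UCHAR GetObjectTypeNumberA(char *pszObjectTypeNameA)
{
    /*
     * ANSI wrapper around GetObjectTypeNumberW: widens the name with
     * wsprintfW(L"%S") and forwards it.
     *
     * pszObjectTypeNameA: NUL-terminated ANSI type name (e.g. "Process").
     * Returns whatever GetObjectTypeNumberW returns, or 0 when the argument is
     * NULL, allocation fails, or the conversion did not produce exactly
     * strlen() characters.
     */
    UCHAR nObjectType = 0;
    if (!pszObjectTypeNameA)
    {
        return 0;
    }
    /* size_t, not USHORT: a long name must not be silently truncated into a
     * too-small allocation. */
    size_t nNameLength = strlen(pszObjectTypeNameA);
    WCHAR *pszObjectTypeNameW = (WCHAR *)malloc((nNameLength + 1) * sizeof (WCHAR));
    if (pszObjectTypeNameW)
    {
        /* wsprintfW returns the number of characters written (excluding the
         * terminator); anything else means the conversion failed or changed
         * the length. */
        int nWritten = wsprintfW(pszObjectTypeNameW, L"%S", pszObjectTypeNameA);
        if (nWritten >= 0 && (size_t)nWritten == nNameLength)
        {
            /* Use the call's return value directly instead of reading the
             * compiler-specific _AL pseudo-register after the call. */
            nObjectType = GetObjectTypeNumberW(pszObjectTypeNameW);
        }
        free(pszObjectTypeNameW);
    }
    return nObjectType;
}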