-
-
[原创]也说说WIN8下的ExEnumHandleTable
-
2012-11-16 20:53
-
以前在XP和WIN7下跑得好好的代码到了WIN8下就不实用了,第一次枚举还OK,如果第二次枚举就会发现发生死锁了,IDA了一下系统自己的函数,微软自己是的回调函数是这么写的:
char __stdcall ObpEnumFindHandleProcedure(_HANDLE_TABLE *a1, _HANDLE_TABLE_ENTRY *a2, HANDLE a3, PULONG a4)
{
signed int _EDX; //
int v5; //
ULONG v6; //
char v7; //
_HANDLE_TABLE_ENTRY *_EAX; //
ULONG v15; //
int v16; //
v5 = a2->___u0.VolatileLowValue;
_EDX = 1;
if ( *a4 && *a4 != (a2->___u0.VolatileLowValue & 0xFFFFFFF8) )
goto LABEL_19;
v6 = a4[1];
if ( v6 )
{
if ( v6 != *(&ObTypeIndexTable + *(_BYTE *)((a2->___u0.VolatileLowValue & 0xFFFFFFF8) + 0xC)) )
goto LABEL_19;
}
v15 = a4[2];
if ( !v15 )
goto LABEL_20;
v16 = v5 & 6;
if ( a2->___u1.HighValue & 0x2000000 )
v16 |= 1u;
if ( *(_DWORD *)v15 != v16 || *(_DWORD *)(v15 + 4) != (a2->___u1.HighValue & 0x1FFFFFF) )
LABEL_19:
v7 = 0;
else
LABEL_20:
v7 = 1;
_EAX = a2;
//这个下面的这几句是然后续枚举不发生死锁的关键
__asm { lock xadd [eax], edx }//这个是把Entry的locked标志上锁,我不知道这个标志最后在哪里被清除……如果这个是0,下次枚举的时候就会在Entry上锁住
if ( a1->HandleContentionEvent.___u0.Value )//这个是push_lock
ExfUnblockPushLock(&a1->HandleContentionEvent, 0);//如果这个没信号,下次枚举一样会锁住。
return v7;
}我对里面的这几个锁还是不熟悉,觉得直接搞这个还是有风险,于是继续IDA一下,把ExEnumHandleTable给实现了,大部分代码是直接F5出来的,跑了一下发现没有问题,调用方式兼容WIN7和XP的参数格式,注意我这里枚举的时候没有给句柄表上锁,自己用的时候要上锁!!给有需要的人参考PHANDLE_TABLE_ENTRYWIN8
__fastcall
ExpLookupHandleTableEntry(
PHANDLE_TABLEWIN8 HandleTable,
ULONG Index)
{
ULONG TableCode;
PHANDLE_TABLE_ENTRYWIN8 Result = NULL;
if ( (Index & 0xFFFFFFFCu) >= HandleTable->NextHandleNeedingPool )
{
Result = NULL;
}
else
{
TableCode = HandleTable->TableCode;
if ( TableCode & 3 )
{
if ( (TableCode & 3) == 1 )
Result = (PHANDLE_TABLE_ENTRYWIN8)(*(PULONG)(TableCode + 4 * ((Index & 0xFFFFFFFCu) >> 11) - 1) + 2 * (Index & 0x7FC));
else
Result = (PHANDLE_TABLE_ENTRYWIN8)(*(PLONG)(*(PLONG)(TableCode + 4 * ((Index & 0xFFFFFFFCu) >> 21) - 2) + 4 * (((Index & 0xFFFFFFFCu) >> 11) & 0x3FF)) + 2 * (Index & 0x7FC));
}
else
{
Result = (PHANDLE_TABLE_ENTRYWIN8)(TableCode + 2 * (Index & 0xFFFFFFFC));
}
}
return Result;
}
BOOLEAN
__fastcall
ExpEnumHandleTable(
PHANDLE_TABLEWIN8 HandleTable,
EX_ENUMERATE_HANDLE_ROUTINE Callback,
PVOID CallbackData,
PHANDLE lpHanlde)
{
PHANDLE_TABLE_ENTRYWIN8 lpEntry = NULL;
ULONG hStart = 4;
ULONG dwFlags =0;
lpEntry = ExpLookupHandleTableEntry(HandleTable,hStart);
while (TRUE)
{
if (lpEntry==NULL)
break;
if ((ULONG)(lpEntry->LowValue)>=(ULONG)MmSystemRangeStart)
{
//call callbck
if (Callback(lpEntry,(HANDLE)hStart,CallbackData))
{
if (lpHanlde)
*lpHanlde = (HANDLE)hStart ;
break;
}
}
dwFlags = hStart^(hStart+4);
if (dwFlags>=0x800)
{
hStart+=8;
lpEntry = ExpLookupHandleTableEntry(HandleTable,hStart);
}
else
{
hStart+=4;
++lpEntry ;
}
}
return TRUE ;
}
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
|
|
|---|---|
|
|
|
|
|
|
|
|
|
