[求助]如何遍历系统的所有互斥量-编程技术-看雪-安全社区|安全招聘|kanxue.com

最新回复 (3)

achillis

雪币： 7651

活跃值： (523)

能力值：

( LV9，RANK：610 )

在线值：

发帖

回帖

2032

粉丝

关注

私信

achillis 15: 2 楼

系统所有Mutant类型的对象都在\BaseNamedObjects目录下，遍历该目录，验证对象类型是Mutant就可以了

lkd> !object \
Object: e1001348  Type: (89e62180) Directory
    ObjectHeader: e1001330 (old version)
    HandleCount: 0  PointerCount: 38
    Directory Object: 00000000  Name: \
    239 symbolic links snapped through this directory
 
    Hash Address  Type          Name
    ---- -------  ----          ----
     00  e100b4b8 Directory     ArcName
         89db17b8 Device        Ntfs
         ...
     23  e16ad330 Directory     BaseNamedObjects
         e1009f58 Directory     KernelObjects
lkd> !object e16ad330 //这个是BaseNamedObjects目录的对象地址
Object: e16ad330  Type: (89e62180) Directory
    ObjectHeader: e16ad318 (old version)
    HandleCount: 43  PointerCount: 475
    Directory Object: e1001348  Name: BaseNamedObjects
 
    Hash Address  Type          Name
    ---- -------  ----          ----
     00  890ffed0 Mutant        CTF.Layouts.MutexDefaultS-1-5-21-1645522239-1659004503-682003330-500
         891efd28 Mutant        CTF.Compart.MutexDefaultS-1-5-21-1645522239-1659004503-682003330-500
         89112838 Mutant        ZonesCacheCounterMutex
           ...
lkd> !object 890ffed0 //取一个来看看
Object: 890ffed0  Type: (89e2a040) Mutant
    ObjectHeader: 890ffeb8 (old version)
    HandleCount: 15  PointerCount: 16
    Directory Object: e16ad330  Name: CTF.Layouts.MutexDefaultS-1-5-21-1645522239-1659004503-682003330-500
lkd> dt _OBJECT_HEADER 890ffed0-0x18
nt!_OBJECT_HEADER
   +0x000 PointerCount     : 0n16
   +0x004 HandleCount      : 0n15
   +0x004 NextToFree       : 0x0000000f Void
   +0x008 Type             : 0x89e2a040 _OBJECT_TYPE  //检查这里
   +0x00c NameInfoOffset   : 0x10 ''
   +0x00d HandleInfoOffset : 0 ''
   +0x00e QuotaInfoOffset  : 0 ''
   +0x00f Flags            : 0x20 ' '
   +0x010 ObjectCreateInfo : 0x891944a8 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x891944a8 Void
   +0x014 SecurityDescriptor : 0xe2a855fe Void
   +0x018 Body             : _QUAD
lkd> dt _OBJECT_TYPE 0x89e2a040  //看一下对象类型
nt!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x89e2a078 - 0x89e2a078 ]
   +0x040 Name             : _UNICODE_STRING "Mutant" //没错，是Mutant
   +0x048 DefaultObject    : (null) 
   +0x04c Index            : 0xb
   +0x050 TotalNumberOfObjects : 0x14f
   +0x054 TotalNumberOfHandles : 0x223
   +0x058 HighWaterNumberOfObjects : 0x150
   +0x05c HighWaterNumberOfHandles : 0x23d
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x6174754d
   +0x0b0 ObjectLocks      : [4] _ERESOURCE