[原创]伪造句柄,绕过Callback保护
发表于:
2016-4-9 20:17
/*
 * ForceTerminateProcess - terminate the process identified by Processid by
 * opening a handle to the caller's own process, re-pointing that handle-table
 * entry at the target (ModifyHandleObject, not defined on this page), calling
 * ZwTerminateProcess through it, and then restoring the entry.
 *
 * Processid: PID of the process to terminate.
 * Returns: the NTSTATUS of the first failing call, otherwise the status of
 *          ZwTerminateProcess.
 *
 * NOTE(review): PsLookupProcessByProcessId adds a reference to TargetProcess
 * and nothing below ever releases it, so every path after a successful lookup
 * leaks that reference; the early exit after ObOpenObjectByPointer releases
 * MyProcess instead, which was never referenced. The results of the two
 * ModifyHandleObject calls are not checked.
 */
NTSTATUS ForceTerminateProcess(IN HANDLE Processid)
{
NTSTATUS status;
HANDLE hProcess;
PEPROCESS MyProcess;
PEPROCESS TargetProcess;
MyProcess = PsGetCurrentProcess();// first get our own EPROCESS (this call adds no reference)
status = PsLookupProcessByProcessId(Processid,&TargetProcess);
if(!NT_SUCCESS(status))
{
// NOTE(review): Processid is a HANDLE (pointer-sized on x64); %d is the wrong conversion for it, %p would match
KdPrint(("PsLookupProcessByProcessId 失败 pid[%d] error 0x%08X\r\n",Processid,status));
return status;
}
// first open a handle to our own process
status = ObOpenObjectByPointer(
MyProcess,
0,
NULL,
PROCESS_ALL_ACCESS,
* PsProcessType,
KernelMode,
&hProcess
);
if(!NT_SUCCESS(status))
{
// NOTE(review): PsGetCurrentProcess() did not take a reference, so this drops one that was never taken;
// the reference held on TargetProcess (from PsLookupProcessByProcessId) is the one that should be released here
ObDereferenceObject (MyProcess);
KdPrint(("ObOpenObjectByPointer 失败 error 0x%08X\r\n",status));
return status;
}
// next, find the entry for hProcess in our own process's handle table and overwrite its Object pointer
// with the target process pointer (implementation not shown on this page; result not checked)
ModifyHandleObject(MyProcess, TargetProcess, hProcess);
// then terminate through the re-pointed handle
status = ZwTerminateProcess(hProcess,0);
if(!NT_SUCCESS(status))
{
// failure is only logged; the handle is still restored and closed below, and the failing status is returned
KdPrint(("ZwTerminateProcess 失败 error 0x%08X\r\n",status));
}
// once done, point the handle back at our own process before closing it
ModifyHandleObject(MyProcess, MyProcess, hProcess);
NtClose(hProcess);
// NOTE(review): TargetProcess is still referenced at this point; an ObDereferenceObject(TargetProcess) is missing
return status;
}
ModifyHandleObject实现方法就不发了
流程是这样的
先取出自身进程的句柄表,然后取TableCode,
枚举Handle,
枚举到之后,再修改HandleTableEntry->Object值为对象的eprocess指针
HandleTableEntry->Object的值并不等价于eprocess指针
需要抹去最后一位,然后加上HandleTableList在HANDLE_TABLE里的偏移
经测试,可以直接干掉NP的进程,读写内存应该也不是问题