DuplicateHandle这个API网上资料很多,应用资料很少,主要就是这个东西。
多开这个东西如果完全是关句柄能搞定,那就是暴利啊。
代码:(关闭外部进程(进程名带有 Client 字符串)中的一个句柄。这个句柄类型是 Event,句柄名称中带有 '外传' 字符串)
这里用到了 2 次 DuplicateHandle:第一次只带 DUPLICATE_SAME_ACCESS,仅用于查询;第二次才带 DUPLICATE_CLOSE_SOURCE 真正关闭。如果合成一次执行,遇到非目标句柄时就会造成句柄泄漏,硬件再给力也会卡的 BUG,所以要分 2 次。
#include <windows.h>
#include "tlhelp32.h"
#include <cstddef>
#include <vector>
using namespace std;
// Process IDs collected by the most recent GetProcessIdByName() call
// (cleared on every call); main() iterates it after each lookup.
vector<DWORD> processArray;
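/// Collects the IDs of all running processes whose executable name contains
/// pName (plain substring match via strstr, so case-sensitive) into the
/// global processArray, which is cleared first.
/// @param pName  Substring to look for in PROCESSENTRY32::szExeFile.
///               NULL is treated as "no match" instead of being passed to strstr.
/// @return The first matching process ID, or 0 when nothing matched or the
///         snapshot could not be taken. The full match list is in processArray.
DWORD GetProcessIdByName(LPCTSTR pName)
{
    processArray.clear();
    if (pName == NULL)
    {
        return 0;
    }
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (INVALID_HANDLE_VALUE == hSnapshot)
    {
        return 0;
    }
    DWORD firstMatch = 0;
    PROCESSENTRY32 pe = { sizeof(pe) };
    // strstr on szExeFile only compiles for an ANSI (non-UNICODE) build;
    // a UNICODE build would need _tcsstr here.
    for (BOOL fOk = Process32First(hSnapshot, &pe); fOk; fOk = Process32Next(hSnapshot, &pe))
    {
        if (strstr(pe.szExeFile, pName) != NULL)
        {
            if (firstMatch == 0)
            {
                firstMatch = pe.th32ProcessID;
            }
            processArray.push_back(pe.th32ProcessID);
        }
    }
    // The snapshot handle is released on every path once it was created.
    CloseHandle(hSnapshot);
    return firstMatch;
}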
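/// Resolves the kernel object name behind a handle (ZwQueryObject with
/// ObjectNameInformation) and stores it as an ANSI string in retName.
/// @param handle       A handle that is valid in the current process.
/// @param retName      Output buffer; receives the converted name.
/// @param retNameSize  Capacity of retName in characters. Defaults to 256,
///                     which matches the buffer main() passes.
/// @return true when a name was written to retName; false when ntdll or
///         ZwQueryObject could not be resolved, the allocation failed, the
///         query failed, or the object has no name buffer. The contents of
///         retName are unspecified when false is returned.
bool GetObjectNameByHandle(HANDLE handle, char* retName, size_t retNameSize = 256)
{
    if (retName == NULL || retNameSize == 0)
    {
        return false;
    }
    HMODULE hNtdll = GetModuleHandle("ntdll.dll");
    if (hNtdll == NULL)
    {
        return false;
    }
    _NtQueryObject ZwQueryObject = (_NtQueryObject)GetProcAddress(hNtdll, "ZwQueryObject");
    if (ZwQueryObject == NULL)
    {
        // Resolving failed; the original dereferenced a NULL function pointer here.
        return false;
    }
    const ULONG bufferSize = 0x200;
    POBJECT_NAME_INFORMATION ObjName = (POBJECT_NAME_INFORMATION)malloc(bufferSize);
    if (ObjName == NULL)
    {
        return false;
    }
    // NOTE(review): ZwQueryObject(ObjectNameInformation) is reported to block
    // indefinitely on some handle types (synchronous pipes in particular);
    // a caller that scans arbitrary handles may need a guard around this call -- confirm.
    NTSTATUS ntStatus = ZwQueryObject(handle, ObjectNameInformation, ObjName, bufferSize, NULL);
    if (!NT_SUCCESS(ntStatus))
    {
        // Query failed (for example a name longer than bufferSize);
        // the caller simply moves on to the next handle.
        free(ObjName);
        return false;
    }
    // An object without a name buffer cannot be converted; report "no name"
    // instead of handing a NULL pointer to the converter.
    if (ObjName->Name.Buffer == NULL)
    {
        free(ObjName);
        return false;
    }
    // Convert the UNICODE name to an ANSI string in the caller's buffer.
    SHUnicodeToAnsi(ObjName->Name.Buffer, retName, static_cast<int>(retNameSize));
    free(ObjName);
    return true;
}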
/// Closes srcHandle inside srcProcess: DuplicateHandle with
/// DUPLICATE_CLOSE_SOURCE moves the handle into this process (closing it in
/// the source), after which the local duplicate is closed as well.
/// @param srcHandle   Handle value as seen inside srcProcess.
/// @param srcProcess  Process handle for the owner of srcHandle.
/// @return true if the duplicate-and-close succeeded, false if DuplicateHandle failed.
bool CloseOtherProcessHandle(HANDLE& srcHandle, HANDLE& srcProcess)
{
    HANDLE localCopy = NULL;
    const BOOL duplicated = DuplicateHandle(srcProcess,
                                            srcHandle,
                                            GetCurrentProcess(),
                                            &localCopy,
                                            0,
                                            FALSE,
                                            DUPLICATE_SAME_ACCESS | DUPLICATE_CLOSE_SOURCE);
    if (!duplicated)
    {
        return false;
    }
    // The source side is already closed; drop our own duplicate too.
    CloseHandle(localCopy);
    return true;
}
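/// Entry point. Forever: find processes whose name contains "Client", probe
/// candidate handle values in each of them by duplicating them into this
/// process, and close every handle whose object name contains "外传".
/// Requires EnableDebugPrivilege() (defined elsewhere) to succeed for
/// OpenProcess on foreign processes. Never returns on the normal path.
int main(int argc, char* argv[])
{
    EnableDebugPrivilege();
    while (true)
    {
        GetProcessIdByName("Client");
        for (DWORD pid : processArray)
        {
            // DuplicateHandle only requires PROCESS_DUP_HANDLE on the source
            // process; PROCESS_ALL_ACCESS is wider than this loop needs.
            HANDLE h_another_proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
            if (h_another_proc == NULL)
            {
                // Access denied or the process went away after the snapshot;
                // probing with a NULL process handle would just fail repeatedly.
                continue;
            }
            char NameBuf[256];
            // Handle values are multiples of 4; each candidate is tested by
            // trying to duplicate it (query pass, no DUPLICATE_CLOSE_SOURCE).
            for (int x = 0x100; x < 0x2048; x += 4)
            {
                HANDLE h_src = reinterpret_cast<HANDLE>(static_cast<ULONG_PTR>(x));
                HANDLE h_tar = NULL;
                if (!DuplicateHandle(h_another_proc,
                                     h_src,
                                     GetCurrentProcess(),
                                     &h_tar,
                                     0,
                                     FALSE,
                                     DUPLICATE_SAME_ACCESS))
                {
                    continue;   // not a live handle value in the target
                }
                if (GetObjectNameByHandle(h_tar, NameBuf)
                    && strlen(NameBuf) > 0
                    && strstr(NameBuf, "外传") != NULL)
                {
                    // Second DuplicateHandle, this time with DUPLICATE_CLOSE_SOURCE.
                    if (CloseOtherProcessHandle(h_src, h_another_proc))
                    {
                        printf("关闭句柄:%s %x %d\n", NameBuf, x, x);
                    }
                }
                // Always release the query-pass duplicate, matched or not.
                CloseHandle(h_tar);
            }
            CloseHandle(h_another_proc);
        }
        Sleep(1111);
    }
}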