[讨论]ObReferenceObjectByHandleWithTag win7 64 记录一下
发表于: 2021-1-6 11:33 3109


// Hex-Rays pseudo-code of nt!ObReferenceObjectByHandleWithTag on Windows 7 x64, as pasted on the forum.
// NOTE(review): the forum rendering ate most '*' characters in the upper part of the listing
// (`(_QWORD )(_KTHREAD + 0x70)` was `*(_QWORD *)(_KTHREAD + 0x70)`, `4 ProcessHandle` was
// `4 * ProcessHandle`, and `readgsqword` / `asm` / `int64` lost their leading underscores); the intact
// lines further down show the original form. This is decompiler output, not compilable C, and is kept
// verbatim apart from comments and line layout (the forum's gutter numbers were dropped).
//
// Resolves a handle to a referenced object pointer.
//   ProcessHandle      handle to resolve; -1 / -2 are the current-process / current-thread pseudo-handles,
//                      bit 31 set marks a kernel handle (honoured only for kernel-mode callers)
//   DesiredAccess      access mask the caller wants
//   ObjectType         expected OBJECT_TYPE, or NULL to accept any type
//   AccessMode         0 = KernelMode, 1 = UserMode; only user-mode requests are access-checked
//   a5                 never read below (sits where the documented prototype has the Tag argument)
//   out_Object         receives a pointer to the object body (OBJECT_HEADER + 0x30); cleared on entry
//   HandleInformation  optional; receives HandleAttributes (+0) and GrantedAccess (+4)
// Returns an NTSTATUS: 0 on success, 0xC0000008 STATUS_INVALID_HANDLE, 0xC0000022 STATUS_ACCESS_DENIED
// or 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH. On success the object's PointerCount has been incremented,
// so the caller owns one reference.
int64 usercall ObReferenceObjectByHandleWithTag@<rax>(ULONG_PTR ProcessHandle@<rcx>, int64 DesiredAccess@<rdx>, struct _OBJECT_TYPE *ObjectType@<r8>, char AccessMode@<r9b>, int a5, int64 out_Object, int64 HandleInformation)
{
  // Register/stack annotations are the decompiler's; `_RCX` is declared twice (register-reuse artefact).
  signed int64 RundownProtect; // rcx
  signed int64 v8; // rtt
  int64 v9; // rax
  signed int64 _RCX; // rcx
  signed int64 v11; // rtt
  unsigned int64 _KTHREAD; // rdi
  unsigned int return_value; // er12
  int64 _KPROCESS; // r15
  char v15; // bp
  char v16; // r14
  int64 ProcessHandle_f; // r13
  int64 eprocess_ObjectTable; // rsi
  int64 v19; // r8
  ULONG_PTR _RBX; // rbx
  signed int64 v21; // rax
  signed int64 v22; // rtt
  unsigned int8 ObjectHeader; // rbp
  unsigned int v24; // ecx
  unsigned int v25; // er11
  bool v26; // zf
  int v28; // ecx
  int64 v29; // rsi
  volatile signed int64 _RCX; // rcx
  signed int64 v31; // rax
  signed int64 v32; // rtt
  int v33; // [rsp+0h] [rbp-C8h]
  unsigned int64 v34; // [rsp+30h] [rbp-98h]
  char v35; // [rsp+40h] [rbp-88h]
  int64 v36; // [rsp+58h] [rbp-70h]
  int v37; // [rsp+74h] [rbp-54h]
  char v38; // [rsp+D0h] [rbp+8h]
  unsigned int DesiredAccess_copy; // [rsp+D8h] [rbp+10h]
  struct _OBJECT_TYPE *ObjectType_copy; // [rsp+E0h] [rbp+18h]
  char v41; // [rsp+E8h] [rbp+20h]

  v41 = AccessMode;
  ObjectType_copy = ObjectType;
  DesiredAccess_copy = DesiredAccess;
  _KTHREAD = readgsqword(0x188u);               // gs:[0x188] = KPCR.Prcb.CurrentThread
  return_value = 0;                             // STATUS_SUCCESS unless a check below fails
  _KPROCESS = (_QWORD )(_KTHREAD + 0x70);       // KTHREAD.ApcState.Process: the process whose handle table is in effect
  v15 = 0;                                      // 1 = a rundown reference on the handle table must be released
  v16 = AccessMode;
  (_QWORD )out_Object = 0i64;                   // *Object = NULL on every failure path
  ProcessHandle_f = ProcessHandle;
  v38 = 0;                                      // shadow of v15; copied back into v15 before the jump to LABEL_25
  if ( (ProcessHandle & 0x80000000) == 0i64 )   // bit 31 clear: ordinary process-level handle
  {
    // Driver Verifier hook: a kernel-mode caller handing in a non-kernel handle gets it checked.
    if ( ViVerifierDriverAddedThunkListHead && !AccessMode )
      VfCheckUserHandle((HANDLE)ProcessHandle);
    if ( _KPROCESS == (_QWORD )(_KTHREAD + 0x210) )// KTHREAD.Process (+0x210) == ApcState.Process: thread is not attached
    {
      eprocess_ObjectTable = (_QWORD )(_KPROCESS + 0x200);// EPROCESS.ObjectTable (+0x200, Ptr64 _HANDLE_TABLE), used directly
    }
    else
    {
      // Attached to another process: its table may be torn down under us, so take a rundown
      // reference on it (released via RundownProtect below / at LABEL_25).
      v15 = 1;
      eprocess_ObjectTable = ObReferenceProcessHandleTable(_KPROCESS);
      v38 = 1;
    }
    if ( eprocess_ObjectTable )
    {
      if ( eprocess_ObjectTable != ObpKernelHandleTable )
        goto LABEL_7;                           // normal case: walk the handle table
      // The process-level table turned out to be the kernel handle table, which a handle without the
      // kernel-handle bit cannot address: drop the rundown reference and report an invalid handle.
      if ( v15 == 1 )
      {
        RundownProtect = _KPROCESS + 0x178;     // EPROCESS.RundownProtect (+0x178, _EX_RUNDOWN_REF)
        asm { prefetchw byte ptr [rcx] }
        // Inline fast path of ExReleaseRundownProtection: the low bit flags a rundown in progress and
        // the count sits above it in steps of 2; if the CAS loses, the slow path handles it.
        v8 = (_QWORD )(_KPROCESS + 0x178) & 0xFFFFFFFFFFFFFFFEui64;
        if ( v8 != _InterlockedCompareExchange((volatile signed int64 )(_KPROCESS + 0x178), v8 - 2, v8) )
          ExfReleaseRundownProtection();
      }
    }
    return 0xC0000008i64;                       // STATUS_INVALID_HANDLE (also when no table could be referenced)
  }
  if ( ProcessHandle == -1i64 )                 // NtCurrentProcess(): hand out the current process, no table lookup
  {
    if ( ObjectType == PsProcessType || !ObjectType )
    {
      v29 = (_QWORD )(_KTHREAD + 0x70);         // ApcState.Process, i.e. the EPROCESS body
      // A user-mode caller may not ask for bits above the 0x1FFFFF mask the pseudo-handle grants.
      if ( !(DesiredAccess & 0xFFE00000) || !AccessMode )
      {
        if ( HandleInformation )
        {
          (_DWORD )(HandleInformation + 4) = 0x1FFFFF;// GrantedAccess = full mask
          (_DWORD )HandleInformation = 0;       // HandleAttributes = 0
        }
        // OBJECT_HEADER sits 0x30 below the body; bit 0 of its byte at +0x19 (TraceFlags on this build) enables ref tracing.
        if ( ObpTraceFlags && (_BYTE )(v29 - 23) & 1 )
          ObpPushStackInfo((void )(v29 - 48));
        _InterlockedAdd64((volatile signed int64 )(v29 - 48), 1ui64);// ++OBJECT_HEADER.PointerCount (header offset 0)
        (_QWORD )out_Object = v29;
        return return_value;                    // STATUS_SUCCESS
      }
      return 0xC0000022;                        // STATUS_ACCESS_DENIED
    }
    return 0xC0000024;                          // STATUS_OBJECT_TYPE_MISMATCH
  }
  if ( ProcessHandle == -2i64 )                 // NtCurrentThread(): same shortcut for the calling thread
  {
    if ( ObjectType == PsThreadType || !ObjectType )
    {
      if ( !(DesiredAccess & 0xFFE00000) || !AccessMode )
      {
        if ( HandleInformation )
        {
          (_DWORD )(HandleInformation + 4) = 0x1FFFFF;
          (_DWORD )HandleInformation = 0;
        }
        if ( ObpTraceFlags && (_BYTE )(_KTHREAD - 23) & 1 )
          ObpPushStackInfo((void )(_KTHREAD - 48));
        _InterlockedAdd64((volatile signed __int64 )(_KTHREAD - 48), 1ui64);// ++PointerCount of the thread object
        (_QWORD )out_Object = _KTHREAD;
        return return_value;                    // STATUS_SUCCESS
      }
      return 0xC0000022;                        // STATUS_ACCESS_DENIED
    }
    return 0xC0000024;                          // STATUS_OBJECT_TYPE_MISMATCH
  }
  // Bit 31 set and not a pseudo-handle: a kernel handle. Only kernel-mode callers may use those; a
  // user-mode caller skips this block and lands on the STATUS_INVALID_HANDLE return at the bottom.
  if ( !AccessMode )
  {
    eprocess_ObjectTable = ObpKernelHandleTable;
    ProcessHandle_f = ProcessHandle ^ 0xFFFFFFFF80000000ui64;// strip the kernel-handle marker
LABEL_7:
    // Shared lookup path for process-level and kernel handles. KeEnterCriticalRegion pattern:
    // KTHREAD.KernelApcDisable (+0x1C4) is decremented here and incremented again at LABEL_25.
    --(_WORD )(_KTHREAD + 0x1C4);
    // Handle values are index*4 with the low two bits used as tag bits. The `& 0x3FC` test rejects
    // index 0 of each low-level page (presumably reserved on this build), and the stripped value must
    // be below the table's current limit at +0x5C (presumably HANDLE_TABLE.NextHandleNeedingPool).
    if ( ProcessHandle_f & 0x3FC
      && (v34 = ProcessHandle_f, LODWORD(v34) = ProcessHandle_f & 0xFFFFFFFC, v34 < (unsigned int )(eprocess_ObjectTable + 0x5C)) )
    {
      // HANDLE_TABLE.TableCode: low two bits = table depth (0, 1 or 2), remaining bits = base pointer.
      ProcessHandle = (_QWORD )eprocess_ObjectTable & 3i64;
      v19 = (_QWORD )eprocess_ObjectTable - (unsigned int)ProcessHandle;
      if ( (_DWORD)ProcessHandle )
      {
        if ( (_DWORD)ProcessHandle == 1 )
        {
          // Two levels: mid-level array of page pointers indexed by handle>>10 (x8 == >>7 with the
          // low bits cleared), then the 16-byte entry at (handle & 0x3FF)*4 inside that page.
          ProcessHandle = v34 & 0x3FF;
          _RBX = (_QWORD )(((v34 - ProcessHandle) >> 7) + v19) + 4 ProcessHandle;
        }
        else
        {
          // Three levels: top-level array indexed by the bits above the mid-level's 0xFFF span.
          // DesiredAccess is reused as a scratch register from here on (decompiler artefact).
          DesiredAccess = v34 & 0x3FF;
          ProcessHandle = (_QWORD )((_QWORD )(((((v34 - DesiredAccess) >> 7) - (((v34 - DesiredAccess) >> 7) & 0xFFF)) >> 9)
                                              + v19)
                                  + (((v34 - DesiredAccess) >> 7) & 0xFFF));
          _RBX = ProcessHandle + 4 * DesiredAccess;
        }
      }
      else
      {
        _RBX = v19 + 4 * v34;                   // single level: entries are 16 bytes and the handle is index*4
      }
      if ( _RBX )
      {
        while ( 1 )
        {
          // HANDLE_TABLE_ENTRY.Object: 0 = free entry, bit 0 set = unlocked, low 3 bits are flags.
          __asm { prefetchw byte ptr [rbx] }
          v21 = *(_QWORD *)_RBX;
          if ( *(_QWORD *)_RBX & 1 )
          {
            v22 = *(_QWORD *)_RBX;
            // Lock the entry by clearing bit 0; if the CAS loses we fall through to the wait below.
            if ( v22 == _InterlockedCompareExchange((volatile signed __int64 *)_RBX, v21 - 1, v21) )
            {
              ObjectHeader = (unsigned __int8 *)(*(_QWORD *)_RBX & 0xFFFFFFFFFFFFFFF8ui64);// OBJECT_HEADER *
              __asm { prefetchw byte ptr [rbp+0] }
              // Type check: OBJECT_HEADER.TypeIndex (+0x18) -> ObTypeIndexTable; a NULL ObjectType accepts anything.
              if ( (struct _OBJECT_TYPE *)ObTypeIndexTable[ObjectHeader[0x18]] != ObjectType_copy && ObjectType_copy )
              {
                return_value = 0xC0000024;      // STATUS_OBJECT_TYPE_MISMATCH
              }
              else
              {
                v24 = DesiredAccess_copy;
                v25 = *(_DWORD *)(_RBX + 8) & 0xFDFFFFFF;// GrantedAccess without bit 25 (reported below as OBJ_PROTECT_CLOSE)
                // Access check applies to user-mode callers only: a driver that forwards a user handle
                // with AccessMode == KernelMode receives the object regardless of the granted mask, so
                // callers should pass the requestor's previous mode rather than KernelMode.
                if ( ~v25 & DesiredAccess_copy && v41 )// if (((~GrantedAccess & DesiredAccess) != 0) && (AccessMode != KernelMode))
                {
                  return_value = 0xC0000022;    // STATUS_ACCESS_DENIED
                }
                else
                {
                  // +0x40 non-zero (presumably HANDLE_TABLE.ExtraInfoPages): per-handle extra info exists,
                  // fetch it; the pointer lands in the DesiredAccess scratch register.
                  if ( *(_DWORD *)(eprocess_ObjectTable + 0x40) )
                  {
                    v9 = ExpGetHandleInfo(eprocess_ObjectTable, ProcessHandle_f, 1i64);
                    v24 = DesiredAccess_copy;
                    DesiredAccess = v9;
                  }
                  else
                  {
                    DesiredAccess = 0i64;
                  }
                  if ( HandleInformation )
                  {
                    *(_DWORD *)(HandleInformation + 4) = v25;// GrantedAccess
                    // HandleAttributes: bits 1/2 of the entry (OBJ_INHERIT / OBJ_AUDIT_OBJECT_CLOSE)
                    // plus OBJ_PROTECT_CLOSE (1) taken from bit 25 of the GrantedAccess dword.
                    v28 = *(_DWORD *)_RBX & 6;
                    if ( _bittest((const signed __int32 *)(_RBX + 8), 0x19u) )
                      v28 |= 1u;
                    *(_DWORD *)HandleInformation = v28;
                    v24 = DesiredAccess_copy;
                  }
                  // Audit-flagged entry with extra info whose first dword (presumably AuditMask) is set
                  // and a non-empty request: record the access.
                  if ( *(_BYTE *)_RBX & 4 && DesiredAccess && *(_DWORD *)DesiredAccess && v24 )
                    ObpAuditObjectAccess(ProcessHandle_f, DesiredAccess, ObjectHeader, v24);
                  if ( ObpTraceFlags && ObjectHeader[25] & 1 )// TraceFlags bit 0: reference tracing on
                    ObpPushStackInfo(ObjectHeader);
                  _InterlockedAdd64((volatile signed __int64 *)ObjectHeader, 1ui64);// ++PointerCount: the reference handed to the caller
                  *(_QWORD *)out_Object = ObjectHeader + 0x30;// *Object = &ObjectHeader->Body
                }
              }
              // Unlock the entry by setting bit 0 again. (The original comment called this the
              // PointerCount increment; that was the _InterlockedAdd64 on ObjectHeader above.)
              _InterlockedExchangeAdd64((volatile signed __int64 *)_RBX, 1ui64);
              ProcessHandle = eprocess_ObjectTable + 0x30;// HANDLE_TABLE.HandleContentionEvent push lock
              _InterlockedOr(&v33, 0);          // memory barrier before reading the lock word
              _mm_lfence();
              if ( *(_QWORD *)(eprocess_ObjectTable + 0x30) )
                ExfUnblockPushLock(ProcessHandle, 0i64);// wake threads that waited for this entry
              v15 = v38;
              goto LABEL_25;
            }
          }
          else if ( !v21 )
          {
            break;                              // free entry: the handle is not in use
          }
          // Entry is locked by another thread (or our CAS lost): queue a wait block (v35) on the
          // table's push lock, re-check the entry, then either retract the block or sleep on it.
          _RCX = (volatile signed __int64 *)(eprocess_ObjectTable + 48);
          v37 = 2;
          __asm { prefetchw byte ptr [rcx] }
          v31 = *(_QWORD *)(eprocess_ObjectTable + 48);
          do
          {
            v36 = v31;
            v32 = v31;
            v31 = _InterlockedCompareExchange(_RCX, (signed __int64)&v35, v31);
          }
          while ( v32 != v31 );
          if ( !*(_QWORD *)_RBX || *(_QWORD *)_RBX & 1 )
          {
            _InterlockedOr(&v33, 0);
            _mm_lfence();
            ExfUnblockPushLock(_RCX, &v35);     // entry was freed/unlocked meanwhile: no need to wait
          }
          else
          {
            ExWaitForUnblockPushLock(_RCX, &v35);
          }
        }
      }
    }
    else
    {
      _RBX = 0i64;                              // index out of range or reserved: invalid handle
    }
    // Lookup failed. With handle tracing enabled (+0x38, DebugInfo) record the bad handle; under
    // Application Verifier raise STATUS_INVALID_HANDLE into the user-mode caller, and for a
    // kernel-mode caller with FLG_ENABLE_HANDLE_EXCEPTIONS bugcheck INVALID_KERNEL_HANDLE (0x93).
    if ( *(_QWORD *)(eprocess_ObjectTable + 56) )
    {
      ExpUpdateDebugInfo(eprocess_ObjectTable, __readgsqword(0x188u), ProcessHandle_f, 3i64);
      if ( v16 == 1 )                           // UserMode caller
      {
        // NOTE(review): the byte at KTHREAD+0x1F0 is not identified in this listing; presumably a
        // state flag (ApcStateIndex would fit, i.e. no user exception while attached) -- confirm with symbols.
        if ( *(_BYTE *)(__readgsqword(0x188u) + 496) != 1 )
        {
          if ( _bittest(&NtGlobalFlag, 8u) )    // FLG_APPLICATION_VERIFIER (0x100)
            DbgPrintEx(
              93i64,                            // DPFLTR_VERIFIER_ID
              0i64,
              "AVRF: Invalid handle %p in process %p \n",
              ProcessHandle_f,
              *(_QWORD *)(__readgsqword(0x188u) + 112));// ApcState.Process
          KeRaiseUserException(3221225480i64);  // 0xC0000008 STATUS_INVALID_HANDLE
        }
      }
      else if ( _bittest(&NtGlobalFlag, 0x1Eu) )// FLG_ENABLE_HANDLE_EXCEPTIONS (0x40000000)
      {
        KeBugCheckEx(0x93u, ProcessHandle_f, eprocess_ObjectTable, _RBX, 1ui64);// INVALID_KERNEL_HANDLE
      }
    }
    return_value = 0xC0000008;                  // STATUS_INVALID_HANDLE

LABEL_25:
    // KeLeaveCriticalRegion pattern: KernelApcDisable goes back to 0 and, if the kernel APC list
    // (ApcState.ApcListHead[KernelMode] at +0x50) is non-empty and SpecialApcDisable (+0x1C6) is
    // clear, pending kernel APCs are delivered. The two arguments shown are likely decompiler noise.
    v26 = ((_WORD )(_KTHREAD + 0x1C4))++ == -1;
    if ( v26 && (_QWORD )(_KTHREAD + 80) != _KTHREAD + 80 && !(_WORD )(_KTHREAD + 454) )
      KiCheckForKernelApcDelivery(ProcessHandle, DesiredAccess);
    if ( v15 == 1 )                             // drop the rundown reference taken while attached (same fast path as above)
    {
      _RCX = _KPROCESS + 376;                   // EPROCESS.RundownProtect (0x178)
      asm { prefetchw byte ptr [rcx] }
      v11 = (_QWORD )(_KPROCESS + 376) & 0xFFFFFFFFFFFFFFFEui64;
      if ( v11 != _InterlockedCompareExchange((volatile signed int64 *)(_KPROCESS + 376), v11 - 2, v11) )
        ExfReleaseRundownProtection();
    }
    return return_value;
  }
  return 0xC0000008i64;                         // STATUS_INVALID_HANDLE: kernel handle presented by a user-mode caller
}

