[讨论]ObReferenceObjectByHandleWithTag win7 64 记录一下
发表于: 2021-1-6 11:33 3109
/*
 * Decompiler pseudocode (Hex-Rays style) of nt!ObReferenceObjectByHandleWithTag, posted
 * for Windows 7 x64. It is not compilable C:
 *   - most '*' dereference markers were lost in the paste, so "(_QWORD )(p + off)" should
 *     be read as "*(_QWORD *)(p + off)" (the "* (_QWORD * )" spellings that survive in the
 *     flattened part of the listing show the original form); likewise "4 ProcessHandle"
 *     stands for "4 * ProcessHandle";
 *   - the "1 2 3 ... 128 |" run and the trailing "|" inside the flattened part are the
 *     forum code-box gutter, not code;
 *   - "@<rcx>"-style annotations and "asm { prefetchw ... }" are decompiler output.
 *
 * Parameters, as far as this listing shows (names are the decompiler's):
 *   ProcessHandle     - the handle being resolved; despite the name it is any object
 *                       handle (see the -1 / -2 pseudo-handle cases below).
 *   DesiredAccess     - access mask checked against the table entry's GrantedAccess.
 *   ObjectType        - expected OBJECT_TYPE, or NULL to skip the type check.
 *   AccessMode        - 0 is treated as KernelMode, non-zero as a user-mode caller.
 *   a5                - never referenced in this listing (presumably the Tag -- verify).
 *   out_Object        - receives a pointer to the object body; zeroed on entry.
 *   HandleInformation - optional; when non-NULL receives {HandleAttributes, GrantedAccess}.
 * Return values seen here: 0 on success, 0xC0000008 (STATUS_INVALID_HANDLE),
 * 0xC0000022 (STATUS_ACCESS_DENIED), 0xC0000024 (STATUS_OBJECT_TYPE_MISMATCH).
 *
 * Security-relevant checks visible in the listing:
 *   - a handle with bit 31 set is resolved in ObpKernelHandleTable only when
 *     AccessMode == KernelMode; for any other caller it is STATUS_INVALID_HANDLE;
 *   - for the -1 / -2 pseudo-handles a user-mode caller may not request any bit in
 *     0xFFE00000 (everything above the 0x1FFFFF range that is reported back as granted);
 *   - the GrantedAccess check (~Granted & Desired) and the verifier user-handle check are
 *     skipped for KernelMode callers, so a driver resolving a handle it received from user
 *     mode must pass UserMode here to keep those checks.
 */
int64 usercall ObReferenceObjectByHandleWithTag@<rax>(ULONG_PTR ProcessHandle@<rcx>, int64 DesiredAccess@<rdx>, struct _OBJECT_TYPE *ObjectType@<r8>, char AccessMode@<r9b>, int a5, int64 out_Object, int64 HandleInformation)
{
signed int64 RundownProtect; // rcx
signed int64 v8; // rtt
int64 v9; // rax
signed int64 _RCX; // rcx
signed int64 v11; // rtt
unsigned int64 _KTHREAD; // rdi
unsigned int return_value; // er12
int64 _KPROCESS; // r15
char v15; // bp
char v16; // r14
int64 ProcessHandle_f; // r13
int64 eprocess_ObjectTable; // rsi
int64 v19; // r8
ULONG_PTR _RBX; // rbx
signed int64 v21; // rax
signed int64 v22; // rtt
unsigned int8 ObjectHeader; // rbp
unsigned int v24; // ecx
unsigned int v25; // er11
bool v26; // zf
int v28; // ecx
int64 v29; // rsi
volatile signed int64 _RCX; // rcx (duplicate name: decompiler artifact)
signed int64 v31; // rax
signed int64 v32; // rtt
int v33; // [rsp+0h] [rbp-C8h]
unsigned int64 v34; // [rsp+30h] [rbp-98h]
char v35; // [rsp+40h] [rbp-88h]
int64 v36; // [rsp+58h] [rbp-70h]
int v37; // [rsp+74h] [rbp-54h]
char v38; // [rsp+D0h] [rbp+8h]
unsigned int DesiredAccess_copy; // [rsp+D8h] [rbp+10h]
struct _OBJECT_TYPE *ObjectType_copy; // [rsp+E0h] [rbp+18h]
char v41; // [rsp+E8h] [rbp+20h]
v41 = AccessMode;
ObjectType_copy = ObjectType;
DesiredAccess_copy = DesiredAccess;
// gs:[0x188] is the current KTHREAD on x64.
_KTHREAD = readgsqword(0x188u);
return_value = 0;
_KPROCESS = (_QWORD )(_KTHREAD + 0x70); // EProcess = kThread->>ApcState.Process;
// v15 == 1 records that the table came from ObReferenceProcessHandleTable() and its
// rundown protection must be released before returning (see both release sites below).
v15 = 0;
v16 = AccessMode;
(_QWORD )out_Object = 0i64;
ProcessHandle_f = ProcessHandle;
v38 = 0;
// Bit 31 clear: an ordinary handle, resolved in the caller's process handle table.
if ( (ProcessHandle & 0x80000000) == 0i64 )
{
// Driver Verifier hook: only a KernelMode caller is checked for handing over a user handle.
if ( ViVerifierDriverAddedThunkListHead && !AccessMode )
VfCheckUserHandle((HANDLE)ProcessHandle);
// ApcState.Process == Thread->Process (KTHREAD+0x210): the thread is not attached, so the
// process table can be used directly.
if ( _KPROCESS == (_QWORD )(_KTHREAD + 0x210) )// _kthread +0x210 Process : Ptr64 _KPROCESS
{
eprocess_ObjectTable = (_QWORD )(_KPROCESS + 0x200);// eprocess +0x200 ObjectTable : Ptr64 _HANDLE_TABLE
}
else
{
// Attached to another process: take the table under rundown protection instead.
v15 = 1;
eprocess_ObjectTable = ObReferenceProcessHandleTable(_KPROCESS);
v38 = 1;
}
if ( eprocess_ObjectTable )
{
// Normal path: jump into the table lookup. A process whose table is ObpKernelHandleTable
// falls through to STATUS_INVALID_HANDLE for a non-kernel handle.
if ( eprocess_ObjectTable != ObpKernelHandleTable )
goto LABEL_7;
if ( v15 == 1 )
{
// Release EPROCESS.RundownProtect: the count sits above bit 0 (hence the step of 2);
// if the CAS loses (bit 0 set or a concurrent change) fall back to the slow path.
RundownProtect = _KPROCESS + 0x178; // eprocess +0x178 RundownProtect : _EX_RUNDOWN_REF
asm { prefetchw byte ptr [rcx] }
v8 = (_QWORD )(_KPROCESS + 0x178) & 0xFFFFFFFFFFFFFFFEui64;
if ( v8 != _InterlockedCompareExchange((volatile signed int64 )(_KPROCESS + 0x178), v8 - 2, v8) )
ExfReleaseRundownProtection();
}
}
// NULL table, or a non-kernel handle against the kernel handle table.
return 0xC0000008i64;
}
// NtCurrentProcess() pseudo-handle: reference the current process without a table lookup.
if ( ProcessHandle == -1i64 ) // get the current process object
{
if ( ObjectType == PsProcessType || !ObjectType )
{
v29 = (_QWORD )(_KTHREAD + 0x70);
// User-mode callers may not ask for bits outside the 0x1FFFFF range reported as granted
// just below; KernelMode is not restricted here.
if ( !(DesiredAccess & 0xFFE00000) || !AccessMode )
{
if ( HandleInformation )
{
(_DWORD )(HandleInformation + 4) = 0x1FFFFF;
(_DWORD )HandleInformation = 0;
}
// The object header sits 0x30 bytes below the body; bit 0 of header byte +0x19 gates the
// stack-trace hook (the table path tests the same byte as ObjectHeader[25] & 1).
if ( ObpTraceFlags && (_BYTE )(v29 - 23) & 1 )
ObpPushStackInfo((void )(v29 - 48));
// Take the reference: first qword of the header (PointerCount).
_InterlockedAdd64((volatile signed int64 )(v29 - 48), 1ui64);
(_QWORD )out_Object = v29;
return return_value;
}
return 0xC0000022;
}
return 0xC0000024;
}
// NtCurrentThread() pseudo-handle: same shape as the process case, the KTHREAD is the body.
if ( ProcessHandle == -2i64 ) // get the current thread object
{
if ( ObjectType == PsThreadType || !ObjectType )
{
if ( !(DesiredAccess & 0xFFE00000) || !AccessMode )
{
if ( HandleInformation )
{
(_DWORD )(HandleInformation + 4) = 0x1FFFFF;
(_DWORD )HandleInformation = 0;
}
if ( ObpTraceFlags && (_BYTE )(_KTHREAD - 23) & 1 )
ObpPushStackInfo((void )(_KTHREAD - 48));
_InterlockedAdd64((volatile signed __int64 )(_KTHREAD - 48), 1ui64);
(_QWORD )out_Object = _KTHREAD;
return return_value;
}
return 0xC0000022;
}
return 0xC0000024;
}
// Bit 31 set and not a pseudo-handle: only a KernelMode caller may treat it as a kernel handle.
if ( !AccessMode )
{
eprocess_ObjectTable = ObpKernelHandleTable;
// Strip the sign-extended kernel-handle marker to recover the table index.
ProcessHandle_f = ProcessHandle ^ 0xFFFFFFFF80000000ui64;
LABEL_7:
// Decrement KTHREAD+0x1C4 for the duration of the table walk; together with the increment
// and the APC-list / +0x1C6 test at LABEL_25 this matches enter/leave critical region
// (KernelApcDisable) -- inferred from the shape, confirm against symbols.
--(_WORD )(_KTHREAD + 0x1C4);
// Handle index = handle & ~3 (the low two bits are not part of the index). A zero low-level
// index (handle & 0x3FC == 0) appears to be rejected, and the index must be below the table
// limit read from table+0x5C before any entry memory is touched.
if ( ProcessHandle_f & 0x3FC
&& (v34 = ProcessHandle_f,
LODWORD(v34) = ProcessHandle_f & 0xFFFFFFFC,
v34 < (unsigned int )(eprocess_ObjectTable + 0x5C)) )
{
// The low two bits of the table code appear to select the table depth (0/1/2 levels);
// the remaining bits are the table pointer.
ProcessHandle = (_QWORD )eprocess_ObjectTable & 3i64;
v19 = (_QWORD )eprocess_ObjectTable - (unsigned int)ProcessHandle;
if ( (_DWORD)ProcessHandle )
{
if ( (_DWORD)ProcessHandle == 1 )
{
// Two-level table; "4 ProcessHandle" is "4 * ProcessHandle" (entries are 16 bytes and
// v34 is already the index shifted left by 2).
ProcessHandle = v34 & 0x3FF;
_RBX = (_QWORD )(((v34 - ProcessHandle) >> 7) + v19) + 4 ProcessHandle;
}
else
{
// Three-level table; the expression continues on the flattened line below.
DesiredAccess = v34 & 0x3FF;
ProcessHandle = (_QWORD )((_QWORD )(((((v34 - DesiredAccess) >> 7) - (((v34 - DesiredAccess) >> 7) & 0xFFF)) >> 9)
/*
 * The next three (flattened) lines finish the entry address computation, then:
 *   - lock the table entry by CAS-clearing bit 0 of its first qword (bit 0 set = unlocked);
 *     a zero entry is an unused slot (break -> STATUS_INVALID_HANDLE); a locked entry
 *     waits on the table push lock at table+0x30 and retries;
 *   - object header = entry.Object & ~7; its type index (header byte +0x18) is looked up
 *     in ObTypeIndexTable and compared with ObjectType unless ObjectType is NULL;
 *   - GrantedAccess = entry dword +8 with bit 25 masked off (bit 25 is instead reported as
 *     handle attribute 1, alongside attribute bits 2|4 taken from the entry's first dword);
 *     (~Granted & Desired) != 0 from user mode is STATUS_ACCESS_DENIED, KernelMode bypasses
 *     this check entirely;
 *   - when table+0x40 is set, ExpGetHandleInfo() supplies audit data and an entry with
 *     bit 2 set is reported through ObpAuditObjectAccess();
 *   - on success PointerCount (header qword 0) is incremented, *out_Object = header + 0x30,
 *     the entry lock bit is restored and the table push lock is released;
 *   - on an invalid handle, when table+0x38 is set, ExpUpdateDebugInfo() runs; a user-mode
 *     caller (unless thread byte +0x1F0 == 1) gets the "AVRF: Invalid handle" print when
 *     NtGlobalFlag bit 8 is set and then KeRaiseUserException(STATUS_INVALID_HANDLE); a
 *     kernel-mode caller hits KeBugCheckEx(0x93 = INVALID_KERNEL_HANDLE) when NtGlobalFlag
 *     bit 30 is set (the flag bits are presumably FLG_APPLICATION_VERIFIER and
 *     FLG_ENABLE_HANDLE_EXCEPTIONS -- verify).
 */
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 | + v19) + (((v34 - DesiredAccess) >> 7 ) & 0xFFF )); _RBX = ProcessHandle + 4 * DesiredAccess; } } else { _RBX = v19 + 4 * v34; } if ( _RBX ) { while ( 1 ) { __asm { prefetchw byte ptr [rbx] } v21 = * (_QWORD * )_RBX; if ( * (_QWORD * )_RBX & 1 ) { v22 = * (_QWORD * )_RBX; if ( v22 = = _InterlockedCompareExchange((volatile signed __int64 * )_RBX, v21 - 1 , v21) ) { ObjectHeader = (unsigned __int8 * )( * (_QWORD * )_RBX & 0xFFFFFFFFFFFFFFF8ui64 ); __asm { prefetchw byte ptr [rbp + 0 ] } if ( (struct _OBJECT_TYPE * )ObTypeIndexTable[ObjectHeader[ 0x18 ]] ! = ObjectType_copy && ObjectType_copy ) { return_value = 0xC0000024 ; } else { v24 = DesiredAccess_copy; v25 = * (_DWORD * )(_RBX + 8 ) & 0xFDFFFFFF ; if ( ~v25 & DesiredAccess_copy && v41 ) / / if (((~GrantedAccess & DesiredAccess) ! = 0 ) && (AccessMode ! 
= KernelMode)) { return_value = 0xC0000022 ; / / STATUS_ACCESS_DENIED } else { if ( * (_DWORD * )(eprocess_ObjectTable + 0x40 ) ) { v9 = ExpGetHandleInfo(eprocess_ObjectTable, ProcessHandle_f, 1i64 ); v24 = DesiredAccess_copy; DesiredAccess = v9; } else { DesiredAccess = 0i64 ; } if ( HandleInformation ) { * (_DWORD * )(HandleInformation + 4 ) = v25; v28 = * (_DWORD * )_RBX & 6 ; if ( _bittest((const signed __int32 * )(_RBX + 8 ), 0x19u ) ) v28 | = 1u ; * (_DWORD * )HandleInformation = v28; v24 = DesiredAccess_copy; } if ( * (_BYTE * )_RBX & 4 && DesiredAccess && * (_DWORD * )DesiredAccess && v24 ) ObpAuditObjectAccess(ProcessHandle_f, DesiredAccess, ObjectHeader, v24); if ( ObpTraceFlags && ObjectHeader[ 25 ] & 1 ) ObpPushStackInfo(ObjectHeader); _InterlockedAdd64((volatile signed __int64 * )ObjectHeader, 1ui64 ); * (_QWORD * )out_Object = ObjectHeader + 0x30 ; / / * Object = &ObjectHeader - >Body; / / the header's Body field is what is returned through the Object parameter } } _InterlockedExchangeAdd64((volatile signed __int64 * )_RBX, 1ui64 ); / / InterlockedIncrement(ObjectHeader - >PointerCount); / / increment the object count /* NOTE(review): this add is on the table entry _RBX, not on ObjectHeader (that increment is the _InterlockedAdd64 just before); it looks like it restores the bit-0 lock cleared by the CAS at the top of the loop -- confirm */ ProcessHandle = eprocess_ObjectTable + 0x30 ; _InterlockedOr(&v33, 0 ); _mm_lfence(); if ( * (_QWORD * )(eprocess_ObjectTable + 0x30 ) ) ExfUnblockPushLock(ProcessHandle, 0i64 ); v15 = v38; goto LABEL_25; } } else if ( !v21 ) { break ; } _RCX = (volatile signed __int64 * )(eprocess_ObjectTable + 48 ); v37 = 2 ; __asm { prefetchw byte ptr [rcx] } v31 = * (_QWORD * )(eprocess_ObjectTable + 48 ); do { v36 = v31; v32 = v31; v31 = _InterlockedCompareExchange(_RCX, (signed __int64)&v35, v31); } while ( v32 ! = v31 ); if ( ! 
* (_QWORD * )_RBX || * (_QWORD * )_RBX & 1 ) { _InterlockedOr(&v33, 0 ); _mm_lfence(); ExfUnblockPushLock(_RCX, &v35); } else { ExWaitForUnblockPushLock(_RCX, &v35); } } } } else { _RBX = 0i64 ; } if ( * (_QWORD * )(eprocess_ObjectTable + 56 ) ) { ExpUpdateDebugInfo(eprocess_ObjectTable, __readgsqword( 0x188u ), ProcessHandle_f, 3i64 ); if ( v16 = = 1 ) { if ( * (_BYTE * )(__readgsqword( 0x188u ) + 496 ) ! = 1 ) { if ( _bittest(&NtGlobalFlag, 8u ) ) DbgPrintEx( 93i64 , 0i64 , "AVRF: Invalid handle %p in process %p \n" , ProcessHandle_f, * (_QWORD * )(__readgsqword( 0x188u ) + 112 )); KeRaiseUserException( 3221225480i64 ); } } else if ( _bittest(&NtGlobalFlag, 0x1Eu ) ) { KeBugCheckEx( 0x93u , ProcessHandle_f, eprocess_ObjectTable, _RBX, 1ui64 ); } } return_value = 0xC0000008 ; |
LABEL_25:
// Leave the critical region: post-increment KTHREAD+0x1C4; when it returns to 0 (old value
// was -1), the kernel APC list at KTHREAD+0x50 is non-empty (Flink != &head) and the word
// at +0x1C6 is 0, let pending kernel APCs be delivered.
v26 = ((_WORD )(_KTHREAD + 0x1C4))++ == -1;
if ( v26 && (_QWORD )(_KTHREAD + 80) != _KTHREAD + 80 && !(_WORD )(_KTHREAD + 454) )
KiCheckForKernelApcDelivery(ProcessHandle, DesiredAccess);
// Same RundownProtect release as in the bit-31-clear branch (376 == 0x178); only needed
// when the table came from ObReferenceProcessHandleTable().
if ( v15 == 1 )
{
_RCX = _KPROCESS + 376;
asm { prefetchw byte ptr [rcx] }
v11 = (_QWORD )(_KPROCESS + 376) & 0xFFFFFFFFFFFFFFFEui64;
if ( v11 != _InterlockedCompareExchange((volatile signed int64 *)(_KPROCESS + 376), v11 - 2, v11) )
ExfReleaseRundownProtection();
}
return return_value;
}
// Bit 31 set, not a pseudo-handle, and the caller is not KernelMode: kernel handles are
// never resolved for user-mode callers.
return 0xC0000008i64;
}