[讨论]解锁Irp文件占坑的方法

发表于: 2023-10-4 20:03 4529

[讨论]解锁Irp文件占坑的方法

ThanatosKer 活跃值

2023-10-4 20:03

4529

thread-257384.htm

1.很简单只用调用一个函数 NtfsDecrementCleanupCounts这个函数

上代码

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

VOID
NtfsDecrementCleanupCounts (
    IN PSCB Scb,
    IN PLCB Lcb OPTIONAL,
    IN BOOLEAN NonCachedHandle
    )
 
/*++
 
Routine Description:
 
    This procedure decrements the cleanup counts for the associated data structures
    and if necessary it also start to cleanup associated internal attribute streams
 
Arguments:
 
    Scb - Supplies the Scb used in this operation
 
    Lcb - Optionally supplies the Lcb used in this operation
 
    NonCachedHandle - Indicates this handle is for a user non-cached handle.
 
Return Value:
 
    None.
 
  翻译：
        此过程减少关联数据结构的清理计数
    如果有必要，它还会开始清理关联的内部属性流
 
论据：
 
    Scb - 提供此操作中使用的 Scb
 
    Lcb - 可选择提供此操作中使用的 Lcb
 
    NonCachedHandle - 指示此句柄用于用户非缓存句柄。
 
--*/
 
{
    PVCB Vcb = Scb->Vcb;
 
    ASSERT_SCB( Scb );
    ASSERT_FCB( Scb->Fcb );
    ASSERT_VCB( Scb->Fcb->Vcb );
    ASSERT_OPTIONAL_LCB( Lcb );
 
    //
    //  First we decrement the appropriate cleanup counts
    //
 
    if (ARGUMENT_PRESENT(Lcb)) { Lcb->CleanupCount -= 1; }
 
    InterlockedDecrement( &Scb->CleanupCount );
    Scb->Fcb->CleanupCount -= 1;
 
    if (NonCachedHandle) {
 
        Scb->NonCachedCleanupCount -= 1;
    }
 
    InterlockedDecrement( &Vcb->CleanupCount );
 
    //
    //  Now if the Fcb's cleanup count is zero that indicates that we are
    //  done with this Fcb from a user handle standpoint and we should
    //  now scan through all of the Scb's that are opened under this
    //  Fcb and shutdown any internal attributes streams we have open.
    //  For example, EAs and ACLs.  We only need to do one.  The domino effect
    //  will take of the rest.
    //
 
    if (Scb->Fcb->CleanupCount == 0) {
 
        PSCB NextScb;
 
        //
        //  Remember if we are dealing with a system file and return immediately.
        //
 
        if (NtfsSegmentNumber( &Scb->Fcb->FileReference ) < FIRST_USER_FILE_NUMBER &&
            NtfsSegmentNumber( &Scb->Fcb->FileReference ) != ROOT_FILE_NAME_INDEX_NUMBER) {
 
            return;
        }
 
        for (NextScb = CONTAINING_RECORD(Scb->Fcb->ScbQueue.Flink, SCB, FcbLinks);
             &NextScb->FcbLinks != &Scb->Fcb->ScbQueue;
             NextScb = CONTAINING_RECORD( NextScb->FcbLinks.Flink, SCB, FcbLinks )) {
 
            //
            //  Skip the root index on the volume.
            //
 
            if (SafeNodeType( NextScb ) == NTFS_NTC_SCB_ROOT_INDEX) {
 
                continue;
            }
 
            //
            //  If we have an index with children then break out.
            //
 
            if ((SafeNodeType( NextScb ) == NTFS_NTC_SCB_INDEX) &&
                !IsListEmpty( &NextScb->ScbType.Index.LcbQueue )) {
 
                break;
            }
 
            //
            //  If there is an internal stream then dereference it and get out.
            //
 
            if (NextScb->FileObject != NULL) {
 
                NtfsDeleteInternalAttributeStream( NextScb,
                                                   (BOOLEAN) (Scb->Fcb->LinkCount == 0) );
                break;
            }
        }
    }
 
    //
    //  And return to our caller
    //
 
    return;
}

IDA 的代码显示 win7x64 ntfs.sys NtfsDecrementCleanupCounts 函数

__int64 __fastcall NtfsDecrementCleanupCounts(__int64 a1, __int64 a2, __int64 a3, __int64 a4, int a5)
{
  __int64 v5; // r10
  __int64 result; // rax
  __int64 v8; // rcx
  unsigned __int16 *v9; // rdx
  __int64 v10; // rdx
 
  v5 = *(_QWORD *)(a2 + 0x78);
  if ( a3 )
    --*(_DWORD *)(a3 + 0xCC);
  if ( (*(_BYTE *)(*(_QWORD *)(a2 + 112) + 4i64) & 4) != 0 )
    return ((__int64 (__fastcall *)(__int64, __int64, __int64, __int64))sub_2A1A4)(a1, a2, a3, a4);
  _InterlockedAdd((volatile signed __int32 *)(a2 + 0x88), 0xFFFFFFFF);
  result = *(_QWORD *)(a2 + 0x70);
  _InterlockedAdd((volatile signed __int32 *)(result + 0x10), 0xFFFFFFFF);
  if ( (_DWORD)a4 )
    --*(_DWORD *)(a2 + 0x84);
  if ( a5 )
  {
    result = *(_QWORD *)(a2 + 0x70);
    --*(_DWORD *)(result + 0xEC);
  }
  _InterlockedAdd((volatile signed __int32 *)(v5 + 0xD8), 0xFFFFFFFF);
  v8 = *(_QWORD *)(a2 + 112);
  if ( !*(_DWORD *)(v8 + 16) )
  {
    v9 = 0i64;
    if ( (((unsigned int)&loc_200FF + 1) & *(_DWORD *)(v8 + 4)) == 0 || *(_DWORD *)(v8 + 8) == 5 )
    {
      while ( 1 )
      {
        v10 = v9 ? *((_QWORD *)v9 + 12) : *(_QWORD *)(v8 + 48);
        result = v8 + 48;
        if ( v10 == v8 + 48 )
          break;
        v9 = (unsigned __int16 *)(v10 - 96);
        if ( !v9 )
          break;
        result = *v9;
        if ( (_WORD)result != 1796 && *((_DWORD *)v9 + 43) != 32 )
        {
          if ( *((_DWORD *)v9 + 34) )
            return result;
          if ( (_WORD)result == 1795 )
          {
            result = (__int64)(v9 + 252);
            if ( *(_QWORD *)result != result )
              return result;
          }
          if ( *((_QWORD *)v9 + 24) && !_bittest((const signed __int32 *)v9 + 32, 0xAu) )
            return ((__int64 (__fastcall *)(__int64, unsigned __int16 *, bool, _QWORD))NtfsDeleteInternalAttributeStream)(
                     a1,
                     v9,
                     *(_WORD *)(v8 + 164) == 0,
                     0i64);
        }
      }
    }
  }
  return result;
}

3. 我的代码

typedef VOID(*__fastcall pNtfsDecrementCleanupCounts)(__int64 a1, __int64 a2, __int64* a3, int a4, int a5);
pNtfsDecrementCleanupCounts NtfsDecrementCleanupCounts = NULL;
/*****************************************************************************
* @FunctionName : brief
* @Author : Thanatos
* @Date : 2023/10/4 19:38
* @Inparam : WCHAR* szPath 路径
* @Outparam : 
*****************************************************************************/
NTSTATUS TestXCBFunction(WCHAR* szPath)
{
    NtfsDecrementCleanupCounts = 0xFFFFF88001261660;
     
 
    IO_STATUS_BLOCK ioStatus;
 
 
    HANDLE handle;
 
    WCHAR tmppath[MAX_PATH] = { 0 };
 
    wcscpy(tmppath, L"\\??\\");
    wcscat(tmppath, szPath);
 
 
    UNICODE_STRING uDeletePathName;
    RtlInitUnicodeString(&uDeletePathName, tmppath);
 
 
    OBJECT_ATTRIBUTES                 objAttributes = { 0 };
    InitializeObjectAttributes(&objAttributes, &uDeletePathName, OBJ_KERNEL_HANDLE | OBJ_CASE_INSENSITIVE, NULL, NULL);
 
 
    NTSTATUS ntStatus = ZwCreateFile(
        &handle,
        SYNCHRONIZE | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES,
        &objAttributes,
        &ioStatus,
        NULL,
        FILE_ATTRIBUTE_NORMAL,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
        FILE_OPEN,
        FILE_SYNCHRONOUS_IO_NONALERT,
        NULL,
        0);
    if (NT_SUCCESS(ntStatus))
    {
        PFILE_OBJECT FileObject;
 
        ntStatus = ObReferenceObjectByHandle(handle,
            DELETE,
            *IoFileObjectType,
            KernelMode,
            &FileObject,
            NULL);
 
        if (!NT_SUCCESS(ntStatus))
        {
            ZwClose(handle);
            return ntStatus;
        }
 
 
        if (MmIsAddressValid(NtfsDecrementCleanupCounts))
        {
 
            PVOID pSCB = FileObject->FsContext;
            PVOID pCCB = FileObject->FsContext2;
 
            NtfsDecrementCleanupCounts(0, pSCB, 0, FileObject->Flags & 8, 0);
 
        }
        else
        {
            ntStatus = STATUS_INVALID_PARAMETER;
        }
 
 
        ObDereferenceObject(FileObject);
 
        ZwClose(handle);
 
 
 
 
 
    }
 
    kprintf("ntStatus %ws %x\n", szPath, ntStatus);
    return ntStatus;
}

第一次写。。。不知道怎么去描述

[培训]Windows内核深度攻防：从Hook技术到Rootkit实战！

#系统内核

收藏・5

免费・1

支持

最新回复 (3)
mb_ifkgrbhh 雪币： 201 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	mb_ifkgrbhh 2 楼 Mark 2025-10-17 20:33 0
qq小雨的雪币： 212 活跃值： (1469) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 41 粉丝 0 关注私信	qq小雨的 3 楼 Mark 2025-11-21 20:50 0
幸运三叶草雪币： 435 活跃值： (1703) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 18 粉丝 0 关注私信	幸运三叶草 4 楼学到了，mark一下 2025-11-24 13:58 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

ThanatosKer

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (3)
mb_ifkgrbhh 雪币： 201 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	mb_ifkgrbhh 2 楼 Mark 2025-10-17 20:33 0
qq小雨的雪币： 212 活跃值： (1469) 能力值： ( LV2，RANK：10 ) 在线值：发帖 10 回帖 41 粉丝 0 关注私信	qq小雨的 3 楼 Mark 2025-11-21 20:50 0
幸运三叶草雪币： 435 活跃值： (1703) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 18 粉丝 0 关注私信	幸运三叶草 4 楼学到了，mark一下 2025-11-24 13:58 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[讨论]解锁Irp文件占坑的方法

先上链接: https://bbs.kanxue.com/thread-257384.htm

1.很简单 只用调用一个函数 NtfsDecrementCleanupCounts这个函数

IDA 的代码显示 win7x64 ntfs.sys NtfsDecrementCleanupCounts 函数

3. 我的代码

第一次写。。。不知道怎么去描述

1.很简单只用调用一个函数 NtfsDecrementCleanupCounts这个函数