网上很多方法都是Ring0内核进程和句柄互相转换的方法,查了一下没怎么看到说怎么将用户模式句柄转换为内核句柄的。如果内核获取到的是目标进程的句柄,拷贝到内核模式是不能直接使用的,会引发异常。
目前想到的实现思路是:
本人是菜鸟,各位师傅如果知道其他的方法跪求指点!!!
实现代码:
伪句柄转换为真实句柄,可以调用复制对象句柄的DuplicateHandle。
微软官方在对此函数的解释中,说明了如果 hSourceHandle 是伪句柄, 会将其转换为进程或线程的实际句柄。
ObOpenObjectByPointer 函数 (ntifs.h) - Windows drivers | Microsoft Learn
ObReferenceObjectByHandle 函数 (wdm.h) - Windows drivers | Microsoft Learn
DuplicateHandle 函数 (handleapi.h) - Win32 apps | Microsoft Learn
伪句柄转换为真正的句柄 - 沉疴 - 博客园 (cnblogs.com)
NTSTATUS ConvertKernelHandle(
IN HANDLE UserHandle,
OUT PHANDLE KernelHandle,
POBJECT_TYPE ObjectType
)
{
NTSTATUS Status = STATUS_SUCCESS;
PVOID Object = NULL;
LONG v1 = (LONG)UserHandle;
if (KernelHandle == NULL)
{
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
if (v1 <= 0)
{
*KernelHandle = UserHandle;
Status = STATUS_SUCCESS;
goto Exit;
}
Status = ObReferenceObjectByHandle(
UserHandle,
0,
ObjectType,
UserMode,
&Object,
NULL
);
if (Status != STATUS_SUCCESS)
{
goto Exit;
}
Status = ObOpenObjectByPointer(
Object,
OBJ_KERNEL_HANDLE,
0,
0,
NULL,
KernelMode,
KernelHandle
);
if (*KernelHandle == UserHandle) {
Status = STATUS_UNSUCCESSFUL;
}
Exit:
if (Object != NULL) {
ObDereferenceObject(Object);
}
return Status;
}
NTSTATUS ConvertKernelHandle(
IN HANDLE UserHandle,
OUT PHANDLE KernelHandle,
POBJECT_TYPE ObjectType
)
{
NTSTATUS Status = STATUS_SUCCESS;
PVOID Object = NULL;
LONG v1 = (LONG)UserHandle;
if (KernelHandle == NULL)
{
Status = STATUS_INVALID_PARAMETER;
goto Exit;
}
if (v1 <= 0)
{
*KernelHandle = UserHandle;
Status = STATUS_SUCCESS;
goto Exit;
}
Status = ObReferenceObjectByHandle(
UserHandle,
0,
ObjectType,
UserMode,
&Object,
NULL
);
[注意]看雪招聘,专注安全领域的专业人才平台!
