首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
[己解决]关于EXHANDLE的结构的几个疑问 [已解决]
发表于: 2008-1-7 16:56 5741

[己解决]关于EXHANDLE的结构的几个疑问 [已解决]

sudami 活跃值
25
2008-1-7 16:56
5741
google了很久,还是没有理解清楚。所以发帖问下 --
关于EXHANDLE的结构,XP SP2 和 W2K的结构是一样的不?怎么Windbg弄不出来呢?WRK也没得查啊。

WRK中的 ExpLookupHandleTableEntry 函数代码有个地方


EXHANDLE Handle;
Handle.Value ...


是不是W2K的EXHANDLE结构体中还多个参数Value啊?

下面这个EXHANDLE是不是XP下的呢?
typedef struct _EXHANDLE {
    union {
        struct {       
            ULONG TagBits : 2;
            ULONG Index : 30; 
        };
        HANDLE GenericHandleOverlay;
    };
} EXHANDLE, *PEXHANDLE;


句柄的值本身是个三层表的3个索引。简略的可以描述成下面这样的:

ExpLookupHandleTableEntry (
    IN PHANDLE_TABLE HandleTable,
    IN EXHANDLE Handle
    )
{
    ULONG i,j,k,l;      

    l = (Handle.Index >> 24) & 255;  
    i = (Handle.Index >> 16) & 255;
    j = (Handle.Index >> 8)  & 255;
    k = (Handle.Index)       & 255;
  
     return &(HandleTable->Table[i][j][k]);
}

GenericHandleOverlay保存传进来的进程ID
而EXHANDLE.Index = (GenericHandleOverlay/4) & 0x3FFFFFFF;
就是ID除4得到的值的后30位。

偶这样理解对不?

Index |_6_|__8_|__8_|__8_|
                  i    j    k
索引         0    1    2

下面的是WRK中关于 ExpLookupHandleTableEntry 的源码,偶看的很糊涂啊。有木有对这个函数理解很透彻的,还忘指点下子~~

PHANDLE_TABLE_ENTRY
ExpLookupHandleTableEntry (
    IN PHANDLE_TABLE HandleTable,
    IN EXHANDLE tHandle
    )
{
    ULONG_PTR i,j,k;
    ULONG_PTR CapturedTable;
    ULONG TableLevel;
    PHANDLE_TABLE_ENTRY Entry = NULL;
    EXHANDLE Handle;

    PUCHAR TableLevel1;
    PUCHAR TableLevel2;
    PUCHAR TableLevel3;

    ULONG_PTR MaxHandle;

    PAGED_CODE();

    Handle = tHandle;

    Handle.TagBits = 0;

    // nt!_HANDLE_TABLE +0x038 NextHandleNeedingPool : Uint4B
    MaxHandle = *(volatile ULONG *) &HandleTable->NextHandleNeedingPool;

    if (Handle.Value >= MaxHandle) {
        return NULL;        
    }

    CapturedTable = *(volatile ULONG_PTR *) &HandleTable->TableCode;

    TableLevel = (ULONG)(CapturedTable & LEVEL_CODE_MASK);
    CapturedTable = CapturedTable - TableLevel;

    switch (TableLevel) {
        
        case 0:
      
            TableLevel1 = (PUCHAR) CapturedTable;
            Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[Handle.Value *
                                                       (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];

            break;
        
        case 1:

            TableLevel2 = (PUCHAR) CapturedTable;

            i = Handle.Value % (LOWLEVEL_COUNT * HANDLE_VALUE_INC);

            Handle.Value -= i;
            j = Handle.Value / ((LOWLEVEL_COUNT * HANDLE_VALUE_INC) / sizeof (PHANDLE_TABLE_ENTRY));

            TableLevel1 =  (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel2[j];
            Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[i * (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];

            break;
        
        case 2:

            TableLevel3 = (PUCHAR) CapturedTable;

            i = Handle.Value  % (LOWLEVEL_COUNT * HANDLE_VALUE_INC);

            Handle.Value -= i;

            k = Handle.Value / ((LOWLEVEL_COUNT * HANDLE_VALUE_INC) / sizeof (PHANDLE_TABLE_ENTRY));

            j = k % (MIDLEVEL_COUNT * sizeof (PHANDLE_TABLE_ENTRY));

            k -= j;

            k /= MIDLEVEL_COUNT;


            TableLevel2 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel3[k];
            TableLevel1 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel2[j];
            Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[i * (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];

            break;

        default :
            _assume (0);
    }

    return Entry;
}

[课程]Linux pwn 探索篇!

收藏
免费 0
支持
分享
最新回复 (2)
笨笨雄
雪    币: 846
活跃值: (221)
能力值: (RANK:570 )
在线值:
发帖
回帖
粉丝
私信
2
typedef struct _EXHANDLE {

    union {

        struct {

            //
            //  Application available tag bits
            //

            ULONG TagBits : 2;

            //
            //  The handle table entry index
            //

            ULONG Index : 30;
        };

        HANDLE GenericHandleOverlay;
    };

} EXHANDLE, *PEXHANDLE;

PHANDLE_TABLE_ENTRY
ExpLookupHandleTableEntry (
    IN PHANDLE_TABLE HandleTable,
    IN EXHANDLE Handle
    )

/*++

Routine Description:

    This routine looks up and returns the table entry for the
    specified handle value.

Arguments:

    HandleTable - Supplies the handle table being queried

    Handle - Supplies the handle value being queried

Return Value:

    Returns a pointer to the corresponding table entry for the input
        handle.  Or NULL if the handle value is invalid (i.e., too large
        for the tables current allocation.

--*/

{
    ULONG i,j,k,l;

    PAGED_CODE();

    //
    //  Decode the handle index into its separate table indicies
    //

    l = (Handle.Index >> 24) & 255;
    i = (Handle.Index >> 16) & 255;
    j = (Handle.Index >> 8)  & 255;
    k = (Handle.Index)       & 255;

    //
    //  The last bits should be 0 into a valid handle. If a function calls
    //  ExpLookupHandleTableEntry for a kernel handle, it should decode the handle
    //  before.
    //

    if ( l != 0 ) {
        
        //
        //  Invalid handle. Return a NULL table entry.
        //

        return NULL;
    }

    //
    //  Check that the top level table is present
    //

    if (HandleTable->Table[i] == NULL) {

        return NULL;
    }

    //
    //  Check that the mid level table is present
    //

    if (HandleTable->Table[i][j] == NULL) {

        return NULL;
    }

    //
    //  Return a pointer to the table entry
    //

    return &(HandleTable->Table[i][j][k]);
}

帮你把2K的也帖出来
2008-1-7 17:17
0
sudami
雪    币: 709
活跃值: (2420)
能力值: ( LV12,RANK:1010 )
在线值:
发帖
回帖
粉丝
私信
3
呵呵,谢谢笨笨啦~~~

XP和W2K下 EXHANDLE 是有变化的。 XP 里面多了个value

typedef struct _EXHANDLE
{
union
{
struct
{
ULONG TagBits:2;
ULONG Index:30;
};
HANDLE GenericHandleOverlay;
ULONG_PTR Value;
};
} EXHANDLE, *PEXHANDLE;


[已解决]
2008-1-7 21:19
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//