[原创]枚举系统句柄-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]枚举系统句柄

发表于: 2008-10-17 15:33 10490

[原创]枚举系统句柄

nightxie

2008-10-17 15:33

10490

之前我在这儿问了关于这个驱动的问题。感谢sudami的回复。。。问题解决了，这里把我的代码贴出来。。

原来问的问题：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

一直在使用一个小工具叫unlocker。知道它是用关闭句柄的方法来删除文件的，但是自己也没有怎么研究过这东西。传说中更厉害的方法是直接向磁盘写0和Xcb大法，最近准备好好研究这些删除方法。那么就从句柄开始吧。这里我只做枚举句柄的工作，因为关闭句柄就是把ZwDuplicateObject 的Options 这个参数赋值为DUPLICATE_CLOSE_SOURCE 。这里还要感谢一下sudami和NetRoc同学。。。O(∩_∩)O哈哈~
 
#include <ntddk.h>
 
 
#define AYA_DEVICE L"\\Device\\EnumHandle"
#define AYA_LINK L"\\DosDevices\\EnumHandle"
 
#define SystemHandleInformation 16
 
#define OB_TYPE_PROCESS                 5
 
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;
    UCHAR HandleAttributes;
    USHORT HandleValue;
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
 
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
 
typedef enum _OBJECT_INFORMATION_CLASS { 
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllInformation,
ObjectDataInformation
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
 
typedef struct _OBJECT_BASIC_INFORMATION {
ULONG                   Attributes;
ACCESS_MASK             DesiredAccess;
ULONG                   HandleCount;
ULONG                   ReferenceCount;
ULONG                   PagedPoolUsage;
ULONG                   NonPagedPoolUsage;
ULONG                   Reserved[3];
ULONG                   NameInformationLength;
ULONG                   TypeInformationLength;
ULONG                   SecurityDescriptorLength;
LARGE_INTEGER           CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
 
typedef struct _KOBJECT_NAME_INFORMATION { 
UNICODE_STRING          Name;
WCHAR                   NameBuffer[];
} KOBJECT_NAME_INFORMATION, *PKOBJECT_NAME_INFORMATION;
 
typedef struct _OBJECT_TYPE_INFORMATION { 
UNICODE_STRING          TypeName;
ULONG                   TotalNumberOfHandles;
ULONG                   TotalNumberOfObjects;
WCHAR                   Unused1[8];
ULONG                   HighWaterNumberOfHandles;
ULONG                   HighWaterNumberOfObjects;
WCHAR                   Unused2[8];
ACCESS_MASK             InvalidAttributes;
GENERIC_MAPPING         GenericMapping;
ACCESS_MASK             ValidAttributes;
BOOLEAN                 SecurityRequired;
BOOLEAN                 MaintainHandleCount;
USHORT                  MaintainTypeList;
POOL_TYPE               PoolType;
ULONG                   DefaultPagedPoolCharge;
ULONG                   DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
 
 
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject(
     IN HANDLE Handle,
     IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
     OUT PVOID ObjectInformation,
     IN ULONG ObjectInformationLength,
     OUT PULONG ReturnLength OPTIONAL
     );
 
 
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(    
       ULONG    SystemInformationClass,
       PVOID    SystemInformation,
       ULONG    SystemInformationLength,
       PULONG    ReturnLength
       );
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(
      IN HANDLE SourceProcessHandle,
      IN HANDLE SourceHandle,
      IN HANDLE TargetProcessHandle OPTIONAL,
      OUT PHANDLE TargetHandle OPTIONAL,
      IN ACCESS_MASK DesiredAccess,
      IN ULONG HandleAttributes,
      IN ULONG Options
      );
 
NTSYSAPI 
NTSTATUS
NTAPI
ZwOpenProcess(     
     OUT PHANDLE             ProcessHandle,
     IN ACCESS_MASK          AccessMask,
     IN POBJECT_ATTRIBUTES   ObjectAttributes,
     IN PCLIENT_ID           ClientId 
     );
 
 
NTSTATUS NTAPI AYA_EnumHandle();
void AYA_Unload( IN PDRIVER_OBJECT pDriverObj )
{
UNICODE_STRING Temp;
RtlInitUnicodeString( &Temp ,AYA_LINK );
IoDeleteSymbolicLink( &Temp );
IoDeleteDevice( pDriverObj->DeviceObject );
}
 
NTSTATUS AYA_Dispatch( IN PDEVICE_OBJECT pDeviceObj ,IN PIRP pIrp )
{
NTSTATUS ns = STATUS_SUCCESS;
PIO_STACK_LOCATION stIrp;
 
stIrp = IoGetCurrentIrpStackLocation( pIrp );
 
switch( stIrp->MajorFunction )
{
case IRP_MJ_CREATE:
   break;
case IRP_MJ_CLOSE:
   break;
case IRP_MJ_DEVICE_CONTROL:
   break;
default:
   pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
   break;
}
 
ns = pIrp->IoStatus.Status;
IoCompleteRequest( pIrp ,IO_NO_INCREMENT );
return ns;
}
 
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObj ,IN PUNICODE_STRING RegistryPath )
{
NTSTATUS ns = STATUS_SUCCESS;
UNICODE_STRING AYA;
UNICODE_STRING AYAL;
PDEVICE_OBJECT pDevice;
 
ns = AYA_EnumHandle();
RtlInitUnicodeString( &AYA ,AYA_DEVICE );
ns = IoCreateDevice( pDriverObj ,0 ,&AYA ,FILE_DEVICE_UNKNOWN ,0 ,FALSE ,&pDevice );
 
RtlInitUnicodeString( &AYAL ,AYA_LINK );
ns = IoCreateSymbolicLink( &AYAL ,&AYA );
 
pDriverObj->MajorFunction[IRP_MJ_CREATE]    = 
pDriverObj->MajorFunction[IRP_MJ_CLOSE]     =
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = AYA_Dispatch;
 
pDriverObj->DriverUnload = AYA_Unload;
 
 
return ns;
 
}
 
 
NTSTATUS AYA_EnumHandle()
{
NTSTATUS ns = STATUS_SUCCESS;
ULONG ulSize;
PVOID pSysBuffer;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
SYSTEM_HANDLE_TABLE_ENTRY_INFO pSysHandleTEI;
OBJECT_BASIC_INFORMATION BasicInfo;   
PKOBJECT_NAME_INFORMATION pNameInfo;   
    POBJECT_TYPE_INFORMATION pTypeInfo; 
OBJECT_ATTRIBUTES oa;
ULONG ulProcessID;
HANDLE hProcess;
HANDLE hHandle;
HANDLE hDupObj;
CLIENT_ID cid;
ULONG i;
 
ulSize = 100;
do
{ 
   pSysBuffer = ExAllocatePoolWithTag( PagedPool ,ulSize ,'A0');
   ns = ZwQuerySystemInformation( SystemHandleInformation ,pSysBuffer ,ulSize ,NULL );
   ulSize *= 2;
   if ( !NT_SUCCESS( ns ) )
   {
    ExFreePool( pSysBuffer );
   }
 
} while( !NT_SUCCESS( ns ) );
 
 
pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)pSysBuffer;
for ( i = 0 ;i < pSysHandleInfo->NumberOfHandles ;i++ )
{
   pSysHandleTEI = pSysHandleInfo->Handles[i];
 
   if ( pSysHandleTEI.ObjectTypeIndex != OB_TYPE_PROCESS )
   {
    continue;
   }
 
   ulProcessID = (ULONG)pSysHandleTEI.UniqueProcessId;
   cid.UniqueProcess = (HANDLE)ulProcessID;
   cid.UniqueThread = (HANDLE)0;
   hHandle = (HANDLE)pSysHandleTEI.HandleValue;
 
 
   InitializeObjectAttributes( &oa ,NULL ,0 ,NULL ,NULL );
   ns = ZwOpenProcess( &hProcess ,PROCESS_DUP_HANDLE ,&oa ,&cid );
   if ( !NT_SUCCESS( ns ) )
   {
    KdPrint(( "ZwOpenProcess : Fail " ));
    break;
   }
   ns = ZwDuplicateObject( hProcess ,hHandle ,NtCurrentProcess() ,&hDupObj ,\
    PROCESS_ALL_ACCESS ,0 ,DUPLICATE_SAME_ACCESS );
   
   if ( !NT_SUCCESS( ns ) )
   {
    KdPrint(( "ZwDuplicateObject : Fail " ));
    break;
   }
   
   ZwQueryObject( hDupObj ,ObjectBasicInformation ,&BasicInfo ,\
    sizeof( OBJECT_BASIC_INFORMATION ) ,NULL );
   
   pNameInfo = ExAllocatePoolWithTag( PagedPool ,BasicInfo.NameInformationLength ,'A1');
   RtlZeroMemory( pNameInfo ,BasicInfo.NameInformationLength );
   
   ZwQueryObject( hDupObj ,ObjectNameInformation ,pNameInfo ,\
    BasicInfo.NameInformationLength ,NULL );
   
   pTypeInfo = ExAllocatePoolWithTag( PagedPool ,BasicInfo.TypeInformationLength ,'A2');
   RtlZeroMemory( pTypeInfo ,BasicInfo.TypeInformationLength );
   
   ZwQueryObject( hDupObj ,ObjectTypeInformation ,pTypeInfo ,\
    BasicInfo.TypeInformationLength ,NULL );
   
   KdPrint(( "NAME:%wZ\t\t\tTYPE:%wZ\n" ,&(pNameInfo->Name) ,&(pTypeInfo->TypeName) ));
   
   ExFreePool( pNameInfo );
   ExFreePool( pTypeInfo );
   
}
 
ZwClose( hDupObj );
ZwClose( hProcess );
ZwClose( hHandle );
ExFreePool( pSysBuffer );
 
if ( !NT_SUCCESS( ns ) )
{
   return STATUS_UNSUCCESSFUL;
}
 
return ns;
 
 
}

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

收藏・9

免费・7

支持

赞赏记录

参与人

雪币

留言

时间

Youlor

为你点赞~

2024-1-4 02:04

伟叔叔

为你点赞~

2023-11-24 00:09

QinBeast

为你点赞~

2023-9-2 00:10

PLEBFE

为你点赞~

2023-8-25 01:30

shinratensei

为你点赞~

2023-8-9 00:30

心游尘世外

为你点赞~

2023-7-28 05:40

飘零丶

为你点赞~

2023-7-16 00:03

最新回复 (2)
sudami 雪币： 709 活跃值： (2455) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 67 关注私信	sudami 25 2 楼建议你先动态调试一下驱动.问题马上就出来了... 2008-10-17 18:21 0
nightxie 雪币： 86 活跃值： (61) 能力值： ( LV9，RANK：160 ) 在线值：发帖 11 回帖 71 粉丝 2 关注私信	nightxie 3 3 楼解决了。。。HOHO~~~~~~~~Thank you all the same~~~~ 2008-10-17 21:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

nightxie

发帖

回帖

160

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
sudami 雪币： 709 活跃值： (2455) 能力值： ( LV12，RANK：1010 ) 在线值：发帖 71 回帖 1581 粉丝 67 关注私信	sudami 25 2 楼建议你先动态调试一下驱动.问题马上就出来了... 2008-10-17 18:21 0
nightxie 雪币： 86 活跃值： (61) 能力值： ( LV9，RANK：160 ) 在线值：发帖 11 回帖 71 粉丝 2 关注私信	nightxie 3 3 楼解决了。。。HOHO~~~~~~~~Thank you all the same~~~~ 2008-10-17 21:39 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[原创]枚举系统句柄

账号登录 验证码登录

账号登录

验证码登录