#include <windows.h>
#include <stdio.h>
#include <aclapi.h>
#include <conio.h>
/*
* you'll find a list of NTSTATUS status codes in the DDK header
* ntstatus.h (\WINDDK\2600.1106\inc\ddk\wxp\)
*/
#define NT_SUCCESS(status) ((NTSTATUS)(status)>=0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
/*
*************************************************************************
* ntddk.h
*/
typedef LONG NTSTATUS;
typedef ULONG ACCESS_MASK;
/*
* ntdef.h
*************************************************************************
*/
/*
*************************************************************************
* <<Windows NT/2000 Native API Reference>> - Gary Nebbett
*/
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
/*
*Information Class 16
*/
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
#define InitializeObjectAttributes( p, n, a, r, s ) { (p)->Length = sizeof( OBJECT_ATTRIBUTES ); (p)->RootDirectory = r; (p)->Attributes = a; (p)->ObjectName = n; (p)->SecurityDescriptor = s; (p)->SecurityQualityOfService = NULL; }
/*
*************************************************************************
* <<Windows NT/2000 Native API Reference>> - Gary Nebbett
*************************************************************************
*/
typedef ULONG ( __stdcall *RTLNTSTATUSTODOSERROR ) ( IN NTSTATUS Status );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) ( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID
SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL );
/************************************************************************
* *
* Function Prototype *
* *
************************************************************************/
static DWORD GetEprocessFromPid ( ULONG PID );
static BOOL LocateNtdllEntry ( void );
/************************************************************************
* *
* Static Global Var *
* *
************************************************************************/
static RTLNTSTATUSTODOSERROR RtlNtStatusToDosError = NULL;
static ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
static HMODULE hModule = NULL;
/************************************************************************/
static DWORD GetEprocessFromPid ( ULONG PID )
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
for ( size = 1; ; size *= 2 )
{
if ( NULL == ( buf = calloc( size, 1 ) ) )
{
fprintf( stderr, "calloc( %u, 1 ) failed\n", size );
goto GetEprocessFromPid_exit;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
if ( !NT_SUCCESS( status ) )
{
if ( STATUS_INFO_LENGTH_MISMATCH == status )
{
free( buf );
buf = NULL;
}
else
{
printf( "ZwQuerySystemInformation() failed");
goto GetEprocessFromPid_exit;
}
}
else
{
break;
}
} /* end of for */
//返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
NumOfHandle = (ULONG)buf;
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf+4);
for(i = 0; i<NumOfHandle ;i++)
{
if( ( h_info[i].ProcessId == PID )&&( h_info[i].ObjectTypeNumber == 5 ))//&&( h_info[i].Handle==0x3d8 ) )
{
printf("Handle:0x%x,OBJECT 0x%x\n\r",h_info[i].Handle,h_info[i].Object);
return((DWORD)(h_info[i].Object));
}
}
GetEprocessFromPid_exit:
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
return(FALSE);
}
/*
* ntdll.dll
*/
static BOOL LocateNtdllEntry ( void )
{
BOOL ret = FALSE;
char NTDLL_DLL[] = "ntdll.dll";
HMODULE ntdll_dll = NULL;
if ( ( ntdll_dll = GetModuleHandle( NTDLL_DLL ) ) == NULL )
{
printf( "GetModuleHandle() failed");
return( FALSE );
}
if ( !( ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( ntdll_dll, "ZwQuerySystemInformation" ) )
)
{
goto LocateNtdllEntry_exit;
}
ret = TRUE;
LocateNtdllEntry_exit:
if ( FALSE == ret )
{
printf( "GetProcAddress() failed");
}
ntdll_dll = NULL;
return( ret );
} /* end of LocateNtdllEntry */
int main(int argc,char **argv)
{
LocateNtdllEntry( );
//打开自身句柄,这样才能在handle列表中找到自己,PROCESS 对应 ObjectTypeNum 为5
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
DWORD Addr = GetEprocessFromPid( (DWORD)GetCurrentProcessId() );
printf("result: Current EPROCESS's Address is 0x%x \n\r",Addr); //这个显示EPROCESS没问题
printf("result: Current EPROCESS's Address is 0x%x \n\r",(DWORD)*(DWORD *)(Addr + 0xbc)); //这里显示 DebugPort 就出错啦,是不是在r3模式下不能读取这段
return TRUE;
}
[课程]Android-CTF解题方法汇总!
