• Ring3句柄表的枚举


    由于 Windows 并没有公开枚举所有句柄所需的 API，要获得句柄，我们必须使用未公开的 Native API，即如下函数：
    // Undocumented ntdll export (see the text above). It returns an NTSTATUS;
    // STATUS_INFO_LENGTH_MISMATCH means SystemInformationLength was too small and
    // the query must be retried with a larger buffer, which is what the
    // enumeration loop below does. The caller checks its function pointer for
    // NULL before calling it.
    NTSTATUS WINAPI NtQuerySystemInformation(
      _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,   // which table to query, e.g. SystemHandleInformation
      _Inout_   PVOID                    SystemInformation,        // caller-owned output buffer
      _In_      ULONG                    SystemInformationLength,  // size of that buffer in bytes
      _Out_opt_ PULONG                   ReturnLength              // bytes written / required, may be NULL
    );
    枚举的关键是使用 NtQuerySystemInformation。注意它的第一个参数 SystemInformationClass：它是一个枚举，指定我们要查询的信息类别，定义如下；我们在这里使用的是 SystemHandleInformation(16)，这很重要。

     
    // Information classes accepted by NtQuerySystemInformation. The numeric
    // values are what the kernel checks, so they are written out explicitly
    // here; the order must not be changed. SystemHandleInformation (16) is the
    // class used by the enumeration code below.
    typedef enum _SYSTEM_INFORMATION_CLASS {
        SystemBasicInformation                        = 0,
        SystemProcessorInformation                    = 1,
        SystemPerformanceInformation                  = 2,
        SystemTimeOfDayInformation                    = 3,
        SystemPathInformation                         = 4,
        SystemProcessInformation                      = 5,
        SystemCallCountInformation                    = 6,
        SystemDeviceInformation                       = 7,
        SystemProcessorPerformanceInformation         = 8,
        SystemFlagsInformation                        = 9,
        SystemCallTimeInformation                     = 10,
        SystemModuleInformation                       = 11,
        SystemLocksInformation                        = 12,
        SystemStackTraceInformation                   = 13,
        SystemPagedPoolInformation                    = 14,
        SystemNonPagedPoolInformation                 = 15,
        SystemHandleInformation                       = 16,  // system-wide handle table
        SystemObjectInformation                       = 17,
        SystemPageFileInformation                     = 18,
        SystemVdmInstemulInformation                  = 19,
        SystemVdmBopInformation                       = 20,
        SystemFileCacheInformation                    = 21,
        SystemPoolTagInformation                      = 22,
        SystemInterruptInformation                    = 23,
        SystemDpcBehaviorInformation                  = 24,
        SystemFullMemoryInformation                   = 25,
        SystemLoadGdiDriverInformation                = 26,
        SystemUnloadGdiDriverInformation              = 27,
        SystemTimeAdjustmentInformation               = 28,
        SystemSummaryMemoryInformation                = 29,
        SystemMirrorMemoryInformation                 = 30,
        SystemPerformanceTraceInformation             = 31,
        SystemObsolete0                               = 32,
        SystemExceptionInformation                    = 33,
        SystemCrashDumpStateInformation               = 34,
        SystemKernelDebuggerInformation               = 35,
        SystemContextSwitchInformation                = 36,
        SystemRegistryQuotaInformation                = 37,
        SystemExtendServiceTableInformation           = 38,
        SystemPrioritySeperation                      = 39,
        SystemVerifierAddDriverInformation            = 40,
        SystemVerifierRemoveDriverInformation         = 41,
        SystemProcessorIdleInformation                = 42,
        SystemLegacyDriverInformation                 = 43,
        SystemCurrentTimeZoneInformation              = 44,
        SystemLookasideInformation                    = 45,
        SystemTimeSlipNotification                    = 46,
        SystemSessionCreate                           = 47,
        SystemSessionDetach                           = 48,
        SystemSessionInformation                      = 49,
        SystemRangeStartInformation                   = 50,
        SystemVerifierInformation                     = 51,
        SystemVerifierThunkExtend                     = 52,
        SystemSessionProcessInformation               = 53,
        SystemLoadGdiDriverInSystemSpace              = 54,
        SystemNumaProcessorMap                        = 55,
        SystemPrefetcherInformation                   = 56,
        SystemExtendedProcessInformation              = 57,
        SystemRecommendedSharedDataAlignment          = 58,
        SystemComPlusPackage                          = 59,
        SystemNumaAvailableMemory                     = 60,
        SystemProcessorPowerInformation               = 61,
        SystemEmulationBasicInformation               = 62,
        SystemEmulationProcessorInformation           = 63,
        SystemExtendedHandleInformation               = 64,
        SystemLostDelayedWriteInformation             = 65,
        SystemBigPoolInformation                      = 66,
        SystemSessionPoolTagInformation               = 67,
        SystemSessionMappedViewInformation            = 68,
        SystemHotpatchInformation                     = 69,
        SystemObjectSecurityMode                      = 70,
        SystemWatchdogTimerHandler                    = 71,
        SystemWatchdogTimerInformation                = 72,
        SystemLogicalProcessorInformation             = 73,
        SystemWow64SharedInformation                  = 74,
        SystemRegisterFirmwareTableInformationHandler = 75,
        SystemFirmwareTableInformation                = 76,
        SystemModuleInformationEx                     = 77,
        SystemVerifierTriageInformation               = 78,
        SystemSuperfetchInformation                   = 79,
        SystemMemoryListInformation                   = 80,
        SystemFileCacheInformationEx                  = 81,
        MaxSystemInfoClass                            = 82   // must stay the last enumerator
    } SYSTEM_INFORMATION_CLASS;
    第 17 项（枚举值 16）的 SystemHandleInformation 就是我们想要的东西，把这个值传入 NtQuerySystemInformation 即可。
     
     然后我们利用 ObjectTypeInformation 和 ObjectNameInformation（下面是它们所在的枚举定义）去查询对象类型和对象名字。这样我们就用这三项信息来做查询枚举，做一个小的 MFC 程序就可以知道句柄及其对应的对象类型、对象名字，是一个很简单的查阅工具。

    // Information classes accepted by NtQueryObject. Values are explicit so the
    // numbers the kernel expects are visible; ObjectNameInformation (1) and
    // ObjectTypeInformation (2) are the two used by the enumeration code below.
    typedef enum OBJECT_INFORMATION_CLASS
    {
        ObjectBasicInformation      = 0,
        ObjectNameInformation       = 1,
        ObjectTypeInformation       = 2,
        ObjectTypesInformation      = 3,
        ObjectHandleFlagInformation = 4,
        ObjectSessionInformation    = 5,
        MaxObjectInfoClass          = 6
    } OBJECT_INFORMATION_CLASS;

    当然，为了在 MFC 中显示，我们要有自己的数据结构来保存这些值，然后加入列表、显示等。这是我的结构体：

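    // One row of the handle listing shown in the MFC UI: the raw handle-table
    // entry plus the type/name strings and (for sections only) section details.
    // Every scalar member has a default so a freshly declared USER_DATA never
    // carries indeterminate values into the list; previously HandleValue and
    // ObjectValue were left uninitialized.
    typedef
    struct _USER_DATA_
    {
        HANDLE HandleValue = nullptr;       // handle value as it appears in the target process
        uint32_t GrantedAccess = 0;         // granted-access value copied from the handle entry
        uint32_t Flags = 0;                 // handle flags copied from the handle entry
        ULONG64 ObjectValue = 0;            // object value copied from the handle entry

        std::wstring ObjectTypeName;        // object type, e.g. L"Section"
        std::wstring ObjectName;            // object name, empty when the object has none
        SECTION_INFORMATION SectionInfo{};  // filled only when ObjectTypeName is "Section"
    } USER_DATA, *PUSER_DATA;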

    接下来是枚举的代码过程（节选），其中带有注释：

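    // The process handle is only ever used as the source process for
    // NtDuplicateObject below, so request just that right (least privilege):
    // PROCESS_ALL_ACCESS also fails against processes that permit handle
    // duplication but not full access.
    if ((ProcessHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, ProcessID)) == NULL)
    {
        return Status;
    }
    // All four native entry points are resolved elsewhere; give up if any is missing.
    if (__NtQuerySystemInformation == NULL || __NtDuplicateObject == NULL ||
        __NtQueryObject == NULL || __NtQuerySection == NULL)
    {
        goto Exit;
    }

    BufferData = (uint8_t*)VirtualAlloc(NULL, BufferLength, MEM_COMMIT /* commit backing pages */, PAGE_READWRITE);
    if (BufferData == NULL)  // comparison, not assignment: the original `= NULL` could never take this branch
    {
        goto Exit;
    }

    Status = __NtQuerySystemInformation(SystemHandleInformation, BufferData, BufferLength, &ReturnLength);
    // The handle table has no fixed size: keep doubling the buffer while the
    // kernel reports STATUS_INFO_LENGTH_MISMATCH. Each reallocation is checked
    // so a NULL buffer is never passed back to the kernel.
    while (Status == STATUS_INFO_LENGTH_MISMATCH)
    {
        BufferLength *= 2;
        VirtualFree(BufferData, 0, MEM_RELEASE);
        BufferData = (uint8_t*)VirtualAlloc(NULL, BufferLength, MEM_COMMIT, PAGE_READWRITE);
        if (BufferData == NULL)
        {
            goto Exit;
        }
        Status = __NtQuerySystemInformation(SystemHandleInformation, BufferData, BufferLength, &ReturnLength);
    }
    // Any other failure leaves the buffer contents undefined; do not walk it.
    if (!NT_SUCCESS(Status))
    {
        goto Exit;
    }
    // View the buffer as the handle table; the loop below reads ItemCount and Items.
    SE_SYSTEM_EHT_INFORMATION_T* SystemEHTInfo = (SE_SYSTEM_EHT_INFORMATION_T*)BufferData;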
    for (ULONG i = 0; i < SystemEHTInfo->ItemCount; i++)
    {
    if (SystemEHTInfo->Items[i].ProcessID != ProcessID)
    {
    continue;
    }
    //拷贝
    Status = __NtDuplicateObject(ProcessHandle, reinterpret_cast<HANDLE>(SystemEHTInfo->Items[i].HandleValue/*获得句柄所以 这样*/),
    GetCurrentProcess()/*给到当前*/, &DuplicatedHandle, 0, 0, DUPLICATE_SAME_ACCESS);//拷贝
    if (!NT_SUCCESS(Status))
    {
    continue;
    }
    //还是结构体模板
    //对象信息获得
    ObjectTypeInfo = (OBJECT_TYPE_INFORMATION_T*)malloc(0x1000);
    Status = __NtQueryObject(DuplicatedHandle, ObjectTypeInformation, ObjectTypeInfo, 0x1000, &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
    CloseHandle(DuplicateHandle);
    continue;
    }
    ObjectNameInfo = malloc(0x1000);
    Status = __NtQueryObject(DuplicatedHandle, ObjectNameInformation, ObjectNameInfo, 0x1000, &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
    if (Status==STATUS_INFO_LENGTH_MISMATCH)
    {
    ObjectNameInfo = realloc(ObjectNameInfo, ReturnLength);
    Status = __NtQueryObject(DuplicatedHandle, ObjectNameInformation, ObjectNameInfo, ReturnLength/*这儿有点意思*/, &ReturnLength);
    if (!NT_SUCCESS(Status))
    {
    goto Exit;
    }
    }
    else
    {
    goto Exit;
    }
    }

    ObjectName = *(_UNICODE_STRING_T<WCHAR*>*)ObjectNameInfo;
    //赋值到用户上
    v1.HandleValue = reinterpret_cast<HANDLE>(SystemEHTInfo->Items[i].HandleValue);
    v1.GrantedAccess = SystemEHTInfo->Items[i].GrantedAccess;
    v1.Flags = SystemEHTInfo->Items[i].Flags;
    v1.ObjectValue = SystemEHTInfo->Items[i].ObjectValue;
    //类型状态赋值
    if (ObjectTypeInfo->ObjectTypeName.BufferLength)
    v1.ObjectTypeName = (wchar_t*)ObjectTypeInfo->ObjectTypeName.BufferData;
    if (ObjectName.BufferLength)
    v1.ObjectName = ObjectName.BufferData;
    if (_wcsicmp(v1.ObjectTypeName.c_str(), L"Section") == 0)
    {
    SECTION_BASIC_INFORMATION_T SectionBasicInfo = { 0 };
    //结构提函数
    Status = __NtQuerySection(DuplicatedHandle, SectionBasicInformation, &SectionBasicInfo,
    (ULONG)sizeof(SectionBasicInfo), NULL);
    if (NT_SUCCESS(Status))
    {

    v1.SectionInfo.SectionSize = SectionBasicInfo.SectionSize/*T*/.QuadPart;
    v1.SectionInfo.SectionAttributes = SectionBasicInfo.Attributes;
    }
    }
    ProcessHandleInfo.push_back(v1);

  • 原文地址:https://www.cnblogs.com/L-Sunny/p/8352752.html