c++ - windows 系统枚举任意内核进程对象的问题
黄舟
黄舟 2017-04-17 13:08:39
0
2
1127

原文地址:http://www.tuicool.com/articles/vaeAB3

最后一个方法 void EnumObjInfo(LPVOID pBuffer, DWORD pid)

pBuffer 是传什么进去?

// ConsoleApplication1.cpp : 定义控制台应用程序的入口点。
//

#include <stdio.h>
#include <tchar.h>
#include <windows.h>
//#include "ntsecapi.h"


typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,              // 0        Y        N
    SystemProcessorInformation,          // 1        Y        N
    SystemPerformanceInformation,        // 2        Y        N
    SystemTimeOfDayInformation,          // 3        Y        N
    SystemNotImplemented1,               // 4        Y        N
    SystemProcessesAndThreadsInformation, // 5       Y        N
    SystemCallCounts,                    // 6        Y        N
    SystemConfigurationInformation,      // 7        Y        N
    SystemProcessorTimes,                // 8        Y        N
    SystemGlobalFlag,                    // 9        Y        Y
    SystemNotImplemented2,               // 10       Y        N
    SystemModuleInformation,             // 11       Y        N
    SystemLockInformation,               // 12       Y        N
    SystemNotImplemented3,               // 13       Y        N
    SystemNotImplemented4,               // 14       Y        N
    SystemNotImplemented5,               // 15       Y        N
    SystemHandleInformation,             // 16       Y        N
    SystemObjectInformation,             // 17       Y        N
    SystemPagefileInformation,           // 18       Y        N
    SystemInstructionEmulationCounts,    // 19       Y        N
    SystemInvalidInfoClass1,             // 20
    SystemCacheInformation,              // 21       Y        Y
    SystemPoolTagInformation,            // 22       Y        N
    SystemProcessorStatistics,           // 23       Y        N
    SystemDpcInformation,                // 24       Y        Y
    SystemNotImplemented6,               // 25       Y        N
    SystemLoadImage,                     // 26       N        Y
    SystemUnloadImage,                   // 27       N        Y
    SystemTimeAdjustment,                // 28       Y        Y
    SystemNotImplemented7,               // 29       Y        N
    SystemNotImplemented8,               // 30       Y        N
    SystemNotImplemented9,               // 31       Y        N
    SystemCrashDumpInformation,          // 32       Y        N
    SystemExceptionInformation,          // 33       Y        N
    SystemCrashDumpStateInformation,     // 34       Y        Y/N
    SystemKernelDebuggerInformation,     // 35       Y        N
    SystemContextSwitchInformation,      // 36       Y        N
    SystemRegistryQuotaInformation,      // 37       Y        Y
    SystemLoadAndCallImage,              // 38       N        Y
    SystemPrioritySeparation,            // 39       N        Y
    SystemNotImplemented10,              // 40       Y        N
    SystemNotImplemented11,              // 41       Y        N
    SystemInvalidInfoClass2,             // 42
    SystemInvalidInfoClass3,             // 43
    SystemTimeZoneInformation,           // 44       Y        N
    SystemLookasideInformation,          // 45       Y        N
    SystemSetTimeSlipEvent,              // 46       N        Y
    SystemCreateSession,                 // 47       N        Y
    SystemDeleteSession,                 // 48       N        Y
    SystemInvalidInfoClass4,             // 49
    SystemRangeStartInformation,         // 50       Y        N
    SystemVerifierInformation,           // 51       Y        Y
    SystemAddVerifier,                   // 52       N        Y
    SystemSessionProcessesInformation    // 53       Y        N
} SYSTEM_INFORMATION_CLASS;

typedef NTSTATUS(WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);
typedef enum _OBJECT_INFORMATION_CLASS {
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectAllInformation,
    ObjectDataInformation,
} OBJECT_INFORMATION_CLASS;
typedef NTSTATUS(NTAPI *NTQUERYOBJECT)(
    HANDLE Handle,
    OBJECT_INFORMATION_CLASS ObjectInformationClass,
    PVOID ObjectInformation,
    ULONG ObjectInformationLength,
    PULONG ReturnLength
    );
typedef struct _UNICODE_STRING {
    USHORT  Length;     //UNICODE占用的内存字节数,个数*2;
    USHORT  MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
}SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_INFORMATION Information[1];
}SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
#define SystemHandleInformation 0x10  // 16



ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;// = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
NTQUERYOBJECT    NtQueryObject;// = (NTQUERYOBJECT)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryObject");
                               /*功能函数体*/
void EnumObjInfo(LPVOID pBuffer, DWORD pid);
int _tmain1(int argc, _TCHAR* argv[])
{
     ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "ZwQuerySystemInformation");
        NtQueryObject = (NTQUERYOBJECT)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtQueryObject");
    
    EnumObjInfo("Mutant",3816);

}

void EnumObjInfo(LPVOID pBuffer, DWORD pid)
{
    char szType[128] = { 0 };
    char szName[512] = { 0 };
    DWORD dwFlags = 0;

    POBJECT_NAME_INFORMATION pNameInfo;
    POBJECT_NAME_INFORMATION pNameType;

    PSYSTEM_HANDLE_INFORMATION_EX pInfo = (PSYSTEM_HANDLE_INFORMATION_EX)pBuffer;
    ULONG OldPID = 0;
    for (DWORD i = 0; i < pInfo->NumberOfHandles; i++)
    {
        if (OldPID != pInfo->Information[i].ProcessId)
        {
            if (pInfo->Information[i].ProcessId == pid)
            {

                HANDLE newHandle;
                DuplicateHandle(OpenProcess(PROCESS_ALL_ACCESS, FALSE, pInfo->Information[i].ProcessId), (HANDLE)pInfo->Information[i].Handle, GetCurrentProcess(), &newHandle, DUPLICATE_SAME_ACCESS, FALSE, DUPLICATE_SAME_ACCESS);
                NTSTATUS status1 = NtQueryObject(newHandle, ObjectNameInformation, szName, 512, &dwFlags);
                NTSTATUS status2 = NtQueryObject(newHandle, ObjectTypeInformation, szType, 128, &dwFlags);
                if (strcmp(szName, "") && strcmp(szType, "") && status1 != 0xc0000008 && status2 != 0xc0000008)
                {
                    pNameInfo = (POBJECT_NAME_INFORMATION)szName;
                    pNameType = (POBJECT_NAME_INFORMATION)szType;
                    printf("%wZ   ", pNameType);
                    printf("%wZ \n", pNameInfo);
                }
            }
        }
    }

}
黄舟
黄舟

人生最曼妙的风景,竟是内心的淡定与从容!

reply all(2)
阿神

It can be seen from the code that pBuffer represents the kernel object type name. Mutant is a mutant, Section is a memory file mapping, Semaphore is a semaphore, Thread and Process are not explained, Event is an event, File is a file, IoCompletion is a completion port... There are other types of kernel objects, please check for details. Reference WRK.

黄舟

First:

PSYSTEM_HANDLE_INFORMATION_EX pInfo = (PSYSTEM_HANDLE_INFORMATION_EX)pBuffer

So pBuffer is PSYSTEM_HANDLE_INFORMATION_EX, then let’s look at its definition:

typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_INFORMATION Information[1];
}SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX

This is an array of SYSTEM_HANDLE_INFORAMTION, but the difference is that a NumberOfHandlers is needed to tell you how long the Information is. So if you want to provide an array with a length of 5, the size of malloc you need is

sizeof(ULONG) + 5 * sizeof(SYSTEM_HANDLE_INFORMATION)

But what I’m curious about is, why does a string need to be passed into the main function? The pBuffer of this function is definitely not a string. As can be seen from the code, this pBuffer is allocated by the GetSystemProcessHandleInfo function in the article you posted. ZwQuerySystemInformation will finally fill the buffer you gave according to the above format (but it doesn’t tell you how long it is, so you need to use a loop to try continuously), fill in all this information, and then you can Print it out in EnumObjInfo.

So you should first call GetSystemProcessHandleInfo and then throw it directly to EnumObjInfo.

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template