[原创]枚举系统句柄
2008-10-17 15:33 9155

之前我在这儿问了关于这个驱动的问题。感谢sudami的回复。。。问题解决了,这里把我的代码贴出来。。

原来问的问题:
本来想写一个枚举句柄的驱动,可是不料出现了很奇怪的加载驱动失败的问题。我又太菜,看不出是为什么,所以跑过来请教各位大虾!



奇怪的地方是在DriverEntry里加上AYA_EnumHandle函数后,加载就失败,就是连DriverEntry都进不去了。。。但是去掉AYA_EnumHandle就正常加载驱动了。。。我无语了。
完全晕了。。。。。。


代码:
一直在使用一个小工具叫unlocker。知道它是用关闭句柄的方法来删除文件的,但是自己也没有怎么研究过这东西。传说中更厉害的方法是直接向磁盘写0和Xcb大法,最近准备好好研究这些删除方法。那么就从句柄开始吧。这里我只做枚举句柄的工作,因为关闭句柄就是把ZwDuplicateObject 的Options 这个参数赋值为DUPLICATE_CLOSE_SOURCE 。这里还要感谢一下sudami和NetRoc同学。。。O(∩_∩)O哈哈~

#include <ntddk.h>


/* Device and DOS-link names: created in DriverEntry, removed in AYA_Unload. */
#define AYA_DEVICE L"\\Device\\EnumHandle"
#define AYA_LINK L"\\DosDevices\\EnumHandle"

/* SYSTEM_INFORMATION_CLASS value for the system-wide handle table query. */
#define SystemHandleInformation 16

/*
 * ObjectTypeIndex of process objects; AYA_EnumHandle skips every handle
 * whose type index differs from this.  Object type indexes are assigned at
 * boot and differ between Windows versions, so this value only matches the
 * systems the code was written against and must be re-checked for any
 * other target rather than assumed.
 */
#define OB_TYPE_PROCESS                 5

/*
 * One entry of the SystemHandleInformation table.  Undocumented layout;
 * AYA_EnumHandle reads UniqueProcessId, ObjectTypeIndex and HandleValue.
 */
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    USHORT UniqueProcessId;        /* owning process id (16-bit field) */
    USHORT CreatorBackTraceIndex;
    UCHAR ObjectTypeIndex;         /* compared against OB_TYPE_PROCESS */
    UCHAR HandleAttributes;
    USHORT HandleValue;            /* handle value in the owning process's table only */
    PVOID Object;
    ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;

/*
 * Variable-length result of ZwQuerySystemInformation(SystemHandleInformation):
 * a count followed by NumberOfHandles entries.  The total size is not known
 * in advance, so the caller grows its buffer until the query succeeds (see
 * AYA_EnumHandle).
 */
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[];   /* flexible array member */
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

/*
 * Information classes accepted by ZwQueryObject.  Only the first three are
 * used in this file (AYA_EnumHandle queries basic, name and type info).
 */
typedef enum _OBJECT_INFORMATION_CLASS { 
ObjectBasicInformation,
ObjectNameInformation,
ObjectTypeInformation,
ObjectAllInformation,
ObjectDataInformation
} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;

/*
 * Result of ZwQueryObject(ObjectBasicInformation).  AYA_EnumHandle uses
 * NameInformationLength and TypeInformationLength as the buffer sizes for
 * the follow-up name and type queries; the other fields are not read here.
 */
typedef struct _OBJECT_BASIC_INFORMATION {
ULONG                   Attributes;
ACCESS_MASK             DesiredAccess;
ULONG                   HandleCount;
ULONG                   ReferenceCount;
ULONG                   PagedPoolUsage;
ULONG                   NonPagedPoolUsage;
ULONG                   Reserved[3];
ULONG                   NameInformationLength;      /* buffer size for ObjectNameInformation */
ULONG                   TypeInformationLength;      /* buffer size for ObjectTypeInformation */
ULONG                   SecurityDescriptorLength;
LARGE_INTEGER           CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;

/*
 * Result of ZwQueryObject(ObjectNameInformation): a UNICODE_STRING header
 * followed by inline storage for its characters.  Presumably Name.Buffer
 * points into NameBuffer once filled in — only Name itself is read here
 * (the %wZ in AYA_EnumHandle).
 */
typedef struct _KOBJECT_NAME_INFORMATION { 
UNICODE_STRING          Name;
WCHAR                   NameBuffer[];   /* flexible array member */
} KOBJECT_NAME_INFORMATION, *PKOBJECT_NAME_INFORMATION;

/*
 * Result of ZwQueryObject(ObjectTypeInformation).  Undocumented layout with
 * unused padding fields; only TypeName is read in this file (the %wZ in
 * AYA_EnumHandle).
 */
typedef struct _OBJECT_TYPE_INFORMATION { 
UNICODE_STRING          TypeName;       /* e.g. the type's display name; printed by AYA_EnumHandle */
ULONG                   TotalNumberOfHandles;
ULONG                   TotalNumberOfObjects;
WCHAR                   Unused1[8];
ULONG                   HighWaterNumberOfHandles;
ULONG                   HighWaterNumberOfObjects;
WCHAR                   Unused2[8];
ACCESS_MASK             InvalidAttributes;
GENERIC_MAPPING         GenericMapping;
ACCESS_MASK             ValidAttributes;
BOOLEAN                 SecurityRequired;
BOOLEAN                 MaintainHandleCount;
USHORT                  MaintainTypeList;
POOL_TYPE               PoolType;
ULONG                   DefaultPagedPoolCharge;
ULONG                   DefaultNonPagedPoolCharge;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;


/*
 * Native routines this driver imports from ntoskrnl.  The headers used here
 * do not declare all of them, so the prototypes are repeated.  They bind at
 * load time: a name the target kernel does not export makes the loader
 * reject the image before DriverEntry ever runs.
 */

/* Queries basic/name/type information about an object via a handle. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQueryObject(
     IN HANDLE Handle,
     IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
     OUT PVOID ObjectInformation,
     IN ULONG ObjectInformationLength,
     OUT PULONG ReturnLength OPTIONAL
     );


/* Used here with SystemHandleInformation to fetch the system handle table. */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(    
       ULONG    SystemInformationClass,
       PVOID    SystemInformation,
       ULONG    SystemInformationLength,
       PULONG    ReturnLength
       );
/*
 * Duplicates a handle from SourceProcessHandle into TargetProcessHandle.
 * AYA_EnumHandle uses it to obtain a handle usable in the current process
 * for a handle value that belongs to another process's table.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwDuplicateObject(
      IN HANDLE SourceProcessHandle,
      IN HANDLE SourceHandle,
      IN HANDLE TargetProcessHandle OPTIONAL,
      OUT PHANDLE TargetHandle OPTIONAL,
      IN ACCESS_MASK DesiredAccess,
      IN ULONG HandleAttributes,
      IN ULONG Options
      );

/* Opens a process by CLIENT_ID; AYA_EnumHandle asks for PROCESS_DUP_HANDLE. */
NTSYSAPI 
NTSTATUS
NTAPI
ZwOpenProcess(     
     OUT PHANDLE             ProcessHandle,
     IN ACCESS_MASK          AccessMask,
     IN POBJECT_ATTRIBUTES   ObjectAttributes,
     IN PCLIENT_ID           ClientId 
     );


/* Forward declaration: defined after DriverEntry, which calls it. */
NTSTATUS NTAPI AYA_EnumHandle();
/*
 * Driver unload routine: undoes what DriverEntry created, in reverse order —
 * the DOS symbolic link first, then the device object it pointed at.
 */
void AYA_Unload( IN PDRIVER_OBJECT pDriverObj )
{
UNICODE_STRING linkName;

/* Drop the \DosDevices link so user mode can no longer reach the device. */
RtlInitUnicodeString( &linkName ,AYA_LINK );
IoDeleteSymbolicLink( &linkName );

/* Then release the device object itself. */
IoDeleteDevice( pDriverObj->DeviceObject );
}

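/*
 * Single dispatch routine for every IRP major this driver registers.
 *
 * pDeviceObj - the device created in DriverEntry (not used here).
 * pIrp       - the request; always completed synchronously, never queued.
 *
 * Returns the same status that is stored in pIrp->IoStatus.Status.  Both
 * IoStatus fields are set explicitly on every path rather than relying on
 * whatever the IRP contained on arrival.
 */
NTSTATUS AYA_Dispatch( IN PDEVICE_OBJECT pDeviceObj ,IN PIRP pIrp )
{
NTSTATUS ns;
PIO_STACK_LOCATION stIrp;

UNREFERENCED_PARAMETER( pDeviceObj );

stIrp = IoGetCurrentIrpStackLocation( pIrp );

/* No request here transfers data, so the byte count is always zero. */
pIrp->IoStatus.Information = 0;

switch( stIrp->MajorFunction )
{
case IRP_MJ_CREATE:
case IRP_MJ_CLOSE:
   /* Open/close keep no per-handle state; simply succeed. */
   pIrp->IoStatus.Status = STATUS_SUCCESS;
   break;
case IRP_MJ_DEVICE_CONTROL:
   /* No IOCTL codes are defined yet; accept and complete with no output. */
   pIrp->IoStatus.Status = STATUS_SUCCESS;
   break;
default:
   /*
    * Unreachable while DriverEntry registers only the three majors above,
    * but keep a defined failure for anything else.
    */
   pIrp->IoStatus.Status = STATUS_INVALID_PARAMETER;
   break;
}

ns = pIrp->IoStatus.Status;
IoCompleteRequest( pIrp ,IO_NO_INCREMENT );
return ns;
}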

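/*
 * Driver entry point: runs the handle enumeration once, then creates the
 * control device and its DOS link and installs the dispatch/unload routines.
 *
 * pDriverObj   - driver object supplied by the I/O manager.
 * RegistryPath - service key path (not used).
 *
 * Returns STATUS_SUCCESS, or the failing status from IoCreateDevice /
 * IoCreateSymbolicLink.  A failure of the enumeration itself is logged but
 * does not prevent the driver from loading.  DriverUnload is not invoked
 * when DriverEntry fails, so anything created here is released on the
 * failure paths before returning.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObj ,IN PUNICODE_STRING RegistryPath )
{
NTSTATUS ns;
UNICODE_STRING AYA;
UNICODE_STRING AYAL;
PDEVICE_OBJECT pDevice = NULL;

UNREFERENCED_PARAMETER( RegistryPath );

ns = AYA_EnumHandle();
if ( !NT_SUCCESS( ns ) )
{
   KdPrint(( "AYA_EnumHandle : Fail 0x%08X\n" ,ns ));
}

RtlInitUnicodeString( &AYA ,AYA_DEVICE );
ns = IoCreateDevice( pDriverObj ,0 ,&AYA ,FILE_DEVICE_UNKNOWN ,0 ,FALSE ,&pDevice );
if ( !NT_SUCCESS( ns ) )
{
   /* Nothing has been created yet, so there is nothing to undo. */
   return ns;
}

RtlInitUnicodeString( &AYAL ,AYA_LINK );
ns = IoCreateSymbolicLink( &AYAL ,&AYA );
if ( !NT_SUCCESS( ns ) )
{
   /* Unload will not run after a failed DriverEntry; free the device here. */
   IoDeleteDevice( pDevice );
   return ns;
}

pDriverObj->MajorFunction[IRP_MJ_CREATE]    =
pDriverObj->MajorFunction[IRP_MJ_CLOSE]     =
pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = AYA_Dispatch;

pDriverObj->DriverUnload = AYA_Unload;

return STATUS_SUCCESS;
}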


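/*
 * Query and print the name and type of one object through a handle that is
 * valid in the current process.
 *
 * hObj - the duplicate made by AYA_EnumHandle; the caller still owns it and
 *        closes it.
 *
 * Failures are logged and the entry is skipped; nothing is propagated,
 * because one unqueryable object should not stop the whole walk.
 */
static VOID AYA_PrintObjectInfo( IN HANDLE hObj )
{
NTSTATUS ns;
OBJECT_BASIC_INFORMATION BasicInfo;
PKOBJECT_NAME_INFORMATION pNameInfo = NULL;
POBJECT_TYPE_INFORMATION pTypeInfo = NULL;
ULONG ulNameLen;
ULONG ulTypeLen;

/* The basic query supplies the buffer sizes the two queries below need. */
ns = ZwQueryObject( hObj ,ObjectBasicInformation ,&BasicInfo ,
   sizeof( OBJECT_BASIC_INFORMATION ) ,NULL );
if ( !NT_SUCCESS( ns ) )
{
   /* BasicInfo is unset on failure, so its lengths cannot be trusted. */
   KdPrint(( "ZwQueryObject(Basic) : Fail 0x%08X\n" ,ns ));
   return;
}

/*
 * Never allocate less than the fixed header: the print below dereferences
 * ->Name / ->TypeName regardless of what length the basic query reported.
 */
ulNameLen = BasicInfo.NameInformationLength;
if ( ulNameLen < sizeof( KOBJECT_NAME_INFORMATION ) )
{
   ulNameLen = sizeof( KOBJECT_NAME_INFORMATION );
}
ulTypeLen = BasicInfo.TypeInformationLength;
if ( ulTypeLen < sizeof( OBJECT_TYPE_INFORMATION ) )
{
   ulTypeLen = sizeof( OBJECT_TYPE_INFORMATION );
}

pNameInfo = ExAllocatePoolWithTag( PagedPool ,ulNameLen ,'A1' );
pTypeInfo = ExAllocatePoolWithTag( PagedPool ,ulTypeLen ,'A2' );
if ( pNameInfo == NULL || pTypeInfo == NULL )
{
   KdPrint(( "ExAllocatePoolWithTag : Fail\n" ));
   goto cleanup;
}
RtlZeroMemory( pNameInfo ,ulNameLen );
RtlZeroMemory( pTypeInfo ,ulTypeLen );

/* Pass the size actually allocated, not the size the basic query reported. */
ns = ZwQueryObject( hObj ,ObjectNameInformation ,pNameInfo ,ulNameLen ,NULL );
if ( !NT_SUCCESS( ns ) )
{
   KdPrint(( "ZwQueryObject(Name) : Fail 0x%08X\n" ,ns ));
   goto cleanup;
}

ns = ZwQueryObject( hObj ,ObjectTypeInformation ,pTypeInfo ,ulTypeLen ,NULL );
if ( !NT_SUCCESS( ns ) )
{
   KdPrint(( "ZwQueryObject(Type) : Fail 0x%08X\n" ,ns ));
   goto cleanup;
}

KdPrint(( "NAME:%wZ\t\t\tTYPE:%wZ\n" ,&(pNameInfo->Name) ,&(pTypeInfo->TypeName) ));

cleanup:
/* Freeing a NULL pointer bugchecks in the kernel, so guard each one. */
if ( pNameInfo != NULL )
{
   ExFreePool( pNameInfo );
}
if ( pTypeInfo != NULL )
{
   ExFreePool( pTypeInfo );
}
}

/*
 * Walk the system handle table once and print, for every handle whose object
 * type index is OB_TYPE_PROCESS (in any process), the object's name and type.
 * Nothing is modified: handles are only duplicated for querying and every
 * duplicate and process handle is closed again in the same iteration.
 *
 * Must run at PASSIVE_LEVEL; DriverEntry calls it from the System process
 * context, which is what the ZwOpenProcess / ZwDuplicateObject calls need.
 *
 * Returns STATUS_SUCCESS once the table has been walked, or the failing
 * status when the table itself could not be obtained (pool exhausted, or a
 * ZwQuerySystemInformation error other than a length mismatch).  A process
 * that cannot be opened or a handle that cannot be duplicated is logged and
 * skipped; it does not end the enumeration.
 */
NTSTATUS AYA_EnumHandle()
{
NTSTATUS ns;
ULONG ulSize;
PVOID pSysBuffer = NULL;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
SYSTEM_HANDLE_TABLE_ENTRY_INFO pSysHandleTEI;
OBJECT_ATTRIBUTES oa;
HANDLE hProcess;
HANDLE hDupObj;
CLIENT_ID cid;
ULONG i;

/*
 * The table size is not known up front; keep doubling while the kernel
 * reports STATUS_INFO_LENGTH_MISMATCH.  Any other error, and any pool
 * failure, is final — retrying it would spin forever.
 */
ulSize = 100;
for ( ;; )
{
   pSysBuffer = ExAllocatePoolWithTag( PagedPool ,ulSize ,'A0' );
   if ( pSysBuffer == NULL )
   {
    return STATUS_INSUFFICIENT_RESOURCES;
   }

   ns = ZwQuerySystemInformation( SystemHandleInformation ,pSysBuffer ,ulSize ,NULL );
   if ( NT_SUCCESS( ns ) )
   {
    break;
   }

   ExFreePool( pSysBuffer );
   pSysBuffer = NULL;

   if ( ns != STATUS_INFO_LENGTH_MISMATCH )
   {
    KdPrint(( "ZwQuerySystemInformation : Fail 0x%08X\n" ,ns ));
    return ns;
   }
   ulSize *= 2;
}

pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION)pSysBuffer;
for ( i = 0 ;i < pSysHandleInfo->NumberOfHandles ;i++ )
{
   pSysHandleTEI = pSysHandleInfo->Handles[i];

   /* OB_TYPE_PROCESS is a per-Windows-version index; see its definition. */
   if ( pSysHandleTEI.ObjectTypeIndex != OB_TYPE_PROCESS )
   {
    continue;
   }

   cid.UniqueProcess = (HANDLE)(ULONG_PTR)pSysHandleTEI.UniqueProcessId;
   cid.UniqueThread = (HANDLE)0;

   /*
    * OBJ_KERNEL_HANDLE keeps the process handle in the kernel handle table
    * instead of the table of whichever process this happens to run in.
    */
   InitializeObjectAttributes( &oa ,NULL ,OBJ_KERNEL_HANDLE ,NULL ,NULL );
   ns = ZwOpenProcess( &hProcess ,PROCESS_DUP_HANDLE ,&oa ,&cid );
   if ( !NT_SUCCESS( ns ) )
   {
    /* Not every process can be opened; skip it instead of stopping. */
    KdPrint(( "ZwOpenProcess(%u) : Fail 0x%08X\n" ,
     (ULONG)pSysHandleTEI.UniqueProcessId ,ns ));
    continue;
   }

   /*
    * HandleValue indexes the *owning* process's handle table.  It becomes
    * usable here only through ZwDuplicateObject against hProcess; it must
    * never be used — let alone closed — directly in this context, where
    * the same numeric value may refer to an unrelated object.
    */
   ns = ZwDuplicateObject( hProcess ,(HANDLE)(ULONG_PTR)pSysHandleTEI.HandleValue ,
    NtCurrentProcess() ,&hDupObj ,PROCESS_ALL_ACCESS ,0 ,DUPLICATE_SAME_ACCESS );
   if ( NT_SUCCESS( ns ) )
   {
    AYA_PrintObjectInfo( hDupObj );
    ZwClose( hDupObj );
   }
   else
   {
    KdPrint(( "ZwDuplicateObject : Fail 0x%08X\n" ,ns ));
   }

   /* Close per iteration so no process handle outlives its loop pass. */
   ZwClose( hProcess );
}

ExFreePool( pSysBuffer );
return STATUS_SUCCESS;
}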


最新回复 (2)
sudami 活跃值 25 2008-10-17 18:21
建议你先动态调试一下驱动.问题马上就出来了...
nightxie 活跃值 3 2008-10-17 21:39
解决了。。。HOHO~~~~~~~~Thank you all the same~~~~