windows进程句柄权限控制

#pragma once #include<ntddk.h> #include"enumhandles.h" // 这两个偏移需要做兼容,没看到什么好方法 ULONG TABLEOFFSET = 0; ULONG TABLECODEOFFSET = 0; ULONG DecryptFlag = 0; PEPROCESS g_epro = 0; NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process); NTSTATUS PsLookupProcessByProcessId( HANDLE ProcessId, PEPROCESS* Process ); POBJECT_TYPE ObGetObjectType(IN PVOID Object); BOOLEAN CheckSystemVersion() { BOOLEAN Ret = TRUE; ULONG ulBuildNumber = 0; RTL_OSVERSIONINFOW osi; osi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW); RtlFillMemory(&osi, sizeof(RTL_OSVERSIONINFOW),0); RtlGetVersion(&osi); ulBuildNumber = osi.dwBuildNumber; DbgPrint("ulBuildNumber%d", ulBuildNumber); switch (ulBuildNumber) { case 19042: { TABLEOFFSET = 0x570; TABLECODEOFFSET = 0x8; DecryptFlag = 10; break; } case 7601: { TABLEOFFSET = 0x200; TABLECODEOFFSET = 0; DecryptFlag = 7; break; } default: Ret = FALSE; break; } } PVOID GetTableCodeByEpro(PVOID pEpro) { PVOID pHandleTable = (PCHAR)pEpro + TABLEOFFSET; if (!pHandleTable) { return; } if (!MmIsAddressValid(pHandleTable)) { //DbgPrint("pEpro???%llx\n", pEpro); return 0; } if (!MmIsAddressValid((PCHAR) * (PULONG64)pHandleTable + TABLECODEOFFSET)) { //DbgPrint("pEpro%llx???\n", pEpro); return 0; } PVOID pTableCode = *(PULONG64)((PCHAR) * (PULONG64)pHandleTable + TABLECODEOFFSET); if (!MmIsAddressValid(pHandleTable)) { //DbgPrint("pEpro%llx????\n", pEpro); return 0; } return pTableCode; } PVOID DecryptHandle(PVOID phandle) { PVOID temp=0; switch (DecryptFlag) { case 10: { temp = (((ULONG64)phandle >> 0x10) | (0xffff000000000000)) & 0xfffffffffffffff8; } break; case 8: { temp = (((ULONG64)phandle >> 0x13) | (0xffff000000000000)) & 0xfffffffffffffff8; } break; case 7: { temp = (ULONG64)phandle & 0xfffffffffffffff8; } break; default: break; } // win10句柄解密 return temp; } int n = 0; // 自定义处理 PVOID LookUpHandleInTable(PULONG64 TableEntry) { PVOID phandle; for (ULONG64 i = 0; i < 256; i++) { n++; phandle = *(TableEntry + 2 * i); PHANDLE_TABLE_ENTRY encryedHandle = TableEntry + 2 * i; phandle = DecryptHandle(phandle); if (!MmIsAddressValid(phandle)) { continue; } //DbgBreakPoint(); PVOID epro = (PCHAR)phandle + 0x30; //DbgPrint("phandle%p\n", phandle); if (MmIsAddressValid(PsGetProcessImageFileName(epro))) { //if (strstr(PsGetProcessImageFileName(epro), "zz")) if (epro == g_epro) { DbgPrint("find%d", i); DbgPrint("find%s,%llx\n", PsGetProcessImageFileName(epro), epro); DbgPrint("encryedHandle->GrantedAccessBits%x", encryedHandle->GrantedAccessBits); DbgPrint("encryedHandle%llx", encryedHandle); // 据说TP用的权限 encryedHandle->GrantedAccessBits = 0x1FFD85; DbgPrint("encryedHandle->GrantedAccessBits%x", encryedHandle->GrantedAccessBits); } } } } // 只测试了一级表二级表（case 0，case 1） PVOID GetHanldeFromTablecode(PVOID pTableCode, PVOID pDetcetedEpro) { ULONG64 flag = (ULONG64)pTableCode & 3; PULONG64 pTrueTableCode = 0; PVOID pHandleEntry = 0; switch (flag) { case 0: { pHandleEntry = pTableCode; //DbgPrint("pHandleEntry%p,flag%d\n", pHandleEntry, flag); if (!MmIsAddressValid(pHandleEntry)) break; LookUpHandleInTable(pHandleEntry); break; } case 1: { for (int i = 0; i < 512; i++) { pTrueTableCode = (PULONG64)((ULONG64)pTableCode & 0xfffffffffffffff8) + i; //DbgPrint("pTrueTableCode,%llx\n", pTrueTableCode); if (!MmIsAddressValid(*pTrueTableCode)) break; pHandleEntry = *(PULONG64)pTrueTableCode; if (!MmIsAddressValid(pHandleEntry)) break; //DbgPrint("pHandleEntry%p,flag%d\n", pHandleEntry, flag); LookUpHandleInTable(pHandleEntry); } break; } case 2: { DbgBreakPoint(); PULONG64 ptemp; PULONG64 ptemp2; for (ULONG64 i = 0; i < 512; i++) { pTrueTableCode = (PULONG64)((ULONG64)pTableCode & 0xfffffffffffffff8) + i; //DbgPrint("pTrueTableCode,%llx\n", pTrueTableCode); if (!MmIsAddressValid(*pTrueTableCode)) break; ptemp = *(PULONG64)pTrueTableCode; for (int i = 0; i < 512; i++) { ptemp2 = (PULONG64)((ULONG64)ptemp & 0xfffffffffffffff8) + i; if (!MmIsAddressValid(ptemp2)) break; pHandleEntry = *(PULONG64)ptemp2; if (!MmIsAddressValid(pHandleEntry)) break; LookUpHandleInTable(pHandleEntry); } } break; } default: { DbgPrint("default\n"); break; } } } PVOID EnumHandle(PVOID pDetcetedEpro) { PVOID pTableCode = GetTableCodeByEpro(pDetcetedEpro); DbgPrint("pTableCode%p\n", pTableCode); if (pTableCode) { PVOID phandle = GetHanldeFromTablecode(pTableCode, pDetcetedEpro); } return 0; } VOID ProtectEprocrss() { PEPROCESS eproc = NULL; for (int i = 4; i < 26214; i = i + 4) { eproc = 0; PsLookupProcessByProcessId((HANDLE)i, &eproc); if (eproc != NULL) { /*POBJECT_TYPE pobj = ObGetObjectType(eproc); if (*PsProcessType != pobj) { DbgPrint("not\n"); continue; }*/ if (MmIsAddressValid(PsGetProcessImageFileName(eproc))) { EnumHandle(eproc); } /*if (strstr(PsGetProcessImageFileName(eproc), "cheat")) { EnumHandle(eproc); }*/ ObDereferenceObject(eproc); } } DbgPrint("over%d", n); } VOID EnumProcess() { if (!CheckSystemVersion()) { DbgPrint("VERSION FAILED\n"); return; } ULONG i = 0; PEPROCESS eproc = NULL; //DbgBreakPoint(); if (!g_epro) { for (i = 4; i < 26214; i = i + 4) { eproc = 0; PsLookupProcessByProcessId((HANDLE)i, &eproc); if (eproc != NULL) { if (MmIsAddressValid(PsGetProcessImageFileName(eproc))) { if (strstr(PsGetProcessImageFileName(eproc), "zz")) { DbgPrint("it is enum %s%llx\n", PsGetProcessImageFileName(eproc), eproc); g_epro = eproc; } if (strstr(PsGetProcessImageFileName(eproc), "cheat")) { DbgPrint("it is enum %s%llx\n", PsGetProcessImageFileName(eproc), eproc); //DbgBreakPoint(); } } ObDereferenceObject(eproc); } } } ProtectEprocrss(); }