#pragma once
#include<ntddk.h>
#include"enumhandles.h"
// These two offsets are build-specific and need per-version compatibility;
// no better approach than hard-coding them per build number was found.
// TABLEOFFSET: offset inside EPROCESS of the pointer to the handle table.
// TABLECODEOFFSET: offset inside that table of the TableCode value whose low
// two bits encode the table depth (see GetHanldeFromTablecode).
// Both are filled in by CheckSystemVersion and stay 0 on an unknown build.
// NOTE(review): these are definitions, not `extern` declarations, in a header
// guarded only by #pragma once; including it from a second translation unit
// would produce duplicate symbols.
ULONG TABLEOFFSET = 0;
ULONG TABLECODEOFFSET = 0;
// Selects the handle-entry decode variant used by DecryptHandle (set per build).
ULONG DecryptFlag = 0;
// Raw EPROCESS pointer of the target process; set by EnumProcess after the
// reference from PsLookupProcessByProcessId has been released, and compared by
// pointer value only in LookUpHandleInTable.
PEPROCESS g_epro = 0;
// Kernel exports used below. The code treats the return of
// PsGetProcessImageFileName as a NUL-terminated name living inside the
// process object (it is passed to strstr and MmIsAddressValid, never copied).
NTKERNELAPI UCHAR* PsGetProcessImageFileName(IN PEPROCESS Process);
// On success *Process carries a reference that the caller must release with
// ObDereferenceObject (see ProtectEprocrss / EnumProcess).
NTSTATUS PsLookupProcessByProcessId(
HANDLE ProcessId,
PEPROCESS* Process
);
// Declared for an object-type check that is currently commented out in
// ProtectEprocrss; not called anywhere in this file.
POBJECT_TYPE ObGetObjectType(IN PVOID Object);
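// Map the running OS build number to the hard-coded handle-table offsets and
// the handle-entry decode variant used by the rest of this file.
// Returns TRUE when the build is known and TABLEOFFSET / TABLECODEOFFSET /
// DecryptFlag were set; FALSE on an unknown build or when RtlGetVersion fails
// (the globals are then left untouched). Must be called before any table walk,
// because the walk does raw pointer arithmetic with these offsets.
BOOLEAN CheckSystemVersion()
{
    BOOLEAN Ret = TRUE;
    ULONG ulBuildNumber = 0;
    RTL_OSVERSIONINFOW osi;

    // Zero the struct *before* setting dwOSVersionInfoSize. The original did
    // it the other way round, which wiped the size field RtlGetVersion reads.
    RtlZeroMemory(&osi, sizeof(RTL_OSVERSIONINFOW));
    osi.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
    if (!NT_SUCCESS(RtlGetVersion(&osi)))
    {
        return FALSE;
    }
    ulBuildNumber = osi.dwBuildNumber;
    DbgPrint("ulBuildNumber%d", ulBuildNumber);

    switch (ulBuildNumber)
    {
    case 19042: // Windows 10 20H2
        TABLEOFFSET = 0x570;
        TABLECODEOFFSET = 0x8;
        DecryptFlag = 10;
        break;
    case 7601:  // Windows 7 SP1
        TABLEOFFSET = 0x200;
        TABLECODEOFFSET = 0;
        DecryptFlag = 7;
        break;
    default:
        // Unknown build: refusing here is what keeps the offset arithmetic in
        // GetTableCodeByEpro from reading arbitrary kernel memory.
        Ret = FALSE;
        break;
    }
    // The original function had no return statement at all, so callers read
    // an indeterminate value from a BOOLEAN-returning function.
    return Ret;
}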
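// Read the handle table's TableCode for the given EPROCESS using the per-build
// offsets set by CheckSystemVersion.
// Returns the raw TableCode (low two bits = table depth) or NULL when the
// offsets are unset or any pointer on the path fails MmIsAddressValid.
//
// NOTE(review): MmIsAddressValid only reports that a page was resident at the
// instant of the call; no reference or handle-table lock is held here, so every
// read below is best-effort and can race with process teardown.
PVOID GetTableCodeByEpro(PVOID pEpro)
{
    PCHAR pHandleTableField;
    PCHAR pHandleTable;
    PVOID pTableCode;

    // With TABLEOFFSET == 0 (unknown build) the arithmetic is meaningless.
    // This also replaces the original bare `return;` in a PVOID function.
    if (pEpro == NULL || TABLEOFFSET == 0)
    {
        return NULL;
    }
    pHandleTableField = (PCHAR)pEpro + TABLEOFFSET;
    if (!MmIsAddressValid(pHandleTableField))
    {
        return NULL;
    }
    // *(EPROCESS + TABLEOFFSET) is the handle table; TableCode sits at
    // TABLECODEOFFSET inside it.
    pHandleTable = *(PCHAR*)pHandleTableField;
    if (pHandleTable == NULL || !MmIsAddressValid(pHandleTable + TABLECODEOFFSET))
    {
        return NULL;
    }
    pTableCode = *(PVOID*)(pHandleTable + TABLECODEOFFSET);
    // The original re-validated pHandleTable here instead of the value it had
    // just read, so a bad TableCode went straight into the table walk.
    if (!MmIsAddressValid(pTableCode))
    {
        return NULL;
    }
    return pTableCode;
}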
// Decode the first quadword of a handle table entry into the object-header
// pointer it encodes, according to DecryptFlag (set by CheckSystemVersion):
//   10 : shift right by 16, force the top 16 bits to 1, clear the low 3 bits
//    8 : shift right by 19, force the top 16 bits to 1, clear the low 3 bits
//        (no build in CheckSystemVersion selects 8; kept for parity)
//    7 : the entry already holds the pointer; only clear the low 3 bits
// Any other flag yields NULL. The result is the object header, not the body;
// LookUpHandleInTable adds 0x30 to reach the body.
//
// NOTE(review): for the shifted variants a 0x...F0 mask is what a 4-bit-shifted
// pointer field would call for; the 0x...F8 mask here may leave one low bit
// set. Behaviour is preserved as-is pending confirmation on the target build.
PVOID DecryptHandle(PVOID phandle)
{
    const ULONG64 kKernelHighBits = 0xffff000000000000;
    const ULONG64 kClearLow3 = 0xfffffffffffffff8;
    ULONG64 raw = (ULONG64)phandle;
    ULONG64 decoded;

    if (DecryptFlag == 10)
    {
        decoded = ((raw >> 0x10) | kKernelHighBits) & kClearLow3;
    }
    else if (DecryptFlag == 8)
    {
        decoded = ((raw >> 0x13) | kKernelHighBits) & kClearLow3;
    }
    else if (DecryptFlag == 7)
    {
        decoded = raw & kClearLow3;
    }
    else
    {
        decoded = 0;
    }
    return (PVOID)decoded;
}
// Debug counter: total handle-table slots visited across all walks, printed at
// the end of ProtectEprocrss. Never reset.
int n = 0;
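// Custom per-table handling.
// Walk one lowest-level handle table page (256 entries, 16 bytes each) and,
// for every entry that decodes to an object whose body equals g_epro,
// overwrite the entry's GrantedAccessBits with 0x1FFD85.
// Returns the last entry patched, or NULL if none matched (the original
// declared PVOID but never returned anything).
//
// Security / robustness notes:
//  - Entries are read and rewritten in place with no handle-table lock and no
//    reference on the objects; a concurrent close or reuse can race this walk.
//  - Any entry whose decoded pointer is resident is probed as if it could be a
//    process object; only the pointer-equality test against g_epro limits the
//    write, and g_epro is a raw pointer that may be stale if that process exited.
//  - MmIsAddressValid is a point-in-time check, not a guarantee.
PVOID LookUpHandleInTable(PULONG64 TableEntry)
{
    PVOID lastPatched = NULL;
    ULONG64 i;

    if (TableEntry == NULL)
    {
        return NULL;
    }
    for (i = 0; i < 256; i++)
    {
        PULONG64 slot = TableEntry + 2 * i;       // 16-byte entry stride
        PHANDLE_TABLE_ENTRY encryedHandle = (PHANDLE_TABLE_ENTRY)slot;
        PVOID phandle;
        PVOID epro;

        n++;                                       // debug: slots visited
        phandle = DecryptHandle((PVOID)*slot);
        if (!MmIsAddressValid(phandle))
        {
            continue;
        }
        // phandle is the object header; the body follows at +0x30.
        epro = (PCHAR)phandle + 0x30;
        if (!MmIsAddressValid(PsGetProcessImageFileName(epro)))
        {
            continue;
        }
        if (epro != g_epro)
        {
            continue;
        }
        DbgPrint("find%d", (ULONG)i);
        DbgPrint("find%s,%llx\n", PsGetProcessImageFileName(epro), epro);
        DbgPrint("encryedHandle->GrantedAccessBits%x", encryedHandle->GrantedAccessBits);
        DbgPrint("encryedHandle%llx", encryedHandle);
        // Reportedly the access mask TP (anti-cheat) grants; written straight
        // into the live table entry, which widens what this handle may do.
        encryedHandle->GrantedAccessBits = 0x1FFD85;
        DbgPrint("encryedHandle->GrantedAccessBits%x", encryedHandle->GrantedAccessBits);
        lastPatched = encryedHandle;
    }
    return lastPatched;
}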
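// Only the one-level and two-level tables (case 0, case 1) were tested by the
// original author; case 2 is untested.
// Dispatch on the two low bits of TableCode (table depth) and hand every
// lowest-level page to LookUpHandleInTable. Level 0: a single page. Level 1:
// a page of up to 512 pointers to pages. Level 2: a page of up to 512
// pointers to level-1 pages. A non-resident slot ends the scan of that level.
// pDetcetedEpro is unused (kept for the existing call site).
// Always returns NULL (the original declared PVOID and returned nothing).
PVOID GetHanldeFromTablecode(PVOID pTableCode, PVOID pDetcetedEpro)
{
    ULONG64 level = (ULONG64)pTableCode & 3;
    PULONG64 base = (PULONG64)((ULONG64)pTableCode & 0xfffffffffffffff8);

    UNREFERENCED_PARAMETER(pDetcetedEpro);

    switch (level)
    {
    case 0:
        if (MmIsAddressValid(pTableCode))
        {
            LookUpHandleInTable((PULONG64)pTableCode);
        }
        break;
    case 1:
    {
        int i;
        for (i = 0; i < 512; i++)
        {
            PULONG64 slotPtr = base + i;
            PVOID page;
            // Validate the slot address before reading it; the original read
            // first and validated the value, so a bad slot would have faulted.
            if (!MmIsAddressValid(slotPtr))
                break;
            page = (PVOID)*slotPtr;
            if (!MmIsAddressValid(page))
                break;
            LookUpHandleInTable((PULONG64)page);
        }
        break;
    }
    case 2:
    {
        ULONG64 outer;
        // The original executed DbgBreakPoint() here; without a kernel debugger
        // attached that is an unhandled break and takes the machine down, so it
        // is removed.
        for (outer = 0; outer < 512; outer++)
        {
            PULONG64 midSlotPtr = base + outer;
            PULONG64 midTable;
            int inner;
            if (!MmIsAddressValid(midSlotPtr))
                break;
            midTable = (PULONG64)((ULONG64)*midSlotPtr & 0xfffffffffffffff8);
            if (!MmIsAddressValid(midTable))
                break;
            // The original shadowed the outer loop index with a second `i` here.
            for (inner = 0; inner < 512; inner++)
            {
                PULONG64 pageSlotPtr = midTable + inner;
                PVOID page;
                if (!MmIsAddressValid(pageSlotPtr))
                    break;
                page = (PVOID)*pageSlotPtr;
                if (!MmIsAddressValid(page))
                    break;
                LookUpHandleInTable((PULONG64)page);
            }
        }
        break;
    }
    default:
        DbgPrint("default\n");
        break;
    }
    return NULL;
}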
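// Locate the handle table of pDetcetedEpro and walk it. The actual work (and
// the GrantedAccessBits rewrite for entries referring to g_epro) happens in
// LookUpHandleInTable. Always returns NULL.
PVOID EnumHandle(PVOID pDetcetedEpro)
{
    PVOID pTableCode = GetTableCodeByEpro(pDetcetedEpro);
    DbgPrint("pTableCode%p\n", pTableCode);
    if (pTableCode != NULL)
    {
        // The original stored the (always absent) result in an unused local.
        GetHanldeFromTablecode(pTableCode, pDetcetedEpro);
    }
    return NULL;
}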
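// For every live process with PID in 4..26212 (step 4), walk its handle table
// via EnumHandle so that handles it holds to g_epro get their granted access
// rewritten. The PID ceiling is arbitrary: processes with higher PIDs are
// silently skipped, and the scan is a one-shot snapshot.
VOID ProtectEprocrss()
{
    int pid;
    for (pid = 4; pid < 26214; pid += 4)
    {
        PEPROCESS eproc = NULL;
        // The original ignored the NTSTATUS and relied on eproc staying NULL;
        // check the status explicitly.
        if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &eproc)) || eproc == NULL)
        {
            continue;
        }
        if (MmIsAddressValid(PsGetProcessImageFileName(eproc)))
        {
            EnumHandle(eproc);
        }
        // Release the reference taken by PsLookupProcessByProcessId.
        ObDereferenceObject(eproc);
    }
    DbgPrint("over%d", n);
}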
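// Entry point: validate the OS build, find the target process by image name
// (every process whose name contains "zz" is logged and the last one seen
// becomes g_epro; names containing "cheat" are only logged), then walk all
// processes' handle tables via ProtectEprocrss.
//
// NOTE(review): g_epro is stored as a raw pointer and the reference taken by
// PsLookupProcessByProcessId is released immediately afterwards, so the later
// pointer-equality test in LookUpHandleInTable can match a recycled EPROCESS
// if the target exits. strstr is a substring match, so "zz" also matches any
// unrelated process whose image name happens to contain it.
VOID EnumProcess()
{
    if (!CheckSystemVersion())
    {
        DbgPrint("VERSION FAILED\n");
        return;
    }
    if (g_epro == NULL)
    {
        ULONG pid;
        for (pid = 4; pid < 26214; pid += 4)
        {
            PEPROCESS eproc = NULL;
            UCHAR* name;
            // The original ignored the NTSTATUS; check it explicitly.
            if (!NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pid, &eproc)) || eproc == NULL)
            {
                continue;
            }
            name = PsGetProcessImageFileName(eproc);
            if (MmIsAddressValid(name))
            {
                // Explicit cast: strstr takes char*, the export returns UCHAR*.
                if (strstr((const char*)name, "zz"))
                {
                    DbgPrint("it is enum %s%llx\n", name, eproc);
                    g_epro = eproc;
                }
                if (strstr((const char*)name, "cheat"))
                {
                    DbgPrint("it is enum %s%llx\n", name, eproc);
                }
            }
            // Release the reference taken by PsLookupProcessByProcessId.
            ObDereferenceObject(eproc);
        }
    }
    ProtectEprocrss();
}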