📄 nthandle的实现过程和反汇编的c源代码.txt
ver = GetVersion();
//把资源文件拷贝成驱动程序
if(ver<0x80000000)
{
//NT OR 2000
if(CopyMyDrivceNt()==false)
return false;
}
//98下应该用nthandle.vdx,但是由于没反汇编,所以直接就返回,因此这个代码只适合NT和2000的
else
return false;
//注册驱动程序
if(RegHandelDev("NTHANDLE")==false)
return false;
pmy = GetCurrentProcess();
ChangePrivilege(pmy,SE_DEBUG_NAME);
ChangePrivilege(pmy,SE_LOAD_DRIVER_NAME);
pdwHandInfo = (PDWORD)malloc(0x2048);
PVOID handlebuf;
PVOID paddr1;
handlebuf = VirtualAlloc(0,0x200000,MEM_RESERVE,PAGE_READWRITE);
if(handlebuf==NULL)
{
printf("VirtualAlloc error\n");
return false;
}
dwSize = 0X4000;
do
{
handlebuf = VirtualAlloc(handlebuf,dwSize,MEM_COMMIT,PAGE_READWRITE);
//获取所有句柄信息
isok = (*NtQuerySystemInformation)(0x10,(unsigned long *)handlebuf,dwSize,&dwNumBytesRet);
dwSize = dwSize+0x2000;
}while(isok==0xc0000004);
if(isok)
{
printf("NtQuerySystemInformation error\n");
return false;
}
DWORD dwNumEntries=*(DWORD *)handlebuf;
dwNumEntries--;
DWORD i;
int j;
HANDLE oph;
MYOBJECTINFO mydrvobj;
DWORD objlen;
char printfbuf[0x4000];
char deviobuf[0x800];
char objbuf[0x1000];
DWORD retunnum=0;
PPEB pe;
char prothrinfo[0x18];
ZeroMemory(printfbuf,0x4000);
ZeroMemory(deviobuf,0x800);
pHandleInfo = ((PHANDLEINFO)((DWORD)handlebuf+4));
GetProcessAuth(atoi(argv[1]));
printf("Handle Type Desc\n");
for (i = 1;i <=dwNumEntries; i++)
{
paddr1=(PVOID)((DWORD)handlebuf+(i*16));
mydrvobj.pid=(*(WORD *)((DWORD)paddr1+4));
mydrvobj.objaddr=*(DWORD *)((DWORD)paddr1+12);
mydrvobj.objhandle = (*(WORD *)((DWORD)paddr1+10));
if(mydrvobj.pid == atoi(argv[1]))
{
oph=OpenProcess(PROCESS_DUP_HANDLE,0,mydrvobj.pid);
isok =DuplicateHandle(oph,(HANDLE)mydrvobj.objhandle,pmy,&dh,NULL,NULL,NULL);
CloseHandle(oph);
if(isok)
{
//先获取查询对象需要的缓冲大小
isok=NtQueryObject(dh,2,NULL,NULL,&objlen);
//ZeroMemory(objbuf,objlen);
isok=NtQueryObject(dh,2,objbuf,objlen,NULL);
DWORD tmp2=*(WORD*)((DWORD)objbuf);
if(tmp2<0xfffffffe)
{
DWORD tmp3=*(DWORD*)((DWORD)objbuf+4);
//这里就是对象类型的UNICODE名字
for(j=1;j<((tmp2>>1)+1);j++)
printfbuf[j-1]=*(char *)(tmp3+2*j-2);
printfbuf[j-1]=0;
//比较对象类型的名字是否为process
if(_stricmp(printfbuf,"process")==0)
{
//比较对象类型的名字是否为process,用0X400访问权限复制句柄
CloseHandle(dh);
oph=OpenProcess(PROCESS_DUP_HANDLE,0,mydrvobj.pid);
isok =DuplicateHandle(oph,(HANDLE)mydrvobj.objhandle,pmy,&dh,0x400,NULL,NULL);
CloseHandle(oph);
isok=NtQueryInformationProcess(dh,0,prothrinfo,0x18,&retunnum);
if(isok==0)
{
//返回来的是一个结构。其中offset+4是被打开进程的PEB结构地址
printf("%08x:%s\n",mydrvobj.objhandle,printfbuf);
printf(" PebBaseAddress:%8x\n",*(DWORD *)(prothrinfo+4));
//显示PEB中的两个组员
pe = (PPE (*(DWORD *)(prothrinfo+4));
printf(" BeingDebugged:%02x\n",pe->BeingDebugged);
printf(" SessionId:%08x\n",pe->SessionId);
//打开的进程的ID号,如果不等于自己,说明打开了另一个进程的句柄
if(*(DWORD *)(prothrinfo+0x10)!=atoi(argv[1]))
printf(" Open Other Process is:%8d\n",*(DWORD *)(prothrinfo+0x10));
isok=CloseHandle(dh);
}
else
printf("%08x:error oprn process\n",mydrvobj.objhandle);
}
else if(_stricmp(printfbuf,"thread")==0)
{
//比较对象类型的名字是否为thread,用0X40访问权限复制句柄
//isok=NtQueryInformationThread(dh,0,&b4[0],0x1c,&retunnum);
CloseHandle(dh);
oph=OpenProcess(PROCESS_DUP_HANDLE,0,mydrvobj.pid);
isok =DuplicateHandle(oph,(HANDLE)mydrvobj.objhandle,pmy,&dh,0x40,NULL,NULL);
CloseHandle(oph);
isok=NtQueryInformationThread(dh,0,prothrinfo,0x1c,&retunnum);
if(isok==0)
{
printf("%08x:%s\n",mydrvobj.objhandle,printfbuf);
printf(" TebBaseAddress:%8x\n",*(DWORD *)(prothrinfo+4));
//打开的进程的ID号和线城,如果不等于自己,说明打开了另一个进程的句柄
if(*(DWORD *)(prothrinfo+0x8)==atoi(argv[1]))
printf(" UniqueThreadId:%08d\n",*(DWORD *)(prothrinfo+12));
else
printf(" Open Process:%08d's Thread:%08d\n",*(DWORD *)(prothrinfo+8),*(DWORD *)(prothrinfo+12));
isok=CloseHandle(dh);
}
else
printf("%08x:error oprn process\n",mydrvobj.objhandle);
}
else
{
//通过NTHANDLE.SYS驱动设备进行进一步处理
deviobuf[0]=0;
isok = callnthandle(0x83350000,&mydrvobj,0xc,deviobuf,0x800);
printf("%08x:%s",mydrvobj.objhandle,printfbuf);
if(isok)
printf(", %s\n",deviobuf);
else
printf("\n");
isok=CloseHandle(dh);
}
}
}
}
}
pHandleInfo = ((PHANDLEINFO)((DWORD)handlebuf+4)+1+i);
VirtualFree(handlebuf,0,MEM_DECOMMIT| MEM_RELEASE);
//VirtualFree(processbuf,0,MEM_DECOMMIT| MEM_RELEASE);
free(pdwHandInfo);
CloseHandle(drv);
return true;
}
// NTHANDLE.SYS driver source follows; it must be built in a Windows DDK (kernel-mode) build environment.
// Driver header file (nthandle.h)
#include "ntddk.h"
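#ifndef NTHANDLE_H
#define NTHANDLE_H
/* Guard renamed: identifiers starting with a double underscore are reserved for the implementation. */

/* Kernel device name and the user-visible (Win32) link created in DriverEntry. */
#define NT_DEVICE_NAME L"\\Device\\NtHandle"
#define DOS_DEVICE_NAME L"\\DosDevices\\NtHandle"

/* Driver entry point: creates the device and the link, installs HandleQuert as dispatch routine. */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    );

/*
 * Dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL.
 * The original listing declared this as (PVOID inbuf, PVOID outbuf), which
 * conflicts with the DRIVER_DISPATCH-shaped definition (PDEVICE_OBJECT, PIRP)
 * further down and would not compile; the prototype now matches the definition.
 */
NTSTATUS
HandleQuert(
    PDEVICE_OBJECT DeviceObject,
    PIRP Irp
    );

/*
 * IOCTL worker called from HandleQuert. At the call site p3/p4 are the
 * system (input) buffer and a pointer to its length, p5/p6 the same buffer
 * used as output and a pointer to the output length, p7 the IOCTL code,
 * p8 the IRP's IoStatus block and p9 the device object. Its body is not
 * part of this listing; return value semantics are only known from the
 * caller, which treats any value > 0 as failure.
 */
unsigned long
gethandleinfo(
    PFILE_OBJECT p1,
    unsigned long p2,
    PVOID p3,
    unsigned long * p4,
    PVOID p5,
    unsigned long * p6,
    unsigned long p7,
    PIO_STATUS_BLOCK p8,
    PDEVICE_OBJECT p9);

/* Helpers used by gethandleinfo; their definitions are outside this listing. */
unsigned long
getinfo(
    PVOID p1,
    PVOID p2,
    unsigned long p3);

unsigned long
callmap(
    PVOID Object,
    PVOID p2,
    unsigned long p3);

#endif /* NTHANDLE_H */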
// Driver C source file (nthandle.c)
#include "ntddk.h"
#include "nthandle.h"
// Declarations of undocumented kernel exports (not provided by this DDK's ntddk.h) used by the driver.
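/*
 * Hand-written prototypes for kernel exports the DDK headers of the time did
 * not declare. They are typed loosely (unsigned long / HANDLE instead of the
 * documented NTSTATUS / PEPROCESS / PRKPROCESS), which is layout-compatible
 * on 32-bit x86 but gives the compiler nothing to check.
 *
 * Fixes vs. the original listing: PsLookupProcessByProcessId and
 * ZwDuplicateObject were declared VOID although both return NTSTATUS, so
 * callers could never test for failure. The return type is now the same
 * unsigned long used for the other Zw* declarations; existing callers that
 * discard the result are unaffected. ObQueryNameString gained the NTAPI
 * calling-convention tag so it matches its siblings regardless of the
 * build environment's default convention.
 */
NTSYSAPI unsigned long NTAPI ZwOpenProcessToken(HANDLE, unsigned long, PHANDLE);
/* Documented form: NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
 * the out-parameter is an object pointer, not a handle, and must be dereferenced when done. */
NTSYSAPI unsigned long NTAPI PsLookupProcessByProcessId(unsigned long, PHANDLE);
/* KeAttachProcess takes the process object (PEPROCESS/PRKPROCESS), i.e. the pointer
 * returned by PsLookupProcessByProcessId, not a user-mode process handle. */
NTSYSAPI VOID NTAPI KeAttachProcess(HANDLE);
NTSYSAPI VOID NTAPI KeDetachProcess(VOID);
NTSYSAPI unsigned long NTAPI ZwOpenProcess(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
NTSYSAPI unsigned long NTAPI ZwDuplicateObject(HANDLE, HANDLE, HANDLE, PHANDLE, unsigned long, unsigned long, unsigned long);
/* Documented form takes a POBJECT_NAME_INFORMATION (whose first member is a UNICODE_STRING)
 * and a buffer length in bytes; the trailing pointer receives the required length. */
NTSYSAPI unsigned long NTAPI ObQueryNameString(PVOID, PUNICODE_STRING, unsigned long, unsigned long *);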
/*
 * Request record sent by the user-mode tool in the IOCTL input buffer
 * (12 bytes on 32-bit, which is the length the user-mode caller passes).
 * Field order and widths are part of the user/kernel ABI: do not reorder.
 *   pid       - process id that owns the handle
 *   objaddr   - caller-supplied object address, taken verbatim from the
 *               user-mode side (treat as untrusted in the kernel)
 *   objhandle - handle value inside that process
 */
struct _MYOBJECTINFO {
    unsigned long pid;
    unsigned long objaddr;
    unsigned long objhandle;
};
typedef struct _MYOBJECTINFO MYOBJECTINFO;
typedef MYOBJECTINFO *PMYOBJECTINFO;
// Driver entry point
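/*
 * Unload routine: removes the \DosDevices link and the control device so
 * neither outlives the driver. The original listing installed no unload
 * routine, which left the link in place and made the driver unloadable
 * only by reboot.
 */
static VOID
NtHandleUnload(
    IN PDRIVER_OBJECT DriverObject
    )
{
    UNICODE_STRING win32DeviceName;

    RtlInitUnicodeString(&win32DeviceName, DOS_DEVICE_NAME);
    IoDeleteSymbolicLink(&win32DeviceName);
    if (DriverObject->DeviceObject != NULL) {
        IoDeleteDevice(DriverObject->DeviceObject);
    }
}

/*
 * Driver entry point.
 *
 * Creates the control device \Device\NtHandle, the user-visible link
 * \DosDevices\NtHandle, and routes IRP_MJ_CREATE / IRP_MJ_CLOSE /
 * IRP_MJ_DEVICE_CONTROL to HandleQuert.
 *
 * Returns STATUS_SUCCESS, or the failing IoCreateDevice /
 * IoCreateSymbolicLink status after tearing down what was created.
 *
 * Fixes vs. the original listing: the closing ')' of the parameter list
 * was missing; deviceObject was read uninitialised on the IoCreateDevice
 * failure path (UB); the unused fSymbolicLink local is gone; a DriverUnload
 * routine is installed.
 */
NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ntDeviceName;
    UNICODE_STRING win32DeviceName;
    PDEVICE_OBJECT deviceObject = NULL;

    (void)RegistryPath;

    /*
     * DeviceType 0x8335 is the vendor device type the user-mode side encodes in
     * its IOCTL codes (0x8335xxxx). Exclusive = TRUE, so only one open handle
     * to the device exists at a time.
     *
     * NOTE(review): the device gets the default security descriptor and the
     * DosDevices link below makes it reachable from any user-mode process;
     * nothing in this listing restricts who may send IOCTLs to a driver that
     * inspects other processes' handles. On platforms that provide it, prefer
     * IoCreateDeviceSecure with an SDDL string, or set FILE_DEVICE_SECURE_OPEN
     * and a DACL on the device object.
     */
    RtlInitUnicodeString(&ntDeviceName, NT_DEVICE_NAME);
    status = IoCreateDevice(DriverObject, 0, &ntDeviceName, 0x8335, 0, TRUE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    /* The Win32-visible name the user-mode tool opens; abort if it cannot be created. */
    RtlInitUnicodeString(&win32DeviceName, DOS_DEVICE_NAME);
    status = IoCreateSymbolicLink(&win32DeviceName, &ntDeviceName);
    if (!NT_SUCCESS(status)) {
        goto cleanup;
    }

    /* One routine handles all three majors; it distinguishes them itself. */
    DriverObject->MajorFunction[IRP_MJ_CREATE] = HandleQuert;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = HandleQuert;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HandleQuert;
    DriverObject->DriverUnload = NtHandleUnload;
    return STATUS_SUCCESS;

cleanup:
    /* deviceObject is NULL unless IoCreateDevice succeeded, so this is safe on both paths. */
    if (deviceObject != NULL) {
        IoDeleteDevice(deviceObject);
    }
    return status;
}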
// Dispatch routine for device create, close and device-control (IOCTL) requests
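/*
 * Dispatch routine for IRP_MJ_CREATE, IRP_MJ_CLOSE and IRP_MJ_DEVICE_CONTROL.
 *
 * Create/close complete immediately with STATUS_SUCCESS. Device-control
 * requests are forwarded to gethandleinfo with the IRP's system buffer as
 * both input and output (so the IOCTLs are expected to be METHOD_BUFFERED;
 * the code the user-mode tool sends, 0x83350000, has method bits 0). The
 * worker also receives the IRP's IoStatus block and is expected to set
 * IoStatus.Information, which is the byte count the I/O manager copies back
 * to the caller on completion.
 *
 * Returns the same NTSTATUS stored in Irp->IoStatus.Status, as the dispatch
 * contract requires: STATUS_SUCCESS, or STATUS_INVALID_DEVICE_REQUEST when
 * gethandleinfo reports failure (any value > 0).
 *
 * Fixes vs. the original listing: create/close never initialised the
 * IoStatus block; on worker failure the function returned
 * STATUS_INVALID_DEVICE_REQUEST while storing the raw worker value in
 * IoStatus.Status (the two must agree). The current stack location and
 * completion are now reached through the DDK macros instead of raw field
 * access and the fastcall export.
 */
NTSTATUS
HandleQuert(
    PDEVICE_OBJECT DeviceObject,    // our device object
    PIRP Irp)
{
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    NTSTATUS status = STATUS_SUCCESS;
    unsigned long ret;

    /*
     * NOTE(review): this rewrites the originating mode of every request to
     * KernelMode (0) before it is handled, so anything downstream that
     * consults Irp->RequestorMode (including completion processing) will
     * treat a user-mode caller as trusted. The listing does not show why
     * the author needed it; kept for behavioural fidelity, but it should be
     * removed unless gethandleinfo is confirmed to depend on it.
     */
    Irp->RequestorMode = 0;

    if (stack->MajorFunction == IRP_MJ_DEVICE_CONTROL) {
        /*
         * NOTE(review): the input buffer is a caller-supplied MYOBJECTINFO
         * (pid / objaddr / objhandle) and its length is passed through
         * unchecked; gethandleinfo must verify InputBufferLength >=
         * sizeof(MYOBJECTINFO) and must not treat objaddr as a valid kernel
         * object pointer without validation. Its body is not in this listing,
         * so that cannot be confirmed here.
         */
        ret = gethandleinfo(
            stack->FileObject,
            1,
            Irp->AssociatedIrp.SystemBuffer,                              // input buffer
            &stack->Parameters.DeviceIoControl.InputBufferLength,
            Irp->AssociatedIrp.SystemBuffer,                              // output buffer (same, buffered I/O)
            &stack->Parameters.DeviceIoControl.OutputBufferLength,
            stack->Parameters.DeviceIoControl.IoControlCode,
            &Irp->IoStatus,
            DeviceObject);
        if (ret > 0) {
            status = STATUS_INVALID_DEVICE_REQUEST;
        }
        /* Status and return value must match; Information is left to the worker. */
        Irp->IoStatus.Status = status;
    } else {
        /* IRP_MJ_CREATE / IRP_MJ_CLOSE: nothing to do, succeed with no data. */
        Irp->IoStatus.Status = STATUS_SUCCESS;
        Irp->IoStatus.Information = 0;
    }

    /* Completion copies IoStatus.Information bytes from SystemBuffer back to the caller. */
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}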
// IOCTL worker routine (its body continues beyond the end of this listing)
unsigned long gethandleinfo(PFILE_OBJECT p1,unsigned long p2,PVOID p3,unsigned long * p4,PVOID p5,unsigned long * p6,unsigned long p7,PIO_STATUS_BLOCK p8,PDEVICE_OBJECT p9)
{
//p3就是DEVICEIOCONTROL传入的输入BUFFER