Win10 process handle table debugging
Console program built in Debug x64 mode:

#include <iostream>
#include <Windows.h>

int main()
{
    HANDLE tmp;
    // Locate the Calculator window by class name and window title
    HWND h = FindWindowA("CalcFrame", "计算器");
    DWORD pid = 0;
    if (!h)
    {
        MessageBoxA(0, "请打开计算器", 0, 0);
        return -1;
    }
    GetWindowThreadProcessId(h, &pid);
    // Open the target process 20 times so that new handle table entries are
    // created; break into the kernel debugger after each one
    for (int i = 0; i < 20; i++)
    {
        tmp = OpenProcess(PROCESS_ALL_ACCESS, NULL, pid);
        std::cout << tmp << std::endl;
        __debugbreak();
    }
    __debugbreak();
    // One more handle, inheritable this time, then mark it protected from close
    tmp = OpenProcess(PROCESS_CREATE_THREAD, TRUE, pid);
    SetHandleInformation(tmp, HANDLE_FLAG_PROTECT_FROM_CLOSE, HANDLE_FLAG_PROTECT_FROM_CLOSE);
    getchar();
    return 0;
}
Attach WinDbg as a two-machine kernel debugger and run the console program Win10X64Handle.exe inside the virtual machine.
kd>!process 0 0
kd>dt _EPROCESS ffff85035d97b080
kd>dt _HANDLE_TABLE 0xffffbc8e`3189f380
When the low two bits of TableCode are 0, TableCode is the pointer to the first handle table entry of the table, HANDLE_TABLE_ENTRY[0] (the NULL handle entry).
The HANDLE_TABLE_ENTRY structure is 16 bytes.
PEPROCESS = (([TableCode + (Handle/4)*0x10] >> 0x10) & 0xFFFFFFFFFFFFFFF0) + 0x30
The first handle is 0xD0; 0xD0/4*0x10 = 0x340.
(85035d33`10500001 >> 0x10) & 0xFFFFFFFFFFFFFFF0 = 85035D331050; with the upper 16 bits filled in as 0xFFFF for a canonical kernel address this is FFFF85035D331050, which points to the OBJECT_HEADER.
The real kernel object lives in the Body field at OBJECT_HEADER+0x030.
dt _Eprocess FFFF85035D331050+0x30
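The entry-address and pointer-decoding arithmetic above, carried through in C as an added example (not code from the original post). The sample values are the ones shown in the walkthrough (handle 0xD0, entry value 85035d33`10500001); the TableCode used for the entry-address check is a constructed placeholder, since the post does not print that field.

```c
#include <stdint.h>
#include <stdio.h>

#define HANDLE_TABLE_ENTRY_SIZE   0x10u  /* sizeof(HANDLE_TABLE_ENTRY) on Win10 x64 */
#define OBJECT_HEADER_BODY_OFFSET 0x30u  /* OBJECT_HEADER.Body */

/* Low two bits of TableCode give the table level; 0 = single-level table
   where TableCode points directly at entry 0. */
unsigned table_level(uint64_t table_code) {
    return (unsigned)(table_code & 3);
}

/* Byte offset of a handle's entry inside a single-level table: (Handle/4)*0x10 */
uint64_t handle_entry_offset(uint64_t handle) {
    return (handle / 4) * HANDLE_TABLE_ENTRY_SIZE;
}

/* Address of the HANDLE_TABLE_ENTRY for a handle in a single-level table.
   Returns 0 for multi-level tables, which the walkthrough does not cover. */
uint64_t entry_address(uint64_t table_code, uint64_t handle) {
    if (table_level(table_code) != 0)
        return 0;
    return (table_code & ~3ull) + handle_entry_offset(handle);
}

/* Decode the OBJECT_HEADER pointer from the first QWORD of the entry:
   shifting by 0x10 discards the Unlocked/RefCnt bits, the mask discards the
   Attributes bits, and the top 16 bits are set to 0xFFFF so the 44
   ObjectPointerBits form a canonical x64 kernel address. */
uint64_t object_header_from_entry(uint64_t entry_low_value) {
    uint64_t hdr = (entry_low_value >> 0x10) & 0xFFFFFFFFFFFFFFF0ull;
    return hdr | 0xFFFF000000000000ull;
}

/* The object itself (here the EPROCESS) starts at OBJECT_HEADER + 0x30 */
uint64_t object_body_from_header(uint64_t header) {
    return header + OBJECT_HEADER_BODY_OFFSET;
}

int main(void) {
    /* Constructed placeholder TableCode; the real value comes from dt _HANDLE_TABLE */
    uint64_t table_code = 0xffffbc8e31900000ull;
    uint64_t handle     = 0xD0;                   /* first handle from the post */
    uint64_t entry_val  = 0x85035d3310500001ull;  /* entry QWORD from the post */

    uint64_t entry  = entry_address(table_code, handle);
    uint64_t header = object_header_from_entry(entry_val);
    uint64_t body   = object_body_from_header(header);

    printf("entry offset   : 0x%llx\n", (unsigned long long)handle_entry_offset(handle));
    printf("entry address  : 0x%llx\n", (unsigned long long)entry);
    printf("OBJECT_HEADER  : 0x%llx\n", (unsigned long long)header);
    printf("EPROCESS (Body): 0x%llx\n", (unsigned long long)body);
    return 0;
}
```

Feed `object_body_from_header(...)` straight into `dt _EPROCESS` to confirm the decoded address matches the process found with `!process 0 0`; a mismatch usually means the entry QWORD was read from the wrong offset or the table is multi-level.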