遍历PspCidTable枚举进程

//测试环境:win7 32位 
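// DriverEntry.cpp
//
// Walks the PspCidTable (the kernel's CID handle table for process and thread
// objects) and prints the image name of every process object it finds.  Every
// live process owns an entry here, which is why anti-rootkit tools walk this
// table as a cross-check against the PsActiveProcessHead list.
//
// Everything below is tied to one build: the HANDLE_TABLE layout in header.h,
// the per-level table sizes and the EPROCESS image-name offset are the Win7 x86
// values the page was tested on.  Re-check them against the target build's
// symbols before reuse; a mismatch means wild reads, not a clean failure.

#include "ntddk.h"
#include <ntddvol.h>
#include <ntdef.h>
#include "header.h"

// Not in the public headers but exported by the kernel; returns the
// OBJECT_TYPE of an object body.
extern "C" POBJECT_TYPE ObGetObjectType(IN PVOID Object);

// Build-specific constants, kept together so they are easy to re-verify.
static const ULONG LEVEL1_ENTRIES = 512;    // HANDLE_TABLE_ENTRYs (8 bytes each on x86) per level-1 page
static const ULONG LEVEL2_ENTRIES = 1024;   // level-1 page pointers per level-2 page
static const ULONG LEVEL3_ENTRIES = 32;     // level-2 page pointers per level-3 page
static const ULONG_PTR TABLE_LEVEL_MASK = 3; // low bits of HANDLE_TABLE.TableCode encode the depth
static const ULONG EPROCESS_IMAGE_FILE_NAME_OFFSET = 0x16c; // EPROCESS.ImageFileName, Win7 x86
// ImageFileName is a fixed-width char array that is not guaranteed to be
// NUL-terminated; the width is taken as 15 bytes on this build — confirm
// against symbols.
static const ULONG IMAGE_FILE_NAME_LEN = 15;
// Constructed upper bound on the signature scan (bytes).  The original scanned
// without limit until it hit a non-resident page, which risks matching the
// same byte pattern inside an unrelated routine further down.
static const ULONG PSLOOKUP_SCAN_LIMIT = 0x100;

// Catch-all IRP handler: completes every request successfully with no data.
// The driver creates no device object, so nothing should reach here in
// normal use.
extern "C" NTSTATUS DefaultDispatch (
    __in struct _DEVICE_OBJECT *DeviceObject,
    __inout struct _IRP *Irp
    )
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

// Nothing is allocated at load time, so there is nothing to release.
VOID DriverUnload (
    __in struct _DRIVER_OBJECT *DriverObject
    )
{
    UNREFERENCED_PARAMETER(DriverObject);
}

// Locates the PspCidTable global by pattern-matching the prologue of the
// exported PsLookupProcessByProcessId, which on this build loads the table
// pointer as
//     8B 3D xx xx xx xx    mov edi, dword ptr [_PspCidTable]
//     E8 xx xx xx xx       call ...
// Returns the address of the PHANDLE_TABLE global (not the table itself), or
// NULL when the pattern is not found within PSLOOKUP_SCAN_LIMIT bytes or the
// bytes to inspect are not resident.  A signature scan is inherently
// build-specific: a different layout yields NULL, and a stray byte match
// yields a bogus pointer that the caller cannot distinguish from a real one.
extern "C" void* GetPspCidTable()
{
    UNICODE_STRING sysRoutineName;
    RtlInitUnicodeString(&sysRoutineName, L"PsLookupProcessByProcessId");
    PUCHAR pFun = (PUCHAR)MmGetSystemRoutineAddress(&sysRoutineName);
    if (pFun == NULL)
    {
        return NULL;
    }

    for (ULONG off = 0; off < PSLOOKUP_SCAN_LIMIT; off++, pFun++)
    {
        // The match reads bytes [0, 7) of the window; checking the first and
        // last keeps the read inside resident pages.  MmIsAddressValid is
        // only a best-effort probe, which is acceptable for a diagnostic.
        if (!MmIsAddressValid(pFun) || !MmIsAddressValid(pFun + 6))
        {
            return NULL;
        }
        if (*(PSHORT)pFun == 0x3D8B && *(pFun + 6) == 0xE8)
        {
            // The disp32 operand of the mov is the address of _PspCidTable.
            ULONG pspCidTable = *((ULONG *)(pFun + 2));
            DbgPrint("PspCidTable at %p\n", (PVOID)pspCidTable);
            return (void*)pspCidTable;
        }
    }
    return NULL;
}

// Walks one level-1 page (LEVEL1_ENTRIES HANDLE_TABLE_ENTRYs) and prints the
// image name of each entry that refers to a process object.  Thread objects
// share this table and are skipped by the object-type check.
void EnumLevel1Tabel(PUCHAR pLevel1Table)
{
    DbgPrint("Table1:%p\n", pLevel1Table);
    PHANDLE_TABLE_ENTRY phte = (PHANDLE_TABLE_ENTRY)pLevel1Table;
    POBJECT_TYPE processType = *PsProcessType;   // loop invariant, hoisted
    for (ULONG i = 0; i < LEVEL1_ENTRIES; i++, phte++)
    {
        // The entry stores the object pointer with attribute bits in its low
        // three bits (the ObAttributes view in header.h); mask them off before
        // treating the word as a pointer.
        PEPROCESS pProcess = (PEPROCESS)((ULONG_PTR)phte->Object & ~(ULONG_PTR)7);
        if (pProcess == NULL || ObGetObjectType(pProcess) != processType)
        {
            continue;
        }

        // No reference is taken and the table is not locked, so a process
        // exiting concurrently can free the object under us.  This is a
        // diagnostic walk, not a production-safe enumeration.
        // Copy the fixed-width name into a terminated buffer; the original
        // printed the field with %s and could run past it.
        CHAR name[IMAGE_FILE_NAME_LEN + 1];
        RtlCopyMemory(name, (PUCHAR)pProcess + EPROCESS_IMAGE_FILE_NAME_OFFSET, IMAGE_FILE_NAME_LEN);
        name[IMAGE_FILE_NAME_LEN] = '\0';
        DbgPrint("Process Name:%s\n", name);
    }
}

// Walks a level-2 page: an array of LEVEL2_ENTRIES pointers to level-1 pages.
// As in the original, the first NULL slot ends the walk, which assumes the
// kernel fills level-1 pages in index order.
void EnumLevel2Tabel(PULONG pLevel2Table)
{
    DbgPrint("EnumLevel2Tabel:%p\n", pLevel2Table);
    for (ULONG i = 0; i < LEVEL2_ENTRIES; i++, pLevel2Table++)
    {
        if (*pLevel2Table == 0)
        {
            break;
        }
        EnumLevel1Tabel((PUCHAR)*pLevel2Table);
    }
}

// Walks a level-3 page: an array of LEVEL3_ENTRIES pointers to level-2 pages.
// Same first-NULL-ends-the-walk assumption as EnumLevel2Tabel.
void EnumLevel3Tabel(PULONG pLevel3Table)
{
    DbgPrint("EnumLevel3Tabel:%p\n", pLevel3Table);
    for (ULONG i = 0; i < LEVEL3_ENTRIES; i++, pLevel3Table++)
    {
        if (*pLevel3Table == 0)
        {
            break;
        }
        EnumLevel2Tabel((PULONG)*pLevel3Table);
    }
}

// Entry point: installs the no-op dispatch table, locates PspCidTable and
// walks it once at load time.  Returns STATUS_UNSUCCESSFUL when the table
// cannot be located or its level encoding is not one this code understands.
extern "C" NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots; the original loop
    // used `<` and left the last slot unset.
    for (int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DriverObject->MajorFunction[i] = DefaultDispatch;
    }
    DriverObject->DriverUnload = DriverUnload;

    PHANDLE_TABLE *pPspCidTable = (PHANDLE_TABLE *)GetPspCidTable();
    if (pPspCidTable == NULL)
    {
        DbgPrint("PspCidTable not found: signature does not match this build\n");
        return STATUS_UNSUCCESSFUL;
    }
    // The original had `__asm { int 3 }` here.  A hard-coded breakpoint
    // bugchecks the machine when no kernel debugger is attached, so it is
    // dropped; set the breakpoint from the debugger instead.
    DbgPrint("pPspCidTable:%p\n", pPspCidTable);

    PHANDLE_TABLE pspCidTable = *pPspCidTable;
    if (pspCidTable == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }
    // Low 2 bits of TableCode give the table depth; the rest is the
    // top-level page address.
    ULONG level = (ULONG)(pspCidTable->TableCode & TABLE_LEVEL_MASK);
    PUCHAR tableBase = (PUCHAR)(pspCidTable->TableCode & ~TABLE_LEVEL_MASK);
    DbgPrint("level:%u\n", level);
    DbgPrint("tableBase:%p\n", tableBase);   // original printed a pointer with %d

    switch (level)
    {
    case 0:
        EnumLevel1Tabel(tableBase);
        break;
    case 1:
        EnumLevel2Tabel((PULONG)tableBase);
        break;
    case 2:
        EnumLevel3Tabel((PULONG)tableBase);
        break;
    default:
        // Level 3 is not an encoding this walk understands; treat it as a
        // mismatched or corrupt table rather than dereferencing it.
        DbgPrint("unexpected table level %u\n", level);
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}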
 1 //header.h
 2 #ifndef HEADER_H
 3 #define HEADER_H
// nt!_HANDLE_TABLE as laid out on the Win7 x86 build this page was tested on.
// Field offsets are build-specific; re-check against the target's symbols
// before reuse.  DriverEntry.cpp reads only TableCode (offset 0), so the
// fields after it are reproduced for completeness rather than verified here.
typedef struct  _HANDLE_TABLE
{
    // Low 2 bits: table depth (0 = one level, 1 = two, 2 = three), which
    // DriverEntry extracts with `& 3`.  With those bits cleared, the value is
    // the address of the top-level table page.
    ULONG_PTR TableCode;
    PEPROCESS QuotaProcess;
    PVOID UniqueProcessId;
    PVOID HandleLock;
    LIST_ENTRY HandleTableList;
    PVOID HandleContentionEvent;
    PVOID DebugInfo;
    LONG ExtraInfoPages;
    union
    {
    ULONG Flags;
    UCHAR StrictFIFO:1;
    };
    // Free-list bookkeeping; not used by this sample.
    LONG FirstFreeHandle;
    PVOID    LastFreeHandleEntry;
    LONG HandleCount;
    ULONG NextHandleNeedingPool;
    ULONG HandleCountHighWatermark;
}HANDLE_TABLE, *PHANDLE_TABLE;
25 
26 
// One slot of a level-1 handle table page: two 4-byte unions, so 8 bytes on
// x86 and 512 entries per 4 KiB page, which is the count EnumLevel1Tabel walks.
typedef struct _HANDLE_TABLE_ENTRY
{
    union
    {
        // Object body pointer.  Viewed as ObAttributes, the same word carries
        // flag bits in its low 3 bits, which is why EnumLevel1Tabel masks with
        // 0xfffffff8 before dereferencing.  NOTE(review): the meaning of the
        // individual bits is not shown here — confirm against symbols.
        PVOID Object;
        ULONG_PTR ObAttributes;
        PVOID InfoTable;
        ULONG_PTR Value;
    };
    union
    {
        ULONG GrantedAccess;
        struct
        {
            USHORT GrantedAccessIndex;
            USHORT CreatorBackTraceIndex;
        };
        // Presumably links free entries into the table's free list (cf.
        // FirstFreeHandle in HANDLE_TABLE); not used by this sample.
        LONG NextFreeTableEntry;
    };
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;
47 #endif

