[Repost] Analyzing the handle table by hand

Today's jotting is about how to analyze the handle table "by hand" with the kernel debugger; a kindergarten trick ~
Russinovich's Handle tool is a handy way to check that my manual analysis is correct.
The platform is Win-XP SP2.
Experts, treat this as light entertainment ~
because I only wrote it for fun anyway.

// Taking the SYSTEM process as the guinea pig //
Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
System pid: 4 NT AUTHORITY/SYSTEM
340: File (---)   C:/Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
7D8: File (R--)   D:/System Volume Information/_restore{B546FFD0-E3B9-4B2D-AFB2-DD50CA238520}/RP123/change.log
880: File (---)   C:/Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
884: File (---)   C:/Documents and Settings/LocalService/ntuser.dat.LOG
88C: File (---)   C:/Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
8A0: File (---)   C:/Documents and Settings/LocalService/NTUSER.DAT
8E0: File (---)   C:/Documents and Settings/WangYu/NTUSER.DAT
8E4: File (---)   C:/Documents and Settings/WangYu/ntuser.dat.LOG
8E8: File (---)   C:/Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
998: File (---)   C:/WINDOWS/system32/config/SAM.LOG
9E8: File (---)   C:/WINDOWS/system32/config/default
9F4: File (---)   C:/WINDOWS/system32/config/system.LOG
9FC: File (---)   C:/WINDOWS/system32/config/default.LOG
A80: File (---)   C:/WINDOWS/system32/config/software.LOG
A88: File (---)   C:/WINDOWS/system32/config/software
A94: File (---)   C:/WINDOWS/system32/config/SECURITY.LOG
A98: File (---)   C:/WINDOWS/system32/config/system
A9C: File (---)   C:/WINDOWS/system32/config/SAM
AA8: File (---)   C:/Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
AD0: File (---)   C:/Documents and Settings/NetworkService/NTUSER.DAT
ADC: File (---)   C:/Documents and Settings/NetworkService/ntuser.dat.LOG
AE0: File (---)   C:/Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
AF4: File (R--)   C:/System Volume Information/_restore{B546FFD0-E3B9-4B2D-AFB2-DD50CA238520}/RP123/change.log
B9C: File (---)   C:/WINDOWS/system32/config/SECURITY
BAC: File (-W-)   C:/pagefile.sys
------------------------------------------------------------------------------
smss.exe pid: 908 NT AUTHORITY/SYSTEM
...................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
// First use the !handle command to resolve handle "340" of process "4"; this is the reference for the manual resolution below //
// Every process has a handle table: the ObjectTable field of EPROCESS is the HANDLE_TABLE,
// and the first field of the HANDLE_TABLE is TableCode.
// TableCode is multi-level: its low two bits encode the level, 0, 1 or 2.
// The level-0 table is the base table, made up of HANDLE_TABLE_ENTRY structures (8 bytes each). A base table is 1k in size, holding 1k/8 = 512 entries (the first entry is invalid, so 511 are usable); because handle values step by 4, the largest handle index in one base table is 512*4 = 0x800.

0: kd> !handle 340 7 4
processor number 0, process 00000004
Searching for Process with Cid == 4
PROCESS 89e31830 SessionId: none Cid: 0004    Peb: 00000000 ParentCid: 0000
    DirBase: 0a480020 ObjectTable: e1000e80 HandleCount: 425.
    Image: System
Handle table at e1817000 with 425 Entries in use
0340: Object: 89a3e6f0 GrantedAccess: 00000003 (Protected) Entry: e1004680
Object: 89a3e6f0 Type: (89e63ad0) File
    ObjectHeader: 89a3e6d8 (old version)
        HandleCount: 1 PointerCount: 4
        Directory Object: 00000000 Name: /Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat {HarddiskVolume1}

// Manual resolution starts from ObjectTable //
// The first dword of the ObjectTable is e1817001; its low two bits are 1, so this is a two-level handle table
// Address of the upper-level (level-1) table: e1817000

0: kd> dd e1000e80
e1000e80 e1817001 00000000 00000004 00000000
e1000e90 00000000 00000000 00000000 e14533bc
e1000ea0 80564aa8 00000000 00000000 00000000
e1000eb0 000005e4 00000c28 00001000 000001a9
e1000ec0 00000000 ffffffff 0c03040a 54446d4d
e1000ed0 00000002 89e822e8 89e82278 00000000
e1000ee0 0c040403 54446d4d 0074004e 00730066
e1000ef0 0073002e 00730079 00000000 00000000
// The upper-level table has two entries, each pointing to one level-0 table
0: kd> dd e1817000
e1817000 e1004000 e1818000 00000000 00000000
e1817010 00000000 00000000 00000000 00000000
e1817020 00000000 00000000 00000000 00000000
e1817030 00000000 00000000 00000000 00000000
e1817040 00000000 00000000 00000000 00000000
e1817050 00000000 00000000 00000000 00000000
e1817060 00000000 00000000 00000000 00000000
e1817070 00000000 00000000 00000000 00000000
// Contents of the first entry of the level-1 table (i.e. the first level-0 table); the handle we want, "0x340", is entry number D0h
// (the first HANDLE_TABLE_ENTRY is invalid)
// Because handle values step by 4, handle 0x340 is index 0x340/4 = 0xD0; each entry is 8 bytes, so the entry's offset is
// e1004000+(0x340/4)*8, i.e. e1004000+0x340*2
0: kd> dd e1004000
e1004000 00000000 fffffffe 89e31819 001f0fff
e1004010 89e30019 00000000 e10003e9 00000000
e1004020 e1449139 000f003f e143b1b9 00020019
e1004030 e144b139 00020019 e14534a9 0002001f
e1004040 e1453431 00020019 e144a541 00020019
e1004050 e145d639 00020019 e1011791 0002001f
e1004060 e144a499 00020019 89e1a4b9 001f0003
e1004070 00000000 00000040 00000000 000000a0
// And here it is //
0: kd> dd e1004000+D0*8
e1004680 89a3e6d9 02000003 00000000 00000744
e1004690 00000000 00000338 00000000 00000348
e10046a0 00000000 0000034c 89dd7929 0012019f
e10046b0 00000000 00000350 00000000 00000358
e10046c0 00000000 0000035c 00000000 00000360
e10046d0 00000000 00000364 00000000 00000368
e10046e0 00000000 0000036c 00000000 00000370
e10046f0 00000000 00000374 00000000 00000378
// Now a little arithmetic
// The HANDLE_TABLE_ENTRY's Object field is 89a3e6d9, GrantedAccess is 02000003
// 89a3e6d9 is not the object pointer itself: objects are 8-byte aligned, so the low three bits are used as flags
// Masking off the low three bits gives the OBJECT_HEADER pointer; the object body follows directly after the header
// OBJECT_HEADER + 0x18 (the size of the header) gives the object body
0: kd> ?(89a3e6d9&fffffff8)+18
Evaluate expression: -1985747216 = 89a3e6f0
// See, my manual handle-table resolution isn't bad either ^_^ //
0: kd> !object 89a3e6f0
Object: 89a3e6f0 Type: (89e63ad0) File
    ObjectHeader: 89a3e6d8 (old version)
    HandleCount: 1 PointerCount: 4
    Directory Object: 00000000 Name: /Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat {HarddiskVolume1}
// A bit more information //
0: kd> dt nt!_OBJECT_HEADER 89a3e6f0-18
   +0x000 PointerCount     : 4
   +0x004 HandleCount      : 1
   +0x004 NextToFree       : 0x00000001
   +0x008 Type             : 0x89e63ad0 _OBJECT_TYPE
   +0x00c NameInfoOffset   : 0 ''
   +0x00d HandleInfoOffset : 0x18 ''
   +0x00e QuotaInfoOffset : 0 ''
   +0x00f Flags            : 0x46 'F'
   +0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x00000001
   +0x014 SecurityDescriptor : (null)
   +0x018 Body             : _QUAD
0: kd> dt nt!_OBJECT_TYPE 0x89e63ad0
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x89dea220 - 0x88963150 ]
   +0x040 Name             : _UNICODE_STRING "File"
   +0x048 DefaultObject    : 0x0000005c
   +0x04c Index            : 0x1c
   +0x050 TotalNumberOfObjects : 0x170c
   +0x054 TotalNumberOfHandles : 0x4e6
   +0x058 HighWaterNumberOfObjects : 0x173b
   +0x05c HighWaterNumberOfHandles : 0x56e
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x656c6946
   +0x0b0 ObjectLocks      : [4] _ERESOURCE
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
// One more, handle "BAC", and then we're done //
0: kd> !handle BAC 7 4
processor number 0, process 00000004
Searching for Process with Cid == 4
PROCESS 89e31830 SessionId: none Cid: 0004    Peb: 00000000 ParentCid: 0000
    DirBase: 0a480020 ObjectTable: e1000e80 HandleCount: 425.
    Image: System
Handle table at e1817000 with 425 Entries in use
0bac: Object: 89cce770 GrantedAccess: 00140003 Entry: e1818758
Object: 89cce770 Type: (89e63ad0) File
    ObjectHeader: 89cce758 (old version)
        HandleCount: 1 PointerCount: 2
        Directory Object: 00000000 Name: /pagefile.sys {HarddiskVolume1}

// Clearly this handle lives in the second entry of the level-1 table (i.e. the second level-0 table), at index 0xeb //
0: kd> ?bac/4-200
Evaluate expression: 235 = 000000eb
// This is the one //
0: kd> dd e1818000+eb*8
e1818758 89cce759 00140003 00000000 00000a28
e1818768 89aaebd9 0012019f 89ace7f1 0012019f
e1818778 89b075e9 0012019f 89a59149 0012019f
e1818788 89afccf1 0012019f 89d7f0c9 0012019f
e1818798 89a81cf1 0012019f 89c81159 0012019f
e18187a8 89c720c9 0012019f 89d5d0c9 0012019f
e18187b8 89b0abf9 0012019f 89b090c9 0012019f
e18187c8 89b13a81 0012019f 89c8f0c9 0012019f
// Do the arithmetic //
0: kd> ?(89cce759&fffffff8)+18
Evaluate expression: -1983060112 = 89cce770
// OK! Off to bed! //
0: kd> !object 89cce770
Object: 89cce770 Type: (89e63ad0) File
    ObjectHeader: 89cce758 (old version)
    HandleCount: 1 PointerCount: 2
    Directory Object: 00000000 Name: /pagefile.sys {HarddiskVolume1}