因爲我也就是當消遣才寫的
// 拿進程 SYSTEM 開刀 //
Handle v3.2
Copyright (C) 1997-2006 Mark Russinovich
Sysinternals -
www.sysinternals.com
System pid: 4 NT AUTHORITY/SYSTEM
340: File (---) C:/Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
7D8: File (R--) D:/System Volume Information/_restore{B546FFD0-E3B9-4B2D-AFB2-DD50CA238520}/RP123/change.log
880: File (---) C:/Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
884: File (---) C:/Documents and Settings/LocalService/ntuser.dat.LOG
88C: File (---) C:/Documents and Settings/LocalService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
8A0: File (---) C:/Documents and Settings/LocalService/NTUSER.DAT
8E0: File (---) C:/Documents and Settings/WangYu/NTUSER.DAT
8E4: File (---) C:/Documents and Settings/WangYu/ntuser.dat.LOG
8E8: File (---) C:/Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
998: File (---) C:/WINDOWS/system32/config/SAM.LOG
9E8: File (---) C:/WINDOWS/system32/config/default
9F4: File (---) C:/WINDOWS/system32/config/system.LOG
9FC: File (---) C:/WINDOWS/system32/config/default.LOG
A80: File (---) C:/WINDOWS/system32/config/software.LOG
A88: File (---) C:/WINDOWS/system32/config/software
A94: File (---) C:/WINDOWS/system32/config/SECURITY.LOG
A98: File (---) C:/WINDOWS/system32/config/system
A9C: File (---) C:/WINDOWS/system32/config/SAM
AA8: File (---) C:/Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat
AD0: File (---) C:/Documents and Settings/NetworkService/NTUSER.DAT
ADC: File (---) C:/Documents and Settings/NetworkService/ntuser.dat.LOG
AE0: File (---) C:/Documents and Settings/NetworkService/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat.LOG
AF4: File (R--) C:/System Volume Information/_restore{B546FFD0-E3B9-4B2D-AFB2-DD50CA238520}/RP123/change.log
B9C: File (---) C:/WINDOWS/system32/config/SECURITY
BAC: File (-W-) C:/pagefile.sys
------------------------------------------------------------------------------
smss.exe pid: 908 NT AUTHORITY/SYSTEM
...................................
0: kd> !handle 340 7 4
processor number 0, process 00000004
Searching for Process with Cid == 4
PROCESS 89e31830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a480020 ObjectTable: e1000e80 HandleCount: 425.
Image: System
0340: Object: 89a3e6f0 GrantedAccess: 00000003 (Protected) Entry: e1004680
Object: 89a3e6f0 Type: (89e63ad0) File
ObjectHeader: 89a3e6d8 (old version)
HandleCount: 1 PointerCount: 4
Directory Object: 00000000 Name: /Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat {HarddiskVolume1}
// 手工解析從 ObjectTable 開始 //
0: kd> dd e1000e80
e1000e80 e1817001 00000000 00000004 00000000
e1000e90 00000000 00000000 00000000 e14533bc
e1000ea0 80564aa8 00000000 00000000 00000000
e1000eb0 000005e4 00000c28 00001000 000001a9
e1000ec0 00000000 ffffffff 0c03040a 54446d4d
e1000ed0 00000002 89e822e8 89e82278 00000000
e1000ee0 0c040403 54446d4d 0074004e 00730066
e1000ef0 0073002e 00730079 00000000 00000000
0: kd> dd e1817000
e1817000 e1004000 e1818000 00000000 00000000
e1817010 00000000 00000000 00000000 00000000
e1817020 00000000 00000000 00000000 00000000
e1817030 00000000 00000000 00000000 00000000
e1817040 00000000 00000000 00000000 00000000
e1817050 00000000 00000000 00000000 00000000
e1817060 00000000 00000000 00000000 00000000
e1817070 00000000 00000000 00000000 00000000
0: kd> dd e1004000
e1004000 00000000 fffffffe 89e31819 001f0fff
e1004010 89e30019 00000000 e10003e9 00000000
e1004020 e1449139 000f003f e143b1b9 00020019
e1004030 e144b139 00020019 e14534a9 0002001f
e1004040 e1453431 00020019 e144a541 00020019
e1004050 e145d639 00020019 e1011791 0002001f
e1004060 e144a499 00020019 89e1a4b9 001f0003
e1004070 00000000 00000040 00000000 000000a0
0: kd> dd e1004000+D0*8
e1004680 89a3e6d9 02000003 00000000 00000744
e1004690 00000000 00000338 00000000 00000348
e10046a0 00000000 0000034c 89dd7929 0012019f
e10046b0 00000000 00000350 00000000 00000358
e10046c0 00000000 0000035c 00000000 00000360
e10046d0 00000000 00000364 00000000 00000368
e10046e0 00000000 0000036c 00000000 00000370
e10046f0 00000000 00000374 00000000 00000378
0: kd> ?(89a3e6d9&fffffff8)+18
Evaluate expression: -1985747216 = 89a3e6f0
0: kd> !object 89a3e6f0
Object: 89a3e6f0 Type: (89e63ad0) File
ObjectHeader: 89a3e6d8 (old version)
HandleCount: 1 PointerCount: 4
Directory Object: 00000000 Name: /Documents and Settings/WangYu/Local Settings/Application Data/Microsoft/Windows/UsrClass.dat {HarddiskVolume1}
0: kd> dt nt!_OBJECT_HEADER 89a3e6f0-18
+0x000 PointerCount : 4
+0x004 HandleCount : 1
+0x004 NextToFree : 0x00000001
+0x008 Type : 0x89e63ad0 _OBJECT_TYPE
+0x00c NameInfoOffset : 0 ''
+0x00d HandleInfoOffset : 0x18 ''
+0x00e QuotaInfoOffset : 0 ''
+0x00f Flags : 0x46 'F'
+0x010 ObjectCreateInfo : 0x00000001 _OBJECT_CREATE_INFORMATION
+0x010 QuotaBlockCharged : 0x00000001
+0x014 SecurityDescriptor : (null)
+0x018 Body : _QUAD
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x89dea220 - 0x88963150 ]
+0x040 Name : _UNICODE_STRING "File"
+0x048 DefaultObject : 0x0000005c
+0x04c Index : 0x1c
+0x050 TotalNumberOfObjects : 0x170c
+0x054 TotalNumberOfHandles : 0x4e6
+0x058 HighWaterNumberOfObjects : 0x173b
+0x05c HighWaterNumberOfHandles : 0x56e
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x656c6946
+0x0b0 ObjectLocks : [4] _ERESOURCE
0: kd> !handle BAC 7 4
processor number 0, process 00000004
Searching for Process with Cid == 4
PROCESS 89e31830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 0a480020 ObjectTable: e1000e80 HandleCount: 425.
Image: System
0bac: Object: 89cce770 GrantedAccess: 00140003 Entry: e1818758
Object: 89cce770 Type: (89e63ad0) File
ObjectHeader: 89cce758 (old version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: /pagefile.sys {HarddiskVolume1}
// 句柄值 0xBAC 除以 4 得到索引 0x2EB，超過了一個0級句柄表的 0x200 項，所以這個句柄位於1級句柄表第二項所指的0級句柄表裏，索引值是 0x2EB-0x200=0xeb //
0: kd> ?bac/4-200
Evaluate expression: 235 = 000000eb
0: kd> dd e1818000+eb*8
e1818758 89cce759 00140003 00000000 00000a28
e1818768 89aaebd9 0012019f 89ace7f1 0012019f
e1818778 89b075e9 0012019f 89a59149 0012019f
e1818788 89afccf1 0012019f 89d7f0c9 0012019f
e1818798 89a81cf1 0012019f 89c81159 0012019f
e18187a8 89c720c9 0012019f 89d5d0c9 0012019f
e18187b8 89b0abf9 0012019f 89b090c9 0012019f
e18187c8 89b13a81 0012019f 89c8f0c9 0012019f
0: kd> ?(89cce759&fffffff8)+18
Evaluate expression: -1983060112 = 89cce770
0: kd> !object 89cce770
Object: 89cce770 Type: (89e63ad0) File
ObjectHeader: 89cce758 (old version)
HandleCount: 1 PointerCount: 2
Directory Object: 00000000 Name: /pagefile.sys {HarddiskVolume1}