c++ - windows 系统枚举任意内核进程对象的问题

浏览：32日期：2023-05-28

问题描述

原文地址：http://www.tuicool.com/articles/vaeAB3

最后一个方法 void EnumObjInfo(LPVOID pBuffer, DWORD pid)

pBuffer 是传什么进去？

// ConsoleApplication1.cpp : 定义控制台应用程序的入口点。//#include <stdio.h>#include <tchar.h>#include <windows.h>//#include 'ntsecapi.h'typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation, // 0YN SystemProcessorInformation, // 1YN SystemPerformanceInformation,// 2YN SystemTimeOfDayInformation, // 3YN SystemNotImplemented1, // 4YN SystemProcessesAndThreadsInformation, // 5 YN SystemCallCounts, // 6YN SystemConfigurationInformation, // 7YN SystemProcessorTimes,// 8YN SystemGlobalFlag, // 9YY SystemNotImplemented2, // 10 YN SystemModuleInformation, // 11 YN SystemLockInformation, // 12 YN SystemNotImplemented3, // 13 YN SystemNotImplemented4, // 14 YN SystemNotImplemented5, // 15 YN SystemHandleInformation, // 16 YN SystemObjectInformation, // 17 YN SystemPagefileInformation, // 18 YN SystemInstructionEmulationCounts, // 19 YN SystemInvalidInfoClass1, // 20 SystemCacheInformation, // 21 YY SystemPoolTagInformation, // 22 YN SystemProcessorStatistics, // 23 YN SystemDpcInformation,// 24 YY SystemNotImplemented6, // 25 YN SystemLoadImage, // 26 NY SystemUnloadImage, // 27 NY SystemTimeAdjustment,// 28 YY SystemNotImplemented7, // 29 YN SystemNotImplemented8, // 30 YN SystemNotImplemented9, // 31 YN SystemCrashDumpInformation, // 32 YN SystemExceptionInformation, // 33 YN SystemCrashDumpStateInformation, // 34 YY/N SystemKernelDebuggerInformation, // 35 YN SystemContextSwitchInformation, // 36 YN SystemRegistryQuotaInformation, // 37 YY SystemLoadAndCallImage, // 38 NY SystemPrioritySeparation, // 39 NY SystemNotImplemented10, // 40 YN SystemNotImplemented11, // 41 YN SystemInvalidInfoClass2, // 42 SystemInvalidInfoClass3, // 43 SystemTimeZoneInformation, // 44 YN SystemLookasideInformation, // 45 YN SystemSetTimeSlipEvent, // 46 NY SystemCreateSession, // 47 NY SystemDeleteSession, // 48 NY SystemInvalidInfoClass4, // 49 SystemRangeStartInformation, // 50 YN SystemVerifierInformation, // 51 YY SystemAddVerifier, // 52 NY SystemSessionProcessesInformation // 53 YN} SYSTEM_INFORMATION_CLASS;typedef NTSTATUS(WINAPI *ZWQUERYSYSTEMINFORMATION)(DWORD, PVOID, DWORD, PDWORD);typedef enum _OBJECT_INFORMATION_CLASS { ObjectBasicInformation, ObjectNameInformation, ObjectTypeInformation, ObjectAllInformation, ObjectDataInformation,} OBJECT_INFORMATION_CLASS;typedef NTSTATUS(NTAPI *NTQUERYOBJECT)( HANDLE Handle, OBJECT_INFORMATION_CLASS ObjectInformationClass, PVOID ObjectInformation, ULONG ObjectInformationLength, PULONG ReturnLength );typedef struct _UNICODE_STRING { USHORT Length; //UNICODE占用的内存字节数，个数*2； USHORT MaximumLength; PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING;typedef struct _OBJECT_NAME_INFORMATION { UNICODE_STRING Name;} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;typedef struct _SYSTEM_HANDLE_INFORMATION{ ULONG ProcessId; UCHAR ObjectTypeNumber; UCHAR Flags; USHORT Handle; PVOID Object; ACCESS_MASK GrantedAccess;}SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;typedef struct _SYSTEM_HANDLE_INFORMATION_EX{ ULONG NumberOfHandles; SYSTEM_HANDLE_INFORMATION Information[1];}SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;#define SystemHandleInformation 0x10 // 16ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation;// = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle('ntdll.dll'), 'ZwQuerySystemInformation');NTQUERYOBJECT NtQueryObject;// = (NTQUERYOBJECT)GetProcAddress(GetModuleHandle('ntdll.dll'), 'NtQueryObject'); /*功能函数体*/void EnumObjInfo(LPVOID pBuffer, DWORD pid);int _tmain1(int argc, _TCHAR* argv[]){ ZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandle(TEXT('ntdll.dll')), 'ZwQuerySystemInformation');NtQueryObject = (NTQUERYOBJECT)GetProcAddress(GetModuleHandle(TEXT('ntdll.dll')), 'NtQueryObject');EnumObjInfo('Mutant',3816);}void EnumObjInfo(LPVOID pBuffer, DWORD pid){ char szType[128] = { 0 }; char szName[512] = { 0 }; DWORD dwFlags = 0; POBJECT_NAME_INFORMATION pNameInfo; POBJECT_NAME_INFORMATION pNameType; PSYSTEM_HANDLE_INFORMATION_EX pInfo = (PSYSTEM_HANDLE_INFORMATION_EX)pBuffer; ULONG OldPID = 0; for (DWORD i = 0; i < pInfo->NumberOfHandles; i++) {if (OldPID != pInfo->Information[i].ProcessId){ if (pInfo->Information[i].ProcessId == pid) {HANDLE newHandle;DuplicateHandle(OpenProcess(PROCESS_ALL_ACCESS, FALSE, pInfo->Information[i].ProcessId), (HANDLE)pInfo->Information[i].Handle, GetCurrentProcess(), &newHandle, DUPLICATE_SAME_ACCESS, FALSE, DUPLICATE_SAME_ACCESS);NTSTATUS status1 = NtQueryObject(newHandle, ObjectNameInformation, szName, 512, &dwFlags);NTSTATUS status2 = NtQueryObject(newHandle, ObjectTypeInformation, szType, 128, &dwFlags);if (strcmp(szName, '') && strcmp(szType, '') && status1 != 0xc0000008 && status2 != 0xc0000008){ pNameInfo = (POBJECT_NAME_INFORMATION)szName; pNameType = (POBJECT_NAME_INFORMATION)szType; printf('%wZ ', pNameType); printf('%wZ n', pNameInfo);} }} }}

问题解答

回答1：

从代码中看pBuffer代表的是内核对象类型名称。Mutant是突变体，另外还有Section是内存文件映射，Semaphore是信号量，Thread和Process不解释了，Event是事件，File是文件，IoCompletion是完成端口……还有其他类型的内核对象，具体请参考WRK。

回答2：

首先：

PSYSTEM_HANDLE_INFORMATION_EX pInfo = (PSYSTEM_HANDLE_INFORMATION_EX)pBuffer

所以pBuffer就是PSYSTEM_HANDLE_INFORMATION_EX，然后我们来看它的定义：

typedef struct _SYSTEM_HANDLE_INFORMATION_EX{ ULONG NumberOfHandles; SYSTEM_HANDLE_INFORMATION Information[1];}SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX

这是一个SYSTEM_HANDLE_INFORAMTION的数组，但是有点不同的是，前面需要一个NumberOfHandlers来告诉你Information到底有多长。于是如果你要提供一个长度为5的数组，那你需要malloc的大小就是

sizeof(ULONG) + 5 * sizeof(SYSTEM_HANDLE_INFORMATION)

不过我很奇怪的是，为什么main函数里面要传一个字符串进去？这个函数的pBuffer肯定不是一个字符串。从代码里面可以看出，这个pBuffer就是你贴的文章里面的GetSystemProcessHandleInfo函数分配出来的。ZwQuerySystemInformation最后会按照上面的格式填充你给的buffer（但是他没告诉你要多长，所以才需要用一个循环不断地尝试），填满了所有的这些信息，然后你才能在EnumObjInfo里面打印出来。

所以你应该首先调用GetSystemProcessHandleInfo，然后直接丢给EnumObjInfo就可以了。

上一条：c++ - 虚析构函数的内容一定要为空吗？下一条：C++中如何详细的使用尾置返回类型？

相关文章：
1. javascript - 一个字符串转换成数字,例子就是a="2,322.222",b=’1,211.21’,如何在angualr中执行相减2. 为什么矛那里的 <a href=" " 这地方为什么是空的呢？？3. javascript - js怎么实现jq的addclass,removeclass,例如本来是 class="aa",要变成class="aa bb"4. javascript - Vue中的"development" !== ’production’5. 请问老师以下两种方式有何区别呢？6. javascript - <div onclick="fun()"></div>这种fun函数只有写成全局函数才有效吗？7. javascript - 线上部署webpack，提示Uncaught Error: Cannot find module "—progress"8. 为什么要将Stop()放到animate的前面9. javascript - (_a = [""], _a.raw = [""],....); js一个小括号的是什么意思？10. jQuery怎么用不了