x64 PspCidTable 枚举进程/线程

![win10 测试效果图](https://img-blog.csdnimg.cn/2020081521295066.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L2xpdXNodWppZTE=,size_16,color_FFFFFF,t_70#pic_center)
#include <ntifs.h>#define  Rva_CALL(p)   (PVOID)((PUCHAR)p + *(PINT32)((PUCHAR)p + 1) + 5)
#define  Rva_ULONG_PTR(p,i,l)   ((PVOID)((PUCHAR)p + *(PULONG)((PUCHAR)p + (ULONG)i) + (ULONG)l))
#define  Log(...) DbgPrintEx( DPFLTR_SYSTEM_ID, DPFLTR_ERROR_LEVEL, "[Driver] " __VA_ARGS__ )
static RTL_OSVERSIONINFOEXW verInfo;
static PULONG_PTR PspCidTable = NULL;EXTERN_C{POBJECT_TYPE NTAPI ObGetObjectType(IN PVOID Object);NTKERNELAPI HANDLE PsGetProcessInheritedFromUniqueProcessId(__in PEPROCESS Process);
NTKERNELAPI PVOID PsGetThreadTeb(__in PETHREAD Thread);
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);PVOID Asm_ExpLookupHandleTableEntry(ULONG64 pTable, ULONG id);
_Use_decl_annotations_ static void DriverpDriverUnload(PDRIVER_OBJECT driver_object);
_Use_decl_annotations_ NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object,PUNICODE_STRING registry_path);
ULONG64 pWinDows = 0;
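} // EXTERN_C

// Resolve an exported kernel routine by name.
// Returns NULL when the routine is not exported on this build.
PVOID GetSystemAddress(PCWSTR Name) {
    UNICODE_STRING routineName;
    RtlInitUnicodeString(&routineName, Name);
    return MmGetSystemRoutineAddress(&routineName);
}

// Number of bytes scanned after a code address when searching for the
// instruction that references PspCidTable (value taken from the scan loops).
static const ULONG kScanWindow = 0x150;

// Target address of a RIP-relative memory operand.
//   p          - first byte of the instruction
//   dispOffset - offset of the 32-bit displacement inside the instruction
//   insnLen    - instruction length (RIP-relative means "relative to the next
//                instruction")
// The displacement is read as a signed value, so a backward reference resolves
// directly; no "subtract 4 GiB and probe with MmIsAddressValid" fix-up needed.
static PUCHAR RipRelativeTarget(PUCHAR p, ULONG dispOffset, ULONG insnLen) {
    LONG disp = *(PLONG)(p + dispOffset);
    return p + insnLen + (LONG_PTR)disp;
}

// Record the OS generation in pWinDows (consumed by Asm_ExpLookupHandleTableEntry
// to choose the handle-table layout) and locate PspCidTable by pattern-scanning
// PsLookupProcessByProcessId. Returns STATUS_SUCCESS only when a mapped table
// pointer was found; PspCidTable stays NULL otherwise.
// The byte patterns are build-specific; a mismatch yields STATUS_UNSUCCESSFUL
// rather than a bogus pointer.
NTSTATUS GetWindData() {
    verInfo.dwOSVersionInfoSize = sizeof(RTL_OSVERSIONINFOW);
    if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&verInfo))) {
        return STATUS_UNSUCCESSFUL;
    }

    // 0 means "unknown build": the asm lookup then returns NULL for every slot.
    if (verInfo.dwBuildNumber <= 7602) {
        pWinDows = 7;
    } else if (verInfo.dwMajorVersion == 6) {   // build > 7602 here
        pWinDows = 8;
    } else if (verInfo.dwMajorVersion == 10) {
        pWinDows = 10;
    }

    PUCHAR start = (PUCHAR)GetSystemAddress(L"PsLookupProcessByProcessId");
    if (start == NULL) {
        return STATUS_UNSUCCESSFUL;   // export missing: never scan from NULL
    }

    PUCHAR candidate = NULL;
    if (verInfo.dwBuildNumber <= 7602) {
        // Win7: `48 8B xx <disp32>` (mov r64,[rip+disp]) immediately followed
        // by a call (E8); the RIP-relative operand is taken as PspCidTable.
        for (PUCHAR it = start + 1; it <= start + kScanWindow; it++) {
            if (it[0] == 0x48 && it[1] == 0x8B && it[7] == 0xE8) {
                candidate = RipRelativeTarget(it, 3, 7);
                break;
            }
        }
    } else {
        // Win8+: follow the first call (E8 rel32) out of the export, then look
        // in the callee for `48 8B 05 <disp32>` (mov rax,[rip+disp]).
        PUCHAR callee = NULL;
        for (PUCHAR it = start + 1; it <= start + kScanWindow; it++) {
            if (it[0] == 0xE8) {
                callee = (PUCHAR)Rva_CALL(it);
                break;
            }
        }
        if (callee != NULL) {
            for (PUCHAR it = callee + 1; it <= callee + kScanWindow; it++) {
                if (it[0] == 0x48 && it[1] == 0x8B && it[2] == 0x05) {
                    candidate = RipRelativeTarget(it, 3, 7);
                    break;
                }
            }
        }
    }

    // Only accept a mapped address; a failed scan must not leave a garbage
    // pointer that EnumPspCidTable would later dereference.
    if (candidate != NULL && MmIsAddressValid(candidate)) {
        PspCidTable = (PULONG_PTR)candidate;
        return STATUS_SUCCESS;
    }
    return STATUS_UNSUCCESSFUL;
}

// EPROCESS / ETHREAD enumeration over PspCidTable.

// Log one process entry, skipping processes that have already exited.
// SeLocateProcessImageName allocates the returned string; it is freed here.
static void LogProcess(PEPROCESS process) {
    if (PsGetProcessExitStatus(process) != STATUS_PENDING) {
        return;
    }
    UNICODE_STRING empty = RTL_CONSTANT_STRING(L"");
    PUNICODE_STRING imagePath = NULL;
    NTSTATUS status = SeLocateProcessImageName(process, &imagePath);
    PUNICODE_STRING shown = (NT_SUCCESS(status) && imagePath != NULL) ? imagePath : &empty;
    // PIDs are HANDLE values; narrow them explicitly so the format matches.
    Log("Ep: %p pid:%u ppid:%u  %s %wZ\n",
        process,
        HandleToULong(PsGetProcessId(process)),
        HandleToULong(PsGetProcessInheritedFromUniqueProcessId(process)),
        PsGetProcessImageFileName(process),
        shown);
    if (NT_SUCCESS(status) && imagePath != NULL) {
        ExFreePool(imagePath);
    }
}

// Log one thread entry when it belongs to process `pid`.
static void LogThread(PETHREAD thread, HANDLE pid) {
    if (PsGetThreadProcessId(thread) != pid) {
        return;
    }
    Log("PETHREAD: %p tid:%u  TEB:%p Priority:%d\n",
        thread,
        HandleToULong(PsGetThreadId(thread)),
        PsGetThreadTeb(thread),
        KeQueryPriorityThread(thread));
}

// Walk every slot of PspCidTable.
//   byt == TRUE  : log every live process (pid ignored)
//   byt == FALSE : log the threads whose owning process id equals pid
// Requires GetWindData() to have located PspCidTable; returns silently otherwise.
VOID EnumPspCidTable(BOOLEAN byt, HANDLE pid = NULL) {
    if (!PspCidTable || !MmIsAddressValid(PspCidTable)) {
        return;
    }
    ULONG_PTR handleTable = PspCidTable[0];
    if (!MmIsAddressValid((PVOID)handleTable)) {
        return;
    }

    // Upper bound on handle values: a 32-bit field at a hard-coded HANDLE_TABLE
    // offset (0x5C on Win7, 0 on later builds; build-specific, see the asm side).
    // Handle values step by 4, hence the division.
    ULONG maxId;
    if (verInfo.dwBuildNumber <= 7602) {
        maxId = *(PULONG)(handleTable + 0x5C) / 4;
    } else {
        maxId = *(PULONG)handleTable / 4;
    }

    for (ULONG i = 0; i < maxId; i++) {
        PVOID object = Asm_ExpLookupHandleTableEntry(handleTable, i * 4);
        if (!MmIsAddressValid(object)) {
            continue;
        }
        POBJECT_TYPE type = ObGetObjectType(object);
        if (type == *PsProcessType) {
            if (byt) {
                LogProcess((PEPROCESS)object);
            }
        } else if (type == *PsThreadType) {
            if (!byt) {
                LogThread((PETHREAD)object, pid);
            }
        }
    }
}

// Driver entry: locate PspCidTable, dump live processes and the threads of
// pid 4, then return the lookup status (the driver stays loaded either way).
_Use_decl_annotations_ NTSTATUS DriverEntry(PDRIVER_OBJECT driver_object, PUNICODE_STRING registry_path) {
    UNREFERENCED_PARAMETER(registry_path);
    PAGED_CODE();
    driver_object->DriverUnload = DriverpDriverUnload;

    NTSTATUS status = GetWindData();
    if (NT_SUCCESS(status)) {
        EnumPspCidTable(TRUE);               // all live processes
        EnumPspCidTable(FALSE, (HANDLE)4);   // threads of pid 4
        Log("DriverEntry Success!\n\r");
    } else {
        // Signature scan or version detection failed; report it instead of
        // claiming success.
        Log("DriverEntry failed: 0x%X\n\r", status);
    }
    return status;
}// Unload handler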
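_Use_decl_annotations_ static void DriverpDriverUnload(PDRIVER_OBJECT driver_object) {
    // Nothing outlives DriverEntry in this driver (no device objects, no
    // retained allocations), so unload only logs.
    UNREFERENCED_PARAMETER(driver_object);
    Log("DriverEntry UnLoad!\n\r");
}
下面是asm代码
.data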
.code
include macamd64.incEXTERN pWinDows:qwordpublic Asm_ExpLookupHandleTableEntry;
; PVOID Asm_ExpLookupHandleTableEntry(ULONG64 pTable /* rcx */, ULONG id /* rdx */)
; Hand-ported handle-table entry lookup: resolves handle value `id` inside the
; HANDLE_TABLE at `pTable` and returns the object pointer decoded from the
; entry, or 0 when the index is out of range or the entry is empty.
; Dispatches on the global pWinDows (7, 8, 10) set by GetWindData; 0 -> return 0.
; NOTE(review): `id` is a 32-bit argument, so the x64 calling convention leaves
; the upper half of rdx undefined; every path below masks rdx as a 64-bit value
; and therefore relies on the caller having zero-extended it — confirm, or
; clear the upper bits (e.g. via a 32-bit move) before the masks.
Asm_ExpLookupHandleTableEntry PROC
    mov     rax, [pWinDows]
    cmp     rax, 0
    je      loc_1405F1632                   ; unknown build -> 0
    cmp     rax, 7
    je      labwin7x64
    cmp     rax, 8
    je      labwin8x64
    ; ---- Windows 10 path (falls through from the dispatch) ----
    mov     eax, [rcx]                      ; 32-bit handle bound at table+0 (same field EnumPspCidTable reads)
    and     rdx, 0FFFFFFFFFFFFFFFCh         ; drop the two low bits of the handle value
    cmp     rdx, rax
    jnb     short loc_1405F1632             ; handle >= bound -> 0
    mov     eax, [rcx]                      ; duplicated bounds check; idempotent, harmless
    and     rdx, 0FFFFFFFFFFFFFFFCh
    cmp     rdx, rax
    jnb     short loc_1405F1632
    mov     r8, [rcx+8]                     ; table code at table+8; low 2 bits select the level (0/1/2)
    mov     eax, r8d
    and     eax, 3
    cmp     eax, 1
    jnz     short loc_1405F1601
    ; level 1: two-level table; the -1 cancels the tag bit in the table code
    mov     rax, rdx
    shr     rax, 0Ah
    and     edx, 3FFh
    mov     rax, [r8+rax*8-1]
    lea     rax, [rax+rdx*4]                ; handle values step by 4, so *4 indexes the entry
    jmp     loabi
loc_1405F1601:
    test    eax, eax
    jnz     short loc_1405F160A
    ; level 0: flat table
    lea     rax, [r8+rdx*4]
    jmp     loabi
loc_1405F160A:
    ; level 2: three-level table; the -2 cancels the tag bits in the table code
    mov     rcx, rdx
    shr     rcx, 0Ah
    mov     rax, rcx
    and     ecx, 1FFh
    shr     rax, 9
    and     edx, 3FFh
    mov     rax, [r8+rax*8-2]
    mov     rax, [rax+rcx*8]
    lea     rax, [rax+rdx*4]
    jmp     loabi
loc_1405F1632:
    xor     eax, eax
    ret
loabi:
    ; rax = entry address; decode the object pointer from the entry's first qword
    test    rax, rax
    je      loc_1405F1632
    mov     rax, [rax]
    sar     rax, 10h                        ; presumably the pointer bits start at bit 16 (arithmetic shift keeps the kernel sign) — verify per build
    and     rax, 0FFFFFFFFFFFFFFF0h
    ret
    ; ---- Windows 7 path ----
labwin7x64:
    mov     eax, [rcx+5Ch]                  ; Win7: handle bound at table+5Ch (matches EnumPspCidTable)
    and     rdx, 0FFFFFFFFFFFFFFFCh
    mov     r9, rdx
    cmp     r9, rax
    jnb     short loc_140384FF2             ; handle >= bound -> 0
    mov     r8, [rcx]                       ; Win7: table code at table+0
    mov     ecx, r8d
    and     ecx, 3
    mov     eax, ecx
    sub     r8, rax                         ; strip the level tag from the table code
    cmp     ecx, 1
    jnz     short loc_140384FE5
    ; level 1
    mov     rcx, r9
    and     ecx, 3FFh
    sub     r9, rcx
    shr     r9, 7
    mov     rax, [r8+r9]
    lea     rax, [rax+rcx*4]
    jmp     loabi7
    ret                                     ; unreachable after jmp
loc_140384FE5:
    test    ecx, ecx
    jnz     loc_14039C440
    ; level 0
    lea     rax, [r8+r9*4]
    jmp     loabi7
    ret                                     ; unreachable after jmp
loc_140384FF2:
    xor     eax, eax
    ret
loc_14039C440:
    ; level 2
    mov     rdx, r9
    and     edx, 3FFh
    sub     r9, rdx
    shr     r9, 7
    mov     rcx, r9
    and     ecx, 0FFFh
    sub     r9, rcx
    shr     r9, 9
    mov     rax, [r8+r9]
    mov     rcx, [rax+rcx]
    lea     rax, [rcx+rdx*4]
    jmp     loabi7
    ret                                     ; unreachable after jmp
loabi7:
    test    rax, rax
    je      loc_1405F1632
    mov     rax, qword ptr [rax]
    test    al, 1                           ; bit 0 clear -> entry treated as empty, return 0
    je      loc_140384FF2
    dec     rax                             ; clears bit 0 only; any other low bits are returned as-is
    ret
    ; ---- Windows 8 path (same table walk as Win10, different entry decode) ----
labwin8x64:
    mov     eax, [rcx]
    and     rdx, 0FFFFFFFFFFFFFFFCh
    cmp     rdx, rax
    jnb     short loc_1403AAB9B
    mov     r8, [rcx+8]
    mov     eax, r8d
    and     eax, 3
    jz      short loc_1403AAB96             ; level 0
    dec     eax
    jnz     loc_140539F76                   ; level 2
    ; level 1
    mov     rax, rdx
    shr     rax, 0Ah
    and     edx, 3FFh
    mov     rax, [r8+rax*8-1]
    lea     rax, [rax+rdx*4]
    jmp     loabi8
    ret                                     ; unreachable after jmp
loc_1403AAB96:
    lea     rax, [r8+rdx*4]
    jmp     loabi8
    ret                                     ; unreachable after jmp
loc_1403AAB9B:
    xor     eax, eax
    ret
loc_140539F76:
    mov     rcx, rdx
    and     edx, 3FFh
    shr     rcx, 0Ah
    mov     rax, rcx
    and     ecx, 1FFh
    shr     rax, 9
    mov     rax, [r8+rax*8-2]
    mov     rax, [rax+rcx*8]
    lea     rax, [rax+rdx*4]
    jmp     loabi8
    ret                                     ; unreachable after jmp
loabi8:
    test    rax, rax
    je      loc_1403AAB9B
    mov     rax, qword ptr [rax]
    test    al, 1                           ; bit 0 clear -> empty, return 0
    je      loc_1403AAB9B
    dec     rax                             ; clear bit 0, then decode like Win10
    sar     rax, 10h
    and     rax, 0FFFFFFFFFFFFFFF0h
    ret
Asm_ExpLookupHandleTableEntry ENDP
END
驱动源码[驱动源码](https://share.weiyun.com/Yjk7Ftm8)https://share.weiyun.com/Yjk7Ftm8 密码:f7365t
