Title: Elevating a process's privileges under the kernel debugger

Preface: an important topic in security is privilege. For an operating system, its important security concerns are two:
1. The privileges of the process (user) itself, i.e. the token.
2. The privileges of the objects themselves, such as files, registry keys, processes, threads, mutexes, etc.
3. And the structures related to the above.
But for the CPU there is another notion of privilege, e.g. the commonly mentioned ring0, the memory attributes of the cs code segment, and so on. There are also vulnerabilities, and network, cryptographic and communications security. And there is non-technical security in all its senses. Enough chatter; on to the topic.
--------------------------------------------------------------------------------------------------
Open a cmd.exe and type whoami; it shows:
C:\Users\Administrator>whoami
desktop-aps5qst\administrator
Attach the kernel debugger and do the following: look at the process's token and the System process's token.
0: kd> vertarget
Windows 10 Kernel Version 16299 MP (4 procs) Free x64
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff801`b020e000 PsLoadedModuleList = 0xfffff801`b056fff0
Debug session time: Fri Feb 23 08:55:50.166 2018 (UTC + 8:00)
System Uptime: 0 days 0:17:06.651
0: kd> dt nt!_eprocess token
+0x358 Token : _EX_FAST_REF
0: kd> dt _EX_FAST_REF
ntdll!_EX_FAST_REF
+0x000 Object : Ptr64 Void
+0x000 RefCnt : Pos 0, 4 Bits
+0x000 Value : Uint8B
0: kd> !process 0 0 system
PROCESS ffff9c804d0b9040
SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000
DirBase: 001aa000 ObjectTable: ffffc201774031c0 HandleCount: 2336.
Image: System
0: kd> dq ffff9c804d0b9040+358 L1
ffff9c80`4d0b9398 ffffc201`7741804a
0: kd> ? ffffc201`7741804a & ffffffff`fffffff0
Evaluate expression: -68163425173440 = ffffc201`77418040
0: kd> !token ffffc201`77418040
_TOKEN 0xffffc20177418040
TS Session ID: 0
User: S-1-5-18
User Groups:
00 S-1-5-32-544
Attributes - Default Enabled Owner
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-11
Attributes - Mandatory Default Enabled
03 S-1-16-16384
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-18
Privs:
02 0x000000002 SeCreateTokenPrivilege Attributes -
03 0x000000003 SeAssignPrimaryTokenPrivilege Attributes -
04 0x000000004 SeLockMemoryPrivilege Attributes - Enabled Default
05 0x000000005 SeIncreaseQuotaPrivilege Attributes -
07 0x000000007 SeTcbPrivilege Attributes - Enabled Default
08 0x000000008 SeSecurityPrivilege Attributes -
09 0x000000009 SeTakeOwnershipPrivilege Attributes -
10 0x00000000a SeLoadDriverPrivilege Attributes -
11 0x00000000b SeSystemProfilePrivilege Attributes - Enabled Default
12 0x00000000c SeSystemtimePrivilege Attributes -
13 0x00000000d SeProfileSingleProcessPrivilege Attributes - Enabled Default
14 0x00000000e SeIncreaseBasePriorityPrivilege Attributes - Enabled Default
15 0x00000000f SeCreatePagefilePrivilege Attributes - Enabled Default
16 0x000000010 SeCreatePermanentPrivilege Attributes - Enabled Default
17 0x000000011 SeBackupPrivilege Attributes -
18 0x000000012 SeRestorePrivilege Attributes -
19 0x000000013 SeShutdownPrivilege Attributes -
20 0x000000014 SeDebugPrivilege Attributes - Enabled Default
21 0x000000015 SeAuditPrivilege Attributes - Enabled Default
22 0x000000016 SeSystemEnvironmentPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
25 0x000000019 SeUndockPrivilege Attributes -
28 0x00000001c SeManageVolumePrivilege Attributes -
29 0x00000001d SeImpersonatePrivilege Attributes - Enabled Default
30 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
31 0x00000001f SeTrustedCredManAccessPrivilege Attributes -
32 0x000000020 SeRelabelPrivilege Attributes -
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes - Enabled Default
34 0x000000022 SeTimeZonePrivilege Attributes - Enabled Default
35 0x000000023 SeCreateSymbolicLinkPrivilege Attributes - Enabled Default
36 0x000000024 SeDelegateSessionUserImpersonatePrivilege Attributes - Enabled Default
Authentication ID: (0,3e7)
Impersonation Level: Anonymous
TokenType: Primary
Source: *SYSTEM* TokenFlags: 0x2000 ( Token in use )
Token ID: 3eb ParentToken ID: 0
Modified ID: (0, 3ec)
RestrictedSidCount: 0 RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 0
PackageSid: (null)
CapabilityCount: 0 Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Invalid AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION with no claims
Process Token TrustLevelSid: S-1-19-1024-8192
Now look at the cmd.exe process's token.
0: kd> !process 0 0 cmd.exe
PROCESS ffff9c804e97f080
SessionId: 1 Cid: 10a4 Peb: fc49f44000 ParentCid: 1224
DirBase: 9d213000 ObjectTable: ffffc201852a6900 HandleCount: 43.
Image: cmd.exe
0: kd> dq ffff9c804e97f080+358 L1
ffff9c80`4e97f3d8 ffffc201`80ee306b
0: kd> ? ffffc201`80ee306b & ffffffff`fffffff0
Evaluate expression: -68163262861216 = ffffc201`80ee3060
0: kd> !token ffffc201`80ee3060
_TOKEN 0xffffc20180ee3060
TS Session ID: 0x1
User: S-1-5-21-4121102992-2463281863-3266931683-500
User Groups:
00 S-1-5-21-4121102992-2463281863-3266931683-513
Attributes - Mandatory Default Enabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-114
Attributes - DenyOnly
03 S-1-5-21-4121102992-2463281863-3266931683-1000
Attributes - Mandatory Default Enabled
04 S-1-5-32-544
Attributes - DenyOnly
05 S-1-5-32-545
Attributes - Mandatory Default Enabled
06 S-1-5-4
Attributes - Mandatory Default Enabled
07 S-1-2-1
Attributes - Mandatory Default Enabled
08 S-1-5-11
Attributes - Mandatory Default Enabled
09 S-1-5-15
Attributes - Mandatory Default Enabled
10 S-1-5-113
Attributes - Mandatory Default Enabled
11 S-1-5-5-0-263777
Attributes - Mandatory Default Enabled LogonId
12 S-1-2-0
Attributes - Mandatory Default Enabled
13 S-1-5-64-10
Attributes - Mandatory Default Enabled
14 S-1-16-8192
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-4121102992-2463281863-3266931683-513
Privs:
19 0x000000013 SeShutdownPrivilege Attributes -
23 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
25 0x000000019 SeUndockPrivilege Attributes -
33 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
34 0x000000022 SeTimeZonePrivilege Attributes -
Authentication ID: (0,40725)
Impersonation Level: Anonymous
TokenType: Primary
Source: User32 TokenFlags: 0x2a00 ( Token in use )
Token ID: 327462 ParentToken ID: 40728
Modified ID: (0, 40731)
RestrictedSidCount: 0 RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0 Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token TrustLevelSid: (null)
The most important step is this single operation:
0: kd> eq ffff9c80`4e97f3d8 ffffc201`77418040
0: kd> g
Verification:
C:\Users\Administrator>whoami
nt authority\system
However, looking with procexp.exe at this point, the privileges of the corresponding conhost.exe have not changed. Also, cmd.exe's security properties cannot be opened, presumably because of insufficient privilege. Note: procexp.exe has to be reopened at this point, otherwise it still shows the old information.
--------------------------------------------------------------------------------------------------
References:
https://www.anquanke.com/post/id/87292
https://blog.xpnsec.com/becoming-system/
made by correy
made at 9:32 2018/2/23
http://correy.webs.com
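As an added example (not part of the original post), the following Python does offline what the session above did by hand: it strips the _EX_FAST_REF reference-count bits from EPROCESS.Token, flags any non-System process whose Token resolves to the same _TOKEN object as System (the signature a memory-forensics pass looks for after a write like the `eq` above), and diffs the Privs section of two `!token` dumps. The process snapshot is constructed from the addresses shown above plus a made-up conhost.exe value, and the `!token` excerpts are abbreviated.

```python
import re

# EPROCESS.Token is an _EX_FAST_REF: the low 4 bits hold a reference count,
# so the real _TOKEN address is the value with those bits cleared, which is
# what `? value & ffffffff`fffffff0` did in the session above.
EX_FAST_REF_MASK = 0xFFFFFFFFFFFFFFF0
SYSTEM_PID = 4


def qword(text):
    """Accept WinDbg-style 'ffffc201`7741804a' as well as plain hex or an int."""
    return text if isinstance(text, int) else int(text.replace("`", ""), 16)


def token_from_fast_ref(value):
    """Split an _EX_FAST_REF into (_TOKEN address, RefCnt)."""
    value = qword(value)
    return value & EX_FAST_REF_MASK, value & 0xF


def find_shared_system_token(processes):
    """processes: iterable of (image, pid, raw EPROCESS.Token value).

    Returns the non-System images whose Token resolves to the same _TOKEN
    object as the System process. A process normally owns its own token
    object, so a shared pointer is the classic token-stealing signature."""
    resolved = {pid: (image, token_from_fast_ref(ref)[0]) for image, pid, ref in processes}
    system_token = resolved[SYSTEM_PID][1]
    return sorted(image for pid, (image, token) in resolved.items()
                  if pid != SYSTEM_PID and token == system_token)


# One `Privs:` line of `!token`, e.g. " 20 0x000000014 SeDebugPrivilege  Attributes - Enabled Default"
PRIV_LINE = re.compile(r"^\s*\d+\s+0x[0-9a-fA-F]+\s+(Se\w+Privilege)\s+Attributes\s*-\s*(.*?)\s*$")


def parse_privileges(token_dump):
    """Return {privilege: attribute text} from the Privs section of a `!token` dump."""
    privs, in_privs = {}, False
    for line in token_dump.splitlines():
        if line.strip() == "Privs:":
            in_privs = True
        elif in_privs:
            m = PRIV_LINE.match(line)
            if m:
                privs[m.group(1)] = m.group(2)
            elif line.strip():
                break  # first non-privilege line ends the section
    return privs


def gained_privileges(before_dump, after_dump):
    """Privileges present in the new token but absent from the old one."""
    return sorted(set(parse_privileges(after_dump)) - set(parse_privileges(before_dump)))


# Constructed snapshot: the System and cmd.exe values are the ones shown above;
# the conhost.exe value is made up for the example.
SNAPSHOT_BEFORE = [
    ("System", 4, "ffffc201`7741804a"),
    ("cmd.exe", 0x10A4, "ffffc201`80ee306b"),
    ("conhost.exe", 0x0BAD, "ffffc201`80ee5067"),
]
# After the `eq`, cmd.exe's Token holds the System _TOKEN address with RefCnt 0.
SNAPSHOT_AFTER = [
    ("System", 4, "ffffc201`7741804a"),
    ("cmd.exe", 0x10A4, "ffffc201`77418040"),
    ("conhost.exe", 0x0BAD, "ffffc201`80ee5067"),
]

# Abbreviated `!token` excerpts (a few Privs lines each, taken from the dumps above).
CMD_TOKEN = """\
_TOKEN 0xffffc20180ee3060
Privs:
 19 0x000000013 SeShutdownPrivilege               Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
Authentication ID:         (0,40725)
"""
SYSTEM_TOKEN = """\
_TOKEN 0xffffc20177418040
Privs:
 07 0x000000007 SeTcbPrivilege                    Attributes - Enabled Default
 19 0x000000013 SeShutdownPrivilege               Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes - Enabled Default
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
Authentication ID:         (0,3e7)
"""

if __name__ == "__main__":
    print("before:", find_shared_system_token(SNAPSHOT_BEFORE))
    print("after: ", find_shared_system_token(SNAPSHOT_AFTER))
    print("gained:", gained_privileges(CMD_TOKEN, SYSTEM_TOKEN))
```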
Tuesday, May 1, 2018
Manually replacing a process's token
Manually analyzing a process's handle table
The object body is managed by the executive.
The object header is managed by the object manager.
Handles are maintained by the process's handle table.
0: kd> $ The test environment is:
0: kd> vertarget
Windows 8 Kernel Version 9200 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 16299.15.amd64fre.rs3_release.170928-1534
Machine Name:
Kernel base = 0xfffff803`7b41c000 PsLoadedModuleList = 0xfffff803`7b782fd0
Debug session time: Tue Mar 6 09:25:21.921 2018 (UTC + 8:00)
System Uptime: 27 days 19:47:07.599
0: kd> $ The file version is:
0: kd> lm vm nt
Browse full module list
start end module name
fffff803`7b41c000 fffff803`7bcf1000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\9378084E8DBD4AB1A155099BCE693E341\ntkrnlmp.pdb
Loaded symbol image file: ntkrnlmp.exe
Image path: ntkrnlmp.exe
Image name: ntkrnlmp.exe
Browse all global symbols functions data
Timestamp: Mon Jan 1 19:07:05 2018 (5A4A1659)
CheckSum: 00842CC4
ImageSize: 008D5000
Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4
0: kd> $ The test process is:
0: kd> !process 0 0 cmd.exe
PROCESS ffff8c08dc95f080
SessionId: 4 Cid: 0fdc Peb: 008ff000 ParentCid: 1934
DirBase: 1d7a00000 ObjectTable: 00000000 HandleCount: 0.
Image: cmd.exe
PROCESS ffff8c08d9136080
SessionId: 11 Cid: 0168 Peb: f170b88000 ParentCid: 16fc
DirBase: 112600000 ObjectTable: ffffa00a63dc1600 HandleCount: 40.
Image: cmd.exe
0: kd> $ The second one is chosen here.
0: kd> $ Another way to look at it:
0: kd> dt nt!_eprocess ffff8c08d9136080 ObjectTable
+0x418 ObjectTable : 0xffffa00a`63dc1600 _HANDLE_TABLE
The handle table's information is:
0: kd> dt 0xffffa00a`63dc1600 nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : 0x400
+0x004 ExtraInfoPages : 0n0
+0x008 TableCode : 0xffffa00a`591d4000
+0x010 QuotaProcess : 0xffff8c08`d9136080 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY [ 0xffffa00a`74606b58 - 0xffffa00a`56527758 ]
+0x028 UniqueProcessId : 0x168
+0x02c Flags : 0x10
+0x02c StrictFIFO : 0y0
+0x02c EnableHandleExceptions : 0y0
+0x02c Rundown : 0y0
+0x02c Duplicated : 0y0
+0x02c RaiseUMExceptionOnInvalidHandleClose : 0y1
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] ""
+0x060 DebugInfo : (null)
The effect to reproduce is:
0: kd> !handle 0 0 0168
PROCESS ffff8c08d9136080
SessionId: 11 Cid: 0168 Peb: f170b88000 ParentCid: 16fc
DirBase: 112600000 ObjectTable: ffffa00a63dc1600 HandleCount: 40.
Image: cmd.exe
Handle table at ffffa00a63dc1600 with 40 entries in use
0004: Object: ffff8c08d7911fe0 GrantedAccess: 001f0003 (Protected) (Inherit)
0008: Object: ffff8c08d9a8b4d0 GrantedAccess: 00000001 (Inherit)
000c: Object: ffff8c08d4ae0700 GrantedAccess: 001f0003 (Protected) (Audit)
0010: Object: ffff8c08de983660 GrantedAccess: 000f00ff (Protected) (Inherit)
0014: Object: ffff8c08d509e430 GrantedAccess: 00100002
0018: Object: ffff8c08d65c3260 GrantedAccess: 00000001 (Protected) (Inherit)
001c: Object: ffff8c08d6353f30 GrantedAccess: 00100002
0020: Object: ffff8c08d50642b0 GrantedAccess: 00000001
0024: Object: ffff8c08d8e81e20 GrantedAccess: 00000804 (Protected) (Inherit) (Audit)
0028: Object: ffff8c08d78fabd0 GrantedAccess: 00000804 (Inherit)
002c: Object: ffff8c08d81c6bb0 GrantedAccess: 00000804
0030: Object: ffffa00a484f2560 GrantedAccess: 00000003 (Protected) (Inherit)
0034: Object: ffff8c08d82241f0 GrantedAccess: 001f0003 (Audit)
0038: Object: ffff8c08d7aeba60 GrantedAccess: 001f0003 (Protected) (Inherit)
003c: Object: ffff8c08d5b034b0 GrantedAccess: 00100020
0040: Object: ffff8c08d9b79e30 GrantedAccess: 0012019f
0044: Object: ffff8c08d8d678e0 GrantedAccess: 0012019f (Protected) (Inherit)
0048: Object: ffff8c08dfe92a10 GrantedAccess: 001f0001 (Inherit) (Audit)
004c: Object: ffff8c08d50d9ef0 GrantedAccess: 0012019f (Audit)
0050: Object: ffff8c08d82243b0 GrantedAccess: 0012019f
0054: Object: ffff8c08d82243b0 GrantedAccess: 0012019f
0058: Object: ffff8c08d7fcd1f0 GrantedAccess: 00000804 (Audit)
005c: Object: ffff8c08d477f070 GrantedAccess: 00000804 (Audit)
0060: Object: ffff8c08d7692080 GrantedAccess: 001f0003 (Protected) (Audit)
0064: Object: ffff8c08d5fef8a0 GrantedAccess: 000f00ff (Protected) (Inherit) (Audit)
0068: Object: ffff8c08d56f6470 GrantedAccess: 00100002 (Audit)
006c: Object: ffff8c08dbcbcbb0 GrantedAccess: 00000001
0070: Object: ffff8c08d3aa7b00 GrantedAccess: 00100002 (Protected) (Audit)
0074: Object: ffff8c08da19e7a0 GrantedAccess: 00000001 (Protected) (Inherit) (Audit)
0078: Object: ffffa00a651f3b20 GrantedAccess: 00020019 (Protected) (Inherit) (Audit)
007c: Object: ffff8c08db568700 GrantedAccess: 001fffff (Protected) (Audit)
0088: Object: ffffa00a5f9292a0 GrantedAccess: 000f003f (Protected) (Inherit) (Audit)
008c: Object: ffffa00a555e3780 GrantedAccess: 000f003f (Protected) (Audit)
0090: Object: ffffa00a62d1cf70 GrantedAccess: 00020019 (Audit)
0094: Object: ffffa00a5b95f760 GrantedAccess: 00020019 (Protected) (Inherit)
0098: Object: ffffa00a6f835950 GrantedAccess: 00020019 (Inherit)
009c: Object: ffff8c08d5ca9070 GrantedAccess: 00000804 (Audit)
00a0: Object: ffffa00a627c16c0 GrantedAccess: 00000001 (Protected)
00a4: Object: ffffa00a59d39880 GrantedAccess: 00020019 (Protected) (Audit)
00a8: Object: ffff8c08dba217c0 GrantedAccess: 00120089 (Protected)
That is, the goal is to reproduce/analyze the effect of this command by hand.
Sometimes this one command is enough, but sometimes a more detailed analysis is needed, which has more and deeper uses.
--------------------------------------------------------------------------------------------------
First get familiar with two structures:
nt!_HANDLE_TABLE
+0x000 NextHandleNeedingPool : Uint4B
+0x004 ExtraInfoPages : Int4B
+0x008 TableCode : Uint8B
+0x010 QuotaProcess : Ptr64 _EPROCESS
+0x018 HandleTableList : _LIST_ENTRY
+0x028 UniqueProcessId : Uint4B
+0x02c Flags : Uint4B
+0x02c StrictFIFO : Pos 0, 1 Bit
+0x02c EnableHandleExceptions : Pos 1, 1 Bit
+0x02c Rundown : Pos 2, 1 Bit
+0x02c Duplicated : Pos 3, 1 Bit
+0x02c RaiseUMExceptionOnInvalidHandleClose : Pos 4, 1 Bit
+0x030 HandleContentionEvent : _EX_PUSH_LOCK
+0x038 HandleTableLock : _EX_PUSH_LOCK
+0x040 FreeLists : [1] _HANDLE_TABLE_FREE_LIST
+0x040 ActualEntry : [32] UChar
+0x060 DebugInfo : Ptr64 _HANDLE_TRACE_DEBUG_INFO
0: kd> dt nt!_object_header
+0x000 PointerCount : Int8B
+0x008 HandleCount : Int8B
+0x008 NextToFree : Ptr64 Void
+0x010 Lock : _EX_PUSH_LOCK
+0x018 TypeIndex : UChar
+0x019 TraceFlags : UChar
+0x019 DbgRefTrace : Pos 0, 1 Bit
+0x019 DbgTracePermanent : Pos 1, 1 Bit
+0x01a InfoMask : UChar
+0x01b Flags : UChar
+0x01b NewObject : Pos 0, 1 Bit
+0x01b KernelObject : Pos 1, 1 Bit
+0x01b KernelOnlyAccess : Pos 2, 1 Bit
+0x01b ExclusiveObject : Pos 3, 1 Bit
+0x01b PermanentObject : Pos 4, 1 Bit
+0x01b DefaultSecurityQuota : Pos 5, 1 Bit
+0x01b SingleHandleEntry : Pos 6, 1 Bit
+0x01b DeletedInline : Pos 7, 1 Bit
+0x01c Reserved : Uint4B
+0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION
+0x020 QuotaBlockCharged : Ptr64 Void
+0x028 SecurityDescriptor : Ptr64 Void
+0x030 Body : _QUAD
0: kd> ?? sizeof(nt!_object_header)
unsigned int64 0x38
Because nt!_object_header includes the Body member (the start of the object body itself), the header proper is 0x030 bytes, even though sizeof reports 0x38.
0: kd> ?? sizeof(nt!_HANDLE_TABLE_ENTRY)
unsigned int64 0x10
Note: in the structures above you should be able to see the bit-field members, and where there is a union, the union members as well.
--------------------------------------------------------------------------------------------------
Note: the TableCode of _HANDLE_TABLE is actually a PHANDLE_TABLE_ENTRY, and its lowest few bits flag how many levels the table has.
Here they are 0, which means this points straight at the first element of the HANDLE_TABLE_ENTRY array.
The first element is always empty, though; see the explanations in the various books.
Presumably it is designed this way because handle 0 is invalid.
The evidence that the TableCode of _HANDLE_TABLE is actually a PHANDLE_TABLE_ENTRY: see the function ExpAllocateHandleTable.
0: kd> dq 0xffffa00a`591d4000
ffffa00a`591d4000 00000000`00000000 00000000`00000000
ffffa00a`591d4010 8c08d791`1fb0fffb 00000000`001f0003
ffffa00a`591d4020 8c08d9a8`b4a0fffd 00000000`00000001
ffffa00a`591d4030 8c08d4ae`06d0fff7 00000000`001f0003
ffffa00a`591d4040 8c08de98`3630fff9 00000000`000f00ff
ffffa00a`591d4050 8c08d509`e400fffd 00000000`00100002
ffffa00a`591d4060 8c08d65c`3230fffd 00000000`00000001
ffffa00a`591d4070 8c08d635`3f00fffd 00000000`00100002
Note: how many of these are actually valid?
Win7's _HANDLE_TABLE has a member called HandleCount, but Win10 does not.
Actually, a parameter added after the address in the dq command sets the display length; make it as long as you can, but no more than NextHandleNeedingPool.
You can see that an entry whose first 64-bit value is 0 is empty, i.e. an invalid handle.
Note:
1. The handle value is computed from the position in the array; you should be able to work out the algorithm, but it is still best to read the WRK code.
2. Handles are not necessarily contiguous; as long as the first 64 bits are non-zero, it is a valid handle, and the array size does not exceed NextHandleNeedingPool.
Some information can also be read here, such as the granted access.
Note that the first one is empty.
0: kd> dt nt!_HANDLE_TABLE_ENTRY ffffa00a`591d4010
+0x000 VolatileLowValue : 0n-8356192090284032005
+0x000 LowValue : 0n-8356192090284032005
+0x000 InfoTable : 0x8c08d791`1fb0fffb _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : 0n2031619
+0x008 NextFreeHandleEntry : 0x00000000`001f0003 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : 0n-8356192090284032005
+0x000 Unlocked : 0y1
+0x000 RefCnt : 0y0111111111111101 (0x7ffd)
+0x000 Attributes : 0y000
+0x000 ObjectPointerBits : 0y10001100000010001101011110010001000111111011 (0x8c08d7911fb)
+0x008 GrantedAccessBits : 0y0000111110000000000000011 (0x1f0003)
+0x008 NoRightsUpgrade : 0y0
+0x008 Spare1 : 0y000000 (0)
+0x00c Spare2 : 0
0: kd> dt nt!_HANDLE_TABLE_ENTRY_INFO
+0x000 AuditMask : Uint4B
+0x004 MaxRelativeAccessMask : Uint4B
0: kd> dt nt!_EXHANDLE
+0x000 TagBits : Pos 0, 2 Bits
+0x000 Index : Pos 2, 30 Bits
+0x000 GenericHandleOverlay : Ptr64 Void
+0x000 Value : Uint8B
Note:
0x8c08d7911fb
ffff8c08d7911fe0
Append a 0 at the end and pad the high bits with f; the difference is still 0x30.
0: kd> !object ffff8c08d7911fe0
Object: ffff8c08d7911fe0 Type: (ffff8c08d32ecdb0) Event
ObjectHeader: ffff8c08d7911fb0 (new version)
HandleCount: 1 PointerCount: 32768
0: kd> dt nt!_HANDLE_TABLE_ENTRY ffffa00a`591d4020
+0x000 VolatileLowValue : 0n-8356189789977772035
+0x000 LowValue : 0n-8356189789977772035
+0x000 InfoTable : 0x8c08d9a8`b4a0fffd _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : 0n1
+0x008 NextFreeHandleEntry : 0x00000000`00000001 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : 0n-8356189789977772035
+0x000 Unlocked : 0y1
+0x000 RefCnt : 0y0111111111111110 (0x7ffe)
+0x000 Attributes : 0y000
+0x000 ObjectPointerBits : 0y10001100000010001101100110101000101101001010 (0x8c08d9a8b4a)
+0x008 GrantedAccessBits : 0y0000000000000000000000001 (0x1)
+0x008 NoRightsUpgrade : 0y0
+0x008 Spare1 : 0y000000 (0)
+0x00c Spare2 : 0
0: kd> dt nt!_HANDLE_TABLE_ENTRY
+0x000 VolatileLowValue : Int8B
+0x000 LowValue : Int8B
+0x000 InfoTable : Ptr64 _HANDLE_TABLE_ENTRY_INFO
+0x008 HighValue : Int8B
+0x008 NextFreeHandleEntry : Ptr64 _HANDLE_TABLE_ENTRY
+0x008 LeafHandleValue : _EXHANDLE
+0x000 RefCountField : Int8B
+0x000 Unlocked : Pos 0, 1 Bit
+0x000 RefCnt : Pos 1, 16 Bits
+0x000 Attributes : Pos 17, 3 Bits
+0x000 ObjectPointerBits : Pos 20, 44 Bits
+0x008 GrantedAccessBits : Pos 0, 25 Bits
+0x008 NoRightsUpgrade : Pos 25, 1 Bit
+0x008 Spare1 : Pos 26, 6 Bits
+0x00c Spare2 : Uint4B
Note the bit-field and union definitions.
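As an added example (not part of the original post), the following Python decodes the raw `dq` dump above into the same handle/object/access triples that `!handle` printed, using the _HANDLE_TABLE_ENTRY bit layout shown by `dt`: the object header is ObjectPointerBits shifted left by 4 with the top 16 bits set, and the body follows the 0x30-byte header. It assumes a single-level table (TableCode low bits 0) and stops at the end of the dumped memory; the same decoding lets a memory-forensics pass list a process's handles without trusting `!handle`.

```python
import re

# nt!_HANDLE_TABLE_ENTRY layout from the `dt` output above (16 bytes per entry):
#   qword 0: Unlocked (bit 0), RefCnt (bits 1-16), Attributes (bits 17-19),
#            ObjectPointerBits (bits 20-63, 44 bits)
#   qword 1: GrantedAccessBits (bits 0-24), NoRightsUpgrade (bit 25)
# ObjectPointerBits << 4 with the top 16 bits set to 0xffff is the nt!_OBJECT_HEADER
# address; the object body starts 0x30 bytes later, the "still off by 0x30" in the
# note above. TableCode's low 2 bits hold the table level (0 = single level).
ENTRY_SIZE = 0x10
OBJECT_HEADER_SIZE = 0x30
KERNEL_HIGH_BITS = 0xFFFF << 48
DQ_LINE = re.compile(r"^\s*([0-9a-f`]+)\s+([0-9a-f`]+)\s+([0-9a-f`]+)\s*$")


def qword(text):
    return int(text.replace("`", ""), 16)


def parse_dq(dump):
    """Turn `dq` output (address followed by two qwords per line) into {address: qword}."""
    mem = {}
    for line in dump.splitlines():
        m = DQ_LINE.match(line)
        if m:
            base = qword(m.group(1))
            mem[base] = qword(m.group(2))
            mem[base + 8] = qword(m.group(3))
    return mem


def decode_entry(low, high):
    """Decode one _HANDLE_TABLE_ENTRY; None for a free slot (first qword zero)."""
    if low == 0:
        return None
    header = ((low >> 20) << 4) | KERNEL_HIGH_BITS
    return {
        "unlocked": low & 1,
        "refcnt": (low >> 1) & 0xFFFF,
        "attributes": (low >> 17) & 0x7,
        "object_header": header,
        "object": header + OBJECT_HEADER_SIZE,
        "granted_access": high & 0x1FFFFFF,
        "no_rights_upgrade": (high >> 25) & 1,
    }


def walk_handle_table(table_code, mem, next_handle_needing_pool):
    """Map handle value -> decoded entry for a single-level table held in `mem`.

    Handle values are index * 4; index 0 is always empty and the table has at
    most next_handle_needing_pool / 4 entries, as the notes above state."""
    level = table_code & 0x3
    if level != 0:
        raise NotImplementedError("multi-level handle table (level %d) not decoded here" % level)
    base = table_code & ~0x3
    handles = {}
    for index in range(1, next_handle_needing_pool // 4):
        addr = base + index * ENTRY_SIZE
        if addr not in mem or addr + 8 not in mem:
            break  # past the end of what was dumped
        entry = decode_entry(mem[addr], mem[addr + 8])
        if entry is not None:
            handles[index * 4] = entry
    return handles


def format_like_bang_handle(handles):
    """Render entries in the `!handle` style so the result can be checked against it."""
    return ["%04x: Object: %016x GrantedAccess: %08x" % (h, e["object"], e["granted_access"])
            for h, e in sorted(handles.items())]


# The `dq 0xffffa00a`591d4000` output from the session above.
DQ_DUMP = """\
ffffa00a`591d4000 00000000`00000000 00000000`00000000
ffffa00a`591d4010 8c08d791`1fb0fffb 00000000`001f0003
ffffa00a`591d4020 8c08d9a8`b4a0fffd 00000000`00000001
ffffa00a`591d4030 8c08d4ae`06d0fff7 00000000`001f0003
ffffa00a`591d4040 8c08de98`3630fff9 00000000`000f00ff
ffffa00a`591d4050 8c08d509`e400fffd 00000000`00100002
ffffa00a`591d4060 8c08d65c`3230fffd 00000000`00000001
ffffa00a`591d4070 8c08d635`3f00fffd 00000000`00100002
"""
TABLE_CODE = 0xFFFFA00A591D4000        # _HANDLE_TABLE.TableCode
NEXT_HANDLE_NEEDING_POOL = 0x400       # _HANDLE_TABLE.NextHandleNeedingPool

if __name__ == "__main__":
    table = walk_handle_table(TABLE_CODE, parse_dq(DQ_DUMP), NEXT_HANDLE_NEEDING_POOL)
    for line in format_like_bang_handle(table):
        print(line)
```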
--------------------------------------------------------------------------------------------------
Note: the WRK also defines a handle table for the System process, which can be thought of as the kernel's global handle table, dedicated to kernel handles.
0: kd> x nt!ObpKernelHandleTable
fffff803`7b780ce0 nt!ObpKernelHandleTable = <no type information>
made by correy
made at 10:36 2018/3/8
http://correy.webs.com
Enumerating the registrations made through ObRegisterCallbacks
2: kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType)
+0x000 TypeList : _LIST_ENTRY [ 0xffff8481`f02d7350 - 0xffff8481`f02d7350 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x3f
+0x030 TotalNumberOfHandles : 0x20a
+0x034 HighWaterNumberOfObjects : 0x51
+0x038 HighWaterNumberOfHandles : 0x25c
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffcf0d`19f25b90 - 0xffffcf0d`19f25b90 ]
The forward and backward nodes of this CallbackList are the same; I thought it was empty?
2: kd> dps ffffcf0d`19f25b90
ffffcf0d`19f25b90 ffff8481`f02d7418 same as the line below; treat the pair as a LIST_ENTRY
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003 the trailing 3 is Operations
ffffcf0d`19f25ba8 ffffcf0d`19f25b70 another structure
ffffcf0d`19f25bb0 ffff8481`f02d7350 this is PsProcessType
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000 unknown: padding/reserved
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003 the trailing 3 is Operations
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0 this is PsThreadType
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
+0x000 TypeList : _LIST_ENTRY [ 0xffff8481`f02d7350 - 0xffff8481`f02d7350 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x3f
+0x030 TotalNumberOfHandles : 0x20a
+0x034 HighWaterNumberOfObjects : 0x51
+0x038 HighWaterNumberOfHandles : 0x25c
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffcf0d`19f25b90 - 0xffffcf0d`19f25b90 ]
The Flink and Blink of this CallbackList are identical; I had assumed it was empty.
2: kd> dps ffffcf0d`19f25b90
ffffcf0d`19f25b90 ffff8481`f02d7418 same as the line below; can be treated as a LIST_ENTRY
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003 the trailing 3 is Operations
ffffcf0d`19f25ba8 ffffcf0d`19f25b70 another structure
ffffcf0d`19f25bb0 ffff8481`f02d7350 this is PsProcessType
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000 unknown; padding, reserved
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003 the trailing 3 is Operations
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0 this is PsThreadType
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
2: kd> !object ffff8481`f02d7350
Object: ffff8481f02d7350 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02d7320 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Process
2: kd> !object ffff8481`f02c7ac0
Object: ffff8481f02c7ac0 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02c7a90 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Thread
2: kd> dps ffffcf0d`19f25b70 L20
ffffcf0d`19f25b70 00000000`00020100
ffffcf0d`19f25b78 fffff802`425f50b0 ObCallbackTest!CBCallbackRegistration
ffffcf0d`19f25b80 00000000`00080008
ffffcf0d`19f25b88 ffffcf0d`19f25c10
ffffcf0d`19f25b90 ffff8481`f02d7418
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003
ffffcf0d`19f25ba8 ffffcf0d`19f25b70
ffffcf0d`19f25bb0 ffff8481`f02d7350
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
ffffcf0d`19f25c10 00300030`00300031
ffffcf0d`19f25c18 00000012`00000201
ffffcf0d`19f25c20 3066744e`0303030c
ffffcf0d`19f25c28 07be696e`a40c5c62
ffffcf0d`19f25c30 ffffcf0d`18bec700
ffffcf0d`19f25c38 ffffcf0d`19f8e430
ffffcf0d`19f25c40 00000064`04d44d5b
ffffcf0d`19f25c48 00000073`006c006f
ffffcf0d`19f25c50 6e664d46`03160303
ffffcf0d`19f25c58 07be696e`a40c5c12
ffffcf0d`19f25c60 00000000`0150f204
ffffcf0d`19f25c68 00000000`00000000
typedef struct _CALLBACK_ENTRY_ITEM {
LIST_ENTRY EntryItemList;
OB_OPERATION Operations;
CALLBACK_ENTRY* CallbackEntry; // Points to the CALLBACK_ENTRY which we use for ObUnRegisterCallback
POBJECT_TYPE ObjectType;
POB_PRE_OPERATION_CALLBACK PreOperation;
POB_POST_OPERATION_CALLBACK PostOperation;
__int64 unk;
}CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;
typedef struct _CALLBACK_ENTRY{
__int16 Version;
char buffer1[6];
POB_OPERATION_REGISTRATION RegistrationContext;
__int16 AltitudeLength1;
__int16 AltitudeLength2;
char buffer2[4];
WCHAR* AltitudeString;
CALLBACK_ENTRY_ITEM Items; // Is actually an array of CALLBACK_ENTRY_ITEMs that are also in a doubly linked list
}CALLBACK_ENTRY, *PCALLBACK_ENTRY;
https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
https://www.unknowncheats.me/forum/dayz-sa/166167-douggem-_callback_entry-rebuilding.html
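As an added example (not code from the original post or from Douggem's articles), the Python below applies the reverse-engineered layout to the dps ffffcf0d`19f25b70 L20 dump above: it extracts the altitude, walks the CALLBACK_ENTRY_ITEMs, and checks that each item's list links point into its _OBJECT_TYPE.CallbackList at +0xc8, which is the consistency check an enumeration tool would perform. The memory image, the type-name map and the item count heuristic are assumptions reconstructed from the page; the OB_OPERATION values are the public ntddk.h constants.

```python
import struct

# Constructed image of the qwords shown by the dps ffffcf0d`19f25b70 L20 dump (page values).
BASE = 0xFFFFCF0D19F25B70
QWORDS = [
    0x0000000000020100, 0xFFFFF802425F50B0, 0x0000000000080008, 0xFFFFCF0D19F25C10,
    0xFFFF8481F02D7418, 0xFFFF8481F02D7418, 0x0000000100000003, 0xFFFFCF0D19F25B70,
    0xFFFF8481F02D7350, 0xFFFFF802425F10E0, 0xFFFFF802425F1000, 0x0000000000000000,
    0xFFFF8481F02C7B88, 0xFFFF8481F02C7B88, 0x0000000100000003, 0xFFFFCF0D19F25B70,
    0xFFFF8481F02C7AC0, 0xFFFFF802425F10E0, 0xFFFFF802425F1000, 0x0000000000000000,
    0x0030003000300031,  # UTF-16 altitude string "1000" at ffffcf0d`19f25c10
]
MEM = b"".join(struct.pack("<Q", q) for q in QWORDS)

TYPE_NAMES = {0xFFFF8481F02D7350: "Process", 0xFFFF8481F02C7AC0: "Thread"}  # from !object
CALLBACKLIST_OFFSET = 0xC8   # _OBJECT_TYPE.CallbackList, from the dt output above
OB_OPERATIONS = {1: "OB_OPERATION_HANDLE_CREATE", 2: "OB_OPERATION_HANDLE_DUPLICATE"}
ITEM_SIZE = 0x40             # sizeof(CALLBACK_ENTRY_ITEM) with natural 8-byte alignment

def read(addr, fmt):
    """Read little-endian fields at a kernel address inside the constructed image."""
    off = addr - BASE
    if off < 0 or off + struct.calcsize(fmt) > len(MEM):
        raise IndexError(f"{addr:#x} not in image")
    return struct.unpack_from("<" + fmt, MEM, off)

def parse_callback_entry(entry):
    version, = read(entry, "H")
    reg_ctx, = read(entry + 0x8, "Q")              # RegistrationContext
    alt_len, = read(entry + 0x10, "H")             # AltitudeLength1, in bytes
    alt_ptr, = read(entry + 0x18, "Q")             # AltitudeString
    altitude = read(alt_ptr, f"{alt_len}s")[0].decode("utf-16-le")
    items, item = [], entry + 0x20                 # Items[] follows the header
    while True:
        try:   # Flink, Blink, Operations, pad, CallbackEntry, ObjectType, Pre, Post
            flink, blink, ops, _, back, otype, pre, post = read(item, "QQIIQQQQ")
        except IndexError:
            break
        if back != entry:                          # assumption: back-pointer ends the array
            break
        items.append({
            "type": TYPE_NAMES.get(otype, f"{otype:#x}"),
            "ops": [n for bit, n in OB_OPERATIONS.items() if ops & bit],
            "pre": pre, "post": post,
            # item must be linked into its own type's CallbackList (single-node list here)
            "linked_to_type": flink == otype + CALLBACKLIST_OFFSET and blink == flink,
        })
        item += ITEM_SIZE
    return {"version": version, "registration": reg_ctx, "altitude": altitude, "items": items}
```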