注:ExEnumHandleTable 和WRK上的无出入,所以可以直接使用WRK上的代码 -- by sudami
; (Translation of the note above: the disassembly of ExEnumHandleTable shows no
;  difference from the WRK version, so the WRK source reproduced after the
;  listing can be used as-is.)
;
; WinDbg "u" listing, 32-bit x86 kernel, stdcall:
;   BOOLEAN ExEnumHandleTable(HandleTable, EnumHandleProcedure, EnumParameter, Handle)
;   -> result in al, "ret 10h" pops the four DWORD arguments.
; Frame layout as read from the instructions below:
;   [ebp+8]   HandleTable               [ebp+0Ch] EnumHandleProcedure
;   [ebp+10h] EnumParameter             [ebp+14h] Handle (optional out pointer)
;   [ebp-1]   ResultValue (BOOLEAN)     [ebp-8]   LocalHandle.Value
;   [ebp-10h] HandleTableEntry copy     [ebp-14h] snapshot of entry->Object for the cmpxchg
;   [ebp-0Ch] new entry->Object value (lock bit cleared)
;   edi = current KTHREAD, esi = HandleTableEntry, ebx = entry->Object as first read
;
nt!ExEnumHandleTable:
80904204 8bff            mov     edi,edi                         ; hot-patch slot
80904206 55              push    ebp
80904207 8bec            mov     ebp,esp
80904209 83ec14          sub     esp,14h                         ; 0x14 bytes of locals
8090420c 56              push    esi
8090420d 57              push    edi                             ; save callee-saved registers
8090420e 64a124010000    mov     eax,dword ptr fs:[00000124h]    ; KeGetCurrentThread()
80904214 8365f800        and     dword ptr [ebp-8],0             ; LocalHandle.Value = 0
80904218 ff75f8          push    dword ptr [ebp-8]               ; arg: LocalHandle
8090421b 8bf8            mov     edi,eax                         ; edi = CurrentThread
8090421d ff7508          push    dword ptr [ebp+8]               ; arg: HandleTable (the author's caller passes PspCidTable)
80904220 ff8fd4000000    dec     dword ptr [edi+0D4h]            ; KeEnterCriticalRegionThread: KernelApcDisable--
80904226 c645ff00        mov     byte ptr [ebp-1],0              ; ResultValue = FALSE (this byte is the return value, not LocalHandle)
8090422a e8928cf8ff      call    nt!ExpLookupHandleTableEntry (8088cec1)
8090422f 8bf0            mov     esi,eax                         ; esi = HandleTableEntry
80904231 85f6            test    esi,esi
80904233 7420            je      nt!ExEnumHandleTable+0xaf (80904255) ; NULL entry: table exhausted, leave the loop
80904235 53              push    ebx
80904236 833e00          cmp     dword ptr [esi],0               ; ExpIsValidObjectEntry, first half: entry->Object != NULL
80904239 0f8559ffffff    jne     nt!ExEnumHandleTable+0x37 (80904198) ; loop body is placed out of line (second listing below)
8090423f 8345f804        add     dword ptr [ebp-8],4             ; LocalHandle.Value += HANDLE_VALUE_INC (4)
80904243 ff75f8          push    dword ptr [ebp-8]               ; arg: LocalHandle
80904246 ff7508          push    dword ptr [ebp+8]               ; arg: HandleTable
80904249 e8738cf8ff      call    nt!ExpLookupHandleTableEntry (8088cec1)
8090424e 8bf0            mov     esi,eax
80904250 85f6            test    esi,esi
80904252 75e2            jne     nt!ExEnumHandleTable+0x32 (80904236) ; next entry: back to the validity check
80904254 5b              pop     ebx
80904255 ff87d4000000    inc     dword ptr [edi+0D4h]            ; KeLeaveCriticalRegionThread: KernelApcDisable++
8090425b 750b            jne     nt!ExEnumHandleTable+0xca (80904268) ; still non-zero: region not yet left, nothing to deliver
8090425d 8d4734          lea     eax,[edi+34h]                   ; ApcState (presumably &ApcListHead[KernelMode])
80904260 3900            cmp     dword ptr [eax],eax             ; Flink == &head means the list is empty
80904262 0f850eaf0200    jne     nt!ExEnumHandleTable+0xbe (8092f176) ; out of line, not shown; presumably delivers the pending kernel APC
80904268 8a45ff          mov     al,byte ptr [ebp-1]             ; return ResultValue
8090426b 5f              pop     edi
8090426c 5e              pop     esi
8090426d c9              leave
8090426e c21000          ret     10h                             ; stdcall: pop the four DWORD arguments

lkd> u 80904198 l 30
nt!ExEnumHandleTable+0x37:                                      ; loop body, entered from 80904239 with esi = non-free entry
80904198 837e04fe        cmp     dword ptr [esi+4],0FFFFFFFEh    ; ExpIsValidObjectEntry, second half: NextFreeTableEntry == -2 marks an
                                                                ; extra-info/audit entry (EX_ADDITIONAL_INFO_SIGNATURE in the WRK sources)
8090419c 0f849d000000    je      nt!ExEnumHandleTable+0x7c (8090423f) ; not a real object entry: skip it
809041a2 8975f0          mov     dword ptr [ebp-10h],esi         ; keep the entry pointer for the cmpxchg below
809041a5 8b1e            mov     ebx,dword ptr [esi]             ; ExpLockHandleTableEntry inlined; retry point: ebx = entry->Object
809041a7 f6c301          test    bl,1                            ; low bit set = entry currently unlocked
809041aa 895dec          mov     dword ptr [ebp-14h],ebx
809041ad 7434            je      nt!ExEnumHandleTable+0x93 (809041e3) ; bit clear: locked by another thread, or entry freed
809041af 8d43ff          lea     eax,[ebx-1]                     ; new value = old value with the lock bit cleared
809041b2 8945f4          mov     dword ptr [ebp-0Ch],eax
809041b5 8b45ec          mov     eax,dword ptr [ebp-14h]         ; comparand = the snapshot just taken
809041b8 8b4df0          mov     ecx,dword ptr [ebp-10h]
809041bb 8b55f4          mov     edx,dword ptr [ebp-0Ch]
809041be 0fb111          cmpxchg dword ptr [ecx],edx             ; NOTE(review): no F0 (lock) prefix in these bytes; that is only sound on a
                                                                ; uniprocessor kernel image — confirm which image was dumped, an MP build needs lock cmpxchg here
809041c1 3bc3            cmp     eax,ebx
809041c3 7522            jne     nt!ExEnumHandleTable+0x97 (809041e7) ; lost the race: block on the entry and retry
809041c5 ff7510          push    dword ptr [ebp+10h]             ; arg: EnumParameter
809041c8 ff75f8          push    dword ptr [ebp-8]               ; arg: LocalHandle.GenericHandleOverlay
809041cb 56              push    esi                             ; arg: HandleTableEntry
809041cc ff550c          call    dword ptr [ebp+0Ch]             ; EnumHandleProcedure(...) runs with the entry locked and kernel APCs disabled
809041cf 56              push    esi
809041d0 ff7508          push    dword ptr [ebp+8]
809041d3 8845ff          mov     byte ptr [ebp-1],al             ; ResultValue = callback result
809041d6 e8878ef8ff      call    nt!ExUnlockHandleTableEntry (8088d062)
809041db 807dff00        cmp     byte ptr [ebp-1],0
809041df 745e            je      nt!ExEnumHandleTable+0x7c (8090423f) ; FALSE: continue with the next handle
809041e1 eb0f            jmp     nt!ExEnumHandleTable+0xa2 (809041f2) ; TRUE: stop and report the handle
809041e3 85db            test    ebx,ebx
809041e5 7458            je      nt!ExEnumHandleTable+0x7c (8090423f) ; Object became NULL: entry freed meanwhile, skip it
809041e7 56              push    esi
809041e8 ff7508          push    dword ptr [ebp+8]
809041eb e861390000      call    nt!ExpBlockOnLockedHandleEntry (80907b51) ; wait for the current lock holder
809041f0 ebb3            jmp     nt!ExEnumHandleTable+0x40 (809041a5) ; then re-read entry->Object and retry the lock
809041f2 8b4514          mov     eax,dword ptr [ebp+14h]         ; Handle (optional out parameter)
809041f5 85c0            test    eax,eax
809041f7 0f856faf0200    jne     nt!ExEnumHandleTable+0xa9 (8092f16c) ; out of line, not shown; presumably *Handle = LocalHandle.GenericHandleOverlay, then rejoins at 80904254
809041fd eb55            jmp     nt!ExEnumHandleTable+0xae (80904254) ; no out parameter: pop ebx and leave the critical region
809041ff 90              nop                                     ; alignment padding
80904200 90              nop
80904201 90              nop
80904202 90              nop
80904203 90              nop

///////////////////////////////////////////////////////////////////////////////////
// WRK reference implementation, reproduced for comparison with the listing above.
///////////////////////////////////////////////////////////////////////////////////

NTKERNELAPI
BOOLEAN
ExEnumHandleTable (
    __in PHANDLE_TABLE HandleTable,
    __in EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
    __in PVOID EnumParameter,
    __out_opt PHANDLE Handle
    )

/*++

Routine Description:

    This function enumerates all the valid handles in a handle table.
    For each valid handle in the handle table, the specified enumeration
    function is called.

    If the enumeration function returns TRUE, then the enumeration is
    stopped, the current handle is returned to the caller via the optional
    Handle parameter, and this function returns TRUE to indicate that the
    enumeration stopped at a specific handle.

    The callback is invoked with the handle table entry locked and with the
    calling thread inside a critical region (kernel APCs disabled); it must
    therefore return promptly and must not wait on the same entry.
    PAGED_CODE() below means this routine runs at IRQL <= APC_LEVEL.

Arguments:

    HandleTable - Supplies a pointer to a handle table.

    EnumHandleProcedure - Supplies a pointer to a function to call for
        each valid handle in the enumerated handle table.

    EnumParameter - Supplies an uninterpreted 32-bit value that is passed
        to the EnumHandleProcedure each time it is called.

    Handle - Supplies an optional pointer to a variable that receives the
        Handle value that the enumeration stopped at. Contents of the
        variable are only valid if this function returns TRUE.

Return Value:

    If the enumeration stopped at a specific handle, then a value of TRUE
    is returned. Otherwise, a value of FALSE is returned.

--*/

{
    PKTHREAD CurrentThread;
    BOOLEAN ResultValue;
    EXHANDLE LocalHandle;
    PHANDLE_TABLE_ENTRY HandleTableEntry;

    PAGED_CODE();

    CurrentThread = KeGetCurrentThread ();

    //
    // Our initial return value is false until the enumeration callback
    // function tells us otherwise
    //

    ResultValue = FALSE;

    //
    // Iterate through the handle table and for each handle that is
    // allocated we'll invoke the call back.  Note that this loop exits
    // when we get a null handle table entry.  We know there will be no
    // more possible entries after the first null one is encountered
    // because we allocate memory for the handles in a dense fashion
    //

    KeEnterCriticalRegionThread (CurrentThread);

    for (LocalHandle.Value = 0; // does essentially the following "LocalHandle.Index = 0, LocalHandle.TagBits = 0;"
         (HandleTableEntry = ExpLookupHandleTableEntry( HandleTable,
                                                         LocalHandle )) != NULL;
         LocalHandle.Value += HANDLE_VALUE_INC) {

        //
        // Only do the callback if the entry is not free
        //

        if ( ExpIsValidObjectEntry( HandleTableEntry ) ) {

            //
            // Lock the handle table entry because we're about to give
            // it to the callback function, then release the entry
            // right after the call back.  The lock attempt can fail only
            // when the entry was freed in the meantime, in which case the
            // entry is simply skipped.
            //

            if (ExpLockHandleTableEntry( HandleTable, HandleTableEntry )) {

                //
                // Invoke the callback, and if it returns true then set
                // the proper output values and break out of the loop.
                //

                ResultValue = (*EnumHandleProcedure)( HandleTableEntry,
                                                      LocalHandle.GenericHandleOverlay,
                                                      EnumParameter );
                ExUnlockHandleTableEntry( HandleTable, HandleTableEntry );
                if (ResultValue) {
                    if (ARGUMENT_PRESENT( Handle )) {
                        *Handle = LocalHandle.GenericHandleOverlay;
                    }
                    break;
                }
            }
        }
    }

    KeLeaveCriticalRegionThread (CurrentThread);

    return ResultValue;
}