看了SYSTEM_HANDLE_INFORMATION里面的ObjectTypeNumber成员,一直在源码中找不到它的定义,网上找了半天,找到的几份表对比起来又对不上号……
目前比较靠谱的就是achillis大牛的
http://hi.baidu.com/_achillis/blog/item/b175e2d254745ad8a8ec9a69.html
不过他说vista以后的可能不一样(我也没试验过)。ObjectTypeNumber本质上只是对象类型在内核类型表里的索引,取决于各类型的创建顺序,所以不同版本的内核之间并不保证一致。索性写了一份专门把这张表打印出来的代码,在哪个系统上需要就在哪个系统上跑一次。
代码:
/* Information-class values not supplied by the DDK headers this listing
 * relies on. ObjectNameInformation (OBJECT_INFORMATION_CLASS = 1) is only
 * referenced from commented-out code below; SystemHandleInformation
 * (SYSTEM_INFORMATION_CLASS = 0x10) selects the system-wide handle table
 * that GetInfoTable() fetches. ObjectTypeInformation, used later, comes
 * from the DDK's own OBJECT_INFORMATION_CLASS enum. */
#define ObjectNameInformation 1
#define SystemHandleInformation 0x10
/*
 * One entry of the SystemHandleInformation table.
 *
 * The layout must stay byte-identical to what the kernel writes, so no
 * field may be reordered or resized.
 *
 * NOTE(review): this mirrors SYSTEM_HANDLE_TABLE_ENTRY_INFO as published in
 * winternl.h, where the first ULONG is really USHORT UniqueProcessId followed
 * by USHORT CreatorBackTraceIndex. With handle tracing enabled the upper 16
 * bits of ProcessId are therefore not part of the PID and should be masked
 * before use. Handle is only 16 bits wide in this class; the extended class
 * (SystemExtendedHandleInformation) carries full-width values.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG ProcessId;            /* low 16 bits: owning PID; high 16 bits: CreatorBackTraceIndex (see note) */
UCHAR ObjectTypeNumber;     /* index into the kernel object-type table; the value this tool maps to a name */
UCHAR Flags;                /* handle attribute bits as reported by the kernel */
USHORT Handle;              /* handle value inside the owning process */
PVOID Object;               /* kernel address of the object body */
ACCESS_MASK GrantedAccess;  /* access mask the handle was granted */
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
/*
 * Buffer returned by ZwQuerySystemInformation(SystemHandleInformation):
 * a count followed by NumberOfHandles entries. Information[1] is the classic
 * NT trailing-array idiom, i.e. the structure is variable-length and the
 * caller must size the buffer for the whole table -- which is why
 * GetInfoTable() grows its allocation until the query succeeds.
 */
typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
ULONG NumberOfHandles;                      /* number of valid entries in Information[] */
SYSTEM_HANDLE_INFORMATION Information[1];   /* actually NumberOfHandles entries */
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
/*
 * Local prototype for the ntoskrnl export, presumably because the DDK
 * headers used here do not declare it.
 *
 * NOTE(review): the declaration carries no NTSYSAPI/NTAPI. On x86 this is
 * only correct because the driver build defaults to __stdcall; add NTAPI if
 * the code is ever built with a different default calling convention.
 */
NTSTATUS ZwQuerySystemInformation(
IN ULONG SystemInformationClass,     /* e.g. SystemHandleInformation */
IN PVOID SystemInformation,          /* caller-allocated output buffer */
IN ULONG SystemInformationLength,    /* size of that buffer in bytes */
OUT PULONG ReturnLength);            /* optional; GetInfoTable() passes NULL and resizes on STATUS_INFO_LENGTH_MISMATCH */
/*
NTSTATUS ZwDuplicateObject(
IN HANDLE SourceProcessHandle,
IN HANDLE SourceHandle,
IN HANDLE TargetProcessHandle,
OUT PHANDLE TargetHandle,
IN ACCESS_MASK DesiredAccess OPTIONAL,
IN BOOLEAN InheritHandle,
IN ULONG Options );
NTSTATUS ZwQueryObject(
IN HANDLE ObjectHandle,
IN ULONG ObjectInformationClass,
OUT PVOID ObjectInformation,
IN ULONG ObjectInformationLength,
OUT PULONG ReturnLength OPTIONAL);
NTSTATUS PsLookupProcessByProcessId(
IN ULONG ulProcId,
OUT PEPROCESS * pEProcess);
NTSTATUS KeAttachProcess(PEPROCESS pPeb);
NTSTATUS KeDetachProcess();
*/
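/*
 * Fetch a ZwQuerySystemInformation table of class ATableType into a freshly
 * allocated PagedPool buffer tagged 'ACEK'.
 *
 * Starts at 0x4000 bytes and doubles the allocation while the kernel
 * reports STATUS_INFO_LENGTH_MISMATCH (the handle table may also grow
 * between two calls, which the retry absorbs). Must run at PASSIVE_LEVEL.
 *
 * Returns the buffer on STATUS_SUCCESS; the caller owns it and frees it
 * with ExFreePoolWithTag(p, 'ACEK'). Returns NULL on allocation failure, on
 * any other NTSTATUS, or if the next doubling would overflow the ULONG size
 * (the original loop wrapped the size to 0 after 18 doublings and then
 * spun forever).
 */
PVOID GetInfoTable(ULONG ATableType)
{
    ULONG size = 0x4000;
    PVOID buf = NULL;
    NTSTATUS status;

    for (;;) {
        buf = ExAllocatePoolWithTag(PagedPool, size, 'ACEK');
        if (buf == NULL) {
            /* The original zeroed the buffer before this check (NULL deref). */
            return NULL;
        }
        RtlZeroMemory(buf, size);

        status = ZwQuerySystemInformation(ATableType, buf, size, NULL);
        if (status != STATUS_INFO_LENGTH_MISMATCH) {
            break;
        }

        ExFreePoolWithTag(buf, 'ACEK');
        buf = NULL;
        /* Stop before size * 2 wraps around; a class that never fits would
         * otherwise loop indefinitely with a zero-sized request. */
        if (size & 0x80000000UL) {
            return NULL;
        }
        size *= 2;
    }

    if (status == STATUS_SUCCESS) {
        return buf;
    }
    /* Same tag as the allocation; ExFreePool() on a tagged block was the
     * original's inconsistency. */
    ExFreePoolWithTag(buf, 'ACEK');
    return NULL;
}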
/*
 * One slot of the type-name table: a NUL-terminated wide C identifier such
 * as L"OB_TYPE_Process" (upper-cased later by ObjectTypeDbgPrint()).
 * 0x40 WCHARs = 0x80 bytes; note that ObjectTypeFormat() passes 0x40 to the
 * *byte*-counted RtlStringCbPrintfW, so only the first half of the slot is
 * ever written.
 */
typedef struct _OBJECT_TYPE_INDEX {
WCHAR Format[0x40];
}OBJECT_TYPE_INDEX, *POBJECT_TYPE_INDEX;
/* Global, zero-initialised map ObjectTypeNumber -> name, indexed directly by
 * the type number (0..0x1F; ObjectTypeFormat() rejects anything larger).
 * An empty Format[0] marks an unfilled slot.
 * NOTE(review): nothing here serialises access; TestTable() is expected to
 * run on one thread at a time. */
OBJECT_TYPE_INDEX TypeIndex[0x20] = { 0 };
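/*
 * Record the type name for object-type index Type, so that a later
 * ObjectTypeDbgPrint() can emit "#define OB_TYPE_<NAME> <Type>".
 *
 * Type       - ObjectTypeNumber from the handle table; 0..0x1F accepted.
 * FormatName - NUL-terminated wide type name (e.g. L"Process"); NULL is
 *              ignored (the caller hands over UNICODE_STRING.Buffer, which
 *              may be NULL for an empty string).
 *
 * First writer wins: an index that already has a name is left untouched.
 * Out-of-range indices and NULL names are silently dropped because the
 * table is best-effort.
 */
void ObjectTypeFormat( ULONG Type, WCHAR * FormatName )
{
    WCHAR *slot;

    if (Type >= sizeof(TypeIndex) / sizeof(TypeIndex[0]) || FormatName == NULL) {
        return;
    }
    slot = TypeIndex[Type].Format;
    if (slot[0] != 0) {
        return;
    }
    /* Cb variant: the size argument is in bytes, so pass the true size of
     * the slot (the original passed 0x40 bytes for an 0x80-byte buffer and
     * silently halved the usable length). A name that still does not fit is
     * truncated and NUL-terminated (STATUS_BUFFER_OVERFLOW), which is fine
     * for a debug dump, so the status is deliberately not checked.
     * In the W variant "%s" consumes a wide string, matching FormatName. */
    (void)RtlStringCbPrintfW(slot, sizeof(TypeIndex[Type].Format),
                             L"OB_TYPE_%s", FormatName);
}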
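/*
 * Dump the collected table through DbgPrint as C preprocessor lines, one
 * per slot: "#define OB_TYPE_<NAME> <index>".
 *
 * Walks every slot of TypeIndex (the original stopped at 30 although the
 * table has 0x20 entries). Slots never filled by ObjectTypeFormat() are
 * printed as OB_TYPE_UNKNOWN_<index>: the previous output reused the single
 * name OB_TYPE_UNKNOWN for every empty slot, which redefines that macro with
 * a different value each time and cannot be pasted into a header as-is.
 *
 * Side effect: names are upper-cased in place with _wcsupr, so the global
 * table is mutated by this call.
 */
void ObjectTypeDbgPrint()
{
    const ULONG count = sizeof(TypeIndex) / sizeof(TypeIndex[0]);
    ULONG i;

    for (i = 0; i < count; i++) {
        WCHAR *name = TypeIndex[i].Format;

        if (name[0] == 0) {
            DbgPrint("#define OB_TYPE_UNKNOWN_%u %u\n", i, i);
            continue;
        }
        _wcsupr(name);
        /* %S is DbgPrint's wide-string conversion; %u matches the ULONG. */
        DbgPrint("#define %S %u\n", name, i);
    }
}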
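/*
 * Resolve one handle-table entry to its object type name and record the
 * (ObjectTypeNumber -> name) pair in TypeIndex via ObjectTypeFormat().
 *
 * Entry        - one SYSTEM_HANDLE_INFORMATION record from the system table.
 * TypeInfo     - caller-supplied scratch buffer for ZwQueryObject.
 * TypeInfoSize - size of that buffer in bytes.
 *
 * Failure to open the owning process (e.g. no PROCESS_DUP_HANDLE access) or
 * to duplicate the handle is silently skipped: the table is best-effort and
 * one unreachable handle must not abort the scan.
 */
static void RecordHandleType(
    PSYSTEM_HANDLE_INFORMATION Entry,
    PPUBLIC_OBJECT_TYPE_INFORMATION TypeInfo,
    ULONG TypeInfoSize)
{
    OBJECT_ATTRIBUTES obj;
    CLIENT_ID cid;
    HANDLE Process = NULL;
    HANDLE hObject = NULL;

    InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
    /* Only the low 16 bits are the PID: winternl.h defines this ULONG as
     * USHORT UniqueProcessId + USHORT CreatorBackTraceIndex, and the trace
     * index is non-zero when handle tracing is enabled. */
    cid.UniqueProcess = (HANDLE)(ULONG_PTR)(Entry->ProcessId & 0xFFFF);
    cid.UniqueThread = NULL;

    /* Zw* rather than Nt*: the Zw stub sets PreviousMode to KernelMode, so
     * the kernel-resident OBJECT_ATTRIBUTES are not probed as user memory
     * when this runs in the context of a user-mode thread. Every other
     * system call in this file already uses the Zw form. */
    if (!NT_SUCCESS(ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid))) {
        return;
    }

    /* NOTE(review): the copy lands in the *current* process's handle table
     * with the source handle's full access. If the ZwDuplicateObject
     * prototype in use takes ULONG HandleAttributes as its 6th parameter
     * (as ntifs.h declares), pass OBJ_KERNEL_HANDLE there so the handle is
     * never visible to user mode -- confirm against the header in use. */
    if (NT_SUCCESS(ZwDuplicateObject(Process,
                                     (HANDLE)(ULONG_PTR)Entry->Handle,
                                     NtCurrentProcess(), &hObject,
                                     0, 0, DUPLICATE_SAME_ACCESS))) {
        RtlZeroMemory(TypeInfo, TypeInfoSize);
        /* Only ObjectTypeInformation is queried. ObjectNameInformation was
         * deliberately left out: it reportedly blocks indefinitely on some
         * handle types (synchronous named pipes are the usual example). */
        if (NT_SUCCESS(ZwQueryObject(hObject, ObjectTypeInformation,
                                     TypeInfo, TypeInfoSize, NULL))
            && TypeInfo->TypeName.Buffer != NULL) {
            ObjectTypeFormat(Entry->ObjectTypeNumber, TypeInfo->TypeName.Buffer);
        }
        ZwClose(hObject);
    }
    ZwClose(Process);
}

/*
 * Build the ObjectTypeNumber -> type-name table for the running kernel and
 * print it with ObjectTypeDbgPrint().
 *
 * Walks the system-wide handle table, duplicates each handle into the
 * current process, asks the object manager for its type name, and records
 * the pair. Must run at PASSIVE_LEVEL. Because the duplicated handles are
 * created in the current process, call this from a system thread (e.g.
 * DriverEntry or a work item), not while servicing a user-mode request.
 *
 * Returns (HANDLE)0 on every path; the return value is kept only for
 * interface compatibility with existing callers.
 *
 * Fixes over the original: the scratch buffer for ZwQueryObject is
 * allocated once instead of once per handle, and its allocation failure no
 * longer leaks the process handle, the duplicated handle and the table
 * buffer (the original returned from inside the loop without cleanup).
 */
HANDLE TestTable(void)
{
    HANDLE CsrId = (HANDLE)0;
    PSYSTEM_HANDLE_INFORMATION_EX Handles;
    PPUBLIC_OBJECT_TYPE_INFORMATION TypeInfo;
    const ULONG TypeInfoSize = sizeof(PUBLIC_OBJECT_TYPE_INFORMATION) + 0x100;
    ULONG r;

    Handles = GetInfoTable(SystemHandleInformation);
    if (Handles == NULL) {
        return CsrId;
    }

    TypeInfo = ExAllocatePoolWithTag(NonPagedPool, TypeInfoSize, 'ACEK');
    if (TypeInfo == NULL) {
        /* Same tag GetInfoTable() allocated with. */
        ExFreePoolWithTag(Handles, 'ACEK');
        return CsrId;
    }

    for (r = 0; r < Handles->NumberOfHandles; r++) {
        RecordHandleType(&Handles->Information[r], TypeInfo, TypeInfoSize);
    }

    ExFreePoolWithTag(TypeInfo, 'ACEK');
    ObjectTypeDbgPrint();
    ExFreePoolWithTag(Handles, 'ACEK');
    return CsrId;
}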
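/*
 * ObjectTypeNumber -> type name as printed by ObjectTypeDbgPrint() on one
 * Windows XP SP3 machine. The number is the kernel's object-type index and
 * is not guaranteed to match on other releases: regenerate it on the target
 * system rather than reusing this table.
 *
 * Slots the scan could not resolve (no handle of that type was open on the
 * test machine) are given distinct placeholder names here. The raw output
 * repeated OB_TYPE_UNKNOWN for each of them, and a header that redefines
 * one macro with ten different values is not usable.
 */
#define OB_TYPE_UNKNOWN_0 0
#define OB_TYPE_UNKNOWN_1 1
#define OB_TYPE_DIRECTORY 2
#define OB_TYPE_SYMBOLICLINK 3
#define OB_TYPE_TOKEN 4
#define OB_TYPE_PROCESS 5
#define OB_TYPE_THREAD 6
#define OB_TYPE_JOB 7
#define OB_TYPE_UNKNOWN_8 8
#define OB_TYPE_EVENT 9
#define OB_TYPE_UNKNOWN_10 10
#define OB_TYPE_MUTANT 11
#define OB_TYPE_UNKNOWN_12 12
#define OB_TYPE_SEMAPHORE 13
#define OB_TYPE_TIMER 14
#define OB_TYPE_UNKNOWN_15 15
#define OB_TYPE_KEYEDEVENT 16
#define OB_TYPE_WINDOWSTATION 17
#define OB_TYPE_DESKTOP 18
#define OB_TYPE_SECTION 19
#define OB_TYPE_KEY 20
#define OB_TYPE_PORT 21
#define OB_TYPE_WAITABLEPORT 22
#define OB_TYPE_UNKNOWN_23 23
#define OB_TYPE_UNKNOWN_24 24
#define OB_TYPE_UNKNOWN_25 25
#define OB_TYPE_UNKNOWN_26 26
#define OB_TYPE_IOCOMPLETION 27
#define OB_TYPE_FILE 28
#define OB_TYPE_WMIGUID 29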
这个是我在xp sp3下打印的,如果需要其他系统的话,打印一次就行了。
当然有些是unknown的,是因为我系统没有相应的handle罢了,如果你系统有的话,打印出来也没有问题。注意上面输出里重复出现的 OB_TYPE_UNKNOWN 宏直接拿去编译会被反复重定义成不同的值,要用的话得先把这些占位名改成不重复的。
另外给出一份achillis大牛的:
/*
 * Reference numbering published by achillis (link above), reproduced for
 * comparison with the table printed above. The "fixed" remarks are the
 * original author's; the post itself warns that Vista and later may differ,
 * so treat this as documentation of one kernel generation, not a portable
 * constant set.
 *
 * Differences from the XP SP3 scan above -- index 1 (Type), 8 (DebugObject),
 * 10 (EventPair), 12 (Callback), 15 (Profile) and 23..26 (Adapter,
 * Controller, Device, Driver) -- are exactly the slots the scan reported as
 * unknown, i.e. no handle of that type was open, not a real disagreement.
 * Spelling differs only because the tool upper-cases the kernel's type name
 * verbatim (SYMBOLICLINK vs SYMBOLIC_LINK, etc.).
 */
typedef enum _SYSTEM_HANDLE_TYPE
{
OB_TYPE_UNKNOWN=0, //0
OB_TYPE_TYPE, // 1,fixed
OB_TYPE_DIRECTORY, // 2,fixed
OB_TYPE_SYMBOLIC_LINK, // 3,fixed
OB_TYPE_TOKEN, // 4,fixed
OB_TYPE_PROCESS, // 5,fixed
OB_TYPE_THREAD, // 6,fixed
OB_TYPE_JOB, // 7,fixed
OB_TYPE_DEBUG_OBJECT, // 8,fixed
OB_TYPE_EVENT, // 9,fixed
OB_TYPE_EVENT_PAIR, //10,fixed
OB_TYPE_MUTANT, //11,fixed
OB_TYPE_CALLBACK, //12,fixed
OB_TYPE_SEMAPHORE, //13,fixed
OB_TYPE_TIMER, //14,fixed
OB_TYPE_PROFILE, //15,fixed
OB_TYPE_KEYED_EVENT, //16,fixed
OB_TYPE_WINDOWS_STATION,//17,fixed
OB_TYPE_DESKTOP, //18,fixed
OB_TYPE_SECTION, //19,fixed
OB_TYPE_KEY, //20,fixed
OB_TYPE_PORT, //21,fixed
OB_TYPE_WAITABLE_PORT, //22,fixed
OB_TYPE_ADAPTER, //23,fixed
OB_TYPE_CONTROLLER, //24,fixed
OB_TYPE_DEVICE, //25,fixed
OB_TYPE_DRIVER, //26,fixed
OB_TYPE_IOCOMPLETION, //27,fixed
OB_TYPE_FILE, //28,fixed
OB_TYPE_WMIGUID //29,fixed
}SYSTEM_HANDLE_TYPE;
可以对比一下