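/*
 * Locate csrss.exe by finding the process that owns a handle to the
 * "\Windows\ApiPort" LPC port object, walking the system handle table.
 *
 * Returns the owning process id as a HANDLE, or 0 when the handle table
 * could not be obtained or no matching port object was found.
 *
 * Caveats for callers:
 *   - The port object is recognised by the hard-coded object type index 21,
 *     which is assigned at boot and is not stable across Windows releases.
 *   - Only the exact name "\Windows\ApiPort" is matched.
 *     NOTE(review): other sessions presumably expose their port under a
 *     "\Sessions\<n>\..." prefix, which this routine would not see — confirm
 *     against the target OS before relying on it there.
 *   - Runs at a point where GetInfoTable()/ZwOpenProcess() are legal
 *     (passive level, paged pool accessible).
 */
HANDLE GetCsrPid()
{
	HANDLE Process, hObject;
	HANDLE CsrId = (HANDLE)0;
	OBJECT_ATTRIBUTES obj;
	CLIENT_ID cid;
	/* Pointer-sized elements keep this buffer aligned for the UNICODE_STRING
	 * at the start of OBJECT_NAME_INFORMATION; a plain UCHAR array carries
	 * no such alignment guarantee. */
	PVOID Buff[0x100 / sizeof(PVOID)];
	POBJECT_NAME_INFORMATION ObjName = (POBJECT_NAME_INFORMATION)Buff;
	PSYSTEM_HANDLE_INFORMATION_EX Handles;
	ULONG r;
	/* Expected Name.Length in bytes (literal without its terminator) and the
	 * matching character count. The Length is compared explicitly because a
	 * UNICODE_STRING buffer is not guaranteed to be NUL-terminated, so a bare
	 * wcsncmp() on Name.Buffer could run past the name. sizeof(L"") is the
	 * size of one wide character. */
	const ULONG ApiPortBytes = sizeof(L"\\Windows\\ApiPort") - sizeof(L"");
	const ULONG ApiPortChars = ApiPortBytes / sizeof(L"");

	Handles = GetInfoTable(SystemHandleInformation);

	if (!Handles) return CsrId;

	/* Stop at the first match; there is no need to keep opening every other
	 * process that holds a port handle once csrss has been identified. */
	for (r = 0; r < Handles->NumberOfHandles && CsrId == (HANDLE)0; r++)
	{
		/* NOTE(review): 21 is the port object type index only on the Windows
		 * builds this was written against; resolving the index by type name
		 * would be more robust. */
		if (Handles->Information[r].ObjectTypeNumber != 21) //Port object
			continue;

		InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

		cid.UniqueProcess = (HANDLE)Handles->Information[r].ProcessId;
		cid.UniqueThread = 0;

		/* Zw* rather than Nt*: the Nt entry points validate pointer arguments
		 * against the caller's previous mode, so a kernel caller handing in
		 * stack addresses fails whenever previous mode is UserMode. This also
		 * matches the Zw* calls used for the rest of this routine. */
		if (!NT_SUCCESS(ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid)))
			continue;

		/* Duplicate as a kernel handle (OBJ_KERNEL_HANDLE) so the temporary
		 * handle is neither visible to nor closable by user-mode code of the
		 * process whose context we happen to be running in. */
		if (NT_SUCCESS(ZwDuplicateObject(Process, (HANDLE)Handles->Information[r].Handle,
		                                 NtCurrentProcess(), &hObject, 0, OBJ_KERNEL_HANDLE,
		                                 DUPLICATE_SAME_ACCESS)))
		{
			/* Names that do not fit the buffer fail the query and are simply
			 * skipped; the name being looked for is short. */
			if (NT_SUCCESS(ZwQueryObject(hObject, ObjectNameInformation, ObjName, sizeof(Buff), NULL)) &&
			    ObjName->Name.Buffer != NULL &&
			    ObjName->Name.Length == ApiPortBytes &&
			    wcsncmp(L"\\Windows\\ApiPort", ObjName->Name.Buffer, ApiPortChars) == 0)
			{
				CsrId = (HANDLE)Handles->Information[r].ProcessId;
			}

			ZwClose(hObject);
		}

		ZwClose(Process);
	}

	ExFreePool(Handles);
	return CsrId;
}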
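///////////////////////////////////////////////////////////////////////////////////
//
//	Purpose : find the PID of csrss.exe by locating the process that holds a
//	          handle to the "\Windows\ApiPort" port object.
//	Input   : none
//	Output  : PID of csrss.exe as a HANDLE, or 0 when the handle table could not
//	          be read, the work buffer could not be allocated, or no matching
//	          port object was found.
//	Caveat  : the port object is recognised by the hard-coded type index 21,
//	          which is assigned at boot and differs between Windows releases
//	          (the original author already noted it is absent on Win2k SP1).
//
///////////////////////////////////////////////////////////////////////////////////
HANDLE	GetCsrssPid()
{
	NTSTATUS			ntStatus;
	HANDLE				hProc, hObject;
	HANDLE				CsrssPid = (HANDLE)0;
	OBJECT_ATTRIBUTES	objAttr;
	CLIENT_ID			cid;
	ULONG				i;
	UNICODE_STRING		ApiPortName;
	POBJECT_NAME_INFORMATION ObjName;
	PSYSTEM_HANDLE_INFORMATION_EX Handles;

	RtlInitUnicodeString( &ApiPortName, L"\\Windows\\ApiPort" );

	// Snapshot of every handle in the system; allocated by GetInfoTable and
	// released below with IxExFreePool.
	Handles = GetInfoTable( SystemHandleInformation );
	if( Handles == NULL )
	{
		DbgPrint("[GetCsrssPid]->GetInfoTable() Error\n");
		return 0;
	}

	// Work buffer for ZwQueryObject. The allocation must be checked: the
	// original handed the pointer straight to the kernel, so a failed
	// paged-pool allocation became a NULL dereference.
	ObjName = ExAllocatePool( PagedPool, 0x2000 );
	if( ObjName == NULL )
	{
		DbgPrint("[GetCsrssPid]->ExAllocatePool() Error\n");
		IxExFreePool( Handles );
		return 0;
	}

	// Stop scanning as soon as csrss has been identified.
	for( i = 0; i < Handles->NumberOfHandles && CsrssPid == (HANDLE)0; i++ )
	{
		if ( Handles->Information[i].ObjectTypeNumber != 21 ) //Port object,Win2kSP1 has no type 21
			continue;

		InitializeObjectAttributes( &objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL );
		cid.UniqueProcess = (HANDLE)Handles->Information[i].ProcessId;
		cid.UniqueThread  = 0;

		// Open the owning process with only the access needed to duplicate.
		ntStatus = ZwOpenProcess( &hProc, PROCESS_DUP_HANDLE, &objAttr, &cid );
		if( !NT_SUCCESS(ntStatus) )
		{
			DbgPrint("Could not open process\n");
			continue;
		}

		// Duplicate into our context as a kernel handle (OBJ_KERNEL_HANDLE) so
		// user-mode code of the current process cannot see or close it.
		ntStatus = ZwDuplicateObject( hProc, (HANDLE)Handles->Information[i].Handle,
										NtCurrentProcess(), &hObject, 0, OBJ_KERNEL_HANDLE, DUPLICATE_SAME_ACCESS );
		if( NT_SUCCESS(ntStatus) )
		{
			ntStatus = ZwQueryObject( hObject, ObjectNameInformation, ObjName, 0x2000, NULL);
			if( NT_SUCCESS(ntStatus) )
			{
				// Compare as UNICODE_STRINGs: Name.Buffer is not guaranteed to be
				// NUL-terminated, so wcsncmp() on it is not safe in general.
				// Object manager names are case-insensitive, hence TRUE.
				if ( ObjName->Name.Buffer != NULL &&
				     RtlCompareUnicodeString( &ApiPortName, &ObjName->Name, TRUE ) == 0 )
				{
					CsrssPid = (HANDLE)Handles->Information[i].ProcessId;
				}
			}
			else
				DbgPrint("Error in Query Object\n");

			ZwClose( hObject );
		}
		else
			DbgPrint("Error on duplicating object\n");

		ZwClose( hProc );
	}

	IxExFreePool( Handles );
	IxExFreePool( ObjName );
	return CsrssPid;
}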
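EASYHOOK_NT_EXPORT DbgHandleToObjectName(
                HANDLE InNamedHandle,
                PUNICODE_STRING OutNameBuffer,
                ULONG InBufferSize,
                ULONG* OutRequiredSize)
{
/*
Description:

    Queries the kernel space name of a named object. This is
    only possible if the handle refers to a named object of course.

    The query is done in two passes: a zero-length ZwQueryObject to learn
    the required size, then (if a buffer was supplied) the real query.

    NOTE(review): ZwQueryObject is reported to block indefinitely on some
    file handles (e.g. synchronous handles with I/O pending); callers that
    enumerate arbitrary handles should confirm this does not apply to them.

Parameters:

    - InNamedHandle

        A valid file, event, section, etc.

    - OutNameBuffer

        A buffer large enough to hold the kernel space object name.
        To query the required size in bytes, set this parameter to
        NULL.

    - InBufferSize

        The maximum size in bytes the given buffer can hold.

    - OutRequiredSize

        Receives the required size in bytes. This parameter can be NULL.
        It is also filled in when STATUS_BUFFER_TOO_SMALL is returned, so a
        caller may retry with a larger buffer without a separate size query.

Returns:

    An NTSTATUS: the status set by the RETURN macro on success, one of the
    STATUS_INVALID_PARAMETER_n codes for bad arguments, STATUS_BUFFER_TOO_SMALL
    when the supplied buffer cannot hold the name, or the status of a failed
    ZwQueryObject.
*/
    ULONG           RequiredSize = 0;   /* defensive: written back to the caller below */
    NTSTATUS        NtStatus;
    int             HaveBuffer;


    if((InNamedHandle == NULL) || (InNamedHandle == INVALID_HANDLE_VALUE))
        THROW(STATUS_INVALID_PARAMETER_1, L"The given handle is invalid.");

    /* Evaluate the buffer validity once; it decides both the parameter
       checks here and whether the second query pass runs. */
    HaveBuffer = IsValidPointer(OutNameBuffer, InBufferSize);

    if(!HaveBuffer)
    {
        // size query only: the size must be zero and there must be somewhere to report it
        if(InBufferSize != 0)
            THROW(STATUS_INVALID_PARAMETER_3, L"If no buffer is specified, the buffer size is expected to be zero.");

        if(OutRequiredSize == NULL)
            THROW(STATUS_INVALID_PARAMETER_4, L"If no buffer is specified, you are expected to query the required size.");
    }

    /* First pass: STATUS_INFO_LENGTH_MISMATCH is the expected answer to a
       zero-length query; anything else is handed to FORCE as the result. */
    NtStatus = ZwQueryObject(InNamedHandle, ObjectNameInformation, NULL, 0, &RequiredSize);
    if(NtStatus != STATUS_INFO_LENGTH_MISMATCH)
        FORCE(NtStatus);

    if(HaveBuffer)
    {
        if(InBufferSize < RequiredSize)
        {
            /* Report the size before bailing out so the caller can retry. */
            if(IsValidPointer(OutRequiredSize, sizeof(ULONG)))
                *OutRequiredSize = RequiredSize;

            THROW(STATUS_BUFFER_TOO_SMALL, L"The given buffer is not long enough to hold all the data.");
        }

        // second pass: fetch the name itself
        FORCE(ZwQueryObject(InNamedHandle, ObjectNameInformation, OutNameBuffer, InBufferSize, &RequiredSize));
    }

    if(IsValidPointer(OutRequiredSize, sizeof(ULONG)))
        *OutRequiredSize = RequiredSize;

    RETURN;

THROW_OUTRO:
FINALLY_OUTRO:
    return NtStatus;
}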
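// Find the csrss.exe process: the one that holds a handle to the
// "\Windows\ApiPort" port object in the system handle table.
//
// CsrssPid  receives the PID as a HANDLE on the normal return paths; it is
//           set to 0 when no match was found. It is not written when a buffer
//           could not be obtained.
// Returns   an NT_SUCCESS status when csrss was located,
//           STATUS_INSUFFICIENT_RESOURCES when the handle table or the work
//           buffer could not be allocated, and STATUS_UNSUCCESSFUL otherwise.
//           (Previously the status of whatever the *last* handle-table entry
//           produced was returned, which could be a failure even though csrss
//           had already been found.)
// Caveat    the port object is recognised by the hard-coded object type index
//           21, which is assigned at boot and differs between Windows releases.
NTSTATUS GetCsrssPid(HANDLE *CsrssPid)
{
	NTSTATUS ntStatus = STATUS_UNSUCCESSFUL;
	HANDLE Process, hObject;
	ULONG CsrId = 0;
	OBJECT_ATTRIBUTES obj;
	CLIENT_ID cid;
	POBJECT_NAME_INFORMATION ObjName;
	UNICODE_STRING ApiPortName;
	PSYSTEM_HANDLE_INFORMATION_EX Handles;
	ULONG i;

	PAGED_CODE();

	RtlInitUnicodeString(&ApiPortName, L"\\Windows\\ApiPort");

	Handles = (PSYSTEM_HANDLE_INFORMATION_EX)GetInfoTable( SystemHandleInformation );
	if( Handles == NULL ) {
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	// Work buffer for ZwQueryObject; the allocation must be checked before
	// it is handed to the kernel.
	ObjName = (POBJECT_NAME_INFORMATION)ExAllocatePoolWithTag( PagedPool, 0x2000,  INFO_MEM_TAG);
	if( ObjName == NULL ) {
		// NOTE(review): assumes GetInfoTable allocated Handles with
		// INFO_MEM_TAG, as the existing cleanup at the end does — confirm,
		// since Driver Verifier flags a mismatched tag.
		ExFreePoolWithTag( Handles, INFO_MEM_TAG);
		return STATUS_INSUFFICIENT_RESOURCES;
	}

	KdPrint(("SYS: Number of handles %d\n", Handles->NumberOfHandles));
	// Stop scanning once csrss has been identified.
	for(i = 0; i < Handles->NumberOfHandles && CsrId == 0; i++) {
		// Only port objects (type index 21 on the builds this targets) are of interest.
		if (Handles->Information[i].ObjectTypeNumber != 21) {
			continue;
		}

		InitializeObjectAttributes(&obj, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
		cid.UniqueProcess = (HANDLE)Handles->Information[i].ProcessId;
		cid.UniqueThread  = 0;

		ntStatus = ZwOpenProcess(&Process, PROCESS_DUP_HANDLE, &obj, &cid);
		if(!NT_SUCCESS(ntStatus)) {
			KdPrint(("SYS: Could not open process\n"));
			continue;
		}

		// Duplicate as a kernel handle (OBJ_KERNEL_HANDLE) so user-mode code of
		// the current process cannot see or close the temporary handle.
		ntStatus = ZwDuplicateObject(
			Process,
			(HANDLE)Handles->Information[i].Handle,
			NtCurrentProcess(),
			&hObject,
			0,
			OBJ_KERNEL_HANDLE,
			DUPLICATE_SAME_ACCESS);
		if(NT_SUCCESS(ntStatus)){
			ntStatus = ZwQueryObject(hObject, (OBJECT_INFORMATION_CLASS)ObjectNameInformation, ObjName, 0x2000, NULL);
			if(NT_SUCCESS(ntStatus)) {
				// Case-insensitive UNICODE_STRING compare: object manager names
				// are case-insensitive and Name.Buffer need not be NUL-terminated.
				if (ObjName->Name.Buffer != NULL &&
				    RtlCompareUnicodeString(&ApiPortName, &ObjName->Name, TRUE) == 0) {
					CsrId = Handles->Information[i].ProcessId;
					KdPrint(("SYS: Csrss PID:%d\n", CsrId));
					KdPrint(("SYS: Csrss Port - %wZ\n", &ObjName->Name));
				}
			} else {
				KdPrint(("SYS: Error in Query Object\n"));
			}
			ZwClose(hObject);
		} else {
			KdPrint(("SYS: Error on duplicating object\n"));
		}
		ZwClose(Process);
	}

	ExFreePoolWithTag( Handles, INFO_MEM_TAG);
	ExFreePoolWithTag(ObjName, INFO_MEM_TAG);

	// Report whether csrss was found rather than what the last entry did.
	// On the found path ntStatus still holds the NT_SUCCESS result of the
	// ZwQueryObject that matched, because the loop stops right after it.
	if (CsrId == 0) {
		ntStatus = STATUS_UNSUCCESSFUL;
	}
	*CsrssPid = (HANDLE)CsrId;
	return ntStatus;
}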