[讨论] 关于EXHANDLE的结构的几个疑问 [已解决]
[讨论] 关于EXHANDLE的结构的几个疑问 [已解决]文章作者:sudami
信息来源:邪恶八进制信息安全团队([url=http://www.eviloctal.com/]www.eviloctal.com[/url])
google了很久,还是没有理解清楚。所以发帖问下--[img]http://forum.eviloctal.com/images/smilies/yangcong/08.gif[/img]
关于EXHANDLE的结构,XP SP2 和 W2K的结构是一样的不?怎么Windbg弄不出来呢?WRK也没得查啊。
WRK中的 ExpLookupHandleTableEntry 函数代码有个地方
引用:
EXHANDLE Handle;
Handle.Value ...
是不是W2K的EXHANDLE结构体中还多个参数Value啊?
下面这个EXHANDLE是不是XP下的呢?
复制内容到剪贴板
代码:
typedef struct _EXHANDLE {
union {
struct {
ULONG TagBits : 2;
ULONG Index : 30;
};
HANDLE GenericHandleOverlay;
};
} EXHANDLE, *PEXHANDLE;
句柄的值本身是个三层表的3个索引。简略的可以描述成下面这样的:
复制内容到剪贴板
代码:
ExpLookupHandleTableEntry (
IN PHANDLE_TABLE HandleTable,
IN EXHANDLE Handle
)
{
ULONG i,j,k,l;
l = (Handle.Index >> 24) & 255;
i = (Handle.Index >> 16) & 255;
j = (Handle.Index >> 8) & 255;
k = (Handle.Index) & 255;
return &(HandleTable->Table[i][j][k]);
}
GenericHandleOverlay保存传进来的进程ID
而EXHANDLE.Index = (GenericHandleOverlay/4) & 0x3FFFFFFF;
就是ID除4得到的值的后30位。
偶这样理解对不?
Index |_6_|__8_|__8_|__8_|
i j k
索引 0 1 2
下面的是WRK中关于 ExpLookupHandleTableEntry 的源码,偶看的很糊涂啊。有木有对这个函数理解很透彻的,还忘指点下子~~
复制内容到剪贴板
代码:
PHANDLE_TABLE_ENTRY
ExpLookupHandleTableEntry (
IN PHANDLE_TABLE HandleTable,
IN EXHANDLE tHandle
)
{
ULONG_PTR i,j,k;
ULONG_PTR CapturedTable;
ULONG TableLevel;
PHANDLE_TABLE_ENTRY Entry = NULL;
EXHANDLE Handle;
PUCHAR TableLevel1;
PUCHAR TableLevel2;
PUCHAR TableLevel3;
ULONG_PTR MaxHandle;
PAGED_CODE();
Handle = tHandle;
Handle.TagBits = 0;
// nt!_HANDLE_TABLE +0x038 NextHandleNeedingPool : Uint4B
MaxHandle = *(volatile ULONG *) &HandleTable->NextHandleNeedingPool;
if (Handle.Value >= MaxHandle) {
return NULL;
}
CapturedTable = *(volatile ULONG_PTR *) &HandleTable->TableCode;
TableLevel = (ULONG)(CapturedTable & LEVEL_CODE_MASK);
CapturedTable = CapturedTable - TableLevel;
switch (TableLevel) {
case 0:
TableLevel1 = (PUCHAR) CapturedTable;
Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[Handle.Value *
(sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];
break;
case 1:
TableLevel2 = (PUCHAR) CapturedTable;
i = Handle.Value % (LOWLEVEL_COUNT * HANDLE_VALUE_INC);
Handle.Value -= i;
j = Handle.Value / ((LOWLEVEL_COUNT * HANDLE_VALUE_INC) / sizeof (PHANDLE_TABLE_ENTRY));
TableLevel1 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel2[j];
Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[i * (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];
break;
case 2:
TableLevel3 = (PUCHAR) CapturedTable;
i = Handle.Value % (LOWLEVEL_COUNT * HANDLE_VALUE_INC);
Handle.Value -= i;
k = Handle.Value / ((LOWLEVEL_COUNT * HANDLE_VALUE_INC) / sizeof (PHANDLE_TABLE_ENTRY));
j = k % (MIDLEVEL_COUNT * sizeof (PHANDLE_TABLE_ENTRY));
k -= j;
k /= MIDLEVEL_COUNT;
TableLevel2 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel3[k];
TableLevel1 = (PUCHAR) *(PHANDLE_TABLE_ENTRY *) &TableLevel2[j];
Entry = (PHANDLE_TABLE_ENTRY) &TableLevel1[i * (sizeof (HANDLE_TABLE_ENTRY) / HANDLE_VALUE_INC)];
break;
default :
_assume (0);
}
return Entry;
}WINDOWS内核疯狂爱好者
帖子242 精华[url=http://forum.eviloctal.com/digest.php?authorid=69539]6[/url] 积分5536 阅读权限150 性别男 在线时间1113 小时 注册时间2007-1-10 最后登录2008-7-23 [url=http://hi.baidu.com/sudami]查看个人网站[/url]
[url=http://forum.eviloctal.com/space.php?action=viewpro&uid=69539]查看详细资料[/url]TOP [url=http://www.google.cn/search?q=风水&client=pub-0204114945524753&forid=1&prog=aff&ie=UTF-8&oe=UTF-8&cof=GALT%3A#008000;GL%3A1;DIV%3A336699;VLC%3A663399;AH%3Acenter;BGC%3AFFFFFF;LBGC%3A336699;ALC%3A0000FF;LC%3A0000FF;T%3A000000;GFNT%3A0000FF;GIMP%3A0000FF;FORID%3A1&hl=zh-CN]良辰择日,预测咨询,公司改名,权威易经[/url]
[url=http://forum.eviloctal.com/space-uid-69539.html]sudami[/url]
大米米
[img]http://forum.eviloctal.com/customavatars/69539.gif[/img]
运维管理组
[img]http://forum.eviloctal.com/images/default/star_level2.gif[/img][img]http://forum.eviloctal.com/images/default/star_level1.gif[/img][img]http://forum.eviloctal.com/images/default/star_level1.gif[/img][img]http://forum.eviloctal.com/images/default/star_level1.gif[/img] 原来还真多了个value~~~~
typedef struct _EXHANDLE
{
union
{
struct
{
ULONG TagBits:2;
ULONG Index:30;
};
HANDLE GenericHandleOverlay;
ULONG_PTR Value;
};
} EXHANDLE, *PEXHANDLE;
fuck一下
[img]http://forum.eviloctal.com/images/smilies/yangcong/59.gif[/img]WINDOWS内核疯狂爱好者
帖子242 精华[url=http://forum.eviloctal.com/digest.php?authorid=69539]6[/url] 积分5536 阅读权限150 性别男 在线时间1113 小时 注册时间2007-1-10 最后登录2008-7-23 [url=http://hi.baidu.com/sudami]查看个人网站[/url]
[url=http://forum.eviloctal.com/space.php?action=viewpro&uid=69539]查看详细资料[/url]TOP [url=http://www.google.cn/search?q=鲜花预定&client=pub-0204114945524753&forid=1&prog=aff&ie=UTF-8&oe=UTF-8&cof=GALT%3A#008000;GL%3A1;DIV%3A336699;VLC%3A663399;AH%3Acenter;BGC%3AFFFFFF;LBGC%3A336699;ALC%3A0000FF;LC%3A0000FF;T%3A000000;GFNT%3A0000FF;GIMP%3A0000FF;FORID%3A1&hl=zh-CN]爱要怎么说出口[/url]
[url=http://forum.eviloctal.com/space-uid-15767.html]evilsir[/url]
gz1X
[img]http://forum.eviloctal.com/images/avatars/noavatar.gif[/img]
页:
[1]