[2020]Leak EPROCESS/KPROCESS from Usermode huoji eprocess,kprocess 2020-05-28 1637 次浏览 1 次点赞 要做的事情: 1. Use NtQuerySystemInformation with SystemModuleInformation to get ntoskrnl address. 2. Load ntoskrnl and get address of PsInitialSystemProcess. 3. Rebase it so you will get a real kernel address. 3. Read the value at this address and that will be system EPROCESS. <!--more--> ```cpp #ifndef LEAKPROCESS_H #define LEAKPROCESS_H #include <windows.h> #include <stdio.h> #include <winternl.h> #include <vector> #pragma comment( lib, "ntdll.lib" ) // The following code gives you the EPROCESS.KPROCESS pointer for processes running on // your system without the need of any kernel driver or administrative rights. It is // an adaptation of code[1][2] that has previously worked on earlier versions of // windows. // The original method seems to break on builds >= 1803. As such, it has been adapted // to do the following: // 1. Dump all of the system handles of Process 4 (System) // 2. Check if lpHandleInformation->Handles[i].HandleAttributes is 0x102A // 3. Feed the result to another function that uses the KPROCESS.ActiveProcessLinks // LIST_ENTRY (+0x2e8) // Some hurdles involved with this method that were accounted for.: // 1. This particular SYSTEM_INFORMATION_CLASS doesn't accurately return the correct number of bytes required. // 2. ObjectTypeIndex is related to the order in which object types are created. Should not be defined as a constant. // The following materials were used as a reference in building this code // http://blog.rewolf.pl/blog/?p=1683 // https://github.com/clymb3r/KdExploitMe/blob/master/ExploitDemos/KernelAddressLeak.cpp // ObjectTypeIndex is related to the order in which object types are created. Should not // be defined in a constant. // IChooseY0u Copyright 600BC - 2019AD struct SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX // Size=28 { PVOID Object; // Size=4 Offset=0 ULONG UniqueProcessId; // Size=4 Offset=4 ULONG HandleValue; // Size=4 Offset=8 ULONG GrantedAccess; // Size=4 Offset=12 USHORT CreatorBackTraceIndex; // Size=2 Offset=16 USHORT ObjectTypeIndex; // Size=2 Offset=18 ULONG HandleAttributes; // Size=4 Offset=20 ULONG Reserved; // Size=4 Offset=24 }; struct SYSTEM_HANDLE_INFORMATION_EX // Size=36 { ULONG NumberOfHandles; // Size=4 Offset=0 ULONG Reserved; // Size=4 Offset=4 SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1]; // Size=36 Offset=8 }; BOOL LeakKProcess( const UINT uResultCount, std::vector<UINT_PTR>& out ) { ULONG uLength = 0; //DEBUGOUT( "[+] Getting required length for SystemExtendedHandleInformation\n" ); const ULONG SystemExtendedHandleInformation = 0x40; // This particular SYSTEM_INFORMATION_CLASS doesn't accurately return the correct number of bytes required // some extra space is needed to avoid NTSTATUS C0000004 (STATUS_INFO_LENGTH_MISMATCH) // unsigned char lpProbeBuffer[1024] = {0}; NTSTATUS status = NtQuerySystemInformation( static_cast<SYSTEM_INFORMATION_CLASS>( SystemExtendedHandleInformation ), &lpProbeBuffer, sizeof( lpProbeBuffer ), &uLength ); if ( !uLength ) { //DEBUGOUT( "[!] Failed to call NtQuerySystemInformation( ), NTSTATUS=%0x\n", status ); return FALSE; } uLength += 50 * ( sizeof( SYSTEM_HANDLE_INFORMATION_EX ) + sizeof( SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX ) ); //DEBUGOUT( "[+] Allocating 0x%x bytes for SystemExtendedHandleInformation\n", uLength ); PVOID lpBuffer = VirtualAlloc( nullptr, uLength, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE ); if ( !lpBuffer ) { //DEBUGOUT( "[!] Failed to call VirtualAlloc( ), GetLastError( )=%d\n", GetLastError( ) ); return FALSE; } RtlSecureZeroMemory( lpBuffer, uLength ); ULONG uCorrectSize = 0; status = NtQuerySystemInformation( static_cast<SYSTEM_INFORMATION_CLASS>( SystemExtendedHandleInformation ), lpBuffer, uLength, &uCorrectSize ); if ( !NT_SUCCESS( status ) ) { //DEBUGOUT( "[!] Failed to call NtQuerySystemInformation( ), NTSTATUS=0x%x, uSizeReturn=0x%x (got:0x%x)\n", status, uCorrectSize, uLength ); return FALSE; } SYSTEM_HANDLE_INFORMATION_EX* lpHandleInformation = reinterpret_cast<SYSTEM_HANDLE_INFORMATION_EX*>( lpBuffer ); UINT uCount = 0; for ( UINT i = 0; i < lpHandleInformation->NumberOfHandles; i++ ) { //lkd > !process 0 0 System // PROCESS ffffbc8e28ede440 // SessionId : none Cid : 0004 Peb : 00000000 ParentCid : 0000 // DirBase : 001ad000 ObjectTable : ffff988dd5200700 HandleCount : 3030. // Image : System const UINT SystemUniqueReserved = 4; const UINT SystemKProcessHandleAttributes = 0x102A; if ( lpHandleInformation->Handles[i].UniqueProcessId == SystemUniqueReserved && lpHandleInformation->Handles[i].HandleAttributes == SystemKProcessHandleAttributes ) { ////DEBUGOUT( "[+] KPROCESS candidate, type: %I64X Access: %x, Attributes: %x, HandleValue: %d Process: %d Object:%p\n", //lpHandleInformation->Handles[i].GrantedAccess, //lpHandleInformation->Handles[i].HandleAttributes, //lpHandleInformation->Handles[i].HandleValue, //lpHandleInformation->Handles[i].UniqueProcessId, //lpHandleInformation->Handles[i].Object ); if ( uCount < uResultCount ) { out.push_back( reinterpret_cast<UINT_PTR>( lpHandleInformation->Handles[i].Object ) ); uCount++; continue; } VirtualFree( lpBuffer, 0, MEM_RELEASE ); return TRUE; } } VirtualFree( lpBuffer, 0, MEM_RELEASE ); return NULL; } #endif ``` 本文由 huoji 创作,采用 知识共享署名 3.0,可自由转载、引用,但需署名作者且注明文章出处。 点赞 1
Is there a way i can contact you?
papipapo2001 gmail com