NTSTATUS ScanProcessHandleTable(PEPROCESS EProcess)
{
NTSTATUS Status = STATUS_UNSUCCESSFUL;
PHANDLE_TABLE HandleTable = NULL;
PVOID TableCode = NULL;
ULONG Flag = 0;
if (EProcess==NULL)
{
return Status;
}
HandleTable = (PHANDLE_TABLE)(*((ULONG*)((UINT8*)EProcess + _HANDLE_TABLE_OFFSET_EPROCESS)));//windbg调试可以看到
if (HandleTable==NULL)
{
return Status;
}
TableCode = HandleTable->TableCode;
TableCode = (ULONG)TableCode & 0xFFFFFFFC;//与的结果是0 是第一个表 以此类推
Flag = (ULONG)(HandleTable->TableCode) & 0x03; //00 01 10 11
switch (Flag)
{
case 0:
{
EnumTable0(TableCode);
break;
}
case 1:
{
EnumTable1(TableCode);
break;
}
case 2:
{
EnumTable2(TableCode);
break;
}
case 3:
{
EnumTable3(TableCode);
break;
}
}
}
NTSTATUS EnumTable0(PVOID TableCode)
{
PHANDLE_TABLE_ENTRY HandleTableEntry = NULL;
ULONG i = 0;
HandleTableEntry = (PHANDLE_TABLE_ENTRY)((ULONG*)((UINT8*)TableCode + _FFFFFFFE));
for (i = 0; i<_MAX; i++)
{
if (MmIsAddressValid((PVOID)HandleTableEntry)) //判断该虚拟内存是否合法
{
PVOID ObjectHeader = (PVOID)((ULONG)(HandleTableEntry->Object) & 0xFFFFFFF8);//这样得对象头
if (MmIsAddressValid(ObjectHeader))
{
DbgPrint("ObjectHeader:%p
",ObjectHeader);
PVOID ObjectBody = (PVOID)((UINT8*)ObjectHeader + _BODY_OFFSET_OBJECT_HEADER);//加0x18就是对象体的位置
if (MmIsAddressValid(ObjectBody)) //这里应当判断对象是否合法
{
DbgPrint("Object:%p
", ObjectBody);
__ObjectCount++;
}
}
}
HandleTableEntry++; //结构体指针++ 一加一个结构体
}
return STATUS_SUCCESS;
}
NTSTATUS EnumTable1(PVOID TableCode)
{
do
{
EnumTable0(*(ULONG*)TableCode);
(UINT8*)TableCode += sizeof(ULONG);
} while (*(ULONG*)TableCode != 0 && MmIsAddressValid(*(ULONG*)TableCode));
return STATUS_SUCCESS;
}
NTSTATUS EnumTable2(PVOID TableCode)
{
do
{
EnumTable1(*(ULONG*)TableCode);
(UINT8*)TableCode += sizeof(ULONG);
} while (*(ULONG*)TableCode != 0 && MmIsAddressValid(*(ULONG*)TableCode));
return STATUS_SUCCESS;
}
NTSTATUS EnumTable3(PVOID TableCode)
{
do
{
EnumTable2(*(ULONG*)TableCode);
(UINT8*)TableCode += sizeof(ULONG);
} while (*(ULONG*)TableCode != 0 && MmIsAddressValid(*(ULONG*)TableCode));
return STATUS_SUCCESS;
}