有没有办法将 process_query_information 添加到现有进程句柄?

Is there a way to add PROCESS_QUERY_INFORMATION to an existing process handle?

我完全是初学者。我一直在用 NtQuerySystemInformation 枚举系统上的句柄，现在已经拿到了我想要的那个句柄（通过 Process Hacker 对照确认过），但在尝试从该句柄取得 PID 时出了问题——我需要用 PID 来确定应向哪个进程注入我的 DLL（我的函数返回一个句柄数组）。按 MSDN 的说法直接调用 GetProcessId() 就可以，但它失败并返回错误码 0x6（ERROR_INVALID_HANDLE）。

有没有另一种不需要 OpenProcess 的优雅方法来做到这一点？DuplicateHandle() 似乎也不起作用。

或者，有没有办法直接给这个句柄加上 PROCESS_QUERY_INFORMATION 访问权限？

NtQuerySystemInformation 返回的句柄值只在其所属进程的句柄表中有意义；我们的程序运行在另一个进程里，直接拿这个数值当作自己的句柄使用是没有意义的（这正是 GetProcessId 返回 ERROR_INVALID_HANDLE 的原因）。正确做法是先用 DuplicateHandle 把该句柄复制到我们自己的进程中，并在复制时只申请真正需要的访问权限（例如 PROCESS_QUERY_LIMITED_INFORMATION，而不是 DUPLICATE_SAME_ACCESS）。注意：这需要以 PROCESS_DUP_HANDLE 权限打开句柄的所属进程，而该权限实质上等同于对目标进程的完全控制，因此只对你的令牌本来就有权访问的进程有效。

用于测试的源进程（持有目标句柄的进程）:

#include <Windows.h>
#include <iostream>
#include <fstream>
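// Test target: holds a handle to another process that carries NO query access
// (neither PROCESS_QUERY_INFORMATION nor PROCESS_QUERY_LIMITED_INFORMATION),
// prints its own PID and the raw handle value, then blocks so the second
// program can find that handle in the system handle table.
int main()
{
    // PID of the process to open; hard-coded for the experiment.
    const DWORD targetPid = 10924;

    // Deliberately omit both QUERY rights so that GetProcessId() on a copy
    // of this handle would normally fail.
    HANDLE hprocess = OpenProcess(PROCESS_VM_READ, FALSE, targetPid);
    if (hprocess == nullptr)
    {
        // Without this check the program would print "handle: 0x0" and the
        // second program would search for a handle that never existed.
        fprintf(stderr, "OpenProcess(%lu) failed, error %lu\n",
                static_cast<unsigned long>(targetPid),
                static_cast<unsigned long>(GetLastError()));
        return 1;
    }

    // %lu for DWORD, and the handle widened to unsigned long long: the original
    // "%x" with a HANDLE argument truncates on 64-bit and is undefined behaviour.
    printf("pid: %lu\n", static_cast<unsigned long>(GetCurrentProcessId()));
    printf("handle:  0x%llx\nwait...\n",
           static_cast<unsigned long long>(reinterpret_cast<ULONG_PTR>(hprocess)));

    // Keep the handle alive until a key is pressed; the other program must
    // run while we are blocked here.
    getchar();
    CloseHandle(hprocess);
    return 0;
}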

结果:

pid: 11972
handle:  0x108
wait...

主程序:

#include <Windows.h>
#include <cstdlib>
#include <iostream>
#include <memory>
#include <new>
using namespace std;

// One entry of the SystemHandleInformation table: the owning process, the
// handle value as seen in THAT process's handle table, the kernel object
// address and the access mask the handle was granted.  The layout must stay
// exactly as the kernel fills it (ULONG, two UCHARs, USHORT, pointer, ULONG).
struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG       ProcessId;        // id of the process that owns the handle
    UCHAR       ObjectTypeNumber; // kernel object type index
    UCHAR       Flags;            // handle attributes
    USHORT      Handle;           // handle value; a USHORT, so values above 0xFFFF cannot be represented here
    PVOID       Object;           // kernel-mode object address, informational only
    ACCESS_MASK GrantedAccess;    // access mask the handle was granted
};
typedef struct _SYSTEM_HANDLE_INFORMATION SYSTEM_HANDLE_INFORMATION;
typedef SYSTEM_HANDLE_INFORMATION* PSYSTEM_HANDLE_INFORMATION;

// Buffer layout returned by NtQuerySystemInformation(SystemHandleInformation):
// a count followed by the entries.  The real table is variable length; this
// declaration reserves a fixed 655360 entries (an arbitrary upper bound chosen
// for this example) so that sizeof() yields a usable buffer size.  If the
// system holds more handles than that, the call fails with
// STATUS_INFO_LENGTH_MISMATCH and the buffer contents are not meaningful.
struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG                     NumberOfHandles;     // entries actually filled in
    SYSTEM_HANDLE_INFORMATION Information[655360]; // fixed capacity picked for this sample
};
typedef struct _SYSTEM_HANDLE_INFORMATION_EX SYSTEM_HANDLE_INFORMATION_EX;
typedef SYSTEM_HANDLE_INFORMATION_EX* PSYSTEM_HANDLE_INFORMATION_EX;

// Information class for the (undocumented) system-wide handle table.
#define SystemHandleInformation 0x10

// Prototype of ntdll!NtQuerySystemInformation, resolved at run time with
// GetProcAddress (see main).  Parameters: information class, output buffer,
// buffer size, optional returned/required size.  DWORD/PDWORD stand in for
// ULONG/PULONG; they have the same width on Windows.
using NTQUERYSYSTEMINFORMATION = NTSTATUS(WINAPI*)(DWORD, PVOID, DWORD, PDWORD);

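// Parse a non-negative integer from a command-line argument.  Accepts decimal
// or 0x-prefixed hexadecimal; rejects empty text, trailing characters and
// values above `limit`.  Returns false on rejection and leaves *out untouched.
static bool ParseNumberArg(const char* text, unsigned long limit, unsigned long* out)
{
    if (text == nullptr || *text == '\0')
        return false;
    char* end = nullptr;
    const unsigned long value = strtoul(text, &end, 0);
    if (end == text || *end != '\0' || value > limit)
        return false;
    *out = value;
    return true;
}

// Copy handle `handleValue` out of process `ownerPid` into this process,
// asking for PROCESS_QUERY_LIMITED_INFORMATION only (all GetProcessId needs).
// Returns the duplicated handle, which the caller must CloseHandle, or nullptr
// with *lastError set.  The owner process is opened with PROCESS_DUP_HANDLE
// just for this call and closed before returning.
//
// NOTE(review): PROCESS_DUP_HANDLE on another process is a very strong right
// (it lets the caller copy any handle that process holds), so this only works
// on processes the caller is already allowed to control.
static HANDLE DuplicateHandleForQuery(ULONG ownerPid, USHORT handleValue, DWORD* lastError)
{
    HANDLE hOwner = OpenProcess(PROCESS_DUP_HANDLE, FALSE, ownerPid);
    if (hOwner == nullptr)
    {
        *lastError = GetLastError();  // the original passed a NULL source process straight into DuplicateHandle
        return nullptr;
    }

    // An explicit access mask rather than DUPLICATE_SAME_ACCESS: the copy
    // carries only what is needed.  The requested mask is checked by the
    // kernel against the object and is not capped by the source handle's
    // GrantedAccess -- which is why a PROCESS_VM_READ-only source handle can
    // still yield a query-capable copy (see the sample output below).
    HANDLE hTarget = nullptr;
    const BOOL ok = DuplicateHandle(hOwner,
                                    reinterpret_cast<HANDLE>(static_cast<ULONG_PTR>(handleValue)),
                                    GetCurrentProcess(),
                                    &hTarget,
                                    PROCESS_QUERY_LIMITED_INFORMATION,
                                    FALSE,
                                    0);
    if (!ok)
    {
        *lastError = GetLastError();
        hTarget = nullptr;
    }
    CloseHandle(hOwner);
    return hTarget;
}

// Query the system handle table, locate (wantPid, wantHandle), duplicate it
// into this process and print the PID the handle refers to.
// Returns 0 on success, -1 on any failure (a message is printed first).
static int LocateAndQuery(NTQUERYSYSTEMINFORMATION ntQuerySystemInformation,
                          ULONG wantPid, USHORT wantHandle)
{
    // ~15 MB on x64; nothrow so an allocation failure is reported rather than
    // thrown, matching the original malloc() null check.
    std::unique_ptr<SYSTEM_HANDLE_INFORMATION_EX> pInfo(new (std::nothrow) SYSTEM_HANDLE_INFORMATION_EX);
    if (!pInfo)
    {
        cout << "Out of memory allocating the handle table buffer" << endl;
        return -1;
    }

    // The original ignored the status.  On STATUS_INFO_LENGTH_MISMATCH (more
    // handles than the fixed buffer holds) the buffer is not valid and
    // NumberOfHandles must not be trusted.
    DWORD returnLength = 0;
    const NTSTATUS status = ntQuerySystemInformation(SystemHandleInformation,
                                                     pInfo.get(),
                                                     static_cast<DWORD>(sizeof(SYSTEM_HANDLE_INFORMATION_EX)),
                                                     &returnLength);
    if (status < 0)
    {
        cout << "NtQuerySystemInformation failed, status 0x" << hex
             << static_cast<unsigned long>(status) << dec
             << " (returned length " << returnLength << ")" << endl;
        return -1;
    }

    // Defensive clamp: never index past the array even if the count is odd.
    ULONG count = pInfo->NumberOfHandles;
    const ULONG capacity = sizeof(pInfo->Information) / sizeof(pInfo->Information[0]);
    if (count > capacity)
        count = capacity;

    for (ULONG r = 0; r < count; r++)
    {
        const SYSTEM_HANDLE_INFORMATION& entry = pInfo->Information[r];
        if (entry.ProcessId != wantPid || entry.Handle != wantHandle)
            continue;

        DWORD err = 0;
        DWORD pid = 0;

        // Demonstration only: a handle value from ANOTHER process's table is
        // meaningless in ours.  Expect error 6 (ERROR_INVALID_HANDLE); it could
        // even hit one of our own handles by coincidence and return a wrong PID.
        if ((pid = GetProcessId(reinterpret_cast<HANDLE>(static_cast<ULONG_PTR>(entry.Handle)))) == 0)
        {
            err = GetLastError();
            cout << "The 1st GetProcessId error : " << err << endl;
        }

        HANDLE hTarget = DuplicateHandleForQuery(entry.ProcessId, entry.Handle, &err);
        if (hTarget == nullptr)
        {
            cout << "DuplicateHandle error : " << err << endl;
            return -1;
        }

        pid = GetProcessId(hTarget);
        err = GetLastError();
        CloseHandle(hTarget);  // the original leaked both this and the owner handle
        if (pid == 0)
        {
            cout << "GetProcessId error : " << err << endl;
            return -1;
        }
        cout << "The 2nd GetProcessId succeed, " << "ProcessId =  " << pid << endl;
        return 0;  // a handle value occurs at most once in one process's table
    }

    cout << "Handle 0x" << hex << wantHandle << dec << " not found in process " << wantPid << endl;
    return -1;
}

// Entry point.  Defaults reproduce the experiment above (pid 11972, handle
// 0x108); `<owner-pid> <handle-value>` on the command line overrides them so
// the program is not tied to one particular run.
int main(int argc, char** argv)
{
    ULONG wantPid = 11972;
    USHORT wantHandle = 0x108;
    if (argc >= 3)
    {
        unsigned long pidArg = 0;
        unsigned long handleArg = 0;
        // Handle values in this information class are 16-bit, so anything
        // above 0xFFFF could never match an entry.
        if (!ParseNumberArg(argv[1], 0xFFFFFFFFul, &pidArg) ||
            !ParseNumberArg(argv[2], 0xFFFFul, &handleArg))
        {
            cout << "usage: " << argv[0] << " [<owner-pid> <handle-value>]" << endl;
            return -1;
        }
        wantPid = static_cast<ULONG>(pidArg);
        wantHandle = static_cast<USHORT>(handleArg);
    }

    // ntdll is mapped into every process, so this only bumps its reference
    // count; it is balanced by FreeLibrary below (the original used the legacy
    // FreeModule alias and skipped it on the error paths).
    HMODULE hNtDll = LoadLibraryW(L"ntdll.dll");
    if (hNtDll == nullptr)
    {
        cout << "LoadLibrary(ntdll.dll) error : " << GetLastError() << endl;
        return -1;
    }

    int result = -1;
    NTQUERYSYSTEMINFORMATION ntQuerySystemInformation =
        reinterpret_cast<NTQUERYSYSTEMINFORMATION>(GetProcAddress(hNtDll, "NtQuerySystemInformation"));
    if (ntQuerySystemInformation == nullptr)
    {
        cout << "GetProcAddress(NtQuerySystemInformation) error : " << GetLastError() << endl;
    }
    else
    {
        result = LocateAndQuery(ntQuerySystemInformation, wantPid, wantHandle);
    }

    FreeLibrary(hNtDll);
    getchar();  // keep the console open, also after a failure
    return result;
}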

结果:

The 1st GetProcessId error : 6
The 2nd GetProcessId succeed, ProcessId =  10924
    for (SYSTEM_HANDLE a : getAllProcessesHandle()) {
        if ((HANDLE)a.wValue == isthehandleiwant) {
            owner = OpenProcess(PROCESS_DUP_HANDLE, false, a.dwProcessId);
            bool duplicatestatus = DuplicateHandle(owner, (HANDLE)a.wValue, GetCurrentProcess(), &duplicatedHandle, DUPLICATE_SAME_ACCESS, false, 0);
            
        }                       
    }

std::cout << std::dec << GetProcessId(duplicatedHandle) << " TEST " << std::endl;
return duplicatedHandle;