01 Global Handle Table
1. Global handle table
<1> Every process and thread is in this table, whether or not it has been opened.
<2> Every process and thread has a unique number, the PID or CID; these values are in fact indices into the global handle table.
Process and thread lookup relies mainly on the following three functions, which take a PID or CID and find the corresponding process or thread object in PspCidTable:
PspLookupProcessThreadByCid()
PspLookupProcessByProcessId()
PspLookupThreadByThreadId()
2. Global handle table structure
3. Observing the handle table
Finding the kernel object in PspCidTable by PID
First, open Calculator in the virtual machine and check its PID in Task Manager; it is 240.
240 / 4 = 60, which is 0x3C in hexadecimal (a PID or TID divided by 4 gives the index of its entry in the table).
View the global handle table:
kd> dd PspCidTable
80562560 e1001650 00000002 00000001 00000000
80562570 00000000 00000000 00000000 00000000
80562580 e176e18f 00000000 00000000 00000000
80562590 00000000 00000000 00000000 00000000
805625a0 e175e18f 00000000 00000000 00000000
805625b0 00000000 00000000 00000000 00000000
805625c0 00000001 00000000 00000000 00000000
805625d0 00000000 00000000 00000000 00000000
View the structure of the first handle table (the pointer stored in PspCidTable, 0xe1001650):
kd> dt _HANDLE_TABLE e1001650
ntdll!_HANDLE_TABLE
+0x000 TableCode : 0xe1003000
+0x004 QuotaProcess : (null)
+0x008 UniqueProcessId : (null)
+0x00c HandleTableLock : [4] _EX_PUSH_LOCK
+0x01c HandleTableList : _LIST_ENTRY [ 0xe100166c - 0xe100166c ]
+0x024 HandleContentionEvent : _EX_PUSH_LOCK
+0x028 DebugInfo : (null)
+0x02c ExtraInfoPages : 0n0
+0x030 FirstFree : 0x7cc
+0x034 LastFree : 0x208
+0x038 NextHandleNeedingPool : 0x800
+0x03c HandleCount : 0n356
+0x040 Flags : 1
+0x040 StrictFIFO : 0y1
Find the entry for the calculator's PID in the handle table (TableCode 0xe1003000, 8 bytes per entry, index 0x3C):
kd> dq 0xe1003000+3C*8
e10031e0 00000000`86721da1 00000000`868f2b21
e10031f0 000005f8`00000000 000007f4`00000000
e1003200 00000558`00000000 00000000`8693ba71
e1003210 000006e8`00000000 0000019c`00000000
e1003220 0000010c`00000000 00000000`866b7741
e1003230 00000000`866d7021 00000000`86719021
e1003240 000005d0`00000000 00000000`86a44da1
e1003250 00000000`86a95be1 00000000`869a23d9
View the calculator process information (the entry's Object value 0x86721da1 with its low flag bits cleared gives the _EPROCESS address 0x86721da0):
kd> dt _EPROCESS 86721da0
ntdll!_EPROCESS
+0x000 Pcb : _KPROCESS
+0x06c ProcessLock : _EX_PUSH_LOCK
+0x070 CreateTime : _LARGE_INTEGER 0x01d4c663`2617b79c
+0x078 ExitTime : _LARGE_INTEGER 0x0
+0x080 RundownProtect : _EX_RUNDOWN_REF
+0x084 UniqueProcessId : 0x000000f0 Void
+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x86a44e28 - 0x86a29a20 ]
+0x090 QuotaUsage : [3] 0x9d8
+0x09c QuotaPeak : [3] 0xc10
+0x0a8 CommitCharge : 0x172
+0x0ac PeakVirtualSize : 0x22ed000
+0x0b0 VirtualSize : 0x1f1b000
+0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x86a44e54 - 0x86a29a4c ]
+0x0bc DebugPort : (null)
+0x0c0 ExceptionPort : 0xe14893a8 Void
+0x0c4 ObjectTable : 0xe23c9570 _HANDLE_TABLE
+0x0c8 Token : _EX_FAST_REF
+0x0cc WorkingSetLock : _FAST_MUTEX
+0x0ec WorkingSetPage : 0x35057
+0x0f0 AddressCreationLock : _FAST_MUTEX
+0x110 HyperSpaceLock : 0
+0x114 ForkInProgress : (null)
+0x118 HardwareTrigger : 0
+0x11c VadRoot : 0x8690b750 Void
+0x120 VadHint : 0x86740da0 Void
+0x124 CloneRoot : (null)
+0x128 NumberOfPrivatePages : 0xc2
+0x12c NumberOfLockedPages : 0
+0x130 Win32Process : 0xe121a298 Void
+0x134 Job : (null)
+0x138 SectionObject : 0xe227b6d0 Void
+0x13c SectionBaseAddress : 0x01000000 Void
+0x140 QuotaBlock : 0x86a4d2b0 _EPROCESS_QUOTA_BLOCK
+0x144 WorkingSetWatch : (null)
+0x148 Win32WindowStation : 0x00000038 Void
+0x14c InheritedFromUniqueProcessId : 0x000005e0 Void
+0x150 LdtInformation : (null)
+0x154 VadFreeHint : (null)
+0x158 VdmObjects : (null)
+0x15c DeviceMap : 0xe16ac9c8 Void
+0x160 PhysicalVadList : _LIST_ENTRY [ 0x86721f00 - 0x86721f00 ]
+0x168 PageDirectoryPte : _HARDWARE_PTE_X86
+0x168 Filler : 0
+0x170 Session : 0xf7a9d000 Void
+0x174 ImageFileName : [16] "calc.exe"
+0x184 JobLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x18c LockedPagesList : (null)
+0x190 ThreadListHead : _LIST_ENTRY [ 0x868f2d4c - 0x868f2d4c ]
+0x198 SecurityPort : (null)
+0x19c PaeTop : (null)
+0x1a0 ActiveThreads : 1
+0x1a4 GrantedAccess : 0x1f0fff
+0x1a8 DefaultHardErrorProcessing : 1
+0x1ac LastThreadExitStatus : 0n0
+0x1b0 Peb : 0x7ffd3000 _PEB
+0x1b4 PrefetchTrace : _EX_FAST_REF
+0x1b8 ReadOperationCount : _LARGE_INTEGER 0x2
+0x1c0 WriteOperationCount : _LARGE_INTEGER 0x0
+0x1c8 OtherOperationCount : _LARGE_INTEGER 0x190
+0x1d0 ReadTransferCount : _LARGE_INTEGER 0x420
+0x1d8 WriteTransferCount : _LARGE_INTEGER 0x0
+0x1e0 OtherTransferCount : _LARGE_INTEGER 0x1718
+0x1e8 CommitChargeLimit : 0
+0x1ec CommitChargePeak : 0x172
+0x1f0 AweInfo : (null)
+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
+0x1f8 Vm : _MMSUPPORT
+0x238 LastFaultCount : 0
+0x23c ModifiedPageCount : 7
+0x240 NumberOfVads : 0x3f
+0x244 JobStatus : 0
+0x248 Flags : 0x50840
+0x248 CreateReported : 0y0
+0x248 NoDebugInherit : 0y0
+0x248 ProcessExiting : 0y0
+0x248 ProcessDelete : 0y0
+0x248 Wow64SplitPages : 0y0
+0x248 VmDeleted : 0y0
+0x248 OutswapEnabled : 0y1
+0x248 Outswapped : 0y0
+0x248 ForkFailed : 0y0
+0x248 HasPhysicalVad : 0y0
+0x248 AddressSpaceInitialized : 0y10
+0x248 SetTimerResolution : 0y0
+0x248 BreakOnTermination : 0y0
+0x248 SessionCreationUnderway : 0y0
+0x248 WriteWatch : 0y0
+0x248 ProcessInSession : 0y1
+0x248 OverrideAddressSpace : 0y0
+0x248 HasAddressSpace : 0y1
+0x248 LaunchPrefetched : 0y0
+0x248 InjectInpageErrors : 0y0
+0x248 VmTopDown : 0y0
+0x248 Unused3 : 0y0
+0x248 Unused4 : 0y0
+0x248 VdmAllowed : 0y0
+0x248 Unused : 0y00000 (0)
+0x248 Unused1 : 0y0
+0x248 Unused2 : 0y0
+0x24c ExitStatus : 0n259
+0x250 NextPageColor : 0x6010
+0x252 SubSystemMinorVersion : 0 ''
+0x253 SubSystemMajorVersion : 0x4 ''
+0x252 SubSystemVersion : 0x400
+0x254 PriorityClass : 0x2 ''
+0x255 WorkingSetAcquiredUnsafe : 0 ''
+0x258 Cookie : 0x27d0b89b
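The lookup walked by hand above, as an added Python example that is not part of the original notes: it parses the dq listing (re-typed from this page with the backtick WinDbg prints inside each qword), computes the entry address from the PID the way the debugger session did, and masks the flag bits off the Object pointer. It also handles the level-1 and level-2 TableCode encodings that the session does not show; the read32 callback, the entry-size and page-count constants and the free-entry decoding are assumptions based on the 32-bit XP handle table layout.

```python
# Constructed sample input: the "dq 0xe1003000+3C*8" listing above, re-typed with WinDbg's backtick.
DQ_DUMP = """
e10031e0 00000000`86721da1 00000000`868f2b21
e10031f0 000005f8`00000000 000007f4`00000000
e1003200 00000558`00000000 00000000`8693ba71
e1003210 000006e8`00000000 0000019c`00000000
"""
TABLE_CODE = 0xE1003000           # _HANDLE_TABLE.TableCode read in the session above
ENTRY_SIZE = 8                    # sizeof(_HANDLE_TABLE_ENTRY), 32-bit XP (assumed)
LOW_COUNT = 0x1000 // ENTRY_SIZE  # 512 entries per leaf page (assumed layout)
MID_COUNT = 0x1000 // 4           # 1024 pointers per directory page (assumed layout)

def parse_dq(dump):
    """Map address -> qword for every value in a pasted WinDbg 'dq' listing."""
    qwords = {}
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        base = int(parts[0], 16)
        for i, q in enumerate(parts[1:]):
            qwords[base + 8 * i] = int(q.replace("`", ""), 16)
    return qwords

def cid_entry_address(table_code, cid, read32=None):
    """Entry address for a PID/TID: low 2 bits of TableCode are the level, PID/TID = 4 * index."""
    level, table = table_code & 3, table_code & ~3
    index = cid // 4
    if level == 2:                # page of pointers to level-1 pages (needs memory reads)
        table = read32(table + 4 * (index // (MID_COUNT * LOW_COUNT)))
        index %= MID_COUNT * LOW_COUNT
    if level >= 1:                # page of pointers to leaf entry pages
        table = read32(table + 4 * (index // LOW_COUNT))
        index %= LOW_COUNT
    return table + index * ENTRY_SIZE

def decode_entry(qword):
    """Low dword: Object pointer with flag bits (lock bit turns ...da0 into ...da1); high dword: NextFreeTableEntry when free."""
    low, high = qword & 0xFFFFFFFF, qword >> 32
    if low == 0:
        return {"object": None, "next_free": high}
    return {"object": low & ~0x7, "flags": low & 0x7, "granted_access": high}

def lookup_cid(cid, table_code=TABLE_CODE, dump=DQ_DUMP):
    """PID/TID -> (entry address, decoded entry), using the pasted dump as memory."""
    addr = cid_entry_address(table_code, cid)
    return addr, decode_entry(parse_dq(dump)[addr])
```

lookup_cid(240) returns the entry at 0xE10031E0 and the _EPROCESS address 0x86721DA0 shown in the session; lookup_cid(248) lands on a free entry whose high dword is the next-free link 0x5F8.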