- #include <stdio.h>
- #include <Windows.h>
- /*
-  * Enables privilege value 20 (SeDebugPrivilege) for the current process by
-  * calling ntdll!RtlAdjustPrivilege, resolved at run time with GetProcAddress.
-  * Returns the NTSTATUS produced by RtlAdjustPrivilege, or 0xC0000022
-  * (STATUS_ACCESS_DENIED) when the export cannot be resolved.
-  * The call is made through MSVC x86 inline assembly, so this function does
-  * not build for x64 targets.
-  */
- NTSTATUS GetDebugPrivilege()
- {
- PVOID RtlAdjustPrivilege=NULL;
- // Receives the "was previously enabled" flag; the API writes a BOOLEAN here,
- // so presumably only the low byte is meaningful -- confirm against the prototype.
- DWORD dwRetVal=0;
- NTSTATUS ntst=0xC0000022;
- RtlAdjustPrivilege=(PVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"RtlAdjustPrivilege");
- if(RtlAdjustPrivilege==NULL)
- return ntst;
- // Equivalent C call, kept for reference:
- //RtlAdjustPrivilege(20,1,0,&dwRetVal);
- // Arguments are pushed right-to-left to match that call:
- // (Privilege=20, Enable=1, CurrentThread=0, Enabled=&dwRetVal).
- // RtlAdjustPrivilege is stdcall, so the callee removes the four arguments
- // from the stack; no "add esp" is needed after the call. The status comes
- // back in EAX and is copied into ntst.
- __asm
- {
- lea eax,dwRetVal
- push eax
- push 0
- push 1
- push 20
- call RtlAdjustPrivilege
- mov ntst,eax
- }
- return ntst;
- }
- /*
- Private Function MiniLzOpenProcess(ByVal ProcessID As Long, ByVal DesiredAccess As Long) As Long
- Dim ObjectAttributes(5&) As Long, ClientId(1&) As Long, ProcessHandle As Long, PHtemp As Long, HandleTable() As Long, ProcessInfo(5&) As Long
- ObjectAttributes(0&) = 24&: ClientId(0&) = ProcessID
- If ZwOpenProcess(VarPtr(ProcessHandle), DesiredAccess, VarPtr(ObjectAttributes(0&)), VarPtr(ClientId(0&))) >= 0& Then
- PHtemp = ProcessHandle
- Else
- ReDim HandleTable(&H7FFF&)
- Do
- ReDim HandleTable(UBound(HandleTable) * 2& + 1&)
- ProcessHandle = ZwQuerySystemInformation(16&, VarPtr(HandleTable(0&)), UBound(HandleTable) * 4& + 4&, 0&)
- Loop While ProcessHandle = &HC0000004
- Do While HandleTable(0&) > 0&
- If (HandleTable(HandleTable(0&) * 4& - 2&) And &HFF&) = 5& Then
- ClientId(0&) = HandleTable(HandleTable(0&) * 4& - 3&) And &HFFFF&
- If ZwOpenProcess(VarPtr(ProcessHandle), 64&, VarPtr(ObjectAttributes(0&)), VarPtr(ClientId(0&))) >= 0& Then
- If ZwDuplicateObject(ProcessHandle,
- HandleTable(HandleTable(0&) * 4& - 2&) \ &H10000,
- -1&,
- VarPtr(PHtemp),
- DesiredAccess Or &H400&,
- 0&,
- 4&) >= 0& Then
- If ZwQueryInformationProcess(PHtemp, 0&, VarPtr(ProcessInfo(0&)), 24&, 0&) >= 0& Then
- If ProcessInfo(4&) = ProcessID Then
- goto proc_end
- End If
- ZwClose PHtemp
- End If
- End If
- ZwClose ProcessHandle
- End If
- End If
- HandleTable(0&) = HandleTable(0&) - 1&
- Loop
- PHtemp = 0&
- End If
- proc_end:
- MiniLzOpenProcess = PHtemp
- End Function
- */
- /*
-  * Returns a handle to process ProcessID opened with DesiredAccess, or NULL.
-  * It first tries ZwOpenProcess directly. If that fails it enumerates the
-  * system handle table (SystemInformation class 16), and for every entry whose
-  * object type index is 5 it opens the owning process with access 64, duplicates
-  * that handle into the current process with DesiredAccess | 0x400, and keeps
-  * the first duplicate whose UniqueProcessId equals ProcessID.
-  * bInheritHandle is accepted for signature compatibility but never used.
-  * The caller owns the returned handle. All byte offsets and structure sizes
-  * below assume a 32-bit build. Review notes on the defects in the handle-table
-  * path are placed inline where they apply.
-  */
- HANDLE DkOpenProcess(DWORD DesiredAccess, BOOL bInheritHandle, DWORD ProcessID)
- {
- //typedef function
- // OBJECT_ATTRIBUTES and CLIENT_ID are passed as plain long arrays (PLONG)
- // rather than the real structure types.
- typedef long (__stdcall *ZWOPENPROCESS)(PHANDLE, ULONG, PLONG, PLONG);
- typedef long (__stdcall *ZWQUERYSYSTEMINFORMATION)(LONG, PVOID, ULONG, PULONG);
- typedef long (__stdcall* ZWDUPLICATEOBJECT)(HANDLE, ULONG, HANDLE, PHANDLE, ACCESS_MASK, BOOLEAN, ULONG);
- typedef long (__stdcall* ZWQUERYINFORMATIONPROCESS)(HANDLE, PVOID, PVOID, ULONG, PULONG );
- typedef long (__stdcall *ZWCLOSE)(HANDLE);
- // All five routines are resolved from ntdll.dll at run time. None of the
- // results is checked for NULL before it is called.
- ZWOPENPROCESS ZwOpenProcess=(ZWOPENPROCESS)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwOpenProcess");
- ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation=(ZWQUERYSYSTEMINFORMATION)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
- ZWDUPLICATEOBJECT ZwDuplicateObject=(ZWDUPLICATEOBJECT)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwDuplicateObject");
- ZWQUERYINFORMATIONPROCESS ZwQueryInformationProcess=(ZWQUERYINFORMATIONPROCESS)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryInformationProcess");
- ZWCLOSE ZwClose=(ZWCLOSE)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwClose");
- //declare var
- // ObjectAttributes[0] holds the structure Length (24 == sizeof(OBJECT_ATTRIBUTES)
- // on 32-bit Windows); ClientId[0] is the UniqueProcess field of a CLIENT_ID;
- // ProcessInfo receives a 24-byte PROCESS_BASIC_INFORMATION.
- long ObjectAttributes[6]={0}, ClientId[2]={0}, ProcessInfo[6]={0};
- HANDLE ProcessHandle=NULL, PHtemp=NULL;
- // HandleTable is the raw SYSTEM_HANDLE_INFORMATION buffer viewed as DWORDs.
- // NOTE(review): HandleTableCount is used both as a byte count for malloc()
- // and as a DWORD count for the length passed to the kernel; see the loop below.
- PDWORD HandleTable=NULL;
- DWORD HandleTableCount=0;
- NTSTATUS st=0;
- //code
- ObjectAttributes[0]=24;
- ClientId[0]=ProcessID;
- // Fast path: a plain open with the requested access.
- if(ZwOpenProcess(&ProcessHandle, DesiredAccess, &ObjectAttributes[0], &ClientId[0]) >= 0)
- {
- PHtemp = ProcessHandle;
- }
- else
- {
- //Enum Handle Table
- // Grow the buffer until ZwQuerySystemInformation stops returning
- // 0xC0000004 (STATUS_INFO_LENGTH_MISMATCH).
- // NOTE(review): malloc() receives HandleTableCount bytes, but the length
- // reported to ZwQuerySystemInformation is (HandleTableCount-1)*4+4 bytes,
- // roughly four times the allocation, so the kernel may write past the end
- // of the buffer and corrupt the heap. The VB original sized a Long array by
- // element count, which is where the *4 came from; here the two units were
- // not reconciled. In addition, each iteration malloc()s a new buffer without
- // freeing the previous one, malloc() is never checked for NULL, and the
- // final buffer is never freed on any path.
- HandleTableCount=0x7FFF+1;
- HandleTable=(PDWORD)malloc(HandleTableCount);
- memset(HandleTable,0,HandleTableCount);
- do{
- HandleTableCount=(HandleTableCount-1)*2+1;
- HandleTable=(PDWORD)malloc(HandleTableCount);
- memset(HandleTable,0,HandleTableCount);
- st = ZwQuerySystemInformation(16, &HandleTable[0], (HandleTableCount-1)*4+4, 0);
- }while(st==0xC0000004);
- //Get Target Handle
- // HandleTable[0] is the handle count; it is reused as the 1-based index of
- // the entry being examined, walking from the last entry down to the first.
- // Entry k is read at DWORD offsets k*4-3 and k*4-2, i.e. the code assumes
- // 16-byte entries after the leading count (the 32-bit layout of
- // SYSTEM_HANDLE_TABLE_ENTRY_INFO -- confirm for the target OS):
- //   [k*4-3] & 0xFFFF   owner process id
- //   [k*4-2] & 0xFF     object type index; the value 5 is treated as "Process",
- //                      which is OS-version dependent
- //   [k*4-2] / 0x10000  handle value inside the owner process
- while(HandleTable[0] > 0)
- {
- if((HandleTable[HandleTable[0]*4-2] & 0xFF) == 5)
- {
- ClientId[0] = HandleTable[HandleTable[0]*4-3] & 0xFFFF;
- // 64 == PROCESS_DUP_HANDLE: the owner is opened only to duplicate from it.
- if(ZwOpenProcess(&ProcessHandle, 64, &ObjectAttributes[0], &ClientId[0]) >= 0)
- {
- // (HANDLE)-1 is the current-process pseudo handle. 0x400 adds
- // PROCESS_QUERY_INFORMATION so the ZwQueryInformationProcess call below is
- // permitted on the duplicate. The options value 4 is presumably
- // DUPLICATE_SAME_ATTRIBUTES -- verify.
- if(ZwDuplicateObject(ProcessHandle, HandleTable[HandleTable[0]*4-2] / 0x10000, (HANDLE)-1, &PHtemp, DesiredAccess | 0x400, 0, 4) >= 0)
- {
- // Class 0 is ProcessBasicInformation (24 bytes on 32-bit); index 4 is
- // UniqueProcessId. NOTE(review): if this query fails, PHtemp is not
- // closed, so the duplicate leaks.
- if(ZwQueryInformationProcess(PHtemp, 0, &ProcessInfo[0], 24, 0) >= 0)
- {
- if(ProcessInfo[4] == ProcessID)
- {
- // NOTE(review): jumping out here skips ZwClose(ProcessHandle) below,
- // so the owner-process handle leaks on the success path.
- goto proc_end;
- }
- ZwClose(PHtemp);
- }
- }
- ZwClose(ProcessHandle);
- }
- }
- HandleTable[0] = HandleTable[0] - 1;
- }
- // No entry matched ProcessID.
- PHtemp=NULL;
- }
- proc_end:
- return PHtemp;
- }
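- /*
-  * Entry point: enables SeDebugPrivilege for this process, reads a process id
-  * from stdin and prints the handle DkOpenProcess() returns for it (NULL when
-  * no handle could be obtained). Returns 0 normally, 1 when no process id
-  * could be parsed.
-  */
- int main()
- {
- // A negative NTSTATUS means the privilege was not enabled; report it rather
- // than silently continuing, since the outcome below depends on it.
- if(GetDebugPrivilege() < 0)
- fputs("Warning: SeDebugPrivilege was not enabled\n", stderr);
- DWORD pid=0;
- printf("Input Process id: ");
- // DWORD is unsigned, so %lu (not %ld) is the matching conversion; the
- // return value tells whether a number was actually parsed.
- if(scanf("%lu", &pid) != 1)
- {
- printf("Invalid process id\n");
- getchar();
- return 1;
- }
- HANDLE hProcess=DkOpenProcess(PROCESS_ALL_ACCESS, 0, pid);
- // A HANDLE is pointer-sized; %p prints it correctly on 32- and 64-bit builds.
- printf("Process Handle: %p", (void*)hProcess);
- // The handle is owned by this function; release it before exiting.
- if(hProcess!=NULL)
- CloseHandle(hProcess);
- getchar();
- getchar();
- return 0;
- }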
谁能告诉我是什么原因?