WIN10二级进程句柄表分析

void CD042HandleClientDlg::OnBnClickedBtntest1000()
{
    // Purpose: fill this process's handle table with 0x1001 process handles so the
    // table can be walked from the kernel debugger (the kd session below does that).
    //
    // The handles are never closed on purpose: the table entries have to stay alive
    // while they are being inspected, so this is a deliberate handle "leak" for the
    // duration of the experiment, not a resource bug to fix here.
    //
    // The requested access mask is 0x1F0000 + i, i.e. STANDARD_RIGHTS_ALL with the
    // loop index folded into the low bits.  The low bits of the access value stored
    // in each table entry (second quadword in the kd dump) therefore identify which
    // iteration created that entry.  The global array 句柄0x1000 is defined elsewhere
    // and must hold at least 0x1001 elements, since index 0x1000 is written below.

    // Resolve the two target processes by their top-level windows; abort with a
    // message box if either is not running.
    const HWND calcWnd = FindWindowA("CalcFrame", "计算器");
    if (!calcWnd)
    {
        MessageBoxA(0, "请打开计算器", 0, 0);
        return;
    }
    DWORD calcPid = 0;
    GetWindowThreadProcessId(calcWnd, &calcPid);

    const HWND notepadWnd = FindWindowA("Notepad", NULL);
    if (!notepadWnd)
    {
        MessageBoxA(0, "请打开记事本", 0, 0);
        return;
    }
    DWORD notepadPid = 0;
    GetWindowThreadProcessId(notepadWnd, &notepadPid);

    // 0x1000 handles to the calculator, one per access-mask variant.  A NULL
    // return from OpenProcess is logged as-is; it is informative for the analysis.
    char line[256];
    for (DWORD i = 0; i < 0x1000; ++i)
    {
        const DWORD access = 0x1F0000 + i;
        句柄0x1000[i] = OpenProcess(access, 0, calcPid);
        sprintf_s(line, "yjx:exe->句柄0x1000[%X]=%p 句柄权限=%X pid=%d\n", i, 句柄0x1000[i], access, calcPid);
        OutputDebugStringA(line);
    }

    // One extra handle to notepad with index 0x1000 encoded in the mask, so the
    // entry for the second process is distinguishable in the same table.
    const DWORD lastAccess = 0x1F0000 + 0x1000;
    句柄0x1000[0x1000] = OpenProcess(lastAccess, 0, notepadPid);
    sprintf_s(line, "yjx:exe->句柄0x1000[0x1000]=%p 句柄权限=%X pid=%d\n", 句柄0x1000[0x1000], lastAccess, notepadPid);
    OutputDebugStringA(line);
}

yjx:exe->句柄0x1000[FFD]=00000000000042A8 句柄权限=1F0FFD pid=6920
yjx:exe->句柄0x1000[FFE]=00000000000042AC 句柄权限=1F0FFE pid=6920
yjx:exe->句柄0x1000[FFF]=00000000000042B0 句柄权限=1F0FFF pid=6920
yjx:exe->句柄0x1000[0x1000]=00000000000042B4 句柄权限=1F1000 pid=2400

句柄值 42B0h / 4 = 10ACh（= 4268d）；10ACh / 256d：整数部分 10h，余数 ACh

handletmp=00000000000042B4
pep=FFFF85035B8D7080
pHandleTable=FFFFBC8E3BB8E9C0
tablecode=FFFFBC8E3201C001
级别=1
句柄表指针=FFFFBC8E3201C000

//整10h
kd> dq ffffbc8e3201c000+0x10*8
ffffbc8e3201c080 ffffbc8e370ec000 0000000000000000
ffffbc8e3201c090 0000000000000000 0000000000000000

kd> dq ffffbc8e370ec000
ffffbc8e370ec000 0000000000000000 0000000000004000
ffffbc8e370ec010 85035d3310500001 00000000001f3f54
ffffbc8e370ec020 85035d3310500001 00000000001f3f55
ffffbc8e370ec030 85035d3310500001 00000000001f3f56
ffffbc8e370ec040 85035d3310500001 00000000001f3f57
ffffbc8e370ec050 85035d3310500001 00000000001f3f58
ffffbc8e370ec060 85035d3310500001 00000000001f3f59
ffffbc8e370ec070 85035d3310500001 00000000001f3f5a
//余ACh
kd> dq ffffbc8e370ec000+0xAC*0x10
ffffbc8e370ecac0 85035d3310500001 00000000001f3fff
ffffbc8e370ecad0 85035d332050ffff 00000000001f1000
ffffbc8e370ecae0 0000000000000000 ffffbc8e370ecaf0
ffffbc8e370ecaf0 0000000000000000 ffffbc8e370ecb00
ffffbc8e370ecb00 0000000000000000 ffffbc8e370ecb10
ffffbc8e370ecb10 0000000000000000 ffffbc8e370ecb20
ffffbc8e370ecb20 0000000000000000 ffffbc8e370ecb30
ffffbc8e370ecb30 0000000000000000 ffffbc8e370ecb40

85035d3310500001 >> 0x10 & FFFFFFFFFFFFFFF0 = FFFF85035D331050（按有符号 64 位算术右移，高位补符号位，故结果带 FFFF 前缀）

kd> dt _EPROCESS FFFF85035D331050+0x30
ntdll!_EPROCESS
+0x570 ObjectTable : 0xffffbc8e30a3ef40 _HANDLE_TABLE
+0x578 DebugPort : (null)
+0x580 WoW64Process : 0xffff85035b8d4cf0 _EWOW64PROCESS
+0x588 DeviceMap : 0xffffbc8e2f2bb290 Void
+0x590 EtwDataSource : 0xffff85035da98010 Void
+0x598 PageDirectoryPte : 0
+0x5a0 ImageFilePointer : 0xffff85035ddafea0 _FILE_OBJECT
+0x5a8 ImageFileName : [15] "win32calc.exe"

85035d332050ffff >> 0x10 & FFFFFFFFFFFFFFF0 = FFFF85035D332050（同上，算术右移后高位补符号位）

kd> dt _EPROCESS FFFF85035D332050+0x30
ntdll!_EPROCESS
+0x570 ObjectTable : 0xffffbc8e3bb8f780 _HANDLE_TABLE
+0x578 DebugPort : (null)
+0x580 WoW64Process : 0xffff850357e1da10 _EWOW64PROCESS
+0x588 DeviceMap : 0xffffbc8e2f2bb290 Void
+0x590 EtwDataSource : 0xffff8503615ea2d0 Void
+0x598 PageDirectoryPte : 0
+0x5a0 ImageFilePointer : 0xffff850362004440 _FILE_OBJECT
+0x5a8 ImageFileName : [15] "notepad.exe"
