2. Tech
  3. Talk about the process and port mapping

Talk about the process and port mapping

xiaoxiao2021-03-06  40

Creation time: 2002-02-05

Article attribute: original

Article Source:

Www.whitecell.org

Article submission:

Ilsy (MasterUser_AT_263.NET)

Author: Ilsy

Email: Ilsy@whitecell.org

Homepage:

http://www.whitecell.org

Japanese issue: 2002-02-06

Category: Safety

Keywords: Process PDE PTE Paging Core Object Linear Address Physical Address

There are many articles about the process and port mapping. I put me in the analysis of Fport, let everyone know how fport works.

Fport.exe is a free software produced by Foundstone Team, which can list all open ports in the system that is opened by those processes.

The method described in the face is based on Fport V1.33, if there is access to the Fport on your machine, check the FPORT version.

First, it detects whether the current user has administrator privileges (by reading the token of the current process, know if the current user has administrative privileges, please refer to

Related History

/ Device / PhysicalMemory, this object is used to access the system physical memory. The prototype of thezWopensection function is as follows:

NTSYSAPI

NTSTSTUS

NTAPI

ZWOPENSECTION

Out phandle sectionhandle;

In access_mask desidaccess;

In POBJECT_ATTRIBUTES OBJECTATTRIBUTES

}

(See ntddk.h)

The first parameter gets the handle after the function performs success.

The second parameter desidaccess is a constant, which can be the following value:

#define section_query 0x0001

#define section_map_write 0x0002

#define section_map_read 0x0004

#define section_map_execute 0x0008

#define section_extend_size 0x0010

#define section_all_access (Standard_Rights_Required | Section_Query | /

Section_map_write | /

Section_map_read | /

Section_map_execute | /

Section_extend_size)

(See ntddk.h)

The third parameter is a structure that contains information such as object types to open, and the structure is defined as follows:

Typedef struct _object_attributes {

Ulong Length;

Handle rootdirectory;

Punicode_String ObjectName;

Ulong attributes;

Pvoid ​​securityDescriptor; // points to Type Security_Descriptor

Pvoid ​​securityQualityOfservice; // points to type security_quality_of_service

} Object_attributes;

TYPEDEF Object_attributes * pObject_attributes;

(See NTDEF.H)

For the initialization of this structure, it is completed with a macro:

#define InitializeObjectttributes (p, n, a, r, s) {/

(p) -> Length = sizeof (object_attributes); /

(p) -> rootdirectory = r; / (p) -> attributes = a; /

(p) -> Objectname = n; /

(p) -> securityDescriptor = s; /

(p) -> securityQualityofService = null; /

}

(See NTDEF.H)

Then, open the kernel object / device / physicalMemory as follows:

Wchar physmemname [] = l "// device // PhysicalMemory";

Void * pmapphysicalmed;

Handle Phandle;

Bool OpenphysicalMemory ()

{

NTSTATUS STATUS;

Unicode_string physmemstring;

Object_attributes attributes;

RTLINITUNICODESTRING (& physmemstring, physmemname); // Initialize the Unicode string, the function original is ntddk.h

InitializeObjectAttributes (& Attributes, & Physmemstring,

Obj_case_insensitive, null, null; // Initialize Object_Attributes structure

Status = zwopensection (Phandle, Section_Map_read, & Attributes); // Open Kernel Object / Device / PhysicalMemory to get the handle

IF (! NT_Success (status))

Return False;

PMapphysicalMemory = MapViewoffile (Phandle, File_Map_read,

0, 0x30000, 0x1000);

// Mapping 0x1000 bytes from the memory address 0x30000

IF (getLastError ()! = 0)

Return False;

Return True;

}

Why start mapping from 0x30000, so, we know, under Windows NT / 2000, the system is divided into kernel mode and user mode, that is, us

The Ring0 and Ring3, under Windows NT / 2000, the process we can see is running under RING3, in general, system processes (that is, SYSTEM)

Process) Page Capitalalog (PDE) The physical address address of 0x30000, or said that the physical address of the smallest page directory in the system is 0x30000. Page Directory (PDE)

1024 components, each pointing one page (PTE), each page table is also composed of 1024 sheets, while the size of each page is 4K, 1024 * 4 = 4096 (0x1000), so

The address 0x30000 began to map 0x1000 bytes. (Specific description see WebCrazy article << 小 小 议 议 议 n n 机 机 机 >>)

After the program opens the kernel object / device / physicalmemory, continue to open kernel objects / device / TCP and Device / UDP, Zwopenfile with functions.

The prototype of the function is as follows:

NTSYSAPI

NTSTATUS

NTAPI

Zwopenfile

Out phaldle filehandle,

IN Access_mask desidaccess,

In Pobject_Attributes Objectttributes,

OUT PIO_STATUS_BLOCK IOSTATUSBLOCK,

In Ulong ShareAccess,

In Ulong OpenOptions

);

(See ntddk.h)

The first parameter returns the handle of the open object

The second parameter desidaccess is a constant, which can be the following value:

#define file_read_data (0x0001) // File & Pipe

#define file_list_directory (0x0001) // DIRECTORY

#define file_write_data (0x0002) // File & Pipe

#DEFINE FILE_ADD_FILE (0x0002) // Directory

#define file_append_data (0x0004) // File

#DEFINE FILE_ADD_SUBDIRECTORY (0x0004) // Directory

#define file_create_pipe_instance (0x0004) // Named PIPE

#define file_read_ea (0x0008) // File & Directory

#define file_write_ea (0x0010) // File & Directory

#define file_execute (0x0020) // file

#define file_traverse (0x0020) // Directory

#define file_delete_child (0x0040) // Directory

#define file_read_attributes (0x0080) // all

#define file_write_attributes (0x0100) // all

#define file_all_access (Standard_Rights_Required | Synchronize | 0x1FF)

#define file_generic_read (standard_rights_read | /

FILE_READ_DATA | /

FILE_READ_ATTRIBUTES | /

FILE_READ_EA | /

SYNCHRONIZE

#define file_generic_write (Standard_Rights_Write | /

FILE_WRITE_DATA | /

FILE_WRITE_ATTRIBUTES | /

FILE_WRITE_EA | /

FILE_APPEND_DATA | /

SYNCHRONIZE

#define file_generic_execute (standard_rights_execute | /

FILE_READ_ATTRIBUTES | /

FILE_EXECUTE | /

SYNCHRONIZE

(See NTDEF.H)

The third parameter is a structure that contains information such as object types to open, and the structural definition is shown above.

The fourth parameter returns the properties of the open object, is a structure, defined as follows:

Typedef struct _io_status_block {

Union {

NTSTATUS STATUS;

PVOID POINTER;

}

Ulong_ptr information;

} }_Status_block, * pio_status_block;

#if Defined (_Win64)

Typedef struct _io_status_block32 {

NTSTATUS STATUS;

Ulong information;

} IO_STATUS_BLOCK32, * PIO_STATUS_BLOCK32;

#ENDIF

(See ntddk.h)

The fifth parameter ShareAccess is a constant, which can be the following value:

#define file_share_read 0x00000001 // Winnt

#define file_share_write 0x00000002 // Winnt

#define file_share_delete 0x00000004 // WinNT

(See ntddk.h)

The sixth parameter OpenOptions is also a constant, which can be the following values:

#define file_directory_file 0x00000001

#define file_write_through 0x00000002

#define file_sequential_only 0x00000004

#define file_no_intermediate_buffering 0x00000008

#define file_synchronous_io_alert 0x00000010

#define file_synchronous_io_nonalert 0x00000020

#define file_non_directory_file 0x00000040

#define file_create_tree_connection 0x00000080

#define file_complete_if_oplocked 0x00000100

#define file_no_ea_knowledge 0x00000200

#define file_open_for_recovery 0x00000400

#define file_random_access 0x00000800

#define file_delete_on_close 0x00001000

#define file_open_BY_FILE_ID 0x00002000

#define file_open_for_backup_intent 0x00004000

#define file_no_compression 0x00008000

#DEFINE FILE_RESERVE_OPFILTER 0x00100000

#define file_open_reparse_point 0x00200000

#define file_open_no_recall 0x00400000

#define file_open_for_free_space_Query 0x00800000

#define file_copy_structured_storage 0x00000041

#define file_structured_storage 0x00000441 # Define file_valid_option_flags 0x00ffffff

#define file_valid_pipe_option_flags 0x00000032

#define file_valid_mailslot_option_flags 0x00000032

#define file_valid_set_flags 0x00000036

(See ntddk.h)

Then, open the kernel object / device / TCP and / Device / UDP statement as follows:

Wchar physmemnametcp [] = l "// device // TCP";

Wchar physmemnameudp [] = l "// device // UDP";

Handle ptcphandle;

Handle pudphandle;

Handle OpenDevicetcpudp (Wchar * DeviceName)

{

NTSTATUS STATUS;

Unicode_string physmemstring;

Object_attributes attributes;

IO_STATUS_BLOCK IOSB;

Handle PDEviceHandle;

RTLinitunicodeString (& physmemstring, deficename);

IF (getLastError ()! = 0)

Return NULL;

InitializeObjectAttributes (& Attributes, & Physmemstring,

Obj_case_insensitive, 0, null;

Status = Zwopenfile (& PDeviceHandle, 0x100000, & Attributes, & iOSB, 3, 0);

IF (! NT_Success (status))

Return NULL;

}

Next, the program uses the ZWQuerySystemInformation function to obtain the system currently the created handle and its related information, the prototype of the function is as follows:

NTSYSAPI

NTSTATUS

NTAPI

ZwQuerySystemInformation

In system_information_class systeminformationclass,

In Out Pvoid ​​SystemInformation,

In Ulong SystemInformationLength,

OUT Pulong ReturnLength Optional

}

(This function structure Microsoft is not open, see Gary Nebbett << Windows NT / 2000 Native API Reference >>)

The first parameter is an enumeration, setting the type of system information to query, ZwQuerySystemInformation supports the query of 54 system information, we have to use

Is its No. 16 function for systemHandleinformation query.

The system_handle_information structure is defined as follows:

Typedef struct _system_handle_information {

Ulong processid; // logo ID ID

Uchar ObjectTypenumber; // Object Type

Uchar flags; // 0x01 = protect_from_close, 0x02 = inherit

Ushort Handle; // The value of the object handle of the PVOID Object; // The kernel object address referred to in the object handle

Access_mask grantedAccess; // Create access to objects permitted when handle

} System_handle_information, * psystem_handle_information;

(This function structure Microsoft is not open, see Gary Nebbett << Windows NT / 2000 Native API Reference >>)

The result of the second parameter output query

The third parameter sets the length of the buffer

The fourth parameter return function correctly performs the size of the buffer required

code show as below:

#define systemHandleinformation 16

Pulong getHandList ()

{

Ulong cbuffer = 0x1000; // Set a smaller buffer space first

Pulong PBuffer = New Ulong [CBBuffer]; // Assign Memory

NTSTATUS STATUS;

DO

{

Status = ZwQuerySystemInformation

SystemHandleInformation,

PBUFFER, CBBUFFER * SIZEOF * PBUFFER, NULL;

IF (status == status_info_length_mismatch)

{

/ / If the return error message is not enough to buffer, then reassign the memory

delete [] PBuffer;

PBuffer = new ulong [cbuffer * = 2];

}

Else if (! NT_SUCCESS (STATUS))

{

// If you are other error messages, return

delete [] PBuffer;

Return False;

}

}

While (status == status_info_length_mismatch);

Return PBuffer;

}

Because if a process opens a port, it will definitely create kernel objects for / device / tcp and / device / udp, so we open in the current process.

The above two kernel objects are opened while opening the open handle, so we can find object handles in the current process in the handle list.

The value of the number of handles we save the two open kernel objects, and get the address of the kernel object points to the handle pointing. The code is as follows:

DWORD TCPHANDLE;

DWORD UDPHANDLE;

DWORD GETTCPUDPOBJECT (Pulong PBuffer, Handle Phandle, DWORD Process)

{

DWORD OBJTYPE1, OBJTYPE2, HANDLEOBJECT

Psystem_handle_information pprocesses = (psystem_handle_information) (PBuffer 1);

For (i = 0; i <* pBuffer; i )

{

IF (PPROCESS [i] .processid) == ProcessID)

{

Objtype1 = (dword) hdevicetcpudp;

Objtype2 = (dword) pprocesses [i] .handle;

IF (Objtype1 == Objtype2)

{

HandleObject = (dword) pprocesses.object;

Return HandleObject;

}

}

Return 0;

}

This kernel object address is a linear address, we need to convert this address to a physical address and get some related data. In the fport, the conversion is this:

(Specific description see WebCrazy article << 小 小 议 n n 分 分 机 >>) Void * NewMapPhy;

Void getPte (DWORD OBJADDRESS)

{

DWORD Physmembuff;

DWord Newaddress1, Newaddress2, Newaddress3, Newaddress4;

DWORD * NEWADDRESS;

Physmembuff = (dword) PMapphysicalMemory;

Newaddress1 = Physmembuff (Objaddress >> 0x16) * 4;

Newaddress = (dword *) newdress1;

Newaddress1 = * newdress;

Newaddress2 = objaddress & 0x3ff000;

Newaddress3 = newdress1 & 0x0fffff000;

Newaddress4 = newaddress2 newaddress3;

NewMapphy = MapViewoffile (GhphysicalMemory, file_map_read, 0, newaddress4, 0x1000);

/ / Re-map physical memory, get the physical address content of the PTE pointed to by the current linear address

}

Then get the physical page pointed to by this address according to the linear address of the kernel object, to obtain a page embodied in the contents of the current kernel object, as follows:

Typedef struct {

Ulong present;

Ulong WriteTable;

Ulong user;

Ulong Writethru;

Ulong nocache;

Ulong Accessed;

Ulong dirty;

Ulong pagesize;

Ulong global;

Ulong Available;

Ulong PFN;

} PTE, * PPTE;

(Note: I can't guarantee the correctness of this structure, but we only use two values, for the program, this structure is working, ^ _ ^)

code show as below:

Ulong currwritetable;

Ulong nocache;

Void getMustPar (DWORD OBJADDRESS)

{

DWORD CURRADDRESS;

Curraddress = Objaddress & 0xFFF;

PPTE PTE = (PPTE) ((DWORD) NEWMAPPHY CURRADDRESS;

CurrwriteTable = PTE-> WriteTable;

Currnocache = PTE-> Nocache;

}

Ok, we have already wanted to get it now, and you need to do it is the traversal process, with each handle in every process (huh, not every handle,

Under Windows NT, the / device / TCP and / Device / UDP handle type value is 0x16, the core address of this value of 0x1a under Windows 2000 is described above.

The way to get its PTE content, get its WRITETABLE value, if the kernel object / device / TCP and / device / udp are equal, this handle is possible to open

A port, confirmed this handle, it is possible. The confirmation code is as follows:

Typedef struct _tdi_connection_info {

Ulong State;

Ulong evenet;

Ulong Transmittedtsdus;

Ulong receivedtsdus;

Ulong TransmissionerRors;

Ulong receiveErro;

Large_integer throughput; large_integer delay;

Ulong sendbuffersize;

Ulong receivebuffersize;

Boolean unreliable;

} TDI_CONNECTION_INFO, * PTDI_CONNECTION_INFO;

Typedef struct _tdi_connection_information {

Long UserDaratangth;

Pvoid ​​Userdata;

Long OptionsLENGTH;

PVOID OPTION;

Long RemoteAddressLength;

PVOID Remoteaddress;

} TDI_CONNECTION_INFORMATION, * PTDI_CONNECTION_INFORMATION

(See tdi.h above the structure)

Void getopenport (DWORD DWPROCESSID, Ushort Handle, INT NOCACHE)

// dwprocessesid for the process identifier ID

/ / Handle is the handle of the process and is compared to / device / TCP or / Device / UDP type

// Nocache is a value in the PTE structure

{

Handle hproc, duphandle = null;

Handle heven = NULL;

Overlapped overlap;

U_SHORT OPENPORT;

INT i = 0;

Char procname [256] = {0};

INT portflag = 0;

Overlap.internal = 0;

Overlap.internalHigh = 0;

Overlap.offset = 0;

Overlap.offsethigh = 0;

HEVEN = CREATEEVENT (0, 1, 0, 0);

Overlap.hevent = heven;

Hproc = OpenProcess (Process_Dup_Handle,

0,

DWProcesSid;

IF (HPROC)

{

DuplicateHandle (HProc,

(Handle) Handle,

GetCurrentProcess (),

& Duphandle,

0,

False,

2);

CloseHandle (HPROC);

IF (duphandle)

{

TDI_CONNECTION_INFO TDICONNINFO = {0};

TDI_CONNECTION_INFORMATION TDICONNINFORMATION = {0};

DWORD DWRETU = 0;

IF (nocache == 0x2)

{

Tdiconninformation.RemoteAddressLength = 4;

IF (DEVICEIOCONTROL (Duplacele, 0x210012,

& TdiconnInformation, Sizeof (TDiConnInformation),

& TdiconnInfo, Sizeof (TDiConnInfo),

0, & overlap))

/ / TDI query to get information about the connection

{

Openport = NTOHS ((u_short) tdiconninfo.receivedtsdus);

Procname = getProcName (dwprocessesid); // Get the process name of the process identification ID

Printf ("PID =% 4D ProcessName =% 15S port =% 4D / N", dwprocessesid, procname, openport);}

}

IF (nocache == 0x1)

{

Tdiconninformation.RemoteAddressionLength = 3;

IF (DEVICEIOCONTROL (Duplacele, 0x210012,

& TdiconnInformation, Sizeof (TDiConnInformation),

& TdiconnInfo, Sizeof (TDiConnInfo),

0, & overlap))

/ / TDI query to get information about the connection

{

Openport = NTOHS ((u_short) tdiconninfo.receivedtsdus);

Procname = getProcName (dwprocessesid); // Get the process name of the process identification ID

Printf ("PID =% 4D ProcessName =% 15S Port =% 4D / N", DWProcesSid, Procname, OpenPort;

}

}

}

}

CloseHandle (HEVEN);

CloseHandle (Duphandle);

}

The above is my analysis of fport.exe and its current code, the demo can download from Whitecell.org, if you find problems, please inform me, ^ _ ^

reference:

Fport.exe

Gary Nebbett << Windows NT / 2000 Native API Reference >>

Webcrazy << 小 议 议 议 w w n 200 n 机 >>

NTDDK

about Us:

WSS (WhiteCell Security Systems), a non-profit private technology organization, dedicated to various system safety techniques. Adhere to the traditional Hacker spirit, pursue the pureness of technology.

WSS Home:

http://www.whitecell.org/

WSS Forum:

http://www.whitecell.org/forum/

转载请注明原文地址:https://www.9cbs.com/read-58680.html

9cbs

New Post(0)