#include "includes.hpp"
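/// Queries the system handle table (SystemHandleInformation) and copies every
/// entry whose object type index matches OBJECT_TYPE_NUMBER::Process into
/// `out_proc_handles_vec`.
///
/// @param out_proc_handles_vec  Receives the matching entries; cleared first.
/// @return false when the output pointer is null, the query fails with a
///         status other than STATUS_INFO_LENGTH_MISMATCH, or the table reports
///         zero handles; true otherwise (possibly with an empty result).
///
/// NOTE(review): ObjectTypeIndex numbering is assigned by the running Windows
/// build, so OBJECT_TYPE_NUMBER::Process must match that build — confirm where
/// the enum is defined.
bool EnumProcessHandles(std::vector<SYSTEM_HANDLE_TABLE_ENTRY_INFO>* out_proc_handles_vec)
{
    if (!out_proc_handles_vec)
    {
        return false;
    }
    out_proc_handles_vec->clear();

    // Start with a few pages and grow on STATUS_INFO_LENGTH_MISMATCH. The table
    // can change between two calls, so one extra page of slack is added each
    // time. std::vector owns the buffer so every return path frees it.
    std::vector<BYTE> handles_buf(PAGE_SIZE * 5);
    ULONG size_out = 0;
    auto status = NATIVE::NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS::SystemHandleInformation,
                                                   handles_buf.data(),
                                                   static_cast<ULONG>(handles_buf.size()),
                                                   &size_out);
    while (status == STATUS_INFO_LENGTH_MISMATCH)
    {
        handles_buf.assign(static_cast<size_t>(size_out) + PAGE_SIZE, 0);
        status = NATIVE::NtQuerySystemInformation(SYSTEM_INFORMATION_CLASS::SystemHandleInformation,
                                                  handles_buf.data(),
                                                  static_cast<ULONG>(handles_buf.size()),
                                                  &size_out);
    }
    // Any other failure (e.g. access denied) leaves the buffer unpopulated, so
    // it must not be parsed as a SYSTEM_HANDLE_INFORMATION.
    if (!NT_SUCCESS(status))
    {
        return false;
    }

    const auto* handle_info = reinterpret_cast<const SYSTEM_HANDLE_INFORMATION*>(handles_buf.data());
    const size_t handles_count = handle_info->NumberOfHandles;
    // An empty table is reported as failure, as before.
    if (handles_count == 0)
    {
        return false;
    }

    const SYSTEM_HANDLE_TABLE_ENTRY_INFO* entry = handle_info->Handles;
    for (size_t i = 0; i < handles_count; ++i, ++entry)
    {
        if (static_cast<OBJECT_TYPE_NUMBER>(entry->ObjectTypeIndex) == OBJECT_TYPE_NUMBER::Process)
        {
            out_proc_handles_vec->push_back(*entry);
        }
    }
    return true;
}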
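/// Filters a system handle list down to handles that other processes hold to
/// `target_pid`, optionally requiring a set of access bits.
///
/// @param sys_handles_vec       Entries as produced by EnumProcessHandles();
///                              must be non-null and non-empty.
/// @param target_pid            Process the handle must refer to. Confirmed by
///                              duplicating the handle and calling GetProcessId().
/// @param out_proc_handles_vec  Receives one HANDLE_INFO per match; cleared first.
/// @param desired_access        Bits that must all be set in GrantedAccess, or
///                              HJ_HANDLE_ANY_ACCESS to skip the access check.
/// @return false if an input pointer is null or the input list is empty; true
///         otherwise, even when nothing matched.
///
/// Entries owned by the target itself or by the current process are skipped,
/// as are owners that cannot be opened with PROCESS_DUP_HANDLE.
bool FindProcessHandles(const std::vector<SYSTEM_HANDLE_TABLE_ENTRY_INFO>* sys_handles_vec, DWORD target_pid, std::vector<HANDLE_INFO>* out_proc_handles_vec, ACCESS_MASK desired_access)
{
    if (!sys_handles_vec || sys_handles_vec->empty() || !out_proc_handles_vec)
    {
        return false;
    }
    out_proc_handles_vec->clear();

    // Loop-invariant: query the caller's PID once instead of per entry.
    const DWORD self_pid = GetCurrentProcessId();

    for (const auto& h_info : *sys_handles_vec)
    {
        // NOTE: UniqueProcessId in this entry type is 16-bit, so PIDs above
        // 0xFFFF are truncated here; the GetProcessId() comparison below is
        // what actually confirms which process the handle refers to.
        const WORD current_pid = h_info.UniqueProcessId;
        if (current_pid == target_pid || current_pid == self_pid)
        {
            continue;
        }
        if (desired_access != HJ_HANDLE_ANY_ACCESS && (h_info.GrantedAccess & desired_access) != desired_access)
        {
            continue;
        }

        HANDLE h_owner = OpenProcess(PROCESS_DUP_HANDLE, FALSE, current_pid);
        if (!h_owner)
        {
            continue;
        }

        // Duplicate with only the access GetProcessId() needs. The owner handle
        // is not required once the duplicate exists, so it is closed on every
        // path right here instead of in each branch below.
        const HANDLE src_handle = reinterpret_cast<HANDLE>(static_cast<std::uintptr_t>(h_info.HandleValue));
        HANDLE dst_handle = nullptr;
        const BOOL duplicated = DuplicateHandle(h_owner, src_handle, GetCurrentProcess(), &dst_handle,
                                                PROCESS_QUERY_LIMITED_INFORMATION, FALSE, 0);
        CloseHandle(h_owner);
        if (!duplicated)
        {
            continue;
        }

        const bool refers_to_target = GetProcessId(dst_handle) == target_pid;
        CloseHandle(dst_handle);
        if (!refers_to_target)
        {
            continue;
        }

        HANDLE_INFO hi{};
        hi.granted_access = h_info.GrantedAccess;
        hi.handle = src_handle;
        hi.owner_pid = h_info.UniqueProcessId;
        out_proc_handles_vec->push_back(hi);
    }
    return true;
}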