Friday, August 5, 2011

Hijacking a kernel handle

Why do we need a handle at all?
A handle is just a reference to an object, and once you are in the kernel it is a convenient way to get at that object. So why would kernel code need one? Because the kernel APIs we want to call take a HANDLE as a parameter. Working on the object directly instead would mean reimplementing a lot of non-exported logic, which is rarely practical. The standard kernel APIs rely on handles in many cases, and for various reasons we often cannot obtain a handle to the object we want (a protected process, for example). This post discusses how to get a usable handle anyway.

1. Creating a handle
ObpCreateHandle looks at AccessMode and the handle attributes. For a user-mode caller it uses the current process's table:
    ObjectTable = PsGetCurrentProcess()->ObjectTable
If a driver opens the handle (AccessMode == KernelMode with OBJ_KERNEL_HANDLE in the attributes), it uses the kernel handle table instead:
    ObjectTable = ObpKernelHandleTable
ObpKernelHandleTable is a non-exported pointer to a HANDLE_TABLE. It is created during system initialization (ObInitSystem) and attached to the System process, i.e. it is the System process's ObjectTable. Handles from this table have the high bit set (KERNEL_HANDLE_MASK, 0x80000000 on 32-bit), which is how ObReferenceObjectByHandle knows which table to look in; clear that bit before using the value as an index.
ObpCreateHandle then calls ObpIncrementHandleCount to bump the object's handle count; nothing needs to be done about that here.
Next it calls ExCreateHandle to create the handle. Inside, ExpAllocateHandleTableEntry allocates a HANDLE_TABLE_ENTRY and a handle; the handle's value is produced and finalized at this point. ExpAllocateHandleTableEntry is the core of handle allocation and involves the table data structures, which we leave aside.
What matters is that ObpCreateHandle returns the handle and adds a HANDLE_TABLE_ENTRY to ObjectTable:
   +0x000 Object           : Ptr32 Void
The HANDLE_TABLE_ENTRY holds our object. On XP/2003 the Object field points to the OBJECT_HEADER (the object body follows the header), with the low bits reused for the handle attributes (OBJ_PROTECT_CLOSE, OBJ_INHERIT, OBJ_AUDIT_OBJECT_CLOSE); the entry's GrantedAccess mask follows at +0x004.

2. Mapping a handle to its OBJECT
This depends on the format of the HandleTable, which has been covered at length elsewhere online and is not repeated here. The handle itself is an EXHANDLE (from WRK [1]):
    typedef struct _EXHANDLE {
        union {
            struct {
                ULONG TagBits : 2;
                ULONG Index   : 30;
            };
            HANDLE    GenericHandleOverlay;
            ULONG_PTR Value;
        };
    } EXHANDLE, *PEXHANDLE;

So a HANDLE is just a number with two parts: TagBits, the low two bits (zero for a table handle, which is why handle values are multiples of 4), and Index, the entry number. How the index selects an entry is shown by the lookup function below, a simplified ExpLookupHandleTableEntry from WRK handle.c [1]. The low two bits of TableCode give the table's level (0: one page of entries; 1: a page of pointers to entry pages; 2: a page of pointers to mid-level pages) and the remaining bits are the page address. On XP x86 a page holds 512 eight-byte entries or 1024 pointers, so the index is split into its low 9 bits, the next 10 bits, and the remainder:
    #define TABLE_LEVEL_MASK 3      // low two bits of TableCode hold the level
    #define LOWLEVEL_COUNT   512    // PAGE_SIZE / sizeof(HANDLE_TABLE_ENTRY)
    #define MIDLEVEL_COUNT   1024   // PAGE_SIZE / sizeof(PHANDLE_TABLE_ENTRY)

    PHANDLE_TABLE_ENTRY
    LookupHandleTableEntry(
        IN PHANDLE_TABLE HandleTable,
        IN EXHANDLE      Handle
        )
    {
        ULONG i, j, k;
        PHANDLE_TABLE_ENTRY Entry = NULL;
        ULONG_PTR TableCode = HandleTable->TableCode & ~TABLE_LEVEL_MASK;

        // Handle.Index is the handle value divided by 4 (TagBits dropped).
        // For a kernel handle, clear KERNEL_HANDLE_MASK before getting here.
        k = Handle.Index % LOWLEVEL_COUNT;                     // slot in the low-level page
        j = (Handle.Index / LOWLEVEL_COUNT) % MIDLEVEL_COUNT;  // slot in the mid-level page
        i = Handle.Index / (LOWLEVEL_COUNT * MIDLEVEL_COUNT);  // slot in the top-level page

        switch (HandleTable->TableCode & TABLE_LEVEL_MASK) {
        case 0:     // a single page of entries
            Entry = &((PHANDLE_TABLE_ENTRY)TableCode)[k];
            break;
        case 1:     // a page of pointers to entry pages
            if (((PVOID *)TableCode)[j])
                Entry = &((PHANDLE_TABLE_ENTRY *)TableCode)[j][k];
            break;
        case 2:     // a page of pointers to mid-level pages
            if (((PVOID *)TableCode)[i] && ((PVOID **)TableCode)[i][j])
                Entry = &((PHANDLE_TABLE_ENTRY **)TableCode)[i][j][k];
            break;
        }
        return Entry;
    }

With the HANDLE_TABLE_ENTRY in hand, we have the object the handle refers to. Two caveats: WRK first rejects Handle.Value >= HandleTable->NextHandleNeedingPool, so add that check before indexing with a handle you do not trust; and the function above matches XP and 2003 only, since later Windows versions changed the table layout.
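To check the index arithmetic, here is a user-mode model of the XP/2003 x86 handle table that compiles and runs on any host. It is an added example, not code from this post or from WRK: the page counts (512 entries per low-level page, 1024 pointers per mid-level page), the level in the low two bits of TableCode, the TagBits/Index split and KERNEL_HANDLE_MASK are the XP x86 values; HANDLE_TABLE and HANDLE_TABLE_ENTRY are cut down to the fields the lookup touches, pointers are host-sized, and InstallHandle is a simplified stand-in for the page growth ExpAllocateHandleTableEntry does.

```c
/* Added example, not code from the original post or from WRK: a user-mode
 * model of the XP/2003 x86 handle table so the three-level lookup can be run.
 * Page counts follow WRK handle.c for 4 KiB pages and 8-byte entries; pointers
 * are host-sized, so only the counts and the handle encoding are the XP ones.
 * InstallHandle stands in for ExpAllocateHandleTableEntry's growth (no free
 * list, nothing is ever freed). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define LOWLEVEL_COUNT      512u         /* PAGE_SIZE / sizeof(HANDLE_TABLE_ENTRY) */
#define MIDLEVEL_COUNT      1024u        /* PAGE_SIZE / sizeof(PVOID) */
#define LEVEL_CODE_MASK     3u           /* low two bits of TableCode */
#define KERNEL_HANDLE_MASK  0x80000000u  /* set by EncodeKernelHandle */
#define HANDLE_VALUE_INC    4u           /* TagBits are two bits: handles step by 4 */

typedef struct _HANDLE_TABLE_ENTRY {
    uintptr_t Object;                 /* object header | attribute bits */
    uint32_t  GrantedAccess;
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

typedef struct _HANDLE_TABLE {
    uintptr_t TableCode;              /* top page pointer | level */
    uint32_t  NextHandleNeedingPool;  /* first handle value with no entry yet */
} HANDLE_TABLE, *PHANDLE_TABLE;

/* EXHANDLE.Index is the handle value without TagBits; the kernel-handle bit
 * only selects which table to use, so it is dropped as well. */
static void SplitIndex(uint32_t Handle, uint32_t *i, uint32_t *j, uint32_t *k)
{
    uint32_t index = (Handle & ~KERNEL_HANDLE_MASK) / HANDLE_VALUE_INC;
    *i = index % LOWLEVEL_COUNT;                      /* slot in the low-level page */
    *j = (index / LOWLEVEL_COUNT) % MIDLEVEL_COUNT;   /* slot in the mid-level page */
    *k = index / (LOWLEVEL_COUNT * MIDLEVEL_COUNT);   /* slot in the top-level page */
}

unsigned TableLevel(PHANDLE_TABLE Table)
{
    return (unsigned)(Table->TableCode & LEVEL_CODE_MASK);
}

/* ExpLookupHandleTableEntry: NULL for a handle that was never allocated. */
PHANDLE_TABLE_ENTRY LookupHandleTableEntry(PHANDLE_TABLE Table, uint32_t Handle)
{
    uint32_t i, j, k;
    uintptr_t code = Table->TableCode & ~(uintptr_t)LEVEL_CODE_MASK;

    if ((Handle & ~KERNEL_HANDLE_MASK) >= Table->NextHandleNeedingPool)
        return NULL;
    SplitIndex(Handle, &i, &j, &k);
    switch (TableLevel(Table)) {
    case 0: { PHANDLE_TABLE_ENTRY   low = (PHANDLE_TABLE_ENTRY)code;
              return (j || k) ? NULL : &low[i]; }
    case 1: { PHANDLE_TABLE_ENTRY  *mid = (PHANDLE_TABLE_ENTRY *)code;
              return (k || !mid[j]) ? NULL : &mid[j][i]; }
    case 2: { PHANDLE_TABLE_ENTRY **top = (PHANDLE_TABLE_ENTRY **)code;
              return (!top[k] || !top[k][j]) ? NULL : &top[k][j][i]; }
    default:  return NULL;
    }
}

/* A fresh table is a single level-0 page, as ExCreateHandleTable makes it. */
PHANDLE_TABLE CreateHandleTable(void)
{
    PHANDLE_TABLE t = calloc(1, sizeof *t);
    t->TableCode = (uintptr_t)calloc(LOWLEVEL_COUNT, sizeof(HANDLE_TABLE_ENTRY));
    t->NextHandleNeedingPool = LOWLEVEL_COUNT * HANDLE_VALUE_INC;
    return t;
}

/* Grow the table until Handle has an entry. A promotion keeps the old top
 * page as slot 0 of the new one, so existing entries never move. */
PHANDLE_TABLE_ENTRY InstallHandle(PHANDLE_TABLE Table, uint32_t Handle)
{
    uint32_t i, j, k, limit;
    uintptr_t code = Table->TableCode & ~(uintptr_t)LEVEL_CODE_MASK;
    unsigned level = TableLevel(Table);
    void **page;

    SplitIndex(Handle, &i, &j, &k);
    if (level == 0 && (j || k)) {            /* a second low-level page is needed */
        page = calloc(MIDLEVEL_COUNT, sizeof *page);
        page[0] = (void *)code; code = (uintptr_t)page; level = 1;
    }
    if (level == 1 && k) {                   /* a second mid-level page is needed */
        page = calloc(MIDLEVEL_COUNT, sizeof *page);
        page[0] = (void *)code; code = (uintptr_t)page; level = 2;
    }
    Table->TableCode = code | level;
    if (level == 2) {
        void ***top = (void ***)code;
        if (!top[k]) top[k] = calloc(MIDLEVEL_COUNT, sizeof(void *));
        page = top[k];
    } else {
        page = (void **)code;                /* level 1: the mid-level page itself */
    }
    if (level >= 1 && !page[j])
        page[j] = calloc(LOWLEVEL_COUNT, sizeof(HANDLE_TABLE_ENTRY));
    limit = (((Handle & ~KERNEL_HANDLE_MASK) / HANDLE_VALUE_INC) / LOWLEVEL_COUNT + 1)
            * LOWLEVEL_COUNT * HANDLE_VALUE_INC;
    if (limit > Table->NextHandleNeedingPool)
        Table->NextHandleNeedingPool = limit;
    return LookupHandleTableEntry(Table, Handle);
}

int main(void)
{
    PHANDLE_TABLE t = CreateHandleTable();
    uint32_t handles[] = { 0x4, 0x804, 0x800004u | KERNEL_HANDLE_MASK };
    for (size_t n = 0; n < 3; n++)
        printf("handle %#x -> entry %p, table now level %u\n", handles[n],
               (void *)InstallHandle(t, handles[n]), TableLevel(t));
    return 0;
}
```

Installing handle 0x804 (index 513) forces the single entry page to be wrapped in a mid-level page, and a handle past 512 * 1024 * 4 forces a top-level page; the entry for handle 0x4 keeps its address across both promotions because the old page becomes slot 0 of the new one, the same way WRK grows a table. The kernel-handle bit on the third handle changes nothing about the index, which is why it has to be cleared before the real lookup as well.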

3. Handle permissions
If we want to change what a handle is allowed to do, HANDLE_TABLE_ENTRY::GrantedAccess is where the access mask lives (the second DWORD of the entry). ObReferenceObjectByHandle compares the caller's DesiredAccess against it, but only for user-mode callers; when AccessMode is KernelMode the comparison is skipped. So rewriting GrantedAccess (to PROCESS_ALL_ACCESS, say) is what changes what a user-mode process can do with a handle it already holds, while kernel code is not limited by it in the first place.

4. ObOpenObjectByPointer
ObOpenObjectByPointer does two things: ObReferenceObjectByPointer, which adds a pointer reference to the object (and checks its type), and then ObpCreateHandle, which creates the handle; if handle creation fails it drops the reference again.

5. How to fake a handle
Say we want to forge a handle to the process XX.EXE.

1) First locate ObpKernelHandleTable. It is not exported, but ObInitSystem attached it to the System process as its ObjectTable, so it can be read from there:
    PHANDLE_TABLE dwObpKernelHandleTable = NULL;
    // PsInitialSystemProcess is exported and valid from any context;
    // PsGetCurrentProcess() equals it only while running in the System
    // process, as in DriverEntry.
    PVOID lpPsSystemObject = (PVOID)PsInitialSystemProcess;
    // EPROCESS_ObjectTable_OFFSET is the offset of EPROCESS.ObjectTable for
    // the build you run on (dt nt!_EPROCESS ObjectTable in WinDbg); the value
    // was cut off in the original post and is not filled in here.
    dwObpKernelHandleTable = *(PHANDLE_TABLE *)((PUCHAR)lpPsSystemObject +
                                                 EPROCESS_ObjectTable_OFFSET);

2) Use ObOpenObjectByPointer (with OBJ_KERNEL_HANDLE in the handle attributes, so the handle lands in ObpKernelHandleTable) to open explorer.exe, or any other process that is not protected. This gives a handle hProcess.
3) Obtain the EPROCESS of XX.EXE by whatever means is available, for example PsLookupProcessByProcessId, which resolves the PID through the CID table [2].
4) Pass hProcess (with KERNEL_HANDLE_MASK cleared) to LookupHandleTableEntry to get pEntry, a PHANDLE_TABLE_ENTRY. At this point pEntry->Object must be the OBJECT_HEADER of explorer.exe's EPROCESS, plus the low attribute bits.
5) Set pEntry->Object to the OBJECT_HEADER of XX.EXE's EPROCESS, preserving those attribute bits.
With that, the HANDLE and the OBJECT have been hijacked.

The key step has details that need attention, such as adjusting the handle count (and pointer count) of the objects involved: the entry now stands for a handle and a reference to XX.EXE that ObpCreateHandle never accounted for, while explorer.exe still carries the counts for a handle it no longer has, and a later NtClose will decrement whatever object the entry points to at that time. The entry should also be locked while it is changed; in WRK, ExMapHandleToPointer does the lookup and locks the entry, and ExUnlockHandleTableEntry releases it [1].

6. Does it work?
Most kernel APIs take a HANDLE parameter and internally resolve it with ObReferenceObjectByHandle. Reading ObReferenceObjectByHandle shows why the hijack is effective: it walks the HANDLE_TABLE from the handle to the entry and takes the object from pEntry->Object, that is, handle --> pEntry->Object. It then checks the object's type against the one requested (both are process objects here, so the check passes), skips the GrantedAccess check for a kernel-mode caller, and references the object it found. Every API that goes through it now operates on XX.EXE.
So the hijack succeeds.
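The following added example (mine, not code from this post or from WRK) models the part of the picture that sections 3, 5 and 6 talk about: what the entry stores, how ObReferenceObjectByHandle turns a handle into an object and what it checks on the way, what editing GrantedAccess changes for a user-mode caller, and which counts the swap in section 5 has to move. The OBJ_* attribute bits and PROCESS_* masks are the XP/2003 x86 values; OBJECT_HEADER and EPROCESS are reduced to a few fields, the handle table is one flat page (so the entry for a handle is Table[handle / 4]), and the entry lock bit is left out.

```c
/* Added example, not code from the original post or from WRK: a user-mode
 * model of a HANDLE_TABLE_ENTRY, of ObReferenceObjectByHandle's checks, and of
 * the entry swap from section 5. Attribute bits and access masks are the
 * XP/2003 x86 values; OBJECT_HEADER and EPROCESS are cut down to a few fields,
 * the table is a single flat page, and the entry lock bit is omitted. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_PROTECT_CLOSE        0x1u
#define OBJ_INHERIT              0x2u
#define OBJ_AUDIT_OBJECT_CLOSE   0x4u
#define OBJ_HANDLE_ATTRIBUTES    (OBJ_PROTECT_CLOSE | OBJ_INHERIT | OBJ_AUDIT_OBJECT_CLOSE)

#define PROCESS_VM_WRITE           0x0020u
#define PROCESS_QUERY_INFORMATION  0x0400u
#define PROCESS_ALL_ACCESS         0x1F0FFFu   /* XP/2003 value */

typedef enum { UserMode = 0, KernelMode = 1 } KPROCESSOR_MODE;
typedef struct _OBJECT_TYPE { const char *Name; } OBJECT_TYPE, *POBJECT_TYPE;
typedef struct _EPROCESS { char ImageFileName[16]; } EPROCESS, *PEPROCESS;

/* Model OBJECT_HEADER: counts and type in front of the body, as on XP. */
typedef struct _OBJECT_HEADER {
    int32_t      PointerCount;
    int32_t      HandleCount;
    POBJECT_TYPE Type;
    EPROCESS     Body;
} OBJECT_HEADER, *POBJECT_HEADER;

typedef struct _HANDLE_TABLE_ENTRY {
    uintptr_t Object;                 /* header pointer | OBJ_HANDLE_ATTRIBUTES bits */
    uint32_t  GrantedAccess;
} HANDLE_TABLE_ENTRY, *PHANDLE_TABLE_ENTRY;

#define OBJECT_TO_OBJECT_HEADER(o) \
    ((POBJECT_HEADER)((char *)(o) - offsetof(OBJECT_HEADER, Body)))
#define ObpDecodeObject(v) ((POBJECT_HEADER)((v) & ~(uintptr_t)OBJ_HANDLE_ATTRIBUTES))

static OBJECT_TYPE PsProcessType = { "Process" };
static OBJECT_TYPE PsThreadType  = { "Thread" };

/* What ObpCreateHandle leaves behind: the encoded header, the granted access,
 * one more handle and one more pointer on the object. Returns the handle. */
uint32_t ObpCreateHandle(PHANDLE_TABLE_ENTRY Table, uint32_t Slot, void *Object,
                         uint32_t Attributes, uint32_t Access)
{
    POBJECT_HEADER h = OBJECT_TO_OBJECT_HEADER(Object);
    h->PointerCount++;
    h->HandleCount++;
    Table[Slot].Object = (uintptr_t)h | (Attributes & OBJ_HANDLE_ATTRIBUTES);
    Table[Slot].GrantedAccess = Access;
    return Slot * 4;                        /* TagBits are zero */
}

/* ObReferenceObjectByHandle: handle -> entry -> header; the type must match;
 * the access check applies to user-mode callers only; success takes a reference. */
void *ObReferenceObjectByHandle(PHANDLE_TABLE_ENTRY Table, uint32_t Handle,
                                uint32_t DesiredAccess, POBJECT_TYPE Type,
                                KPROCESSOR_MODE Mode)
{
    PHANDLE_TABLE_ENTRY e = &Table[Handle / 4];
    POBJECT_HEADER h = ObpDecodeObject(e->Object);
    if (h == NULL || (Type != NULL && h->Type != Type))
        return NULL;                        /* STATUS_OBJECT_TYPE_MISMATCH */
    if (Mode != KernelMode && (DesiredAccess & ~e->GrantedAccess) != 0)
        return NULL;                        /* STATUS_ACCESS_DENIED */
    h->PointerCount++;
    return &h->Body;
}

/* The hijack of section 5: point the entry at another object, keep the
 * attribute bits, and move the handle and pointer reference the entry stands
 * for from the old object to the new one so a later close stays balanced.
 * Returns the old object's body so the caller can put it back. */
void *HijackHandleEntry(PHANDLE_TABLE_ENTRY Entry, void *NewObject)
{
    POBJECT_HEADER oldh = ObpDecodeObject(Entry->Object);
    POBJECT_HEADER newh = OBJECT_TO_OBJECT_HEADER(NewObject);
    uintptr_t attrs = Entry->Object & OBJ_HANDLE_ATTRIBUTES;
    newh->HandleCount++;  newh->PointerCount++;
    Entry->Object = (uintptr_t)newh | attrs;
    oldh->HandleCount--;  oldh->PointerCount--;
    return &oldh->Body;
}

int main(void)
{
    HANDLE_TABLE_ENTRY table[8] = { { 0, 0 } };
    OBJECT_HEADER explorer = { 0, 0, &PsProcessType, { "explorer.exe" } };
    OBJECT_HEADER target   = { 0, 0, &PsProcessType, { "XX.EXE" } };
    uint32_t h = ObpCreateHandle(table, 1, &explorer.Body, OBJ_INHERIT,
                                 PROCESS_QUERY_INFORMATION);
    PEPROCESS p = ObReferenceObjectByHandle(table, h, PROCESS_QUERY_INFORMATION,
                                            &PsProcessType, KernelMode);
    printf("before: handle %#x -> %s\n", h, p->ImageFileName);
    HijackHandleEntry(&table[h / 4], &target.Body);
    p = ObReferenceObjectByHandle(table, h, PROCESS_QUERY_INFORMATION,
                                  &PsProcessType, KernelMode);
    printf("after:  handle %#x -> %s, handle count %d\n", h, p->ImageFileName,
           target.HandleCount);
    return 0;
}
```

Two things the model makes visible that are easy to miss in the real kernel: a user-mode caller asking for PROCESS_VM_WRITE through a handle granted only PROCESS_QUERY_INFORMATION is refused until the entry's GrantedAccess is widened, while a kernel-mode caller is never refused; and after the swap the handle count of explorer.exe must go down and that of XX.EXE up, otherwise the counts drift as soon as the handle is closed. In the real kernel the entry must also be locked for the duration of the swap.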
That is my thinking. Thanks.
[1] WRK (Windows Research Kernel) source, in particular handle.c and obhandle.c
[2] An article on PsCidTable (the CID handle table used by PsLookupProcessByProcessId)
