有关进程和端口映射
文章已经有很多了,我把我对fport分析也写出来,让大家知道fport是如何工作.fport.exe是由foundstone team出品
免费软件Software,可以列出系统中所有开放端口都是由那些进程打开.而下面所描述
思路方法是基于fport v1.33,如果和你机器上fport有出入,请检查fport版本.首先,它检测当前用户是否拥有管理员权限(通过读取当前进程
令牌可知当前用户是否具有管理权限,请参考相关历程),如果没有,打印
句提示后退出,然后设置当前进程令牌,接着,用ZwOpenSection
打开内核对象\Device\PhysicalMemory,这个对象用于对系统物理内存
访问.ZwOpenSection原型如下:NTSYSAPI
NTSTSTUS
NTAPI
ZwOpenSection(
Out PHANDLE sectionHandle;
IN ACCESS_MASK DesiredAccess;
IN POBJECT_ATTRIBUTES ObjectAttributes
};
(见ntddk.h)
第
个参数得到执行成功后句柄第 2个参数DesiredAccess为
个常数,可以是下列值:#
SECTION_QUERY 0x0001#
SECTION_MAP_WRITE 0x0002#
SECTION_MAP_READ 0x0004#
SECTION_MAP_EXECUTE 0x0008#
SECTION_EXTEND_SIZE 0x0010#
SECTION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SECTION_QUERY|\SECTION_MAP_WRITE | \
SECTION_MAP_READ | \
SECTION_MAP_EXECUTE | \
SECTION_EXTEND_SIZE)
(见ntddk.h)
第 3个参数是
个结构,包含要打开对象类型等信息,结构定义如下:typedef struct _OBJECT_ATTRIBUTES {
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Po
s to type SECURITY_DESCRIPTORPVOID SecurityQualityOfService; // Po
s to type SECURITY_QUALITY_OF_SERVICE} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
(见ntdef.h)
对于这个结构
化用个宏完成:#
InitializeObjectAttributes( p, n, a, r, s ) { \(p)->Length =
( OBJECT_ATTRIBUTES ); \(p)->RootDirectory = r; \
(p)->Attributes = a; \
(p)->ObjectName = n; \
(p)->SecurityDescriptor = s; \
(p)->SecurityQualityOfService = NULL; \
}
(见ntdef.h)
那么,打开内核对象\Device\PhysicalMemory
语句如下:WCHAR PhysmemName
= L"\\Device\\PhysicalMemory";void * pMapPhysicalMemory;
HANDLE pHandle;
bool OpenPhysicalMemory
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, PhysmemName ); //
化Unicode
串,原型见ntddk.h InitializeObjectAttributes( &attributes, &physmemString,
OBJ_CASE_INSENSITIVE, NULL, NULL ); //
化OBJECT_ATTRIBUTES结构status = ZwOpenSection(pHandle, SECTION_MAP_READ, &attributes ); //打开内核对象\Device\PhysicalMemory,获得句柄
( !NT_SUCCESS( status )) 
false;pMapPhysicalMemory=MapViewOfFile(pHandle,FILE_MAP_READ,
0,0x30000,0x1000);
//从内存地址0x30000开始映射0x1000个字节
( GetLastError!=0) false; true;}
为什么要从0x30000开始映射呢,是这样,我们知道,在Windows NT/2000下,系统分为内核模式和用户模式,也就是我们
所说
Ring0和Ring3,在Windows NT/2000下,我们所能够看到进程都运行在Ring3下,般情况下,系统进程(也就是
进程)
页目录(PDE)所在物理地址地址为0x30000,或者说,系统中最小页目录所在物理地址为0x30000.而页目录(PDE)由1024项组成,每项均指向
页表(PTE),每页表也由1024个页组成,而每页大小为4K,1024*4=4096(0x1000),所以,上面从物理地址0x30000开始映射了0x1000个字节.(具体描述见WebCrazy
文章<<小议Windows NT/2000分页机制>>)
打开打开内核对象\Device\PhysicalMemory后,继续用ZwOpenFile打开内核对象\Device\Tcp和Device\Udp,ZwOpenFile原型如下:NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile(
OUT PHANDLE FileHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN ULONG ShareAccess,
IN ULONG OpenOptions
);
(见ntddk.h)
第
个参数返回打开对象句柄第 2个参数DesiredAccess为
个常数,可以是下列值:#
FILE_READ_DATA ( 0x0001 ) // file & pipe#
FILE_LIST_DIRECTORY ( 0x0001 ) // directory#
FILE_WRITE_DATA ( 0x0002 ) // file & pipe#
FILE_ADD_FILE ( 0x0002 ) // directory#
FILE_APPEND_DATA ( 0x0004 ) // file#
FILE_ADD_SUBDIRECTORY ( 0x0004 ) // directory#
FILE_CREATE_PIPE_INSTANCE ( 0x0004 ) // named pipe#
FILE_READ_EA ( 0x0008 ) // file & directory#
FILE_WRITE_EA ( 0x0010 ) // file & directory#
FILE_EXECUTE ( 0x0020 ) // file#
FILE_TRAVERSE ( 0x0020 ) // directory#
FILE_DELETE_CHILD ( 0x0040 ) // directory#
FILE_READ_ATTRIBUTES ( 0x0080 ) // all#
FILE_WRITE_ATTRIBUTES ( 0x0100 ) // all#
FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)#
FILE_GENERIC_READ (STANDARD_RIGHTS_READ |\FILE_READ_DATA |\
FILE_READ_ATTRIBUTES |\
FILE_READ_EA |\
SYNCHRONIZE)
#
FILE_GENERIC_WRITE (STANDARD_RIGHTS_WRITE |\FILE_WRITE_DATA |\
FILE_WRITE_ATTRIBUTES |\
FILE_WRITE_EA |\
FILE_APPEND_DATA |\
SYNCHRONIZE)
#
FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE |\FILE_READ_ATTRIBUTES |\
FILE_EXECUTE |\
SYNCHRONIZE)
(见ntdef.h)
第 3个参数是
个结构,包含要打开对象类型等信息,结构定义见上面所述第 4个参数返回打开对象
属性,是个结构,定义如下:typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Po
er;};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
#
d(_WIN64)typedef struct _IO_STATUS_BLOCK32 {
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK32, *PIO_STATUS_BLOCK32;
#end
(见ntddk.h)
第 5个参数ShareAccess是
个常数,可以是下列值:#
FILE_SHARE_READ 0x00000001 // winnt#
FILE_SHARE_WRITE 0x00000002 // winnt#
FILE_SHARE_DELETE 0x00000004 // winnt(见ntddk.h)
第 6个参数OpenOptions也是
个常数,可以是下列值:#
FILE_DIRECTORY_FILE 0x00000001#
FILE_WRITE_THROUGH 0x00000002#
FILE_SEQUENTIAL_ONLY 0x00000004#
FILE_NO_INTERMEDIATE_BUFFERING 0x00000008#
FILE_SYNCHRONOUS_IO_ALERT 0x00000010#
FILE_SYNCHRONOUS_IO_NONALERT 0x00000020#
FILE_NON_DIRECTORY_FILE 0x00000040#
FILE_CREATE_TREE_CONNECTION 0x00000080#
FILE_COMPLETE_IF_OPLOCKED 0x00000100#
FILE_NO_EA_KNOWLEDGE 0x00000200#
FILE_OPEN_FOR_RECOVERY 0x00000400#
FILE_RANDOM_ACCESS 0x00000800#
FILE_DELETE_ON_CLOSE 0x00001000#
FILE_OPEN_BY_FILE_ID 0x00002000#
FILE_OPEN_FOR_BACKUP_INTENT 0x00004000#
FILE_NO_COMPRESSION 0x00008000#
FILE_RESERVE_OPFILTER 0x00100000#
FILE_OPEN_REPARSE_POINT 0x00200000#
FILE_OPEN_NO_RECALL 0x00400000#
FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000#
FILE_COPY_STRUCTURED_STORAGE 0x00000041#
FILE_STRUCTURED_STORAGE 0x00000441#
FILE_VALID_OPTION_FLAGS 0x00ffffff#
FILE_VALID_PIPE_OPTION_FLAGS 0x00000032#
FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032#
FILE_VALID_SET_FLAGS 0x00000036(见ntddk.h)
那么,打开内核对象\Device\Tcp和\Device\Udp
语句如下: WCHAR physmemNameTcp
=L"\\Device\\TCP";WCHAR physmemNameUdp
=L"\\Device\\UDP";HANDLE pTcpHandle;
HANDLE pUdpHandle;
HANDLE OpenDeviceTcpUdp(WCHAR * deviceName)
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
IO_STATUS_BLOCK iosb;
HANDLE pDeviceHandle;
RtlInitUnicodeString(&physmemString, deviceName);
(GetLastError!=0) NULL;InitializeObjectAttributes( &attributes,&physmemString,
OBJ_CASE_INSENSITIVE,0, NULL );
status = ZwOpenFile ( &pDeviceHandle,0x100000, &attributes, &iosb, 3,0);
( !NT_SUCCESS( status )) NULL;}
接着,
用ZwQueryInformation获得系统当前所以进程所建立句柄及其相关信息,原型如下:NTSYSAPI
NTSTATUS
NTAPI
ZwQuery
Information(IN SYSTEM_INFORMATION_CLASS
InformationClass,IN OUT PVOID
Information,IN ULONG
InformationLength,OUT PULONG ReturnLength OPTIONAL
};
(这个
结构Microsoft没有公开,参见Gary Nebbett<<Windows NT/2000 Native API Reference>>)第
个参数是个枚举常数,设置要查询系统信息类型,ZwQueryInformation支持54个系统信息查询,我们要用到是它
第16号功能,进行HandleInformation查询.SYSTEM_HANDLE_INFORMATION结构定义如下:
typedef struct _SYSTEM_HANDLE_INFORMATION{
ULONG ProcessID; //进程
标识IDUCHAR ObjectTypeNumber; //对象类型
UCHAR Flags; //0x01 = PROTECT_FROM_CLOSE,0x02 = INHERIT
USHORT Handle; //对象句柄
数值PVOID Object; //对象句柄所指
内核对象地址ACCESS_MASK GrantedAccess; //创建句柄时所准许
对象访问权}SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
(这个
结构Microsoft没有公开,参见Gary Nebbett<<Windows NT/2000 Native API Reference>>)第 2个参数输出查询
结果第 3个参数设置缓冲区
长度第 4个参数返回
正确执行需要缓冲区大小代码如下:
#
HandleInformation 16PULONG GetHandleList
{
ULONG cbBuffer = 0x1000; //先设定
个较小缓冲空间PULONG pBuffer =
ULONG[cbBuffer]; //分配内存NTSTATUS Status;
do
{
Status = ZwQuery
Information(HandleInformation,pBuffer, cbBuffer *
* pBuffer, NULL); (Status 
STATUS_INFO_LENGTH_MISMATCH){
//如果返回
信息为缓冲区长度不够,那么重新分配内存delete
pBuffer;pBuffer =
ULONG[cbBuffer *= 2];}
(!NT_SUCCESS(Status)){
//如果是其他
信息,返回delete
pBuffer; false;}
}
while (Status
STATUS_INFO_LENGTH_MISMATCH); pBuffer;}
如果个进程打开了端口,那么它肯定会建立类型为\Device\Tcp和\Device\Udp内核对象,所以,我们在当前进程中打开上述
两个内核对象,在打开同时保存了打开句柄,这样,我们可以在上面获得句柄列表中当前进程中查找对象句柄数值和我们保存
两个打开内核对象句柄数值相同句柄,并得到其句柄所指向内核对象地址.代码如下:DWORD TcpHandle;
DWORD UdpHandle;
DWORD GetTcpUdpObject(PULONG pBuffer,HANDLE pHandle,DWORD ProcessId)
{
DWORD objTYPE1,objTYPE2,HandleObject;
PSYSTEM_HANDLE_INFORMATION pProcesses = (PSYSTEM_HANDLE_INFORMATION)(pBuffer+1);
for (i=0;i< * pBuffer;i
){
((pProcesses[i].ProcessID) ProcessId){
objTYPE1 = (DWORD)hDeviceTcpUdp;
objTYPE2 = (DWORD)pProcesses[i].Handle;
(objTYPE1objTYPE2){
HandleObject = (DWORD)pProcesses.Object;
HandleObject;}
}
0;}
这个内核对象地址是
个线性地址,我们需要把这个地址转换为物理地址,并得到些相关数据.在fport中,换算是这样进行:(具体描述见WebCrazy
文章<<小议Windows NT/2000分页机制>>)void * NewmapPhy;
void GetPTE(DWORD objAddress)
{
DWORD physmemBuff;
DWORD
Address1,Address2,Address3,Address4;DWORD *
Address;physmemBuff = (DWORD)pMapPhysicalMemory;
Address1 = physmemBuff+(objAddress>>0x16)*4;Address = (DWORD *)Address1;Address1 = * Address;Address2 = objAddress & 0x3FF000;Address3 = Address1 & 0x0FFFFF000;Address4 = Address2 + Address3;NewmapPhy = MapViewOfFile(ghPhysicalMemory,FILE_MAP_READ,0,
Address4,0x1000);//重新映射物理内存,得到当前线性地址所指向
PTE物理地址内容}
然后在根据内核对象
线性地址得到这个地址所指向物理页,得到体现当前内核对象内容页,其结构如下:typedef struct {
ULONG Present;
ULONG WriteTable;
ULONG User;
ULONG WriteThru;
ULONG NoCache;
ULONG Accessed;
ULONG Dirty;
ULONG PageSize;
ULONG Global;
ULONG Available;
ULONG Pfn;
} PTE, *PPTE;
(注:我不能保证这个结构
正确性,但我们只会用到其中两个值,对来说,这个结构是可以工作,^_^)代码如下:
ULONG CurrWriteTable;
ULONG NoCache;
void GetMustPar(DWORD objAddress)
{
DWORD CurrAddress;
CurrAddress = objAddress & 0xFFF;
PPTE pte = (PPTE)(VOID *)((DWORD)NewmapPhy+CurrAddress);
CurrWriteTable = pte->WriteTable;
CurrNoCache = Pte->NoCache;
}
好了,我们现在想要得到
都已经得到了,下面需要做是遍历进程,用每个进程中每个句柄(呵呵,不是每个句柄,在Windows NT下,\Device\Tcp和\Device\Udp
句柄类型值为0x16,在Windows 2000下这个值为0x1A)核心地址用上面所描述
办法得到其PTE内容,得到其WriteTable值,如果和内核对象\Device\Tcp和\Device\Udp相等,那么这个句柄就有可能打开了
个端口,再对这个句柄进行确认,就可以了.确认代码如下:typedef struct _TDI_CONNECTION_INFO {
ULONG State;
ULONG Event;
ULONG TransmittedTsdus;
ULONG ReceivedTsdus;
ULONG TransmissionErrors;
ULONG ReceiveErrors;
LARGE_INTEGER Throughput;
LARGE_INTEGER Delay;
ULONG SendBufferSize;
ULONG ReceiveBufferSize;
BOOLEAN Unreliable;
} TDI_CONNECTION_INFO, *PTDI_CONNECTION_INFO;
typedef struct _TDI_CONNECTION_INFORMATION {
LONG UserDataLength;
PVOID UserData;
LONG OptionsLength;
PVOID Options;
LONG RemoteAddressLength;
PVOID RemoteAddress;
} TDI_CONNECTION_INFORMATION, *PTDI_CONNECTION_INFORMATION;
(以上结构见tdi.h)
void GetOpenPort(DWORD dwProcessesID,USHORT Handle,
NoCache)//dwProcessesID为进程标识ID
//Handle为进程打开
句柄,并且经过比较为\Device\Tcp或\Device\Udp类型//NoCache为PTE结构中
个值 {
HANDLE hProc,DupHandle=NULL;
HANDLE hEven=NULL;
OVERLAPPED overlap;
u_
openport; i=0;char procName[256]={0};
portflag=0;overlap.Internal = 0;
overlap.InternalHigh = 0;
overlap.Off
= 0;overlap.Off
High = 0;hEven=CreateEvent(0,1,0,0);
overlap.hEvent = hEven;
hProc = OpenProcess(PROCESS_DUP_HANDLE,
0,
dwProcessesID);
(hProc){
DuplicateHandle(hProc,
(HANDLE)Handle,
GetCurrentProcess
,&DupHandle,
0,
FALSE,
2);
CloseHandle( hProc );
(DupHandle){
TDI_CONNECTION_INFO TdiConnInfo={0};
TDI_CONNECTION_INFORMATION TdiConnInformation={0};
DWORD dwRetu=0;
(NoCache0x2){
TdiConnInformation.RemoteAddressLength= 4;
(DeviceIoControl(DupHandle,0x210012,&TdiConnInformation,
(TdiConnInformation),&TdiConnInfo,
(TdiConnInfo),0,&overlap))
//进行TDI查询,得到连接
相关信息{
openport = ntohs((u_
)TdiConnInfo.ReceivedTsdus);procname = GetProcName(dwProcessesID); //得到进程标识ID
进程名称pr
f("PID = %4d ProcessName = %15s PORT = %4d\n",dwProcessesID,procName,openport);}
}
(NoCache0x1){
TdiConnInformation.RemoteAddressLength= 3;
(DeviceIoControl(DupHandle,0x210012,&TdiConnInformation,
(TdiConnInformation),&TdiConnInfo,
(TdiConnInfo),0,&overlap))
//进行TDI查询,得到连接
相关信息{
openport = ntohs((u_
)TdiConnInfo.ReceivedTsdus);procname = GetProcName(dwProcessesID); //得到进程标识ID
进程名称pr
f("PID = %4d ProcessName = %15s PORT = %4d\n",dwProcessesID,procName,openport);}
}
}
}
CloseHandle(hEven);
CloseHandle(DupHandle);
}
以上是我对fport.exe
分析及其实现代码,演示可以从whitecell.org下载,如果你发现有问题,请通知我,^_^参考:
fport.exe
Gary Nebbett<<Windows NT/2000 Native API Reference>>
WebCrazy<<小议Windows NT/2000分页机制>>
NTDDK
最新评论