{"id":287548,"date":"2021-01-16T22:40:31","date_gmt":"2021-01-16T14:40:31","guid":{"rendered":"http:\/\/4563.org\/?p=287548"},"modified":"2021-01-17T22:09:48","modified_gmt":"2021-01-17T14:09:48","slug":"%e5%ba%a6%e6%8e%a2%e7%b4%a2%ef%bc%9a%e8%a7%a3%e9%99%a4%e6%96%87%e4%bb%b6%e5%8d%a0%e7%94%a8%e9%82%a3%e4%ba%9b%e5%9d%91","status":"publish","type":"post","link":"http:\/\/4563.org\/?p=287548","title":{"rendered":"\u5ea6\u63a2\u7d22\uff1a\u89e3\u9664\u6587\u4ef6\u5360\u7528\u90a3\u4e9b\u5751"},"content":{"rendered":"<div>\n<div>\n<div>\n<h1>                  \u5ea6\u63a2\u7d22\uff1a\u89e3\u9664\u6587\u4ef6\u5360\u7528\u90a3\u4e9b\u5751               <\/h1>\n<p> <\/p>\n<div>\n<div> <span>\u8cc7\u6df1\u5927\u4f6c : anhkgg <\/span>  <span><i><\/i> 0<\/span> <\/div>\n<div> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div isfirst=\"1\"> <\/p>\n<p>\u4e86\u89e3\u4e00\u70b9\u64cd\u4f5c\u7cfb\u7edf\u77e5\u8bc6\u7684\u540c\u5b66\u4eec\u5e94\u8be5\u90fd\u77e5\u9053\uff0c\u6587\u4ef6\u5360\u7528\u65e0\u6cd5\u5220\u9664\uff0c\u662f\u56e0\u4e3a\u67d0\u4e9b\u8fdb\u7a0b\u6b63\u5728\u4f7f\u7528\u8be5\u6587\u4ef6\u3002<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" referrerpolicy=\"no-referrer\" rel=\"noreferrer\" src=\"http:\/\/4563.org\/wp-content\/uploads\/2021\/01\/394321_GNC96RZJ9FHD6QT.png\" alt=\"\u5ea6\u63a2\u7d22\uff1a\u89e3\u9664\u6587\u4ef6\u5360\u7528\u90a3\u4e9b\u5751\" \/><\/p>\n<p>\u8981\u5220\u9664\u8fd9\u6837\u7684\u6587\u4ef6\uff0c\u5c31\u9700\u8981\u8ba9\u90a3\u4e9b\u8fdb\u7a0b\u5173\u95ed\u6587\u4ef6\uff0c\u7136\u540e\u81ea\u7136\u53ef\u4ee5\u5220\u9664\u3002<\/p>\n<p>\u4e00\u53e5\u8bdd\u7684\u4e8b\uff0c\u90a3\u7a76\u7adf\u8981\u600e\u4e48\u7528\u4ee3\u7801\u6765\u5b9e\u73b0\u8fd9\u4e2a\u529f\u80fd\u5462\uff1f<\/p>\n<h1>\u6253\u5f00\u548c\u5173\u95ed\u6587\u4ef6<\/h1>\n<p> <\/p>\n<p>\u8fd8\u8bb0\u5f97\u4e0a\u5927\u5b66\u7b2c\u4e00\u95e8\u8bed\u8a00\u8bfe-C 
\u8bed\u8a00\uff0c\u8fc4\u4eca\u4e3a\u6b62\u8fd8\u4f9d\u7136\u6d3b\u8dc3\u5e76\u88ab\u4e00\u76f4\u4f7f\u7528\u7684\u8bed\u8a00\u3002<\/p>\n<p>\u6bd4\u6c47\u7f16\u5bb9\u6613\u7406\u89e3\uff0c\u53c8\u66f4\u63a5\u8fd1\u5e95\u5c42\uff0c\u6240\u4ee5 Windows \u64cd\u4f5c\u7cfb\u7edf\u5185\u6838\u5927\u90e8\u5206\u4ee3\u7801\u90fd\u662f\u7528 C \u8bed\u8a00\u6765\u7f16\u5199\u7684\u3002<\/p>\n<p>\u5728 C \u7684\u8bfe\u7a0b\u91cc\uff0c\u6211\u4eec\u5b66\u8fc7\u901a\u8fc7 FILE \u6765\u64cd\u4f5c\u4f7f\u7528\u6587\u4ef6\uff0c\u6bd4\u5982\uff1a<\/p>\n<pre><code>FILE *fp; fp = fopen(\"c:temptest.txt\", \"r\")  <\/code><\/pre>\n<p>\u901a\u8fc7\u8bfb\u7684\u65b9\u5f0f\u6253\u5f00\u4e00\u4e2a\u6587\u4ef6\uff0c\u4f7f\u7528\u975e\u5e38\u7b80\u5355\uff0c\u540e\u7eed\u901a\u8fc7 fp \u8fd9\u4e2a\u7ed3\u6784\u4f53\u6307\u9488\u64cd\u4f5c\u6587\u4ef6\u5373\u53ef\u3002<\/p>\n<p>\u5176\u5b9e fopen \u5e76\u4e0d\u63a5\u8fd1\u64cd\u4f5c\u7cfb\u7edf\uff0c\u4ed6\u662f\u5bf9 win32 API CreateFile \u7684\u5c01\u88c5\u3002<\/p>\n<p>\u4e5f\u5c31\u662f\u524d\u8005\u662f\u6807\u51c6\u5e93\u63a5\u53e3\uff0c\u5728 Windows \u3001linux \u3001unix \u7b49\u90fd\u662f\u901a\u7528\u63a5\u53e3\u3002<\/p>\n<p>\u800c\u540e\u8005\u624d\u662f\u548c\u64cd\u4f5c\u7cfb\u7edf\u5173\u8054\u7d27\u5bc6\uff0c\u7531\u5fae\u8f6f\u81ea\u5df1\u63d0\u4f9b\u7684 API \u3002<\/p>\n<p>\u8981\u66f4\u597d\u7684\u7406\u89e3\u8fdb\u7a0b\u5982\u4f55\u4f7f\u7528\u6587\u4ef6\u7684\uff0c\u6211\u4eec\u8fd8\u5f97\u770b\u770bCreateFile\u8fd9\u4e2a API \u63a5\u53e3\u3002<\/p>\n<pre><code>HANDLE CreateFileA(   LPCSTR                lpFileName,   DWORD                 dwDesiredAccess,   DWORD                 dwShareMode,   LPSECURITY_ATTRIBUTES lpSecurityAttributes,   DWORD                 dwCreationDisposition,   DWORD                 dwFlagsAndAttributes,   HANDLE                hTemplateFile ); <\/code><\/pre>\n<p>\u8fd9\u662f msdn \u5bf9 CreateFile \u7684\u5b9a\u4e49\uff0c\u7b80\u5355\u6765\u770b\u6211\u4eec\u53ef\u4ee5\u53ea\u5173\u6ce8 
lpFileName \u548c\u8fd4\u56de\u503c\uff0clpFileName \u4f20\u9012\u4f60\u8981\u6253\u5f00\u7684\u6587\u4ef6\uff0c\u8fd4\u56de\u503c\u662f\u64cd\u4f5c\u7cfb\u7edf\u7ed9\u4f60\u7684\u4e00\u4e2a\u4ee3\u8868\u6587\u4ef6\u7684\u53e5\u67c4\uff08 handle \uff09\u3002<\/p>\n<pre><code>HANDLE hFile = CreateFileA(\"c:temptest.txt\", ...); <\/code><\/pre>\n<p>\u8981\u5bf9\u6587\u4ef6\u8fdb\u884c\u8bfb\u3001\u5199\u7b49\u64cd\u4f5c\u90fd\u9700\u8981\u8fd9\u4e2a\u53e5\u67c4\uff0c\u4e5f\u5c31\u662f\u8bf4\u8fd9\u4e2a\u53e5\u67c4\u81f3\u5173\u91cd\u8981\uff0c\u5b83\u8868\u793a\u6587\u4ef6\u6b63\u5728\u88ab\u4f7f\u7528\u3002<\/p>\n<p>\u7136\u540e\u4ec0\u4e48\u65f6\u5019\u7ed3\u675f\u4f7f\u7528\u5462\uff0c\u6211\u4eec\u9700\u8981\u770b\u53e6\u4e00\u4e2a API CloseHandle.<\/p>\n<pre><code>BOOL CloseHandle(   HANDLE hObject ); <\/code><\/pre>\n<p>CloseHandle \u7528\u4e8e\u5173\u95ed\u4e00\u4e2a\u6b63\u5728\u88ab\u4f7f\u7528\u7684\u6587\u4ef6\uff0c\u901a\u8fc7\u53e5\u67c4\u6765\u5173\u95ed\u3002<\/p>\n<p>\u73b0\u5728\u660e\u767d\u8fc7\u6765\u4e86\u5417\uff0c\u53ea\u8981\u6211\u4eec\u8ba9\u8fdb\u7a0b\u8c03\u7528 CloseHandle \u8fd9\u4e2a API\uff0c\u5173\u95ed\u88ab\u5360\u7528\u7684\u6587\u4ef6\u53e5\u67c4\uff0c\u90a3\u4e48\u8be5\u6587\u4ef6\u4e5f\u5c31\u88ab\u89e3\u9664\u5360\u7528\u4e86\u3002<\/p>\n<p>\u54c8\u54c8\uff0c\u662f\u4e0d\u662f\u5f88\u7b80\u5355\u3002<\/p>\n<h1>\u679a\u4e3e\u5360\u7528\u6587\u4ef6\u7684\u8fdb\u7a0b<\/h1>\n<p> <\/p>\n<p>\u90a3\u4e48\u6211\u5c31\u60f3\u95ee\u540c\u5b66\u4eec\u4e00\u4e2a\u95ee\u9898\uff0c\u600e\u4e48\u77e5\u9053\u54ea\u4e9b\u8fdb\u7a0b\u5728\u4f7f\u7528\u6211\u4eec\u60f3\u5220\u9664\u7684\u6587\u4ef6\u5462\uff1f\u600e\u4e48\u53bb\u67e5\u627e\uff1f<\/p>\n<p>\u5e26\u7740\u8fd9\u4e2a\u95ee\u9898\uff0c\u6211\u4eec\u7ee7\u7eed\u5f80\u4e0b\u770b\u3002<\/p>\n<p>\u6211\u4eec\u6765\u60f3\u4e00\u4e2a\u95ee\u9898\uff0c\u64cd\u4f5c\u7cfb\u7edf\u7ed9\u8c03\u7528 CreateFile 
\u7684\u7528\u6237\u8fd4\u56de\u4e86\u4e00\u4e2a\u53e5\u67c4\uff0c\u7136\u540e\u901a\u8fc7\u53e5\u67c4\u6765\u64cd\u4f5c\u6587\u4ef6\uff0c\u90a3\u64cd\u4f5c\u7cfb\u7edf\u662f\u5982\u4f55\u77e5\u9053\u53e5\u67c4\u4ee3\u8868\u54ea\u4e2a\u6587\u4ef6\u5462\uff1f<\/p>\n<p>\u6211\u4eec\u7b80\u5355\u601d\u8003\u4e00\u4e0b\uff0c\u6211\u4eec\u8981\u505a\u5230\u8fd9\u4e2a\u76ee\u7684\u6709\u6ca1\u6709\u4ec0\u4e48\u65b9\u6cd5\uff0c\u6bd4\u5982\u6211\u7528\u4e00\u4e2a\u6570\u7ec4\u6765\u5b58\u7528\u6237\u6253\u5f00\u7684\u6587\u4ef6\u8def\u5f84\uff0c\u800c\u6570\u7ec4\u5e8f\u53f7\u5c31\u8fd4\u56de\u7ed9\u7528\u6237\uff0c\u4e0b\u6b21\u7528\u6237\u5c31\u53ea\u9700\u8981\u628a\u5e8f\u53f7\u7ed9\u6211\uff0c\u6211\u5c31\u77e5\u9053\u8981\u64cd\u4f5c\u4ec0\u4e48\u95ee\u9898\u4e86\u3002<\/p>\n<pre><code>\u6f14\u793a\u4ee3\u7801\uff0c\u5ffd\u7565\u7ec6\u8282 LPWSTR FileTable[100] = {0}; HANDLE CreateFileA(   LPCSTR                lpFileName,   ...)   {       for(int i = 0; i &lt; 100; i ++) {           if(FileTable[i] == NULL) { \/\/\u8fd8\u6709\u7a7a\u4f4d               FileTable[i] = lpFileName; \/\/\u4fdd\u5b58\u8def\u5f84               return (HANDLE)i; \/\/\u8fd4\u56de\u53e5\u67c4           }       }       return NULL;   } BOOL CloseHandle(   HANDLE hObject ) {     if((int)hObject &lt; 100) {         if(FileTable[hObject]) {             FileTable[hObject] = NULL;\/\/\u627e\u5230\u6587\u4ef6\u8def\u5f84             return TRUE;         }     }     return FALSE; } 
<\/code><\/pre>\n<p>\u4e0a\u9762\u7b80\u5355\u7684\u4ee3\u7801\u6f14\u793a\u4e86\u4e00\u4e0b\u6211\u4eec\u7c97\u7565\u8003\u7565\u7684\u6587\u4ef6\u548c\u53e5\u67c4\u7684\u5173\u7cfb\u4ee5\u53ca\u53e5\u67c4\u7684\u7ba1\u7406\uff0c\u90a3\u64cd\u4f5c\u7cfb\u7edf\u662f\u4e0d\u662f\u8fd9\u4e48\u505a\u7684\u5462\uff1f\u5176\u5b9e\u4e5f\u5dee\u4e0d\u591a\u3002<\/p>\n<p>\/\/https:\/\/www.cnblogs.com\/lsh123\/p\/8329989.html<\/p>\n<p>\u4efb\u610f\u8fdb\u7a0b\uff0c\u53ea\u8981\u6bcf\u6253\u5f00\u4e00\u4e2a\u5bf9\u8c61\uff08\u5305\u62ec\u6587\u4ef6\u3001\u8fdb\u7a0b\u3001\u7ebf\u7a0b\u7b49\u7b49\uff09\uff0c\u5c31\u4f1a\u83b7\u5f97\u4e00\u4e2a\u53e5\u67c4\u3002<\/p>\n<p>\u8fd9\u4e2a\u53e5\u67c4\u7528\u6765\u6807\u5fd7\u5bf9\u67d0\u4e2a\u5bf9\u8c61\u7684\u4e00\u6b21\u6253\u5f00\uff0c\u901a\u8fc7\u53e5\u67c4\uff0c\u53ef\u4ee5\u76f4\u63a5\u627e\u5230\u5bf9\u5e94\u7684\u5185\u6838\u5bf9\u8c61\u3002<\/p>\n<p>\u6bcf\u4e2a\u8fdb\u7a0b\u90fd\u6709\u4e00\u4e2a\u53e5\u67c4\u8868\uff0c\u7528\u6765\u8bb0\u5f55\u672c\u8fdb\u7a0b\u6253\u5f00\u7684\u6240\u6709\u5185\u6838\u5bf9\u8c61\u3002<\/p>\n<p>\u53e5\u67c4\u8868\u53ef\u4ee5\u7b80\u5355\u770b\u505a\u4e3a\u4e00\u4e2a\u4e00\u7ef4\u6570\u7ec4\uff0c\u6bcf\u4e2a\u8868\u9879\u5c31\u662f\u4e00\u4e2a\u53e5\u67c4\uff0c\u4e00\u4e2a\u7ed3\u6784\u4f53\uff0c\u4e00\u4e2a\u53e5\u67c4\u63cf\u8ff0\u7b26\u3002<\/p>\n<pre><code> struct _HANDLE_TABLE_ENTRY  \/\/\u53e5\u67c4\u63cf\u8ff0\u7b26  struct _HANDLE_TABLE    \/\/\u53e5\u67c4\u8868\u63cf\u8ff0\u7b26 
<\/code><\/pre>\n<p>\u597d\uff0c\u66f4\u52a0\u7ec6\u8282\u7684\u53e5\u67c4\u8868\u7684\u539f\u7406\u6211\u4eec\u4e0d\u7528\u518d\u6df1\u7a76\uff0c\u6211\u4eec\u53ea\u9700\u8981\u77e5\u9053\u6bcf\u4e2a\u8fdb\u7a0b\u90fd\u6709\u4e00\u4e2a\u53e5\u67c4\u8868\uff0c\u901a\u8fc7\u53e5\u67c4\u8868\u5c31\u53ef\u4ee5\u627e\u5230\u6253\u5f00\u7684\u6587\u4ef6\u3002<\/p>\n<p>\u8fd9\u5c31\u662f\u6211\u4eec\u7684\u76ee\u7684\uff0c\u6211\u4eec\u9700\u8981\u67e5\u5230\u8fdb\u7a0b\u662f\u4e0d\u662f\u6253\u5f00\u4e86\u6211\u4eec\u8981\u5220\u9664\u7684\u6587\u4ef6\uff0c\u6211\u4eec\u9700\u8981\u67e5\u53e5\u67c4\u8868\u3002<\/p>\n<p>\u90a3\u600e\u4e48\u67e5\u5462\uff1f<\/p>\n<p>\u64cd\u4f5c\u7cfb\u7edf\u7ed9\u7528\u6237\u63d0\u4f9b\u4e86\u4e00\u4e2a\u63a5\u53e3ZwQuerySystemInformation\u3002<\/p>\n<pre><code>NTSTATUS WINAPI ZwQuerySystemInformation(   _In_      SYSTEM_INFORMATION_CLASS SystemInformationClass,   _Inout_   PVOID                    SystemInformation,   _In_      ULONG                    SystemInformationLength,   _Out_opt_ PULONG                   ReturnLength ); <\/code><\/pre>\n<p>\u5b83\u53ef\u4ee5\u83b7\u53d6\u7cfb\u7edf\u975e\u5e38\u591a\u7684\u4fe1\u606f\uff0c\u5305\u62ec\u8fdb\u7a0b\u3001\u6a21\u5757\u3001\u5904\u7406\u5668\u3001\u5185\u5b58\u7b49\u7b49\u5404\u79cd\u4fe1\u606f\u3002<\/p>\n<p>\u800c SystemHandleInformation = 16 \u5c31\u80fd\u83b7\u53d6\u5230\u7cfb\u7edf\u6240\u6709\u7684\u53e5\u67c4\u4fe1\u606f\u3002不过注意下面这个结构里 UniqueProcessId 和 HandleValue 都是 USHORT，PID 或句柄值一旦超过 65535 就会被截断而指向错误的进程或句柄；写工具时通常改用 SystemExtendedHandleInformation（64），它的对应字段是 ULONG_PTR。另外这个调用要以 STATUS_INFO_LENGTH_MISMATCH 为信号循环扩大缓冲区，直到成功再解析，否则 NumberOfHandles 后面的表项是不完整的。<\/p>\n<pre><code>typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {     USHORT UniqueProcessId;\/\/\u6240\u5c5e\u8fdb\u7a0b     USHORT CreatorBackTraceIndex;     UCHAR ObjectTypeIndex;     UCHAR HandleAttributes;     USHORT HandleValue; \/\/\u53e5\u67c4     PVOID Object;     ULONG GrantedAccess; } SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;  typedef struct _SYSTEM_HANDLE_INFORMATION {     ULONG NumberOfHandles;     SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; 
<\/code><\/pre>\n<p>\u65e2\u7136\u77e5\u9053\u4e86\u65b9\u6cd5\uff0c\u4e0b\u9762\u5c31\u5f00\u59cb\u679a\u4e3e\u6240\u6709\u53e5\u67c4\uff0c\u627e\u5230\u6211\u4eec\u88ab\u5360\u7528\u7684\u6587\u4ef6\u7684\u8fdb\u7a0b\u4fe1\u606f\u3002<\/p>\n<pre><code>Status = ZwQuerySystemInformation(SystemHandleInformation,             Information,             Length,             &amp;ReturnLength);  for (i = 0; i &lt; Information-&gt;NumberOfHandles; i++) {     if (Information-&gt;Handles[i].UniqueProcessId != CurrentProcessId) {\/\/\u4e0d\u662f\u5f53\u524d\u8fdb\u7a0b         Status = ZwQueryObject(TargetHandle, ObjectTypeInformation, &amp;TypeInfo, sizeof(TypeInfo), NULL);         RtlInitUnicodeString(&amp;TargetType, L\"File\");         if (!RtlEqualUnicodeString(&amp;TypeInfo.Info.TypeName, &amp;TargetType, FALSE)) {             goto __next;         }         Status = ZwQueryObject(TargetHandle, ObjectNameInformation, &amp;NameInfo, sizeof(NameInfo), NULL);         if (RtlEqualUnicodeString(&amp;NameInfo.Info.Name, &amp;FileName, FALSE)) {             printf(\"\u5728\u8fdb\u7a0b(%d)\u53d1\u73b0\u6587\u4ef6\u5360\u7528\uff1a(%x) %wZn\",                     ProcessId,                     Information-&gt;Handles[i].HandleValue,                     &amp;NameInfo.Info.Name);         }     } } <\/code><\/pre>\n<p>ZwQuerySystemInformation \u83b7\u53d6\u5230\u6240\u6709\u53e5\u67c4\u4fe1\u606f\uff0c\u901a\u8fc7\u5faa\u73af\u679a\u4e3e Information-&gt;Handles\uff0c\u627e\u5230\u53e5\u67c4\u7c7b\u578b\u5c5e\u4e8e File\uff0c\u8def\u5f84\u662f\u76ee\u6807\u6587\u4ef6\u7684\u8fdb\u7a0b\u3002<\/p>\n<p>ZwQueryObject \u4f20\u5165 ObjectTypeInformation \u53ef\u4ee5\u83b7\u53d6\u53e5\u67c4\u7c7b\u578b\uff0cZwQueryObject \u4f20\u5165 ObjectNameInformation 
\u53ef\u4ee5\u83b7\u53d6\u6587\u4ef6\u8def\u5f84\u3002<\/p>\n<p>\u5982\u6b64\u4e24\u4e2a\u6761\u4ef6\u7684\u5bf9\u6bd4\uff0c\u5c31\u80fd\u8ba9\u6211\u4eec\u627e\u5230\u5360\u7528\u6587\u4ef6\u7684\u8fdb\u7a0b\u4e86\u3002不过有两点不能省：ObjectNameInformation 返回的是内核对象路径（形如 \\Device\\HarddiskVolumeN\\...），而不是 C:\\... 这样的 DOS 路径，对比之前要先把目标文件路径转换成同样的形式，否则永远匹配不上；上面的片段也没有检查每次调用返回的 Status，实际代码里失败就应该跳过该句柄，而不是拿着未初始化的 TypeInfo\/NameInfo 去比较。<\/p>\n<p>\u662f\u4e0d\u662f\u611f\u89c9\u8fd8\u633a\u7b80\u5355\uff0c\u4e0d\u590d\u6742\u561b\u3002<\/p>\n<h1>\u5751\u4e00\uff1aZwQueryObject<\/h1>\n<p> <\/p>\n<p>\u524d\u9762\u63d0\u5230\uff0c\u6bcf\u4e2a\u8fdb\u7a0b\u90fd\u6709\u81ea\u5df1\u7684\u53e5\u67c4\u8868\uff0c\u6240\u4ee5 ZwQuerySystemInformation \u679a\u4e3e\u62ff\u5230\u7684\u53e5\u67c4\u5e76\u4e0d\u80fd\u76f4\u63a5\u4f7f\u7528\uff0c\u8fd8\u9700\u8981\u590d\u5236\u4e00\u4efd\u5230\u672c\u8fdb\u7a0b\u624d\u6709\u6548\u3002<\/p>\n<p>\u7cfb\u7edf\u4e5f\u63d0\u4f9b\u4e86 API \u53eb\u505aDuplicateHandle:<\/p>\n<pre><code>BOOL DuplicateHandle(   HANDLE   hSourceProcessHandle,   HANDLE   hSourceHandle,   HANDLE   hTargetProcessHandle,   LPHANDLE lpTargetHandle,   DWORD    dwDesiredAccess,   BOOL     bInheritHandle,   DWORD    dwOptions );  DuplicateHandle(hSrcProc, Information-&gt;Handles[i].HandleValue, hCurProc, TargetHandle, ...); <\/code><\/pre>\n<p>\u4e0a\u9762\u6211\u4eec\u4f7f\u7528\u7684 TargetHandle \u5c31\u662f\u901a\u8fc7\u590d\u5236\u83b7\u53d6\u7684\u3002这一步要求 hSrcProc 是以 PROCESS_DUP_HANDLE 权限打开的（对其他用户或受保护的进程，通常意味着需要管理员权限甚至 SeDebugPrivilege）。也要明白，后面不管是让目标进程自己调 CloseHandle，还是用 DuplicateHandle 加 DUPLICATE_CLOSE_SOURCE 远程关闭，都是在目标进程不知情的情况下把句柄抽走：它之后再用这个句柄值时，读写的可能已经是它新打开的另一个对象，所以只应对确认能承受这种后果的进程这么做。<\/p>\n<p>\u8fd9\u4e2a\u5730\u65b9\u5e76\u4e0d\u662f\u5751\uff0c\u800c\u662f\u5728\u901a\u8fc7 ZwQueryObject \u83b7\u53d6\u53e5\u67c4\u5bf9\u5e94\u7684\u6587\u4ef6\u8def\u5f84\u65f6\uff0c\u4f1a\u53d1\u751f\u963b\u585e\uff0c\u5bfc\u81f4\u7a0b\u5e8f\u5361\u6b7b\u65e0\u6cd5\u7ee7\u7eed\u8fd0\u884c\u3002<\/p>\n<pre><code>0: kd&gt; kv  # ChildEBP RetAddr  Args to Child 00 d7fdb7cc 828aacda 00000000 00000000 a7d73040 nt!KiSwapContext+0x19 (FPO: [Uses EBP] [1,0,4]) 01 d7fdb86c 828aa358 d7fdb930 a7d73120 a7d73040 nt!KiSwapThread+0x4aa (FPO: [Non-Fpo]) 02 d7fdb8c8 828a9d67 00000000 00000000 00000000 nt!KiCommitThreadWait+0x128 (FPO: [Non-Fpo]) 03 d7fdb978 829298a3 8ff18afc 00000000 a7d73300 nt!KeWaitForSingleObject+0x1f7 (FPO: [Non-Fpo]) 
04 d7fdb9a4 82c0759f 88c0e801 d7fdba18 8ff18ab0 nt!IopWaitForLockAlertable+0x3f (FPO: [Non-Fpo]) 05 d7fdb9cc 82d3f75c 88c0e800 a7d733f8 d7fdb9ef nt!IopWaitAndAcquireFileObjectLock+0x41 (FPO: [Non-Fpo]) 06 d7fdba1c 82bed31a 000001ee d7fdbb01 9a651dc0 nt!IopQueryXxxInformation+0x150f3e 07 d7fdba9c 82becf65 00000000 007af7a4 00000210 nt!IopQueryNameInternal+0x31a (FPO: [Non-Fpo]) 08 d7fdbab8 82bece25 8ff18ab0 87ff2400 007af7a4 nt!IopQueryName+0x1b (FPO: [Non-Fpo]) 09 d7fdbb40 82bec6a6 00000210 d7fdbc04 d7fdbb01 nt!ObQueryNameStringMode+0x495 (FPO: [Non-Fpo]) 0a d7fdbbf8 829cce6b 8ff18ab0 00000000 007af7a4 nt!NtQueryObject+0x186 (FPO: [SEH]) 0b d7fdbbf8 77cd5ef0 8ff18ab0 00000000 007af7a4 nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ d7fdbc14) <\/code><\/pre>\n<p>经过一些简单的分析，如果文件是以同步 I\/O 方式打开的（FileObject-&gt;Flags 带 FO_SYNCHRONOUS_IO，也就是打开时没有指定 FILE_FLAG_OVERLAPPED），内核在查询名字之前会先等待文件对象锁，等其他线程的操作完成，本线程才能拿到所有权；如果持有锁的那个线程自己正阻塞在一个迟迟不返回的 I\/O 上，这个等待就会无限期卡住。<\/p>\n<pre><code>\/\/     \/\/ Make a special check here to determine whether this is a synchronous     \/\/ I\/O operation.  If it is, then wait here until the file is owned by     \/\/ the current thread.  If this is not a (serialized) synchronous I\/O     \/\/ operation, then initialize the local event.     
\/\/      if (FileObject-&gt;Flags &amp; FO_SYNCHRONOUS_IO) {          BOOLEAN interrupted;          if (!IopAcquireFastLock( FileObject )) {             status = IopAcquireFileObjectLock( FileObject,                                                Mode,                                                (BOOLEAN) ((FileObject-&gt;Flags &amp; FO_ALERTABLE_IO) != 0),                                                &amp;interrupted );             if (interrupted) {                 ObDereferenceObject( FileObject );                 return status;             }         }         KeClearEvent( &amp;FileObject-&gt;Event );         synchronousIo = TRUE;     } <\/code><\/pre>\n<p>\u6240\u4ee5\u8fd9\u91cc\u6211\u4eec\u5c31\u9700\u8981\u901a\u8fc7\u7ebf\u7a0b\u548c\u8d85\u65f6\u7684\u65b9\u5f0f\u6765\u8c03\u7528 ZwQueryObject\uff0c\u8ba9\u7a0b\u5e8f\u53ef\u4ee5\u4e0d\u963b\u585e\u6b63\u5e38\u8fd0\u884c\u3002但这只是绕过而不是解决：卡住的那个线程正处在内核等待里，TerminateThread 只是把终止请求排进去，线程要等那个等待自己返回才会真正退出，在此之前它和那份复制出来的 TargetHandle 都会一直挂着，每遇到一个这样的句柄就泄漏一份。更稳妥的做法是尽量少走到这一步，例如先用句柄表里的 ObjectTypeIndex 筛掉非 File 类型的句柄，再跳过那些已知会阻塞的句柄（典型的是以同步方式打开的管道），只对剩下的才去查名字。<\/p>\n<pre><code>void QueryThread(     IN PQUERY_CONTEXT Context ) {     Status = ZwQueryObject(TargetHandle, ObjectNameInformation, &amp;NameInfo, sizeof(NameInfo), NULL); }  ThreadHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)QueryThread, Context, 0, NULL); Result = WaitForSingleObject(ThreadHandle, 1000); \/\/\u7b49\u5f85 1 \u79d2\u8d85\u65f6\uff0c\u7ebf\u7a0b\u9000\u51fa TerminateThread(ThreadHandle, 0); CloseHandle(ThreadHandle); <\/code><\/pre>\n<h1>\u5751\u4e8c\uff1a\u6587\u4ef6 Map<\/h1>\n<p> <\/p>\n<p>\u89e3\u51b3\u4e0a\u9762\u7684\u95ee\u9898\u4e4b\u540e\uff0c\u6211\u4eec\u57fa\u672c\u5c31\u89e3\u51b3\u4e86\u6587\u4ef6\u5360\u7528\u7684\u95ee\u9898\uff0c\u5927\u90e8\u5206\u60c5\u51b5\u4e0b\uff0c\u6211\u4eec\u53ef\u4ee5\u6b63\u5e38\u5220\u9664\u6587\u4ef6\u4e86\u3002<\/p>\n<p>\u53ef\u662f&#8230;<\/p>\n<p>\u67d0\u4e9b\u65f6\u5019\uff0c\u6211\u4eec\u8981\u5220\u9664\u7684\u6587\u4ef6\u5e76\u4e0d\u662f\u666e\u901a\u6587\u4ef6\uff0c\u53ef\u80fd\u662f\u4e00\u4e2a DLL 
\u3001\u6216\u8005\u5176\u4ed6\u7279\u6b8a\u6587\u4ef6\u3002<\/p>\n<p>\u5173\u95ed\u6240\u6709\u5360\u7528\u7684\u53e5\u67c4\u540e\uff0c\u4f9d\u7136\u65e0\u6cd5\u5220\u9664\u6587\u4ef6\uff0c\u8fd8\u662f\u63d0\u793a\u5360\u7528\u3002<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" referrerpolicy=\"no-referrer\" rel=\"noreferrer\" src=\"http:\/\/4563.org\/wp-content\/uploads\/2021\/01\/394321_RNKXT5N3X4PPMD8.png\" alt=\"\u5ea6\u63a2\u7d22\uff1a\u89e3\u9664\u6587\u4ef6\u5360\u7528\u90a3\u4e9b\u5751\" \/><\/p>\n<p>\u8fd9\u53ef\u600e\u4e48\u529e\uff1f<\/p>\n<p>\u7c7b\u4f3c\u4e8e DLL \u8fd9\u79cd\u6587\u4ef6\uff0c\u8fdb\u7a0b\u5728\u4f7f\u7528\u4e2d\uff0c\u64cd\u4f5c\u7cfb\u7edf\u4f1a\u6620\u5c04\u4e00\u4efd\u5185\u5b58\u5230\u8fdb\u7a0b\u7a7a\u95f4\uff0c\u6b64\u65f6\u5e76\u6ca1\u6709\u53e5\u67c4\u4e0e\u4e4b\u5bf9\u5e94\u3002<\/p>\n<p>\u4f46\u662f\u5b83\u5374\u5173\u8054\u4e86\u6587\u4ef6\u7684\u5185\u6838\u5bf9\u8c61\uff0c\u4e13\u4e1a\u672f\u8bed\u8bf4\u589e\u52a0\u4e86\u4e00\u6b21\u6587\u4ef6\u5bf9\u8c61\u7684\u5f15\u7528\u3002<\/p>\n<p>\u6211\u4eec\u8981\u77e5\u9053\uff0c\u4e3a\u4e86\u80fd\u591f\u5b89\u5168\u5220\u9664\u4e00\u4e2a\u6587\u4ef6\uff0c\u64cd\u4f5c\u7cfb\u7edf\u9700\u8981\u4fdd\u8bc1\u8be5\u6587\u4ef6\u7684\u5185\u6838\u5bf9\u8c61\u5728\u4e24\u79cd\u5f15\u7528\u8ba1\u6570\u4e0a\u6e05\u96f6\u3002<\/p>\n<p>\u4e00\u4e2a\u662f\u53e5\u67c4\u5f15\u7528\u8ba1\u6570\uff0c\u4e00\u4e2a\u662f\u5bf9\u8c61\u5f15\u7528\u8ba1\u6570\u3002<\/p>\n<p>\u524d\u9762\u6211\u4eec\u901a\u8fc7\u679a\u4e3e\u53e5\u67c4\uff0c\u5c06\u53e5\u67c4\u5f15\u7528\u8ba1\u6570\u6e05\u96f6\u3002<\/p>\n<p>\u4f46\u662f\u56e0\u4e3a\u5171\u4eab\u5185\u5b58\u7684\u539f\u56e0\uff0c\u5bf9\u8c61\u5f15\u7528\u8ba1\u6570\u4ecd\u672a\u6e05\u96f6\uff0c\u6240\u4ee5\u65e0\u6cd5\u5220\u9664\u6587\u4ef6\u3002<\/p>\n<pre><code>0: kd&gt; !handle 48  PROCESS fffffa801b7c6060     SessionId: 1  Cid: 0b70    Peb: 7efdf000  ParentCid: 0588     DirBase: 1bfea000  ObjectTable: fffff8a0029f27e0  HandleCount: 157.     
Image: procexp.exe  Handle table at fffff8a0029f27e0 with 157 entries in use  0004: Object: fffffa801bdcca10  GrantedAccess: 00000003 Entry: fffff8a0020cc010 Object: fffffa801bdcca10  Type: (fffffa8018dcfa30) File     ObjectHeader: fffffa801bdcc9e0 (new version)         HandleCount: 0\/\/\u53e5\u67c4\u5f15\u7528\u8ba1\u6570  PointerCount: 1 \/\/\u5bf9\u8c61\u5f15\u7528\u8ba1\u6570 <\/code><\/pre>\n<p>\u6211\u4eec\u901a\u8fc7!vad \u4fe9\u770b\u770b\u5185\u5b58 map \u3002<\/p>\n<pre><code>0: kd&gt; !vad fffffa8019d34e00 VAD           Level     Start       End Commit fffffa8019d34e00  0      1000      12ce      0 Mapped       READONLY           WindowsGlobalizationSortingSortDefault.nls  0: kd&gt; dt _mmvad fffffa8019d34e00 nt!_MMVAD    +0x000 u1               : &lt;unnamed-tag&gt;    +0x008 LeftChild        : (null)     +0x010 RightChild       : (null)     +0x018 StartingVpn      : 0x1000    +0x020 EndingVpn        : 0x12ce    +0x028 u                : &lt;unnamed-tag&gt;    +0x030 PushLock         : _EX_PUSH_LOCK    +0x038 u5               : &lt;unnamed-tag&gt;    +0x040 u2               : &lt;unnamed-tag&gt;    +0x048 Subsection       : 0xfffffa80`1b56ef90 _SUBSECTION    +0x048 MappedSubsection : 0xfffffa80`1b56ef90 _MSUBSECTION    +0x050 FirstPrototypePte : 0xfffff8a0`00b02000 _MMPTE    +0x058 LastContiguousPte : 0xfffff8a0`00b03670 _MMPTE    +0x060 ViewLinks        : _LIST_ENTRY [ 0xfffffa80`18ec81c0 - 0xfffffa80`18fcd190 ]    +0x070 VadsProcess      : 0xfffffa80`1b7c6061 _EPROCESS 0: kd&gt; dt 0xfffffa80`1b56ef90 _SUBSECTION nt!_SUBSECTION    +0x000 ControlArea      : 0xfffffa80`1b56ef10 _CONTROL_AREA    +0x008 SubsectionBase   : 0xfffff8a0`00b02000 _MMPTE    +0x010 NextSubsection   : 0xfffffa80`193a0a60 _SUBSECTION    +0x018 PtesInSubsection : 0x2cf    +0x020 UnusedPtes       : 0    +0x020 GlobalPerSessionHead : (null)     +0x028 u                : &lt;unnamed-tag&gt;    +0x02c StartingSector   : 0    +0x030 NumberOfFullSectors : 0x2cf 0: kd&gt; dt 
0xfffffa80`1b56ef10 _CONTROL_AREA nt!_CONTROL_AREA    +0x000 Segment          : 0xfffff8a0`03b31fd0 _SEGMENT    +0x008 DereferenceList  : _LIST_ENTRY [ 0x00000000`00000000 - 0x00000000`00000000 ]    +0x018 NumberOfSectionReferences : 0    +0x020 NumberOfPfnReferences : 0x101    +0x028 NumberOfMappedViews : 0x2a    +0x030 NumberOfUserReferences : 0x2a    +0x038 u                : &lt;unnamed-tag&gt;    +0x03c FlushInProgressCount : 0    +0x040 FilePointer      : _EX_FAST_REF    +0x048 ControlAreaLock  : 0n0    +0x04c ModifiedWriteCount : 0    +0x04c StartingFrame    : 0    +0x050 WaitList         : (null)     +0x058 u2               : &lt;unnamed-tag&gt;    +0x068 LockedPages      : 1    +0x070 ViewList         : _LIST_ENTRY [ 0xfffffa80`1be91570 - 0xfffffa80`1abbe690 ] 0: kd&gt; dx -id 0,0,fffffa801b7c6060 -r1 (*((ntkrnlmp!_EX_FAST_REF *)0xfffffa801b56ef50)) (*((ntkrnlmp!_EX_FAST_REF *)0xfffffa801b56ef50))                 [Type: _EX_FAST_REF]     [+0x000] Object           : 0xfffffa801b61fa14 [Type: void *]     [+0x000 ( 3: 0)] RefCnt           : 0x4 [Type: unsigned __int64]     [+0x000] Value            : 0xfffffa801b61fa14 [Type: unsigned __int64] 0: kd&gt; !object 0xfffffa801b61fa10 Object: fffffa801b61fa10  Type: (fffffa8018dcfa30) File     ObjectHeader: fffffa801b61f9e0 (new version)     HandleCount: 0  PointerCount: 5     Directory Object: 00000000  Name: WindowsGlobalizationSortingSortDefault.nls {HarddiskVolume2}  0: kd&gt; dt _file_object 0xfffffa801b61fa10 nt!_FILE_OBJECT    +0x000 Type             : 0n5    +0x002 Size             : 0n216    +0x008 DeviceObject     : 0xfffffa80`19e9d530 _DEVICE_OBJECT    +0x010 Vpb              : 0xfffffa80`19eca270 _VPB    +0x018 FsContext        : 0xfffff8a0`00ad0140 Void    +0x020 FsContext2       : 0xfffff8a0`00ad0330 Void    +0x028 SectionObjectPointer : 0xfffffa80`1b61f808 _SECTION_OBJECT_POINTERS 0: kd&gt; dx -id 0,0,fffffa801b7c6060 -r1 ((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0xfffffa801b61f808) 
((ntkrnlmp!_SECTION_OBJECT_POINTERS *)0xfffffa801b61f808)                 : 0xfffffa801b61f808 [Type: _SECTION_OBJECT_POINTERS *]     [+0x000] DataSectionObject : 0xfffffa801b56ef10 [Type: void *] \/\/\u5176\u5b9e\u5c31\u662f\u524d\u9762\u7684_mmvad-&gt;Subsection-&gt;ControlArea     [+0x008] SharedCacheMap   : 0x0 [Type: void *]     [+0x010] ImageSectionObject : 0x0 [Type: void *] <\/code><\/pre>\n<p>SortDefault.nls \u662f\u88ab\u6620\u5c04\u5230\u4e86\u8fdb\u7a0b\u4e2d\uff0c\u901a\u8fc7_mmvad-&gt;Subsection-&gt;ControlArea-&gt;FilePointer \u6211\u4eec\u53ef\u4ee5\u4e00\u6b65\u6b65\u5b9a\u4f4d\u5230\u5b83\u5f15\u7528\u7684\u6587\u4ef6\u5bf9\u8c61\u3002<\/p>\n<p><code>!object 0xfffffa801b61fa10<\/code>\u770b\u5230\u786e\u5b9e\u662f\u8be5\u6587\u4ef6\uff0c\u4e5f\u53ef\u4ee5\u901a\u8fc7 fileobject-&gt;SectionObjectPointer-&gt;DataSectionObject \u627e\u5230\u5bf9\u5e94\u7684\u6620\u5c04\u5185\u5b58\u3002<\/p>\n<p>\u5982\u6b64\u6211\u4eec\u521d\u6b65\u7406\u89e3\u4e86\u6587\u4ef6 map \u5bfc\u81f4\u6587\u4ef6\u5360\u7528\u65e0\u6cd5\u5220\u9664\u6587\u4ef6\u7684\u539f\u7406\u3002<\/p>\n<p>\u4e0b\u9762\u6211\u4eec\u5c31\u9700\u8981\u627e\u5230\u65b9\u6cd5\u600e\u4e48\u89e3\u51b3\u8fd9\u4e2a\u95ee\u9898\u3002<\/p>\n<p>\u9996\u5148\uff0c\u9700\u8981\u679a\u4e3e\u8fdb\u7a0b\u7684\u865a\u62df\u5185\u5b58\uff0c\u627e\u5230\u662f\u5426\u6709\u6211\u4eec\u9700\u8981\u67e5\u627e\u7684\u6587\u4ef6\u7684 map\uff0c\u7136\u540e\u5bf9\u8be5\u8fdb\u7a0b\u6709\u4e24\u79cd\u64cd\u4f5c\uff1a<\/p>\n<ol>\n<li>\u975e\u5e38\u66b4\u529b\u4f46\u662f\u7b80\u5355\u7684\u65b9\u6cd5\uff0c\u90a3\u5c31\u662f\u76f4\u63a5\u5173\u95ed\u8fdb\u7a0b<\/li>\n<li>\u6216\u8005 unmap 
\u8fd9\u5757\u5185\u5b58\uff0c\u89e3\u9664\u5bf9\u8c61\u5f15\u7528\u8ba1\u6570\uff08\u7ecf\u8fc7\u6d4b\u8bd5\uff0c\u672a\u6210\u529f\uff0c\u5f85\u6df1\u5165\u7814\u7a76\uff0c\u4e5f\u8bf7\u5927\u4f6c\u6307\u6559\uff09<\/li>\n<\/ol>\n<p>\u5982\u4f55\u679a\u4e3e\u865a\u62df\u5185\u5b58\u5462\uff0c\u4f7f\u7528ZwQueryVirtualMemory.<\/p>\n<pre><code>NTSTATUS ZwQueryVirtualMemory(   _In_      HANDLE                   ProcessHandle,   _In_opt_  PVOID                    BaseAddress,   _In_      MEMORY_INFORMATION_CLASS MemoryInformationClass,   _Out_     PVOID                    MemoryInformation,   _In_      SIZE_T                   MemoryInformationLength,   _Out_opt_ PSIZE_T                  ReturnLength );  \/\/MemoryBasicInformation typedef struct _MEMORY_BASIC_INFORMATION {   PVOID  BaseAddress;   PVOID  AllocationBase;   ULONG  AllocationProtect;   USHORT PartitionId;   SIZE_T RegionSize;   ULONG  State;   ULONG  Protect;   ULONG  Type; } MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;  Type The type of pages in the region. The following types are defined. MEM_IMAGE 0x1000000 Indicates that the memory pages within the region are mapped into the view of an image section. MEM_MAPPED 0x40000 Indicates that the memory pages within the region are mapped into the view of a section. MEM_PRIVATE 0x20000 Indicates that the memory pages within the region are private (that is, not shared by other processes). 
<\/code><\/pre>\n<p>从 0 地址开始，每次按返回的 RegionSize 往前推进（逐页查询会慢很多），获取内存信息，\u5982\u679c\u5185\u5b58\u7684 type \u662f MEM_IMAGE \u6216\u8005 MEM_MAPPED\uff0c\u90a3\u4e48\u5c31\u662f\u6587\u4ef6 map\uff0c\u7136\u540e\u83b7\u53d6\u865a\u62df\u5185\u5b58\u5bf9\u5e94\u540d\u5b57\uff0c\u5224\u65ad\u662f\u4e0d\u662f\u76ee\u6807\u6587\u4ef6\u3002<\/p>\n<pre><code>for (;;) {     Status = ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryBasicInformation,         &amp;MemoryInfo, sizeof(MemoryInfo), NULL);     if (MemoryInfo.Type == MEM_IMAGE ||  \/\/image         MemoryInfo.Type == MEM_MAPPED) { \/\/data             Status = ZwQueryVirtualMemory(ProcessHandle, BaseAddress, MemoryMappedFilenameInformation, &amp;Name, sizeof(Name), NULL);             if (RtlEqualUnicodeString(&amp;Name.u, &amp;TargetName, TRUE)) {                 \/\/\u627e\u5230\u76ee\u6807\u6587\u4ef6                 break;             }         }     } } <\/code><\/pre>\n<p>找到目标进程后，关闭进程，文件就能删除了。但要清楚这对目标进程来说就是一次强制终止，它未保存的数据会丢，所以只应对确认可以承受的进程这么做；对系统服务之类不能随便杀的进程，更稳妥的替代是先把文件改名，再用 MoveFileEx 的 MOVEFILE_DELAY_UNTIL_REBOOT 把删除推迟到下次重启。<\/p>\n<p>\u4ee3\u7801\u90fd\u5728\u73af 3 \u5b8c\u6210\u3002\u5de5\u5177\u5728\u6b64\uff1aFileLock<\/p>\n<p>\uff08\u5b8c\uff09<\/p>\n<p>\u6b22\u8fce\u5173\u6ce8 gzh\uff1a\u6c49\u5ba2\u513f <\/p>\n<\/p><\/div>\n<div> <b>\u5927\u4f6c\u6709\u8a71\u8aaa<\/b> (<span>0<\/span>)        <\/div>\n<div> <\/div>\n<\/p><\/div>\n<\/p><\/div>\n<ul>\n<li>\n","protected":false},"excerpt":{"rendered":"<p>\u5ea6\u63a2\u7d22\uff1a\u89e3\u9664\u6587\u4ef6\u5360\u7528\u90a3\u4e9b\u5751 
\u8cc7\u6df1\u5927&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[],"tags":[],"_links":{"self":[{"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts\/287548"}],"collection":[{"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=287548"}],"version-history":[{"count":1,"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts\/287548\/revisions"}],"predecessor-version":[{"id":287551,"href":"http:\/\/4563.org\/index.php?rest_route=\/wp\/v2\/posts\/287548\/revisions\/287551"}],"wp:attachment":[{"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=287548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=287548"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/4563.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=287548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}