I want to hijack handles. I go through the handle table and search for all handles that are process handles.
NTSTATUS status = ZwQuerySystemInformation(SystemHandleInformation, NULL, 0, &bytes);
PSYSTEM_HANDLE_TABLE_INFORMATION SysHandleTable = reinterpret_cast<PSYSTEM_HANDLE_TABLE_INFORMATION>(ExAllocatePoolWithTag(NonPagedPool, bytes, 0x74616731));
ZwQuerySystemInformation(SystemHandleInformation, SysHandleTable, bytes, NULL);
bytes = bytes + (SysHandleTable->HandleCount * sizeof(_SYSTEM_HANDLE_TABLE_ENTRY)) + 256; //256 for good measures
ExFreePoolWithTag(SysHandleTable, 0x74616731);
SysHandleTable = reinterpret_cast<PSYSTEM_HANDLE_TABLE_INFORMATION>(ExAllocatePoolWithTag(NonPagedPool, bytes, 0x74616731));
status = ZwQuerySystemInformation(SystemHandleInformation, SysHandleTable, bytes, NULL);
if (NT_SUCCESS(status))
{
for (ULONG i = 0; i < SysHandleTable->HandleCount; i++)
{
if (SysHandleTable->Handles[i].Handle != NULL)
{
if (SysHandleTable->Handles[i].ObjectTypeNumber == 0x7) // Is the current Handle a process handle
{
After I've found a process handle, my code gets the PEPROCESS of the process the handle belongs to.
PEPROCESS processToHijack;
HANDLE procHandle = NULL;
status = PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(SysHandleTable->Handles[i].ProcessId), &processToHijack);
if (NT_SUCCESS(status))
{
Up to this point I haven't had any problems, but as soon as I call ObOpenObjectByPointer my VM crashes with a BSOD whose bug check code is INVALID_KERNEL_HANDLE.
status = ObOpenObjectByPointer(processToHijack, NULL, NULL, PROCESS_ALL_ACCESS, *PsProcessType, UserMode, &procHandle);
Why am I doing this? I want to hijack an existing handle to a process, and I want that handle to be a process handle. I go through all process handles and "open a handle to the process that the handle belongs to" so that I can ZwDuplicateObject the original process handle and compare its UniqueProcessId with the process I want to hijack. If the handle isn't a handle to my process, I close all opened handles and continue with the next one. If I find a matching handle, I give it to the process that controls the driver and close the original one, effectively hijacking the handle.
Full code:
/// Enumerates the system handle table and, for every entry the author treats as a
/// process handle (ObjectTypeNumber == 0x7), resolves the owning process from the
/// entry's ProcessId and opens a handle to it with ObOpenObjectByPointer.
/// The comparison against _ProcessID and the ObDuplicateObject call that would hand
/// the handle to the caller exist only in the commented-out block below, so the live
/// code opens and closes handles without producing any result.
///
/// @param _ProcessID  PID to match; referenced only inside the commented-out block.
/// @param _Response   Destination for the duplicated handle; likewise referenced only
///                    inside the commented-out ObDuplicateObject call.
///
/// Kernel-mode routine (Zw*/Ex*/Ob*/Ps* APIs). No return value; failures are only
/// reported through DbgPrintEx.
void KernelMemory::GetHandleToProcess(HANDLE _ProcessID, void* _Response)
{
ULONG bytes;
// Intended to carry the duplicated ("hijacked") handle; only the commented-out
// block would produce one.
HANDLE hijackHandle = NULL;
// Outer declarations. NOTE(review): the loop body below redeclares
// processToHijack and procHandle, so these outer ones are shadowed there.
HANDLE procHandle = NULL;
PEPROCESS processToHijack;
// First query passes a NULL buffer only to learn the required size in `bytes`.
NTSTATUS status = ZwQuerySystemInformation(SystemHandleInformation, NULL, 0, &bytes);
PSYSTEM_HANDLE_TABLE_INFORMATION SysHandleTable = reinterpret_cast<PSYSTEM_HANDLE_TABLE_INFORMATION>(ExAllocatePoolWithTag(NonPagedPool, bytes, 0x74616731));
// Second query fills a buffer of that size; its return status is discarded.
ZwQuerySystemInformation(SystemHandleInformation, SysHandleTable, bytes, NULL);
// Enlarge by one entry per reported handle plus slack, then reallocate and query a
// third time — presumably to absorb handles created between the calls (author's intent,
// not stated on the page).
bytes = bytes + (SysHandleTable->HandleCount * sizeof(_SYSTEM_HANDLE_TABLE_ENTRY)) + 256; //256 for good measures
ExFreePoolWithTag(SysHandleTable, 0x74616731);
SysHandleTable = reinterpret_cast<PSYSTEM_HANDLE_TABLE_INFORMATION>(ExAllocatePoolWithTag(NonPagedPool, bytes, 0x74616731));
status = ZwQuerySystemInformation(SystemHandleInformation, SysHandleTable, bytes, NULL);
// Only the third query's status gates the enumeration.
if (NT_SUCCESS(status))
{
for (ULONG i = 0; i < SysHandleTable->HandleCount; i++)
{
if (SysHandleTable->Handles[i].Handle != NULL)
{
// 0x7 is the object type index the author treats as "process"; nothing in this
// function establishes that mapping, it is taken as given.
if (SysHandleTable->Handles[i].ObjectTypeNumber == 0x7)
{
// Cleanup carried over from a previous iteration; refers to the OUTER
// procHandle/hijackHandle, not the loop-local ones declared just below.
if (procHandle != NULL || hijackHandle != NULL)
{
ZwClose(procHandle); ZwClose(hijackHandle);
}
// Loop-local redeclarations; the remainder of the body uses these.
PEPROCESS processToHijack;
HANDLE procHandle = NULL;
// Resolve the owning process (PID from the table entry) to a referenced EPROCESS.
status = PsLookupProcessByProcessId(reinterpret_cast<HANDLE>(SysHandleTable->Handles[i].ProcessId), &processToHijack);
if (NT_SUCCESS(status))
{
// Open a new handle to that process; the author reports the bugcheck occurs here.
status = ObOpenObjectByPointer(processToHijack, NULL, NULL, PROCESS_ALL_ACCESS, *PsProcessType, UserMode, &procHandle);
if (NT_SUCCESS(status))
{
}
// Printed on every path after the open, including success (status is then a success code).
DbgPrintEx(0, 0, "Error: %x", status);
}
// Per-iteration teardown of the loop-local handles and the process reference.
ZwClose(procHandle);
ZwClose(hijackHandle);
ObDereferenceObject(processToHijack);
/* Return the PID */
/*if (reinterpret_cast<HANDLE>(ProcessBasic.UniqueProcessId) == _ProcessID)
{
DbgPrintEx(0, 0, "%i is a Process Handle and a Handle to our target Proccess", i);
DbgPrintEx(0, 0, "%i Passed all checks", i);
status = ObDuplicateObject(process, reinterpret_cast<HANDLE>(SysHandleTable->Handles[i].Handle), PsGetCurrentProcess(), &reinterpret_cast<HANDLE>(_Response), NULL, NULL, DUPLICATE_CLOSE_SOURCE, ExGetPreviousMode()); //Might have to parse my PID
if (NT_SUCCESS(status)) { ExFreePoolWithTag(SysHandleTable, 0x74616731); break; }
}*/
}
// Every entry with a non-NULL Handle ends here, so the DbgPrintEx below is
// reached only for entries whose Handle is NULL.
continue;
}
DbgPrintEx(0, 0, "No more checking");
}
DbgPrintEx(0, 0, "FreeingPool");
// Release the table buffer allocated for the third query.
ExFreePoolWithTag(SysHandleTable, 0x74616731);
return;
}