Driver: native way to get handle object pointer

DarthTon · DarthTon · commit 37aa45b52f05 · 2017-04-22T22:43:45.000+03:00
diff --git a/src/BlackBoneDrv/Imports.h b/src/BlackBoneDrv/Imports.h
@@ -124,15 +124,13 @@ BOOLEAN
 NTAPI
 PsIsProtectedProcess( IN PEPROCESS Process );
 
-typedef VOID( NTAPI *PKNORMAL_ROUTINE )
-    (
+typedef VOID( NTAPI *PKNORMAL_ROUTINE )(
         PVOID NormalContext,
         PVOID SystemArgument1,
         PVOID SystemArgument2
     );
 
-typedef VOID( NTAPI* PKKERNEL_ROUTINE)
-    (
+typedef VOID( NTAPI* PKKERNEL_ROUTINE)(
         PRKAPC Apc,
         PKNORMAL_ROUTINE *NormalRoutine,
         PVOID *NormalContext,
@@ -180,3 +178,30 @@ RtlImageDirectoryEntryToData(
     USHORT DirectoryEntry,
     PULONG Size
     );
+
+
+typedef BOOLEAN ( *EX_ENUMERATE_HANDLE_ROUTINE )(
+#if !defined(_WIN7_)
+    IN PHANDLE_TABLE HandleTable,
+#endif
+    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
+    IN HANDLE Handle,
+    IN PVOID EnumParameter
+    );
+
+NTKERNELAPI
+BOOLEAN
+ExEnumHandleTable(
+    IN PHANDLE_TABLE HandleTable,
+    IN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedure,
+    IN PVOID EnumParameter,
+    OUT PHANDLE Handle
+    );
+
+NTKERNELAPI
+VOID
+FASTCALL
+ExfUnblockPushLock (
+    IN OUT PEX_PUSH_LOCK PushLock,
+    IN OUT PVOID WaitBlock
+    );
diff --git a/src/BlackBoneDrv/NativeStructs10.h b/src/BlackBoneDrv/NativeStructs10.h
@@ -171,6 +171,12 @@ typedef struct _HANDLE_TABLE
     ULONG NextHandleNeedingPool;
     long ExtraInfoPages;
     LONG_PTR TableCode;
+    PEPROCESS QuotaProcess;
+    LIST_ENTRY HandleTableList;
+    ULONG UniqueProcessId;
+    ULONG Flags;
+    EX_PUSH_LOCK HandleContentionEvent;
+    EX_PUSH_LOCK HandleTableLock;
     // More fields here...
 } HANDLE_TABLE, *PHANDLE_TABLE;
 
diff --git a/src/BlackBoneDrv/NativeStructs7.h b/src/BlackBoneDrv/NativeStructs7.h
@@ -185,7 +185,7 @@ typedef struct _HANDLE_TABLE
     HANDLE UniqueProcessId;
     void* HandleLock;
     struct _LIST_ENTRY HandleTableList;
-    void* HandleContentionEvent;
+    EX_PUSH_LOCK HandleContentionEvent;
     struct _HANDLE_TRACE_DEBUG_INFO *DebugInfo;
     int ExtraInfoPages;
     ULONG Flags;
diff --git a/src/BlackBoneDrv/NativeStructs8.h b/src/BlackBoneDrv/NativeStructs8.h
@@ -166,6 +166,12 @@ typedef struct _HANDLE_TABLE
     ULONG NextHandleNeedingPool;
     long ExtraInfoPages;
     ULONG_PTR TableCode;
+    struct _EPROCESS * QuotaProcess;
+    LIST_ENTRY HandleTableList;
+    ULONG UniqueProcessId;
+    ULONG Flags;
+    EX_PUSH_LOCK HandleContentionEvent;
+    EX_PUSH_LOCK HandleTableLock;
     // More fields here...
 } HANDLE_TABLE, *PHANDLE_TABLE;
 
diff --git a/src/BlackBoneDrv/NativeStructs81.h b/src/BlackBoneDrv/NativeStructs81.h
@@ -167,8 +167,12 @@ typedef struct _HANDLE_TABLE
     ULONG NextHandleNeedingPool;
     long ExtraInfoPages;
     LONG_PTR TableCode;
-    PEPROCESS QuotaProcess; 
+    struct _EPROCESS * QuotaProcess;
     LIST_ENTRY HandleTableList;
+    ULONG UniqueProcessId;
+    ULONG Flags;
+    EX_PUSH_LOCK HandleContentionEvent;
+    EX_PUSH_LOCK HandleTableLock;
     // More fields here...
 } HANDLE_TABLE, *PHANDLE_TABLE;
 
diff --git a/src/BlackBoneDrv/Routines.c b/src/BlackBoneDrv/Routines.c
@@ -1,5 +1,6 @@
 #include "BlackBoneDrv.h"
 #include "Routines.h"
+#include "Utils.h"
 #include <Ntstrsafe.h>
 
 LIST_ENTRY g_PhysProcesses;
@@ -14,9 +15,18 @@ LONG g_trIndex = 0;         // Trampoline global index
 /// <returns>Found entry, NULL if not found</returns>
 PMEM_PHYS_ENTRY BBLookupPhysMemEntry( IN PLIST_ENTRY pList, IN PVOID pBase );
 VOID BBWriteTrampoline( IN PUCHAR place, IN PVOID pfn );
+BOOLEAN BBHandleCallback(
+#if !defined(_WIN7_)
+    IN PHANDLE_TABLE HandleTable,
+#endif
+    IN PHANDLE_TABLE_ENTRY HandleTableEntry, 
+    IN HANDLE Handle, 
+    IN PVOID EnumParameter 
+    );
 
 #pragma alloc_text(PAGE, BBDisableDEP)
 #pragma alloc_text(PAGE, BBSetProtection)
+#pragma alloc_text(PAGE, BBHandleCallback)
 #pragma alloc_text(PAGE, BBGrantAccess)
 #pragma alloc_text(PAGE, BBCopyMemory)
 #pragma alloc_text(PAGE, BBAllocateFreeMemory)
@@ -136,18 +146,64 @@ NTSTATUS BBSetProtection( IN PSET_PROC_PROTECTION pProtection )
     return status;
 }
 
+/// <summary>
+/// Handle enumeration callback
+/// </summary>
+/// <param name="HandleTable">Process handle table</param>
+/// <param name="HandleTableEntry">Handle entry</param>
+/// <param name="Handle">Handle value</param>
+/// <param name="EnumParameter">User context</param>
+/// <returns>TRUE when desired handle is found</returns>
+BOOLEAN BBHandleCallback(
+#if !defined(_WIN7_)
+    IN PHANDLE_TABLE HandleTable,
+#endif
+    IN PHANDLE_TABLE_ENTRY HandleTableEntry,
+    IN HANDLE Handle,
+    IN PVOID EnumParameter
+    )
+{
+
+    BOOLEAN result = FALSE;
+    ASSERT( EnumParameter );
+
+    if (EnumParameter != NULL)
+    {
+        PHANDLE_GRANT_ACCESS pAccess = (PHANDLE_GRANT_ACCESS)EnumParameter;
+        if (Handle == (HANDLE)pAccess->handle)
+        {
+            if (ExpIsValidObjectEntry( HandleTableEntry ))
+            {
+                // Update access
+                HandleTableEntry->GrantedAccessBits = pAccess->access;
+                result = TRUE;
+            }
+            else
+                DPRINT( "BlackBone: %s: 0x%X:0x%X handle is invalid\n. HandleEntry = 0x%p",
+                    __FUNCTION__, pAccess->pid, pAccess->handle, HandleTableEntry
+                    );
+        }
+    }
+
+#if !defined(_WIN7_)
+    // Release implicit locks
+    _InterlockedExchangeAdd8( (char*)&HandleTableEntry->VolatileLowValue, 1 );  // Set Unlocked flag to 1
+    if (HandleTable != NULL && HandleTable->HandleContentionEvent)
+        ExfUnblockPushLock( &HandleTable->HandleContentionEvent, NULL );
+#endif
+
+    return result;
+}
+
 /// <summary>
 /// Change handle granted access
 /// </summary>
 /// <param name="pAccess">Request params</param>
 /// <returns>Status code</returns>
 NTSTATUS BBGrantAccess( IN PHANDLE_GRANT_ACCESS pAccess )
 {
-    NTSTATUS  status = STATUS_SUCCESS;
+    NTSTATUS status = STATUS_SUCCESS;
     PEPROCESS pProcess = NULL;
-    PHANDLE_TABLE pTable = NULL;
-    PHANDLE_TABLE_ENTRY pHandleEntry = NULL;
-    EXHANDLE exHandle;
 
     // Validate dynamic offset
     if (dynData.ObjTable == 0)
@@ -157,25 +213,15 @@ NTSTATUS BBGrantAccess( IN PHANDLE_GRANT_ACCESS pAccess )
     }
 
     status = PsLookupProcessByProcessId( (HANDLE)pAccess->pid, &pProcess );
+    if (NT_SUCCESS( status ) && BBCheckProcessTermination( pProcess ))
+        status = STATUS_PROCESS_IS_TERMINATING;
+
     if (NT_SUCCESS( status ))
     {
-        pTable = *(PHANDLE_TABLE*)((PUCHAR)pProcess + dynData.ObjTable);
-        exHandle.Value = (ULONG_PTR)pAccess->handle;
-
-        if (pTable)
-            pHandleEntry = ExpLookupHandleTableEntry( pTable, exHandle );
-
-        if (ExpIsValidObjectEntry( pHandleEntry ))
-        {
-            pHandleEntry->GrantedAccessBits = pAccess->access;
-        }
-        else
-        {
-            DPRINT( "BlackBone: %s: 0x%X:0x%X handle is invalid. HandleEntry = 0x%p\n", 
-                    __FUNCTION__, pAccess->pid, pAccess->handle, pHandleEntry );
-
-            status = STATUS_UNSUCCESSFUL;
-        }
+        PHANDLE_TABLE pTable = *(PHANDLE_TABLE*)((PUCHAR)pProcess + dynData.ObjTable);
+        BOOLEAN found = ExEnumHandleTable( pTable, &BBHandleCallback, pAccess, NULL );
+        if (found == FALSE)
+            status = STATUS_NOT_FOUND;
     }
     else
         DPRINT( "BlackBone: %s: PsLookupProcessByProcessId failed with status 0x%X\n", __FUNCTION__, status );
