#pragma once
#include "stdafx.h"
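// Windows NTSTATUS code STATUS_INFO_LENGTH_MISMATCH: the buffer handed to
// NtQuerySystemInformation was too small for the requested information class,
// so the caller is expected to grow it and query again. The value matches the
// SDK's ntstatus.h. Guarded so a translation unit that also includes
// <ntstatus.h> (before this header) does not get a macro-redefinition warning.
// Note the unsuffixed literal has type unsigned int; comparing a LONG NTSTATUS
// against it still works because the NTSTATUS is converted to unsigned.
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#endif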
// Function: LeakProcessObjectAddresses
// Description: Leaks the kernel address of every EPROCESS object the process identified by
//              processId currently has a HANDLE to.
//              NOTE(review): the handle table returned for SystemExtendedHandleInformation carries
//              objects of every type; confirm in the implementation whether the result is actually
//              filtered by ObjectTypeIndex or whether every handle's Object address is returned.
// Parameters:
//   processId       - The Process ID to enumerate, passed as a HANDLE to match UniqueProcessId in
//                     SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX below.
//   objectAddresses - Receives a pointer to an array of PVOID; each element is a kernel address.
//                     The caller owns the array and must free it (use the deallocator that matches
//                     the implementation's allocator -- check the .cpp).
//   objectCount     - Receives the number of entries in the objectAddresses array.
// Returns:
//   Success: TRUE; *objectAddresses and *objectCount are set.
//   Failure: FALSE; *objectAddresses is set to NULL and *objectCount is set to 0.
BOOL LeakProcessObjectAddresses(HANDLE processId, PVOID** objectAddresses, size_t* objectCount);
// Function: LeakCurrentUserTokenAddress
// Description: Leaks the kernel address of the logon token object of the current process.
// Parameters:
//   tokenAddress - Receives the kernel address of the token object.
// Returns:
//   Success: TRUE; *tokenAddress is set.
//   Failure: FALSE; *tokenAddress is set to NULL.
BOOL LeakCurrentUserTokenAddress(PVOID* tokenAddress);
// Function: LeakAddressOfObjectByHandleInProcess
// Description: Leaks the kernel address of a kernel object that the current process has a HANDLE to.
//              The description covers any kernel object; the output parameter's name is historical
//              and does not restrict the function to tokens.
// Parameters:
//   hHandle      - Handle, valid in the current process, to the object whose address is wanted.
//   tokenAddress - Receives the kernel address of the object referenced by hHandle (not necessarily
//                  a token, despite the name).
// Returns:
//   Success: TRUE; *tokenAddress is set.
//   Failure: FALSE; *tokenAddress is set to NULL.
BOOL LeakAddressOfObjectByHandleInProcess(HANDLE hHandle, PVOID* tokenAddress);
// Function: GetProcessIdByName
// Description: Looks up a Process ID corresponding to processName.
//              If several processes share that name, it is undefined which ID is returned.
// Parameters:
//   processName - The process name to retrieve an ID for. Whether the comparison is case-sensitive
//                 is not specified here -- check the implementation before relying on it.
//   processId   - Pointer to a DWORD that the function fills with the retrieved Process ID.
// Returns:
//   Success: TRUE; *processId is set.
//   Failure: FALSE; the contents of *processId are unspecified (nothing here promises it is
//            cleared), so callers must not use it on failure.
BOOL GetProcessIdByName(LPCWSTR processName, DWORD* processId);
//
// Windows structures
//
// One entry of the handle table returned for SystemExtendedHandleInformation. This mirrors an
// undocumented kernel layout: field order, types and widths must match the OS exactly, so do not
// reorder, resize or "tidy" the members.
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX {
    PVOID Object;                 // Kernel-mode address of the object behind the handle -- the value the Leak* functions return.
    HANDLE UniqueProcessId;       // PID of the process that owns the handle (carried as a HANDLE, hence the HANDLE processId parameter above).
    HANDLE HandleValue;           // The handle value as seen inside that process.
    ACCESS_MASK GrantedAccess;    // Access rights granted on the handle.
    USHORT CreatorBackTraceIndex;
    USHORT ObjectTypeIndex;       // Object-type index; these indices differ between Windows versions, so never hard-code a type number.
    ULONG HandleAttributes;
    ULONG Reserved;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO_EX;
// Header of the buffer filled for SystemExtendedHandleInformation. Handles[1] follows the Windows
// SDK convention for a variable-length trailing array: the buffer is sized at run time and holds
// NumberOfHandles entries, so sizeof(SYSTEM_HANDLE_INFORMATION_EX) is NOT the size of the data.
// Iterate up to NumberOfHandles and additionally bound the loop by the byte length actually
// returned; a buffer that is too small typically comes back with STATUS_INFO_LENGTH_MISMATCH and
// has to be re-queried with a larger allocation.
typedef struct _SYSTEM_HANDLE_INFORMATION_EX
{
    ULONG_PTR NumberOfHandles;    // Number of valid entries in Handles.
    ULONG_PTR Reserved;
    SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX Handles[1];   // First of NumberOfHandles entries (variable length).
} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
// SYSTEM_INFORMATION_CLASS value 64 (0x40) = SystemExtendedHandleInformation. It is not part of the
// public winternl.h enumeration, hence the cast from the raw number. Being static const in a
// header, every translation unit that includes this file gets its own copy.
static const SYSTEM_INFORMATION_CLASS SystemExtendedHandleInformation = static_cast<SYSTEM_INFORMATION_CLASS>(64);
// Function-pointer type matching ntdll's NtQuerySystemInformation(SystemInformationClass,
// SystemInformation, SystemInformationLength, ReturnLength), for calling the export through a
// pointer resolved at run time (presumably via GetProcAddress in the implementation -- confirm).
// Callers must check the returned NTSTATUS (see STATUS_INFO_LENGTH_MISMATCH above) and use
// ReturnLength to bound any walk over the returned buffer.
typedef NTSTATUS(WINAPI *tNtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS, PVOID, ULONG, PULONG);