Process (EPROCESS, KPROCESS, PEB, HANDLE...) - (2)
5. Handle
When one of the various Create functions (CreateFile() and so on) is called, a kernel object is created, and a user-mode process needs some way to refer to it. The mechanism used for this is the handle.
A handle is the value that the Object Manager, one of the Windows subsystems, returns when it creates a kernel object. Handles are process-specific values, so each process has to keep track of its own.
All handles associated with a given process can be listed with the !handle extension.
This extension uses the _HANDLE_TABLE pointer stored in the ObjectTable field of the EPROCESS structure.
When using the !handle extension, you pass the address of the EPROCESS structure of the process you want to inspect.
```
3: kd> !process 0 0 notepad.exe
PROCESS ffffbc0c19c33080
    SessionId: 1  Cid: 0318    Peb: c1e88f0000  ParentCid: 1010
    DirBase: 1161d5000  ObjectTable: ffff918d8b13f600  HandleCount: 245.
    Image: notepad.exe

2: kd> !handle 0 f ffffbc0c19c33080
PROCESS ffffbc0c19c33080
    SessionId: 1  Cid: 0318    Peb: c1e88f0000  ParentCid: 1010
    DirBase: 1161d5000  ObjectTable: ffff918d8b13f600  HandleCount: 245.
    Image: notepad.exe

Handle table at ffff918d8b13f600 with 245 entries in use

0004: Object: ffffbc0c1a170360  GrantedAccess: 001f0003 (Protected) (Inherit) Entry: ffff918d8b1ff010
Object: ffffbc0c1a170360  Type: (ffffbc0c15a9c380) Event
    ObjectHeader: ffffbc0c1a170330 (new version)
        HandleCount: 1  PointerCount: 32768

0008: Object: ffffbc0c1a170560  GrantedAccess: 001f0003 (Protected) (Inherit) Entry: ffff918d8b1ff020
Object: ffffbc0c1a170560  Type: (ffffbc0c15a9c380) Event
    ObjectHeader: ffffbc0c1a170530 (new version)
        HandleCount: 1  PointerCount: 32769

...
...
...

03e4: free handle, Entry address ffff918d8b1fff90, Next Entry 0000000000000000

03e8: Object: ffffbc0c16c476c0  GrantedAccess: 001f0001 (Protected) Entry: ffff918d8b1fffa0
Object: ffffbc0c16c476c0  Type: (ffffbc0c15af3560) ALPC Port
    ObjectHeader: ffffbc0c16c47690 (new version)
        HandleCount: 1  PointerCount: 32768

03ec: free handle, Entry address ffff918d8b1fffb0, Next Entry 0000000000000000
03f0: free handle, Entry address ffff918d8b1fffc0, Next Entry ffff918d8b1fffb0
03f4: free handle, Entry address ffff918d8b1fffd0, Next Entry ffff918d8b1fffe0
03f8: free handle, Entry address ffff918d8b1fffe0, Next Entry ffff918d8b1ffff0
03fc: free handle, Entry address ffff918d8b1ffff0, Next Entry 0000000000000000
```
A process may have many handles, and an individual handle can also be looked up on its own by its handle value.
The example below looks up the handle with value 0x0004 from the listing above.
```
2: kd> !handle 4 f ffffbc0c19c33080
PROCESS ffffbc0c19c33080
    SessionId: 1  Cid: 0318    Peb: c1e88f0000  ParentCid: 1010
    DirBase: 1161d5000  ObjectTable: ffff918d8b13f600  HandleCount: 245.
    Image: notepad.exe

Handle table at ffff918d8b13f600 with 245 entries in use

0004: Object: ffffbc0c1a170360  GrantedAccess: 001f0003 (Protected) (Inherit) Entry: ffff918d8b1ff010
Object: ffffbc0c1a170360  Type: (ffffbc0c15a9c380) Event
    ObjectHeader: ffffbc0c1a170330 (new version)
        HandleCount: 1  PointerCount: 32768
```
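As an added example (not code from the original post), the Python below parses the !handle output above into structured entries, decodes each GrantedAccess mask into named rights, and cross-checks that the ObjectHeader address printed by !handle is always the object address minus 0x30, the offset of _OBJECT_HEADER.Body on x64. The sample input is an excerpt of the page's own dump; the right-name tables are the winnt.h / ntlpcapi.h values for the two object types that appear in it (Event and ALPC Port), and any other type would need its own table.

```python
import re
from dataclasses import dataclass

# Excerpt of the "!handle 0 f" output shown above (copied from this page, trimmed).
HANDLE_DUMP = """\
Handle table at ffff918d8b13f600 with 245 entries in use

0004: Object: ffffbc0c1a170360  GrantedAccess: 001f0003 (Protected) (Inherit) Entry: ffff918d8b1ff010
Object: ffffbc0c1a170360  Type: (ffffbc0c15a9c380) Event
    ObjectHeader: ffffbc0c1a170330 (new version)
        HandleCount: 1  PointerCount: 32768

03e4: free handle, Entry address ffff918d8b1fff90, Next Entry 0000000000000000

03e8: Object: ffffbc0c16c476c0  GrantedAccess: 001f0001 (Protected) Entry: ffff918d8b1fffa0
Object: ffffbc0c16c476c0  Type: (ffffbc0c15af3560) ALPC Port
    ObjectHeader: ffffbc0c16c47690 (new version)
        HandleCount: 1  PointerCount: 32768
"""

# Standard rights shared by every object type (winnt.h).
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# Type-specific rights for the two object types present in the excerpt.
TYPE_SPECIFIC = {
    "Event": {0x0001: "EVENT_QUERY_STATE", 0x0002: "EVENT_MODIFY_STATE"},
    "ALPC Port": {0x0001: "PORT_CONNECT"},
}
# On x64 the object body starts at _OBJECT_HEADER + 0x30 (dt nt!_OBJECT_HEADER shows Body at +0x030).
BODY_OFFSET = 0x30


@dataclass
class HandleEntry:
    handle: int
    obj: int
    access: int
    flags: tuple
    entry: int
    type_addr: int
    type_name: str
    header: int
    handle_count: int
    pointer_count: int

    def header_matches(self):
        """Cross-check: the ObjectHeader printed by !handle must equal Object - 0x30."""
        return self.obj - BODY_OFFSET == self.header


ENTRY_RE = re.compile(r"^([0-9a-f]{4}): Object: ([0-9a-f]+)\s+GrantedAccess: ([0-9a-f]+)"
                      r"((?: \(\w+\))*) Entry: ([0-9a-f]+)$")
TYPE_RE = re.compile(r"^Object: ([0-9a-f]+)\s+Type: \(([0-9a-f]+)\) (.+?)\s*$")
HEADER_RE = re.compile(r"^\s*ObjectHeader: ([0-9a-f]+)")
COUNT_RE = re.compile(r"^\s*HandleCount: (\d+)\s+PointerCount: (\d+)")
FREE_RE = re.compile(r"^[0-9a-f]{4}: free handle")


def parse_handle_dump(text):
    """Return (list of HandleEntry, number of free slots) parsed from !handle output."""
    entries, free, cur = [], 0, None
    for line in text.splitlines():
        if FREE_RE.match(line):
            free += 1
            continue
        m = ENTRY_RE.match(line)
        if m:  # first line of an in-use entry: handle value, object, access mask, flags
            cur = {"handle": int(m[1], 16), "obj": int(m[2], 16), "access": int(m[3], 16),
                   "flags": tuple(re.findall(r"\((\w+)\)", m[4])), "entry": int(m[5], 16)}
            continue
        if cur is None:
            continue
        m = TYPE_RE.match(line)
        if m:
            cur.update(type_addr=int(m[2], 16), type_name=m[3])
            continue
        m = HEADER_RE.match(line)
        if m:
            cur["header"] = int(m[1], 16)
            continue
        m = COUNT_RE.match(line)
        if m:  # last line of the entry: finalize it
            entries.append(HandleEntry(**cur, handle_count=int(m[1]), pointer_count=int(m[2])))
            cur = None
    return entries, free


def decode_access(mask, type_name):
    """Translate a GrantedAccess mask into right names; unknown bits are reported, not dropped."""
    table = dict(STANDARD_RIGHTS)
    table.update(TYPE_SPECIFIC.get(type_name, {}))
    known = 0
    for bit in table:
        known |= bit
    names = [name for bit, name in table.items() if mask & bit]
    leftover = mask & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:08x})")
    return names


if __name__ == "__main__":
    entries, free = parse_handle_dump(HANDLE_DUMP)
    for e in entries:
        rights = " | ".join(decode_access(e.access, e.type_name))
        print(f"{e.handle:04x} {e.type_name:<10} {rights}  flags={e.flags}  header_ok={e.header_matches()}")
    print(f"{free} free slot(s) in excerpt")
```

GrantedAccess is the access that was granted when the handle was opened, not what the caller may want now; 0x001f0003 on an Event is all five standard rights plus both event-specific bits, i.e. EVENT_ALL_ACCESS. The (Protected) flag means the handle cannot be closed until the protect-from-close flag is cleared, and (Inherit) means a child process created with handle inheritance gets a copy of it, which is why an inheritable handle to a sensitive object is worth a second look when reviewing a process.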
6. Object
As mentioned earlier, calling a function such as CreateFile() creates an object in the kernel.
These kernel objects are created, deleted, and modified by the Object Manager, a Windows subsystem, and the Object Manager organizes objects in a hierarchical namespace.
To list all objects, use the !object extension with "\", which denotes the root of the namespace.
```
2: kd> !object \
Object: ffff918d85608060  Type: (ffffbc0c15a73640) Directory
    ObjectHeader: ffff918d85608030 (new version)
    HandleCount: 0  PointerCount: 57
    Directory Object: 00000000  Name: \

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     01  ffffbc0c1686ff90 Mutant                    PendingRenameMutex
         ffff918d85607ba0 Directory                 ObjectTypes
     02  ffffbc0c190fb160 FilterConnectionPort      storqosfltport
     03  ffffbc0c163c1550 FilterConnectionPort      MicrosoftMalwareProtectionRemoteIoPortWD
     05  ffff918d8560d060 SymbolicLink              SystemRoot
     06  ffff918d85e32380 Directory                 Sessions
         ffffbc0c163c02c0 FilterConnectionPort      MicrosoftMalwareProtectionVeryLowIoPortWD
    ...
     36  ffffbc0c18e93980 Event                     SAM_SERVICE_STARTED
         ffff918d856adea0 Directory                 Driver
         ffff918d85643de0 Directory                 DriverStores
```
You can also start at the root namespace and walk down the hierarchy one level at a time.
```
2: kd> !object \sessions
Object: ffff918d85e32380  Type: (ffffbc0c15a73640) Directory
    ObjectHeader: ffff918d85e32350 (new version)
    HandleCount: 1  PointerCount: 5
    Directory Object: ffff918d85608060  Name: Sessions

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     11  ffff918d88f26840 Directory                 0
     12  ffff918d88f262a0 Directory                 1
     21  ffff918d88f27ce0 Directory                 BNOLINKS

2: kd> !object \sessions\0
Object: ffff918d88f26840  Type: (ffffbc0c15a73640) Directory
    ObjectHeader: ffff918d88f26810 (new version)
    HandleCount: 1  PointerCount: 32771
    Directory Object: ffff918d85e32380  Name: 0

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     06  ffff918d88f26660 Directory                 AppContainerNamedObjects
     10  ffff918d85e92d00 SymbolicLink              Windows
     16  ffff918d88f26a20 Directory                 DosDevices

2: kd> !object \sessions\0\DosDevices
Object: ffff918d88f26a20  Type: (ffffbc0c15a73640) Directory
    ObjectHeader: ffff918d88f269f0 (new version)
    HandleCount: 1  PointerCount: 8
    Directory Object: ffff918d88f26840  Name: DosDevices

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     04  ffff918d89162560 Directory                 00000000-00008fc6
     05  ffff918d89161de0 Directory                 00000000-000003e4
     06  ffff918d892901a0 Directory                 00000000-000003e5
     22  ffff918d8a1ff190 Directory                 00000000-00064a4a
     27  ffff918d8928f0c0 Directory                 00000000-0000dd41
         ffff918d89161840 Directory                 00000000-00008f79

2: kd> !object \sessions\0\DosDevices\00000000-00008fc6
Object: ffff918d89162560  Type: (ffffbc0c15a73640) Directory
    ObjectHeader: ffff918d89162530 (new version)
    HandleCount: 1  PointerCount: 4
    Directory Object: ffff918d88f26a20  Name: 00000000-00008fc6

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     18  ffff918d890c6f60 SymbolicLink              Global
```
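To show how the hierarchy in these dumps fits together, here is an added example (not code from the original post) that parses a series of !object directory listings, links each directory to its parent through the "Directory Object:" address, rebuilds absolute paths from those links, and resolves a path from the root the way the walk above was done by hand. The input is a trimmed copy of the page's own dumps; the lookup treats names case-insensitively, which is what lets "!object \sessions" find the "Sessions" directory.

```python
import re
from dataclasses import dataclass, field

# Trimmed copies of the !object outputs shown above (from this page); header lines were dropped.
OBJECT_DUMPS = r"""
2: kd> !object \
Object: ffff918d85608060  Type: (ffffbc0c15a73640) Directory
    Directory Object: 00000000  Name: \
     06  ffff918d85e32380 Directory                 Sessions
     36  ffffbc0c18e93980 Event                     SAM_SERVICE_STARTED
         ffff918d856adea0 Directory                 Driver

2: kd> !object \sessions
Object: ffff918d85e32380  Type: (ffffbc0c15a73640) Directory
    Directory Object: ffff918d85608060  Name: Sessions
     11  ffff918d88f26840 Directory                 0
     12  ffff918d88f262a0 Directory                 1
     21  ffff918d88f27ce0 Directory                 BNOLINKS

2: kd> !object \sessions\0
Object: ffff918d88f26840  Type: (ffffbc0c15a73640) Directory
    Directory Object: ffff918d85e32380  Name: 0
     06  ffff918d88f26660 Directory                 AppContainerNamedObjects
     10  ffff918d85e92d00 SymbolicLink              Windows
     16  ffff918d88f26a20 Directory                 DosDevices

2: kd> !object \sessions\0\DosDevices
Object: ffff918d88f26a20  Type: (ffffbc0c15a73640) Directory
    Directory Object: ffff918d88f26840  Name: DosDevices
     04  ffff918d89162560 Directory                 00000000-00008fc6
     05  ffff918d89161de0 Directory                 00000000-000003e4

2: kd> !object \sessions\0\DosDevices\00000000-00008fc6
Object: ffff918d89162560  Type: (ffffbc0c15a73640) Directory
    Directory Object: ffff918d88f26a20  Name: 00000000-00008fc6
     18  ffff918d890c6f60 SymbolicLink              Global
"""


@dataclass
class ObjDirectory:
    addr: int
    type_name: str
    parent: int = 0          # 0 for the root directory ("Directory Object: 00000000")
    name: str = ""
    children: dict = field(default_factory=dict)   # lower-cased name -> (addr, type name)


OBJ_RE = re.compile(r"^Object: ([0-9a-f]+)\s+Type: \([0-9a-f]+\) (.+?)\s*$")
DIR_RE = re.compile(r"^\s*Directory Object: ([0-9a-f]+)\s+Name: (\S+)")
ROW_RE = re.compile(r"^\s*(?:\d+\s+)?([0-9a-f]{16})\s+(\S+)\s+(\S+)\s*$")   # [hash] addr type name


def parse_object_dumps(text):
    """Return {directory address: ObjDirectory} for every directory dumped in the text."""
    dirs, cur = {}, None
    for line in text.splitlines():
        m = OBJ_RE.match(line)
        if m:
            cur = ObjDirectory(int(m[1], 16), m[2])
            dirs[cur.addr] = cur
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur.parent, cur.name = int(m[1], 16), m[2]
            continue
        m = ROW_RE.match(line)
        if m:
            cur.children[m[3].lower()] = (int(m[1], 16), m[2])
    return dirs


def full_path(addr, dirs):
    """Rebuild the absolute namespace path by following the parent pointers up to the root."""
    parts, node = [], dirs[addr]
    while node.parent != 0:
        parts.append(node.name)
        node = dirs[node.parent]      # KeyError if the parent directory was never dumped
    return "\\" + "\\".join(reversed(parts))


def resolve(path, dirs):
    """Walk a path from the root using the listings, returning (address, type name)."""
    root = next(d for d in dirs.values() if d.parent == 0)
    addr, kind = root.addr, root.type_name
    for part in [p for p in path.split("\\") if p]:
        if kind != "Directory":
            raise ValueError(f"cannot descend into {kind} object {addr:016x}")
        listing = dirs.get(addr)
        if listing is None:
            raise LookupError(f"directory {addr:016x} was not dumped with !object")
        if part.lower() not in listing.children:
            raise LookupError(f"{part} not found in {full_path(addr, dirs)}")
        addr, kind = listing.children[part.lower()]
    return addr, kind


if __name__ == "__main__":
    dirs = parse_object_dumps(OBJECT_DUMPS)
    for d in dirs.values():
        print(f"{d.addr:016x} {full_path(d.addr, dirs)}  ({len(d.children)} entries)")
    print(resolve(r"\Sessions\0\DosDevices\00000000-00008fc6\Global", dirs))
```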
The namespace managed by the Object Manager can also be browsed with a UI using Microsoft's WinObj tool.
As mentioned, every handle is associated with an object. An object consists of an Object Header and an Object Type.
Using the !handle result shown below, you can inspect the Object Header and the Object Type.
Note that the Object Header is found by subtracting 0x30 from the object address.
```
0004: Object: ffffbc0c1a170360  GrantedAccess: 001f0003 (Protected) (Inherit) Entry: ffff918d8b1ff010
Object: ffffbc0c1a170360  Type: (ffffbc0c15a9c380) Event
    ObjectHeader: ffffbc0c1a170330 (new version)
        HandleCount: 1  PointerCount: 32768

2: kd> !object ffffbc0c1a170360
Object: ffffbc0c1a170360  Type: (ffffbc0c15a9c380) Event
    ObjectHeader: ffffbc0c1a170330 (new version)
    HandleCount: 1  PointerCount: 32768

2: kd> dt nt!_OBJECT_HEADER ffffbc0c1a170330
   +0x000 PointerCount     : 0n32768
   +0x008 HandleCount      : 0n1
   +0x008 NextToFree       : 0x00000000`00000001 Void
   +0x010 Lock             : _EX_PUSH_LOCK
   +0x018 TypeIndex        : 0x16 ''
   +0x019 TraceFlags       : 0 ''
   +0x019 DbgRefTrace      : 0y0
   +0x019 DbgTracePermanent : 0y0
   +0x01a InfoMask         : 0x8 ''
   +0x01b Flags            : 0 ''
   +0x01b NewObject        : 0y0
   +0x01b KernelObject     : 0y0
   +0x01b KernelOnlyAccess : 0y0
   +0x01b ExclusiveObject  : 0y0
   +0x01b PermanentObject  : 0y0
   +0x01b DefaultSecurityQuota : 0y0
   +0x01b SingleHandleEntry : 0y0
   +0x01b DeletedInline    : 0y0
   +0x01c Reserved         : 0
   +0x020 ObjectCreateInfo : 0xffffbc0c`16b2ccc0 _OBJECT_CREATE_INFORMATION
   +0x020 QuotaBlockCharged : 0xffffbc0c`16b2ccc0 Void
   +0x028 SecurityDescriptor : (null)
   +0x030 Body             : _QUAD

2: kd> dt nt!_OBJECT_TYPE ffffbc0c15a9c380
   +0x000 TypeList         : _LIST_ENTRY [ 0xffffbc0c`15a9c380 - 0xffffbc0c`15a9c380 ]
   +0x010 Name             : _UNICODE_STRING "Event"
   +0x020 DefaultObject    : (null)
   +0x028 Index            : 0x10 ''
   +0x02c TotalNumberOfObjects : 0x1ba1
   +0x030 TotalNumberOfHandles : 0x1d54
   +0x034 HighWaterNumberOfObjects : 0x1ca8
   +0x038 HighWaterNumberOfHandles : 0x1e7d
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b8 TypeLock         : _EX_PUSH_LOCK
   +0x0c0 Key              : 0x6e657645
   +0x0c8 CallbackList     : _LIST_ENTRY [ 0xffffbc0c`15a9c448 - 0xffffbc0c`15a9c448 ]
```
7. Token
Finally, let's look at the Token, which is the security-related structure.
When you inspect the EPROCESS structure with the !process extension, you see a field called Token, as in the output below.
```
2: kd> !process 0 5 notepad.exe
PROCESS ffffbc0c19c33080
    SessionId: 1  Cid: 0318    Peb: c1e88f0000  ParentCid: 1010
    DirBase: 1161d5000  ObjectTable: ffff918d8b13f600  HandleCount: 245.
    Image: notepad.exe
    VadRoot ffffbc0c1a056140 Vads 101 Clone 0 Private 586. Modified 4. Locked 0.
    DeviceMap ffff918d8a6b9470
    Token                             ffff918d8b54a060
    ElapsedTime                       00:16:59.642
    UserTime                          00:00:00.015
    KernelTime                        00:00:00.015
    QuotaPoolUsage[PagedPool]         262504
    QuotaPoolUsage[NonPagedPool]      14256
    Working Set Sizes (now,min,max)  (3872, 50, 345) (15488KB, 200KB, 1380KB)
    PeakWorkingSetSize                3784
    VirtualSize                       2101419 Mb
    PeakVirtualSize                   2101423 Mb
    PageFaultCount                    3930
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      722

        THREAD ffffbc0c1a1a5080  Cid 0318.0354  Teb: 000000c1e88f1000 Win32Thread: ffffbc0c1a0813a0 WAIT
        THREAD ffffbc0c1a165080  Cid 0318.12cc  Teb: 000000c1e88f9000 Win32Thread: 0000000000000000 WAIT
        THREAD ffffbc0c1a19d080  Cid 0318.0d58  Teb: 000000c1e88fb000 Win32Thread: 0000000000000000 WAIT
        THREAD ffffbc0c1a19c080  Cid 0318.0cd4  Teb: 000000c1e88fd000 Win32Thread: 0000000000000000 WAIT
```
The token structure can be examined with the !token extension.
Naturally, it can also be dumped directly as a _TOKEN structure.
```
2: kd> !token ffff918d8b54a060
_TOKEN 0xffff918d8b54a060
TS Session ID: 0x1
User: S-1-5-21-965212738-2267896331-1051282314-500
User Groups:
 00 S-1-5-21-965212738-2267896331-1051282314-513
    Attributes - Mandatory Default Enabled
 01 S-1-1-0
    Attributes - Mandatory Default Enabled
 02 S-1-5-114
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544
    Attributes - Mandatory Default Enabled Owner
 04 S-1-5-32-545
    Attributes - Mandatory Default Enabled
 05 S-1-5-4
    Attributes - Mandatory Default Enabled
 06 S-1-2-1
    Attributes - Mandatory Default Enabled
 07 S-1-5-11
    Attributes - Mandatory Default Enabled
 08 S-1-5-15
    Attributes - Mandatory Default Enabled
 09 S-1-5-113
    Attributes - Mandatory Default Enabled
 10 S-1-5-5-0-412130
    Attributes - Mandatory Default Enabled LogonId
 11 S-1-2-0
    Attributes - Mandatory Default Enabled
 12 S-1-5-64-10
    Attributes - Mandatory Default Enabled
 13 S-1-16-12288
    Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-965212738-2267896331-1051282314-513
Privs:
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 08 0x000000008 SeSecurityPrivilege               Attributes -
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 10 0x00000000a SeLoadDriverPrivilege             Attributes -
 11 0x00000000b SeSystemProfilePrivilege          Attributes -
 12 0x00000000c SeSystemtimePrivilege             Attributes -
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 15 0x00000000f SeCreatePagefilePrivilege         Attributes -
 17 0x000000011 SeBackupPrivilege                 Attributes -
 18 0x000000012 SeRestorePrivilege                Attributes -
 19 0x000000013 SeShutdownPrivilege               Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes -
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 24 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 25 0x000000019 SeUndockPrivilege                 Attributes -
 28 0x00000001c SeManageVolumePrivilege           Attributes -
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 34 0x000000022 SeTimeZonePrivilege               Attributes -
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -
 36 0x000000024 SeDelegateSessionUserImpersonatePrivilege Attributes -
Authentication ID:         (0,64a4a)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2000 ( Token in use )
Token ID: 82af5            ParentToken ID: 0
Modified ID:               (0, 7ed7c)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token
TrustLevelSid: (null)

2: kd> dt _TOKEN 0xffff918d8b54a060
nt!_TOKEN
   +0x000 TokenSource      : _TOKEN_SOURCE
   +0x010 TokenId          : _LUID
   +0x018 AuthenticationId : _LUID
   +0x020 ParentTokenId    : _LUID
   +0x028 ExpirationTime   : _LARGE_INTEGER 0x7fffffff`ffffffff
   +0x030 TokenLock        : 0xffffbc0c`1a170d90 _ERESOURCE
   +0x038 ModifiedId       : _LUID
   +0x040 Privileges       : _SEP_TOKEN_PRIVILEGES
   +0x058 AuditPolicy      : _SEP_AUDIT_POLICY
   +0x078 SessionId        : 1
   +0x07c UserAndGroupCount : 0xf
   +0x080 RestrictedSidCount : 0
   +0x084 VariableLength   : 0x1dc
   +0x088 DynamicCharged   : 0x1000
   +0x08c DynamicAvailable : 0
   +0x090 DefaultOwnerIndex : 4
   +0x098 UserAndGroups    : 0xffff918d`8b54a4f0 _SID_AND_ATTRIBUTES
   +0x0a0 RestrictedSids   : (null)
   +0x0a8 PrimaryGroup     : 0xffff918d`8ac2de10 Void
   +0x0b0 DynamicPart      : 0xffff918d`8ac2de10  -> 0x501
   +0x0b8 DefaultDacl      : 0xffff918d`8ac2de2c _ACL
   +0x0c0 TokenType        : 1 ( TokenPrimary )
   +0x0c4 ImpersonationLevel : 0 ( SecurityAnonymous )
   +0x0c8 TokenFlags       : 0x2000
   +0x0cc TokenInUse       : 0x1 ''
   +0x0d0 IntegrityLevelIndex : 0xe
   +0x0d4 MandatoryPolicy  : 3
   +0x0d8 LogonSession     : 0xffff918d`8a0567b0 _SEP_LOGON_SESSION_REFERENCES
   +0x0e0 OriginatingLogonSession : _LUID
   +0x0e8 SidHash          : _SID_AND_ATTRIBUTES_HASH
   +0x1f8 RestrictedSidHash : _SID_AND_ATTRIBUTES_HASH
   +0x308 pSecurityAttributes : 0xffff918d`8ad91710 _AUTHZBASEP_SECURITY_ATTRIBUTES_INFORMATION
   +0x310 Package          : (null)
   +0x318 Capabilities     : (null)
   +0x320 CapabilityCount  : 0
   +0x328 CapabilitiesHash : _SID_AND_ATTRIBUTES_HASH
   +0x438 LowboxNumberEntry : (null)
   +0x440 LowboxHandlesEntry : (null)
   +0x448 pClaimAttributes : (null)
   +0x450 TrustLevelSid    : (null)
   +0x458 TrustLinkedToken : (null)
   +0x460 IntegrityLevelSidValue : (null)
   +0x468 TokenSidValues   : (null)
   +0x470 IndexEntry       : 0xffff918d`8aa24950 _SEP_LUID_TO_INDEX_MAP_ENTRY
   +0x478 DiagnosticInfo   : (null)
   +0x480 BnoIsolationHandlesEntry : (null)
   +0x488 SessionObject    : 0xffffbc0c`167264f0 Void
   +0x490 VariablePart     : 0xffff918d`8b54a5e0
```
Adding the -n option to the !token extension shows the user or group name that each listed SID maps to.
```
2: kd> !token ffff918d8b54a060 -n
_TOKEN 0xffff918d8b54a060
TS Session ID: 0x1
User: S-1-5-21-965212738-2267896331-1051282314-500 (no name mapped)
User Groups:
 00 S-1-5-21-965212738-2267896331-1051282314-513 (no name mapped)
    Attributes - Mandatory Default Enabled
 01 S-1-1-0 (Well Known Group: localhost\Everyone)
    Attributes - Mandatory Default Enabled
 02 S-1-5-114 (Well Known Group: NT AUTHORITY\Local account and member of Administrators group)
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - Mandatory Default Enabled Owner
 04 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled
 05 S-1-5-4 (Well Known Group: NT AUTHORITY\INTERACTIVE)
    Attributes - Mandatory Default Enabled
 06 S-1-2-1 (Well Known Group: localhost\CONSOLE LOGON)
    Attributes - Mandatory Default Enabled
 07 S-1-5-11 (Well Known Group: NT AUTHORITY\Authenticated Users)
    Attributes - Mandatory Default Enabled
 08 S-1-5-15 (Well Known Group: NT AUTHORITY\This Organization)
    Attributes - Mandatory Default Enabled
 09 S-1-5-113 (Well Known Group: NT AUTHORITY\Local account)
    Attributes - Mandatory Default Enabled
 10 S-1-5-5-0-412130 Unrecognized SID
    Attributes - Mandatory Default Enabled LogonId
 11 S-1-2-0 (Well Known Group: localhost\LOCAL)
    Attributes - Mandatory Default Enabled
 12 S-1-5-64-10 (Well Known Group: NT AUTHORITY\NTLM Authentication)
    Attributes - Mandatory Default Enabled
 13 S-1-16-12288 (Label: Mandatory Label\High Mandatory Level)
    Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-965212738-2267896331-1051282314-513 (no name mapped)
Privs:
 05 0x000000005 SeIncreaseQuotaPrivilege          Attributes -
 08 0x000000008 SeSecurityPrivilege               Attributes -
 09 0x000000009 SeTakeOwnershipPrivilege          Attributes -
 10 0x00000000a SeLoadDriverPrivilege             Attributes -
 11 0x00000000b SeSystemProfilePrivilege          Attributes -
 12 0x00000000c SeSystemtimePrivilege             Attributes -
 13 0x00000000d SeProfileSingleProcessPrivilege   Attributes -
 14 0x00000000e SeIncreaseBasePriorityPrivilege   Attributes -
 15 0x00000000f SeCreatePagefilePrivilege         Attributes -
 17 0x000000011 SeBackupPrivilege                 Attributes -
 18 0x000000012 SeRestorePrivilege                Attributes -
 19 0x000000013 SeShutdownPrivilege               Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes -
 22 0x000000016 SeSystemEnvironmentPrivilege      Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 24 0x000000018 SeRemoteShutdownPrivilege         Attributes -
 25 0x000000019 SeUndockPrivilege                 Attributes -
 28 0x00000001c SeManageVolumePrivilege           Attributes -
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
 33 0x000000021 SeIncreaseWorkingSetPrivilege     Attributes -
 34 0x000000022 SeTimeZonePrivilege               Attributes -
 35 0x000000023 SeCreateSymbolicLinkPrivilege     Attributes -
 36 0x000000024 SeDelegateSessionUserImpersonatePrivilege Attributes -
Authentication ID:         (0,64a4a)
Impersonation Level:       Anonymous
TokenType:                 Primary
Source: User32             TokenFlags: 0x2000 ( Token in use )
Token ID: 82af5            ParentToken ID: 0
Modified ID:               (0, 7ed7c)
RestrictedSidCount: 0      RestrictedSids: 0x0000000000000000
OriginatingLogonSession: 3e7
PackageSid: (null)
CapabilityCount: 0      Capabilities: 0x0000000000000000
LowboxNumberEntry: 0x0000000000000000
Security Attributes:
Unable to get the offset of nt!_AUTHZBASEP_SECURITY_ATTRIBUTE.ListLink
Process Token
TrustLevelSid: (null)
```
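The !token output is what a responder reads to decide how much a process can do, so here is an added example (not code from the original post) that parses the "!token -n" output above into the user SID, group SIDs with their attributes, and privileges with their attributes, then answers the first questions a defender asks of a token: its integrity level (the S-1-16-RID label group), whether BUILTIN\Administrators is an enabled group rather than a UAC-filtered deny-only one, and which sensitive privileges are merely present versus actually enabled. The input is a trimmed copy of the page's dump; the set of "sensitive" privileges and the triage rules are my own choices for the example, not something the post states.

```python
import re
from dataclasses import dataclass, field

# Trimmed copy of the "!token ... -n" output shown above (from this page).
TOKEN_DUMP = r"""
_TOKEN 0xffff918d8b54a060
User: S-1-5-21-965212738-2267896331-1051282314-500 (no name mapped)
User Groups:
 00 S-1-5-21-965212738-2267896331-1051282314-513 (no name mapped)
    Attributes - Mandatory Default Enabled
 03 S-1-5-32-544 (Alias: BUILTIN\Administrators)
    Attributes - Mandatory Default Enabled Owner
 04 S-1-5-32-545 (Alias: BUILTIN\Users)
    Attributes - Mandatory Default Enabled
 10 S-1-5-5-0-412130 Unrecognized SID
    Attributes - Mandatory Default Enabled LogonId
 13 S-1-16-12288 (Label: Mandatory Label\High Mandatory Level)
    Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-965212738-2267896331-1051282314-513 (no name mapped)
Privs:
 10 0x00000000a SeLoadDriverPrivilege             Attributes -
 20 0x000000014 SeDebugPrivilege                  Attributes -
 23 0x000000017 SeChangeNotifyPrivilege           Attributes - Enabled Default
 29 0x00000001d SeImpersonatePrivilege            Attributes - Enabled Default
 30 0x00000001e SeCreateGlobalPrivilege           Attributes - Enabled Default
Authentication ID:         (0,64a4a)
TokenType:                 Primary
"""

USER_RE = re.compile(r"^User:\s+(S-1-[\d-]+)")
GROUP_RE = re.compile(r"^\s*\d+\s+(S-1-[\d-]+)(?:\s+\((.*)\))?")
ATTR_RE = re.compile(r"^\s*Attributes -\s*(.*)$")
PRIV_RE = re.compile(r"^\s*\d+\s+0x[0-9a-f]+\s+(Se\w+)\s+Attributes -\s*(.*)$")

# Integrity level encoded in the RID of the S-1-16-<RID> label SID.
INTEGRITY = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "Medium Plus",
             0x3000: "High", 0x4000: "System", 0x5000: "Protected Process"}
ADMIN_SID = "S-1-5-32-544"
# Privileges worth flagging in triage (chosen for this example).
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeImpersonatePrivilege", "SeLoadDriverPrivilege",
                   "SeBackupPrivilege", "SeRestorePrivilege", "SeTcbPrivilege",
                   "SeTakeOwnershipPrivilege", "SeAssignPrimaryTokenPrivilege", "SeCreateTokenPrivilege"}


@dataclass
class Group:
    sid: str
    name: str
    attrs: tuple = ()


@dataclass
class Token:
    user: str = ""
    groups: list = field(default_factory=list)      # Group objects in listing order
    privileges: dict = field(default_factory=dict)  # privilege name -> attribute tuple


def parse_token(text):
    """Parse the user, group and privilege sections of !token output."""
    tok, section, pending = Token(), None, None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            tok.user = m[1]
            continue
        if line.startswith("User Groups:"):
            section = "groups"
            continue
        if line.startswith("Privs:"):
            section = "privs"
            continue
        if line.startswith(("Primary Group:", "Authentication ID:")):
            section = None
            continue
        if section == "groups":
            m = GROUP_RE.match(line)
            if m:  # SID line; its attributes follow on the next line
                pending = Group(m[1], m[2] or "")
                tok.groups.append(pending)
                continue
            m = ATTR_RE.match(line)
            if m and pending is not None:
                pending.attrs = tuple(m[1].split())
        elif section == "privs":
            m = PRIV_RE.match(line)
            if m:  # an empty attribute list means the privilege is present but disabled
                tok.privileges[m[1]] = tuple(m[2].split())
    return tok


def integrity_level(tok):
    for g in tok.groups:
        if g.sid.startswith("S-1-16-"):
            rid = int(g.sid.rsplit("-", 1)[1])
            return INTEGRITY.get(rid, f"Unknown(0x{rid:x})")
    return None


def enabled_privileges(tok):
    return sorted(name for name, attrs in tok.privileges.items() if "Enabled" in attrs)


def is_full_admin(tok):
    """Administrators is an enabled group; a UAC-filtered token carries it as UseForDenyOnly."""
    return any(g.sid == ADMIN_SID and "Enabled" in g.attrs and "UseForDenyOnly" not in g.attrs
               for g in tok.groups)


def triage(tok):
    """Summarise what to look at first: integrity, admin status, sensitive privileges and state."""
    findings = [f"integrity={integrity_level(tok)}", f"full_admin={is_full_admin(tok)}"]
    for name in sorted(SENSITIVE_PRIVS.intersection(tok.privileges)):
        state = "enabled" if "Enabled" in tok.privileges[name] else "present-but-disabled"
        findings.append(f"{name}:{state}")
    return findings


if __name__ == "__main__":
    tok = parse_token(TOKEN_DUMP)
    print(tok.user)
    for line in triage(tok):
        print(" ", line)
```

Reading the result against the dump above: the user RID is 500 (the built-in Administrator account), the label is High, BUILTIN\Administrators is Enabled and Owner, so this notepad.exe is running elevated rather than under a filtered token, and SeDebugPrivilege is present but disabled while SeImpersonatePrivilege is enabled. "Present but disabled" still matters because a process can enable a privilege it holds; the privilege list tells you what the token is allowed to turn on, and the Enabled flag tells you what is on right now.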
So far we have looked at several process-related structures.
Next, we'll look at thread-related structures in the same way.