author | Matt Graeber <mattgraeber@gmail.com> | 2013-05-16 20:21:04 -0400 |
---|---|---|
committer | Matt Graeber <mattgraeber@gmail.com> | 2013-05-16 20:21:04 -0400 |
commit | c98734a764f790e56a5acbd46d37c7e53e9aa24e (patch) | |
tree | 1552cba93caa2c06ef8dbdd4e657a542c337bd70 | |
parent | af04f7e52838f88069eaaad12b831a4af4a28091 (diff) | |
download | PowerSploit-c98734a764f790e56a5acbd46d37c7e53e9aa24e.tar.gz PowerSploit-c98734a764f790e56a5acbd46d37c7e53e9aa24e.zip |
Added _SYSTEM_LOCK_INFORMATION struct
Yet another method of leaking kernel pointers.
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.format.ps1xml | 64 | ||||
-rw-r--r-- | ReverseEngineering/Get-NtSystemInformation.ps1 | 56 |
2 files changed, 119 insertions, 1 deletions
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
index 5719d67..5b7d700 100644
--- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
+++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml
@@ -73,6 +73,70 @@
 </TableControl>
 </View>
 <View>
+ <Name>SystemLockView</Name>
+ <ViewSelectedBy>
+ <TypeName>_SYSTEM_LOCK_INFORMATION</TypeName>
+ </ViewSelectedBy>
+ <TableControl>
+ <TableHeaders>
+ <TableColumnHeader>
+ <Label>Address</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>Type</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ExclusiveOwnerThreadId</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ActiveCount</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>ContentionCount</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>NumberOfSharedWaiters</Label>
+ </TableColumnHeader>
+ <TableColumnHeader>
+ <Label>NumberOfExclusiveWaiters</Label>
+ </TableColumnHeader>
+ </TableHeaders>
+ <TableRowEntries>
+ <TableRowEntry>
+ <TableColumnItems>
+ <TableColumnItem>
+ <ScriptBlock>"0x$($_.Address.ToString("X$([IntPtr]::Size * 2)"))"</ScriptBlock>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>Type</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ExclusiveOwnerThreadId</PropertyName>
+ <FormatString>0x{0:X4}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ActiveCount</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>ContentionCount</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>NumberOfSharedWaiters</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ <TableColumnItem>
+ <PropertyName>NumberOfExclusiveWaiters</PropertyName>
+ <FormatString>0x{0:X8}</FormatString>
+ </TableColumnItem>
+ </TableColumnItems>
+ </TableRowEntry>
+ </TableRowEntries>
+ </TableControl>
+ </View>
+ <View>
 <Name>PoolTagView</Name>
 <ViewSelectedBy>
 <TypeName>_SYSTEM_POOL_TAG_INFORMATION</TypeName>
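Review bot: The ExclusiveOwnerThreadId column is formatted with `0x{0:X4}` although the companion struct definition declares that field as a 32-bit value, so any owner id above 0xFFFF spills past the four-digit width and the table becomes ragged; only Type is a 16-bit field. Use `<FormatString>0x{0:X8}</FormatString>` for that column so it matches the other 32-bit counters in the same row. If the field turns out to hold a pointer-sized value on x64, a ScriptBlock formatted like the Address column (`"X$([IntPtr]::Size * 2)"`) would be the better choice.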
diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1
index 2bd9d4a..37412fe 100644
--- a/ReverseEngineering/Get-NtSystemInformation.ps1
+++ b/ReverseEngineering/Get-NtSystemInformation.ps1
@@ -116,6 +116,10 @@
 [Switch]
 $ObjectInformation,
 
+ [Parameter( ParameterSetName = 'LockInformation' )]
+ [Switch]
+ $LockInformation,
+
 [Parameter( ParameterSetName = 'GlobalFlags' )]
 [Switch]
 $GlobalFlags
@@ -171,7 +175,7 @@
 #$EnumBuilder.DefineLiteral('SystemProcessorPerformanceInformation', [Int32] 0x00000008) | Out-Null
 $EnumBuilder.DefineLiteral('SystemGlobalFlag', [Int32] 0x00000009) | Out-Null
 $EnumBuilder.DefineLiteral('SystemModuleInformation', [Int32] 0x0000000B) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemLockInformation', [Int32] 0x0000000C) | Out-Null
+ $EnumBuilder.DefineLiteral('SystemLockInformation', [Int32] 0x0000000C) | Out-Null
 $EnumBuilder.DefineLiteral('SystemHandleInformation', [Int32] 0x00000010) | Out-Null
 $EnumBuilder.DefineLiteral('SystemObjectInformation', [Int32] 0x00000011) | Out-Null
 #$EnumBuilder.DefineLiteral('SystemPagefileInformation', [Int32] 0x00000012) | Out-Null
@@ -320,6 +324,7 @@
 $Size_SYSTEM_HANDLE_INFORMATION = 24
 $Size_SYSTEM_OBJECTTYPE_INFORMATION = 64
 $Size_SYSTEM_OBJECT_INFORMATION = 80
+ $Size_SYSTEM_LOCK_INFORMATION = 40
 }
 else
 {
@@ -328,6 +333,7 @@
 $Size_SYSTEM_HANDLE_INFORMATION = 16
 $Size_SYSTEM_OBJECTTYPE_INFORMATION = 56
 $Size_SYSTEM_OBJECT_INFORMATION = 48
+ $Size_SYSTEM_LOCK_INFORMATION = 36
 }
 
 try { $UnicodeStringClass = [_UNICODE_STRING] } catch [Management.Automation.RuntimeException]
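Review bot: `$Size_SYSTEM_LOCK_INFORMATION = 40` in the 64-bit branch is smaller than the structure this same commit emits for x64: its explicit layout places NumberOfExclusiveWaiters at offset 44 (so the record ends at 48), and the new LockInformation case passes `X64Size = 48`. A declared type size below the last field offset is inconsistent at best, and if Get-Struct (not in this diff) advances through the returned array by the emitted type's size rather than by X64Size, every entry after the first is read at the wrong stride and yields garbage. Change the line to `$Size_SYSTEM_LOCK_INFORMATION = 48`; the x86 value of 36 already agrees with its layout. The if/else that holds these assignments starts outside the hunk.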
@@ -426,6 +432,41 @@
 $ModuleInfoClass = $TypeBuilder.CreateType()
 }
 
+ try { $LockInfoClass = [_SYSTEM_LOCK_INFORMATION] } catch [Management.Automation.RuntimeException]
+ {
+ $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_LOCK_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_LOCK_INFORMATION)
+ $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
+
+ if ([IntPtr]::Size -eq 8)
+ {
+ $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0))))
+ $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8))))
+ $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(10))))
+ $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16))))
+ $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24))))
+ $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28))))
+ $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32))))
+ $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(36))))
+ $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(40))))
+ $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32],
'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(44))))
+ }
+ else
+ {
+ $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0))))
+ $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(4))))
+ $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(6))))
+ $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8))))
+ $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(12))))
+ $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16))))
+ $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(20))))
+ $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24))))
+ $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28))))
+ $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32))))
+ }
+
+ $LockInfoClass = $TypeBuilder.CreateType()
+ }
+
 try { $PoolTagInfoClass = [_SYSTEM_POOL_TAG_INFORMATION] } catch [Management.Automation.RuntimeException]
 {
 $TypeBuilder =
$ModuleBuilder.DefineType('_SYSTEM_POOL_TAG_INFORMATION', $StructAttributes, [ValueType], 4, $Size_SYSTEM_POOL_TAG_INFORMATION)
@@ -743,6 +784,19 @@
 [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
 }
 
+ 'LockInformation' {
+ $Arguments = @{
+ InformationClass = $SystemInformationClass::SystemLockInformation
+ StructType = $LockInfoClass
+ X86Size = 36
+ X64Size = 48
+ OffsetMultiplier = 1
+ ErrorText = 'system lock'
+ }
+
+ Get-Struct @Arguments
+ }
+
 'GlobalFlags' {
 $TotalLength = 0
 $ReturnedLength = 0 |
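Review bot: In the 64-bit layout, `ExclusiveOwnerThreadId` is declared as a UInt32 at offset 16, yet the next field (ActiveCount) sits at offset 24, so the native slot is 8 bytes wide; the public RTL_PROCESS_LOCK_INFORMATION declaration names it `HANDLE OwningThread`, and as far as I know the kernel fills it with the ERESOURCE owner value, which on x64 is a kernel address rather than a thread id. For a change whose stated purpose is leaking kernel pointers, reading only the low 32 bits throws away the half of the value that matters, so declare the field as `[IntPtr]` in the x64 branch (the x86 branch can use `[IntPtr]` at offset 8 as well, since it is 4 bytes there), and make sure the emitted type size is 48 so offsets up to 44 fit. If that header is the reference, Reserved2/Reserved3 correspond to EntryCount and RecursionCount and could be named as such. The enclosing function starts and ends outside the hunk.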
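Review bot: The new LockInformation case carries no documentation of when it can be expected to return anything, and this diff does not show whether the ErrorText path surfaces an access-denied or empty result clearly. NtQuerySystemInformation info classes that expose kernel addresses are, on hardened Windows builds, restricted or sanitised for callers below high integrity, and whether SystemLockInformation (0x0C) is among them on a given target is not something this script can assume; a short note on the `'LockInformation' {` line such as `# NOTE: may return nothing or sanitised addresses to unprivileged callers on newer Windows — confirm per target` would save users a confusing empty table. The `X86Size = 36` / `X64Size = 48` literals also duplicate `$Size_SYSTEM_LOCK_INFORMATION` from earlier in the file; if Get-Struct (outside this diff) can take a single size, passing that variable keeps the two from drifting apart.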