From c98734a764f790e56a5acbd46d37c7e53e9aa24e Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Thu, 16 May 2013 20:21:04 -0400 Subject: Added _SYSTEM_LOCK_INFORMATION struct Yet another method of leaking kernel pointers. --- .../Get-NtSystemInformation.format.ps1xml | 64 ++++++++++++++++++++++ ReverseEngineering/Get-NtSystemInformation.ps1 | 56 ++++++++++++++++++- 2 files changed, 119 insertions(+), 1 deletion(-) diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml index 5719d67..5b7d700 100644 --- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml +++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml @@ -72,6 +72,70 @@ + + SystemLockView + + _SYSTEM_LOCK_INFORMATION + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + "0x$($_.Address.ToString("X$([IntPtr]::Size * 2)"))" + + + Type + 0x{0:X4} + + + ExclusiveOwnerThreadId + 0x{0:X4} + + + ActiveCount + 0x{0:X8} + + + ContentionCount + 0x{0:X8} + + + NumberOfSharedWaiters + 0x{0:X8} + + + NumberOfExclusiveWaiters + 0x{0:X8} + + + + + + PoolTagView diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index 2bd9d4a..37412fe 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -116,6 +116,10 @@ [Switch] $ObjectInformation, + [Parameter( ParameterSetName = 'LockInformation' )] + [Switch] + $LockInformation, + [Parameter( ParameterSetName = 'GlobalFlags' )] [Switch] $GlobalFlags 
@@ -171,7 +175,7 @@
 #$EnumBuilder.DefineLiteral('SystemProcessorPerformanceInformation', [Int32] 0x00000008) | Out-Null
 $EnumBuilder.DefineLiteral('SystemGlobalFlag', [Int32] 0x00000009) | Out-Null
 $EnumBuilder.DefineLiteral('SystemModuleInformation', [Int32] 0x0000000B) | Out-Null
- #$EnumBuilder.DefineLiteral('SystemLockInformation', [Int32] 0x0000000C) | Out-Null
+ $EnumBuilder.DefineLiteral('SystemLockInformation', [Int32] 0x0000000C) | Out-Null
 $EnumBuilder.DefineLiteral('SystemHandleInformation', [Int32] 0x00000010) | Out-Null
 $EnumBuilder.DefineLiteral('SystemObjectInformation', [Int32] 0x00000011) | Out-Null
 #$EnumBuilder.DefineLiteral('SystemPagefileInformation', [Int32] 0x00000012) | Out-Null
@@ -320,6 +324,7 @@
 $Size_SYSTEM_HANDLE_INFORMATION = 24
 $Size_SYSTEM_OBJECTTYPE_INFORMATION = 64
 $Size_SYSTEM_OBJECT_INFORMATION = 80
+ $Size_SYSTEM_LOCK_INFORMATION = 40
 }
 else
 {
@@ -328,6 +333,7 @@
 $Size_SYSTEM_HANDLE_INFORMATION = 16
 $Size_SYSTEM_OBJECTTYPE_INFORMATION = 56
 $Size_SYSTEM_OBJECT_INFORMATION = 48
+ $Size_SYSTEM_LOCK_INFORMATION = 36
 }
 try { $UnicodeStringClass = [_UNICODE_STRING] } catch [Management.Automation.RuntimeException]
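Review bot: The 64-bit value `$Size_SYSTEM_LOCK_INFORMATION = 40` added in the `@@ -320` hunk does not cover the 64-bit layout this same commit defines, whose last field `NumberOfExclusiveWaiters` is placed at offset 44 and therefore ends at 48, and the `LockInformation` dispatch case passes `X64Size = 48` for the same structure. The 32-bit value of 36 in the following hunk does agree with its layout (last field at 32, four bytes wide). Change the line to `$Size_SYSTEM_LOCK_INFORMATION = 48` so the declared type size, the explicit field offsets and the size handed to the read helper all agree; how the runtime resolves an explicit `Size` smaller than the field extent is not something I would want the struct decode to depend on. The `if`/`else` that these assignments live in starts and ends outside the hunk.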
@@ -426,6 +432,41 @@
 $ModuleInfoClass = $TypeBuilder.CreateType()
 }
+ try { $LockInfoClass = [_SYSTEM_LOCK_INFORMATION] } catch [Management.Automation.RuntimeException]
+ {
+ $TypeBuilder = $ModuleBuilder.DefineType('_SYSTEM_LOCK_INFORMATION', $StructAttributes, [ValueType], 1, $Size_SYSTEM_LOCK_INFORMATION)
+ $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
+
+ if ([IntPtr]::Size -eq 8)
+ {
+ $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0))))
+ $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8))))
+ $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(10))))
+ $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16))))
+ $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24))))
+ $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28))))
+ $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32))))
+ $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(36))))
+ $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(40))))
+ $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 
'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(44))))
+ }
+ else
+ {
+ $TypeBuilder.DefineField('Address', [IntPtr], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(0))))
+ $TypeBuilder.DefineField('Type', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(4))))
+ $TypeBuilder.DefineField('Reserved1', [UInt16], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(6))))
+ $TypeBuilder.DefineField('ExclusiveOwnerThreadId', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(8))))
+ $TypeBuilder.DefineField('ActiveCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(12))))
+ $TypeBuilder.DefineField('ContentionCount', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(16))))
+ $TypeBuilder.DefineField('Reserved2', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(20))))
+ $TypeBuilder.DefineField('Reserved3', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(24))))
+ $TypeBuilder.DefineField('NumberOfSharedWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(28))))
+ $TypeBuilder.DefineField('NumberOfExclusiveWaiters', [UInt32], 'Public').SetCustomAttribute((New-Object Reflection.Emit.CustomAttributeBuilder($FieldOffsetConstructor, @(32))))
+ }
+
+ $LockInfoClass = $TypeBuilder.CreateType()
+ }
+
 try { $PoolTagInfoClass = [_SYSTEM_POOL_TAG_INFORMATION] } catch [Management.Automation.RuntimeException]
 {
 $TypeBuilder = 
$ModuleBuilder.DefineType('_SYSTEM_POOL_TAG_INFORMATION', $StructAttributes, [ValueType], 4, $Size_SYSTEM_POOL_TAG_INFORMATION)
@@ -743,6 +784,19 @@
 [Runtime.InteropServices.Marshal]::FreeHGlobal($PtrData)
 }
+ 'LockInformation' {
+ $Arguments = @{
+ InformationClass = $SystemInformationClass::SystemLockInformation
+ StructType = $LockInfoClass
+ X86Size = 36
+ X64Size = 48
+ OffsetMultiplier = 1
+ ErrorText = 'system lock'
+ }
+
+ Get-Struct @Arguments
+ }
+
 'GlobalFlags' {
 $TotalLength = 0
 $ReturnedLength = 0
-- cgit v1.2.3
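Review bot: In the 64-bit branch of the new `_SYSTEM_LOCK_INFORMATION` builder, `ExclusiveOwnerThreadId` is declared `[UInt32]` at offset 16 while the next field `ActiveCount` starts at 24, so eight bytes are reserved for it but only the low dword is decoded; that gap reads as a pointer-wide native field being truncated, though I cannot confirm the native definition from the diff. Either widen it to `[IntPtr]` (the ps1xml column for it would then need the same width-aware formatter the `Address` column uses) or record the choice with a comment above that DefineField line such as `# x64: native field is 8 bytes wide here; only the low 32 bits are surfaced`. Neither branch says which total size its offsets assume, so a one-line comment per branch (`# layout assumes 48 bytes on x64` / `# layout assumes 36 bytes on x86`) would let a reader check them against `$Size_SYSTEM_LOCK_INFORMATION` without recomputing. The try/catch the builder is nested in, and the `$TypeBuilder` assignment that closes the hunk, continue outside the visible diff.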
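Review bot: `X86Size = 36` and `X64Size = 48` in the new `'LockInformation'` case duplicate the per-architecture sizes this commit also stores in `$Size_SYSTEM_LOCK_INFORMATION`, and the two copies already disagree on x64 (40 there, 48 here), which is the drift that duplicated constants invite. If Get-Struct's parameters allow it, pass the variable rather than literals so there is one source of truth; Get-Struct is outside this diff, so I cannot tell whether it accepts a single size. Since the commit message describes this class as a kernel-pointer leak, a comment above `'LockInformation' {` along the lines of `# SystemLockInformation (0x0C) returns kernel-mode lock addresses to the caller; output reveals kernel layout` would make that intent visible in the script itself rather than only in the commit log. The enclosing switch statement starts and ends outside the hunk.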