#需要安装sdk
#目前只在2000的平台下测试过,没有问题
#根据fport反汇编获取
#program by:flashsky
#time:2002-5-7
#include
#include
#include
// NOTE(review): the header names of the four #include directives below were
// lost in this copy of the file (the angle-bracketed part was stripped).
#include
#include
#include
#include
#pragma comment ( lib, "ws2_32.lib" )
// 0x10 = SystemHandleInformation; main passes the literal 0x10 to
// NtQuerySystemInformation rather than this name.
#define NT_HANDLE_LIST 16
// Not referenced anywhere in the visible code.
#define OBJECT_TYPE_SOCKET 0x1A
// Fixed 2 MB buffer for the handle list; main allocates exactly this much
// and the visible code never retries with a larger size.
#define MAX_HANDLE_LIST_BUF 0x200000
// One per-handle record of the SystemHandleInformation result. main reads
// dwPid (matched against GetCurrentProcessId()), HndlOffset (matched against
// the handle value) and ObjType; getmap() reads dwKeObject, the kernel
// virtual address of the object behind the handle.
typedef struct _HandleInfo{
    USHORT dwPid;
    USHORT CreatorBackTraceIndex;
    BYTE ObjType;
    BYTE HandleAttributes;
    USHORT HndlOffset;
    DWORD dwKeObject;
    ULONG GrantedAccess;
}HANDLEINFO, *PHANDLEINFO;
// Minimal native-API types declared locally.
typedef struct _IO_STATUS_BLOCK {
    DWORD Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _LSA_UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING;
typedef LSA_UNICODE_STRING UNICODE_STRING, *PUNICODE_STRING;
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    UNICODE_STRING *ObjectName;
    ULONG Attributes;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES;
// Declare NtQuerySystemInformation() and the other ntdll entry points.
// All four are resolved at runtime with GetProcAddress in main; none of
// those lookups is NULL-checked in the visible code, so a missing export
// would be called through a null function pointer.
typedef DWORD (CALLBACK* NTQUERYSYSTEMINFORMATION)( DWORD, PDWORD, DWORD, PVOID );
NTQUERYSYSTEMINFORMATION NtQuerySystemInformation;
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR);
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef DWORD (CALLBACK* ZWOPENSECTION)(PVOID, DWORD,POBJECT_ATTRIBUTES);
ZWOPENSECTION ZwOpenSection;
typedef DWORD (CALLBACK* ZWOPENFILE)(PHANDLE,DWORD,POBJECT_ATTRIBUTES,PIO_STATUS_BLOCK,ULONG,ULONG);
ZWOPENFILE ZwOpenFile;
// This function translates the address of a fetched object: it walks the
// page tables by hand to find the physical page backing the kernel object
// at get1->dwKeObject, maps that page through the \Device\PhysicalMemory
// section and copies the object's leading bytes into buf.
//
// get1: handle record whose dwKeObject is the object's kernel virtual
//       address (filled in by NtQuerySystemInformation in main).
// addr: a view that main maps from physical 0x30000 through the same
//       section — presumably the page directory of a 32-bit non-PAE
//       Win2000 kernel; confirm before using on any other build.
// pm:   section handle to \Device\PhysicalMemory (h1 in main).
// buf:  destination; no length is passed, the copy count is fixed below.
//       Callers pass 0x70-byte buffers.
// Returns 0 when the entry is not present or the page cannot be mapped;
// otherwise the virtual address the object was read from. That address
// lies inside a view that has ALREADY been unmapped by the time it is
// returned, so it is only usable as a success flag (callers test
// `readset == 0`), never as a pointer.
//
// NOTE(review): several operators were lost when this copy was published:
// `get1-dwKeObject0x16` is presumably `get1->dwKeObject >> 0x16` (PDE
// index), `get1-dwKeObject0x0c` presumably `get1->dwKeObject >> 0x0c` (PTE
// index), `get1-dwKeObject` elsewhere presumably `get1->dwKeObject`, and both
// `if((readset&0x000000ff)` tests lost their comparison operand. The shift
// amounts and the 0x3ff mask correspond to 32-bit two-level paging; a PAE
// kernel uses a different layout and is not handled. All pointer arithmetic
// is done in DWORD, so this is 32-bit-only code.
DWORD getmap(PHANDLEINFO get1,LPVOID addr,HANDLE pm,char * buf){
    DWORD readset;
    LPVOID pmaddr1;
    int i;
    readset = (get1-dwKeObject0x16);  // garbled: presumably get1->dwKeObject >> 0x16, the PDE index
    readset = *((LPDWORD)((DWORD)addr + 4*readset));  // fetch the page-directory entry
    // Comparison lost in this copy; given the early return this tests the
    // PDE flag byte for "not present" — confirm against the original.
    if((readset&0x000000ff){
        return 0;
    }
    // Comparison lost in this copy; the two branches show this distinguishes
    // a 4 KB page (walk the page table) from a large page (else) — confirm.
    if((readset&0x000000ff){
        // Map the page table (4 = FILE_MAP_READ, one 4 KB page). The view is
        // dereferenced below without a NULL check — a failed MapViewOfFile
        // faults here instead of returning 0.
        pmaddr1 = MapViewOfFile(pm,4,0,readset&0xfffff000,0x1000);
        readset = (get1-dwKeObject0x0c) & 0x3ff;  // garbled: presumably (get1->dwKeObject >> 0x0c) & 0x3ff, the PTE index
        readset = *((LPDWORD)((DWORD)pmaddr1 + 4*readset));  // fetch the page-table entry
        UnmapViewOfFile(pmaddr1);
        readset = readset & 0x0FFFFF000;  // physical page frame from the PTE
    }else{
        // Large page: frame from the PDE plus the virtual address bits 12..21
        // (mask 0x003ff000). For a 4 MB page the frame mask would arguably be
        // 0xffc00000 rather than 0xfffff000 — confirm.
        readset=(readset&0xfffff000)+(get1-dwKeObject&0x003ff000);
    }
    pmaddr1 =MapViewOfFile(pm,4,0,readset,0x1000);  // map the object's physical page
    if(pmaddr1!=NULL){
        readset = get1-dwKeObject&0x00000fff;  // page offset of the object (garbled `->`)
        readset = (DWORD)pmaddr1+readset;
        // Loop bound lost in this copy (`for(i=0;i<N;i++)`); callers pass
        // 0x70-byte buffers. Nothing checks that offset + N stays inside the
        // single 4 KB view, so an object near the page end is read past it.
        for(i=0;ibuf[i] = *((char *)(readset + i));
        UnmapViewOfFile(pmaddr1);
    }else{
        return 0;
    }
    return readset;  // address inside the view just unmapped — flag only
}
int main( ){
    DWORD readset1;
    DWORD readset2;
    DWORD readset3;
    OVERLAPPED la;
    HMODULE hNtdll = NULL;
    DWORD dwNumEntries;
    PHANDLEINFO pHandleInfo;
    HANDLE htcp;
    HANDLE pmy;
    HANDLE hudp;
    HANDLE myhand;
    HANDLE h1=NULL;
    hNtdll = LoadLibrary( "ntdll.dll" );
    DWORD status;
    LPVOID pmaddr;
    TOKEN_PRIVILEGES NewState;
    DWORD dwNumBytes = MAX_HANDLE_LIST_BUF;
    PDWORD pdwHandleList;
    PDWORD pdwHandInfo;
    DWORD dwNumBytesRet;
    HANDLE hToken;
    DWORD isok;
    UNICODE_STRING dn;
    IO_STATUS_BLOCK ch3;
    int port1;
    HANDLE hProc;
    wchar_t * ch1 = L"\Device\Tcp";
    wchar_t * ch2 = L"\Device\Udp";
    OBJECT_ATTRIBUTES ofs;
    DWORD i;
    DWORD p=0;
    char buf1[0x70];
    char buf2[0x70];
    char buf3[0x70];
    char in[0x18];
    char in1[0x18];
    unsigned char out[0x38];
    unsigned char out1[0x30];
    PHANDLEINFO tcpdnum;
    PHANDLEINFO udpdnum;
    if ( !hNtdll ){
        printf( "LoadLibrary( NTDLL.DLL ) Error:%dn", GetLastError() );
        return false;
    }
    NtQuerySystemInformation = (NTQUERYSYSTEMINFORMATION)GetProcAddress( hNtdll, "NtQuerySystemInformation");
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( hNtdll, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress( hNtdll, "ZwOpenSection");;
    ZwOpenFile = (ZWOPENFILE)GetProcAddress( hNtdll, "ZwOpenFile");;
    RtlInitUnicodeString(&dn,L"\Device\PhysicalMemory");
    OBJECT_ATTRIBUTES udm= {
        sizeof(OBJECT_ATTRIBUTES), // Length
        NULL, // RootDirectory
        &dn, // ObjectName
        0, // Attributes
        NULL, // SecurityDescriptor
        NULL, // SecurityQualityOfService
    };
    status = ZwOpenSection(&h1,SECTION_MAP_READ,&udm);
    if(status == 0){
        pmy = GetCurrentProcess();
        pmaddr
=MapViewOfFile(h1,4,0,0x30000,0x1000);NewState.PrivilegeCount=1;NewState.Privileges[0].Attributes=2;NewState.Privileges[0].Luid.HighPart=0;NewState.Privileges[0].Luid.LowPart=0;isok=LookupPrivilegeValue(0,SE_DEBUG_NAME,&NewState.Privileges[0].Luid);isok=OpenProcessToken(pmy,0x20,&hToken);isok=AdjustTokenPrivileges(hToken,0,&NewState,0x10,0,0);CloseHandle(hToken);RtlInitUnicodeString(&dn,ch1);ofs.SecurityDescriptor = 0;ofs.ObjectName = &dn;ofs.Length =0x18;ofs.RootDirectory = 0;ofs.Attributes =0x40;ofs.SecurityQualityOfService =0;status=ZwOpenFile(&htcp,0x100000,&ofs,&ch3,3,0);RtlInitUnicodeString(&dn,ch2);ofs.ObjectName = &dn;status=ZwOpenFile(&hudp,0x100000,&ofs,&ch3,3,0);pdwHandleList = (PDWORD)malloc(dwNumBytes);pdwHandInfo = (PDWORD)malloc(2048);dwNumBytesRet = 0x10;isok = (*NtQuerySystemInformation)(0x10,pdwHandleList,dwNumBytes,&dwNumBytesRet);if( !isok){dwNumEntries = pdwHandleList[0];pHandleInfo = (PHANDLEINFO)( pdwHandleList + 1 );for (i = 0; i{if(pHandleInfo-dwPid == GetCurrentProcessId() && pHandleInfo-HndlOffset ==(int)htcp){tcpdnum = pHandleInfo;break;}pHandleInfo++;}pHandleInfo = (PHANDLEINFO)( pdwHandleList + 1 );for (i = 0; i{if(pHandleInfo-dwPid == GetCurrentProcessId() && pHandleInfo-HndlOffset ==(int)hudp){udpdnum = pHandleInfo;break;}pHandleInfo++;}ZeroMemory(buf1,0x70);ZeroMemory(buf2,0x70);readset1 = getmap(tcpdnum,pmaddr,h1,buf1);if(readset1==0){printf("map tcp failen");return 0;}readset2 = getmap(udpdnum,pmaddr,h1,buf2);if(readset2==0){printf("map udp failen");return 0;}la.hEvent = CreateEvent(0,1,0,0);;la.Internal = 0;la.InternalHigh=0;la.Offset = 0;la.OffsetHigh = 0;pHandleInfo = (PHANDLEINFO)( pdwHandleList + 1 );for (i = 0; i{ZeroMemory(buf3,0x70);if(pHandleInfo-ObjType == tcpdnum-ObjType){readset3 = getmap(pHandleInfo,pmaddr,h1,buf3);if(readset3==0){pHandleInfo++;continue;}if(buf3[4]==buf1[4] && buf3[5]==buf1[5]&& buf3[6]==buf1[6]&& buf3[7]==buf1[7]){if((buf3[16]==1 || buf3[16]==2) && buf3[17]==0 && buf3[18]==0 && buf3[19]==0){