This commit is contained in:
DavidXanatos 2024-05-31 11:35:09 +02:00
parent eee94ca9a2
commit 65c68b9fb6
3 changed files with 90 additions and 4 deletions


@ -78,6 +78,12 @@ static NTSTATUS Ipc_Api_QuerySymbolicLink(PROCESS *proc, ULONG64 *parms);
//---------------------------------------------------------------------------
NTSTATUS Thread_GetKernelHandleForUserHandle(
HANDLE *OutKernelHandle, HANDLE InUserHandle);
//---------------------------------------------------------------------------
#ifdef ALLOC_PRAGMA
#pragma alloc_text (INIT, Ipc_Init)
#pragma alloc_text (INIT, Ipc_Init_Type)
@ -1421,10 +1427,65 @@ _FX NTSTATUS Ipc_Api_DuplicateObject(PROCESS *proc, ULONG64 *parms)
if (NT_SUCCESS(status)) {
status = NtDuplicateObject(
SourceProcessHandle, SourceHandle,
TargetProcessHandle, TargetHandle,
DesiredAccess, HandleAttributes, Options);
PROCESS* proc1 = NULL;
if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle))
proc1 = Process_Find_ByHandle(SourceProcessHandle, NULL);
else
proc1 = proc;
PROCESS* proc2 = NULL;
if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle))
proc2 = Process_Find_ByHandle(TargetProcessHandle, NULL);
else
proc2 = proc;
if (proc1 != proc2 && (proc1 == NULL || proc2 == NULL || !Process_IsSameBox(proc1, proc2, 0))) {
status = NtDuplicateObject(
SourceProcessHandle, SourceHandle,
TargetProcessHandle, TargetHandle,
DesiredAccess, HandleAttributes, Options);
} else {
HANDLE SourceProcessKernelHandle;
if (!IS_ARG_CURRENT_PROCESS(SourceProcessHandle))
status = Thread_GetKernelHandleForUserHandle(&SourceProcessKernelHandle, SourceProcessHandle);
else
SourceProcessKernelHandle = ZwCurrentProcess();
if (NT_SUCCESS(status)) {
HANDLE TargetProcessKernelHandle;
if (!IS_ARG_CURRENT_PROCESS(TargetProcessHandle))
status = Thread_GetKernelHandleForUserHandle(&TargetProcessKernelHandle, TargetProcessHandle);
else
TargetProcessKernelHandle = ZwCurrentProcess();
if (NT_SUCCESS(status)) {
HANDLE SourceKernelHandle;
status = Thread_GetKernelHandleForUserHandle(&SourceKernelHandle, SourceHandle);
if (NT_SUCCESS(status)) {
status = ZwDuplicateObject(
SourceProcessKernelHandle, SourceKernelHandle,
TargetProcessKernelHandle, &DuplicatedHandle,
DesiredAccess, HandleAttributes, Options & ~DUPLICATE_CLOSE_SOURCE);
if (Options & DUPLICATE_CLOSE_SOURCE)
NtClose(SourceHandle);
*TargetHandle = DuplicatedHandle;
ZwClose(SourceKernelHandle);
}
if (!IS_ARG_CURRENT_PROCESS(TargetProcessKernelHandle))
ZwClose(TargetProcessKernelHandle);
}
if (!IS_ARG_CURRENT_PROCESS(SourceProcessKernelHandle))
ZwClose(SourceProcessKernelHandle);
}
}
}
//
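Review bot: The DUPLICATE_CLOSE_SOURCE handling and the result write at L58–L60 run regardless of whether the ZwDuplicateObject call at L54 succeeded, so on failure the caller's source handle is still closed and an unset `DuplicatedHandle` is stored through `*TargetHandle`; both statements should sit under `if (NT_SUCCESS(status)) { ... }` inside the L53 block. `NtClose(SourceHandle)` at L59 also operates on the current process's handle table, while `SourceHandle` is relative to `SourceProcessHandle`, so when the source is a foreign process this closes an unrelated handle of the caller (or fails) instead of the intended one — the same concern presumably applies to resolving `SourceHandle` via `Thread_GetKernelHandleForUserHandle` at L52, which would need confirming against that helper. The condition at L33 sends two handles that both fail `Process_Find_ByHandle` (proc1 == proc2 == NULL) into the kernel-mode ZwDuplicateObject branch rather than the user-mode NtDuplicateObject fallback, which looks inverted if the privileged path is meant only for same-box processes; `proc1 != NULL && proc1 == proc2` would express that intent more tightly. Whether `*TargetHandle` is probed for write and whether `DuplicatedHandle` is initialised cannot be seen here, since Ipc_Api_DuplicateObject begins and ends outside the hunk.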


@ -554,6 +554,30 @@ _FX PROCESS *Process_FindSandboxed(HANDLE ProcessId, KIRQL *out_irql)
}
//---------------------------------------------------------------------------
// Process_Find_ByHandle
//---------------------------------------------------------------------------
_FX PROCESS *Process_Find_ByHandle(HANDLE Handle, KIRQL *out_irql)
{
NTSTATUS Status;
PEPROCESS ProcessObject = NULL;
PROCESS* Process = NULL;
Status = ObReferenceObjectByHandle(Handle, PROCESS_QUERY_INFORMATION, *PsProcessType, UserMode, (PVOID*)&ProcessObject, NULL);
if (NT_SUCCESS(Status)) {
Process = Process_Find(PsGetProcessId(ProcessObject), out_irql);
// Dereference the process object
ObDereferenceObject(ProcessObject);
}
return Process;
}
//---------------------------------------------------------------------------
// Process_CreateTerminated
//---------------------------------------------------------------------------
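Review bot: Process_Find_ByHandle has no contract comment, and its two distinct NULL returns (handle could not be referenced with PROCESS_QUERY_INFORMATION under UserMode checks, or the process is simply not managed) are indistinguishable to the callers at L25/L30 in ipc.c; a header comment such as `// Resolve a user-mode process handle to its PROCESS record; returns NULL when the handle cannot be referenced with PROCESS_QUERY_INFORMATION or the process is not tracked. out_irql is passed through to Process_Find unchanged.` would make that explicit. Requesting PROCESS_QUERY_INFORMATION at L85 means a handle granted only PROCESS_QUERY_LIMITED_INFORMATION is rejected here although the user-mode NtDuplicateObject fallback might still accept it — worth confirming that is intended. As a point of style, `Status` at L82 could be declared at first use on L85 rather than separately.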


@ -239,6 +239,7 @@ PROCESS *Process_Find(HANDLE ProcessId, KIRQL *out_irql);
PROCESS *Process_FindSandboxed(HANDLE ProcessId, KIRQL *out_irql);
PROCESS *Process_Find_ByHandle(HANDLE Handle, KIRQL *out_irql);
// Start supervising a new process