There have been many articles on mapping processes to the ports they own. I have written this analysis of fport so that everyone can see how fport actually does it.
Fport.exe is free software produced by the Foundstone team. It lists every open TCP and UDP port on the system together with the process that opened it.
The analysis in this article is based on fport v1.33. If the behaviour differs from the fport on your machine, check the fport version first.
First, fport checks whether the current user has administrator rights (it reads the token of the current process to determine this; for more information, see
If the user is not an administrator, it prints a message and exits; otherwise it adjusts the token of the current process. It then uses the ZwOpenSection function to open the kernel object
\Device\PhysicalMemory, which gives access to the physical memory of the system. The prototype of ZwOpenSection is as follows:
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenSection(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );
(see ntddk.h)
The first parameter receives the section handle once the function has succeeded.
The second parameter, DesiredAccess, is a mask built from the following values:
#define SECTION_QUERY        0x0001
#define SECTION_MAP_WRITE    0x0002
#define SECTION_MAP_READ     0x0004
#define SECTION_MAP_EXECUTE  0x0008
#define SECTION_EXTEND_SIZE  0x0010
#define SECTION_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SECTION_QUERY | \
                            SECTION_MAP_WRITE |                         \
                            SECTION_MAP_READ |                          \
                            SECTION_MAP_EXECUTE |                       \
                            SECTION_EXTEND_SIZE)
(see ntddk.h)
The third parameter is a structure describing the object to be opened (its name, root directory, attributes and security settings). It is defined as follows:
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;        // points to a SECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService;  // points to a SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES;
typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
(see ntdef.h)
The structure is initialised with a macro:
#define InitializeObjectAttributes(p, n, a, r, s) { \
    (p)->Length = sizeof(OBJECT_ATTRIBUTES);        \
    (p)->RootDirectory = r;                         \
    (p)->Attributes = a;                            \
    (p)->ObjectName = n;                            \
    (p)->SecurityDescriptor = s;                    \
    (p)->SecurityQualityOfService = NULL;           \
    }
(see ntdef.h)
The code that opens the kernel object \Device\PhysicalMemory and maps a view of it looks like this (the Zw*/Rtl* routines come from ntdll.dll; link against ntdll.lib and include the ntddk.h/ntdef.h definitions above):
WCHAR PhysmemName[] = L"\\Device\\PhysicalMemory";
void *pMapPhysicalMemory;
HANDLE pHandle;

BOOL OpenPhysicalMemory(void)
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;

    // initialise the UNICODE_STRING (prototype in ntddk.h)
    RtlInitUnicodeString(&physmemString, PhysmemName);
    // initialise the OBJECT_ATTRIBUTES structure
    InitializeObjectAttributes(&attributes, &physmemString, OBJ_CASE_INSENSITIVE, NULL, NULL);
    // open the section object \Device\PhysicalMemory and get a handle to it
    status = ZwOpenSection(&pHandle, SECTION_MAP_READ, &attributes);
    if (!NT_SUCCESS(status))
        return FALSE;
    // map 0x1000 bytes starting at physical address 0x30000
    // (arguments: handle, access, offset high, offset low, bytes to map)
    pMapPhysicalMemory = MapViewOfFile(pHandle, FILE_MAP_READ, 0, 0x30000, 0x1000);
    if (pMapPhysicalMemory == NULL)   // MapViewOfFile signals failure by returning NULL
        return FALSE;
    return TRUE;
}
Why map 0x1000 bytes starting at physical address 0x30000? In Windows NT/2000 the system is divided into kernel mode and user mode, that is, Ring 0 and Ring 3, and all processes' user-mode code runs in Ring 3. On 32-bit (non-PAE) NT/2000 the page directory of the System process lives at physical address 0x30000; it is also the lowest page directory in the system. A page directory holds 1024 entries (PDEs), each pointing to a page table; a page table in turn holds 1024 entries (PTEs), each describing one 4 KB page. 1024 entries * 4 bytes = 4096 (0x1000) bytes, so a whole page directory fits in exactly one page. Mapping 0x1000 bytes from physical address 0x30000 therefore gives fport the complete page directory of the System process, from which it can walk page tables to reach kernel memory. (For details see WebCrazy's article 'A brief discussion of the Windows NT/2000 paging mechanism'.)
Two caveats when reproducing this: 0x30000 is an observed constant of 32-bit non-PAE NT/2000, not a documented contract (PAE uses a different directory layout), and Windows Server 2003 SP1 and later refuse to open \Device\PhysicalMemory from user mode, so this technique only works on the older systems fport was written for.
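To make the arithmetic above concrete, here is an added example (not fport's code) that performs the x86 non-PAE page-table walk over a constructed physical-memory image laid out the way the text describes the System process: a 1024-entry, 0x1000-byte page directory at physical 0x30000. It goes slightly beyond the text by also handling 4 MB large pages (the PS bit) and the NT self-map, where PDE 0x300 points back at the directory itself so that the directory appears at virtual 0xC0300000. All table contents (the page table at 0x31000, the mapping of 0x10000 to 0x7000, the kernel large page at 0x400000) are constructed for illustration.

```c
/* Added example (not fport's code): an x86 non-PAE page-table walk over a constructed
 * physical-memory image, laid out the way the text describes the NT/2000 System process:
 * the page directory (1024 x 4-byte PDEs = 0x1000 bytes) at physical 0x30000.
 * All table contents below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE    0x1000u
#define PDE_COUNT    1024u
#define PD_PHYS      0x30000u        /* System page-directory physical address on NT/2000 x86 */
#define PHYS_SIZE    0x40000u        /* size of our constructed physical-memory image */
#define NOT_PRESENT  0xFFFFFFFFu     /* sentinel returned when translation fails */

#define PTE_PRESENT  0x001u
#define PTE_RW       0x002u
#define PTE_USER     0x004u
#define PTE_PS       0x080u          /* in a PDE: 4 MB page, no page table (CR4.PSE) */

static uint8_t g_phys[PHYS_SIZE];    /* constructed "physical memory" */
static int     g_built;

static uint32_t phys_read32(uint32_t paddr) {
    uint32_t v;
    if ((size_t)paddr + 4 > PHYS_SIZE) return 0;   /* outside the image: behaves as "not present" */
    memcpy(&v, g_phys + paddr, 4);
    return v;
}

static void phys_write32(uint32_t paddr, uint32_t v) { memcpy(g_phys + paddr, &v, 4); }

/* Size in bytes of one page directory: exactly the 0x1000 bytes fport maps from 0x30000. */
uint32_t page_directory_bytes(void) { return (uint32_t)(PDE_COUNT * sizeof(uint32_t)); }

/* Build the constructed image: PD at 0x30000, one page table at 0x31000, and the NT self-map. */
static void build_image(void) {
    if (g_built) return;
    memset(g_phys, 0, sizeof g_phys);
    /* PDE[0x000]: page table at 0x31000 covers virtual 0x00000000-0x003FFFFF */
    phys_write32(PD_PHYS + 0x000 * 4, 0x31000u | PTE_RW | PTE_PRESENT);
    /* PTE[0x010] in that table: virtual 0x00010000 -> physical 0x00007000 (constructed) */
    phys_write32(0x31000u + 0x010 * 4, 0x7000u | PTE_USER | PTE_PRESENT);
    /* PDE[0x200]: a 4 MB large page, virtual 0x80000000 -> physical 0x00400000 (constructed value) */
    phys_write32(PD_PHYS + 0x200 * 4, 0x400000u | PTE_PS | PTE_RW | PTE_PRESENT);
    /* PDE[0x300]: NT self-map; the PDE points back at the page directory itself, so the
     * directory is visible at 0xC0300000 and page table i at 0xC0000000 + i * 0x1000 */
    phys_write32(PD_PHYS + 0x300 * 4, PD_PHYS | PTE_RW | PTE_PRESENT);
    g_built = 1;
}

/* Translate a 32-bit virtual address through the page directory at pd_phys.
 * Returns the physical address, or NOT_PRESENT if a PDE/PTE has the present bit clear. */
uint32_t translate(uint32_t pd_phys, uint32_t vaddr) {
    uint32_t pdi = vaddr >> 22;             /* bits 31..22: index into the 1024-entry PD */
    uint32_t pti = (vaddr >> 12) & 0x3FFu;  /* bits 21..12: index into the 1024-entry PT */
    uint32_t off = vaddr & (PAGE_SIZE - 1u);/* bits 11..0 : offset within the 4 KB page */

    uint32_t pde = phys_read32(pd_phys + pdi * 4);
    if (!(pde & PTE_PRESENT)) return NOT_PRESENT;
    if (pde & PTE_PS)                       /* 4 MB page: low 22 bits of vaddr are the offset */
        return (pde & 0xFFC00000u) | (vaddr & 0x3FFFFFu);

    uint32_t pte = phys_read32((pde & ~(PAGE_SIZE - 1u)) + pti * 4);
    if (!(pte & PTE_PRESENT)) return NOT_PRESENT;
    return (pte & ~(PAGE_SIZE - 1u)) | off;
}

/* Convenience wrapper over the constructed image, walking from the System PD at 0x30000. */
uint32_t example_translate(uint32_t vaddr) {
    build_image();
    return translate(PD_PHYS, vaddr);
}

int main(void) {
    const uint32_t probes[] = { 0x00010ABCu, 0x80001234u, 0xC0300000u, 0xC0300C00u,
                                0xC0000000u, 0x00020000u, 0x40000000u };
    printf("page directory = 0x%X bytes\n", page_directory_bytes());
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t pa = example_translate(probes[i]);
        if (pa == NOT_PRESENT) printf("VA 0x%08X -> not present\n", probes[i]);
        else                   printf("VA 0x%08X -> PA 0x%08X\n", probes[i], pa);
    }
    return 0;
}
```

The self-map probes are the instructive ones: 0xC0300000 translates to 0x30000 (the directory itself) and 0xC0300C00 to 0x30C00, the physical address of PDE 0x300, which is the same trick the kernel relies on to edit its own page tables. A tool that has mapped the directory at 0x30000 through \Device\PhysicalMemory can run exactly this walk to locate any kernel structure whose virtual address it knows.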
After opening \Device\PhysicalMemory, the program uses the ZwOpenFile function to open the kernel objects \Device\Tcp and \Device\Udp. The ZwOpenFile prototype is as follows:
NTSYSAPI
NTSTATUS
NTAPI
ZwOpenFile(
    OUT PHANDLE FileHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    OUT PIO_STATUS_BLOCK IoStatusBlock,
    IN ULONG ShareAccess,
    IN ULONG OpenOptions
    );
(see ntddk.h)
The first parameter returns the handle of the opened object.
The second parameter, DesiredAccess, can be a constant of the following values:
#define FILE_READ_DATA            (0x0001)  // file & pipe
#define FILE_LIST_DIRECTORY       (0x0001)  // directory
#define FILE_WRITE_DATA           (0x0002)  // file & pipe
#define FILE_ADD_FILE             (0x0002)  // directory
#define FILE_APPEND_DATA          (0x0004)  // file
#define FILE_ADD_SUBDIRECTORY     (0x0004)  // directory
#define FILE_CREATE_PIPE_INSTANCE (0x0004)  // named pipe
#define FILE_READ_EA              (0x0008)  // file & directory
#define FILE_WRITE_EA             (0x0010)  // file & directory
#define FILE_EXECUTE              (0x0020)  // file
#define FILE_TRAVERSE             (0x0020)  // directory
#define FILE_DELETE_CHILD         (0x0040)  // directory
#define FILE_READ_ATTRIBUTES      (0x0080)  // all
#define FILE_WRITE_ATTRIBUTES     (0x0100)  // all
#define FILE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0x1FF)
#define FILE_GENERIC_READ    (STANDARD_RIGHTS_READ |    \
                              FILE_READ_DATA |          \
                              FILE_READ_ATTRIBUTES |    \
                              FILE_READ_EA |            \
                              SYNCHRONIZE)
#define FILE_GENERIC_WRITE   (STANDARD_RIGHTS_WRITE |   \
                              FILE_WRITE_DATA |         \
                              FILE_WRITE_ATTRIBUTES |   \
                              FILE_WRITE_EA |           \
                              FILE_APPEND_DATA |        \
                              SYNCHRONIZE)
#define FILE_GENERIC_EXECUTE (STANDARD_RIGHTS_EXECUTE | \
                              FILE_READ_ATTRIBUTES |    \
                              FILE_EXECUTE |            \
                              SYNCHRONIZE)
(see ntdef.h)
The third parameter is a structure that contains information about the object type to be opened. For details, see the preceding description.
The fourth parameter receives the completion status of the open operation. IO_STATUS_BLOCK is defined as follows:
typedef struct _IO_STATUS_BLOCK {
    union {
        NTSTATUS Status;
        PVOID Pointer;
    };
    ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
#if defined(_WIN64)
typedef struct _IO_STATUS_BLOCK32 {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK32, *PIO_STATUS_BLOCK32;
#endif
(see ntddk.h)
The fifth parameter, ShareAccess, is a mask built from the following values:
#define FILE_SHARE_READ   0x00000001  // winnt
#define FILE_SHARE_WRITE  0x00000002  // winnt
#define FILE_SHARE_DELETE 0x00000004  // winnt
(see ntddk.h)
The sixth parameter, OpenOptions, is likewise a mask built from the following values:
#define FILE_DIRECTORY_FILE             0x00000001
#define FILE_WRITE_THROUGH              0x00000002
#define FILE_SEQUENTIAL_ONLY            0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING  0x00000008
#define FILE_SYNCHRONOUS_IO_ALERT       0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT    0x00000020
#define FILE_NON_DIRECTORY_FILE         0x00000040
#define FILE_CREATE_TREE_CONNECTION     0x00000080
#define FILE_COMPLETE_IF_OPLOCKED       0x00000100
#define FILE_NO_EA_KNOWLEDGE            0x00000200
#define FILE_OPEN_FOR_RECOVERY          0x00000400
#define FILE_RANDOM_ACCESS              0x00000800
#define FILE_DELETE_ON_CLOSE            0x00001000
#define FILE_OPEN_BY_FILE_ID            0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT     0x00004000
#define FILE_NO_COMPRESSION             0x00008000
#define FILE_RESERVE_OPFILTER           0x00100000
#define FILE_OPEN_REPARSE_POINT         0x00200000
#define FILE_OPEN_NO_RECALL             0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY  0x00800000
#define FILE_COPY_STRUCTURED_STORAGE    0x00000041
#define FILE_STRUCTURED_STORAGE         0x00000441
#define FILE_VALID_OPTION_FLAGS         0x00ffffff
#define FILE_VALID_PIPE_OPTION_FLAGS    0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
#define FILE_VALID_SET_FLAGS            0x00000036
(see ntddk.h)
The following code opens the kernel objects \Device\Tcp and \Device\Udp. fport passes DesiredAccess = 0x100000 (SYNCHRONIZE) and ShareAccess = 3 (FILE_SHARE_READ | FILE_SHARE_WRITE) with no OpenOptions; the constants are spelled out here for readability:
WCHAR physmemNameTcp[] = L"\\Device\\TCP";
WCHAR physmemNameUdp[] = L"\\Device\\UDP";
HANDLE pTcpHandle;
HANDLE pUdpHandle;

HANDLE OpenDeviceTcpUdp(WCHAR *deviceName)
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    IO_STATUS_BLOCK iosb;
    HANDLE pDeviceHandle = NULL;

    // RtlInitUnicodeString cannot fail and does not set a last-error value
    RtlInitUnicodeString(&physmemString, deviceName);
    InitializeObjectAttributes(&attributes, &physmemString, OBJ_CASE_INSENSITIVE, 0, NULL);
    status = ZwOpenFile(&pDeviceHandle,
                        SYNCHRONIZE,                        // 0x100000 in fport
                        &attributes,
                        &iosb,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, // 3 in fport
                        0);
    if (!NT_SUCCESS(status))
        return NULL;
    return pDeviceHandle;   // the caller stores this in pTcpHandle / pUdpHandle
}
Next, the program calls the ZwQuerySystemInformation function to obtain the handles opened by the processes currently running on the system, together with their related information.