lab52io / LeakedHandlesFinder

Leaked Windows process handles identification tool

Question about section handles #1

Closed carlospolop closed 2 years ago

carlospolop commented 2 years ago

Hey, thanks for the tool and the talk at RootedCON! I have a question if you don't mind. Do you have any information about what a section handle is and potential ways to abuse it? I ask this because even if in the presentation you indicate it's not possible to attack a section handle, in the code you contemplate that possibility in https://github.com/lab52io/LeakedHandlesFinder/blob/b81f2f8d7129330e9ef0f5851db923630a4e6e5c/LeakedHandlesFinder/LeakedHandlesFinder.cpp#L1079

Thanks!

lab52io commented 2 years ago

Hi Carlos, thanks for coming to my talk, your talk was amazing too (Linux mutants). A Section handle is just like a File handle; the common name of these kinds of objects is "File Mapping". You can get more info here --> https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping but basically it's a feature of Windows systems for working with big files, not keeping the entire file in memory and reading it in chunks of data. So you can abuse it like a normal file. Frankly speaking, I've never exploited it, but in theory it's possible. If I said it was not possible during my talk, it was a mistake :) (Confirmed, I checked my slides and it was an error).

carlospolop commented 2 years ago

Cool! Thanks for the info! Do you know if I can then use a function like GetFullPathName to get the path of the opened file (like if it was a File handle), or do you know any other function I could use for that purpose? (I'm trying to add these nice techniques to winpeas, so thanks again)

haha, I don't think you said that, or I don't remember, but there is a slide in the presentation saying so (the 9th one in case you want to modify it)
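Added example (not code from LeakedHandlesFinder, winpeas, or either participant) of the identification step the question above asks about: given a Section handle, report which file it maps. GetFullPathName does not apply to a section; the approach assumed here is to map a single page of the section and call GetMappedFileNameW from psapi, which returns the path in NT device form (`\Device\HarddiskVolumeN\...`). That device prefix is translated to a drive letter with a table built from QueryDosDeviceW. The Windows API calls are guarded by `_WIN32` so that the pure path-translation helper, which is what a unit test can exercise on any platform, still compiles elsewhere; the device table in `sampleDeviceTable()` is constructed for that purpose and is not real system output.

```cpp
// Added example: resolve the file behind a Section (file mapping) handle.
// Assumptions: GetMappedFileNameW yields an NT device path; pagefile-backed or
// named sections with no file cannot be resolved and return an empty string;
// the caller's handle must carry SECTION_MAP_READ or MapViewOfFile fails.
#include <cstdio>
#include <map>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
#ifdef _MSC_VER
#pragma comment(lib, "psapi.lib")  // MinGW: link with -lpsapi instead
#endif
#endif

// Device prefix -> drive letter, e.g. L"\\Device\\HarddiskVolume3" -> L"C:".
using DeviceTable = std::map<std::wstring, std::wstring>;

// Translate an NT device path to a DOS path. Longest matching prefix wins so
// "\Device\HarddiskVolume1" cannot swallow "\Device\HarddiskVolume10".
// Returns the input unchanged when nothing matches (named section, pipe, ...).
std::wstring deviceToDosPath(const std::wstring& devicePath, const DeviceTable& table) {
    std::wstring bestPrefix, bestDrive;
    for (const auto& kv : table) {
        const std::wstring& prefix = kv.first;
        bool prefixMatches = devicePath.compare(0, prefix.size(), prefix) == 0;
        bool atBoundary = devicePath.size() == prefix.size() ||
                          (devicePath.size() > prefix.size() && devicePath[prefix.size()] == L'\\');
        if (prefixMatches && atBoundary && prefix.size() > bestPrefix.size()) {
            bestPrefix = prefix;
            bestDrive = kv.second;
        }
    }
    if (bestPrefix.empty()) return devicePath;
    return bestDrive + devicePath.substr(bestPrefix.size());
}

// Constructed sample table (hypothetical values, not taken from a real host)
// so the translation logic can be checked without a Windows machine.
DeviceTable sampleDeviceTable() {
    return {
        { L"\\Device\\HarddiskVolume1",  L"D:" },
        { L"\\Device\\HarddiskVolume10", L"E:" },
        { L"\\Device\\HarddiskVolume3",  L"C:" },
    };
}

#ifdef _WIN32
// Build the real table: QueryDosDeviceW(L"C:") fills target with the NT device name.
DeviceTable buildDeviceTable() {
    DeviceTable table;
    wchar_t target[MAX_PATH];
    for (wchar_t letter = L'A'; letter <= L'Z'; ++letter) {
        wchar_t drive[3] = { letter, L':', L'\0' };
        if (QueryDosDeviceW(drive, target, MAX_PATH) != 0) {
            table[target] = drive;  // target is MULTI_SZ; the first string is the device
        }
    }
    return table;
}

// Map one page of the section read-only and ask psapi which file backs it.
std::wstring sectionBackingFile(HANDLE section, const DeviceTable& table) {
    LPVOID view = MapViewOfFile(section, FILE_MAP_READ, 0, 0, 1);
    if (view == nullptr) return L"";  // no SECTION_MAP_READ on the handle, or not a section
    wchar_t devicePath[MAX_PATH];
    DWORD n = GetMappedFileNameW(GetCurrentProcess(), view, devicePath, MAX_PATH);
    UnmapViewOfFile(view);
    if (n == 0) return L"";  // not file-backed
    return deviceToDosPath(std::wstring(devicePath, n), table);
}

// Stand-alone demo: create a section over our own executable and resolve it back.
int main() {
    wchar_t self[MAX_PATH];
    GetModuleFileNameW(nullptr, self, MAX_PATH);
    HANDLE file = CreateFileW(self, GENERIC_READ, FILE_SHARE_READ, nullptr, OPEN_EXISTING, 0, nullptr);
    if (file == INVALID_HANDLE_VALUE) return 1;
    HANDLE section = CreateFileMappingW(file, nullptr, PAGE_READONLY, 0, 0, nullptr);
    CloseHandle(file);
    if (section == nullptr) return 1;
    std::wstring path = sectionBackingFile(section, buildDeviceTable());
    CloseHandle(section);
    wprintf(L"Section maps: %ls\n", path.c_str());
    return path.empty() ? 1 : 0;
}
#endif
```

When this is applied to a handle inherited from another process, the access mask on that handle decides the outcome: without SECTION_MAP_READ the view cannot be created and the function returns an empty string, which is itself a useful data point for a finder tool because it separates sections that merely exist from sections the child can actually read.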

lab52io commented 2 years ago

Try this:

carlospolop commented 2 years ago

Nice, I will try that. Thanks!