For GETTING porthandle

Question

1.00/5 (1 vote)

See more:

I want to use NtQueryInformationPort function below in DriverEntry function to know all of the listening ports number. However, I don't know how to get PortHandle which is the first parameter in NtQueryInformationPort.
Is there someway to get PortHandle?

/*++

Copyright (c) Microsoft Corporation. All rights reserved.

You may only use this code if you agree to the terms of the Windows Research Kernel Source Code License agreement (see License.txt).
If you do not agree to the terms, do not use the code.

Module Name:

lpcquery.c

Abstract:

Local Inter-Process Communication (LPC) query services

--*/

#include "lpcp.h"

#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,NtQueryInformationPort)
#endif

NTSTATUS
NTAPI
NtQueryInformationPort (
__in HANDLE PortHandle,
__in PORT_INFORMATION_CLASS PortInformationClass,
__out_bcount(Length) PVOID PortInformation,
__in ULONG Length,
__out_opt PULONG ReturnLength
)

/*++

Routine Description:

This routine should be used to query an lpc port, but is pretty much a
noop. Currently it can only indicate if the input handle is for a port
object.

Arguments:

PortHandle - Supplies the handle for the port being queried

PortInformationClass - Specifies the type information class being asked
for. Currently ignored.

PortInformation - Supplies a pointer to the buffer to receive the
information. Currently just probed and then ignored.

Length - Specifies, in bytes, the size of the port information buffer.

ReturnLength - Optionally receives the size, in bytes, of the information
being returned. Currently just probed and then ignored.

Return Value:

NTSTATUS - An appropriate status value.

--*/

{

KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PLPCP_PORT_OBJECT PortObject;

PAGED_CODE();

UNREFERENCED_PARAMETER ( PortInformationClass );

//
// Get previous processor mode and probe output argument if necessary.
//

PreviousMode = KeGetPreviousMode();

if (PreviousMode != KernelMode) {

try {

ProbeForWrite( PortInformation,
Length,
sizeof( ULONG ));

if (ARGUMENT_PRESENT( ReturnLength )) {

ProbeForWriteUlong( ReturnLength );
}

} except( EXCEPTION_EXECUTE_HANDLER ) {

return( GetExceptionCode() );
}
}

//
// If the user gave us a handle then reference the object. And return
// success if we got a good reference and an error otherwise.
//

if (ARGUMENT_PRESENT( PortHandle )) {

Status = ObReferenceObjectByHandle( PortHandle,
GENERIC_READ,
LpcPortObjectType,
PreviousMode,
&PortObject,
NULL );

if (!NT_SUCCESS( Status )) {

//
// It might be a waitable port object.
// Let's try again as this object type
//

Status = ObReferenceObjectByHandle( PortHandle,
GENERIC_READ,
LpcWaitablePortObjectType,
PreviousMode,
&PortObject,
NULL );

//
// If this one fails too we'll return that status
//

if (!NT_SUCCESS( Status )) {

return( Status );
}
}

ObDereferenceObject( PortObject );

return STATUS_SUCCESS;

} else {

return STATUS_INVALID_INFO_CLASS;
}
}

*******

What I have tried:

------------------------------------------------------

Posted 7-May-17 20:24pm

MinYoung Lee

Updated 7-May-17 22:08pm

Add a Solution

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Jochen Arndt · Answer 1 · 2017-05-07T22:08:00

Solution 1

Quote:
to know all of the listening ports

If you don't know the ports you can't use a function that queries information for a specific port number defined by a handle.

Even if you would have a handle calling that undocumented function would give you no useful information because no information is returned:

Quote:
Currently just probed and then ignored.

It is not clear what you finally want to achieve. The DriverEntry function is called first for initialisation. At that stage your driver has not opened anything so far. So you may only enumerate listening ports of other services.

Posted 7-May-17 22:08pm

Jochen Arndt

Comments

MinYoung Lee 8-May-17 6:06am

Yeah listening ports of other services(all services) are what I want to get and I guess LPCP_PORT_OBJECT structure has the next one linked each other by LIST_ENTRY structure.
My thought is that if I have LPCP_PORT_OBJECT data, I can access and get all of the ports info by using LIST_ENTRYstructure.

Jochen Arndt 8-May-17 6:17am

There is a command line utility that allows enumerating listening ports: netstat
You can call that from your program and parse the output.

Alternatively you have to implement it yourself. I had not done such so far but I think you need to use the GetExtendedTcpTable() function.

MinYoung Lee 8-May-17 6:48am

Thanks a lot, I will look through that.
GetExtendedTcpTable() function can be accessible in kernel though?

Richard Deeming 8-May-17 14:01pm

"It is not clear what you finally want to achieve."

Based on yesterday's (now deleted) question, the final target is a rootkit.

But it's OK; it's just for "research purposes", you know. 🤔