lab52io / LeakedHandlesFinder

Leaked Windows processes handles identification tool

Question about section handles

carlospolop opened this issue · comments

Hey,
Thanks for the tool and the talk at RootedCON!
I have a question if you don't mind.
Do you have any information about what a section handle is and potential ways to abuse it?
I ask this because even if in the presentation you indicate it's not possible to attack a section handle in the code you contemplate that possibility in

if ((_tcscmp(lhfPHandle->TypeString, _T("Section")) == 0)) {

Thanks!

Hi Carlos,
thanks for coming to my talk, your talk was amazing too (Linux mutants). A Section handle is just like a File handle; the common name for these kinds of objects is "File Mapping". You can get more info here --> https://docs.microsoft.com/en-us/windows/win32/memory/file-mapping, but basically it's a feature of Windows systems for working with big files, not keeping the entire file in memory and reading it in chunks of data. So you can abuse it like a normal file; frankly speaking I've never exploited it, but in theory it's possible. If I said it was not possible during my talk it was a mistake :)
(Confirmed, I checked my slides and it was an error).

Cool! Thanks for the info!
Do you know if I can then use a function like GetFullPathName to get the path of the opened file (as if it were a File handle), or do you know any other function I could use for that purpose? (I'm trying to add these nice techniques to winpeas, so thanks again)

haha, I don't think you said that, or I don't remember, but there is a slide in the presentation saying so (the 9th one in case you want to modify it)

Try this:

  • First create a file view --> use MapViewOfFile(SectionHandleDuplicated, FILE_MAP_READ, 0, 0, 1);
  • Then get the file name --> GetMappedFileName(GetCurrentProcess(), pMem, pszFilename, MAX_PATH);
    It works for most of the Section handles, but for some of them it doesn't (for example \Sessions\1\BaseNamedObjects\SessionImmersiveColorPreference). I need to do further research on these ones.
  • Finally unmap --> UnmapViewOfFile(pMem);
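
The three-step lookup above, written out as an added example (not code from this thread, from LeakedHandlesFinder or from winPEAS). It assumes the Section handle has already been duplicated into the current process with read access (the `section` parameter and the function names `section_backing_file`, `build_drive_table` and `nt_path_to_dos` are my own). Two details the bullets do not show: GetMappedFileName returns an NT device path such as `\Device\HarddiskVolume3\Windows\x.dll`, not a drive-letter path, so the example translates it using QueryDosDevice; and it returns 0 for pagefile-backed sections (the named shared-memory objects mentioned above have no file behind them), which the code reports as "no backing file" rather than as an error. The path translation is portable C; the Win32 calls and the stand-alone `main`, which maps a temp file it creates itself, compile only on Windows.

```c
#include <stdio.h>
#include <string.h>

/* One (drive letter, NT device name) pair, as QueryDosDevice reports it. */
typedef struct {
    const char *drive;   /* e.g. "C:" */
    const char *device;  /* e.g. "\Device\HarddiskVolume3" */
} drive_map_t;

/* Rewrite an NT device path ("\Device\HarddiskVolume3\Windows\x.dll") into a
 * Win32 path ("C:\Windows\x.dll") using the table. Returns 1 on success, 0 if
 * no device prefix matches or the output buffer is too small. Portable C. */
int nt_path_to_dos(const char *nt_path, const drive_map_t *map, size_t n,
                   char *out, size_t out_sz)
{
    for (size_t i = 0; i < n; i++) {
        size_t dev_len = strlen(map[i].device);
        if (strncmp(nt_path, map[i].device, dev_len) != 0)
            continue;
        /* The prefix must end at a separator, otherwise \Device\HarddiskVolume1
         * would wrongly claim \Device\HarddiskVolume10\... */
        char next = nt_path[dev_len];
        if (next != '\\' && next != '\0')
            continue;
        int r = snprintf(out, out_sz, "%s%s", map[i].drive, nt_path + dev_len);
        return (r >= 0 && (size_t)r < out_sz) ? 1 : 0;
    }
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* GetMappedFileName; link with -lpsapi on MinGW */

/* Ask QueryDosDevice for every assigned drive letter. Storage is static so the
 * returned table stays valid for the life of the process. */
static size_t build_drive_table(drive_map_t *map, size_t max)
{
    static char letters[26][3];
    static char devices[26][MAX_PATH];
    size_t n = 0;
    for (int c = 'A'; c <= 'Z' && n < max; c++) {
        snprintf(letters[n], sizeof letters[n], "%c:", c);
        if (QueryDosDeviceA(letters[n], devices[n], MAX_PATH) == 0)
            continue;                       /* letter not assigned */
        map[n].drive = letters[n];
        map[n].device = devices[n];
        n++;
    }
    return n;
}

/* The three steps from the thread, applied to a Section handle already
 * duplicated into this process (hypothetical parameter `section`). Writes a
 * Win32 path (or the NT path if no drive letter maps to it) and returns 1. */
int section_backing_file(HANDLE section, char *dos_path, size_t sz)
{
    char nt_path[MAX_PATH];
    drive_map_t map[26];

    /* Step 1: map one byte. Views are page-granular, so the length does not
     * matter; this fails if the handle was not granted SECTION_MAP_READ. */
    LPVOID view = MapViewOfFile(section, FILE_MAP_READ, 0, 0, 1);
    if (view == NULL)
        return 0;

    /* Step 2: resolve the backing file. Returns 0 for pagefile-backed
     * sections (shared-memory objects), which have no file behind them. */
    DWORD len = GetMappedFileNameA(GetCurrentProcess(), view, nt_path, MAX_PATH);

    /* Step 3: always release the view, whatever step 2 returned. */
    UnmapViewOfFile(view);
    if (len == 0)
        return 0;

    size_t n = build_drive_table(map, 26);
    if (nt_path_to_dos(nt_path, map, n, dos_path, sz))
        return 1;
    snprintf(dos_path, sz, "%s", nt_path);  /* no drive letter: keep NT form */
    return 1;
}

/* Stand-alone demo: create a temp file, map it, then resolve the mapping. */
int main(void)
{
    char dir[MAX_PATH], file[MAX_PATH], resolved[MAX_PATH];
    DWORD written;
    GetTempPathA(MAX_PATH, dir);
    GetTempFileNameA(dir, "sec", 0, file);
    HANDLE f = CreateFileA(file, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (f == INVALID_HANDLE_VALUE)
        return 1;
    WriteFile(f, "x", 1, &written, NULL);   /* a zero-length file cannot be mapped */
    HANDLE sec = CreateFileMappingA(f, NULL, PAGE_READONLY, 0, 0, NULL);
    if (sec != NULL && section_backing_file(sec, resolved, sizeof resolved))
        printf("Section is backed by %s\n", resolved);
    if (sec != NULL)
        CloseHandle(sec);
    CloseHandle(f);
    DeleteFileA(file);
    return 0;
}
#endif
```

On Windows, build with `gcc example.c -lpsapi` (MinGW) or link psapi.lib with MSVC; the demo prints the drive-letter path of the temp file it mapped. When a duplicated handle refers to a pagefile-backed section, `section_backing_file` returns 0 after a successful map, which is the case the second bullet above describes as "doesn't work".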

nice, I will try that
Thanks!