NTSTATUS __stdcall
fake_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL )
{
PVOID ProcessObject;
PEPROCESS Process;
NTSTATUS Status;
char* findpointer=NULL;
char* ProtectName = "XXX.exe";
if(*PsProcessType==ObjectType) //要检查的是*Object的type,而不是ObjectType
{
Status = org_ObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,AccessMode, &Process, NULL);
if (NT_SUCCESS(Status))
{
//函数虽然返回成功,但是你确定已经取到PEPROCESS了吗?不对Process检查会蓝死你
if(DesiredAccess == PROCESS_TERMINATE )
{
if((findpointer=strstr((char*)((char*)Process + g_ImageFileName), ProtectName)) != NULL)
{
//检查IRQL了吗? strstr这个函数是无法在高级别的IRQL上跑,最好是 IRQL < APC_LEVEL
return STATUS_ACCESS_DENIED;
}
}
}
}
//return org_ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
return org_ObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,*Object,HandleInformation);
}
单纯fake函数上看就发现存在N个问题了~~~