在网上看了一篇用 ObReferenceObjectByHandle 的 inline hook 来禁止记事本被关闭的文章，但是一关闭记事本，WinDbg 就报出 80000003（STATUS_BREAKPOINT）异常。找不出原因，望高人指点。
代码如下:
#include "hook.h"
/*
 * OrigObReferenceObjectByHandle - trampoline into the unpatched remainder of
 * nt!ObReferenceObjectByHandle once Hook() has overwritten its first five
 * bytes. Re-executes the instructions the patch replaced, then jumps to the
 * original function at +5; the original function's ret returns to our caller.
 *
 * NOTE(review): no return type is written on the definition below. MSVC
 * treats this as implicit int, which happens to be the size of the NTSTATUS
 * the caller in DetourObReferenceObjectByHandle expects, but it should be
 * declared NTSTATUS explicitly.
 *
 * The three instructions in the __asm block (mov edi,edi / push ebp /
 * mov ebp,esp, i.e. 8B FF 55 8B EC) are assumed to be exactly the five bytes
 * at the start of ObReferenceObjectByHandle on the running kernel. Nothing in
 * this file verifies that; on a kernel whose prologue differs, the jump to +5
 * lands inside an instruction.
 *
 * Likely cause of the 0x80000003 (STATUS_BREAKPOINT) asked about above: in
 * MSVC inline asm, `mov eax,ObReferenceObjectByHandle` can resolve to the
 * driver's own import stub (a 6-byte jmp through the IAT) rather than to the
 * kernel address that Hook() patches via `(PCHAR)ObReferenceObjectByHandle`.
 * `add eax,5` then points into the tail of that stub, and the padding that
 * commonly follows it (int 3) raises the break exception. A correct
 * implementation must use one and the same address for the patch site and for
 * this jump, and must check that before installing the hook — TODO confirm by
 * comparing the two values in WinDbg.
 */
__declspec(naked)
OrigObReferenceObjectByHandle(
__in HANDLE Handle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PVOID *Object,
__out_opt POBJECT_HANDLE_INFORMATION HandleInformation
)
{
/* These expand to expressions with no effect. In a naked function there is
   no prologue, so any code the compiler did emit for them (e.g. in an
   unoptimized build) would run before ebp is set up — presumably optimized
   away; verify in the disassembly. */
UNREFERENCED_PARAMETER( Handle );
UNREFERENCED_PARAMETER( DesiredAccess );
UNREFERENCED_PARAMETER( ObjectType );
UNREFERENCED_PARAMETER( AccessMode );
UNREFERENCED_PARAMETER( Object );
UNREFERENCED_PARAMETER( HandleInformation );
__asm {
mov edi,edi                          // replaced bytes 1-2 (hot-patch nop)
push ebp                             // replaced byte 3
mov ebp,esp                          // replaced bytes 4-5
mov eax,ObReferenceObjectByHandle    // see header: must equal the address Hook() patched
add eax,5                            // skip the five bytes re-executed above
jmp eax                              // continue in the original function
}
}
/*
 * DetourObReferenceObjectByHandle - replacement that Hook() installs over
 * nt!ObReferenceObjectByHandle. Calls the original through the trampoline
 * first; then, when the call succeeded for a process object requested with
 * DesiredAccess == 1 (PROCESS_TERMINATE) and the image name at a fixed
 * EPROCESS offset is "notepad.exe", drops the reference just taken and
 * reports STATUS_ACCESS_DENIED instead.
 *
 * Parameters are those of ObReferenceObjectByHandle and are passed through
 * unchanged. Returns the original status, or STATUS_ACCESS_DENIED for the
 * blocked case.
 *
 * Review notes:
 *  - 0x174 is a hard-coded EPROCESS field offset (assumed to be ImageFileName
 *    on the kernel build this was written against — TODO confirm); it is not
 *    valid across kernel versions and should not be a literal.
 *  - MmIsAddressValid(*Object) probes only the page holding the object's
 *    first byte, not the page that holds *Object + 0x174.
 *  - After ObfDereferenceObject, *Object still holds the released pointer;
 *    presumably callers ignore the output on a failure status — verify.
 *  - _stricmp and KdPrint are used here without regard to the IRQL of the
 *    caller — assumes the callers run at an IRQL where that is allowed.
 */
NTSTATUS
DetourObReferenceObjectByHandle(
__in HANDLE Handle,
__in ACCESS_MASK DesiredAccess,
__in_opt POBJECT_TYPE ObjectType,
__in KPROCESSOR_MODE AccessMode,
__out PVOID *Object,
__out_opt POBJECT_HANDLE_INFORMATION HandleInformation
)
{
NTSTATUS status;
/* Let the real function resolve the handle first; the filter below only
   runs when it succeeded. */
status = OrigObReferenceObjectByHandle(Handle,
DesiredAccess,
ObjectType,
AccessMode,
Object,
HandleInformation);
/* Exact match on DesiredAccess == 1 (PROCESS_TERMINATE): a request that
   combines other rights with it is not filtered. */
if( (status==STATUS_SUCCESS)&&(DesiredAccess==1)&&MmIsAddressValid(*Object))
{
if(ObjectType==*PsProcessType)
{
/* Hard-coded EPROCESS offset; see header note. */
if(_stricmp((PCHAR)((ULONG)(*Object)+0x174),"notepad.exe")==0)
{
KdPrint(("InlineHook: DetourObReferenceObjectByHandle \n"));
KdPrint(("InlineHook: Detour[0x%08x]\n",*Object));
/* Undo the reference the original call just added. */
ObfDereferenceObject(*Object);
/* Dead store: Handle is a by-value parameter, so this has no effect
   on the caller. */
Handle = (HANDLE)(-1);
status = STATUS_ACCESS_DENIED;
}
}
}
return status;
}
/*
 * Hook - overwrites the first five bytes of nt!ObReferenceObjectByHandle with
 * a relative jmp to DetourObReferenceObjectByHandle, saving the replaced
 * bytes in OriginalBytes for Unhook().
 *
 * Uses OriginalBytes, JmpAddress and Cr0Value, which are not defined in this
 * file (presumably in hook.h). Only the rel32 at JmpAddress+1 is written
 * here, so JmpAddress[0] is assumed to already hold the E9 opcode — TODO confirm.
 *
 * Review notes:
 *  - The saved bytes are never compared with the prologue the trampoline
 *    re-executes (8B FF 55 8B EC); the patch should be refused on a mismatch
 *    instead of being applied blindly.
 *  - cli/sti and the CR0.WP toggle affect the current processor only; the
 *    five-byte RtlCopyMemory is not atomic with respect to other CPUs that
 *    may be executing the function at that moment.
 *  - KeRaiseIrqlToDpcLevel is called with interrupts already disabled by cli.
 */
VOID
Hook()
{
KIRQL Irql;
KdPrint(("ObReferenceObjectByHandle:[0x%08x]\n",ObReferenceObjectByHandle));
/* Save the bytes about to be overwritten (restored by Unhook). */
RtlCopyMemory(OriginalBytes,(PCHAR)ObReferenceObjectByHandle,5);
/* rel32 = target - (patch site + 5), the displacement of an E9 jmp. */
*(PULONG)(JmpAddress+1)=(ULONG)DetourObReferenceObjectByHandle-((ULONG)ObReferenceObjectByHandle+5);
__asm {
push eax
mov eax,cr0
mov Cr0Value,eax                     // remember CR0 so it can be restored as-is
and eax,0fffeffffh                   // clear CR0.WP (bit 16): allow writes to read-only kernel text
mov cr0,eax
pop eax
cli                                  // this processor only
}
Irql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory((PCHAR)ObReferenceObjectByHandle,JmpAddress,5);
KeLowerIrql(Irql);
__asm {
sti
push eax
mov eax,Cr0Value                     // restore the saved CR0 (WP back on)
mov cr0,eax
pop eax
}
}
/*
 * Unhook - writes the five bytes saved in OriginalBytes back over the start
 * of nt!ObReferenceObjectByHandle. Mirrors Hook(): same CR0.WP toggle, same
 * cli/IRQL sequence, and therefore the same single-processor caveats.
 * Must only run after Hook() has filled OriginalBytes; HookUnload relies on
 * DriverEntry having called Hook() first.
 */
VOID Unhook()
{
// write the saved five bytes back to the original function
KIRQL Irql;
// disable write protection (clear CR0.WP, bit 16)
_asm
{
push eax
mov eax, cr0
mov Cr0Value, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
cli
}
// raise IRQL to DISPATCH_LEVEL for the duration of the copy
Irql=KeRaiseIrqlToDpcLevel();
RtlCopyMemory((PCHAR)ObReferenceObjectByHandle,OriginalBytes,5);
KeLowerIrql(Irql);
// re-enable write protection (restore saved CR0)
__asm
{
sti
push eax
mov eax, Cr0Value
mov cr0, eax
pop eax
}
}
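/*
 * DriverEntry - driver entry point: installs the inline hook and registers
 * HookUnload so the patched bytes are restored when the driver unloads.
 *
 * DriverObject: driver object from the I/O manager; its DriverUnload is set.
 * RegisterPath: the driver's registry path; unused.
 * Returns STATUS_SUCCESS. Hook() returns VOID and reports no failure, so
 * there is no other outcome to propagate.
 *
 * HookUnload is defined later in this file; a prototype is assumed to be
 * in hook.h — TODO confirm, otherwise add one.
 */
NTSTATUS
DriverEntry(__in PDRIVER_OBJECT DriverObject,
__in PUNICODE_STRING RegisterPath)
{
    NTSTATUS status = STATUS_SUCCESS;

    /* Only RegisterPath is unused. The original also marked DriverObject
       as unreferenced although it is written below; that was contradictory
       and is dropped. The original's empty try/finally did nothing and is
       dropped as well. */
    UNREFERENCED_PARAMETER( RegisterPath );

    KdPrint(("InlineHook: DriverEntry \n"));

    /* Hook() saves OriginalBytes before patching; the unload routine is
       registered only afterwards so Unhook() never writes back bytes that
       were never saved. */
    Hook();
    DriverObject->DriverUnload = HookUnload;

    return status;
}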
/*
 * HookUnload - DriverUnload callback registered by DriverEntry.
 * Emits a trace line, then calls Unhook() to put the saved bytes back.
 *
 * DriverObject: unused.
 */
VOID
HookUnload(
__in PDRIVER_OBJECT DriverObject
)
{
    UNREFERENCED_PARAMETER( DriverObject );

    KdPrint(("InlineHook: HookUnload \n"));   /* trace first, then restore */
    Unhook();
}