看了好几遍了,就是不理解这句代码:
status=OriginalObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
if((status==STATUS_SUCCESS)&&(DesiredAccess==1))
为什么要调用原函数呢?请解释一下~~
谢谢!
//=======================================inline HOOK ObReferenceObjectByHandle===========================
//ObReferenceObjectByHandle是ntoskrnl.exe导出函数,采用HOOK前五个字节的方式
//字节型数据 unsigned char
ULONG CR0VALUE;
BYTE OriginalBytes[5]={0}; //保存原始函数前五个字节
BYTE JmpAddress[5]={0xE9,0,0,0,0}; //跳转到HOOK函数的地址
extern POBJECT_TYPE *PsProcessType;
NTKERNELAPI NTSTATUS ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
//HOOK函数
NTSTATUS DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL);
//
//hook流程 HookObReferenceObjectByHandle---DetourMyObReferenceObjectByHandle---UnHookObReferenceObjectByHandle
void HookObReferenceObjectByHandle()
{
//赋值前面定义的数组
KIRQL Irql;
KdPrint(("[ObReferenceObjectByHandle] :0x%x",ObReferenceObjectByHandle)); //地址验证
//保存函数前五个字节内容
RtlCopyMemory(OriginalBytes,(BYTE *)ObReferenceObjectByHandle,5);
//保存新函数五个字节之后偏移
*(ULONG *)(JmpAddress+1)=(ULONG)DetourMyObReferenceObjectByHandle-((ULONG)ObReferenceObjectByHandle+5);
//开始inline hook
//关闭内存写保护
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
//提升IRQL中断级
Irql=KeRaiseIrqlToDpcLevel();
//函数开头五个字节写JMP
RtlCopyMemory((BYTE *)ObReferenceObjectByHandle,JmpAddress,5);
//恢复Irql
KeLowerIrql(Irql);
//开启内存写保护
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
}
}
_declspec (naked) NTSTATUS OriginalObReferenceObjectByHandle(IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
{
_asm
{
mov edi,edi
push ebp
mov ebp,esp
mov eax,ObReferenceObjectByHandle
add eax,5
jmp eax
}
}
NTSTATUS DetourMyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
{
NTSTATUS status;
//调用原函数
status=OriginalObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
if((status==STATUS_SUCCESS)&&(DesiredAccess==1))
{
if(ObjectType== *PsProcessType)
{
if( _stricmp((char *)((ULONG)(*Object)+0x174),"notepad.exe")==0)
{
ObDereferenceObject(*Object);
return STATUS_INVALID_HANDLE;
}
}
}
return status;
}
void UnHookObReferenceObjectByHandle()
{
//把五个字节再写回到原函数
KIRQL Irql;
//关闭写保护
_asm
{
push eax
mov eax, cr0
mov CR0VALUE, eax
and eax, 0fffeffffh
mov cr0, eax
pop eax
}
//提升IRQL到Dpc
Irql=KeRaiseIrqlToDpcLevel();
RtlCopyMemory((BYTE *)ObReferenceObjectByHandle,OriginalBytes,5);
KeLowerIrql(Irql);
//开启写保护
__asm
{
push eax
mov eax, CR0VALUE
mov cr0, eax
pop eax
}
}
[课程]FART 脱壳王!加量不加价!FART作者讲授!