Hook ObReferenceObjectByHandle
做个记录
HANDLE g_MyProcessPid = NULL; // PID of the process this driver protects; set elsewhere, compared against PsGetCurrentProcessId() in the hook
ULONG g_ulObReferenceObjectByHandle = 0; // Start address of the original ObReferenceObjectByHandle. The hook re-enters it at +5 (presumably past a 5-byte jmp patch). A ULONG only holds a code pointer on x86, which the inline asm below already requires.
ULONG g_ulOffsetOfImageFileName = 0; // Byte offset of the image-name field inside EPROCESS, discovered at runtime by GetOffsetOfImageFileName(); 0 means "not found"
/*
 * Discover the byte offset of the image-name field inside EPROCESS and store it in
 * g_ulOffsetOfImageFileName.
 *
 * Method: scan the current process's EPROCESS byte by byte, up to 0x258 bytes in,
 * for a case-insensitive match of the string "System". This only works when the
 * caller runs in the System process (presumably DriverEntry) and when the field
 * sits inside that window; both are Windows-version and context dependent.
 * On no match the global is left untouched (0 after initialisation), so callers
 * must treat 0 as "unknown".
 */
VOID GetOffsetOfImageFileName()
{
    PBYTE pBase = (PBYTE)PsGetCurrentProcess();
    ULONG ulOffset;

    for( ulOffset = 0; ulOffset < 0x258; ulOffset++ )
    {
        // First offset whose bytes read as "System" wins.
        if( _stricmp( (char*)( pBase + ulOffset ), "System" ) == 0 )
        {
            g_ulOffsetOfImageFileName = ulOffset;
            break;
        }
    }

    DbgOutput( "In GetOffsetOfImageFileName(), g_ulOffsetOfImageFileName:%#x...", g_ulOffsetOfImageFileName );
}
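/*
 * Return TRUE when pEProcess carries the same EPROCESS image name as the process
 * identified by g_MyProcessPid.
 *
 * Parameters:
 *   pEProcess - EPROCESS to test (already referenced by the caller).
 * Returns:
 *   TRUE on a case-insensitive image-name match, FALSE otherwise. FALSE is also
 *   returned when pEProcess is NULL, when g_MyProcessPid no longer resolves, or
 *   when the image-name offset was never discovered (g_ulOffsetOfImageFileName == 0).
 *
 * NOTE(review): matching by image name also protects any unrelated process that
 * happens to use the same name (a name is attacker-choosable). Comparing
 * pEProcess == pMyEProcess would pin protection to the exact process.
 */
BOOL IsMyProcess( IN PEPROCESS pEProcess )
{
    BOOL bRet = FALSE;
    PEPROCESS pMyEProcess = NULL;

    // Guard against a failed offset scan: with an offset of 0 the "names" compared
    // would be the first bytes of each EPROCESS (the KPROCESS header), not a process
    // name, and would likely compare equal for every process -- which would make the
    // hook refuse every PROCESS_TERMINATE reference system-wide.
    if( pEProcess == NULL || g_ulOffsetOfImageFileName == 0 )
        return FALSE;

    if( NT_SUCCESS( PsLookupProcessByProcessId( g_MyProcessPid, &pMyEProcess ) ) )
    {
        const char *pszMyName = (const char *)( (PBYTE)pMyEProcess + g_ulOffsetOfImageFileName );
        const char *pszName   = (const char *)( (PBYTE)pEProcess   + g_ulOffsetOfImageFileName );

        bRet = ( _stricmp( pszMyName, pszName ) == 0 ); // compare process image names

        // PsLookupProcessByProcessId returned a referenced object; drop that reference.
        ObDereferenceObject( pMyEProcess );
    }
    return bRet;
}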
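/*
 * Hook replacing ObReferenceObjectByHandle (x86 only; see the inline asm).
 *
 * Two policies are applied to process-object references that ask for
 * PROCESS_TERMINATE:
 *   1. Requests made by the protected process itself (PsGetCurrentProcessId() ==
 *      g_MyProcessPid) have PROCESS_TERMINATE stripped from the access check, so
 *      that process can terminate targets its handle would otherwise not allow.
 *   2. Requests made by any other process are forwarded, and if the resolved
 *      object turns out to be "my" process (IsMyProcess), the reference the
 *      original function took is dropped and STATUS_INVALID_HANDLE is returned.
 * All other calls are forwarded to the original function unchanged.
 *
 * Parameters and return value are those of ObReferenceObjectByHandle. On the
 * rejection path *Object is set to NULL so the caller is not left holding a
 * pointer whose reference has already been released.
 *
 * Fix vs. the earlier version: the trigger used to be an exact match
 * (DesiredAccess == PROCESS_TERMINATE). A caller asking for PROCESS_TERMINATE
 * together with any other right was neither protected against nor granted the
 * bypass. The mask is now tested bit-wise; for the exact-PROCESS_TERMINATE case
 * (the one NtTerminateProcess is understood to use) behaviour is identical.
 *
 * NOTE(review): ObjectType is optional in the real API. A caller passing NULL
 * cannot be classified before the call and therefore bypasses both policies.
 */
NTSTATUS My_ObReferenceObjectByHandle(
    IN HANDLE Handle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType /*OPTIONAL*/,
    IN KPROCESSOR_MODE AccessMode,
    OUT PVOID *Object,
    OUT POBJECT_HANDLE_INFORMATION HandleInformation /*OPTIONAL*/ )
{
    BOOL bIsNeedCheckDestProcess = FALSE;
    NTSTATUS ulRet = STATUS_SUCCESS;

    if( ObjectType == *PsProcessType && ( DesiredAccess & PROCESS_TERMINATE ) != 0 )
    {
        if( PsGetCurrentProcessId() == g_MyProcessPid )
        {
            // Own process: drop only the terminate bit so any other requested rights
            // are still validated by the original function. The write must land in
            // the parameter's stack slot, because the asm below re-reads it from there.
            DesiredAccess &= ~PROCESS_TERMINATE;
        }
        else
        {
            // Someone else: decide after the call, once the target object is known.
            bIsNeedCheckDestProcess = TRUE;
        }
    }

    // Re-push the six arguments from this frame and enter the original function at
    // +5 through JmpObReferenceObjectByHandle (defined elsewhere; presumably it
    // executes the bytes displaced by the hook jump). This relies on the standard
    // EBP frame layout and must not be rewritten.
    _asm
    {
        push dword ptr [ebp+0x1c] // arg 6: HandleInformation
        push dword ptr [ebp+0x18] // arg 5: Object
        push dword ptr [ebp+0x14] // arg 4: AccessMode
        push dword ptr [ebp+0x10] // arg 3: ObjectType
        push dword ptr [ebp+0x0c] // arg 2: DesiredAccess
        push dword ptr [ebp+0x8]  // arg 1: Handle
        mov eax,g_ulObReferenceObjectByHandle
        add eax,5
        call JmpObReferenceObjectByHandle
        mov ulRet,eax
    }

    if( bIsNeedCheckDestProcess && NT_SUCCESS( ulRet ) )
    {
        if( IsMyProcess( *( (PEPROCESS*)Object ) ) ) // protect my process from being killed by others
        {
            // The original call succeeded and referenced the object; release that
            // reference before reporting failure, and do not hand the pointer back.
            ObDereferenceObject( *Object );
            *Object = NULL;
            ulRet = STATUS_INVALID_HANDLE;
        }
    }
    return ulRet;
}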