-
-
[求助]ring3 hook ntdll!NtCreateSection,为什么获取的ObjectAttributes经常无效
-
发表于: 2012-5-10 16:15
-
NTSTATUS __stdcall Fake_NtCreateSection(
OUT PHANDLE SectionHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN PLARGE_INTEGER MaximumSize OPTIONAL,
IN ULONG PageAttributes,
IN ULONG SectionAttributes,
IN HANDLE FileHandle OPTIONAL)
{
NTSTATUS status;
status = NtCreateSection(SectionHandle,DesiredAccess,ObjectAttributes,MaximumSize,PageAttributes,SectionAttributes,FileHandle);
if (STATUS_SUCCESS != status)
{
return status;
}
if (SectionHandle == NULL)
{
return STATUS_ACCESS_VIOLATION;
}
WCHAR szFilePath[MAX_NAME] = {0};
GetPath(ObjectAttributes,szFilePath);
DbgPrint("%s: [%s] Enter! %S \n",__MYNAME__,__FUNCTION__,szFilePath);
return status;
}
调用GetPath的时候,发现ObjectAttributes经常无效,也就是一堆???,那么就无法取得section的名字了,如何解决啊
BOOL GetPath(IN POBJECT_ATTRIBUTES ObjectAttributes,OUT WCHAR* strPath)
{
//ObjectAttributes结构体经常无效???
if (NULL == ObjectAttributes->RootDirectory && NULL == ObjectAttributes->ObjectName)
{
return FALSE;
}
if (NULL != ObjectAttributes->RootDirectory)
{
if (STATUS_SUCCESS != GetFullPathByHandle(ObjectAttributes->RootDirectory, strPath))
{
return FALSE;
}
}
if (NULL != ObjectAttributes && NULL != ObjectAttributes->ObjectName && ObjectAttributes->ObjectName->Length > 0)
{
lstrcatW(strPath,L"\\");
lstrcatW(strPath,ObjectAttributes->ObjectName->Buffer);
}
return TRUE;
}
NTSTATUS GetFullPathByHandle(IN HANDLE ObjectHandle,OUT WCHAR* strFullPath)
{
NTSTATUS status;
BOOL bRet = FALSE;
POBJECT_NAME_INFORMATION pNameInfo = NULL;
while (true)
{
ULONG uResultLength = 0;
pNameInfo = (POBJECT_NAME_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 0x200);
status = NtQueryObject(ObjectHandle, ObjectNameInformation, pNameInfo, 0x200, &uResultLength);
if (STATUS_INFO_LENGTH_MISMATCH == status ||
STATUS_BUFFER_OVERFLOW == status ||
STATUS_BUFFER_TOO_SMALL == status)
{
pNameInfo = (POBJECT_NAME_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pNameInfo, 0x100);
continue;
}
else if (STATUS_SUCCESS == status)
{
lstrcpyW(strFullPath,pNameInfo->Name.Buffer);
break;
}
else
{
break;
}
}
if (NULL != pNameInfo )
{
HeapFree(GetProcessHeap(),0,pNameInfo);
pNameInfo = NULL;
}
return status;
}
|
|
|---|---|
|
|
|
|
|
 ring3下能调用ObReferenceObjectByHandle,IoQueryFileDosDeviceName,ObDereferenceObject。。。。。这些不是ntdll导出的吧。。。。 |
|
|
|
