-
-
[求助]Object Hook的和对象打开操作的问题
-
发表于: 2013-7-30 22:38
-
typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN CaseInsensitive;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
OB_DUMP_METHOD DumpProcedure;
OB_OPEN_METHOD OpenProcedure;
OB_CLOSE_METHOD CloseProcedure;
OB_DELETE_METHOD DeleteProcedure;
OB_PARSE_METHOD ParseProcedure;
OB_SECURITY_METHOD SecurityProcedure;
OB_QUERYNAME_METHOD QueryNameProcedure;
OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
一开始以为,HOOK的是OpenProcedure,后来发现HOOK进程对象的时候,这行不通
,默认情况下OpenProcedure为NULL,后来调试一下发现,只除了SecurityProcedure和DeleteProcedure外都是NULL。
下面的问题是……HOOK在SecurityProcedure内或者直接改它的地址?
另外就是请教一下,内核在打开一个对象的时候,对OpenProcedure到底采取啥态度?莫非OpenProcedure为NULL则采取默认的例程,非NULL则调用?翻了下WRK好像没看明白
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN CaseInsensitive;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
OB_DUMP_METHOD DumpProcedure;
OB_OPEN_METHOD OpenProcedure;
OB_CLOSE_METHOD CloseProcedure;
OB_DELETE_METHOD DeleteProcedure;
OB_PARSE_METHOD ParseProcedure;
OB_SECURITY_METHOD SecurityProcedure;
OB_QUERYNAME_METHOD QueryNameProcedure;
OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
一开始以为,HOOK的是OpenProcedure,后来发现HOOK进程对象的时候,这行不通
,默认情况下OpenProcedure为NULL,后来调试一下发现,只除了SecurityProcedure和DeleteProcedure外都是NULL。下面的问题是……HOOK在SecurityProcedure内或者直接改它的地址?
另外就是请教一下,内核在打开一个对象的时候,对OpenProcedure到底采取啥态度?莫非OpenProcedure为NULL则采取默认的例程,非NULL则调用?翻了下WRK好像没看明白
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
