首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 看雪峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助]HOOK NtCreateEvent 问题
发表于: 2013-9-16 20:15 6185

[求助]HOOK NtCreateEvent 问题

轻灵秋水 活跃值
2013-9-16 20:15
6185
这个MyNtCreateEvent在XP下没有蓝屏用到Vista 就蓝屏了

请问下我这个写得对没!。。

[/CODE]
MyNtCreateEvent(
  _Out_     PHANDLE EventHandle,
  _In_      ACCESS_MASK DesiredAccess,
  _In_opt_  POBJECT_ATTRIBUTES ObjectAttributes,
  _In_      EVENT_TYPE EventType,
  _In_      BOOLEAN InitialState
)
{
  NTSTATUS nStatus;
  UNICODE_STRING DestinationString,DestinationString2;
  WCHAR WC_MyId;

  RtlInitUnicodeString(&DestinationString, L"XXX");  
  RtlInitUnicodeString(&DestinationString2, L"XXX");

  if (ObjectAttributes && RtlEqualUnicodeString(&DestinationString, ObjectAttributes->ObjectName, 0))
  {

    ULONG MyId = (ULONG)PsGetCurrentProcessId();
    KdPrint(("PsGetCurrentProcessId = %u\r\n",MyId));
    UNICODE_STRING UnicodeString2={0};
    UnicodeString2.Buffer = (PWSTR)ExAllocatePool(PagedPool,1024);
    UnicodeString2.MaximumLength = 1024;
    nStatus = RtlIntegerToUnicodeString(MyId,10,&UnicodeString2);

    if ( NT_SUCCESS(nStatus))
    {

      RtlCopyUnicodeString(ObjectAttributes->ObjectName,&UnicodeString2);
      return (NTSTATUS)RealNtCreateEvent(EventHandle,DesiredAccess,ObjectAttributes,EventType,InitialState);
    }else
    {
      return STATUS_SUCCESS;
    }
    
  }
  return (NTSTATUS)RealNtCreateEvent(EventHandle,DesiredAccess,ObjectAttributes,EventType,InitialState);
}
[CODE]

[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法

收藏
免费 0
支持
分享
最新回复 (2)
惊电
雪    币: 209
活跃值: (778)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
2
NTSTATUS
NtCreateEvent (
    __out PHANDLE EventHandle,
    __in ACCESS_MASK DesiredAccess,
    __in_opt POBJECT_ATTRIBUTES ObjectAttributes,
    __in EVENT_TYPE EventType,
    __in BOOLEAN InitialState
    )

/*++

Routine Description:

    This function creates an event object, sets it initial state to the
    specified value, and opens a handle to the object with the specified
    desired access.

Arguments:

    EventHandle - Supplies a pointer to a variable that will receive the
        event object handle.

    DesiredAccess - Supplies the desired types of access for the event object.

    ObjectAttributes - Supplies a pointer to an object attributes structure.

    EventType - Supplies the type of the event (autoclearing or notification).

    InitialState - Supplies the initial state of the event object.

Return Value:

    NTSTATUS.

--*/

{

    PVOID Event;
    HANDLE Handle;
    KPROCESSOR_MODE PreviousMode;
    NTSTATUS Status;

    //
    // Get previous processor mode and probe output handle address if
    // necessary.
    //

    PreviousMode = KeGetPreviousMode();
    if (PreviousMode != KernelMode) {
        try {
            ProbeForWriteHandle(EventHandle);

        } except(EXCEPTION_EXECUTE_HANDLER) {
            return GetExceptionCode();
        }
    }

    //
    // Check argument validity.
    //

    if ((EventType != NotificationEvent) && (EventType != SynchronizationEvent)) {
        return STATUS_INVALID_PARAMETER;
    }

    //
    // Allocate event object.
    //

    Status = ObCreateObject(PreviousMode,
                            ExEventObjectType,
                            ObjectAttributes,
                            PreviousMode,
                            NULL,
                            sizeof(KEVENT),
                            0,
                            0,
                            &Event);

    //
    // If the event object was successfully allocated, then initialize the
    // event object and attempt to insert the event object in the current
    // process' handle table.
    //

    if (NT_SUCCESS(Status)) {
        KeInitializeEvent((PKEVENT)Event, EventType, InitialState);
        Status = ObInsertObject(Event,
                                NULL,
                                DesiredAccess,
                                0,
                                NULL,
                                &Handle);

        //
        // If the event object was successfully inserted in the current
        // process' handle table, then attempt to write the event object
        // handle value. If the write attempt fails, then do not report
        // an error. When the caller attempts to access the handle value,
        // an access violation will occur.
        //

        if (NT_SUCCESS(Status)) {
            if (PreviousMode != KernelMode) {
                try {
                    *EventHandle = Handle;

                } except(EXCEPTION_EXECUTE_HANDLER) {
                    NOTHING;
                }

            } else {
                *EventHandle = Handle;
            }
        }
    }

    //
    // Return service status.
    //

    return Status;
}
2013-9-16 22:27
0
轻灵秋水
雪    币: 97
活跃值: (50)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
这流程看得不太明白
2013-9-18 08:11
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//