首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 编程技术
    3. 发新帖
[求助]驱动 ObRegisterCallbacks 之IoFileObjectType 返回c000000d
发表于: 2015-8-16 21:43 7848

[求助]驱动 ObRegisterCallbacks 之IoFileObjectType 返回c000000d

MClint 活跃值
2015-8-16 21:43
7848
win7 旗舰版 64位, NT驱动
ObRegisterCallbacks 返回值为0xc000000d, 错误的参数。
在这里, DriverSection->Flags  也OR了 0x20;
(*IoFileObjectType)->TypeInfo.SupportsObjectCallbacks 也设为了 1;       
难道是NT驱动不能用IoFileObjectType 回调。
不过PsProcessType就成功了。请教,谢谢

代码如下:
//    Driver Entry .cpp
PLDR_DATA_TABLE_ENTRY pldrDataTblEntry = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
pldrDataTblEntry->Flags |= 0x20;
//    .cpp
(*IoFileObjectType)->TypeInfo.SupportsObjectCallbacks = 1;	

OB_OPERATION_REGISTRATION obCallBackRegs_op;

obCallBackRegs_op.ObjectType = IoFileObjectType;
obCallBackRegs_op.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
obCallBackRegs_op.PreOperation = NSPC_ObjectPreCallback_IoFileObjectType;
obCallBackRegs_op.PostOperation = NSPC_ObjectPostCallback_IoFileObjectType;

OB_CALLBACK_REGISTRATION obCallBackRegs = {0};
	obCallBackRegs.Version = OB_FLT_REGISTRATION_VERSION;//;
	RtlInitUnicodeString(&obCallBackRegs.Altitude, L"321124");
	obCallBackRegs.RegistrationContext = NULL;
	obCallBackRegs.OperationRegistrationCount = 1;
	obCallBackRegs.OperationRegistration = &obCallBackRegs_op;

ntRet = ObRegisterCallbacks(&obCallBackRegs, &m_ObRegisterCallbacks_RegistrationHandle);
if (!NT_SUCCESS(ntRet)){KdPrint(("ObRegisterCallbacks Err: %lx", ntRet));};

win7 旗舰版 64位, NT驱动
ObRegisterCallbacks 返回值为0xc000000d, 错误的参数。
在这里, DriverSection->Flags  也OR了 0x20;
(*IoFileObjectType)->TypeInfo.SupportsObjectCallbacks 也设为了 1;       
难道是NT驱动不能用IoFileObjectType 回调。
不过PsProcessType就成功了。请教,谢谢

另附上根据WinDbg出的两个结构
//	win7 64
//	lkd> dt _LDR_DATA_TABLE_ENTRY
//		ntdll!_LDR_DATA_TABLE_ENTRY
typedef struct _LDR_DATA_TABLE_ENTRY {
	LIST_ENTRY InLoadOrderLinks;				// 		+0x000 InLoadOrderLinks : _LIST_ENTRY
	LIST_ENTRY InMemoryOrderLinks;				// 		+0x010 InMemoryOrderLinks : _LIST_ENTRY
	LIST_ENTRY InInitializationOrderLinks;		// 		+0x020 InInitializationOrderLinks : _LIST_ENTRY
	PVOID DllBase;								// 		+0x030 DllBase          : Ptr64 Void
	PVOID EntryPoint;							// 		+0x038 EntryPoint       : Ptr64 Void
	ULONG SizeOfImage;							// 		+0x040 SizeOfImage      : Uint4B
	UNICODE_STRING FullDllName;					// 		+0x048 FullDllName      : _UNICODE_STRING
	UNICODE_STRING BaseDllName;			// 		+0x058 BaseDllName      : _UNICODE_STRING
	ULONG Flags;						// 		+0x068 Flags            : Uint4B
	USHORT LoadCount;					// 		+0x06c LoadCount        : Uint2B
	USHORT TlsIndex;					// 		+0x06e TlsIndex         : Uint2B
	union {
		LIST_ENTRY HashLinks;			// 		+0x070 HashLinks        : _LIST_ENTRY
		struct {
			PVOID SectionPointer;		// 		+0x070 SectionPointer   : Ptr64 Void
			ULONG CheckSum;				// 		+0x078 CheckSum         : Uint4B
		};
	};
	union {
		struct {
			ULONG TimeDateStamp;		// 		+0x080 TimeDateStamp    : Uint4B
		};
		struct {
			PVOID LoadedImports;		// 		+0x080 LoadedImports    : Ptr64 Void
		};
	};
	LPVOID EntryPointActivationContext;		// 		+0x088 EntryPointActivationContext : Ptr64 _ACTIVATION_CONTEXT
	LPVOID	PatchInformation;				// 		+0x090 PatchInformation : Ptr64 Void
	_LIST_ENTRY ForwarderLinks;				// 		+0x098 ForwarderLinks   : _LIST_ENTRY
	_LIST_ENTRY ServiceTagLinks;			// 		+0x0a8 ServiceTagLinks  : _LIST_ENTRY
	_LIST_ENTRY StaticLinks;				// 		+0x0b8 StaticLinks      : _LIST_ENTRY
	LPVOID ContextInformation;				// 		+0x0c8 ContextInformation : Ptr64 Void
	size_t OriginalBase;					// 		+0x0d0 OriginalBase     : Uint8B
	_LARGE_INTEGER LoadTime;				// 		+0x0d8 LoadTime         : _LARGE_INTEGER
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY, **PPLDR_DATA_TABLE_ENTRY;

//	win7 旗舰版 64位
// WinDbg: lkd> dt _OBJECT_TYPE_INITIALIZER
typedef struct _OBJECT_TYPE_INITIALIZER
{
	WORD Length;					//	+0x000 Length           : Uint2B
	UCHAR ObjectTypeFlags;			//	+0x002 ObjectTypeFlags  : UChar
	UCHAR CaseInsensitive: 1;		//	+0x002 CaseInsensitive  : Pos 0, 1 Bit
	UCHAR UnnamedObjectsOnly: 1;	//	+0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
	UCHAR UseDefaultObject: 1;		//	+0x002 UseDefaultObject : Pos 2, 1 Bit
	UCHAR SecurityRequired: 1;		//	+0x002 SecurityRequired : Pos 3, 1 Bit
	UCHAR MaintainHandleCount: 1;	//	+0x002 MaintainHandleCount : Pos 4, 1 Bit
	UCHAR MaintainTypeList: 1;		//	+0x002 MaintainTypeList : Pos 5, 1 Bit
	UCHAR SupportsObjectCallbacks: 1;		//	+0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
	UCHAR CacheAligned: 1;			//	+0x002 CacheAligned     : Pos 7, 1 Bit
	UINT ObjectTypeCode;			//	+0x004 ObjectTypeCode   : Uint4B
	UINT InvalidAttributes;			//	+0x008 InvalidAttributes : Uint4B
	GENERIC_MAPPING GenericMapping;	//	+0x00c GenericMapping   : _GENERIC_MAPPING
	UINT ValidAccessMask;			//	+0x01c ValidAccessMask  : Uint4B
	UINT RetainAccess;				//	+0x020 RetainAccess     : Uint4B
	POOL_TYPE PoolType;				//	+0x024 PoolType         : _POOL_TYPE
	UINT DefaultPagedPoolCharge;	//	+0x028 DefaultPagedPoolCharge : Uint4B
	UINT DefaultNonPagedPoolCharge;	//	+0x02c DefaultNonPagedPoolCharge : Uint4B
	PVOID DumpProcedure;			//	0x030 DumpProcedure    : Ptr64     void
	LONG * OpenProcedure;			//	 +0x038 OpenProcedure    : Ptr64     long 
	PVOID CloseProcedure;			//	 +0x040 CloseProcedure   : Ptr64     void 
	PVOID DeleteProcedure;			//	+0x048 DeleteProcedure  : Ptr64     void 
	LONG * ParseProcedure;			//	+0x050 ParseProcedure   : Ptr64     long 
	LONG * SecurityProcedure;		//	+0x058 SecurityProcedure : Ptr64     long 
	LONG * QueryNameProcedure;		//	+0x060 QueryNameProcedure : Ptr64     long 
	UCHAR * OkayToCloseProcedure;	//	+0x068 OkayToCloseProcedure : Ptr64     unsigned
}OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER, **PPOBJECT_TYPE_INITIALIZER;

//	win7 旗舰版 64位
// WinDbg: lkd> dt _EX_PUSH_LOCK
typedef struct _EX_PUSH_LOCK
{
	union
	{
		struct
		{
			UINT64 Locked: 1;		//	+0x000 Locked           : Pos 0, 1 Bit
			UINT64 Waiting: 1;		//	+0x000 Waiting          : Pos 1, 1 Bit
			UINT64 Waking: 1;		//	+0x000 Waking           : Pos 2, 1 Bit
			UINT64 MultipleShared: 1;	//	+0x000 MultipleShared   : Pos 3, 1 Bit
			UINT64 Shared: 60;			//	+0x000 Shared           : Pos 4, 60 Bits
		};
		ULONG Value;				//	+0x000 Value            : Uint8B
		PVOID Ptr;					//	+0x000 Ptr              : Ptr64 Void
	};
} EX_PUSH_LOCK, *PEX_PUSH_LOCK, **PPEX_PUSH_LOCK;

//	win7 旗舰版 64位
// WinDbg: lkd> dt  _OBJECT_TYPE
typedef struct _OBJECT_TYPE
{
	_LIST_ENTRY TypeList;			// 	+0x000 TypeList         : _LIST_ENTRY
	_UNICODE_STRING name;			// 	+0x010 Name             : _UNICODE_STRING
	LPVOID DefaultObject;			// 	+0x020 DefaultObject    : Ptr64 Void
	UCHAR Index;					// 	+0x028 Index            : UChar
	UINT TotalNumberOfObjects;		// 	+0x02c TotalNumberOfObjects : Uint4B
	UINT TotalNumberOfHandles;		// 	+0x030 TotalNumberOfHandles : Uint4B
	UINT HighWaterNumberOfObjects;	// 	+0x034 HighWaterNumberOfObjects : Uint4B
	UINT HighWaterNumberOfHandles;	// 	+0x038 HighWaterNumberOfHandles : Uint4B
	_OBJECT_TYPE_INITIALIZER TypeInfo;	// 	+0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
	_EX_PUSH_LOCK TypeLock;				// 	+0x0b0 TypeLock         : _EX_PUSH_LOCK
	UINT Key;							// 	+0x0b8 Key              : Uint4B
	_LIST_ENTRY CallbackList;			// 	+0x0c0 CallbackList     : _LIST_ENTRY
}OBJECT_TYPE, *POBJECT_TYPE, **PPOBJECT_TYPE;

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (4)
IamHuskar
雪    币: 1392
活跃值: (5207)
能力值: ( LV13,RANK:240 )
在线值:
发帖
回帖
粉丝
私信
2
签名了没?
2015-8-17 08:11
0
elapseyear
雪    币: 326
活跃值: (56)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
3
ObjectType:A pointer to the object type (process or thread) that triggers the callback routine. Specify either PsProcessType for process handle operations, or PsThreadType for thread handle operations.

还有估计是要自定义一个自己的object type做hook。
2015-8-17 11:38
0
MClint
雪    币: 11
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
4
没有签名, Section->Flag |= 0x20了
2015-8-17 12:26
0
MClint
雪    币: 11
活跃值: (11)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
typedef struct _OBJECT_TYPE
typedef struct _OBJECT_TYPE_INITIALIZER
根据WINDBG都做了, 而且都与WinDbg匹配得上
2015-8-17 12:30
0
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//