-
-
[求助]新建调试对象类型 NtDebugActiveProcess中ObReferenceObjectByHandle返回错误
-
发表于:
2017-7-28 19:53
6838
-
[求助]新建调试对象类型 NtDebugActiveProcess中ObReferenceObjectByHandle返回错误
下面代码
POBJECT_TYPE DbgkDebugObjectType;//自建的OBJECT对象
POBJECT_TYPE SysDebugObject;//系统的OBJECT对象
//PS:SysDebugObject这个是获取系统原始的
/////////////////////创建调试对象的代码片段//////////////////////////////////////
RtlInitUnicodeString(&Name, L"NewDebugObject");
RtlMoveMemory(&oti,&SysDebugObject->TypeInfo,sizeof(OBJECT_TYPE_INITIALIZER ));
oti.Length = sizeof (oti);
oti.SecurityRequired = TRUE;
oti.InvalidAttributes = 0;
oti.PoolType = NonPagedPool;
oti.DeleteProcedure = SysDebugObject->TypeInfo.DeleteProcedure;
oti.CloseProcedure = SysDebugObject->TypeInfo.CloseProcedure;
oti.ValidAccessMask = DEBUG_ALL_ACCESS;
oti.GenericMapping = GenericMapping;
oti.DefaultPagedPoolCharge = 0;
oti.DefaultNonPagedPoolCharge = 0;
Status = ObCreateObjectType(&Name, &oti, 0, &DbgkDebugObjectType);//这里是创建成功的
///////////////////////////////////////////////////////////
///////////////////////////NtDebugActiveProcess的代码片段///////////////////////////////
Status = ObReferenceObjectByHandle(DebugObjectHandle,
DEBUG_PROCESS_ASSIGN,
DbgkDebugObjectType,
PreviousMode,
&DebugObject,
NULL);
//就是这个ObReferenceObjectByHandle出错返回STATUS_OBJECT_TYPE_MISMATCH
//想跟进去看哪里出错,但是好像系统下了异常,进去就改成NtReadfile访问的
//参数什么的不懂看,感觉很乱
//下面是自建的DbgkDebugObjectType的结构体数据
lkd> dt _OBJECT_TYPE 88694270
ntdll!_OBJECT_TYPE
+0x000 TypeList : _LIST_ENTRY [ 0x88694270 - 0x88694270 ]
+0x008 Name : _UNICODE_STRING "NewDebugObject"
+0x010 DefaultObject : (null)
+0x014 Index : 0x2c ','
+0x018 TotalNumberOfObjects : 1
+0x01c TotalNumberOfHandles : 1
+0x020 HighWaterNumberOfObjects : 1
+0x024 HighWaterNumberOfHandles : 1
+0x028 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x078 TypeLock : _EX_PUSH_LOCK
+0x07c Key : 0x69746e41
+0x080 CallbackList : _LIST_ENTRY [ 0x886942f0 - 0x886942f0 ]
lkd> DT _OBJECT_TYPE_INITIALIZER 88694270+28
ntdll!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x50
+0x002 ObjectTypeFlags : 0x8 ''
+0x002 CaseInsensitive : 0y0
+0x002 UnnamedObjectsOnly : 0y0
+0x002 UseDefaultObject : 0y0
+0x002 SecurityRequired : 0y1
+0x002 MaintainHandleCount : 0y0
+0x002 MaintainTypeList : 0y0
+0x002 SupportsObjectCallbacks : 0y0
+0x004 ObjectTypeCode : 0
+0x008 InvalidAttributes : 0
+0x00c GenericMapping : _GENERIC_MAPPING
+0x01c ValidAccessMask : 0x1f000f
+0x020 RetainAccess : 0
+0x024 PoolType : 0 ( NonPagedPool )
+0x028 DefaultPagedPoolCharge : 0
+0x02c DefaultNonPagedPoolCharge : 0x30
+0x030 DumpProcedure : (null)
+0x034 OpenProcedure : (null)
+0x038 CloseProcedure : 0x83ec4d37 void nt!DbgkpCloseObject+0
+0x03c DeleteProcedure : 0x83e94c24 void nt!FsRtlInitializeOplock+0
+0x040 ParseProcedure : (null)
+0x044 SecurityProcedure : 0x83e7c946 long nt!SeDefaultObjectMethod+0
+0x048 QueryNameProcedure : (null)
+0x04c OkayToCloseProcedure : (null)
系统是WIN7 SP1
麻烦谁能告诉我下为什么会出错啊,网上搜索居然没人碰到这情况?
[课程]Android-CTF解题方法汇总!
hzqst
