NTSTATUS FakedNtCreateUserProcess (PHANDLE ProcessHandle,
PHANDLE ThreadHandle,
PVOID Parameter2,
PVOID Parameter3,
PVOID ProcessSecurityDescriptor,
PVOID ThreadSecurityDescriptor,
PVOID Parameter6,
PVOID Parameter7,
PRTL_USER_PROCESS_PARAMETERS ProcessParameters,
PVOID Parameter9,
PVOID pProcessUnKnow)
{
char aProcessName[MAXPATHLEN];
char aPathName[MAXPATHLEN];
PWCHAR wszFilePath ;
ULONG TempCurrentProcess;
TempCurrentProcess=(ULONG)PsGetCurrentProcess();
if (HipsCurrentProcess==TempCurrentProcess)
{
return ((NtCreateUserProcess)RealNtCreateUserProcess) (ProcessHandle,
ThreadHandle,
Parameter2,
Parameter3,
ProcessSecurityDescriptor,
ThreadSecurityDescriptor,
Parameter6,
Parameter7,
ProcessParameters,
Parameter9,
pProcessUnKnow);
}
else
{
ZeroMemory(aProcessName,MAXPATHLEN);
//拒绝漏洞
ConvertFileNameWCHARToCHAR(ProcessParameters->ImagePathName.Buffer,aPathName);
GetProcessName2(aProcessName);
strcat(aProcessName,"##");
if (GoOrNot(aProcessName,aPathName))
{
return ((NtCreateUserProcess)RealNtCreateUserProcess) (ProcessHandle,
ThreadHandle,
Parameter2,
Parameter3,
ProcessSecurityDescriptor,
ThreadSecurityDescriptor,
Parameter6,
Parameter7,
ProcessParameters,
Parameter9,
pProcessUnKnow);
}
else
{
ProcessHandle = NULL;
return RETURN_ERRO_NOBOX;
}
}
return 0;
}
如上面函数 如何检测参数 PRTL_USER_PROCESS_PARAMETERS ProcessParameters,地址是真实有效的呢而且保证其子结构指针如ProcessParameters->ImagePathName.Buffer也真实有效呢?
希望向各位学习,积累宝贵的驱动开发经验和知识
[课程]Android-CTF解题方法汇总!