今天在调试自己编写的 inline hook 时蓝屏了，然后用 WinDbg 调试 dump 文件，下面是 WinDbg 给出的信息：
PEB is paged out (Peb.Ldr = 7ffd500c). Type ".hh dbgerr001" for details
PEB is paged out (Peb.Ldr = 7ffd500c). Type ".hh dbgerr001" for details
我已经看了 PEB 和 _PEB_LDR_DATA 结构，但还是不明白上面的信息是什么意思。请高手帮我看看，该怎么解决。
我 inline hook 的是 ObReferenceObjectByHandle()，下面是我的代码：
#include <ntddk.h>
#include <string.h>
extern POBJECT_TYPE *PsProcessType;
// Disables interrupts on the current processor (CLI) and clears bit 16 of
// CR0 (the WP flag, mask 10000H) so that ring-0 writes to read-only pages
// are no longer faulted. CR0 is a per-processor register: only the CPU this
// code runs on is affected.
void close_write_protected()
{
//cancel write protected
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
}
// Sets CR0.WP (bit 16) again on the current processor and then executes STI.
// Intended as the counterpart of close_write_protected(). Note that STI is
// unconditional: this does not restore the interrupt state that was in
// effect before CLI, it simply enables interrupts.
void open_write_protected()
{
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
}
//this routine unloads the current driver
// Driver unload callback: writes the hard-coded original prologue back over
// the first 5 bytes of ObReferenceObjectByHandle, undoing the patch written
// by DriverEntry. DriverObject is not used.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
KIRQL irql;
// Bytes of the expected prologue (mov edi,edi / push ebp / mov ebp,esp).
// Nothing in this file verifies that the target actually began with these
// bytes; they are assumed.
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec};
// Both of these are per-processor operations: raise this CPU to
// DISPATCH_LEVEL and clear its CR0.WP before writing into kernel code.
irql = KeRaiseIrqlToDpcLevel();
close_write_protected();
//unload inline hook
RtlCopyMemory(ObReferenceObjectByHandle,routine_head,5);
open_write_protected();
KeLowerIrql(irql);
// Message has no trailing newline.
DbgPrint("inline hook success unload.");
return;
}
// Reached from my_routine in place of ObReferenceObjectByHandle, with the
// same six arguments. For process objects it restores the original prologue,
// calls the real ObReferenceObjectByHandle, and then applies a name check on
// the result. Returns an int (0 or 1), not the NTSTATUS the original
// function returns.
int call_failed(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInfo
)
{
KIRQL irql;
//mov edi,edi
//push ebp
//mov ebp,esp
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec};
//jmp address
// Not used in this function: nothing below writes the jmp back after the
// prologue is restored, so the patch is gone after the first process-type
// call passes through here.
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00};
if(ObjectType == *PsProcessType) //this object is a process
{
irql = KeRaiseIrqlToDpcLevel();
close_write_protected();
//unload inline hook
RtlCopyMemory(ObReferenceObjectByHandle,routine_head,5);
// The original is called here at DISPATCH_LEVEL with CR0.WP cleared; its
// return status is discarded.
ObReferenceObjectByHandle(
Handle,
DesiredAccess,
ObjectType,
AccessMode,
Object,
HandleInfo
);
open_write_protected();
KeLowerIrql(irql);
// NOTE(review): the cast binds to Object itself (a PVOID*), so the string
// compared is 0x174 bytes past the caller's output variable, not 0x174
// bytes into the object stored in *Object. The meaning of offset 0x174 is
// build-specific and is not established anywhere in this file.
if(_stricmp((const char *)Object+0x174,"notepad.exe") != 0) //this process is protected
{
return 1;
}
else
{
// Overwrites the caller's output pointer with -1.
*Object = (PVOID)-1;
return 0;
}
}
// Non-process objects: the original is never called and *Object is left
// untouched.
return 0;
}
//the jmp written by DriverEntry lands on this routine
// Landing point of the 5-byte jmp written by DriverEntry. Declared without a
// return type (implicit int) and naked, so the compiler emits no prologue or
// epilogue; everything that happens here is the inline assembly below. The
// argument layout assumed ([ebp+8] .. [ebp+0x1c], six stack arguments) is
// the author's assumption and is not checked anywhere.
__declspec(naked) my_routine()
{
__asm
{
// Re-execute the three prologue instructions that the jmp overwrote.
mov edi,edi
push ebp
mov ebp,esp
//parameter enter the stack
// Push the six arguments right-to-left for call_failed: [ebp+8] is the
// first argument, [ebp+0x1c] the sixth.
push [ebp+0x1c]
push [ebp+0x18]
push [ebp+0x14]
push [ebp+0x10]
push [ebp+0xc]
push [ebp+8]
call call_failed
// NOTE(review): the block ends right after the call. No stack cleanup,
// epilogue or ret appears here, so what executes once call_failed returns
// is not defined by this stub.
}
}
//driver entry routine
//overwrites the first 5 bytes of ObReferenceObjectByHandle() with a jmp to my_routine
// Driver entry: registers DriverUnload, then patches the first 5 bytes of
// ObReferenceObjectByHandle with a relative jmp to my_routine.
// RegistryPath is not used. Always returns STATUS_SUCCESS; neither copy is
// checked.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
int jmp_offset; //a jmp operation from current to my_routine
KIRQL irql;
// E9 rel32: the four zero bytes are filled in with jmp_offset below.
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00};
DriverObject -> DriverUnload = DriverUnload; //set this driver's unload routine
// Per-processor preparation only: raise this CPU to DISPATCH_LEVEL and
// clear its CR0.WP before writing into kernel code.
irql = KeRaiseIrqlToDpcLevel();
close_write_protected();
//inline hook ObReferenceObjectByHandle()
// The rel32 operand is relative to the end of the 5-byte jmp, hence "- 5".
jmp_offset = (char *)my_routine - (char *)ObReferenceObjectByHandle - 5;
RtlCopyMemory(jmp_code+1,&jmp_offset,4);
// The bytes being replaced are not saved here; DriverUnload relies on a
// hard-coded copy of the expected prologue instead.
RtlCopyMemory(ObReferenceObjectByHandle,jmp_code,5);
open_write_protected();
KeLowerIrql(irql);
// Message has no trailing newline.
DbgPrint("install inline hook success.");
return STATUS_SUCCESS;
}