标 题: inline hook ObReferenceObjectByHandle() 实现拒绝指定进程执行
作 者: emc
时 间: 2009-07-18
链 接: hi.baidu.com/mc0066_
此代码借鉴了sysnap早期代码,并且我从中学到了很多东西。本来我打算使用新的程序架构和流程来实现此功能,可惜由于本人是初学者,最后还是放弃了,改用sysnap早期的代码流程与架构。
在调试本程序的过程中,受到了部分网友的关注,再次向他们的崇高精神表示感谢:
flowercode
iceboy
轩辕小聪
...
参考文献: http://bbs.pediy.com/showthread.php?t=65731
#include <ntddk.h>
#include <string.h>
extern POBJECT_TYPE *PsProcessType;
// The first five bytes of ObReferenceObjectByHandle as found on the 32-bit
// kernel build this driver was written against:
//   mov edi,edi
//   push ebp
//   mov ebp,esp
// The hook overwrites exactly these bytes. This copy is what DriverUnload
// and call_failed write back to restore the original prologue, and
// my_routine replays the same three instructions before jumping to +5.
// NOTE(review): nothing verifies that the live bytes match this array before
// patching; on another build, or if the function is already hooked, the
// patch corrupts the routine and the "restore" writes wrong bytes.
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec};
// E9 rel32 near jump to my_routine. The 4-byte displacement (relative to the
// end of the 5-byte instruction) is filled in by DriverEntry before the
// array is written over the prologue, so it must remain writable.
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00};
// Clear CR0.WP on the *current* CPU so the read-only kernel code page holding
// ObReferenceObjectByHandle can be written from ring 0. Interrupts are
// disabled first so this CPU is not switched away while WP is clear;
// open_write_protected() re-enables both.
// NOTE(review): CR0 is per-processor. Clearing WP here does nothing for other
// CPUs, and nothing stops another CPU from executing the target function
// while its first five bytes are only partially rewritten - the patch is not
// atomic on multiprocessor machines.
// NOTE(review): the paired STI in open_write_protected() re-enables
// interrupts unconditionally, so this pair must only be used where interrupts
// are known to be enabled on entry (in this file every caller has just
// called KeRaiseIrqlToDpcLevel, i.e. runs at DISPATCH_LEVEL with IF=1).
void close_write_protected()
{
//cancel write protected
__asm
{
CLI                       // no interrupts on this CPU until the matching STI
MOV eax, CR0
AND eax, NOT 10000H       // bit 16 of CR0 = WP (supervisor write protect)
MOV CR0, eax
}
}
// Undo close_write_protected(): set CR0.WP again on the current CPU, then
// re-enable interrupts. Must be called on the same processor that cleared WP,
// since CR0 is per-processor state.
// NOTE(review): STI is unconditional; if interrupts were already disabled
// before close_write_protected() ran, they are wrongly enabled here. The
// call sites in this file all run at DISPATCH_LEVEL with interrupts enabled,
// so this holds today but is not enforced.
void open_write_protected()
{
__asm
{
MOV eax, CR0
OR eax, 10000H            // restore WP (bit 16)
MOV CR0, eax
STI                       // interrupts back on for this CPU
}
}
// Driver unload: put the saved five-byte prologue back over the jmp so the
// kernel no longer transfers control into this image. The write is done at
// DISPATCH_LEVEL with CR0.WP cleared, mirroring DriverEntry.
// NOTE(review): nothing here waits for threads that are currently inside
// my_routine/call_failed, nor for other CPUs, before the driver image is
// unmapped; a hook invocation in flight on another processor would land in
// freed memory. The byte restore itself is also not atomic across CPUs.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
KIRQL oldIrql;
UNREFERENCED_PARAMETER(DriverObject);
oldIrql = KeRaiseIrqlToDpcLevel();
close_write_protected();
// Restore the original prologue bytes captured in routine_head.
RtlCopyMemory(ObReferenceObjectByHandle, routine_head, sizeof(routine_head));
open_write_protected();
KeLowerIrql(oldIrql);
DbgPrint("inline hook success unload.");
}
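// Filter called from my_routine for every ObReferenceObjectByHandle request.
// Returns 1 when Handle resolves to a process whose image name is
// "notepad.exe" (my_routine then sabotages the request), and 0 in every
// other case, including a non-process object type or a failed lookup.
//
// To resolve the handle it temporarily removes its own hook, calls the real
// ObReferenceObjectByHandle, then re-installs the hook; the whole sequence
// runs at DISPATCH_LEVEL with CR0.WP cleared.
//
// Fixes vs. the original: the EPROCESS reference taken by the inner
// ObReferenceObjectByHandle call is now released with ObDereferenceObject
// (it used to leak one reference per filtered call, pinning every referenced
// process object forever), the image-name compare is bounded to the 16-byte
// ImageFileName field, and the three identical "re-hook and return" tails
// are merged into one exit path.
//
// NOTE(review): while the hook is removed, any other CPU calling
// ObReferenceObjectByHandle runs the real routine unfiltered, so the deny
// logic can be bypassed, and a CPU executing the half-rewritten prologue
// would fault. Raising IRQL only stops preemption on this processor.
// NOTE(review): ObReferenceObjectByHandle is documented for PASSIVE_LEVEL
// callers; invoking it at DISPATCH_LEVEL as done here is outside its contract.
// NOTE(review): 0x174 is the EPROCESS.ImageFileName offset of one specific
// 32-bit kernel build and is wrong on others; PsGetProcessImageFileName is
// the build-independent way to read this field - TODO confirm for the target.
// Object and HandleInfo exist only for signature parity with the hooked
// function and are not used.
int call_failed(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInfo
)
{
PEPROCESS process = NULL;
KIRQL irql;
int deny = 0;
UNREFERENCED_PARAMETER(Object);
UNREFERENCED_PARAMETER(HandleInfo);
// Only process handles are of interest; everything else passes through.
if(ObjectType != *PsProcessType)
{
return 0;
}
irql = KeRaiseIrqlToDpcLevel();
close_write_protected();
// Temporarily restore the original prologue so the call below reaches the
// real kernel routine instead of re-entering my_routine.
RtlCopyMemory(ObReferenceObjectByHandle, routine_head, sizeof(routine_head));
if(ObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType, AccessMode, (PVOID *)&process, NULL) == STATUS_SUCCESS)
{
// ImageFileName is a 16-byte array; bound the compare to it rather than
// trusting a terminating NUL.
if(_strnicmp((const char *)process + 0x174, "notepad.exe", 16) == 0)
{
deny = 1;
}
// Release the reference taken by our own lookup. The caller's reference
// is taken by the real routine once my_routine jumps into it.
ObDereferenceObject(process);
}
// Re-install the hook before anything else can run on this CPU.
RtlCopyMemory(ObReferenceObjectByHandle, jmp_code, sizeof(jmp_code));
open_write_protected();
KeLowerIrql(irql);
return deny;
}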
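// Hook entry. ObReferenceObjectByHandle's first five bytes are replaced by a
// jmp here, so this runs with the caller's six arguments still on the stack
// and no frame of its own (naked). It replays the three prologue instructions
// the jmp overwrote, asks call_failed whether the request must be refused,
// optionally rewrites the Handle argument in place, and then resumes the real
// function at +5 with the stack exactly as its own prologue would have left it.
//
// Fix vs. the original: call_failed is cdecl, so its six dword arguments are
// popped after the call (add esp,24). Without that, the real routine ran with
// esp 24 bytes below ebp and only worked because its epilogue happens to
// restore esp from ebp.
//
// NOTE(review): refusal is implemented by replacing Handle with -1 (the
// current-process pseudo-handle) rather than by failing the call, so the
// caller receives a reference to *its own* process instead of an error
// status. Whether that is an acceptable way to "deny" depends on the caller
// - TODO confirm this is the intended effect.
__declspec(naked) my_routine(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInfor
)
{
__asm
{
// Replay the overwritten prologue (see routine_head).
mov edi,edi
push ebp
mov ebp,esp
// Forward all six arguments to call_failed, right to left (cdecl).
push [ebp+0x1c]        // HandleInfo
push [ebp+0x18]        // Object
push [ebp+0x14]        // AccessMode
push [ebp+0x10]        // ObjectType
push [ebp+0xc]         // DesiredAccess
push [ebp+8]           // Handle
call call_failed
add esp,24             // cdecl: the caller removes the arguments
cmp eax,1
jne continue_real
// Deny: substitute the current-process pseudo-handle for the caller's handle.
mov dword ptr [ebp+8],-1
continue_real:
// Resume the real routine just past the bytes we overwrote; esp == ebp here,
// exactly as after its own "mov ebp,esp".
mov eax,ObReferenceObjectByHandle
add eax,5
jmp eax
}
}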
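// Driver entry: install the inline hook by writing a 5-byte relative jmp to
// my_routine over the start of ObReferenceObjectByHandle.
//
// Fix vs. the original: the live prologue is compared against routine_head
// before anything is written. If the bytes differ (different kernel build,
// or another hook already in place) the driver refuses to load instead of
// corrupting the function and later "restoring" bytes that were never there.
// The check runs before raising IRQL, so the failure path needs no cleanup.
//
// NOTE(review): the 5-byte write is not atomic with respect to other CPUs;
// a processor executing ObReferenceObjectByHandle during the copy can run a
// torn instruction. KeRaiseIrqlToDpcLevel only prevents preemption here.
// The rel32 arithmetic in a 32-bit int is valid only for the x86-32 kernel
// this inline-asm driver targets.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
int jmp_offset;
KIRQL irql;
UNREFERENCED_PARAMETER(RegistryPath);
DriverObject->DriverUnload = DriverUnload;
// Refuse to patch a prologue we do not recognise.
if(RtlCompareMemory(ObReferenceObjectByHandle, routine_head, sizeof(routine_head)) != sizeof(routine_head))
{
DbgPrint("inline hook not installed: unexpected ObReferenceObjectByHandle prologue.");
return STATUS_UNSUCCESSFUL;
}
// rel32 displacement is measured from the end of the 5-byte jmp.
jmp_offset = (char *)my_routine - (char *)ObReferenceObjectByHandle - 5;
RtlCopyMemory(jmp_code + 1, &jmp_offset, 4);
irql = KeRaiseIrqlToDpcLevel();
close_write_protected();
RtlCopyMemory(ObReferenceObjectByHandle, jmp_code, sizeof(jmp_code));
open_write_protected();
KeLowerIrql(irql);
DbgPrint("install inline hook success.");
return STATUS_SUCCESS;
}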