inline ObReferenceObject
发表于: 2009-8-5 02:12 5015

inline ObReferenceObject

//=======================================inline HOOK ObReferenceObjectByHandle===========================
//ObReferenceObjectByHandle是ntoskrnl.exe导出函数,采用HOOK前五个字节的方式
//字节型数据  unsigned char
BYTE  OriginalBytes[5]={0};             //copy of the target's first five bytes, taken by HookObReferenceObjectByHandle and written back by UnHookObReferenceObjectByHandle
BYTE JmpAddress[5]={0xE9,0,0,0,0};       //E9 rel32 (near JMP) to the detour; the four displacement bytes are filled in at hook time

extern POBJECT_TYPE *PsProcessType;

// Prototype of the kernel export whose entry is patched.
// NOTE(review): every (ULONG) pointer cast in this listing assumes a 32-bit (x86) build;
// the listing is not correct for x64, and x64 kernels additionally block this kind of
// code patching (Kernel Patch Protection), so do not expect it to port.
NTKERNELAPI NTSTATUS 
ObReferenceObjectByHandle(
						  IN HANDLE  Handle,
						  IN ACCESS_MASK  DesiredAccess,
						  IN POBJECT_TYPE  ObjectType  OPTIONAL,
						  IN KPROCESSOR_MODE  AccessMode,
						  OUT PVOID  *Object,
						  OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL
						  );
// Detour: once the patch is in place, every caller of ObReferenceObjectByHandle lands here
// (same __stdcall signature, so the caller's stack frame is reused unchanged).
NTSTATUS DetourMyObReferenceObjectByHandle(
									   IN HANDLE  Handle,
									   IN ACCESS_MASK  DesiredAccess,
									   IN POBJECT_TYPE  ObjectType  OPTIONAL,
									   IN KPROCESSOR_MODE  AccessMode,
									   OUT PVOID  *Object,
									   OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL);
//

//hook流程 HookObReferenceObjectByHandle---DetourMyObReferenceObjectByHandle---UnHookObReferenceObjectByHandle
//-----------------------------------------------------------------------
// HookObReferenceObjectByHandle
// Installs the inline hook: saves the first five bytes of
// ObReferenceObjectByHandle into OriginalBytes, then overwrites them
// with a JMP rel32 to DetourMyObReferenceObjectByHandle.
// In:    nothing (uses the globals OriginalBytes, JmpAddress, CR0VALUE)
// Out:   nothing; side effect is the patched kernel text
// NOTE(review): CR0VALUE is not declared in this listing; presumably a
//   global ULONG defined elsewhere in the driver — confirm.
// NOTE(review): CR0 and IRQL are per-processor state. Clearing CR0.WP
//   happens before KeRaiseIrqlToDpcLevel, so the thread can still be
//   preempted (and rescheduled on another CPU) between the CR0 write and
//   the raise; and raising IRQL on this CPU does not stop other CPUs from
//   executing the five bytes while RtlCopyMemory rewrites them
//   non-atomically. On a multiprocessor system this is a bugcheck risk.
// NOTE(review): the E9 at the export's entry is exactly the artifact that
//   kernel integrity checks compare against the on-disk image; this is
//   the detection surface of the technique.
//-----------------------------------------------------------------------
void  HookObReferenceObjectByHandle()
{
	//fill in the arrays defined above
	KIRQL Irql;
	KdPrint(("[ObReferenceObjectByHandle] :0x%x",ObReferenceObjectByHandle));  //address sanity check (%x assumes a 32-bit pointer)
	//save the first five bytes of the function so UnHook can restore them
	RtlCopyMemory(OriginalBytes,(BYTE *)ObReferenceObjectByHandle,5);
	//rel32 displacement = detour - (patch address + 5), i.e. relative to the end of the 5-byte JMP
	*(ULONG *)(JmpAddress+1)=(ULONG)DetourMyObReferenceObjectByHandle-((ULONG)ObReferenceObjectByHandle+5);
	//begin inline hook
	//disable memory write protection: clear CR0.WP (bit 16) on the current CPU only
	_asm
	{
		push eax
			mov eax, cr0 
			mov CR0VALUE, eax               ; remember the original CR0 for restoration below
			and eax, 0fffeffffh             ; mask 0xFFFEFFFF clears bit 16 (WP)
			mov cr0, eax
			pop eax
	}
	//raise IRQL to DISPATCH_LEVEL (current CPU only; does not serialize other processors)
	Irql=KeRaiseIrqlToDpcLevel();
	//write the JMP over the first five bytes of the function (not an atomic store)
	RtlCopyMemory((BYTE *)ObReferenceObjectByHandle,JmpAddress,5);
	//restore the IRQL
	KeLowerIrql(Irql);
	//re-enable memory write protection from the value saved above
	__asm
	{       
		push eax
			mov eax, CR0VALUE 
			mov cr0, eax
			pop eax
	}
}

//-----------------------------------------------------------------------
// OriginalObReferenceObjectByHandle — trampoline to the unhooked code.
// Naked (no compiler prologue/epilogue): the body re-executes the five
// bytes that the hook overwrote and then jumps to the original function
// at offset +5, so the original's own epilogue returns to the detour.
// The parameters exist only so the detour can call this with the
// __stdcall argument layout the original expects; they are never read here.
// NOTE(review): this hard-codes the assumption that the target begins with
//   the hot-patch prologue `mov edi,edi` (2 bytes) / `push ebp` (1) /
//   `mov ebp,esp` (2) = exactly 5 bytes. OriginalBytes is never compared
//   against that pattern, so on a build with a different entry sequence the
//   jump lands mid-instruction — confirm per kernel build.
// Clobbers: eax (caller-saved; the original has not used it at entry).
//-----------------------------------------------------------------------
_declspec (naked) NTSTATUS OriginalObReferenceObjectByHandle(IN HANDLE  Handle,
														 IN ACCESS_MASK  DesiredAccess,
														 IN POBJECT_TYPE  ObjectType  OPTIONAL,
														 IN KPROCESSOR_MODE  AccessMode,
														 OUT PVOID  *Object,
														 OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL)
{
	_asm
	{   
		    mov edi,edi                     ; replay of the overwritten prologue (assumed identical to the original bytes)
			push ebp
			mov ebp,esp

			mov eax,ObReferenceObjectByHandle
			add eax,5                       ; skip the patched JMP
			jmp eax		
	}
	
}

//-----------------------------------------------------------------------
// DetourMyObReferenceObjectByHandle
// Replacement body for ObReferenceObjectByHandle. Forwards the call
// through the trampoline; if it succeeded and the caller asked for a
// process object, compares a string inside that object with "notepad.exe"
// and, on a match, releases the reference and fails the call with
// STATUS_ACCESS_DENIED. Every other call returns the original status.
// Returns: the original NTSTATUS, or STATUS_ACCESS_DENIED for the case above.
// NOTE(review): 0x174 is a raw offset into the process object; it looks like
//   the image-name field of the 32-bit EPROCESS on one specific Windows
//   build and is not valid across versions — confirm per target build.
// NOTE(review): _stricmp reads until a NUL; the field at that offset is a
//   fixed-size buffer, so a name that fills it is read past its end.
// NOTE(review): after ObDereferenceObject, *Object still holds the now
//   released pointer; callers that inspect *Object despite the failure
//   status would see a dangling reference.
//-----------------------------------------------------------------------
NTSTATUS DetourMyObReferenceObjectByHandle(
									   IN HANDLE  Handle,
									   IN ACCESS_MASK  DesiredAccess,
									   IN POBJECT_TYPE  ObjectType  OPTIONAL,
									   IN KPROCESSOR_MODE  AccessMode,
									   OUT PVOID  *Object,
									   OUT POBJECT_HANDLE_INFORMATION  HandleInformation  OPTIONAL)
{
	NTSTATUS status;
	//call the original function via the trampoline
	status=OriginalObReferenceObjectByHandle(Handle,DesiredAccess,ObjectType,AccessMode,Object,HandleInformation);
	if(status==STATUS_SUCCESS )
	{   
		
		if(ObjectType== *PsProcessType)
		{
		   //case-insensitive compare of the string at object+0x174 (build-specific layout, see header)
		   if( _stricmp((char *)((ULONG)(*Object)+0x174),"notepad.exe")==0)
		   {   
			   //drop the reference the original just took before failing the call
			   ObDereferenceObject(*Object);
			   return STATUS_ACCESS_DENIED;
		   }
		}
	}
	return status;
}

//-----------------------------------------------------------------------
// UnHookObReferenceObjectByHandle
// Removes the inline hook by writing OriginalBytes back over the JMP,
// using the same CR0.WP / IRQL sequence as HookObReferenceObjectByHandle.
// In:    nothing (uses the globals OriginalBytes and CR0VALUE)
// Out:   nothing; side effect is the restored kernel text
// NOTE(review): same multiprocessor caveats as the hook routine — CR0 and
//   IRQL are per-CPU, the WP bit is cleared before the IRQL is raised, and
//   the five-byte copy is not atomic with respect to other processors.
// NOTE(review): nothing here waits for threads that are still inside the
//   detour; if the driver is unloaded right after this returns, such a
//   thread would return into unmapped code — presumably handled by the
//   caller's unload sequence, confirm.
//-----------------------------------------------------------------------
void UnHookObReferenceObjectByHandle()
{
	//write the five saved bytes back to the original function
	KIRQL Irql;
    //disable write protection: clear CR0.WP (bit 16) on the current CPU only
	_asm
	{
		push eax
			mov eax, cr0 
			mov CR0VALUE, eax               ; remember the original CR0 for restoration below
			and eax, 0fffeffffh             ; mask 0xFFFEFFFF clears bit 16 (WP)
			mov cr0, eax
			pop eax
	}
    //raise IRQL to DISPATCH_LEVEL (current CPU only)
    Irql=KeRaiseIrqlToDpcLevel();
	RtlCopyMemory((BYTE *)ObReferenceObjectByHandle,OriginalBytes,5);
	KeLowerIrql(Irql);
    //re-enable write protection from the value saved above
	__asm
	{       
		push eax
			mov eax, CR0VALUE 
			mov cr0, eax
			pop eax
	}
}


