摘要:本文主要向大家介绍了 C/C++知识点之InlineHookObReferenceObjectByHandle(0环),通过具体的内容向大家展示,希望对大家学习C/C++知识点有所帮助。
本文主要向大家介绍了 C/C++知识点之InlineHookObReferenceObjectByHandle(0环),通过具体的内容向大家展示,希望对大家学习C/C++知识点有所帮助。
ObReferenceObjectByHandle是通过句柄(Handle)来访问对象。
#include "ntddk.h"
#include <windef.h>
extern POBJECT_TYPE *PsProcessType;
VOID InlineHookObReferenceObjectByHandle();
VOID UnHook();
//根据提供的 Handle 值得到 Object
//NTSTATUS ObReferenceObjectByHandle(
// IN HANDLE Handle,
// IN ACCESS_MASK DesiredAccess,
// IN POBJECT_TYPE ObjectType,
// IN KPROCESSOR_MODE AccessMode,
// OUT PVOID *Object,
// OUT POBJECT_HANDLE_INFORMATION HandleInformation
//);
T_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
);
char* ProtectName = "notepad.exe";
int MyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
PEPROCESS Process = NULL;
KIRQL oldIrql = 0;
int JmpOffSet = 0;
UCHAR Code[5] = {0x8b,0xff,0x55,0x8b,0xec};
UCHAR JmpCode[5] = {0xe9,0x00,0x00,0x00,0x00 };
if(*PsProcessType==ObjectType)
{
oldIrql = KeRaiseIrqlToDpcLevel();
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
//防止重入
RtlCopyMemory ( ObReferenceObjectByHandle, Code, 5 );
ObReferenceObjectByHandle(Handle,
DesiredAccess,
ObjectType,
AccessMode,
&Process,
NULL);
if (_stricmp((char*)((char*)Process+0x174),
ProtectName) == 0 )
{
JmpOffSet= (char*)T_ObReferenceObjectByHandle -
(char*)ObReferenceObjectByHandle - 5;
RtlCopyMemory ( JmpCode+1, &JmpOffSet, 4 );
RtlCopyMemory ( ObReferenceObjectByHandle, JmpCode, 5 );
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
KeLowerIrql(oldIrql);
return 1;
}
JmpOffSet= (char*)T_ObReferenceObjectByHandle -
(char*)ObReferenceObjectByHandle - 5;
RtlCopyMemory ( JmpCode+1, &JmpOffSet, 4 );
RtlCopyMemory ( ObReferenceObjectByHandle, JmpCode, 5 );
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
KeLowerIrql(oldIrql);
}
return 0;
}
__declspec(naked) T_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
_asm
{
mov edi,edi
push ebp
mov ebp,esp
push [ebp+0x1c]
push [ebp+0x18]
push [ebp+0x14]
push [ebp+0x10]
push [ebp+0xc]
push [ebp+8]
call MyObReferenceObjectByHandle
cmp eax,1
jz end
mov eax,ObReferenceObjectByHandle
add eax,5
jmp eax
end:
mov [ebp+8],-1
mov eax,ObReferenceObjectByHandle
add eax,5
jmp eax
}
}
VOID InlineHookObReferenceObjectByHandle()
{
int JmpOffSet = 0;
UCHAR JmpCode[5] = {0xe9, 0x00, 0x00, 0x00, 0x00 };
KIRQL oldIrql = 0;
JmpOffSet= (char*)T_ObReferenceObjectByHandle - (char*)ObReferenceObjectByHandle - 5;
RtlCopyMemory ( JmpCode+1, &JmpOffSet, 4 );
oldIrql = KeRaiseIrqlToDpcLevel();
_asm
{
CLI
MOV EAX, CR0
AND EAX, NOT 10000H
MOV CR0, EAX
}
RtlCopyMemory( ObReferenceObjectByHandle, JmpCode, 5 );
_asm
{
MOV EAX, CR0
OR EAX, 10000H
MOV CR0, EAX
STI
}
KeLowerIrql(oldIrql);
}
VOID Unload(PDRIVER_OBJECT DriverObject)
{
KIRQL oldIrql = 0;
LARGE_INTEGER Delay = {0};
unsigned char Code[5] = {0x8b,0xff,0x55,0x8b,0xec};
Delay.QuadPart = -5000000;
KeDelayExecutionThread(KernelMode, TRUE, &Delay);
oldIrql = KeRaiseIrqlToDpcLevel();
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
RtlCopyMemory ( ObReferenceObjectByHandle, Code, 5 );
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
KeLowerIrql(oldIrql);
}
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
DriverObject->DriverUnload = Unload;
InlineHookObReferenceObjectByHandle();
return STATUS_SUCCESS;
}
本文由职坐标整理并发布,希望对同学们有所帮助。了解更多详情请关注职坐标编程语言C/C+频道!
您输入的评论内容中包含违禁敏感词
我知道了
请输入正确的手机号码
请输入正确的验证码
您今天的短信下发次数太多了,明天再试试吧!
我们会在第一时间安排职业规划师联系您!
您也可以联系我们的职业规划师咨询:
版权所有 职坐标-一站式IT培训就业服务领导者 沪ICP备13042190号-4
上海海同信息科技有限公司 Copyright ©2015 www.zhizuobiao.com,All Rights Reserved.
沪公网安备 31011502005948号