模拟 HP 的 object hook 保护：
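// driver.h
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif

/* Section placement helpers used with #pragma. The loader discards INIT once
 * DriverEntry has returned, PAGE may be paged out, and the default segment
 * (LOCKEDCODE/LOCKEDDATA) stays resident - hook bodies must live there. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

/*
 * Shape of OBJECT_TYPE_INITIALIZER.SecurityProcedure as this driver uses it.
 * The kernel invokes it with the __stdcall (NTAPI) convention, so the
 * convention is spelled out instead of depending on the build's /Gz default.
 *
 * NOTE(review): the public OB_SECURITY_METHOD prototype has eight parameters
 * (Object ... GenericMapping). The trailing `unknown` argument here is
 * extra; because the callee pops its own arguments under __stdcall, a
 * parameter-count mismatch with the real kernel would unbalance the caller's
 * stack. Confirm against the targeted kernel build before relying on it.
 */
typedef NTSTATUS (NTAPI *OB_SECURITY_METHOD)(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN PVOID unknown
    );

/* Exported by ntoskrnl but not declared by <ntddk.h>; declared here with the
 * kernel's NTAPI convention so the call in MySecurityProcedure is correct
 * regardless of the project's default calling convention. Returns a pointer
 * to the process's short image name (not a copy). */
EXTERN_C NTKERNELAPI UCHAR * NTAPI PsGetProcessImageFileName(__in PEPROCESS Process);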
// driver.cpp
#include "Driver.h"
/* The Thread type's SecurityProcedure as it was before HandleObjectHook(TRUE)
 * replaced it; MySecurityProcedure chains to it and HandleObjectHook(FALSE)
 * writes it back. NULL until the hook has been installed. */
OB_SECURITY_METHOD g_pfnSecurityProcedure;
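/*
 * ASCII case-insensitive substring test. `needleLower` must already be
 * lowercase. Used instead of strstr() so "OLLYDBG.EXE" and "ollydbg.exe"
 * are treated alike.
 */
static BOOLEAN ContainsNoCase(const char *hay, const char *needleLower)
{
    size_t needleLen = strlen(needleLower);

    for (; *hay != '\0'; ++hay) {
        size_t k = 0;
        while (k < needleLen) {
            char c = hay[k];
            if (c == '\0') {
                return FALSE;
            }
            if (c >= 'A' && c <= 'Z') {
                c = (char)(c - 'A' + 'a');
            }
            if (c != needleLower[k]) {
                break;
            }
            ++k;
        }
        if (k == needleLen) {
            return TRUE;
        }
    }
    return FALSE;
}

/*
 * Replacement SecurityProcedure that HandleObjectHook() installs into the
 * Thread object type. Every security operation the kernel performs on a
 * thread object passes through here before reaching the saved original
 * procedure (g_pfnSecurityProcedure), which receives all arguments untouched.
 *
 * Detection: if the image name of the current process contains "ollydbg"
 * (case-insensitive) the code executes `int 3`. In kernel mode with no
 * kernel debugger attached that is an unhandled breakpoint exception and
 * bugchecks the machine - intentional for this demonstration of how the
 * "protection" reacts, not something to ship. The check is trivially
 * defeated by renaming the debugger's executable.
 *
 * Declared NTAPI (__stdcall) because that is how the kernel calls it; see the
 * note on the OB_SECURITY_METHOD typedef about the extra `unknown` argument.
 */
NTSTATUS NTAPI MySecurityProcedure(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN PVOID unknown
    )
{
    /* Short image name of the process on whose behalf the check runs; this
     * points into the EPROCESS, it is not a copy. */
    const char *imageName = (const char *)PsGetProcessImageFileName(IoGetCurrentProcess());

    if (imageName != NULL && ContainsNoCase(imageName, "ollydbg")) {
        __asm int 3;
    }

    /* Chain to the procedure that was in the type before we hooked it. */
    return g_pfnSecurityProcedure(
        Object,
        OperationCode,
        SecurityInformation,
        SecurityDescriptor,
        CapturedLength,
        ObjectsSecurityDescriptor,
        PoolType,
        GenericMapping,
        unknown);
}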
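/* Offsets into the 32-bit OBJECT_TYPE this demo was written against:
 * OBJECT_TYPE.TypeInfo at +0x60 and TypeInfo.SecurityProcedure at +0x40,
 * i.e. the procedure pointer sits at OBJECT_TYPE+0xA0 - the same 0xA0
 * displacement the companion "restore" driver scans for in
 * ObpGetObjectSecurity / ObAssignSecurity. These offsets are not stable
 * across Windows versions; verify with `dt nt!_OBJECT_TYPE` before use. */
#define OBJECT_TYPE_TYPEINFO_OFFSET         0x60
#define TYPEINFO_SECURITY_PROCEDURE_OFFSET  0x40

/*
 * Install (bHook == TRUE) or remove (bHook == FALSE) MySecurityProcedure as
 * the SecurityProcedure of the Thread object type.
 *
 * The swap is one aligned pointer exchange (InterlockedExchangePointer), so a
 * concurrent reader never sees a torn value. Installing twice is a no-op
 * (it would otherwise save our own function as the "original" and recurse),
 * and removing before installing does nothing instead of writing NULL into
 * the type.
 *
 * Nothing here waits for threads already executing the old procedure;
 * unloading right after HandleObjectHook(FALSE) can still unmap code in use.
 *
 * Returns TRUE when the slot was reachable and the requested state holds.
 */
BOOLEAN HandleObjectHook(BOOLEAN bHook)
{
    PVOID volatile *slot;
    PVOID previous;

    if (PsThreadType == NULL || *PsThreadType == NULL) {
        KdPrint(("HandleObjectHook: PsThreadType unavailable\n"));
        return FALSE;
    }

    slot = (PVOID volatile *)((ULONG_PTR)*PsThreadType
                              + OBJECT_TYPE_TYPEINFO_OFFSET
                              + TYPEINFO_SECURITY_PROCEDURE_OFFSET);

    if (bHook) {
        if (*slot == (PVOID)MySecurityProcedure) {
            return TRUE;    /* already installed */
        }
        g_pfnSecurityProcedure =
            (OB_SECURITY_METHOD)InterlockedExchangePointer(slot, (PVOID)MySecurityProcedure);
        return TRUE;
    }

    if (g_pfnSecurityProcedure == NULL) {
        return FALSE;       /* never installed - nothing to restore */
    }

    /* Restore what we saved. If someone re-hooked the slot after us it no
     * longer points at MySecurityProcedure; we still put our saved value
     * back (leaving our code reachable after unload is worse) but say so. */
    previous = InterlockedExchangePointer(slot, (PVOID)g_pfnSecurityProcedure);
    if (previous != (PVOID)MySecurityProcedure) {
        KdPrint(("HandleObjectHook: SecurityProcedure was re-hooked by another component (%p)\n", previous));
    }
    g_pfnSecurityProcedure = NULL;
    return TRUE;
}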
- #pragma INITCODE
/*
 * Driver entry: registers the unload routine and installs the Thread-type
 * SecurityProcedure hook. RegistryPath is unused. Always returns
 * STATUS_SUCCESS; the outcome of HandleObjectHook is not examined here.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    HandleObjectHook(TRUE);

    return STATUS_SUCCESS;
}
- #pragma PAGEDCODE
/*
 * Unload routine: traces, then puts the saved SecurityProcedure back.
 * Caveat: nothing waits for in-flight calls to MySecurityProcedure, so a
 * thread still inside it when the image is unmapped will fault.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    KdPrint(("DriverEntry unLoading...\n"));
    HandleObjectHook(FALSE);
}
恢复 HP 的 object hook：
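// Driver.h
#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif

/* Section placement helpers used with #pragma. The loader discards INIT once
 * DriverEntry has returned, PAGE may be paged out, and the default segment
 * stays resident - the detour stubs and patch helpers must live there. */
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")
#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

/* Exported by ntoskrnl but not declared by <ntddk.h>, so declared by hand.
 * NTAPI (__stdcall) matches the kernel's convention for exported routines.
 * This driver only takes its address (as the scan start in PassObjectHook);
 * it never calls it. */
EXTERN_C NTKERNELAPI NTSTATUS NTAPI ObAssignSecurity(
    __in PACCESS_STATE AccessState,
    __in_opt PSECURITY_DESCRIPTOR ParentDescriptor,
    __in PVOID Object,
    __in POBJECT_TYPE ObjectType);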
// Driver.cpp
#include "Driver.h"
//global
/* Address of SeDefaultObjectMethod, recovered by PassObjectHook from the
 * imm32 of the `cmp` it patches in ObpGetObjectSecurity. Read by both naked
 * detour stubs, so it must stay a plain 32-bit global. 0 until found. */
ULONG g_uSeDefaultObjectMethod;
/* ObpGetObjectSecurity patch site: address of the 10-byte cmp, the address
 * the stub resumes at (+10), and the 5 bytes displaced by our jmp. */
ULONG g_ObpGetObjectSecurity_hookpointer;
ULONG g_retn_ObpGetObjectSecurity;
UCHAR g_szBackupObpGetObjectSecurity[5];
/* ObAssignSecurity patch site: address of the 6-byte indirect call, the
 * resume address (+6), and the 5 displaced bytes. */
ULONG g_ObAssignSecurity_hookpointer;
ULONG g_retn_ObAssignSecurity;
UCHAR g_szBackupObAssignSecurity[5];
/*
 * Re-set CR0.WP (bit 16), which PageProtectOff() cleared, and re-enable
 * interrupts. x86 / MSVC inline asm only.
 *
 * Caveats:
 *  - `sti` is unconditional: a caller that entered PageProtectOff() with
 *    interrupts already disabled gets them enabled here. A pushfd/popfd
 *    pair around the CR0 change would be the faithful form.
 *  - CR0 is per-CPU. WP is toggled only on the CPU this runs on, which is
 *    enough for the write that follows but does nothing to stop other CPUs
 *    from executing the code being patched (see Jmp_HookFunction).
 */
void PageProtectOn()
{
    // restore write protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h          // CR0.WP (bit 16) = 1
        mov cr0, eax
        sti                     // interrupts back on (assumes they were on before PageProtectOff)
    }
}
/*
 * Clear CR0.WP (bit 16) so ring 0 may write to read-only (code) pages, with
 * interrupts masked on this CPU until PageProtectOn() runs. x86 / MSVC
 * inline asm only.
 *
 * Caveats: the `cli` here is paired with an unconditional `sti` in
 * PageProtectOn(), so the pair assumes interrupts were enabled on entry.
 * Mapping the target through an MDL with write access
 * (MmProbeAndLockPages + MmMapLockedPagesSpecifyCache) is the supported way
 * to write to protected kernel pages and avoids touching CR0 at all.
 */
void PageProtectOff()
{
    // drop write protection
    __asm
    {
        cli                     // no interrupts on this CPU while WP is clear
        mov eax, cr0
        and eax, not 10000h     // CR0.WP (bit 16) = 0
        mov cr0, eax
    }
}
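/*
 * Overwrite the 5 bytes at HookAddr with `jmp rel32` to Source, first saving
 * the displaced bytes into Ori_Code (which must hold at least 5 bytes) so
 * Res_HookFunction can undo the patch.
 *
 * HookAddr, Source: absolute 32-bit code addresses, both non-zero.
 * Ori_Code:         receives the 5 original bytes; must be non-NULL.
 *
 * The write happens at DISPATCH_LEVEL with CR0.WP cleared on this CPU only.
 * It is a plain 5-byte copy, not an atomic store: another CPU executing at
 * HookAddr at that moment can fetch a half-written instruction. That is
 * tolerable for a one-shot patch from DriverEntry on a quiet machine; a
 * production hook would patch from a DPC run on every CPU, or write through
 * an MDL mapping with an atomic 8-byte store.
 *
 * Note: the original took a spin lock declared on this function's own stack,
 * so every call had a private lock and nothing was serialized; its only real
 * effect was raising IRQL, which KeRaiseIrql now does explicitly.
 */
void Jmp_HookFunction(ULONG HookAddr, ULONG Source, UCHAR *Ori_Code)
{
    UCHAR jmp_code[5] = {0xE9, 0, 0, 0, 0};
    KIRQL oldIrql;

    if (HookAddr == 0 || Source == 0 || Ori_Code == NULL) {
        KdPrint(("Params error!\n"));
        return;
    }

    /* Save what we are about to clobber. */
    RtlCopyMemory(Ori_Code, (PVOID)HookAddr, sizeof(jmp_code));

    /* E9 rel32: displacement is relative to the byte after the 5-byte jmp. */
    *(PULONG)&jmp_code[1] = Source - HookAddr - (ULONG)sizeof(jmp_code);

    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    PageProtectOff();
    RtlCopyMemory((PVOID)HookAddr, jmp_code, sizeof(jmp_code));
    PageProtectOn();
    KeLowerIrql(oldIrql);
}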
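/*
 * Undo a patch made by Jmp_HookFunction: copy Length bytes from Ori_Code back
 * to HookAddr.
 *
 * HookAddr: non-zero code address that was patched.
 * Ori_Code: the bytes saved by Jmp_HookFunction; must be non-NULL.
 * Length:   how many of them to restore - must not exceed what was saved
 *           (callers pass their 5-byte backup buffers). 0 is a no-op.
 *
 * Same IRQL / CR0.WP handling and the same non-atomic-write caveat as
 * Jmp_HookFunction. The original's per-call stack spin lock, which
 * serialized nothing, is replaced by an explicit KeRaiseIrql.
 */
void Res_HookFunction(ULONG HookAddr, UCHAR *Ori_Code, ULONG Length)
{
    KIRQL oldIrql;

    if (HookAddr == 0 || Ori_Code == NULL) {
        KdPrint(("Params error!\n"));
        return;
    }
    if (Length == 0) {
        return;     /* nothing to restore */
    }

    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    PageProtectOff();
    RtlCopyMemory((PVOID)HookAddr, Ori_Code, Length);
    PageProtectOn();
    KeLowerIrql(oldIrql);
}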
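/*
 * Locate the unexported ObpGetObjectSecurity by matching the tail of the
 * exported ObGetObjectSecurity, which on the kernel build this code was
 * written against ends in:
 *
 *     FF 75 xx        push dword ptr [ebp+xx]
 *     E8 rel32        call ObpGetObjectSecurity        <- p
 *     5D              pop  ebp
 *     C2 0C 00        ret  0Ch
 *
 * Returns the call target, or 0 when the pattern is not found within the
 * first 0x50 bytes. Callers MUST check for 0: this is a byte signature, not a
 * symbol, and on another kernel build it silently misses or matches
 * something else. The scan starts at offset 3 because the pattern looks 3
 * bytes back from the candidate call; starting at 0 read bytes before the
 * function's first instruction.
 */
ULONG GetObpGetObjectSecurityAddr()
{
    PUCHAR base = (PUCHAR)ObGetObjectSecurity;
    ULONG i;

    for (i = 3; i < 0x50; i++) {
        PUCHAR p = base + i;

        if (p[-3] == 0xFF && p[-2] == 0x75 &&               /* push [ebp+xx] */
            p[0] == 0xE8 &&                                 /* call rel32    */
            p[5] == 0x5D &&                                 /* pop ebp       */
            p[6] == 0xC2 && p[7] == 0x0C && p[8] == 0x00)   /* ret 0Ch       */
        {
            /* rel32 is relative to the byte after the 5-byte call. */
            return (ULONG)(p + 5) + *(PULONG)(p + 1);
        }
    }

    KdPrint(("Find GetObpGetObjectSecurityAddr faile!\n"));
    return 0;
}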
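/*
 * Starting at StartAddress (ObpGetObjectSecurity), find the instruction
 *
 *     81 BE A0 00 00 00 imm32    cmp dword ptr [esi+0A0h], imm32
 *
 * preceded by the bytes 4D FC. The detour stubs treat esi here as the
 * OBJECT_TYPE pointer and +0xA0 as TypeInfo.SecurityProcedure (0x60 + 0x40,
 * the same offsets the companion "simulate" driver hooks); the imm32 is the
 * kernel's SeDefaultObjectMethod, which PassObjectHook reads from +6.
 *
 * Returns the address of the 10-byte cmp, or 0 if not found within 0x200
 * bytes. A 0 StartAddress (a failed earlier scan) returns 0 immediately
 * instead of reading around address 0. All four displacement bytes are
 * checked so the match is exactly [esi+0A0h].
 */
ULONG SearchObpGetObjectSecurityHookPointer(ULONG StartAddress)
{
    PUCHAR base = (PUCHAR)StartAddress;
    ULONG i;

    if (StartAddress == 0) {
        KdPrint(("SearchObpGetObjectSecurityHookPointer: start address is 0\n"));
        return 0;
    }

    for (i = 2; i < 0x200; i++) {
        PUCHAR p = base + i;

        if (p[-2] == 0x4D && p[-1] == 0xFC &&
            p[0] == 0x81 && p[1] == 0xBE &&                         /* cmp dword ptr [esi+disp32], imm32 */
            p[2] == 0xA0 && p[3] == 0x00 && p[4] == 0x00 && p[5] == 0x00) /* disp32 == 0xA0 */
        {
            return (ULONG)p;
        }
    }

    KdPrint(("Find SearchObpGetObjectSecurityHookPointer failed!\n"));
    return 0;
}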
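/*
 * Starting at StartAddress (ObAssignSecurity), find the instruction
 *
 *     FF 96 A0 00 00 00    call dword ptr [esi+0A0h]
 *
 * preceded by the bytes 75 10 (a short jne). This is the kernel calling the
 * type's SecurityProcedure (esi = OBJECT_TYPE, +0xA0 = TypeInfo.SecurityProcedure
 * as used throughout this driver).
 *
 * Returns the address of the 6-byte call, or 0 if not found within 0x200
 * bytes. A 0 StartAddress returns 0 immediately. All four displacement bytes
 * are checked so the match is exactly [esi+0A0h].
 */
ULONG SearchObAssignSecurityHookPointer(ULONG StartAddress)
{
    PUCHAR base = (PUCHAR)StartAddress;
    ULONG i;

    if (StartAddress == 0) {
        KdPrint(("SearchObAssignSecurityHookPointer: start address is 0\n"));
        return 0;
    }

    for (i = 2; i < 0x200; i++) {
        PUCHAR p = base + i;

        if (p[-2] == 0x75 && p[-1] == 0x10 &&                       /* jne short +10h */
            p[0] == 0xFF && p[1] == 0x96 &&                         /* call dword ptr [esi+disp32] */
            p[2] == 0xA0 && p[3] == 0x00 && p[4] == 0x00 && p[5] == 0x00) /* disp32 == 0xA0 */
        {
            return (ULONG)p;
        }
    }

    KdPrint(("Find SearchObAssignSecurityHookPointer failed!\n"));
    return 0;
}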
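/*
 * Decide whether an object whose OBJECT_TYPE pointer is ObjectType should
 * bypass the installed SecurityProcedure. Returns 1 for the Thread and
 * Process types, 0 for anything else.
 *
 * Called from the naked stubs NewGetObpGetObjectSecurity /
 * NewObAssignSecurity as `push esi; call FilterObjectType` with no stack
 * clean-up afterwards, so it MUST pop its own argument. NTAPI (__stdcall)
 * makes that explicit instead of relying on the build using /Gz as its
 * default convention; under __cdecl the stubs' following popfd/popad would
 * be off by one slot.
 */
ULONG NTAPI FilterObjectType(ULONG ObjectType)
{
    if (ObjectType == (ULONG)*PsThreadType) {
        return 1;
    }
    if (ObjectType == (ULONG)*PsProcessType) {
        return 1;
    }
    return 0;
}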
/*
 * Detour body for the patched `cmp dword ptr [esi+0A0h], SeDefaultObjectMethod`
 * inside ObpGetObjectSecurity (see PassObjectHook). Entered via the 5-byte
 * jmp written over that instruction, so it must leave every register as the
 * kernel left it and produce only the flags the displaced cmp would have.
 *
 *  - esi is treated as the OBJECT_TYPE pointer (the register the displaced
 *    cmp indexes).
 *  - For Thread/Process types (FilterObjectType != 0) the cmp is replaced by
 *    `cmp eax,eax`, i.e. ZF=1: the kernel then takes the branch it takes
 *    when the type's procedure equals SeDefaultObjectMethod, regardless of
 *    what is actually installed at +0xA0.
 *  - For every other type the displaced cmp is replayed verbatim, using the
 *    SeDefaultObjectMethod value captured at patch time.
 *
 * Assumptions to verify against the target build:
 *  - FilterObjectType pops its own argument (__stdcall); there is no
 *    `add esp,4` after the call.
 *  - `pop eax` does not alter EFLAGS, so the push/pop around the replayed
 *    cmp preserves its result.
 *  - g_retn_ObpGetObjectSecurity holds the address of the instruction after
 *    the 10-byte cmp; `jmp g_retn_...` is an indirect jump through that
 *    global.
 */
__declspec(naked) void NewGetObpGetObjectSecurity()
{
    __asm
    {
        pushad
        pushfd
        push esi                            // ObjectType = esi
        call FilterObjectType               // eax != 0 -> Thread or Process type
        test eax, eax
        je __exit
        popfd
        popad
        cmp eax,eax                         // force ZF=1: "procedure == SeDefaultObjectMethod"
        jmp g_retn_ObpGetObjectSecurity
    __exit:
        popfd
        popad

        push eax
        mov eax, g_uSeDefaultObjectMethod
        cmp dword ptr [esi + 0A0h], eax     // replay the displaced instruction
        pop eax                             // pop leaves EFLAGS untouched
        jmp g_retn_ObpGetObjectSecurity
    }
}
/*
 * Detour body for the patched `call dword ptr [esi+0A0h]` inside
 * ObAssignSecurity (see PassObjectHook). The displaced instruction called the
 * type's SecurityProcedure with arguments the kernel had already pushed.
 *
 *  - For Thread/Process types the call is redirected to SeDefaultObjectMethod
 *    (captured by PassObjectHook from ObpGetObjectSecurity) instead of
 *    whatever is installed at +0xA0, so the hooked procedure is bypassed on
 *    this path as well.
 *  - For other types the original indirect call is replayed.
 *
 * Assumptions to verify against the target build:
 *  - ebx is used as scratch for the redirected call and then zeroed; this is
 *    only safe if ObAssignSecurity has no live value in ebx at this point
 *    (or expects it to be zero). The commented-out alternative instead wrote
 *    SeDefaultObjectMethod into the type's procedure slot and called through
 *    it.
 *  - g_uSeDefaultObjectMethod is non-zero, i.e. the ObpGetObjectSecurity
 *    patch succeeded first; otherwise `call ebx` is a call to address 0.
 *  - FilterObjectType pops its own argument (__stdcall).
 *  - g_retn_ObAssignSecurity holds the address after the 6-byte call.
 */
__declspec(naked) void NewObAssignSecurity()
{
    __asm
    {
        pushad
        pushfd
        push esi                            // ObjectType = esi
        call FilterObjectType               // eax != 0 -> Thread or Process type
        test eax, eax
        je __exit
        popfd
        popad
        mov ebx, g_uSeDefaultObjectMethod   // call SeDefaultObjectMethod instead of [esi+0A0h]
        call ebx
        xor ebx,ebx                         // see ebx assumption above
        //mov dword ptr [esi + 0A0h], ebx
        //call dword ptr [esi + 0A0h]
        jmp g_retn_ObAssignSecurity
    __exit:
        popfd
        popad

        call dword ptr [esi + 0A0h]         // replay the displaced call
        jmp g_retn_ObAssignSecurity
    }
}
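/*
 * Install both bypass patches:
 *  1. in ObpGetObjectSecurity, divert the 10-byte
 *     `cmp dword ptr [esi+0A0h], SeDefaultObjectMethod` to
 *     NewGetObpGetObjectSecurity and remember SeDefaultObjectMethod from its
 *     imm32 (at +6);
 *  2. in ObAssignSecurity, divert the 6-byte `call dword ptr [esi+0A0h]` to
 *     NewObAssignSecurity.
 *
 * Each site is patched only when its signature was found; the original
 * dereferenced the scan result even when it was 0. Patch 2 additionally
 * requires patch 1, because NewObAssignSecurity calls through
 * g_uSeDefaultObjectMethod. Resume addresses and the captured
 * SeDefaultObjectMethod are stored before the jmp is written, since the stubs
 * read them as soon as the patch is live.
 *
 * Returns TRUE when both patches are in place. Sites that were not patched
 * leave their *_hookpointer at 0, which UnPassObjectHook treats as "nothing
 * to restore".
 */
BOOLEAN PassObjectHook()
{
    ULONG objpGetObjectSecurity = GetObpGetObjectSecurityAddr();

    /* --- ObpGetObjectSecurity: cmp dword ptr [esi+0A0h], imm32 --- */
    g_ObpGetObjectSecurity_hookpointer =
        (objpGetObjectSecurity != 0) ? SearchObpGetObjectSecurityHookPointer(objpGetObjectSecurity) : 0;

    if (g_ObpGetObjectSecurity_hookpointer == 0) {
        KdPrint(("PassObjectHook: ObpGetObjectSecurity patch site not found, nothing patched\n"));
        return FALSE;
    }

    g_retn_ObpGetObjectSecurity = g_ObpGetObjectSecurity_hookpointer + 10;      /* next instruction */
    g_uSeDefaultObjectMethod = *(PULONG)(g_ObpGetObjectSecurity_hookpointer + 6); /* imm32 of the cmp */
    Jmp_HookFunction(g_ObpGetObjectSecurity_hookpointer,
                     (ULONG)NewGetObpGetObjectSecurity,
                     g_szBackupObpGetObjectSecurity);

    /* --- ObAssignSecurity: call dword ptr [esi+0A0h] --- */
    g_ObAssignSecurity_hookpointer = SearchObAssignSecurityHookPointer((ULONG)ObAssignSecurity);

    if (g_ObAssignSecurity_hookpointer == 0) {
        KdPrint(("PassObjectHook: ObAssignSecurity patch site not found, skipped\n"));
        return FALSE;
    }

    g_retn_ObAssignSecurity = g_ObAssignSecurity_hookpointer + 6;               /* next instruction */
    Jmp_HookFunction(g_ObAssignSecurity_hookpointer,
                     (ULONG)NewObAssignSecurity,
                     g_szBackupObAssignSecurity);

    return TRUE;
}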
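/* TRUE if `site` still begins with the E9 rel32 jmp to `stub` that
 * Jmp_HookFunction wrote there. */
static BOOLEAN StillOurJmp(ULONG site, ULONG stub)
{
    return *(PUCHAR)site == 0xE9 &&
           *(PULONG)(site + 1) == (stub - site - 5);
}

/*
 * Remove both patches by writing the saved bytes back, then zero the site
 * addresses so a second call is a no-op. Sites that PassObjectHook never
 * patched (pointer 0) are skipped.
 *
 * Before restoring, each site is checked for the jmp we wrote. If another
 * component has since patched over it, restoring our backup destroys its
 * hook (and its own backup would later re-install a jump into our unloaded
 * image). Nothing good can be done about that from DriverUnload, so this
 * logs and restores anyway. Threads already past the jmp, inside the detour
 * stubs, are not waited for.
 */
void UnPassObjectHook()
{
    if (g_ObpGetObjectSecurity_hookpointer != 0) {
        if (!StillOurJmp(g_ObpGetObjectSecurity_hookpointer, (ULONG)NewGetObpGetObjectSecurity)) {
            KdPrint(("UnPassObjectHook: ObpGetObjectSecurity site was re-patched by another component\n"));
        }
        Res_HookFunction(g_ObpGetObjectSecurity_hookpointer,
                         g_szBackupObpGetObjectSecurity,
                         sizeof(g_szBackupObpGetObjectSecurity));
        g_ObpGetObjectSecurity_hookpointer = 0;
    }

    if (g_ObAssignSecurity_hookpointer != 0) {
        if (!StillOurJmp(g_ObAssignSecurity_hookpointer, (ULONG)NewObAssignSecurity)) {
            KdPrint(("UnPassObjectHook: ObAssignSecurity site was re-patched by another component\n"));
        }
        Res_HookFunction(g_ObAssignSecurity_hookpointer,
                         g_szBackupObAssignSecurity,
                         sizeof(g_szBackupObAssignSecurity));
        g_ObAssignSecurity_hookpointer = 0;
    }
}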
- #pragma INITCODE
/*
 * Driver entry for the bypass driver: registers the unload routine, then
 * applies the ObpGetObjectSecurity / ObAssignSecurity patches. RegistryPath
 * is unused. Always reports STATUS_SUCCESS, so a failed signature scan still
 * leaves the driver loaded - check the KdPrint output.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    PassObjectHook();

    return STATUS_SUCCESS;
}
- #pragma PAGEDCODE
/*
 * Unload routine: traces, then writes the displaced bytes back over both
 * patch sites. Threads currently inside the detour stubs are not drained,
 * so unloading while the patched paths are busy is unsafe.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    KdPrint(("DriverEntry unLoading...\n"));
    UnPassObjectHook();
}