
Object Hook的讲解,为了后续的HP保护做准备

Driver.h
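#ifdef __cplusplus
extern "C"
{
#endif
#include <ntddk.h>
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

#ifdef __cplusplus
}
#endif

// Section-placement helpers, used as `#pragma INITCODE` / `#pragma PAGEDCODE`
// in front of a definition to put it into the INIT or PAGE section.
#define PAGEDCODE code_seg("PAGE")
#define LOCKEDCODE code_seg()
#define INITCODE code_seg("INIT")

#define PAGEDDATA data_seg("PAGE")
#define LOCKEDDATA data_seg()
#define INITDATA data_seg("INIT")

// Element count of a true array; gives a wrong answer for a pointer or an array parameter.
#define arraysize(p) (sizeof(p)/sizeof((p)[0]))

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

// Signature of an object type's security procedure, i.e. the SecurityProcedure
// slot of the type's OBJECT_TYPE_INITIALIZER that HandleObjectHook patches.
// NOTE(review): the last parameter is named `unknown` here; it is presumably the
// caller's KPROCESSOR_MODE as in the kernel's own prototype — verify against a
// kernel header before relying on it.
typedef NTSTATUS (*OB_SECURITY_METHOD)(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
        IN PVOID unknown
    );


// Mirror of an undocumented kernel structure. Not referenced by the Driver.cpp
// listing that accompanies this header.
// NOTE(review): this layout is build-specific (32-bit field sizes) — confirm
// against the target build's symbols before dereferencing it.
typedef struct _OBJECT_CREATE_INFORMATION {
        ULONG Attributes;
        HANDLE RootDirectory;
        PVOID ParseContext;
        KPROCESSOR_MODE ProbeMode;
        ULONG PagedPoolCharge;
        ULONG NonPagedPoolCharge;
        ULONG SecurityDescriptorCharge;
        PSECURITY_DESCRIPTOR SecurityDescriptor;
        PSECURITY_QUALITY_OF_SERVICE SecurityQos;
        SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION;

// Stray second semicolon removed (an empty declaration, rejected by pedantic C compilers).
typedef struct _OBJECT_CREATE_INFORMATION *POBJECT_CREATE_INFORMATION;

// Mirror of the undocumented object header that precedes every object body.
// Not referenced by the accompanying Driver.cpp listing.
// NOTE(review): like OBJECT_CREATE_INFORMATION this matches one older 32-bit
// layout only and is not stable across Windows versions — confirm before use.
typedef struct _OBJECT_HEADER {
        LONG_PTR PointerCount;
        union {
                LONG_PTR HandleCount;
                PVOID NextToFree;
        };
        POBJECT_TYPE Type;
        UCHAR NameInfoOffset;
        UCHAR HandleInfoOffset;
        UCHAR QuotaInfoOffset;
        UCHAR Flags;

        union {
                POBJECT_CREATE_INFORMATION ObjectCreateInfo;
                PVOID QuotaBlockCharged;
        };

        PSECURITY_DESCRIPTOR SecurityDescriptor;
        QUAD Body;   // the object body starts here; see OBJECT_TO_OBJECT_HEADER
} OBJECT_HEADER, *POBJECT_HEADER;

// Object body pointer -> header pointer (the header immediately precedes the body).
#define OBJECT_TO_OBJECT_HEADER( o ) \
        CONTAINING_RECORD( (o), OBJECT_HEADER, Body )



// Exported by the kernel but not declared in the public headers, hence the local
// prototype. Returns a pointer to the EPROCESS image-name field: a short (15-byte)
// file name, never a full path, so longer image names arrive truncated.
EXTERN_C NTKERNELAPI UCHAR * PsGetProcessImageFileName(
     __in PEPROCESS Process
     );

// bHook == TRUE installs MySecurityProcedure on the process object type,
// bHook == FALSE restores the original procedure.
void HandleObjectHook(BOOLEAN bHook);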
Driver.cpp
  1. #include "Driver.h"


// Original SecurityProcedure of the process object type, saved by
// HandleObjectHook(TRUE) and called through by MySecurityProcedure.
// Zero (NULL) until the hook is installed; HandleObjectHook(FALSE) writes it
// back into the type.
OB_SECURITY_METHOD g_pfnSecurityProcedure;

// Re-enables kernel write protection on the current processor: sets bit 16 (WP)
// of CR0, then re-enables interrupts with sti. Counterpart of PageProtectOff.
// Not called anywhere in this listing (HandleObjectHook writes to the type
// object directly).
// NOTE(review): cli/sti only mask interrupts on the CPU this runs on, and the
// pair assumes PageProtectOff ran first on the same CPU with interrupts
// enabled; used across a context switch or on a multiprocessor system it
// leaves WP/IF in the wrong state. 32-bit MSVC inline assembly; does not build
// for x64.
void PageProtectOn()
{
        // restore memory write protection (set CR0.WP)
        __asm
        {
                mov eax, cr0
                or eax, 10000h
                mov cr0, eax
                sti
        }
}

// Disables kernel write protection on the current processor: masks interrupts
// with cli, then clears bit 16 (WP) of CR0. Counterpart of PageProtectOn, which
// is expected to follow on the same CPU.
// Not called anywhere in this listing.
// NOTE(review): per-CPU only — other processors keep WP set and keep running;
// cli is not a lock. A preemption or a call that blocks between this and
// PageProtectOn would leave the CPU with interrupts masked. 32-bit MSVC inline
// assembly; does not build for x64.
void PageProtectOff()
{
        // drop memory write protection (clear CR0.WP)
        __asm
        {
                cli
                mov eax, cr0
                and eax, not 10000h
                mov cr0, eax
        }
}

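// Replacement security procedure installed on the process object type by
// HandleObjectHook(TRUE). Every security operation on a process object comes
// through here first; Object is a PEPROCESS because the hook sits on
// PsProcessType. Calls whose target process image name is "calc.exe" are
// rejected with STATUS_INVALID_PARAMETER regardless of OperationCode; all
// other calls are forwarded unchanged to the original procedure saved in
// g_pfnSecurityProcedure, and its result is returned as-is.
// Parameters: identical to OB_SECURITY_METHOD.
// Fixes over the original: pointers are logged with %p rather than %08x (the
// pointer/format mismatch is undefined behaviour and truncates on 64-bit), and
// the image-name pointer is checked before _stricmp dereferences it.
NTSTATUS MySecurityProcedure(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
        IN PVOID unknown
    )
{
        // Fires on every security operation on every process; noisy on a checked build.
        KdPrint(("Current Eprocess: %p Object:%p\n", IoGetCurrentProcess(), Object));

        // Points into the EPROCESS image-name field: a short, truncated file
        // name (never a full path), so the comparison is by base name only.
        PUCHAR pTargetName = PsGetProcessImageFileName((PEPROCESS)Object);
        if (pTargetName != NULL && _stricmp((const char *)pTargetName, "calc.exe") == 0)
        {
                return STATUS_INVALID_PARAMETER;
        }

        // HandleObjectHook saves the original procedure before installing this
        // one, so g_pfnSecurityProcedure is valid whenever this function runs.
        return g_pfnSecurityProcedure(
                Object,
                OperationCode,
                SecurityInformation,
                SecurityDescriptor,
                CapturedLength,
                ObjectsSecurityDescriptor,
                PoolType,
                GenericMapping,
                unknown);
}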

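// Installs (bHook == TRUE) or removes (bHook == FALSE) the security-procedure
// hook on the process object type.
// The patched pointer lives inside the OBJECT_TYPE that *PsProcessType points
// to: 0x60 is taken as the offset of its TypeInfo (OBJECT_TYPE_INITIALIZER) and
// 0x40 as the offset of SecurityProcedure inside that. Both offsets are
// hard-coded for one 32-bit kernel build (the ULONG casts make this x86-only)
// and are not stable across Windows versions; on a build where they differ the
// store lands in an unrelated field. TODO confirm against the target build's
// symbols.
// The original procedure is kept in g_pfnSecurityProcedure so that
// MySecurityProcedure can forward to it and the unhook path can restore it.
// Fixes over the original: the function is now idempotent. Hooking twice used
// to overwrite the saved pointer with MySecurityProcedure itself, after which
// forwarding recursed without end; unhooking before hooking wrote a NULL
// pointer into the type. Neither can happen now.
// Left as-is: the pointer is replaced by a plain store rather than an
// interlocked exchange, and unhooking does not wait for a caller that is
// already executing MySecurityProcedure.
void HandleObjectHook(BOOLEAN bHook)
{
        PVOID pTypeInfo = (PVOID)((ULONG)*PsProcessType + 0x60);
        OB_SECURITY_METHOD *ppSecurityProcedure =
                (OB_SECURITY_METHOD *)((ULONG)pTypeInfo + 0x40);

        if (bHook)
        {
                // Already installed: saving again would capture our own
                // function as the "original".
                if (*ppSecurityProcedure == MySecurityProcedure)
                {
                        return;
                }
                g_pfnSecurityProcedure = *ppSecurityProcedure;
                *ppSecurityProcedure = MySecurityProcedure;
        }
        else
        {
                // Never hooked: nothing to restore, and writing NULL here
                // would crash the next security operation on a process.
                if (g_pfnSecurityProcedure == NULL)
                {
                        return;
                }
                *ppSecurityProcedure = g_pfnSecurityProcedure;
        }
}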


  67. #pragma INITCODE
// Driver entry point: installs the process-type security hook and registers
// DriverUnload so the hook is removed again when the driver is stopped.
// RegistryPath is not used. Always returns STATUS_SUCCESS.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
  (void)RegistryPath;

  HandleObjectHook(TRUE);
  DriverObject->DriverUnload = DriverUnload;

  return STATUS_SUCCESS;
}

  75. #pragma PAGEDCODE
// Unload routine registered by DriverEntry: restores the original security
// procedure on the process type, then logs. DriverObject is not used.
// Nothing here waits for a caller that is still inside MySecurityProcedure
// when the pointer is restored, so the image can be unmapped under that call.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
  (void)DriverObject;

  HandleObjectHook(FALSE);
  KdPrint(("DriverEntry unLoading...\n"));
}
