- #pragma once
// Argument block handed to an object type's DumpProcedure (OB_DUMP_METHOD).
// Neither field is read anywhere in this file.
typedef struct _OBJECT_DUMP_CONTROL {
    PVOID Stream;   // output sink for the dump (by name only; unused here)
    ULONG Detail;   // requested verbosity (by name only; unused here)
} OB_DUMP_CONTROL, *POB_DUMP_CONTROL;
// DumpProcedure: debug dump of Object. Control may be NULL.
typedef VOID (*OB_DUMP_METHOD)(
    IN PVOID Object,
    IN POB_DUMP_CONTROL Control OPTIONAL
    );
// Why an OpenProcedure (OB_OPEN_METHOD) is being invoked for a handle.
typedef enum _OB_OPEN_REASON {
    ObCreateHandle,
    ObOpenHandle,
    ObDuplicateHandle,
    ObInheritHandle,
    ObMaxOpenReason     // upper bound / count, not a real reason
} OB_OPEN_REASON;
// OpenProcedure: called when a handle to Object is created/opened/duplicated/
// inherited (see OB_OPEN_REASON) with GrantedAccess. Process may be NULL.
// A failure status is returned to the caller performing the open.
typedef NTSTATUS (*OB_OPEN_METHOD)(
    IN OB_OPEN_REASON OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    );
// CloseProcedure: notification that a handle to Object is being closed.
// The two counts are the remaining handle counts for the process and the
// whole system; Process may be NULL.
typedef VOID (*OB_CLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG_PTR ProcessHandleCount,
    IN ULONG_PTR SystemHandleCount
    );
// DeleteProcedure: last-reference cleanup of Object before its storage goes.
typedef VOID (*OB_DELETE_METHOD)(
    IN PVOID Object
    );
// SecurityProcedure: query/set of Object's security descriptor, selected by
// OperationCode. This is the slot that HandleObjectHook replaces on the
// process object type, so Hook_OB_SECURITY_METHOD must match this shape.
//
// NOTE(review): the documented method ends at GenericMapping (8 parameters);
// the trailing `unknown` parameter is an extra argument. With a callee-cleanup
// calling convention an argument-count mismatch between the kernel's call and
// the hook corrupts the stack — confirm this signature against the target
// kernel before relying on it.
typedef NTSTATUS (*OB_SECURITY_METHOD)(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN PVOID unknown
    );
// ParseProcedure: resolves RemainingName relative to ParseObject during a
// name lookup and returns the resolved object through *Object.
// Context and SecurityQos may be NULL.
typedef NTSTATUS (*OB_PARSE_METHOD)(
    IN PVOID ParseObject,
    IN PVOID ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN KPROCESSOR_MODE AccessMode,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object
    );
// OkayToCloseProcedure: consulted before Handle to Object is closed;
// returning FALSE vetoes the close. Process may be NULL.
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN HANDLE Handle,
    IN KPROCESSOR_MODE PreviousMode
    );
// QueryNameProcedure: fills ObjectNameInfo (Length bytes available) with
// Object's name; *ReturnLength receives the size needed.
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
    IN PVOID Object,
    IN BOOLEAN HasObjectName,
    OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
    IN ULONG Length,
    OUT PULONG ReturnLength,
    IN KPROCESSOR_MODE Mode
    );
// Per-type behaviour block embedded in OBJECT_TYPE (field TypeInfo).
// HandleObjectHook only touches SecurityProcedure; every other field is
// declared here solely so that TypeInfo has the right size and offsets.
// NOTE(review): this is a private kernel layout — confirm the field order
// and sizes against the target kernel version.
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    OB_DUMP_METHOD DumpProcedure;
    OB_OPEN_METHOD OpenProcedure;
    OB_CLOSE_METHOD CloseProcedure;
    OB_DELETE_METHOD DeleteProcedure;
    OB_PARSE_METHOD ParseProcedure;
    OB_SECURITY_METHOD SecurityProcedure;       // swapped by HandleObjectHook
    OB_QUERYNAME_METHOD QueryNameProcedure;
    OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
#define OBJECT_LOCK_COUNT 4

// Private layout of the kernel's OBJECT_TYPE, the structure *PsProcessType
// points at. Only TypeInfo is dereferenced in this code; if the leading
// fields do not match the running kernel, the write to
// TypeInfo.SecurityProcedure lands on the wrong memory.
// NOTE(review): kernel-version specific — confirm against the target build.
typedef struct _OBJECT_TYPE {
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name; // Copy from object header for convenience
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;   // callbacks; see HandleObjectHook
#ifdef POOL_TAGGING
    ULONG Key;
#endif //POOL_TAGGING
    ERESOURCE ObjectLocks[ OBJECT_LOCK_COUNT ];
} OBJECT_TYPE, *POBJECT_TYPE;
// Installs (bHook == TRUE) or removes (bHook == FALSE) the SecurityProcedure
// hook on the process object type. See the implementation file for the
// ordering and unload caveats.
VOID HandleObjectHook(BOOLEAN bHook);
#include "StdAfx.h"
#include "ObjectHook.h"

// Original SecurityProcedure of the process object type, saved by
// HandleObjectHook(TRUE) and called through by Hook_OB_SECURITY_METHOD.
// It is not cleared by HandleObjectHook(FALSE).
OB_SECURITY_METHOD g_OB_SECURITY_METHOD = NULL;

// Exported by the kernel but absent from the public headers, hence the manual
// prototype. Returns a pointer to the short (truncated, no path) image file
// name stored in the EPROCESS.
extern "C" NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
    __in PEPROCESS Process
    );
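/*
 * Replacement SecurityProcedure for the process object type.
 *
 * Installed by HandleObjectHook(TRUE) in place of the original
 * OBJECT_TYPE_INITIALIZER::SecurityProcedure of *PsProcessType, so Object is
 * the EPROCESS whose security descriptor is being queried or set. Requests
 * whose target image name is exactly "calc.exe" are refused with
 * STATUS_INVALID_PARAMETER; everything else is forwarded unchanged to the
 * saved original in g_OB_SECURITY_METHOD.
 *
 * Parameters mirror OB_SECURITY_METHOD (ObjectHook.h) and are passed through
 * untouched.
 *
 * Returns STATUS_INVALID_PARAMETER for the filtered process (and, defensively,
 * when no original method has been saved); otherwise the original's status.
 */
NTSTATUS Hook_OB_SECURITY_METHOD(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN PVOID unknown
    )
{
    // ImageFileName is the truncated basename kept in the EPROCESS, not a
    // full path. The comparison is exact and case-sensitive: "CALC.EXE" or a
    // renamed binary is not matched.
    const char *szProcName = (const char *)PsGetProcessImageFileName((PEPROCESS)Object);

    // Log caller and target separately: the name printed belongs to Object,
    // not to the process that issued the request. (The old format string
    // "0x08%x" printed "08" literally and passed a pointer to %x; %p is the
    // matching specifier.)
    DbgPrint("Caller EPROCESS: 0x%p\tTarget EPROCESS: 0x%p\tObject Name: %s\n",
             IoGetCurrentProcess(), Object, szProcName);

    if (strcmp("calc.exe", szProcName) == 0)
    {
        return STATUS_INVALID_PARAMETER;
    }

    // HandleObjectHook(TRUE) stores the original before installing this hook,
    // so a NULL here means the hook was installed some other way. Fail closed
    // rather than call through a NULL pointer.
    if (g_OB_SECURITY_METHOD == NULL)
    {
        return STATUS_INVALID_PARAMETER;
    }

    return g_OB_SECURITY_METHOD(Object,
                                OperationCode,
                                SecurityInformation,
                                SecurityDescriptor,
                                CapturedLength,
                                ObjectsSecurityDescriptor,
                                PoolType,
                                GenericMapping,
                                unknown);
}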
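/*
 * Installs (bHook == TRUE) or removes (bHook == FALSE) the SecurityProcedure
 * hook on the process object type.
 *
 * The hook lives in the OBJECT_TYPE_INITIALIZER embedded in *PsProcessType,
 * located through the private OBJECT_TYPE layout in ObjectHook.h. The original
 * method is kept in g_OB_SECURITY_METHOD so Hook_OB_SECURITY_METHOD can
 * forward to it.
 *
 * Idempotent: a second TRUE call no longer overwrites the saved original with
 * the hook itself (which would make the hook call itself until the stack
 * overflowed), and a FALSE call without an installed hook is a no-op.
 *
 * Caveats for the caller:
 *  - g_OB_SECURITY_METHOD is deliberately left set after removal so that a
 *    hook invocation already running on another CPU can still forward.
 *    Nothing here waits for such invocations; unloading the driver right
 *    after HandleObjectHook(FALSE) can still fault.
 *  - The OBJECT_TYPE layout is kernel-version specific; on a kernel with a
 *    different layout this writes to the wrong field.
 */
VOID HandleObjectHook(BOOLEAN bHook)
{
    OBJECT_TYPE_INITIALIZER *ptypeinfo = &((*PsProcessType)->TypeInfo);

    if (bHook)
    {
        // Already installed: keep the genuine original, do not re-save.
        if (ptypeinfo->SecurityProcedure == Hook_OB_SECURITY_METHOD)
        {
            return;
        }
        // Save first, then publish: the hook reads g_OB_SECURITY_METHOD as
        // soon as it is reachable through the type's callback slot.
        g_OB_SECURITY_METHOD = ptypeinfo->SecurityProcedure;
        ptypeinfo->SecurityProcedure = Hook_OB_SECURITY_METHOD;
    }
    else
    {
        // Only restore when our hook is actually in place and an original
        // was recorded; otherwise we would clobber a foreign callback or
        // install NULL.
        if (ptypeinfo->SecurityProcedure != Hook_OB_SECURITY_METHOD ||
            g_OB_SECURITY_METHOD == NULL)
        {
            return;
        }
        ptypeinfo->SecurityProcedure = g_OB_SECURITY_METHOD;
    }
}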