[分享]hook ObOpenObjectByPointer
2008-6-26 11:04
大牛们分析透了的东西,该我们小菜玩了.
#include "ntddk.h"
#include <windef.h>
#include <stdlib.h>
#include "dayed.h"

/*
 * Inline hook of ObOpenObjectByPointer (x86-32, MSVC): the first 5 bytes of the
 * kernel routine are overwritten with a jmp to fake_ObOpenObjectByPointer, and
 * a 12-byte trampoline (Proxy_ObOpenObjectByPointer) replays the saved bytes
 * and far-jumps back to the original + 5. The hook refuses opens of one
 * process (and its threads) by any other process.
 *
 * Reviewer notes: the OBJECT_HEADER layout read below is version-specific
 * (later releases replace the Type pointer with an index; ObGetObjectType()
 * is the supported accessor), the byte patching is x86-32 only and is rejected
 * by Kernel Patch Protection on 64-bit Windows, and ObRegisterCallbacks() is
 * the documented way to filter process/thread handle opens.
 */

/* Object body -> OBJECT_HEADER, the same CONTAINING_RECORD idiom the kernel uses. */
#define OBJECT_TO_OBJECT_HEADER( o ) CONTAINING_RECORD( (o), OBJECT_HEADER, Body )    
/* Kernel-exported type objects; compared against OBJECT_HEADER.Type in the hook. */
extern POBJECT_TYPE *PsProcessType;
extern POBJECT_TYPE *PsThreadType;
/* Serialises the RtlCopyMemory patch/unpatch in StartHook/StopHook against each
 * other. It is never passed to KeInitializeSpinLock in this file (relies on the
 * zero-initialised global). */
KSPIN_LOCK SDTSpinLock;
/* NOTE(review): the IRQL returned by KeAcquireSpinLock is kept in a file-scope
 * variable; the spin-lock contract wants it in a local of the acquiring function. */
KIRQL  oldIrql;

BYTE g_HookCode[5] = { 0xe9, 0, 0, 0, 0 };   /* near jmp rel32; displacement filled in by StartHook */
BYTE g_OrigCode[5] = { 0 };                  /* first 5 bytes of ObOpenObjectByPointer, saved by StartHook */
/* far jmp ptr16:32: opcode 0xEA, 4-byte target (filled by StartHook), then the
 * 16-bit selector 0x0008 in little-endian (0x08, 0x00) — the x86 kernel code segment. */
BYTE jmp_orig_code[7] = { 0xEA, 0, 0, 0, 0, 0x08, 0x00 }; 
char* MyProtectName = "notepad.exe";   /* image name to protect, matched case-insensitively in DriverEntry */
int MyProtectPID=0;                    /* its PID once found; 0 means "not found, hook not installed" */

/* EPROCESS: scratch global written by the hook (not safe for concurrent callers).
 * ProtectedProcess: EPROCESS of MyProtectPID, resolved in DriverEntry. */
PEPROCESS EPROCESS,ProtectedProcess;

void StartHook ();

/* Local redeclarations of kernel exports used below. PsLookupProcessByProcessId
 * is declared here with a ULONG id (the WDK prototype takes a HANDLE — confirm
 * this does not clash with the included headers). */
NTSYSAPI
NTSTATUS
NTAPI ObOpenObjectByPointer(
  IN PVOID  Object,
  IN ULONG  HandleAttributes,
  IN PACCESS_STATE  PassedAccessState  OPTIONAL,
  IN ACCESS_MASK  DesiredAccess  OPTIONAL,
  IN POBJECT_TYPE  ObjectType  OPTIONAL,
  IN KPROCESSOR_MODE  AccessMode,
  OUT PHANDLE  Handle);

NTKERNELAPI
NTSTATUS
PsLookupProcessByProcessId (
      IN ULONG          ProcessId,
      OUT PEPROCESS     *Process
);

NTKERNELAPI
PEPROCESS
NTAPI
IoThreadToProcess (
    IN PETHREAD Thread
);

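/*
 * Restores the original first 5 bytes of ObOpenObjectByPointer saved by
 * StartHook. Must only be called after StartHook has run (g_OrigCode is zero
 * otherwise and would be written into the kernel routine).
 *
 * The IRQL is kept in a local as the spin-lock contract requires; the original
 * stored it in the file-scope oldIrql. Note that a thread already executing in
 * fake_ObOpenObjectByPointer / the trampoline keeps running after the bytes are
 * restored — nothing here waits for such callers before the driver is unmapped.
 */
void StopHook ()
{
	KIRQL irql;

	WPOFF();
	KeAcquireSpinLock( &SDTSpinLock, &irql );
	RtlCopyMemory ( (BYTE*)ObOpenObjectByPointer, g_OrigCode, 5 );
	KeReleaseSpinLock( &SDTSpinLock, irql );
	WPON();
}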

/*
 * Trampoline into the original ObOpenObjectByPointer.
 *
 * The body is a 12-byte placeholder that StartHook rewrites at run time:
 *   bytes 0..4  : the original routine's first 5 bytes (saved in g_OrigCode)
 *   bytes 5..11 : far jmp (0xEA, 4-byte address, 2-byte selector) to original + 5
 * Declared naked so the compiler emits no prologue/epilogue around the bytes;
 * before StartHook runs the body is just NOPs and must not be called.
 *
 * NOTE(review): no calling convention is given. The original is NTAPI
 * (__stdcall) and pops its own arguments, so the call in
 * fake_ObOpenObjectByPointer only balances the stack if this symbol is also
 * __stdcall, i.e. if the build defaults to it (MSVC /Gz) — confirm. It is also
 * assumed, not checked, that the saved 5 bytes are whole, position-independent
 * instructions.
 */
__declspec (naked) 
NTSTATUS
Proxy_ObOpenObjectByPointer(
  IN PVOID  Object,
  IN ULONG  HandleAttributes,
  IN PACCESS_STATE  PassedAccessState  OPTIONAL,
  IN ACCESS_MASK  DesiredAccess  OPTIONAL,
  IN POBJECT_TYPE  ObjectType  OPTIONAL,
  IN KPROCESSOR_MODE  AccessMode,
  OUT PHANDLE  Handle)
{
	__asm {  // 12 bytes in total, all overwritten by StartHook
			_emit 0x90
			_emit 0x90
			_emit 0x90
			_emit 0x90
			_emit 0x90  // first 5 bytes: replaced by the original function's first 5 bytes
			_emit 0x90  // this byte receives the far-jmp opcode (0xEA)
			_emit 0x90
			_emit 0x90
			_emit 0x90
			_emit 0x90  // these 4 bytes receive the address of original + 5
			_emit 0x90  
			_emit 0x90  // far jump, so a 16-bit code selector follows; the bytes written are 0x08 0x00, i.e. selector 0x0008 (the author's note said 0x0080)
	}
}


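/*
 * Filter that the 5-byte jmp placed in ObOpenObjectByPointer redirects into.
 *
 * Returns STATUS_ACCESS_DENIED when a process other than ProtectedProcess tries
 * to open (a) the protected process object itself or (b) a thread owned by it;
 * every other request is forwarded unchanged to the original routine through
 * the Proxy_ObOpenObjectByPointer trampoline. Same signature and __stdcall
 * convention as the original, so the caller's stack is cleaned as before.
 *
 * Runs in the caller's context, at the caller's IRQL, possibly on several CPUs
 * at once. The owning process of a thread is therefore kept in a local: the
 * original wrote it to the file-scope EPROCESS global, so two concurrent
 * callers could read each other's value and decide on the wrong process.
 *
 * MmIsAddressValid only reports that the page is resident right now; it does
 * not guarantee that Object is an object body. OBJECT_HEADER.Type is a
 * version-specific layout (later releases carry a type index instead).
 */
NTSTATUS __stdcall 
fake_ObOpenObjectByPointer(
  IN PVOID  Object,
  IN ULONG  HandleAttributes,
  IN PACCESS_STATE  PassedAccessState  OPTIONAL,
  IN ACCESS_MASK  DesiredAccess  OPTIONAL,
  IN POBJECT_TYPE  ObjectType  OPTIONAL,
  IN KPROCESSOR_MODE  AccessMode,
  OUT PHANDLE  Handle)
{
	PEPROCESS owner;
	PEPROCESS caller;

	if ((Object != NULL) && MmIsAddressValid(Object))
	{
		caller = PsGetCurrentProcess();

		if (OBJECT_TO_OBJECT_HEADER(Object)->Type == *PsProcessType)
		{
			/* Process object: refuse only foreign opens of the protected process. */
			if ((Object == (PVOID)ProtectedProcess) && (caller != ProtectedProcess))
			{
				return STATUS_ACCESS_DENIED;
			}
		}
		else if (OBJECT_TO_OBJECT_HEADER(Object)->Type == *PsThreadType)
		{
			/* Thread object: resolve the owning process and apply the same rule. */
			owner = IoThreadToProcess((PETHREAD)Object);
			if ((owner == ProtectedProcess) && (caller != ProtectedProcess))
			{
				return STATUS_ACCESS_DENIED;
			}
		}
	}

	return Proxy_ObOpenObjectByPointer (Object, HandleAttributes,PassedAccessState,DesiredAccess,ObjectType,AccessMode,Handle);
}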


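/*
 * Installs the inline hook:
 *   1. save the first 5 bytes of ObOpenObjectByPointer in g_OrigCode;
 *   2. complete the rel32 jmp in g_HookCode so it reaches
 *      fake_ObOpenObjectByPointer (the displacement is relative to the end of
 *      the 5-byte instruction, hence the -5);
 *   3. fill the trampoline: the saved 5 bytes, then the 7-byte far jmp
 *      (jmp_orig_code) whose target is original + 5;
 *   4. finally write the jmp over the original's first 5 bytes.
 *
 * Steps 3 and 4 are in this order on purpose: the original patched the kernel
 * routine first and filled the trampoline afterwards, so a call arriving in
 * between was redirected into a trampoline that still held NOPs.
 *
 * Assumes x86-32 (ULONG-sized addresses), that WPOFF clears CR0.WP so both the
 * kernel routine and this driver's code pages are writable, and that the saved
 * 5 bytes are whole, position-independent instructions. The spin lock only
 * serialises StartHook against StopHook; it neither makes the 5-byte write
 * atomic nor stops other CPUs from executing the bytes while they change.
 */
void StartHook ()
{ 
	KIRQL irql;   /* local, as the spin-lock contract requires (the original used a global) */

	RtlCopyMemory (g_OrigCode, (BYTE*)ObOpenObjectByPointer, 5);
	DbgPrint("g_OrigCode address at %x\n",g_OrigCode);
	*( (ULONG*)(g_HookCode + 1) ) = (ULONG)fake_ObOpenObjectByPointer - (ULONG)ObOpenObjectByPointer - 5;
	DbgPrint("fake_ObOpenObjectByPointer address at %x\n",fake_ObOpenObjectByPointer);
	DbgPrint("ObOpenObjectByPointer address at %x\n",ObOpenObjectByPointer);
	WPOFF();
	KeAcquireSpinLock( &SDTSpinLock, &irql );
	/* Trampoline first, so it is complete before any call can be redirected into it. */
	*( (ULONG*)(jmp_orig_code + 1) ) = (ULONG) ( (BYTE*)ObOpenObjectByPointer + 5 );
	RtlCopyMemory ( (BYTE*)Proxy_ObOpenObjectByPointer, g_OrigCode, 5);
	RtlCopyMemory ( (BYTE*)Proxy_ObOpenObjectByPointer+ 5, jmp_orig_code, 7);
	RtlCopyMemory ( (BYTE*)ObOpenObjectByPointer, g_HookCode, 5 );
	KeReleaseSpinLock( &SDTSpinLock, irql );
	WPON();
	DbgPrint("Proxy_ObOpenObjectByPointer address at %x\n",Proxy_ObOpenObjectByPointer);
}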

/*
 * Driver unload callback. Restores the kernel routine only if StartHook ran:
 * DriverEntry sets MyProtectPID solely on the path that installs the hook, so a
 * zero PID means there is nothing to undo (and g_OrigCode is still empty).
 * Nothing here waits for callers that are still inside the hook before the
 * image is unmapped.
 */
VOID Unload(PDRIVER_OBJECT DriverObject)
{  
	(void)DriverObject;   /* not needed for teardown */

	if (MyProtectPID)
	{
		StopHook();
	}
}

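/*
 * Driver entry point.
 *
 * Takes a snapshot of the process list (ZwQuerySystemInformation class 5,
 * SystemProcessInformation), looks for an image name equal to MyProtectName,
 * stores its PID in MyProtectPID, resolves it to an EPROCESS in
 * ProtectedProcess and installs the hook with StartHook. If no such process is
 * running the driver stays loaded but installs nothing (MyProtectPID stays 0,
 * so Unload skips StopHook).
 *
 * Returns STATUS_INSUFFICIENT_RESOURCES if the pool allocation fails, the
 * ZwQuerySystemInformation status if the snapshot fails, STATUS_SUCCESS
 * otherwise. (The original returned the literal 1 on both error paths, which
 * NT_SUCCESS() treats as success, leaving a loaded driver that never hooked.)
 *
 * The snapshot buffer is a fixed 32 KiB; a process list larger than that makes
 * the query fail instead of being retried with the size the kernel reports.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING str)
{
	NTSTATUS      ntStatus;
	char ProcessName[256];
	ULONG cbBuffer = 0x8000; 
	PSYSTEM_PROCESS_INFORMATION pInfo;
	VOID* pBuffer = NULL;
	size_t converted;

	(void)str;   /* registry path, unused */
	DriverObject->DriverUnload = Unload;

	pBuffer = ExAllocatePool (NonPagedPool, cbBuffer); 
	if (pBuffer == NULL) 
	{
		return STATUS_INSUFFICIENT_RESOURCES;
	}
	ntStatus = ZwQuerySystemInformation(5, pBuffer, cbBuffer, NULL);
	if (!NT_SUCCESS(ntStatus))
	{
		ExFreePool(pBuffer); 
		return ntStatus;
	}

	pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
	for (;;)
	{
		/* ProcessName is a UNICODE_STRING; its Buffer is used as a NUL-terminated
		 * string here, which the type does not guarantee — presumably true for
		 * this information class; confirm. */
		LPWSTR pszProcessName = pInfo->ProcessName.Buffer;
		if (pszProcessName == NULL)
		{
			pszProcessName = L"NULL"; 
		}

		/* Bounded conversion with a guaranteed terminator. The original passed
		 * the full 256, which leaves ProcessName unterminated for a long name
		 * and lets _stricmp read past the array. A name that cannot be
		 * converted is treated as a non-match. */
		converted = wcstombs(ProcessName, pszProcessName, sizeof ProcessName - 1);
		if (converted == (size_t)-1)
		{
			ProcessName[0] = '\0';
		}
		ProcessName[sizeof ProcessName - 1] = '\0';

		if (_stricmp(MyProtectName, ProcessName) == 0)
		{
			MyProtectPID = pInfo->ProcessId;
			DbgPrint("the MyProtectPID is %d\n", pInfo->ProcessId);
		}

		if (pInfo->NextEntryDelta == 0)
		{
			break; 
		}
		pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta);
	}
	ExFreePool(pBuffer); 

	if (MyProtectPID != 0)
	{
		ntStatus = PsLookupProcessByProcessId(MyProtectPID, &ProtectedProcess);
		if (NT_SUCCESS(ntStatus))
		{
			/* NOTE(review): the reference is released at once, so ProtectedProcess
			 * is a raw pointer that the hook keeps comparing after the process
			 * exits, when the EPROCESS may be recycled for an unrelated process.
			 * Keeping the reference until StopHook would need a matching
			 * ObDereferenceObject in Unload. */
			ObDereferenceObject(ProtectedProcess);

			KeInitializeSpinLock(&SDTSpinLock);   /* the lock was never initialised before */
			StartHook(); 
			DbgPrint("ObOpenObjectByPointer address at %x\n", ObOpenObjectByPointer);
			DbgPrint("Hook Start");
			return STATUS_SUCCESS;
		}
		/* The process exited between the snapshot and the lookup. The original
		 * still hooked here with ProtectedProcess unset; reset the PID instead so
		 * that Unload does not call StopHook with an empty g_OrigCode. */
		MyProtectPID = 0;
	}
	DbgPrint("Can't Hook");
	return STATUS_SUCCESS;
}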


最新回复 (11)
DiYhAcK 活跃值 2 2008-6-26 11:12
锁不是这样用的。。。
dayed 活跃值 1 2008-6-26 11:15
没懂什么意思
sislcb 活跃值 7 2008-6-26 11:18
呵呵,看过fc的分析,不过没有完整代码,谢谢楼主分享了
dayed 活跃值 1 2008-6-26 11:19
我也是看了fc的分析
北极星2003 活跃值 25 2008-6-26 11:20
帖是好贴,不过我以个人身份严重抗议LZ的头像,直接损害了我的眼睛  
dayed 活跃值 1 2008-6-26 11:21
combojiang 活跃值 26 2008-6-26 11:25
嗯,这个头像的确看着反胃。
sislcb 活跃值 7 2008-6-26 11:30
哈哈,影响大大们的心情,情况不妙
dayed 活跃值 1 2008-6-26 11:31
PEBOSS 活跃值 2009-11-14 17:29
FC 的分析是哪个?
chilun 活跃值 2010-11-15 20:03
ObOpenObjectByPointer学习了