Normally, routine system operations such as creating a process, a mutex or a file can be intercepted with an SSDT hook. On x64 systems, however, PatchGuard (PG) protects the SSDT and a conventional SSDT hook causes a blue screen. Hooks based on the ObjectType can achieve the same filtering without triggering a system BSOD.

First, the _OBJECT_HEADER structure:
```
0: kd> dt _object_header
nt!_OBJECT_HEADER
   +0x000 PointerCount     : Int4B
   +0x004 HandleCount      : Int4B
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Type             : Ptr32 _OBJECT_TYPE
   +0x00c NameInfoOffset   : UChar
   +0x00d HandleInfoOffset : UChar
   +0x00e QuotaInfoOffset  : UChar
   +0x00f Flags            : UChar
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD
```
The fourth field is the pointer to _OBJECT_TYPE, whose structure is as follows:
```
0: kd> dt _OBJECT_TYPE
nt!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY
   +0x040 Name             : _UNICODE_STRING
   +0x048 DefaultObject    : Ptr32 Void
   +0x04c Index            : Uint4B
   +0x050 TotalNumberOfObjects : Uint4B
   +0x054 TotalNumberOfHandles : Uint4B
   +0x058 HighWaterNumberOfObjects : Uint4B
   +0x05c HighWaterNumberOfHandles : Uint4B
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : Uint4B
   +0x0b0 ObjectLocks      : [4] _ERESOURCE
```
Its TypeInfo member is an _OBJECT_TYPE_INITIALIZER structure with the following contents:
```
0: kd> dt _OBJECT_TYPE_INITIALIZER
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : Uint2B
   +0x002 UseDefaultObject : UChar
   +0x003 CaseInsensitive  : UChar
   +0x004 InvalidAttributes : Uint4B
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask  : Uint4B
   +0x01c SecurityRequired : UChar
   +0x01d MaintainHandleCount : UChar
   +0x01e MaintainTypeList : UChar
   +0x020 PoolType         : _POOL_TYPE
   +0x024 DefaultPagedPoolCharge : Uint4B
   +0x028 DefaultNonPagedPoolCharge : Uint4B
   +0x02c DumpProcedure    : Ptr32 void
   +0x030 OpenProcedure    : Ptr32 long
   +0x034 CloseProcedure   : Ptr32 void
   +0x038 DeleteProcedure  : Ptr32 void
   +0x03c ParseProcedure   : Ptr32 long
   +0x040 SecurityProcedure : Ptr32 long
   +0x044 QueryNameProcedure : Ptr32 long
   +0x048 OkayToCloseProcedure : Ptr32 unsigned char
```
The fields towards the end, OpenProcedure, CloseProcedure, ParseProcedure and so on, are the ones we want to hook; by hooking them, the opening and creation of objects of that type can be filtered.

Let's run through a few steps to see which functions those fields hold for the Process object type on XP.

First, get explorer.exe's EPROCESS with the !process command:
```
0: kd> !process 0 0 explorer.exe
Failed to get VadRoot
PROCESS 89fc3338  SessionId: 0  Cid: 0604    Peb: 7ffd4000  ParentCid: 05f4
    DirBase: 0aac01c0  ObjectTable: e1835490  HandleCount: 487.
    Image: explorer.exe
```
The result is PROCESS 89fc3338; its contents look like this:
```
0: kd> dt _eprocess 89fc3338
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER 0x01d99c3e`eb1d80e8
   +0x078 ExitTime         : _LARGE_INTEGER 0x0
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : 0x00000604 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x8a2a8688 - 0x8a0b8738 ]
   +0x090 QuotaUsage       : [3] 0x34a8
   +0x09c QuotaPeak        : [3] 0x4650
   +0x0a8 CommitCharge     : 0xfe0
   +0x0ac PeakVirtualSize  : 0x6aee000
   +0x0b0 VirtualSize      : 0x6031000
   +0x0b4 SessionProcessLinks : _LIST_ENTRY [ 0x8a2a86b4 - 0x8a0b8764 ]
   +0x0bc DebugPort        : (null)
   +0x0c0 ExceptionPort    : 0xe166ca10 Void
   +0x0c4 ObjectTable      : 0xe1835490 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : 0x16b59
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : 0
   +0x114 ForkInProgress   : (null)
   +0x118 HardwareTrigger  : 0
   +0x11c VadRoot          : 0x8a32c2a8 Void
   +0x120 VadHint          : 0x8a32c2a8 Void
   +0x124 CloneRoot        : (null)
   +0x128 NumberOfPrivatePages : 0xa5e
   +0x12c NumberOfLockedPages : 0
   +0x130 Win32Process     : 0xe1d749e0 Void
   +0x134 Job              : (null)
   +0x138 SectionObject    : 0xe1d7bbd0 Void
   +0x13c SectionBaseAddress : 0x01000000 Void
   +0x140 QuotaBlock       : 0x8a4b7e58 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : (null)
   +0x148 Win32WindowStation : 0x00000038 Void
   +0x14c InheritedFromUniqueProcessId : 0x000005f4 Void
   +0x150 LdtInformation   : (null)
   +0x154 VadFreeHint      : (null)
   +0x158 VdmObjects       : (null)
   +0x15c DeviceMap        : 0xe19f0990 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY [ 0x89fc3498 - 0x89fc3498 ]
   +0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x168 Filler           : 0
   +0x170 Session          : 0xba5d0000 Void
   +0x174 ImageFileName    : [16] "explorer.exe"
   ......
```
The EPROCESS contents themselves are not needed here; the address is obtained in order to locate the _OBJECT_HEADER, because the Body member of _OBJECT_HEADER is the object itself (here the EPROCESS). In XP-era code the _OBJECT_HEADER address is derived with the following macro:

```c
#define ObObjectToObjectHeader(x) ((POBJECT_HEADER)(((PUCHAR)(x))-0x18))
```

In the debugger that looks like this:
```
0: kd> dt _object_header 89fc3338-0x18
nt!_OBJECT_HEADER
   +0x000 PointerCount     : 0n185
   +0x004 HandleCount      : 0n6
   +0x004 NextToFree       : 0x00000006 Void
   +0x008 Type             : 0x8a4a4ca0 _OBJECT_TYPE
   +0x00c NameInfoOffset   : 0 ''
   +0x00d HandleInfoOffset : 0 ''
   +0x00e QuotaInfoOffset  : 0 ''
   +0x00f Flags            : 0x20 ' '
   +0x010 ObjectCreateInfo : 0x8a4b7e58 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : 0x8a4b7e58 Void
   +0x014 SecurityDescriptor : 0xe1cd5ed3 Void
   +0x018 Body             : _QUAD
```
Next, print the _OBJECT_TYPE:
```
0: kd> dt _object_type 0x8a4a4ca0
nt!_OBJECT_TYPE
   +0x000 Mutex            : _ERESOURCE
   +0x038 TypeList         : _LIST_ENTRY [ 0x8a4a4cd8 - 0x8a4a4cd8 ]
   +0x040 Name             : _UNICODE_STRING "Process"
   +0x048 DefaultObject    : (null)
   +0x04c Index            : 5
   +0x050 TotalNumberOfObjects : 0x11
   +0x054 TotalNumberOfHandles : 0x51
   +0x058 HighWaterNumberOfObjects : 0x13
   +0x05c HighWaterNumberOfHandles : 0x51
   +0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0ac Key              : 0x636f7250
   +0x0b0 ObjectLocks      : [4] _ERESOURCE
```
Then the _OBJECT_TYPE_INITIALIZER:
```
0: kd> dx -id 0,0,8055d0c0 -r1 (*((ntkrpamp!_OBJECT_TYPE_INITIALIZER *)0x8a4a4d00))
(*((ntkrpamp!_OBJECT_TYPE_INITIALIZER *)0x8a4a4d00))                 [Type: _OBJECT_TYPE_INITIALIZER]
    [+0x000] Length           : 0x4c [Type: unsigned short]
    [+0x002] UseDefaultObject : 0x0 [Type: unsigned char]
    [+0x003] CaseInsensitive  : 0x0 [Type: unsigned char]
    [+0x004] InvalidAttributes : 0xb0 [Type: unsigned long]
    [+0x008] GenericMapping   [Type: _GENERIC_MAPPING]
    [+0x018] ValidAccessMask  : 0x1f0fff [Type: unsigned long]
    [+0x01c] SecurityRequired : 0x1 [Type: unsigned char]
    [+0x01d] MaintainHandleCount : 0x0 [Type: unsigned char]
    [+0x01e] MaintainTypeList : 0x0 [Type: unsigned char]
    [+0x020] PoolType         : NonPagedPool (0) [Type: _POOL_TYPE]
    [+0x024] DefaultPagedPoolCharge : 0x1000 [Type: unsigned long]
    [+0x028] DefaultNonPagedPoolCharge : 0x290 [Type: unsigned long]
    [+0x02c] DumpProcedure    : 0x0 [Type: void (*)(void *,_OBJECT_DUMP_CONTROL *)]
    [+0x030] OpenProcedure    : 0x0 [Type: long (*)(_OB_OPEN_REASON,_EPROCESS *,void *,unsigned long,unsigned long)]
    [+0x034] CloseProcedure   : 0x0 [Type: void (*)(_EPROCESS *,void *,unsigned long,unsigned long,unsigned long)]
    [+0x038] DeleteProcedure  : 0x805d263a [Type: void (*)(void *)]
    [+0x03c] ParseProcedure   : 0x0 [Type: long (*)(void *,void *,_ACCESS_STATE *,char,unsigned long,_UNICODE_STRING *,_UNICODE_STRING *,void *,_SECURITY_QUALITY_OF_SERVICE *,void * *)]
    [+0x040] SecurityProcedure : 0x805f9a74 [Type: long (*)(void *,_SECURITY_OPERATION_CODE,unsigned long *,void *,unsigned long *,void * *,_POOL_TYPE,_GENERIC_MAPPING *,char)]
    [+0x044] QueryNameProcedure : 0x0 [Type: long (*)(void *,unsigned char,_OBJECT_NAME_INFORMATION *,unsigned long,unsigned long *)]
    [+0x048] OkayToCloseProcedure : 0x0 [Type: unsigned char (*)(_EPROCESS *,void *,void *,char)]
```
Here both the prototypes and the actual addresses of the functions are visible. For example, `DeleteProcedure : 0x805d263a [Type: void (*)(void *)]` is a function at address 0x805d263a with the declaration `void (*)(void *)`.
On x64 the _OBJECT_HEADER looks like this:

```
7: kd> dt _object_header
nt!_OBJECT_HEADER
   +0x000 PointerCount     : Int8B
   +0x008 HandleCount      : Int8B
   +0x008 NextToFree       : Ptr64 Void
   +0x010 Lock             : _EX_PUSH_LOCK
   +0x018 TypeIndex        : UChar
   +0x019 TraceFlags       : UChar
   +0x01a InfoMask         : UChar
   +0x01b Flags            : UChar
   +0x020 ObjectCreateInfo : Ptr64 _OBJECT_CREATE_INFORMATION
   +0x020 QuotaBlockCharged : Ptr64 Void
   +0x028 SecurityDescriptor : Ptr64 Void
   +0x030 Body             : _QUAD
```
On 64-bit systems the _OBJECT_HEADER no longer has a field that points directly at the _OBJECT_TYPE structure. Instead it holds an index (TypeIndex) into a table named ObTypeIndexTable, which contains every ObjectType; see my other article for the details.

In practice, the ObjectType pointer can simply be obtained from the object itself with the ObGetObjectType function.

The _OBJECT_TYPE structure can still be displayed in WinDbg, as follows:
```
7: kd> dt _object_type
nt!_OBJECT_TYPE
   +0x000 TypeList         : _LIST_ENTRY
   +0x010 Name             : _UNICODE_STRING
   +0x020 DefaultObject    : Ptr64 Void
   +0x028 Index            : UChar
   +0x02c TotalNumberOfObjects : Uint4B
   +0x030 TotalNumberOfHandles : Uint4B
   +0x034 HighWaterNumberOfObjects : Uint4B
   +0x038 HighWaterNumberOfHandles : Uint4B
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b0 TypeLock         : _EX_PUSH_LOCK
   +0x0b8 Key              : Uint4B
   +0x0c0 CallbackList     : _LIST_ENTRY
```
Then the _OBJECT_TYPE_INITIALIZER:
```
7: kd> dt _OBJECT_TYPE_INITIALIZER
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : Uint2B
   +0x002 ObjectTypeFlags  : UChar
   +0x002 CaseInsensitive  : Pos 0, 1 Bit
   +0x002 UnnamedObjectsOnly : Pos 1, 1 Bit
   +0x002 UseDefaultObject : Pos 2, 1 Bit
   +0x002 SecurityRequired : Pos 3, 1 Bit
   +0x002 MaintainHandleCount : Pos 4, 1 Bit
   +0x002 MaintainTypeList : Pos 5, 1 Bit
   +0x002 SupportsObjectCallbacks : Pos 6, 1 Bit
   +0x002 CacheAligned     : Pos 7, 1 Bit
   +0x004 ObjectTypeCode   : Uint4B
   +0x008 InvalidAttributes : Uint4B
   +0x00c GenericMapping   : _GENERIC_MAPPING
   +0x01c ValidAccessMask  : Uint4B
   +0x020 RetainAccess     : Uint4B
   +0x024 PoolType         : _POOL_TYPE
   +0x028 DefaultPagedPoolCharge : Uint4B
   +0x02c DefaultNonPagedPoolCharge : Uint4B
   +0x030 DumpProcedure    : Ptr64 void
   +0x038 OpenProcedure    : Ptr64 long
   +0x040 CloseProcedure   : Ptr64 void
   +0x048 DeleteProcedure  : Ptr64 void
   +0x050 ParseProcedure   : Ptr64 long
   +0x058 SecurityProcedure : Ptr64 long
   +0x060 QueryNameProcedure : Ptr64 long
   +0x068 OkayToCloseProcedure : Ptr64 unsigned char
```
Its layout differs somewhat from XP, but the few functions we need are much the same.

First, use the method from the article 《遍历Windows内核ObjectType》 (Enumerating the Windows kernel ObjectTypes) to obtain the _OBJECT_TYPE pointer for the EPROCESS object type:
```
5: kd> g
【PrintObjectTypeList】::【DriverEntry】 Hello Kernel World! CurrentProcessId:0x0000000000000004 CurrentIRQL:0x0
【ObRegisterCallback】::【GetObTypeIndexTable】Found ObTypeIndexTable Address:0xFFFFF80006678100
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:00 Address:0xFFFFFA80610603C0 Name:Type
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:01 Address:0xFFFFFA8061060270 Name:Directory
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:02 Address:0xFFFFFA806106C700 Name:SymbolicLink
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:03 Address:0xFFFFFA806106C4B0 Name:Token
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:04 Address:0xFFFFFA806106C290 Name:Job
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:05 Address:0xFFFFFA8061065F30 Name:Process
【PrintObjectTypeList】::【PrintObTypeIndexList】Index:06 Address:0xFFFFFA8061065DE0 Name:Thread
```
Its address is 0xFFFFFA8061065F30; formatting that structure gives:
```
5: kd> dt _object_type 0xFFFFFA8061065F30
nt!_OBJECT_TYPE
   +0x000 TypeList         : _LIST_ENTRY [ 0xfffffa80`61065f30 - 0xfffffa80`61065f30 ]
   +0x010 Name             : _UNICODE_STRING "Process"
   +0x020 DefaultObject    : (null)
   +0x028 Index            : 0x7 ''
   +0x02c TotalNumberOfObjects : 0x2f
   +0x030 TotalNumberOfHandles : 0x11a
   +0x034 HighWaterNumberOfObjects : 0x32
   +0x038 HighWaterNumberOfHandles : 0x11e
   +0x040 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x0b0 TypeLock         : _EX_PUSH_LOCK
   +0x0b8 Key              : 0x636f7250
   +0x0c0 CallbackList     : _LIST_ENTRY [ 0xfffff8a0`00f59b50 - 0xfffff8a0`00f59b50 ]
```
Then get the _OBJECT_TYPE_INITIALIZER, as follows:
```
5: kd> dx -id 0,0,fffffa8061066b00 -r1 (*((ntkrnlmp!_OBJECT_TYPE_INITIALIZER *)0xfffffa8061065f70))
(*((ntkrnlmp!_OBJECT_TYPE_INITIALIZER *)0xfffffa8061065f70))                 [Type: _OBJECT_TYPE_INITIALIZER]
    [+0x000] Length           : 0x70 [Type: unsigned short]
    [+0x002] ObjectTypeFlags  : 0x4a [Type: unsigned char]
    [+0x002 ( 0: 0)] CaseInsensitive  : 0x0 [Type: unsigned char]
    [+0x002 ( 1: 1)] UnnamedObjectsOnly : 0x1 [Type: unsigned char]
    [+0x002 ( 2: 2)] UseDefaultObject : 0x0 [Type: unsigned char]
    [+0x002 ( 3: 3)] SecurityRequired : 0x1 [Type: unsigned char]
    [+0x002 ( 4: 4)] MaintainHandleCount : 0x0 [Type: unsigned char]
    [+0x002 ( 5: 5)] MaintainTypeList : 0x0 [Type: unsigned char]
    [+0x002 ( 6: 6)] SupportsObjectCallbacks : 0x1 [Type: unsigned char]
    [+0x002 ( 7: 7)] CacheAligned     : 0x0 [Type: unsigned char]
    [+0x004] ObjectTypeCode   : 0x0 [Type: unsigned long]
    [+0x008] InvalidAttributes : 0xb0 [Type: unsigned long]
    [+0x00c] GenericMapping   [Type: _GENERIC_MAPPING]
    [+0x01c] ValidAccessMask  : 0x1fffff [Type: unsigned long]
    [+0x020] RetainAccess     : 0x101000 [Type: unsigned long]
    [+0x024] PoolType         : NonPagedPool (0) [Type: _POOL_TYPE]
    [+0x028] DefaultPagedPoolCharge : 0x1000 [Type: unsigned long]
    [+0x02c] DefaultNonPagedPoolCharge : 0x550 [Type: unsigned long]
    [+0x030] DumpProcedure    : 0x0 : 0x0 [Type: void (__cdecl*)(void *,_OBJECT_DUMP_CONTROL *)]
    [+0x038] OpenProcedure    : 0xfffff80006765ac8 : ntkrnlmp!PspProcessOpen+0x0 [Type: long (__cdecl*)(_OB_OPEN_REASON,char,_EPROCESS *,void *,unsigned long *,unsigned long)]
    [+0x040] CloseProcedure   : 0xfffff80006765b10 : ntkrnlmp!PspProcessClose+0x0 [Type: void (__cdecl*)(_EPROCESS *,void *,unsigned __int64,unsigned __int64)]
    [+0x048] DeleteProcedure  : 0xfffff8000672b814 : ntkrnlmp!PspProcessDelete+0x0 [Type: void (__cdecl*)(void *)]
    [+0x050] ParseProcedure   : 0x0 : 0x0 [Type: long (__cdecl*)(void *,void *,_ACCESS_STATE *,char,unsigned long,_UNICODE_STRING *,_UNICODE_STRING *,void *,_SECURITY_QUALITY_OF_SERVICE *,void * *)]
    [+0x058] SecurityProcedure : 0xfffff80006735dd8 : ntkrnlmp!SeDefaultObjectMethod+0x0 [Type: long (__cdecl*)(void *,_SECURITY_OPERATION_CODE,unsigned long *,void *,unsigned long *,void * *,_POOL_TYPE,_GENERIC_MAPPING *,char)]
    [+0x060] QueryNameProcedure : 0x0 : 0x0 [Type: long (__cdecl*)(void *,unsigned char,_OBJECT_NAME_INFORMATION *,unsigned long,unsigned long *,char)]
    [+0x068] OkayToCloseProcedure : 0x0 : 0x0 [Type: unsigned char (__cdecl*)(_EPROCESS *,void *,void *,char)]
```
Here OpenProcedure, CloseProcedure and DeleteProcedure all hold values.
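Because the procedure slots are plain function pointers in pool memory, the integrity check a forensic tool runs against them is the natural defender's counterpart to the hook described above. The following is an added example (not code from the original article): it takes a raw copy of an _OBJECT_TYPE_INITIALIZER, selects the XP x86 or x64 layout from the Length field (0x4c or 0x70, as in the dumps above), reads the eight procedure slots and flags any non-NULL slot that does not point into the ntoskrnl image. The kernel image range, the redirected pool address and the sample buffer are constructed assumptions; the genuine addresses are the PspProcess* and SeDefaultObjectMethod values from the x64 dump.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Procedure slots of _OBJECT_TYPE_INITIALIZER, in dump order:
 * DumpProcedure, OpenProcedure, CloseProcedure, DeleteProcedure,
 * ParseProcedure, SecurityProcedure, QueryNameProcedure, OkayToCloseProcedure.
 * XP x86: Length 0x4c, first slot at +0x2c, 4-byte pointers.
 * x64:    Length 0x70, first slot at +0x30, 8-byte pointers. */
typedef struct { uint64_t lo, hi; } ImageRange;   /* [lo, hi) of the ntoskrnl image */

/* Reads the eight procedure pointers from a raw _OBJECT_TYPE_INITIALIZER copy
 * (layout chosen from its Length field) into out_ptrs and returns a bitmask of
 * slots that are non-NULL yet lie outside the kernel image: candidate hooks.
 * Returns -1 if the Length matches neither layout or the buffer is too short. */
int find_hooked_slots(const uint8_t *init, size_t len, ImageRange nt, uint64_t out_ptrs[8]) {
    uint16_t length;
    size_t first = 0, psz = 0;
    int mask = 0;
    if (len < 2) return -1;
    memcpy(&length, init, 2);
    if (length == 0x4c)      { first = 0x2c; psz = 4; }
    else if (length == 0x70) { first = 0x30; psz = 8; }
    else return -1;
    if (len < length) return -1;
    for (int i = 0; i < 8; i++) {
        uint64_t p = 0;
        memcpy(&p, init + first + i * psz, psz);  /* little-endian host, like x86/x64 */
        out_ptrs[i] = p;
        if (p != 0 && (p < nt.lo || p >= nt.hi)) mask |= 1 << i;
    }
    return mask;
}

static void put_ptr(uint8_t *buf, size_t off, uint64_t v, size_t psz) {
    for (size_t i = 0; i < psz; i++) buf[off + i] = (uint8_t)(v >> (8 * i));
}

/* Constructed x64 initializer for the Process type, filled with the PspProcessOpen,
 * PspProcessClose, PspProcessDelete and SeDefaultObjectMethod addresses from the dump.
 * With hooked != 0, OpenProcedure is redirected to a constructed pool address. */
size_t build_sample_x64(uint8_t *buf, int hooked) {
    memset(buf, 0, 0x70);
    buf[0] = 0x70;                                /* Length */
    put_ptr(buf, 0x38, hooked ? 0xfffffa8061070000ULL : 0xfffff80006765ac8ULL, 8);
    put_ptr(buf, 0x40, 0xfffff80006765b10ULL, 8);
    put_ptr(buf, 0x48, 0xfffff8000672b814ULL, 8);
    put_ptr(buf, 0x58, 0xfffff80006735dd8ULL, 8);
    return 0x70;
}
```

On a live system the same check can be applied to the buffer returned by reading TypeInfo from the pointer ObGetObjectType gives, with the image range taken from the loaded module list.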
The following definitions were put together from the leaked Microsoft source code and ReactOS:
```c
typedef struct _OBJECT_DUMP_CONTROL {
    PVOID Stream;
    ULONG Detail;
} OB_DUMP_CONTROL, *POB_DUMP_CONTROL;

typedef VOID (*OB_DUMP_METHOD)(
    IN PVOID Object,
    IN POB_DUMP_CONTROL Control OPTIONAL
    );
typedef NTSTATUS (*OB_OPEN_METHOD)(
    IN OB_OPEN_REASON OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    );
typedef VOID (*OB_CLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG ProcessHandleCount,
    IN ULONG SystemHandleCount
    );
typedef VOID (*OB_DELETE_METHOD)(
    IN PVOID Object
    );
typedef NTSTATUS (*OB_PARSE_METHOD)(
    IN PVOID ParseObject,
    IN PVOID ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN KPROCESSOR_MODE AccessMode,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object
    );
typedef NTSTATUS (*OB_SECURITY_METHOD)(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping
    );
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
    IN PVOID Object,
    IN BOOLEAN HasObjectName,
    OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
    IN ULONG Length,
    OUT PULONG ReturnLength
    );
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN HANDLE Handle,
    IN KPROCESSOR_MODE PreviousMode
    );
```
For x64, based on the XP source code plus the WinDbg output shown at the end of section 2.2.2:
```c
typedef struct _OBJECT_DUMP_CONTROL {
    PVOID Stream;
    ULONG Detail;
} OB_DUMP_CONTROL, *POB_DUMP_CONTROL;

typedef VOID (*OB_DUMP_METHOD)(
    IN PVOID Object,
    IN POB_DUMP_CONTROL Control OPTIONAL
    );
typedef NTSTATUS (*OB_OPEN_METHOD)(
    IN OB_OPEN_REASON OpenReason,
    IN CHAR Flag,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN OUT PACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    );
typedef VOID (*OB_CLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN OUT PACCESS_MASK GrantedAccess,
    IN ULONGLONG ReferenceHandleCount
    );
typedef VOID (*OB_DELETE_METHOD)(
    IN PVOID Object
    );
typedef NTSTATUS (*OB_PARSE_METHOD)(
    IN PVOID ParseObject,
    IN POBJECT_TYPE ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN CHAR Flag,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object
    );
typedef NTSTATUS (*OB_SECURITY_METHOD)(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN CHAR Flag
    );
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
    IN PVOID Object,
    IN BOOLEAN HasObjectName,
    OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
    IN ULONG Length,
    OUT PULONG ReturnLength,
    IN CHAR Flag
    );
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN HANDLE Handle,
    IN KPROCESSOR_MODE PreviousMode
    );
```