自定义NtOpenProcess(搞定了附代码)
本帖最后由 chilun 于 2011-6-19 11:16 编辑#define KeGetPreviousMode() (KeGetCurrentThread()->PreviousMode)
typedef struct _AUX_ACCESS_DATA {
PPRIVILEGE_SET PrivilegesUsed;
GENERIC_MAPPING GenericMapping;
ACCESS_MASK AccessesToAudit;
ACCESS_MASK MaximumAuditMask;
} AUX_ACCESS_DATA, *PAUX_ACCESS_DATA;
NTSTATUS
SeCreateAccessState(
PACCESS_STATE AccessState,
PAUX_ACCESS_DATA AuxData,
ACCESS_MASK DesiredAccess,
PGENERIC_MAPPING GenericMapping
);
POBJECT_TYPE PsProcessType;
extern"C" void _stdcall ProbeForWriteHandle(PVOID);
extern"C" void ProbeForReadSmallStructure(PVOID,ULONG,ULONG);
extern"C" NTSTATUS SeCreateAccessState(PVOID,PVOID,ULONG,PVOID);
LUID SeDebugPrivilege = {0};
NTSTATUS
ObOpenObjectByName (
POBJECT_ATTRIBUTES ObjectAttributes,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PACCESS_STATE AccessState,
ACCESS_MASK DesiredAccess,
PVOID ParseContext,
PHANDLE Handle
);
VOID
SeDeleteAccessState(
PACCESS_STATE AccessState
);
typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN Reserved;
ULONG InvalidAttributes;
UCHAR GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList;
USHORT PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
PVOID OpenProcedure;
PVOID CloseProcedure;
PVOID DeleteProcedure;
PVOID ParseProcedure;
PVOID SecurityProcedure;
PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
typedef struct _OBJECT_TYPE {
UCHAR Mutex;
LIST_ENTRY TypeList;
UNICODE_STRING Name;
PVOID DefaultObject;
ULONG Index;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;
NTSTATUS
PsLookupProcessThreadByCid(
PCLIENT_ID Cid,
PEPROCESS *Process,
PETHREAD *Thread
);
NTSTATUS
PsLookupProcessByProcessId(
HANDLE ProcessId,
PEPROCESS *Process
);
NTSTATUS
PsLookupThreadByThreadId(
HANDLE ThreadId,
PETHREAD *Thread
);
NTSTATUS
ObOpenObjectByPointer (
PVOID Object,
ULONG HandleAttributes,
PACCESS_STATE PassedAccessState,
ACCESS_MASK DesiredAccess,
POBJECT_TYPE ObjectType,
KPROCESSOR_MODE AccessMode,
PHANDLE Handle
);
NTSTATUS WINAPI
HxNtOpenProcess (
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
)
{
HANDLE Handle;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PEPROCESS Process;
PETHREAD Thread;
CLIENT_ID CapturedCid={0};
BOOLEAN ObjectNamePresent;
BOOLEAN ClientIdPresent;
ACCESS_STATE AccessState;
AUX_ACCESS_DATA AuxData;
ULONG Attributes;
KIRQL CurrentIrql;
PAGED_CODE();
CurrentIrql = KeGetCurrentIrql();
if(CurrentIrql>PASSIVE_LEVEL)
{
KeLowerIrql(PASSIVE_LEVEL);
}
//DbgPrint("HxNtOpenProcess IRQL: %u \n",CurrentIrql);
DbgPrint("OD已经调用过我们的HxNtOpenProcess ()函数 \n");
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
_try {
ProbeForWriteHandle (ProcessHandle);
ProbeForReadSmallStructure (ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG));
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
//Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode);
Attributes=ObjectAttributes->Attributes;
if (ARGUMENT_PRESENT (ClientId)) {
ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
} else {
ClientIdPresent = FALSE;
}
} _except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
} else {
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
//Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode);
Attributes=ObjectAttributes->Attributes;
if (ARGUMENT_PRESENT (ClientId)) {
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
} else {
ClientIdPresent = FALSE;
}
}
if (ObjectNamePresent && ClientIdPresent) {
return STATUS_INVALID_PARAMETER_MIX;
}
Status = SeCreateAccessState(
&AccessState,
&AuxData,
DesiredAccess,
&(*PsProcessType)->TypeInfo.GenericMapping
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) {
if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) {
AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS;
} else {
AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess );
}
AccessState.RemainingDesiredAccess = 0;
}
if (ObjectNamePresent) {
Status = ObOpenObjectByName(
ObjectAttributes,
*PsProcessType,
PreviousMode,
&AccessState,
0,
NULL,
&Handle
);
SeDeleteAccessState( &AccessState );
if ( NT_SUCCESS(Status) ) {
_try {
*ProcessHandle = Handle;
} _except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode ();
}
}
return Status;
}
if ( ClientIdPresent ) {
Thread = NULL;
if (CapturedCid.UniqueThread) {
Status = PsLookupProcessThreadByCid(
&CapturedCid,
&Process,
&Thread
);
if (!NT_SUCCESS(Status)) {
SeDeleteAccessState( &AccessState );
return Status;
}
} else {
Status = PsLookupProcessByProcessId(
CapturedCid.UniqueProcess,
&Process
);
if ( !NT_SUCCESS(Status) ) {
SeDeleteAccessState( &AccessState );
return Status;
}
}
Status = ObOpenObjectByPointer(
Process,
Attributes,
&AccessState,
0,
*PsProcessType,
PreviousMode,
&Handle
); //得到进程句柄
SeDeleteAccessState( &AccessState );
if (Thread) {
ObDereferenceObject(Thread);
}
ObDereferenceObject(Process);
if (NT_SUCCESS (Status)) {
_try {
*ProcessHandle = Handle;
} _except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode ();
}
}
return Status;
}
return STATUS_INVALID_PARAMETER_MIX;
//}
}
自定义NtOpenProcess编译通不过,,哪位帮帮忙改一下,给点资料
Compiling...
Driver.cpp
d:\我的文档\桌面\Driver.cpp(663) : error C2027: use of undefined type '_KTHREAD'
C:\WINDDK\2600\INC\DDK\W2K\NTDDK.h(75) : see declaration of '_KTHREAD'
d:\我的文档\桌面\Driver.cpp(663) : error C2227: left of '->PreviousMode' must point to class/struct/union
d:\我的文档\桌面\Driver.cpp(701) : error C2819: type '_OBJECT_TYPE' does not have an overloaded member 'operator ->'
d:\我的文档\桌面\Driver.h(164) : see declaration of '_OBJECT_TYPE'
d:\我的文档\桌面\Driver.cpp(701) : error C2227: left of '->TypeInfo' must point to class/struct/union
d:\我的文档\桌面\\Driver.cpp(702) : error C2228: left of '.GenericMapping' must have class/struct/union type
d:\我的文档\桌面\Driver.cpp(723) : error C2664: 'ObOpenObjectByName' : cannot convert parameter 2 from 'struct _OBJECT_TYPE' to 'struct _OBJECT_TYPE *'
No user-defined-conversion operator available that can perform this conversion, or the operator cannot be called
d:\我的文档\桌面\Driver.cpp(764) : error C2664: 'ObOpenObjectByPointer' : cannot convert parameter 5 from 'struct _OBJECT_TYPE' to 'struct _OBJECT_TYPE *'
No user-defined-conversion operator available that can perform this conversion, or the operator cannot be called
Error executing cl.exe.
HelloDDK.sys - 7 error(s), 0 warning(s)
WRK搬过来就行了~ 哥哥,就是人wrk上找的,,但有很多没定义呀,,我定义了部分,,后面的分析不出来了,帮看看 回复 chilun 的帖子
怎么修改~你发的代码,又没行数~不知道哪行的问题~
HANDLE OpenProcess(HANDLE 进程ID)
{
PEPROCESS Process;
HANDLE hprocess;
PsLoopupProcessByProcessId(进程ID,&Process);
ObOpenObjectByPointer(Process,0,0,0,0,0,&hprocess) ;
return hprocess;
}
实际使用时需要一些安全性判断。
没有声明ntddk.h
而且这样也没用,别人直接hook ObOpenObjectByPointer就可以了 回复 chenhui530 的帖子
楼主你真是赚到了,陈辉亲自回复你的帖子!!!
他上次来此发帖已经是2007-1-25 08:45了。。。 Tesla.Angela 发表于 2011-6-12 21:33 static/image/common/back.gif
回复 chenhui530 的帖子
楼主你真是赚到了,陈辉亲自回复你的帖子!!!
挖卡~陈辉~~ ywledoc 发表于 2011-6-13 18:22 static/image/common/back.gif
挖卡~陈辉~~
据老马说他是comodo的工程师。 Tesla.Angela 发表于 2011-6-13 23:03 static/image/common/back.gif
据老马说他是comodo的工程师。
比较想去趋势,绿盟,启明星这三个的 ywledoc 发表于 2011-6-13 23:12 static/image/common/back.gif
比较想去趋势,绿盟,启明星这三个的
帮政府工作吧。。。 Tesla.Angela 发表于 2011-6-13 23:36 static/image/common/back.gif
帮政府工作吧。。。
蓝军啊?不去~感觉政府我惹不起~而且那工资还不知道高不高,还不知道能不能接私活~ 本帖最后由 chilun 于 2011-6-15 22:14 编辑
感谢各位大牛,这几天论坛老是登不上,,其实我是看了,《基于OD插件的内核调试器的设计与实现_过一般性游戏保护》这篇文章,百度上有。想搞个ssdt ,增加服务函数,,想增加个自已定义的NtOpenProcess,,因为原来哪个已经被hook了,,现在我的NtopenProcess编译是通过了,(我觉得写的不对),但是用OD附加记事本时附加窗口什么也没有。。用DbgPrint输出进程的ID是对的,,,唉搞了几个周了,,,哪位指点一下 ntopenprocess搞定,,附上代码
NTSTATUS WINAPI
MyNtOpenProcess (
__out PHANDLE ProcessHandle,
__in ACCESS_MASK DesiredAccess,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in_opt PCLIENT_ID ClientId
)
{
HANDLE Handle;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PEPROCESS Process;
PETHREAD Thread;
CLIENT_ID CapturedCid={0};
BOOLEAN ObjectNamePresent;
BOOLEAN ClientIdPresent;
ACCESS_STATE AccessState;
AUX_ACCESS_DATA AuxData;
ULONG Attributes;
KIRQL CurrentIrql;
PAGED_CODE();
CurrentIrql = KeGetCurrentIrql();
if(CurrentIrql>PASSIVE_LEVEL)
{
KeLowerIrql(PASSIVE_LEVEL);
}
//DbgPrint("HxNtOpenProcess IRQL: %u \n",CurrentIrql);
DbgPrint("OD已经调用过我们的MyNtOpenProcess ()函数 \n");
ULONG www=(ULONG)ClientId->UniqueProcess;
//DbgPrint("传入ID%d\n",www);
//DbgPrint("id====%d",*(int*)ClientId);
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
__try {
ProbeForWriteHandle (ProcessHandle);
ProbeForReadSmallStructure (ObjectAttributes,
sizeof(OBJECT_ATTRIBUTES),
sizeof(ULONG));
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
//Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode);
Attributes=ObjectAttributes->Attributes;
if (ARGUMENT_PRESENT (ClientId)) {
ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG));
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
} else {
ClientIdPresent = FALSE;
}
} __except (EXCEPTION_EXECUTE_HANDLER) {
//DbgPrint("xxmm");
return GetExceptionCode();
}
//DbgPrint("11");
} else {
ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName);
//Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode);
Attributes=ObjectAttributes->Attributes;
if (ARGUMENT_PRESENT (ClientId)) {
CapturedCid = *ClientId;
ClientIdPresent = TRUE;
} else {
ClientIdPresent = FALSE;
}
//DbgPrint("22");
}
if (ObjectNamePresent && ClientIdPresent) {
//DbgPrint("33");
return STATUS_INVALID_PARAMETER_MIX;
}
Status = SeCreateAccessState(
&AccessState,
&AuxData,
DesiredAccess,
&(*PsProcessType)->TypeInfo.GenericMapping
);
if ( !NT_SUCCESS(Status) ) {
//DbgPrint("44");
return Status;
}
if (SeSinglePrivilegeCheck( SeDebugPrivilege, PreviousMode )) {
if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) {
AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS;
} else {
AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess );
}
AccessState.RemainingDesiredAccess = 0;
//DbgPrint("55");
}
if (ObjectNamePresent) {
Status = ObOpenObjectByName(
ObjectAttributes,
*PsProcessType,
PreviousMode,
&AccessState,
0,
NULL,
&Handle
);
SeDeleteAccessState( &AccessState );
if ( NT_SUCCESS(Status) ) {
__try {
*ProcessHandle = Handle;
} __except (EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode ();
}
}
//DbgPrint("66");
return Status;
}
if ( ClientIdPresent ) {
Thread = NULL;
if (CapturedCid.UniqueThread) {
Status = PsLookupProcessThreadByCid(
&CapturedCid,
&Process,
&Thread
);
if (!NT_SUCCESS(Status)) {
SeDeleteAccessState( &AccessState );
//DbgPrint("77");
return Status;
}
} else {
Status = PsLookupProcessByProcessId(
CapturedCid.UniqueProcess,
&Process
);
if ( !NT_SUCCESS(Status) ) {
SeDeleteAccessState( &AccessState );
//DbgPrint("88");
return Status;
}
}
Status = ObOpenObjectByPointer(
Process,
Attributes,
&AccessState,
0,
*PsProcessType,
PreviousMode,
&Handle
); //得到进程句柄
/*Status = ObOpenObjectByPointer(
Process,
Attributes,
&AccessState,
PROCESS_ALL_ACCESS,
NULL,
KernelMode,//PreviousMode,
&Handle
);*/
SeDeleteAccessState( &AccessState );
if (Thread) {
ObDereferenceObject(Thread);
//DbgPrint("99");
}
ObDereferenceObject(Process);
if (NT_SUCCESS (Status)) {
__try {
*ProcessHandle = Handle;
} __except (EXCEPTION_EXECUTE_HANDLER) {
//DbgPrint("yyuu");
return GetExceptionCode ();
}
}
//DbgPrint("1010");
return Status;
}
//DbgPrint("1111");
return STATUS_INVALID_PARAMETER_MIX;
}
陈辉这臭小子,哈哈.
恭喜一下楼主:) 楼主,我编译了你的代码,最后还有两个链接错误:1>nt.obj : error LNK2019: unresolved external symbol _ProbeForReadSmallStructure@12 referenced in function _MyNtOpenProcess@16
1>nt.obj : error LNK2019: unresolved external symbol _ProbeForWriteHandle@4 referenced in function _MyNtOpenProcess@16 这个是怎么解决的? 支持!
页:
[1]