逆WIN7X64内核调试体系之NtDebugActiveProcess
本帖最后由 落笔飞花 于 2015-9-28 04:19 编辑NTSTATUS __fastcall proxyNtDebugActiveProcess(HANDLE ProcessHandle, HANDLE DebugObjectHandle){
PMY_OBJECT_TYPE object;
PMY_OBJECT_TYPE debugobject;
OBJECT_HANDLE_INFORMATION objecthandleinformation;
NTSTATUS status;
PETHREAD LastThread;
status=ObReferenceObjectByHandle(ProcessHandle, 0x800, *PsProcessType, UserMode, &object, &objecthandleinformation);
if (NT_SUCCESS(status)){
if (object == PsGetCurrentProcess() || object == PsInitialSystemProcess){
ObfDereferenceObject(object);
return status = STATUS_INVALID_HANDLE;
}
}
DbgPrint("获取进程对象成功!:%p", object);
status = ObReferenceObjectByHandle(DebugObjectHandle, 0x2, DbgkDebugObjectType, UserMode, &debugobject, &objecthandleinformation);
DbgPrint("获取调试对象成功!:%p", debugobject);
if (!NT_SUCCESS(status)){
status = STATUS_INVALID_HANDLE;
ObfDereferenceObject(debugobject);
ObfDereferenceObject(object);
}
if (ExAcquireRundownProtection((ULONG64)object + 0x178)){
((pfnDbgkpPostFakeProcessCreateMessages)DbgkpPostFakeProcessCreateMessages)(object, debugobject, &LastThread);
((pfnDbgkpSetProcessDebugObject)DbgkpSetProcessDebugObject)(object, debugobject, status, LastThread);
DbgPrint("已经发送调试消息!");//发送调试消息
}
else{
status = STATUS_INVALID_HANDLE;
}
ExReleaseRundownProtection((ULONG64)object + 0x178);
ObfDereferenceObject(debugobject);
ObfDereferenceObject(object);
return status ;;
}
修正一下= = =蛋疼搞快了 没测试 这样直接就可用的 好!再接再厉!
页:
[1]