Object Hook

2012-03-16 12:50:24 | 分类: Windows驱动学习

OBJECT 的组成主要是 3 部分,如下图(按地址从低到高画)。三部分在内存里是连续的:附加信息在最前面,然后是对象头,对象体在最后——所以代码里可以用 CONTAINING_RECORD 从对象体指针回退到 OBJECT_HEADER(见下面驱动源码里的 OBJECT_TO_OBJECT_HEADER 宏)。

         |-------------|
         |   附加信息   | ---> 主要的几个结构是 OBJECT_HEADER_CREATOR_INFO(创建信息)、
         |             |      OBJECT_HEADER_NAME_INFO(里面有对象名等主要信息)、
         |             |      OBJECT_HEADER_HANDLE_INFO(一些句柄信息)
         |-------------|
         |   对象头     | ---> 一个重要的结构 OBJECT_HEADER
         |-------------|
         |   OBJECT    | ---> 对象体本身(OBJECT_HEADER.Body 就是它的起始位置)
         |_____________|
我们主要看一下 OBJECT_HEADER 这个数据结构,几个重要的成员我在下面注释出来了:
/*
 * Per-object header that immediately precedes every object body. Body is the
 * last member, so CONTAINING_RECORD(object, OBJECT_HEADER, Body) steps back
 * from an object pointer to its header (the OBJECT_TO_OBJECT_HEADER macro in
 * the driver source below does exactly that).
 *
 * NOTE(review): undocumented, version-specific layout (XP/2003-era); later
 * Windows releases changed it, so verify against the target build's symbols
 * before dereferencing anything through it.
 */
typedef struct _OBJECT_HEADER {
LONG PointerCount; /* reference count (object references, as opposed to handles) */
union {
LONG HandleCount; /* number of open handles to the object */
PSINGLE_LIST_ENTRY SEntry;
};
POBJECT_TYPE Type; /* the object's type - this is what the hook relies on. A type is itself an object; "Type" is the first object type the system creates */
UCHAR NameInfoOffset; /* offset used to locate the optional OBJECT_HEADER_NAME_INFO */
UCHAR HandleInfoOffset; /* offset used to locate the optional OBJECT_HEADER_HANDLE_INFO */
UCHAR QuotaInfoOffset; /* offset used to locate the optional quota info */
UCHAR Flags;
union
{
POBJECT_CREATE_INFORMATION ObjectCreateInfo; /* creation parameters; shares storage with QuotaBlockCharged, so presumably only meaningful while the object is being created */
PVOID QuotaBlockCharged;
};
PSECURITY_DESCRIPTOR SecurityDescriptor; /* the object's security descriptor */
QUAD Body; /* the object itself starts here */
} OBJECT_HEADER, *POBJECT_HEADER;
对象类型结构
/*
 * Object type descriptor: one exists per kind of object (File, Device,
 * Process, ...). Every OBJECT_HEADER.Type points at one of these, and the
 * per-type "methods" the object manager calls live in TypeInfo.
 *
 * NOTE(review): undocumented layout; field order and contents differ between
 * Windows versions - verify against the target build's symbols.
 */
typedef struct _OBJECT_TYPE {
ERESOURCE Mutex; /* lock for the type (what exactly it guards is not visible here) */
LIST_ENTRY TypeList; /* list linkage */
UNICODE_STRING Name; /* type name, e.g. "File" (the \ObjectTypes\File entry mentioned above) */
PVOID DefaultObject;
ULONG Index; /* index of this type */
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo; /* the important part: holds the procedure pointers, see below */
#ifdef POOL_TAGGING
ULONG Key;
#endif
} OBJECT_TYPE, *POBJECT_TYPE;
对象类型结构描述的就是 *IoFileObjectType、*PsProcessType、*PsThreadType 这些对象类型。
系统初始化时第一个创建的对象类型就是 Type 类型本身,它对应对象目录 \ObjectTypes;后面创建的类型都挂在这个目录下,
比如文件对象类型是 \ObjectTypes\File,设备对象类型是 \ObjectTypes\Device。
说白一点就是:要生成某种对象,就必须先有(或者指定)一个与之对应的对象类型结构。
最重要的一个数据结构
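/*
 * Per-type configuration embedded in OBJECT_TYPE.TypeInfo: attribute and
 * access-mask policy, pool charges, and the procedure pointers the object
 * manager calls for objects of this type.
 *
 * Fix relative to the listing as originally published: a comment was opened
 * after DumpProcedure and only closed after OkayToCloseProcedure, so the seven
 * procedure slots were commented out and the struct came out seven pointers
 * short. The explanation that lived in that comment is kept below, and the
 * members are live again. The driver source further down already had the
 * correct declaration.
 *
 * NOTE(review): undocumented, version-specific layout - verify against the
 * target build's symbols.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    USHORT Length;
    BOOLEAN UseDefaultObject;
    BOOLEAN CaseInsensitive;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    /*
     * The per-type "methods": these function pointers decide how open, close,
     * delete, name parsing, security and name queries behave for objects of
     * this type, so different OBJECT_TYPEs behave differently - know which
     * type you are looking at before touching them. Hooking file create/open
     * means replacing ParseProcedure (see Hook() below).
     */
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;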
这些方法什么时候被调用呢?举个例子:
调用 NtCreateFile 时的路径是 NtCreateFile -> IoCreateFile -> ObOpenObjectByName -> ObpLookupObjectName -> IopParseFile -> IopParseDevice,
其中 IopParseFile 最终也会调用 IopParseDevice。
所谓 Object Hook,就是替换对象类型里的某个方法指针:比如要拦截文件的创建/打开,替换的就是 File 类型的 OBJECT_TYPE_INITIALIZER->ParseProcedure。
需要注意:这些结构都是未公开的,不同 Windows 版本布局不同;改写内核对象类型是 rootkit 手法,在 64 位系统上一般会被 PatchGuard 检测而蓝屏。正式产品里拦截文件打开应该用文件系统 minifilter(FltRegisterFilter),拦截进程/线程句柄操作应该用 ObRegisterCallbacks。

以上转自www.tdcqjslt.com技术论坛
/***************************************************************************************
* AUTHOR : pandazheng
* DATE   : 2012-3-16
* MODULE : ObjectHook.C
* Command: 
* Source : object-type (ParseProcedure) hook sample driver
*
* Description:
* Hooks the File object type's ParseProcedure by walking from a FILE_OBJECT to its
* OBJECT_HEADER and OBJECT_TYPE. x86 only (inline assembly); undocumented structures.
*
****************************************************************************************
* Copyright (C) 2010 pandazheng.
****************************************************************************************/
#include <ntddk.h>

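/* Step back from an object body pointer to its OBJECT_HEADER (Body is the header's last member). */
#define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD((o), OBJECT_HEADER, Body)

/*
 * ntddk.h already provides CONTAINING_RECORD; redefining it with a different
 * expansion is a macro-redefinition warning (fatal under /WX), so only supply
 * a fallback when it is absent. The address argument is parenthesized so that
 * an expression argument (e.g. `c ? a : b`) is cast as a whole - the original
 * applied the cast to the first token only.
 */
#ifndef CONTAINING_RECORD
#define CONTAINING_RECORD(address, type, field) \
    ((type *)((ULONG_PTR)(address) - (ULONG_PTR)(&((type *)0)->field)))
#endif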

/*
 * Per-type configuration embedded in OBJECT_TYPE.TypeInfo. The procedure
 * pointers at the end are the per-type "methods" the object manager calls;
 * Hook() overwrites ParseProcedure for the File type.
 *
 * NOTE(review): undocumented, version-specific layout - verify against the
 * target build's symbols before writing through it.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
USHORT Length;
BOOLEAN UseDefaultObject;
BOOLEAN CaseInsensitive;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccessMask;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
BOOLEAN MaintainTypeList;
POOL_TYPE PoolType;
ULONG DefaultPagedPoolCharge;
ULONG DefaultNonPagedPoolCharge;
PVOID DumpProcedure;
PVOID OpenProcedure;
PVOID CloseProcedure;
PVOID DeleteProcedure;
PVOID ParseProcedure; /* called during name lookup; for File this is what Hook() replaces */
PVOID SecurityProcedure;
PVOID QueryNameProcedure;
PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;
/*
 * Object type descriptor (one per kind of object). OBJECT_HEADER.Type points
 * here; TypeInfo holds the procedure pointers.
 *
 * NOTE(review): undocumented layout that differs between Windows versions.
 */
typedef struct _OBJECT_TYPE {
ERESOURCE Mutex;
LIST_ENTRY TypeList;
UNICODE_STRING Name; /* type name, e.g. "File" */
PVOID DefaultObject;
ULONG Index;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
OBJECT_TYPE_INITIALIZER TypeInfo; /* procedure pointers; Hook() writes TypeInfo.ParseProcedure */
#ifdef POOL_TAGGING
ULONG Key;
#endif
} OBJECT_TYPE, *POBJECT_TYPE;
/*
 * Creation-time parameters referenced from OBJECT_HEADER.ObjectCreateInfo.
 * Declared only so OBJECT_HEADER below is complete; nothing in this driver
 * reads it.
 *
 * NOTE(review): undocumented layout - verify against the target build.
 */
typedef struct _OBJECT_CREATE_INFORMATION {
ULONG Attributes;
HANDLE RootDirectory;
PVOID ParseContext;
KPROCESSOR_MODE ProbeMode;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG SecurityDescriptorCharge;
PSECURITY_DESCRIPTOR SecurityDescriptor;
PSECURITY_QUALITY_OF_SERVICE SecurityQos;
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;
/*
 * Per-object header that immediately precedes the object body. Body is the
 * last member, which is what lets OBJECT_TO_OBJECT_HEADER() recover the
 * header from an object pointer with CONTAINING_RECORD.
 *
 * NOTE(review): undocumented, version-specific layout (XP/2003-era). Later
 * Windows releases changed the header, so Type may not be a pointer at this
 * offset on the target system - Hook() below compares the recovered Type with
 * *IoFileObjectType before trusting it, but still verify against symbols.
 */
typedef struct _OBJECT_HEADER {
LONG PointerCount; /* reference count (object references, as opposed to handles) */
union {
LONG HandleCount; /* number of open handles to the object */
PSINGLE_LIST_ENTRY SEntry;
};
POBJECT_TYPE Type; /* the object's type; Hook() follows this to reach TypeInfo.ParseProcedure */
UCHAR NameInfoOffset; /* offset used to locate the optional OBJECT_HEADER_NAME_INFO */
UCHAR HandleInfoOffset; /* offset used to locate the optional OBJECT_HEADER_HANDLE_INFO */
UCHAR QuotaInfoOffset; /* offset used to locate the optional quota info */
UCHAR Flags;
union
{
POBJECT_CREATE_INFORMATION ObjectCreateInfo; /* shares storage with QuotaBlockCharged, so presumably only valid during creation */
PVOID QuotaBlockCharged;
};
PSECURITY_DESCRIPTOR SecurityDescriptor;
QUAD Body; /* the object itself starts here */
} OBJECT_HEADER, *POBJECT_HEADER;

/* Hook state shared between Hook(), NewParseProcedure() and DriverUnload(). */
POBJECT_TYPE pType = NULL; /* the File object type whose ParseProcedure is hooked; set by Hook() */
POBJECT_HEADER addrs = NULL; /* header of the file object Hook() walked through; only used for a debug print */
PVOID OldParseProcedure = NULL; /* the original ParseProcedure, which NewParseProcedure forwards to */
/* NOTE(review): these have external linkage; `static` would keep them out of the kernel symbol namespace. */

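/*
 * Signature of the object manager's parse callback (OB_PARSE_METHOD). The
 * ten parameters are exactly the ones the original listing pushed by hand.
 */
typedef NTSTATUS (NTAPI *PFN_OB_PARSE_PROCEDURE)(
    IN PVOID ParseObject,
    IN PVOID ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN KPROCESSOR_MODE AccessMode,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object);

/*
 * Replacement ParseProcedure installed into the File object type by Hook().
 * The object manager calls it whenever a name lookup reaches a File object
 * (e.g. NtCreateFile -> ... -> ObpLookupObjectName), so every file open on the
 * system passes through here while the hook is in place.
 *
 * It logs one line and forwards all arguments unchanged to the procedure
 * saved in OldParseProcedure, returning that procedure's status. Hook()
 * stores OldParseProcedure before installing this function in the slot.
 *
 * Changes from the original listing: the hand-written x86 push sequence is
 * replaced by a typed call through a function pointer - same stdcall call,
 * same argument order, but readable, type-checked and not tied to 32-bit
 * inline assembly. The function is declared NTAPI because the slot expects a
 * stdcall callback; relying on the build's default convention is fragile and
 * gets the stack wrong if that default is cdecl.
 *
 * NOTE(review): a DbgPrint on every file open is noisy and slows the system;
 * keep it for the demo only.
 */
NTSTATUS NTAPI NewParseProcedure(IN PVOID ParseObject,
IN PVOID ObjectType,
IN OUT PACCESS_STATE AccessState,
IN KPROCESSOR_MODE AccessMode,
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object)
{
    PFN_OB_PARSE_PROCEDURE original = (PFN_OB_PARSE_PROCEDURE)OldParseProcedure;

    DbgPrint("Object is Hook\n");

    /* Pass-through: the original (IopParseFile for the File type, per the write-up) does the real work. */
    return original(ParseObject,
                    ObjectType,
                    AccessState,
                    AccessMode,
                    Attributes,
                    CompleteName,
                    RemainingName,
                    Context,
                    SecurityQos,
                    Object);
}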

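/*
 * Install NewParseProcedure as the File object type's ParseProcedure.
 *
 * Opens an arbitrary file to obtain a FILE_OBJECT, walks from it to its
 * OBJECT_HEADER and OBJECT_TYPE using the hand-declared layouts above, saves
 * the type's current ParseProcedure in OldParseProcedure, records the type in
 * pType (so DriverUnload can restore the slot) and writes NewParseProcedure
 * into the slot.
 *
 * Returns STATUS_SUCCESS when the hook is installed (or already was);
 * otherwise the failing NT status, with nothing left hooked.
 *
 * Changes from the original listing:
 *  - the object reference and the file handle are released on every path (the
 *    reference was never dropped before, and the handle leaked when
 *    ObReferenceObjectByHandle failed);
 *  - the file is opened with the least access needed and with sharing, so a
 *    read-only or already-open file still works (GENERIC_ALL with no sharing
 *    failed in both cases);
 *  - the handle is verified to be a File object, and the Type pointer read
 *    through the hand-declared header is compared with *IoFileObjectType
 *    before anything is written - a wrong OBJECT_HEADER layout on this kernel
 *    now fails cleanly instead of corrupting memory;
 *  - a NULL ParseProcedure is refused (the original's "check OldParseProcedure
 *    here" comment);
 *  - a second call is a no-op; before, it saved NewParseProcedure itself as the
 *    "original" and recursed forever on the next open.
 *
 * NOTE(review): the structures are undocumented and version-specific, the
 * inline assembly is x86-only, and overwriting a kernel object type is a
 * rootkit technique that Kernel Patch Protection is expected to bugcheck on
 * 64-bit Windows. The supported way to intercept file opens is a file system
 * minifilter (FltRegisterFilter). cli/sti and the CR0.WP clear affect the
 * current processor only; the slot write itself is a single aligned pointer
 * store, and the type lives in pool, so the WP clear is likely unnecessary
 * but is kept from the original.
 */
NTSTATUS Hook()
{
    NTSTATUS Status;
    HANDLE hFile = NULL;
    UNICODE_STRING Name;
    OBJECT_ATTRIBUTES Attributes;
    IO_STATUS_BLOCK IoStatusBlock;
    PVOID pObject = NULL;
    POBJECT_HEADER header;
    POBJECT_TYPE type;
    PVOID original;

    if (pType != NULL) {
        DbgPrint("Hook already installed\n");
        return STATUS_SUCCESS;
    }

    /* Any file object reaches the File type; this path is only the sample's fixture. */
    RtlInitUnicodeString(&Name, L"\\??\\C:\\1.txt");
    InitializeObjectAttributes(&Attributes, &Name, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);

    Status = ZwOpenFile(&hFile,
                        FILE_READ_ATTRIBUTES | SYNCHRONIZE,
                        &Attributes,
                        &IoStatusBlock,
                        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                        FILE_NON_DIRECTORY_FILE);
    if (!NT_SUCCESS(Status)) {
        DbgPrint("ZwOpenFile failed: %08X\n", Status);
        return Status;
    }

    /* Passing *IoFileObjectType makes the object manager reject a handle that is not a file object. */
    Status = ObReferenceObjectByHandle(hFile, 0, *IoFileObjectType, KernelMode, &pObject, NULL);
    if (!NT_SUCCESS(Status)) {
        DbgPrint("ObReferenceObjectByHandle failed: %08X\n", Status);
        goto close_handle;
    }
    DbgPrint("pObject is %p\n", pObject);

    header = OBJECT_TO_OBJECT_HEADER(pObject);
    type = header->Type;
    DbgPrint("pType is %p (header %p)\n", type, header);

    /* If the OBJECT_HEADER layout above does not match this kernel, Type is garbage: do not write through it. */
    if (type != *IoFileObjectType) {
        DbgPrint("OBJECT_HEADER layout mismatch: Type %p != *IoFileObjectType %p\n", type, *IoFileObjectType);
        Status = STATUS_OBJECT_TYPE_MISMATCH;
        goto deref_object;
    }

    original = type->TypeInfo.ParseProcedure;
    DbgPrint("OldParseProcedure address is %p\n", original);
    if (original == NULL) {
        /* Nothing to forward to; NewParseProcedure would call a NULL pointer. */
        Status = STATUS_NOT_SUPPORTED;
        goto deref_object;
    }

    /* Publish the forwarding target before the slot is swapped so the first hooked call finds it. */
    OldParseProcedure = original;
    pType = type;

    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h
        mov cr0, eax
    }

    type->TypeInfo.ParseProcedure = (PVOID)NewParseProcedure;

    __asm
    {
        mov eax, cr0
        or eax, 10000h
        mov cr0, eax
        sti
    }

    Status = STATUS_SUCCESS;

deref_object:
    /* The type object outlives this file object; the file was only a way to find the type. */
    ObDereferenceObject(pObject);
close_handle:
    ZwClose(hFile);
    return Status;
}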

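/*
 * Unload routine: restore the File type's ParseProcedure, then remove the
 * symbolic link and the device object.
 *
 * Fix relative to the original listing: the hook was never removed, so after
 * unload the File type still pointed at NewParseProcedure in unmapped memory
 * and the next file open on the system would bugcheck. The slot is restored
 * with the same CR0.WP / cli sequence Hook() used to write it. pType is reset
 * so Hook() could run again; OldParseProcedure is deliberately left in place
 * because a call that entered NewParseProcedure just before the restore may
 * still read it.
 *
 * NOTE(review): a parse call already executing inside NewParseProcedure when
 * the image is unmapped is not protected by this; the technique offers no
 * fully safe unload (a supported minifilter does).
 */
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    PDEVICE_OBJECT pDevObj;
    UNICODE_STRING SymLinkName;

    DbgPrint("DriverUnload Enter...\n");

    if (pType != NULL && OldParseProcedure != NULL) {
        __asm
        {
            cli
            mov eax, cr0
            and eax, not 10000h
            mov cr0, eax
        }

        pType->TypeInfo.ParseProcedure = OldParseProcedure;

        __asm
        {
            mov eax, cr0
            or eax, 10000h
            mov cr0, eax
            sti
        }

        pType = NULL;
        DbgPrint("ParseProcedure restored\n");
    }

    RtlInitUnicodeString(&SymLinkName, L"\\??\\ObjectHook");
    IoDeleteSymbolicLink(&SymLinkName);

    pDevObj = pDriverObject->DeviceObject;
    if (pDevObj != NULL) {
        IoDeleteDevice(pDevObj);
    }

    DbgPrint("DriverUnload Leave...\n");
}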

/*
 * Single dispatch routine for IRP_MJ_CREATE / CLOSE / READ / WRITE. Every
 * request is completed immediately with STATUS_SUCCESS and zero bytes
 * transferred: the driver has no user-mode protocol, the device exists only
 * so the driver can be opened.
 */
NTSTATUS ObjectHookDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
    const NTSTATUS result = STATUS_SUCCESS;

    UNREFERENCED_PARAMETER(pDevObj);

    DbgPrint("ObjectHookDispatchRoutine Enter...\n");

    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = result;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);

    DbgPrint("ObjectHookDispatchRoutine Leave...\n");

    return result;
}

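/*
 * Driver entry point: creates \Device\ObjectHook and its \??\ObjectHook link,
 * wires the no-op dispatch routine and DriverUnload, then installs the
 * ParseProcedure hook via Hook().
 *
 * Returns STATUS_SUCCESS, or the first failing status with everything created
 * so far torn down again.
 *
 * Fix relative to the original listing: when IoCreateSymbolicLink or Hook()
 * failed, DriverEntry returned an error but left the device (and link)
 * behind. The I/O manager does not call DriverUnload for a driver whose
 * DriverEntry fails, so those objects would have dangled. The device-extension
 * size is also passed as 0 rather than NULL (it is a ULONG, not a pointer).
 *
 * NOTE(review): the device is created with the default security descriptor,
 * so \\.\ObjectHook is openable by any user. The dispatch routine does nothing
 * with requests, so there is nothing to drive from user mode, but a real
 * driver would create the device with an SDDL string (IoCreateDeviceSecure).
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
{
    NTSTATUS ntStatus;
    UNICODE_STRING DevName, SymLinkName;
    PDEVICE_OBJECT pDevObj = NULL;

    UNREFERENCED_PARAMETER(pRegistryPath);

    DbgPrint("DriverEntry Enter...\n");

    RtlInitUnicodeString(&DevName, L"\\Device\\ObjectHook");
    ntStatus = IoCreateDevice(pDriverObject,
                              0,
                              &DevName,
                              FILE_DEVICE_UNKNOWN,
                              0,
                              TRUE,
                              &pDevObj);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("Create Device Failed...\n");
        return ntStatus;
    }
    DbgPrint("Create Device Successfully...\n");

    pDevObj->Flags |= DO_BUFFERED_IO;

    RtlInitUnicodeString(&SymLinkName, L"\\??\\ObjectHook");
    ntStatus = IoCreateSymbolicLink(&SymLinkName, &DevName);
    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint("Create SymbolicLink Failed...\n");
        IoDeleteDevice(pDevObj);
        return ntStatus;
    }
    DbgPrint("Create SymbolicLink Successfully...\n");

    pDriverObject->MajorFunction[IRP_MJ_CREATE] = ObjectHookDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_CLOSE] = ObjectHookDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_READ] = ObjectHookDispatchRoutine;
    pDriverObject->MajorFunction[IRP_MJ_WRITE] = ObjectHookDispatchRoutine;

    pDriverObject->DriverUnload = DriverUnload;

    ntStatus = Hook();
    if (!NT_SUCCESS(ntStatus)) {
        /* DriverUnload will not run after a failed DriverEntry: clean up here. */
        DbgPrint("Hook failed: %08X\n", ntStatus);
        IoDeleteSymbolicLink(&SymLinkName);
        IoDeleteDevice(pDevObj);
    }

    DbgPrint("Driver Entry Leave...\n");

    return ntStatus;
}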