Object Hook原始地址查找

 
自己写的 Object Hook 原始地址查找工具,通用性似乎还可以
2009-02-15 11:46

如题。

关于 SecurityProcedure 的说明:

部分 ObjectType 在创建时没有提供 SecurityProcedure,因此从磁盘映像中静态搜索得不到该地址;但 ObCreateObjectType 在发现 SecurityProcedure 为 NULL 时会自行填入 SeDefaultObjectMethod,这导致搜索结果为 NULL 而内核中的实际值不为 NULL(见下面 Process、Thread、Driver 三处 lkd 输出,SecurityProcedure 均为 nt!SeDefaultObjectMethod)。若直接把"文件中的值 != 内存中的值"判定为 Object Hook,这里会产生误报;正确做法是:当文件中搜出的 SecurityProcedure 为 NULL 时,把内存中的值与 SeDefaultObjectMethod 的地址比较,相等即视为未被 Hook,不相等才报告。另外注意,本文输出的非 NULL 地址与 lkd 中的实际地址之间相差一个固定值(本次运行为 0x800D8000,例如 Process 的 DeleteProcedure 004FACDC 对应 805d2cdc),比较前须先把两者换算到同一地址空间,否则所有非 NULL 项都会被误判为 Hook。

试图加载 ntkrnlpa.exe.
成功加载 ntkrnlpa.exe.
成功创建 Section.
成功映射 Section 于 7FD90000 长度 2150400 , 状态号 1073741827 (0x40000003,即 STATUS_IMAGE_NOT_AT_BASE,映像未映射到首选基址) .
开始查找 Object Procedure.
开始查找 Process.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004FACDC
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00000000
QueryNameProcedure: 00000000
SecurityProcedure: 00000000
开始查找 Thread.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004FAE64
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00000000
QueryNameProcedure: 00000000
SecurityProcedure: 00000000
开始查找 KeyObject.
OpenProcedure: 00000000
CloseProcedure: 0056006E
DeleteProcedure: 0055FF54
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00557F1C
QueryNameProcedure: 0055EDEE
SecurityProcedure: 0055FDB8
开始查找 File.
OpenProcedure: 00000000
CloseProcedure: 004AC6E8
DeleteProcedure: 004AC9C6
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 004AC5D6
QueryNameProcedure: 004AB680
SecurityProcedure: 004ACD4A
开始查找 Driver.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004AC62E
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00000000
QueryNameProcedure: 00000000
SecurityProcedure: 00000000
开始查找 Device.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004AC6A8
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 004AB7E8
QueryNameProcedure: 00000000
SecurityProcedure: 004ACD4A
查找 Object Procedure 完成.
退出.

lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsProcessType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0 ''
   +0x003 CaseInsensitive : 0 ''
   +0x004 InvalidAttributes : 0xb0
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask : 0x1f0fff
   +0x01c SecurityRequired : 0x1 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0x1000
   +0x028 DefaultNonPagedPoolCharge : 0x290
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : (null)
   +0x038 DeleteProcedure : 0x805d2cdc     void nt!PspProcessDelete+0
   +0x03c ParseProcedure   : (null)
   +0x040 SecurityProcedure : 0x805f9150     long nt!SeDefaultObjectMethod+0
   +0x044 QueryNameProcedure : (null)
   +0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsThreadType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0 ''
   +0x003 CaseInsensitive : 0 ''
   +0x004 InvalidAttributes : 0xb0
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask : 0x1f03ff
   +0x01c SecurityRequired : 0x1 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0
   +0x028 DefaultNonPagedPoolCharge : 0x288
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : (null)
   +0x038 DeleteProcedure : 0x805d2e64     void nt!PspThreadDelete+0
   +0x03c ParseProcedure   : (null)
   +0x040 SecurityProcedure : 0x805f9150     long nt!SeDefaultObjectMethod+0
   +0x044 QueryNameProcedure : (null)
   +0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(CmpKeyObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0x1 ''
   +0x003 CaseInsensitive : 0 ''
   +0x004 InvalidAttributes : 0x30
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask : 0x1f003f
   +0x01c SecurityRequired : 0x1 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 1 ( PagedPool )
   +0x024 DefaultPagedPoolCharge : 0x74
   +0x028 DefaultNonPagedPoolCharge : 0
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : 0x8063806e     void nt!CmpCloseKeyObject+0
   +0x038 DeleteProcedure : 0x80637f54     void nt!CmpDeleteKeyObject+0
   +0x03c ParseProcedure   : 0x8062ff1c     long nt!CmpParseKey+0
   +0x040 SecurityProcedure : 0x80637db8     long nt!CmpSecurityMethod+0
   +0x044 QueryNameProcedure : 0x80636dee     long nt!CmpQueryKeyName+0
   +0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoFileObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0 ''
   +0x003 CaseInsensitive : 0x1 ''
   +0x004 InvalidAttributes : 0x130
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask : 0x1f01ff
   +0x01c SecurityRequired : 0 ''
   +0x01d MaintainHandleCount : 0x1 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0x400
   +0x028 DefaultNonPagedPoolCharge : 0xe8
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : 0x805846e8     void nt!IopCloseFile+0
   +0x038 DeleteProcedure : 0x805849c6     void nt!IopDeleteFile+0
   +0x03c ParseProcedure   : 0x805845d6     long nt!IopParseFile+0
   +0x040 SecurityProcedure : 0x80584d4a     long nt!IopGetSetSecurityObject+0
   +0x044 QueryNameProcedure : 0x80583680     long nt!IopQueryName+0
   +0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDriverObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0x1 ''
   +0x003 CaseInsensitive : 0x1 ''
   +0x004 InvalidAttributes : 0x100
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask : 0x1f01ff
   +0x01c SecurityRequired : 0 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0
   +0x028 DefaultNonPagedPoolCharge : 0xd8
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : (null)
   +0x038 DeleteProcedure : 0x8058462e     void nt!IopDeleteDriver+0
   +0x03c ParseProcedure   : (null)
   +0x040 SecurityProcedure : 0x805f9150     long nt!SeDefaultObjectMethod+0
   +0x044 QueryNameProcedure : (null)
   +0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDeviceObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x4c
   +0x002 UseDefaultObject : 0x1 ''
   +0x003 CaseInsensitive : 0x1 ''
   +0x004 InvalidAttributes : 0x100
   +0x008 GenericMapping   : _GENERIC_MAPPING
   +0x018 ValidAccessMask : 0x1f01ff
   +0x01c SecurityRequired : 0 ''
   +0x01d MaintainHandleCount : 0 ''
   +0x01e MaintainTypeList : 0 ''
   +0x020 PoolType         : 0 ( NonPagedPool )
   +0x024 DefaultPagedPoolCharge : 0
   +0x028 DefaultNonPagedPoolCharge : 0xe8
   +0x02c DumpProcedure    : (null)
   +0x030 OpenProcedure    : (null)
   +0x034 CloseProcedure   : (null)
   +0x038 DeleteProcedure : 0x805846a8     void nt!IopDeleteDevice+0
   +0x03c ParseProcedure   : 0x805837e8     long nt!IopParseDevice+0
   +0x040 SecurityProcedure : 0x80584d4a     long nt!IopGetSetSecurityObject+0
   +0x044 QueryNameProcedure : (null)
   +0x048 OkayToCloseProcedure : (null)

