以下代码是sysnap早期发表的inlinehook ObReferenceObjectByHandle()的代码。大部分看懂了,但是有些看不懂,google也查了,qq群也问了。哪位高手有时间给科普下哈~ 可怜下偶们菜鸟吧。。。
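/*
 * Trampoline that the 5-byte JMP written over ObReferenceObjectByHandle lands
 * on (32-bit x86, MSVC inline asm). It is never called directly: control
 * arrives via the JMP with the caller's __stdcall frame untouched, so the
 * declared return type is nominal and this function never returns itself.
 *
 * Flow:
 *   1. Replay the three prologue instructions the JMP overwrote
 *      (mov edi,edi / push ebp / mov ebp,esp = 8B FF 55 8B EC).
 *   2. Push the six original arguments again and call
 *      MyObReferenceObjectByHandle, which returns 1 for a handle to the
 *      protected process and 0 otherwise.
 *   3. Resume the real function at ObReferenceObjectByHandle + 5, i.e. just
 *      past the overwritten bytes. On a return of 1, Handle in the caller's
 *      frame is first replaced with -1.
 *
 * NOTE(review): (HANDLE)-1 is the NtCurrentProcess() pseudo-handle. Rather
 * than failing, ObReferenceObjectByHandle resolves it to the calling process
 * when ObjectType is PsProcessType, so the request is redirected to the
 * caller itself (e.g. a terminate becomes a self-terminate). If an outright
 * STATUS_INVALID_HANDLE is wanted, write 0 instead of -1. Kept as-is because
 * the rest of the driver may rely on the current effect.
 * NOTE(review): the +5 resume point is only valid when the target starts with
 * exactly that hot-patch prologue; verify against the kernel build in use.
 * NOTE(review): the stub does not pop the 24 bytes of arguments after the
 * call. That is correct only if MyObReferenceObjectByHandle is __stdcall
 * (e.g. a driver built with /Gz); under __cdecl an `add esp, 24` belongs
 * right after the call. The omission is masked because the real function's
 * epilogue restores esp from ebp, but the frame is 24 bytes low until then.
 * NOTE(review): confirm `mov eax, ObReferenceObjectByHandle` resolves to the
 * kernel export and not to an import thunk inside this module; otherwise
 * the +5 target is wrong.
 *
 * Changes from the original listing: explicit return type, explicit operand
 * sizes on memory operands, the `end` label renamed (MASM keyword), and the
 * function's missing closing brace restored.
 */
__declspec(naked) int T_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    _asm
    {
        mov edi, edi                        // replay the 5 overwritten prologue bytes
        push ebp
        mov ebp, esp
        push dword ptr [ebp+0x1c]           // HandleInformation
        push dword ptr [ebp+0x18]           // Object
        push dword ptr [ebp+0x14]           // AccessMode
        push dword ptr [ebp+0x10]           // ObjectType
        push dword ptr [ebp+0xc]            // DesiredAccess
        push dword ptr [ebp+8]              // Handle
        call MyObReferenceObjectByHandle    // policy decision: 1 = block, 0 = allow
        cmp eax, 1
        jz deny_handle
        mov eax, ObReferenceObjectByHandle  // allow: resume the real function
        add eax, 5                          // skip the 5 bytes now holding the JMP
        jmp eax
    deny_handle:
        mov dword ptr [ebp+8], -1           // overwrite Handle in the caller's frame (see NOTE above)
        mov eax, ObReferenceObjectByHandle
        add eax, 5
        jmp eax                             // real routine runs with the replaced handle
    }
}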
//对原来函数是否要让其正常运行的判断由MyObReferenceObjectByHandle完成
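/*
 * Policy half of the ObReferenceObjectByHandle inline hook; entered from the
 * T_ObReferenceObjectByHandle trampoline with the caller's six arguments.
 *
 * Returns 1 when Handle is a process handle (ObjectType == *PsProcessType)
 * whose EPROCESS image name equals ProtectName, 0 in every other case.
 * The trampoline uses 1 to block the request; 0 lets the real function run.
 *
 * Parameters are the real routine's: Handle, DesiredAccess, ObjectType,
 * AccessMode, Object, HandleInformation. Only the first four are used here.
 *
 * How it works: with IRQL at DISPATCH_LEVEL, interrupts off and CR0.WP
 * cleared, the saved 5-byte prologue is written back over the JMP so the real
 * ObReferenceObjectByHandle can be called without re-entering the trampoline;
 * the JMP is re-installed before the region is left.
 *
 * NOTE(review): the CLI/CR0 window protects this CPU only. On a multiprocessor
 * machine another CPU can execute the function while its first bytes are
 * being rewritten or while the hook is absent.
 * NOTE(review): ObReferenceObjectByHandle is documented as a PASSIVE_LEVEL
 * routine; calling it at DISPATCH_LEVEL with interrupts disabled, as this
 * design does, is outside its contract.
 * NOTE(review): ProtectName is a global defined elsewhere in the driver.
 *
 * Fixes over the original: the NTSTATUS of the inner call is checked before
 * the EPROCESS pointer is read (previously an uninitialised pointer was
 * dereferenced on failure, e.g. STATUS_ACCESS_DENIED), the reference it takes
 * is released with ObDereferenceObject (previously leaked on every process
 * handle), and the duplicated re-hook/exit sequence is written once.
 */
int MyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    enum
    {
        HOOK_LENGTH = 5,                /* bytes covered by the JMP rel32 */
        /* EPROCESS.ImageFileName offset used by the original author.
         * NOTE(review): undocumented and build-specific; re-verify for the
         * target kernel, or prefer PsGetProcessImageFileName() where it is
         * exported. */
        IMAGE_FILE_NAME_OFFSET = 0x174
    };
    /* mov edi,edi / push ebp / mov ebp,esp: the bytes the hook overwrote. */
    unsigned char savedPrologue[HOOK_LENGTH] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };
    /* jmp rel32; the displacement is patched in below. */
    unsigned char jmpStub[HOOK_LENGTH] = { 0xe9, 0x00, 0x00, 0x00, 0x00 };
    PEPROCESS process = NULL;
    NTSTATUS status;
    KIRQL oldIrql;
    int jmpOffset;
    int isProtected = 0;

    UNREFERENCED_PARAMETER(Object);
    UNREFERENCED_PARAMETER(HandleInformation);

    /* Only process handles are of interest; everything else runs untouched.
     * NOTE(review): a caller passing ObjectType == NULL for a process handle
     * bypasses this filter. */
    if (*PsProcessType != ObjectType)
        return 0;

    oldIrql = KeRaiseIrqlToDpcLevel();
    __asm
    {
        CLI                             // no interrupts while the code bytes are inconsistent
        MOV eax, CR0
        AND eax, NOT 10000H             // clear CR0.WP: allow ring-0 writes to read-only pages
        MOV CR0, eax
    }

    /* Temporarily remove the hook so the call below reaches the real code
     * instead of recursing into the trampoline. */
    RtlCopyMemory((PVOID)ObReferenceObjectByHandle, savedPrologue, HOOK_LENGTH);

    status = ObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,
                                       AccessMode, (PVOID *)&process, NULL);
    if (NT_SUCCESS(status) && process != NULL)
    {
        /* NOTE(review): ImageFileName is a fixed-size field; a long name may
         * not be NUL-terminated, so a length-bounded compare would be safer. */
        if (_stricmp((char *)process + IMAGE_FILE_NAME_OFFSET, ProtectName) == 0)
            isProtected = 1;
        ObDereferenceObject(process);   /* drop the reference taken above */
    }

    /* Re-install the hook. A JMP rel32 is relative to the address after the
     * 5-byte instruction, hence the subtraction of HOOK_LENGTH. */
    jmpOffset = (int)((char *)T_ObReferenceObjectByHandle
                      - (char *)ObReferenceObjectByHandle) - HOOK_LENGTH;
    RtlCopyMemory(jmpStub + 1, &jmpOffset, sizeof(jmpOffset));
    RtlCopyMemory((PVOID)ObReferenceObjectByHandle, jmpStub, HOOK_LENGTH);

    __asm
    {
        MOV eax, CR0
        OR eax, 10000H                  // restore CR0.WP
        MOV CR0, eax
        STI
    }
    KeLowerIrql(oldIrql);

    return isProtected;
}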
PsProcessType
这个是什么,在哪定义?一般是用来做什么的。。。
oldIrql = KeRaiseIrqlToDpcLevel();
这条语句做什么的?并且返回值oldIrql是什么啊?
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
和
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
是什么意思,大概在google上查了下,貌似和打开/管理 中断请求有关系。。。
JmpOffSet = (char*)T_ObReferenceObjectByHandle - (char*)ObReferenceObjectByHandle - 5;
为什么最后还要减5呀?
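/*
 * Trampoline that the 5-byte JMP written over ObReferenceObjectByHandle lands
 * on (32-bit x86, MSVC inline asm). It is never called directly: control
 * arrives via the JMP with the caller's __stdcall frame untouched, so the
 * declared return type is nominal and this function never returns itself.
 *
 * Flow:
 *   1. Replay the three prologue instructions the JMP overwrote
 *      (mov edi,edi / push ebp / mov ebp,esp = 8B FF 55 8B EC).
 *   2. Push the six original arguments again and call
 *      MyObReferenceObjectByHandle, which returns 1 for a handle to the
 *      protected process and 0 otherwise.
 *   3. Resume the real function at ObReferenceObjectByHandle + 5, i.e. just
 *      past the overwritten bytes. On a return of 1, Handle in the caller's
 *      frame is first replaced with -1.
 *
 * NOTE(review): (HANDLE)-1 is the NtCurrentProcess() pseudo-handle. Rather
 * than failing, ObReferenceObjectByHandle resolves it to the calling process
 * when ObjectType is PsProcessType, so the request is redirected to the
 * caller itself (e.g. a terminate becomes a self-terminate). If an outright
 * STATUS_INVALID_HANDLE is wanted, write 0 instead of -1. Kept as-is because
 * the rest of the driver may rely on the current effect.
 * NOTE(review): the +5 resume point is only valid when the target starts with
 * exactly that hot-patch prologue; verify against the kernel build in use.
 * NOTE(review): the stub does not pop the 24 bytes of arguments after the
 * call. That is correct only if MyObReferenceObjectByHandle is __stdcall
 * (e.g. a driver built with /Gz); under __cdecl an `add esp, 24` belongs
 * right after the call. The omission is masked because the real function's
 * epilogue restores esp from ebp, but the frame is 24 bytes low until then.
 * NOTE(review): confirm `mov eax, ObReferenceObjectByHandle` resolves to the
 * kernel export and not to an import thunk inside this module; otherwise
 * the +5 target is wrong.
 *
 * Changes from the original listing: explicit return type, explicit operand
 * sizes on memory operands, the `end` label renamed (MASM keyword), and the
 * function's missing closing brace restored.
 */
__declspec(naked) int T_ObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    _asm
    {
        mov edi, edi                        // replay the 5 overwritten prologue bytes
        push ebp
        mov ebp, esp
        push dword ptr [ebp+0x1c]           // HandleInformation
        push dword ptr [ebp+0x18]           // Object
        push dword ptr [ebp+0x14]           // AccessMode
        push dword ptr [ebp+0x10]           // ObjectType
        push dword ptr [ebp+0xc]            // DesiredAccess
        push dword ptr [ebp+8]              // Handle
        call MyObReferenceObjectByHandle    // policy decision: 1 = block, 0 = allow
        cmp eax, 1
        jz deny_handle
        mov eax, ObReferenceObjectByHandle  // allow: resume the real function
        add eax, 5                          // skip the 5 bytes now holding the JMP
        jmp eax
    deny_handle:
        mov dword ptr [ebp+8], -1           // overwrite Handle in the caller's frame (see NOTE above)
        mov eax, ObReferenceObjectByHandle
        add eax, 5
        jmp eax                             // real routine runs with the replaced handle
    }
}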
//对原来函数是否要让其正常运行的判断由MyObReferenceObjectByHandle完成
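/*
 * Policy half of the ObReferenceObjectByHandle inline hook; entered from the
 * T_ObReferenceObjectByHandle trampoline with the caller's six arguments.
 *
 * Returns 1 when Handle is a process handle (ObjectType == *PsProcessType)
 * whose EPROCESS image name equals ProtectName, 0 in every other case.
 * The trampoline uses 1 to block the request; 0 lets the real function run.
 *
 * Parameters are the real routine's: Handle, DesiredAccess, ObjectType,
 * AccessMode, Object, HandleInformation. Only the first four are used here.
 *
 * How it works: with IRQL at DISPATCH_LEVEL, interrupts off and CR0.WP
 * cleared, the saved 5-byte prologue is written back over the JMP so the real
 * ObReferenceObjectByHandle can be called without re-entering the trampoline;
 * the JMP is re-installed before the region is left.
 *
 * NOTE(review): the CLI/CR0 window protects this CPU only. On a multiprocessor
 * machine another CPU can execute the function while its first bytes are
 * being rewritten or while the hook is absent.
 * NOTE(review): ObReferenceObjectByHandle is documented as a PASSIVE_LEVEL
 * routine; calling it at DISPATCH_LEVEL with interrupts disabled, as this
 * design does, is outside its contract.
 * NOTE(review): ProtectName is a global defined elsewhere in the driver.
 *
 * Fixes over the original: the NTSTATUS of the inner call is checked before
 * the EPROCESS pointer is read (previously an uninitialised pointer was
 * dereferenced on failure, e.g. STATUS_ACCESS_DENIED), the reference it takes
 * is released with ObDereferenceObject (previously leaked on every process
 * handle), and the duplicated re-hook/exit sequence is written once.
 */
int MyObReferenceObjectByHandle(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType OPTIONAL,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
)
{
    enum
    {
        HOOK_LENGTH = 5,                /* bytes covered by the JMP rel32 */
        /* EPROCESS.ImageFileName offset used by the original author.
         * NOTE(review): undocumented and build-specific; re-verify for the
         * target kernel, or prefer PsGetProcessImageFileName() where it is
         * exported. */
        IMAGE_FILE_NAME_OFFSET = 0x174
    };
    /* mov edi,edi / push ebp / mov ebp,esp: the bytes the hook overwrote. */
    unsigned char savedPrologue[HOOK_LENGTH] = { 0x8b, 0xff, 0x55, 0x8b, 0xec };
    /* jmp rel32; the displacement is patched in below. */
    unsigned char jmpStub[HOOK_LENGTH] = { 0xe9, 0x00, 0x00, 0x00, 0x00 };
    PEPROCESS process = NULL;
    NTSTATUS status;
    KIRQL oldIrql;
    int jmpOffset;
    int isProtected = 0;

    UNREFERENCED_PARAMETER(Object);
    UNREFERENCED_PARAMETER(HandleInformation);

    /* Only process handles are of interest; everything else runs untouched.
     * NOTE(review): a caller passing ObjectType == NULL for a process handle
     * bypasses this filter. */
    if (*PsProcessType != ObjectType)
        return 0;

    oldIrql = KeRaiseIrqlToDpcLevel();
    __asm
    {
        CLI                             // no interrupts while the code bytes are inconsistent
        MOV eax, CR0
        AND eax, NOT 10000H             // clear CR0.WP: allow ring-0 writes to read-only pages
        MOV CR0, eax
    }

    /* Temporarily remove the hook so the call below reaches the real code
     * instead of recursing into the trampoline. */
    RtlCopyMemory((PVOID)ObReferenceObjectByHandle, savedPrologue, HOOK_LENGTH);

    status = ObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,
                                       AccessMode, (PVOID *)&process, NULL);
    if (NT_SUCCESS(status) && process != NULL)
    {
        /* NOTE(review): ImageFileName is a fixed-size field; a long name may
         * not be NUL-terminated, so a length-bounded compare would be safer. */
        if (_stricmp((char *)process + IMAGE_FILE_NAME_OFFSET, ProtectName) == 0)
            isProtected = 1;
        ObDereferenceObject(process);   /* drop the reference taken above */
    }

    /* Re-install the hook. A JMP rel32 is relative to the address after the
     * 5-byte instruction, hence the subtraction of HOOK_LENGTH. */
    jmpOffset = (int)((char *)T_ObReferenceObjectByHandle
                      - (char *)ObReferenceObjectByHandle) - HOOK_LENGTH;
    RtlCopyMemory(jmpStub + 1, &jmpOffset, sizeof(jmpOffset));
    RtlCopyMemory((PVOID)ObReferenceObjectByHandle, jmpStub, HOOK_LENGTH);

    __asm
    {
        MOV eax, CR0
        OR eax, 10000H                  // restore CR0.WP
        MOV CR0, eax
        STI
    }
    KeLowerIrql(oldIrql);

    return isProtected;
}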
PsProcessType
这个是什么,在哪定义?一般是用来做什么的。。。
oldIrql = KeRaiseIrqlToDpcLevel();
这条语句做什么的?并且返回值oldIrql是什么啊?
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
和
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
是什么意思,大概在google上查了下,貌似和打开/管理 中断请求有关系。。。
JmpOffSet = (char*)T_ObReferenceObjectByHandle - (char*)ObReferenceObjectByHandle - 5;
为什么最后还要减5呀?