#include "getSSDTfun.h"
//#include "HookShadowSSDT.h"
/*
 * Forward declarations of the driver's own entry points; all are defined
 * later in this file.
 * NOTE(review): InitCallNumber is declared with an empty parameter list
 * (no prototype); its only call site in DriverEntry is commented out.
 */
VOID InitCallNumber();
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject);                              // DriverUnload
NTSTATUS HideProcess_Create(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);       // IRP_MJ_CREATE
NTSTATUS HideProcess_Close(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);        // IRP_MJ_CLOSE
NTSTATUS HideProcess_IoControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp);    // IRP_MJ_DEVICE_CONTROL
/// Native (win32k) API declarations ///
/*
 * Function-pointer types for the win32k.sys shadow-SSDT services this file
 * replaces (see hookShadowSSDT) and for the saved originals (g_Original*).
 * These services are undocumented; the signatures are as the author gave them.
 * NOTE(review): NTUSERFINDWINDOWEX is typed as returning NTSTATUS, but
 * MyNtUserFindWindowEx stores its result in a ULONG and passes it to
 * NtUserQueryWindow as a window handle, so the value is really treated as an
 * HWND-sized quantity.
 */
typedef HDC (*NTUSERGETDC)(HWND hWnd );
typedef HDC (*NTUSERGETDCEX)(HWND hWnd OPTIONAL, HANDLE ClipRegion, ULONG Flags);
typedef NTSTATUS (*NTUSERFINDWINDOWEX)(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName OPTIONAL,
    IN PUNICODE_STRING pstrWindowName OPTIONAL,
    IN DWORD dwType);
typedef NTSTATUS (*NTUSERBUILDHWNDLIST)(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,       // caller-supplied array, filled by the service
    OUT ULONG *pcHwndNeeded);   // number of handles written
typedef UINT_PTR (*NTUSERQUERYWINDOW)(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation);  // the hooks below only ever pass 0 here and treat the result as a PID
typedef ULONG (*NTUSERGETFOREGROUNDWINDOW)(VOID);
typedef HWND (*NTUSERWINDOWFROMPOINT)(LONG, LONG);
/*
 * Replacement routines that hookShadowSSDT() writes into the shadow SSDT in
 * place of the services typed above. Each mirrors the signature of the
 * service it replaces; definitions are at the end of this file.
 */
HDC
MyNtUserGetDC(
    HWND hWnd
    );
HDC MyNtUserGetDCEx(HWND hWnd OPTIONAL, HANDLE ClipRegion, ULONG Flags);
NTSTATUS MyNtUserFindWindowEx(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName OPTIONAL,
    IN PUNICODE_STRING pstrWindowName OPTIONAL,
    IN DWORD dwType);
NTSTATUS MyNtUserBuildHwndList(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,
    OUT ULONG* pcHwndNeeded);
UINT_PTR MyNtUserQueryWindow(
    IN ULONG WindowHandle,
    IN ULONG TypeInformation);
ULONG MyNtUserGetForegroundWindow(VOID);
HWND MyNtUserWindowFromPoint(LONG x, LONG y);
/*
 * File-scope state. Everything here is non-static and zero-initialised by
 * the loader unless an initialiser is given. All addresses are kept as
 * 32-bit ULONGs, i.e. this file is x86-32 only.
 */
unsigned long OldCr0;                  // not referenced in this file; presumably used by MemOpen/MemClose in the header — TODO confirm
UNICODE_STRING DeviceNameString;       // device name, set in DriverEntry
UNICODE_STRING LinkDeviceNameString;   // symbolic link name, set in DriverEntry
/* Saved shadow-SSDT entries. NOTE(review): the only code that assigns these
 * (in DriverEntry) is commented out, so in the live code they stay NULL. */
NTUSERGETDC g_OriginalNtUserGetDC;
NTUSERGETDCEX g_OriginalNtUserGetDCEx;
NTUSERFINDWINDOWEX g_OriginalNtUserFindWindowEx;
NTUSERBUILDHWNDLIST g_OriginalNtUserBuildHwndList;
NTUSERQUERYWINDOW g_OriginalNtUserQueryWindow;
NTUSERGETFOREGROUNDWINDOW g_OriginalNtUserGetForegroundWindow;
NTUSERWINDOWFROMPOINT g_OriginalNtUserWindowFromPoint;
PEPROCESS crsEProc;                    // csrss EPROCESS, assigned (and never dereferenced) in UnloadDriver
CCHAR outBuf[1024];                    // input buffer size (unused in this file)
PVOID gpEventObject = NULL;            // event handle (unused in this file)
HANDLE ProcessIdToProtect = (HANDLE)0; // PID whose windows the shadow-SSDT hooks hide; set by IO_PROTECT
/* Shadow-SSDT service numbers, filled per OS version by InitCallNumber(). */
ULONG NtUserGetDC_callnumber = 0;
ULONG NtUserGetDCEx_callnumber = 0;
ULONG NtUserFindWindowEx_callnumber = 0; // service number of NtUserFindWindowEx
ULONG NtUserGetForegroundWindow_callnumber = 0;
ULONG NtUserQueryWindow_callnumber = 0;
ULONG NtUserBuildHwndList_callnumber = 0;
ULONG NtUserWindowFromPoint_callnumber = 0;
ULONG LastForegroundWindow;            // last foreground HWND not owned by ProcessIdToProtect (see MyNtUserGetForegroundWindow)
//-------------- inline NtOpenProcess/NtOpenThread call hook of ObOpenObjectByPointer -----------//
NTKERNELAPI PEPROCESS IoThreadToProcess (IN PETHREAD Thread);
NTKERNELAPI NTSTATUS ObOpenObjectByPointer(
    IN PVOID Object,
    IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PHANDLE Handle
    );
ULONG ObOpenObjectByPointeradd;        // address of ObOpenObjectByPointer (Init_fn)
ULONG OldCallThreadCode,OldCallProcessCode;   // original rel32 of the patched call sites, for restore
ULONG OldThread,OldProcess,AddrRead,AddrWrite,OldWriteMemory,OldReadMemory,AddrGet,AddrSet; // Nt* entry points, SSDT slot addresses and their original values
ULONG readMemI,writeMemI,NtOpenProcessI,NtOpenThreadI;   // unused in this file
BYTE JmpAddressReadM[5]={0xe9,0,0,0,0},JmpAddressWriteM[5]={0xe9,0,0,0,0}; // E9 rel32 templates; rel32 filled in by Save_fn
PUCHAR pNtOpenThread=NULL;             // patched call site inside NtOpenThread, or (PUCHAR)1 if not found
PUCHAR pNtOpenProcess=NULL;            // patched call site inside NtOpenProcess, or (PUCHAR)1 if not found
BYTE OriginalReadMemBytes[7]={0}, OriginalWriteMemBytes[7]={0}; // first 7 bytes of the original Nt*VirtualMemory
BYTE OldKiAttachBytes[7]={0};          // first 7 bytes at KiAttachAddr
ULONG KiAttachAddr;                    // resolved by Init_fn from the first E8 byte after KeAttachProcess
char* ProtectName = "notepad.exe";     // image name the ObOpenObjectByPointer detours refuse to open (distinct from ProcessIdToProtect)
ULONG g_NtGetThreadContext = 0;        // original SSDT entry at AddrGet
ULONG g_NtSetThreadContext = 0;        // original SSDT entry at AddrSet
//ULONG g_PsCreateSystemThread=0;
// ULONG g_Jmp_PsCreateSystemThread = 0;
// ULONG g_PsCreateSystemThread_fn = 0;
//ULONG g_StartRoutine = 0;
//BYTE g_PsCreateSystemThread_Head[5] = {0};
//--------------------------------------------------------------------------//
// Detour used for NtOpenThread
/*
 * Detour for the `call ObOpenObjectByPointer` inside NtOpenThread; the call
 * site is rewritten by CallAddrHook() from Init_fn(). Parameters are those
 * of ObOpenObjectByPointer, with Object being the target thread.
 *
 * Returns STATUS_ACCESS_DENIED, without creating a handle, when the ASCII
 * string at offset 0x174 of the thread's owning process object matches
 * ProtectName case-insensitively; otherwise forwards to the real function
 * and returns its status.
 *
 * NOTE(review): 0x174 is a hard-coded, build-specific offset into the
 * process object (presumably the image-file-name field — not verified here);
 * nothing checks the OS build, so elsewhere the compare reads arbitrary
 * bytes. Refusing every opener, including SYSTEM, is itself an observable
 * anomaly.
 */
NTSTATUS MyObOpenObjectByPointer_forThread(IN PVOID Object,IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,OUT PHANDLE Handle)
{
    //if (IoThreadToProcess(Object)==MyProcess)
    if( _stricmp((char *)((ULONG)IoThreadToProcess(Object)+0x174),ProtectName)==0)
    {
        return STATUS_ACCESS_DENIED;
    }
    else
    {
        return ObOpenObjectByPointer (Object, HandleAttributes,PassedAccessState,
            DesiredAccess,ObjectType,AccessMode,Handle);
    }
}
//NtOpenProcess
/*
 * Detour for the `call ObOpenObjectByPointer` inside NtOpenProcess (patched
 * by CallAddrHook() from Init_fn()). Same contract as the thread variant
 * above, except Object is the process object itself, so the name compare
 * reads offset 0x174 of Object directly.
 *
 * NOTE(review): same hard-coded, unvalidated offset as in
 * MyObOpenObjectByPointer_forThread.
 */
NTSTATUS MyObOpenObjectByPointer_forProcess(IN PVOID Object,IN ULONG HandleAttributes,
    IN PACCESS_STATE PassedAccessState OPTIONAL,
    IN ACCESS_MASK DesiredAccess OPTIONAL,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,OUT PHANDLE Handle)
{
    if( _stricmp((char *)((ULONG)(Object)+0x174),ProtectName)==0)
    // if (Object==MyProcess)
    {
        return STATUS_ACCESS_DENIED;
    }
    else
    {
        return ObOpenObjectByPointer (Object, HandleAttributes,PassedAccessState,
            DesiredAccess,ObjectType,AccessMode,Handle);
    }
}
/*
 * SSDT replacement for ZwReadVirtualMemory (slot AddrRead, installed by
 * Save_fn()). The compiled body is only a 7-byte placeholder — `push 0x1c`
 * (2 bytes) plus `push 804daef0h` (5 bytes, a hard-coded kernel address).
 * Save_fn() overwrites these 7 bytes with the original function's first 7
 * bytes and writes a 5-byte jmp to original+7 immediately after, so nothing
 * in this body executes as written. The author's comment says the aim is to
 * get past an inline hook on the original's first 7 bytes; whether that holds
 * depends on those bytes being pristine when Save_fn() copies them, which
 * this file does not check. No read request is filtered here; the net effect
 * is an SSDT entry pointing into this driver, which SSDT-integrity checks
 * report.
 * NOTE(review): as written, `jmp [OldReadMemory+7]` appears to load its
 * target from the memory at &OldReadMemory+7 rather than jump to
 * OldReadMemory+7; immaterial only because it is replaced before use.
 */
__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(HANDLE ProcessHandle,
    PVOID BaseAddress,
    PVOID Buffer,
    ULONG NumberOfBytesToRead,
    PULONG NumberOfBytesReaded)
{
    __asm
    {
        push 0x1c
        push 804daef0h // 7 bytes in total together with the push above
        jmp [OldReadMemory+7] // jump to original+7, past the 7 inline-hooked bytes (overwritten by Save_fn)
    }
}
/*
 * SSDT replacement for ZwWriteVirtualMemory (slot AddrWrite). Identical in
 * construction to MyNtReadVirtualMemory: a 7-byte placeholder that Save_fn()
 * overwrites with the original's first 7 bytes followed by a jmp to
 * original+7. The `push 804eb560h` immediate is another hard-coded kernel
 * address. Nothing is filtered here.
 * (The last parameter is named NumberOfBytesReaded — a copy of the read
 * variant; it is never referenced.)
 */
__declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(HANDLE ProcessHandle,
    PVOID BaseAddress,
    PVOID Buffer,
    ULONG NumberOfBytesToWrite,
    PULONG NumberOfBytesReaded)
{
    __asm
    {
        push 0x1c
        push 804eb560h // 7-byte placeholder, replaced by Save_fn
        jmp [OldWriteMemory+7] // replaced by Save_fn as well
    }
}
// Starting at StartAddr, search Size bytes for a CALL to OldAddr and redirect it to NewAddr
/*
 * Walks up to Size bytes of code from StartAddr one instruction at a time
 * (instruction length from SizeOfCode(), a helper from the header) looking
 * for a 5-byte E8 CALL whose rel32 resolves to OldAddr. The first match has
 * its rel32 rewritten so the call lands on NewAddr instead.
 *
 * Returns the address of the patched CALL opcode, or (PUCHAR)1 if no match
 * was patched (callers compare against 1, not NULL). The walk also stops
 * early when SizeOfCode() returns 0.
 *
 * The write is done with write protection lifted (MemOpen/MemClose, header
 * helpers) and at DISPATCH_LEVEL. All arithmetic is 32-bit: x86-32 only.
 * Detection note: after this runs, a CALL inside NtOpenProcess/NtOpenThread
 * targets an address outside the kernel image — the condition code-integrity
 * scanners look for.
 */
PUCHAR CallAddrHook( ULONG StartAddr,ULONG OldAddr,ULONG Size,PVOID NewAddr)//
{
    PUCHAR cPtr, pOpcode;
    ULONG Length,Tmp;
    for (cPtr=(PUCHAR)StartAddr;(ULONG)cPtr<(ULONG)StartAddr+Size;cPtr += Length)
    {
        Length = SizeOfCode(cPtr, &pOpcode);// length of the current instruction
        if (!Length) break;
        if (Length ==5 && *cPtr==0xE8)// 5-byte instruction whose first byte is E8 (CALL rel32)
        {// CALL uses a relative displacement, so compute what rel32 to OldAddr would be
            if ( OldAddr-(ULONG)cPtr-5 == *(PULONG)(cPtr+1)) // is this the CALL to OldAddr?
            {
                KIRQL Irql;
                Tmp=(ULONG)NewAddr-(ULONG)cPtr-5;// rel32 to our replacement
                MemOpen();
                Irql=KeRaiseIrqlToDpcLevel();
                *(PULONG)(cPtr+1)=Tmp;// overwrite the displacement in place (author notes a certain AV adds a trampoline instead)
                KeLowerIrql(Irql);
                MemClose();
                return cPtr;
            }
        }
    }
    return (PUCHAR)1; // sentinel: nothing patched
}
/*
 * Naked jump stub to the original NtGetContextThread entry saved in
 * g_NtGetThreadContext by Init_fn(). No prologue: the caller's arguments stay
 * on the stack and the original returns straight to the caller.
 */
__declspec(naked) NTSTATUS _MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
    __asm
    {
        jmp dword ptr[g_NtGetThreadContext]
    }
}
/*
 * Naked jump stub to the original NtSetContextThread entry saved in
 * g_NtSetThreadContext by Init_fn(). Same construction as
 * _MyNtGetThreadContext.
 */
__declspec(naked) NTSTATUS _MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
    __asm
    {
        jmp dword ptr[g_NtSetThreadContext]
    }
}
/*
 * SSDT replacement written into slot AddrGet by Save_fn().
 * If the calling process's image name (PsGetProcessImageFileName) is anything
 * other than "dnf.exe" the call is forwarded unchanged through
 * _MyNtGetThreadContext. For "dnf.exe" the original is never reached and
 * STATUS_UNSUCCESSFUL is returned, so that process cannot obtain any thread
 * context (the commented-out variant below instead zeroed the debug
 * registers in the returned context).
 * Detection note: a process for which NtGetContextThread always fails is a
 * clear behavioural anomaly.
 */
NTSTATUS MyNtGetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
    if ( _stricmp((const char*)PsGetProcessImageFileName(PsGetCurrentProcess()),"dnf.exe") )
    {
        return _MyNtGetThreadContext(hThread, pContext);
    }
    /*
    if ( NT_SUCCESS(st) )
    {
        if ( !_stricmp(PsGetProcessImageFileName(PsGetCurrentProcess()),
            "dnf.exe") )
        {
            if ( MmIsAddressValid(pContext) )
            {
                pContext->Dr0 = 0;
                pContext->Dr1 = 0;
                pContext->Dr2 = 0;
                pContext->Dr3 = 0;
                pContext->Dr7 = 0;
                dprintf("clear Drx/n");
            }
        }
    }
    */
    return STATUS_UNSUCCESSFUL;
}
/*
 * SSDT replacement written into slot AddrSet by Save_fn().
 * Callers other than "dnf.exe" are forwarded unchanged. For "dnf.exe" the
 * call is forwarded only when pContext->Dr7 == 0x101; any other context is
 * rejected with STATUS_UNSUCCESSFUL, so that process cannot program the
 * debug registers except with that one value.
 * NOTE(review): pContext is the caller-supplied (user-mode, via the SSDT)
 * pointer and is dereferenced with no ProbeForRead/__try; an invalid pointer
 * here bugchecks the system. MmIsAddressValid was used in the commented code
 * of the Get variant but not here.
 */
NTSTATUS MyNtSetThreadContext(HANDLE hThread, PCONTEXT pContext)
{
    if ( _stricmp((const char*)PsGetProcessImageFileName(PsGetCurrentProcess()),"dnf.exe") )
    {
        return _MyNtSetThreadContext(hThread, pContext);
    }
    //DbgPrint("Dr7:%08X/n", pContext->Dr7);
    if ( pContext->Dr7 == 0x101 )
    {
        return _MyNtSetThreadContext(hThread, pContext);
    }
    return STATUS_UNSUCCESSFUL;
}
/*
 * Invoked from HideProcess_IoControl on IO_REFERENCE_EVENT. Its original role
 * (restoring the shadow SSDT) is the commented-out first half below; the live
 * code does two things:
 *  1. If a module named "TesSafe.sys" is loaded (KernelGetModuleBase, a header
 *     helper), scan forward from base + 0x1590 a byte at a time for the DWORD
 *     0xC0330a03; 10 (decimal) bytes before the match a pointer is read, and
 *     the DWORD at that pointer's target + 4 is set to 0x70 (the author calls
 *     this the "debugport offset"). Scanning then continues for 0x3D80CCCC,
 *     and the DWORD whose address is stored 4 bytes after that match is
 *     zeroed. Both writes land in another driver's memory with write
 *     protection lifted (MemOpen/MemClose).
 *  2. Copy the 7 bytes saved in OldKiAttachBytes back to KiAttachAddr.
 *     Nothing in this file modifies those bytes after Save_fn() copies them,
 *     so unless something else patched them this writes back what is there.
 *
 * NOTE(review):
 *  - Both do/while scans have no upper bound: if the signature is absent the
 *    loop reads past the module until an unmapped page faults (bugcheck).
 *    MmIsAddressValid() is checked only for the base address. The
 *    pre-increment also means base + 0x1590 itself is never tested.
 *  - The `if (*(PDWORD)pBase == ...)` tests after each loop are always true,
 *    since the loops only exit on a match.
 *  - Unlike the other patch sites in this file, step 1 does not raise IRQL
 *    around MemOpen()/MemClose(); if those toggle CR0.WP (per-CPU state), a
 *    context switch in between leaves that state inconsistent.
 *  - The constants (0x1590, 0xC0330a03, 0x3D80CCCC, -10, +4, 0x70) appear to
 *    be tied to one specific build of the target module and are not
 *    validated against it.
 */
void Rstore_fn()
{
    KIRQL Irql;
    PBYTE pBase;
    PDWORD pdebug;
    /*KeAttachProcess(crsEProc);
    //UnHook ZwQuerySystemInformation/
    __try
    {
        MemOpen();
        if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0))
        {
            (NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber]) = g_OriginalNtUserFindWindowEx;
            (NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber] = g_OriginalNtUserQueryWindow;
            (NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber] = g_OriginalNtUserBuildHwndList;
            (NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber] = g_OriginalNtUserGetForegroundWindow;
            (NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber] = g_OriginalNtUserWindowFromPoint;
            (NTUSERGETDC)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDC_callnumber]=g_OriginalNtUserGetDC;
            (NTUSERGETDCEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDCEx_callnumber]=g_OriginalNtUserGetDCEx;
        }
        MemClose();
    }
    __finally
    {
        KeDetachProcess();
        Sleep(50);
    }*/
    // Patch the dnf "dbgport" offset; zero the in-memory value, bc -> 70 (author's description)
    pBase =(PBYTE)KernelGetModuleBase("TesSafe.sys");
    if ( pBase )
    {
        //DbgPrint("module TesSafe.sys found/n");
        if ( MmIsAddressValid(pBase) )// only the base page is validated
        {
            pBase=pBase+0x1590;
            do
            {
                pBase++;          // unbounded forward scan
            }while(*(PDWORD)pBase != 0xC0330a03);
            // signature
            if ( *(PDWORD)pBase == 0xC0330a03 )
            {
                //DbgPrint("debugportfind address %08X",(*(PDWORD)(*(PDWORD)(pBase -10))+0x4));
                pdebug=(PDWORD) (*(PDWORD)(*(PDWORD)(pBase -10))+0x4); // double dereference, -10 is decimal
                //DbgPrint("debugport: address %08X", (ULONG)pdebug);
                MemOpen();
                *pdebug= 0x70;
                MemClose(); // change the debugport offset
            }
            // The author notes the following is not understood, but sits at the start of the routine after the one above
            do
            {
                pBase++;          // second unbounded scan
            }while(*(PDWORD)pBase != 0x3D80CCCC);
            if (*(PDWORD)pBase == 0x3D80CCCC){
                DbgPrint("modify 0x3D80CCCC!/n");
                pdebug=(PDWORD)(*(PDWORD)(pBase +0x4));
                //DbgPrint("debugport: address %08X", (ULONG)pdebug);
                MemOpen(); *pdebug= 0x0;MemClose(); }
        }
    }
    // restore KiAttach
    Irql=KeRaiseIrqlToDpcLevel();
    MemOpen();
    RtlCopyMemory((BYTE *)KiAttachAddr,OldKiAttachBytes,7);
    KeLowerIrql(Irql);
    MemClose();
}
/*
__declspec(naked) NTSTATUS NTAPI Inline_PsCreateSystemThread(//蓝屏
OUT PHANDLE ThreadHandle,
IN ULONG DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN HANDLE ProcessHandle OPTIONAL,
OUT PCLIENT_ID ClientId OPTIONAL,
IN PKSTART_ROUTINE StartRoutine,
IN PVOID StartContext
)
{
KIRQL Irql;
ULONG CMPs;
//11000
__asm
{
pushad
}
g_StartRoutine = (ULONG)StartRoutine;
if( *(PCHAR)(g_StartRoutine-1) == 0xCC )
{
if(*(PCHAR)(g_StartRoutine) == 0xE9 )
{MemOpen();
Irql=KeRaiseIrqlToDpcLevel();
do
{
g_StartRoutine--;
CMPs=*(ULONG *)(g_StartRoutine);
}while(( CMPs!= 0x0187C033)&&(((ULONG)StartRoutine-g_StartRoutine)<0x15a9));
KeLowerIrql(Irql);
MemClose();
if (CMPs == 0x0187C033)
{
MemOpen();
Irql=KeRaiseIrqlToDpcLevel();
*(ULONG *)(*(ULONG *)(*(ULONG *)(g_StartRoutine-0x0C)) + 0x04) = 0x70;
KeLowerIrql(Irql);
MemClose();
}
MemOpen();
Irql=KeRaiseIrqlToDpcLevel();
do
{
g_StartRoutine++;CMPs=*(ULONG *)(g_StartRoutine);
}while(( CMPs!= 0x3D80CCCC));
KeLowerIrql(Irql);
MemClose();
if (CMPs == 0x3D80CCCC)
{
MemOpen();
Irql=KeRaiseIrqlToDpcLevel();
*(ULONG *)(*(ULONG *)(g_StartRoutine+0x04)) = 0;
KeLowerIrql(Irql);
MemClose();
}//ki
Rstore_fn();
}
}
__asm
{
popad
mov edi, edi
push ebp
mov ebp, esp
jmp g_Jmp_PsCreateSystemThread
}
}*/
// Save the original function contents
/*
 * Applies the kernel patches, with write protection lifted (MemOpen/MemClose)
 * at DISPATCH_LEVEL. Expects Init_fn() to have resolved every address.
 *  1. Records the original rel32 of the patched `call ObOpenObjectByPointer`
 *     sites (OldCall*Code) so UnHookCallAndMemory() can put them back; a
 *     pNtOpen* value of 1 is CallAddrHook's "not found" sentinel.
 *  2. Saves the first 7 bytes at KiAttachAddr and of the original
 *     NtRead/NtWriteVirtualMemory entries.
 *  3. Completes the E9 jump templates with rel32 = Old - My - 5, which,
 *     placed at My+7, lands on Old+7.
 *  4. Self-modifies MyNtRead/WriteVirtualMemory: the 7 saved original bytes
 *     at their start, then the 5-byte jump (12 bytes in total).
 *  5. Points the SSDT slots AddrRead/AddrWrite/AddrGet/AddrSet at the four
 *     replacement routines.
 * NOTE(review): step 4 assumes the function symbols resolve to the real code
 * start (not an incremental-link thunk) and that the 7 copied bytes are
 * whole instructions without relative operands; neither is checked. The
 * local `ke` is unused. All of this is x86-32 specific.
 */
void Save_fn()
{// jump over the first 7 bytes
    ULONG ke;
    KIRQL Irql;
    MemOpen();
    Irql=KeRaiseIrqlToDpcLevel();
    // save original function
    if ((ULONG)pNtOpenProcess!=1)// 1 means the call site was not found
    {
        OldCallProcessCode=ObOpenObjectByPointeradd-(ULONG)pNtOpenProcess-5 ; // original rel32 of the CALL
        // DbgPrint("OldNtOpenProcess callTc:%08X/n",OldCallProcessCode);
    }
    if ((ULONG)pNtOpenThread!=1)
    {
        OldCallThreadCode=ObOpenObjectByPointeradd-(ULONG)pNtOpenThread-5 ;
        // DbgPrint("OldNtOpenThread callTc:%08X/n",OldCallThreadCode);
    }
    // RtlCopyMemory(g_PsCreateSystemThread_Head,(BYTE *)(g_PsCreateSystemThread_fn),5);
    RtlCopyMemory(OldKiAttachBytes,(BYTE *)(KiAttachAddr),7);
    RtlCopyMemory(OriginalReadMemBytes,(BYTE *)OldReadMemory,7);
    RtlCopyMemory(OriginalWriteMemBytes,(BYTE *)OldWriteMemory,7);
    *(ULONG *)(JmpAddressReadM+1)=(OldReadMemory)-(ULONG)MyNtReadVirtualMemory-5;   // rel32 from My+7 to Old+7
    *(ULONG *)(JmpAddressWriteM+1)=(OldWriteMemory)-(ULONG)MyNtWriteVirtualMemory-5;
    // g_Jmp_PsCreateSystemThread = g_PsCreateSystemThread_fn + 5;
    //memset((PULONG)OldProcess, 0x90, 10);
    // copy the original 7 bytes into our own functions
    RtlCopyMemory((BYTE *)((ULONG)MyNtReadVirtualMemory),OriginalReadMemBytes,7);
    RtlCopyMemory((BYTE *)((ULONG)MyNtWriteVirtualMemory),OriginalWriteMemBytes,7);
    // after our function's 7th byte, a jump to original+7
    RtlCopyMemory((BYTE *)((ULONG)MyNtReadVirtualMemory+7),JmpAddressReadM,5);
    RtlCopyMemory((BYTE *)((ULONG)MyNtWriteVirtualMemory+7),JmpAddressWriteM,5);
    // hook ssdt
    *(PULONG)AddrRead = (ULONG)MyNtReadVirtualMemory;
    *(PULONG)AddrWrite = (ULONG)MyNtWriteVirtualMemory;
    *((ULONG*)AddrGet) = (ULONG)MyNtGetThreadContext;
    *((ULONG*)AddrSet) = (ULONG)MyNtSetThreadContext;
    /* DbgPrint("g_PsCreateSystemThread_fn callTc:%08X/n",g_PsCreateSystemThread_fn);
    *(UCHAR *)(g_PsCreateSystemThread_fn) = 0xE9;
    *(ULONG *)(g_PsCreateSystemThread_fn + 1) = (ULONG)Inline_PsCreateSystemThread - g_PsCreateSystemThread_fn - 5;*/
    KeLowerIrql(Irql);
    MemClose();
    /* DbgPrint("JmpAddressReadM:%08X/n",(ULONG)JmpAddressReadM+1);
    DbgPrint("JmpAddressWriteM:%08X/n",(ULONG)JmpAddressWriteM+1);
    DbgPrint("MyNtReadVirtualMemory:%08X/n",(ULONG)MyNtReadVirtualMemory);
    DbgPrint("MyNtWriteVirtualMemory:%08X/n",(ULONG)MyNtWriteVirtualMemory);*/
}
/*
 * Restores the four SSDT slots (read/write virtual memory, set/get thread
 * context) to the original entry values captured by Init_fn(). Performed at
 * DISPATCH_LEVEL with write protection lifted, mirroring Save_fn().
 * The self-modified bytes inside MyNtRead/WriteVirtualMemory are left as is;
 * they are no longer reachable once the slots are restored.
 */
VOID UnSSDTNtMemory()
{
    KIRQL Irql;
    MemOpen();
    Irql=KeRaiseIrqlToDpcLevel();
    // restore the SSDT
    *(PULONG)AddrRead = OldReadMemory;
    *(PULONG)AddrWrite = OldWriteMemory;
    *((ULONG*)AddrSet) = (ULONG)g_NtSetThreadContext;// restore SSDT (an older version stored *(ULONG*)g_NtSetThreadContext here)
    *((ULONG*)AddrGet) = (ULONG)g_NtGetThreadContext;
    /*
    *(ULONG *)(g_PsCreateSystemThread_fn) = *(ULONG *)g_PsCreateSystemThread_Head;
    *(UCHAR *)(g_PsCreateSystemThread_fn + 0x04) = g_PsCreateSystemThread_Head[4];*/
    KeLowerIrql(Irql);
    MemClose();
}
/*
 * Undoes everything Save_fn() installed: puts the original rel32 back into
 * the patched CALL sites inside NtOpenThread/NtOpenProcess (skipped when
 * CallAddrHook() returned the sentinel 1), then restores the SSDT slots via
 * UnSSDTNtMemory(). Called from UnloadDriver.
 */
VOID UnHookCallAndMemory()
{
    KIRQL Irql;
    if ((ULONG)pNtOpenThread!=1)
    {
        MemOpen();
        Irql=KeRaiseIrqlToDpcLevel();
        *(PULONG)(pNtOpenThread+1)=OldCallThreadCode;// write the original displacement back over the CALL rel32
        KeLowerIrql(Irql);
        MemClose();
    }
    if ((ULONG)pNtOpenProcess!=1)
    {
        MemOpen();
        Irql=KeRaiseIrqlToDpcLevel();
        *(PULONG)(pNtOpenProcess+1)=OldCallProcessCode;
        KeLowerIrql(Irql);
        MemClose();
    }
    UnSSDTNtMemory();
    DbgPrint("Unhooked!/n");
}
// Initialise addresses
/*
 * Resolves every address the patches need, then calls Save_fn() to apply
 * them. Called from DriverEntry, i.e. unconditionally at load.
 *  - ObOpenObjectByPointer / NtOpenThread / NtOpenProcess via GetFuncAddr
 *    (header helper). CallAddrHook() then rewrites the first
 *    `call ObOpenObjectByPointer` within 600 bytes of each Nt* entry to the
 *    MyObOpenObjectByPointer_for* detours; the patched call site (or the
 *    sentinel 1) is kept in pNtOpenThread/pNtOpenProcess.
 *  - The SSDT slots for ZwRead/ZwWriteVirtualMemory are located by name via
 *    GetFunctionIndex (header helper); the original entries go to
 *    OldReadMemory/OldWriteMemory.
 *  - The Set/GetThreadContext slots, by contrast, are hard-coded indices 0xD5
 *    and 0x55 (the author's commented DbgPrint names AddrSet as
 *    ZwSetThreadContext). These are build-specific and no OS-version check
 *    precedes their use, so on another build different services would be
 *    replaced.
 *  - KiAttachAddr: from KeAttachProcess, advance to the first byte equal to
 *    0xE8 and decode it as a rel32 CALL. The first 0xE8 byte need not be an
 *    opcode (it may be part of an operand), so the result is unverified.
 * The local uniPsLookup is unused.
 */
VOID Init_fn()
{
    UNICODE_STRING uniPsLookup;
    ObOpenObjectByPointeradd = GetFuncAddr(L"ObOpenObjectByPointer");
    OldThread = GetFuncAddr(L"NtOpenThread");
    OldProcess = GetFuncAddr(L"NtOpenProcess");
    // DbgPrint("NtOpenProcess:%08X/n",OldProcess);
    // DbgPrint("ObOpenObjectByPointeradd:%08X/n",ObOpenObjectByPointeradd);
    //DbgPrint("MyObOpenObjectByPointer_forThread:%08X/n",MyObOpenObjectByPointer_forThread);
    // HOOK call ObOpenObjectByPointer
    pNtOpenThread= CallAddrHook(OldThread,ObOpenObjectByPointeradd,600,MyObOpenObjectByPointer_forThread);
    pNtOpenProcess=CallAddrHook(OldProcess,ObOpenObjectByPointeradd,600,MyObOpenObjectByPointer_forProcess);
    AddrRead = (ULONG)KeServiceDescriptorTable->ServiceTableBase +GetFunctionIndex("ZwReadVirtualMemory") * 4;  // slot address = base + index*4
    AddrWrite = (ULONG)KeServiceDescriptorTable->ServiceTableBase + GetFunctionIndex("ZwWriteVirtualMemory") * 4;
    OldReadMemory = *(PULONG)AddrRead;
    OldWriteMemory = *(PULONG)AddrWrite;
    AddrSet = (ULONG)KeServiceDescriptorTable->ServiceTableBase+0xD5 * 4;  // hard-coded index, not looked up by name
    AddrGet = (ULONG)KeServiceDescriptorTable->ServiceTableBase+0x55 * 4;  // hard-coded index, not looked up by name
    g_NtGetThreadContext = *(ULONG*)AddrGet ;
    g_NtSetThreadContext = *(ULONG*)AddrSet ;
    //DbgPrint("ZwSetThreadContext:%08X/n",(ULONG)AddrSet);
    //g_PsCreateSystemThread_fn = GetFuncAddr(L"PsCreateSystemThread");
    // DbgPrint("NtOpenThread call:%08X/n",(ULONG)pNtOpenThread);
    // DbgPrint("NtOpenProcess call:%08X/n",(ULONG)pNtOpenProcess);
    // save the original CALL address
    KiAttachAddr=GetFuncAddr(L"KeAttachProcess");
    do
    {
        // locate KiAttachProcess: first 0xE8 byte after KeAttachProcess
        KiAttachAddr++;
    }while(*(UCHAR *)(KiAttachAddr) != 0xE8);
    KiAttachAddr=*(ULONG *)(KiAttachAddr+1) + KiAttachAddr + 5;  // resolve rel32 -> absolute target
    Save_fn();
}
//--------------------------------------------------------------------//
// Determine the service numbers of the relevant functions from the OS version
/*
 * Fills the shadow-SSDT service numbers from a hard-coded table keyed on the
 * OS version reported by PsGetVersion(). Any other version leaves every
 * number at 0.
 * NOTE(review): only the XP branch sets NtUserGetDC/NtUserGetDCEx; on 2003
 * and 2000 they stay 0, and hookShadowSSDT() does not test those two before
 * indexing, so there it would overwrite entry 0 of the shadow table. The only
 * call site (in DriverEntry) is commented out.
 */
VOID InitCallNumber()
{
    ULONG majorVersion, minorVersion;
    PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );
    if ( majorVersion == 5 && minorVersion == 2 )
    {
        DbgPrint("comint32: Running on Windows 2003/n");
        NtUserFindWindowEx_callnumber = 0x179;
        NtUserGetForegroundWindow_callnumber = 0x193;
        NtUserBuildHwndList_callnumber = 0x137;
        NtUserQueryWindow_callnumber = 0x1E1;
        NtUserWindowFromPoint_callnumber = 0x24C;
        // NtUserGetDC / NtUserGetDCEx numbers are not set here
    }
    else if ( majorVersion == 5 && minorVersion == 1 )
    {
        DbgPrint("comint32: Running on Windows XP/n");
        NtUserFindWindowEx_callnumber = 0x17A;
        NtUserGetForegroundWindow_callnumber = 0x194;
        NtUserBuildHwndList_callnumber = 0x138;
        NtUserQueryWindow_callnumber = 0x1E3;
        NtUserWindowFromPoint_callnumber = 0x250;
        NtUserGetDC_callnumber =401;     // decimal, unlike the others
        NtUserGetDCEx_callnumber =402;
    }
    else if ( majorVersion == 5 && minorVersion == 0 )
    {
        DbgPrint("comint32: Running on Windows 2000/n");
        NtUserFindWindowEx_callnumber = 0x170;
        NtUserGetForegroundWindow_callnumber = 0x189;
        NtUserBuildHwndList_callnumber = 0x12E;
        NtUserQueryWindow_callnumber = 0x1D2;
        NtUserWindowFromPoint_callnumber = 0x238;
        // NtUserGetDC / NtUserGetDCEx numbers are not set here
    }
}
/*
 * Writes the MyNtUser* replacements into the shadow SSDT
 * (KeServiceDescriptorTableShadow[1]) after attaching to crsEProc so the
 * win32k table is mapped. Guarded on the table pointer and four of the seven
 * service numbers being non-zero; WindowFromPoint, GetDC and GetDCEx are
 * written unconditionally inside the guard.
 * NOTE(review):
 *  - Not called anywhere in this file: DriverEntry leaves InitCallNumber()
 *    commented out and the IOCTL path calls Rstore_fn() instead.
 *  - crsEProc is only assigned in UnloadDriver (the DriverEntry code that set
 *    it is commented out), so as it stands the attach would use a NULL
 *    process.
 *  - g_Original* are never assigned by live code, so the installed hooks
 *    would forward to NULL.
 *  - The KdPrint text mentions ZwQuerySystemInformation — a leftover.
 */
VOID hookShadowSSDT()
{
    KeAttachProcess(crsEProc);// attach to csrss.exe
    __try
    {
        MemOpen();
        if ((KeServiceDescriptorTableShadow!=NULL) && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0))
        {
            (NTUSERFINDWINDOWEX)(KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber]) = MyNtUserFindWindowEx;
            (NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber] = MyNtUserQueryWindow;
            (NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber] = MyNtUserBuildHwndList;
            (NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber] = MyNtUserGetForegroundWindow;
            (NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber] = MyNtUserWindowFromPoint;   // number not checked by the guard
            (NTUSERGETDC)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDC_callnumber] = MyNtUserGetDC;                               // number not checked by the guard
            (NTUSERGETDCEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDCEx_callnumber] = MyNtUserGetDCEx;                         // number not checked by the guard
        }
        MemClose();
    }
    __finally
    {
        KeDetachProcess();
    }
    KdPrint(("Hook ZwQuerySystemInformation'status is Succeessfully "));
}
/*
 * DriverUnload routine (set in DriverEntry). Looks up the csrss process
 * (GetCsrPid, header helper) into crsEProc, waits (Sleep, header helper),
 * removes the NtOpenProcess/NtOpenThread call patches and the SSDT entries
 * via UnHookCallAndMemory(), then deletes the symbolic link and the device.
 * NOTE(review):
 *  - If PsLookupProcessByProcessId fails the routine returns early WITHOUT
 *    unhooking or deleting the device, so the SSDT and call patches keep
 *    pointing into an image that is about to be unloaded.
 *  - The EPROCESS reference taken by PsLookupProcessByProcessId is never
 *    released (no ObDereferenceObject), and crsEProc is not otherwise used on
 *    this path (the shadow-SSDT unhook that needed it is commented out).
 *  - ASSERT() dereferences deviceObject before the NULL check that follows.
 *  - The locals uniWin32NameString and LinkNameString are unused.
 */
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING uniWin32NameString;
    UNICODE_STRING LinkNameString;
    PDEVICE_OBJECT deviceObject;
    NTSTATUS status;
    status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);
    if (!NT_SUCCESS( status ))
    {
        DbgPrint("PsLookupProcessByProcessId() error/n");
        return ;   // hooks and device are left in place
    }
    //unhookShadowSSDT();
    Sleep(50);
    // restore the call patches and the memory read/write SSDT entries
    UnHookCallAndMemory();
    deviceObject= DriverObject->DeviceObject;
    IoDeleteSymbolicLink(&LinkDeviceNameString);
    ASSERT(!deviceObject->AttachedDevice);
    if ( deviceObject != NULL )
    {
        IoDeleteDevice( deviceObject );
    }
}
/*
 * Driver entry point. Creates the control device (name from
 * HIDE_PROCESS_WIN32_DEV_NAME) and its symbolic link
 * (HIDE_PROCESS_DEV_NAME), installs the IRP dispatch routines and the unload
 * handler, then calls Init_fn(), which applies every kernel patch
 * unconditionally. The shadow-SSDT setup (InitCallNumber, saving the
 * g_Original* entries, attaching to csrss) is all commented out.
 * Returns the status of device/link creation.
 * NOTE(review):
 *  - The device is created with IoCreateDevice and no security descriptor,
 *    so any local user who can open the link can issue the IOCTLs handled in
 *    HideProcess_IoControl, including IO_REFERENCE_EVENT, which patches
 *    another driver's memory. The control interface is unauthenticated.
 *  - FILE_DEVICE_DISK_FILE_SYSTEM is an unusual device type for a control
 *    device.
 *  - RegistryPath is unused.
 */
NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    PDEVICE_OBJECT deviceObject;
    RtlInitUnicodeString( &DeviceNameString, HIDE_PROCESS_WIN32_DEV_NAME );
    RtlInitUnicodeString( &LinkDeviceNameString,HIDE_PROCESS_DEV_NAME );
    KdPrint(("DriverEntry Enter............................/n"));
    status = IoCreateDevice(
        DriverObject,
        0,
        &DeviceNameString,
        FILE_DEVICE_DISK_FILE_SYSTEM,
        FILE_DEVICE_SECURE_OPEN,
        FALSE,
        & deviceObject );
    if (!NT_SUCCESS( status ))
    {
        KdPrint(( "DriverEntry: Error creating control device object, status=%08x/n", status ));
        return status;
    }
    status = IoCreateSymbolicLink(
        (PUNICODE_STRING) &LinkDeviceNameString,
        (PUNICODE_STRING) &DeviceNameString
        );
    if (!NT_SUCCESS(status))
    {
        IoDeleteDevice(deviceObject);
        return status;
    }
    // obtain the shadow table address
    // getShadowTable();
    // obtain the per-OS service numbers
    // InitCallNumber();
    DriverObject->MajorFunction[IRP_MJ_CREATE] = HideProcess_Create;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = HideProcess_Close;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = HideProcess_IoControl;
    DriverObject->DriverUnload=UnloadDriver;
    /*// obtain csrss.exe
    status = PsLookupProcessByProcessId((ULONG)GetCsrPid(), &crsEProc);
    if (!NT_SUCCESS( status ))
    {
        DbgPrint("PsLookupProcessByProcessId() error/n");
        return status;
    }
    KeAttachProcess(crsEProc);// attach to csrss.exe
    __try
    {// save the original shadow SSDT entries
        if ((KeServiceDescriptorTableShadow!=NULL) /
            && (NtUserFindWindowEx_callnumber!=0) && (NtUserGetForegroundWindow_callnumber!=0) /
            && (NtUserBuildHwndList_callnumber!=0) && (NtUserQueryWindow_callnumber!=0) /
            && (NtUserWindowFromPoint_callnumber!=0)
            &&(NtUserGetDC_callnumber)!=0 )
        {
            g_OriginalNtUserGetDCEx= (NTUSERGETDCEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDCEx_callnumber];
            g_OriginalNtUserGetDC= (NTUSERGETDC)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetDC_callnumber];
            g_OriginalNtUserFindWindowEx = (NTUSERFINDWINDOWEX)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserFindWindowEx_callnumber];
            g_OriginalNtUserQueryWindow=(NTUSERQUERYWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserQueryWindow_callnumber];
            g_OriginalNtUserBuildHwndList=(NTUSERBUILDHWNDLIST)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserBuildHwndList_callnumber];
            g_OriginalNtUserGetForegroundWindow=(NTUSERGETFOREGROUNDWINDOW)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserGetForegroundWindow_callnumber];
            g_OriginalNtUserWindowFromPoint = (NTUSERWINDOWFROMPOINT)KeServiceDescriptorTableShadow[1].ServiceTableBase[NtUserWindowFromPoint_callnumber];
        }
        else
            KeServiceDescriptorTableShadow=NULL;
    }
    __finally
    {
        KeDetachProcess();
    } */
    // HOOK the CALL sites and the two memory functions' SSDT entries (+7-byte trampolines)
    Init_fn();
    return status ;
}
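/*
 * IRP_MJ_CREATE dispatch: every open of the control device succeeds.
 * Completes the IRP with STATUS_SUCCESS / 0 bytes and returns that status.
 * The status is cached in a local because the IRP must not be touched after
 * IoCompleteRequest (the original read Irp->IoStatus.Status afterwards).
 */
NTSTATUS HideProcess_Create(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;
    (void)DeviceObject;
    DbgPrint("HideProcess_Create/n");
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}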
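/*
 * IRP_MJ_CLOSE dispatch: completes the IRP with STATUS_SUCCESS / 0 bytes and
 * returns that status. As in HideProcess_Create, the status is cached so the
 * IRP is not read after IoCompleteRequest.
 */
NTSTATUS HideProcess_Close(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    const NTSTATUS status = STATUS_SUCCESS;
    (void)DeviceObject;
    DbgPrint("HideProcess_Close/n");
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}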
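/*
 * IRP_MJ_DEVICE_CONTROL dispatch for the control device.
 *  IO_PROTECT            — stores the Type3InputBuffer pointer VALUE itself as
 *                          the PID to protect (METHOD_NEITHER style); nothing
 *                          validates it.
 *  IO_REFERENCE_EVENT    — runs Rstore_fn() (patches TesSafe.sys, restores
 *                          KiAttach bytes).
 *  IO_DEREFERENCE_EVENT  — no-op (shadow-SSDT unhook commented out).
 * Every request, including unknown codes, completes with STATUS_SUCCESS and
 * 0 bytes of output. No caller check is made, so any opener of the device
 * can trigger the kernel patching.
 * Change from the original: the unused locals (hEvent, objHandleInfo,
 * inputBuffer, dd) and the dead reads of the input/output lengths are gone;
 * behaviour is unchanged.
 */
NTSTATUS HideProcess_IoControl(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION irpStack = IoGetCurrentIrpStackLocation(Irp);
    ULONG controlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
    (void)DeviceObject;
    DbgPrint("IN CONTROL/r/n");
    switch(controlCode)
    {
    case IO_PROTECT:
        // the PID travels as the raw pointer value, not as buffer contents
        ProcessIdToProtect = (HANDLE)irpStack->Parameters.DeviceIoControl.Type3InputBuffer;
        DbgPrint("IO_PROTECT:%d", ProcessIdToProtect);
        break;
    case IO_REFERENCE_EVENT:
        Rstore_fn();//hookShadowSSDT();
        break;
    case IO_DEREFERENCE_EVENT:
        //unhookShadowSSDT();
        break;
    default:
        break;
    }
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}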
/*
 * Shadow-SSDT replacement for NtUserFindWindowEx (only active if
 * hookShadowSSDT() runs, which the live code does not do).
 * Calls the original first, then — for any caller other than
 * ProcessIdToProtect — asks g_OriginalNtUserQueryWindow(result, 0) for the
 * owner PID of the found window and returns 0 ("not found") when it is the
 * protected process. The protected process itself, and anyone else's
 * windows, get the real result.
 * NOTE(review): the return value is held in a ULONG and used as a window
 * handle even though the typedef says NTSTATUS. g_Original* are never
 * assigned by live code in this file. The DbgPrint runs on every call from
 * every process.
 */
NTSTATUS MyNtUserFindWindowEx(
    IN HWND hwndParent,
    IN HWND hwndChild,
    IN PUNICODE_STRING pstrClassName OPTIONAL,
    IN PUNICODE_STRING pstrWindowName OPTIONAL,
    IN DWORD dwType)
{
    ULONG result;
    result = g_OriginalNtUserFindWindowEx(hwndParent, hwndChild, pstrClassName, pstrWindowName, dwType);
    if (PsGetCurrentProcessId()!=ProcessIdToProtect)
    {
        ULONG ProcessID;
        ProcessID = g_OriginalNtUserQueryWindow(result, 0); // owner PID of the found window
        DbgPrint("ProcessID:%d", ProcessID);
        if (ProcessID==(ULONG)ProcessIdToProtect)
            return 0;   // hide it
    }
    return result;
}
/*
 * Shadow-SSDT replacement for NtUserBuildHwndList (active only if
 * hookShadowSSDT() runs). For callers other than ProcessIdToProtect:
 *  - with fEnumChildren == 1, if hwndNext is owned by the protected process
 *    the call fails with STATUS_UNSUCCESSFUL before reaching the original;
 *  - otherwise the original fills the list and, on STATUS_SUCCESS, each
 *    handle whose owner PID (g_OriginalNtUserQueryWindow(h, 0)) equals the
 *    protected PID is removed by shifting the tail down one slot, zeroing the
 *    last slot and decrementing *pcHwndNeeded.
 * The protected process itself gets the unfiltered list.
 * NOTE(review): phwndFirst / pcHwndNeeded are caller-supplied OUT buffers
 * (user-mode when reached via the shadow SSDT) and are dereferenced with no
 * probing or __try. The compaction is quadratic in the number of removed
 * handles. g_Original* are never assigned by live code in this file.
 */
NTSTATUS MyNtUserBuildHwndList(IN HDESK hdesk, IN HWND hwndNext, IN ULONG fEnumChildren, IN DWORD idThread, IN UINT cHwndMax, OUT HWND *phwndFirst, OUT ULONG* pcHwndNeeded)
{
    NTSTATUS result;
    if (PsGetCurrentProcessId()!=ProcessIdToProtect)
    {
        ULONG ProcessID;
        if (fEnumChildren==1)
        {
            ProcessID = g_OriginalNtUserQueryWindow((ULONG)hwndNext, 0);
            if (ProcessID==(ULONG)ProcessIdToProtect)
                return STATUS_UNSUCCESSFUL;
        }
        result = g_OriginalNtUserBuildHwndList(hdesk,hwndNext,fEnumChildren,idThread,cHwndMax,phwndFirst,pcHwndNeeded);
        if (result==STATUS_SUCCESS)
        {
            ULONG i=0;
            ULONG j;
            while (i<*pcHwndNeeded)
            {
                ProcessID=g_OriginalNtUserQueryWindow((ULONG)phwndFirst[i],0);
                if (ProcessID==(ULONG)ProcessIdToProtect)
                {
                    // drop entry i: shift the tail down, clear the last slot, shrink the count
                    for (j=i; j<(*pcHwndNeeded)-1; j++)
                        phwndFirst[j]=phwndFirst[j+1];
                    phwndFirst[*pcHwndNeeded-1]=0;
                    (*pcHwndNeeded)--;
                    continue;   // re-examine index i, which now holds the next handle
                }
                i++;
            }
        }
        return result;
    }
    return g_OriginalNtUserBuildHwndList(hdesk,hwndNext,fEnumChildren,idThread,cHwndMax,phwndFirst,pcHwndNeeded);
}
/*
 * Shadow-SSDT replacement for NtUserGetForegroundWindow (active only if
 * hookShadowSSDT() runs). For callers other than ProcessIdToProtect, if the
 * real foreground window belongs to the protected process the previously
 * seen foreground window (LastForegroundWindow) is reported instead;
 * otherwise the real value is returned and remembered. LastForegroundWindow
 * is a zero-initialised global, so the first such substitution yields 0.
 * The protected process always gets the real value.
 */
ULONG MyNtUserGetForegroundWindow(VOID)
{
    ULONG result;
    result= g_OriginalNtUserGetForegroundWindow();
    if (PsGetCurrentProcessId()!=ProcessIdToProtect)
    {
        ULONG ProcessID;
        ProcessID=g_OriginalNtUserQueryWindow(result, 0);  // owner PID
        if (ProcessID == (ULONG)ProcessIdToProtect)
            result=LastForegroundWindow;                   // substitute the last non-protected one
        else
            LastForegroundWindow=result;
    }
    return result;
}
/*
 * Shadow-SSDT replacement for NtUserQueryWindow (active only if
 * hookShadowSSDT() runs). For callers other than ProcessIdToProtect, any
 * query about a window owned by the protected process (owner looked up with
 * TypeInformation 0) returns 0 regardless of TypeInformation; everything
 * else is forwarded to the original. Each filtered call costs two trips to
 * the original.
 */
UINT_PTR MyNtUserQueryWindow(IN ULONG WindowHandle,IN ULONG TypeInformation)
{
    ULONG WindowHandleProcessID;
    if (PsGetCurrentProcessId()!=ProcessIdToProtect)
    {
        WindowHandleProcessID = g_OriginalNtUserQueryWindow(WindowHandle,0);
        if (WindowHandleProcessID==(ULONG)ProcessIdToProtect)
            return 0;
    }
    return g_OriginalNtUserQueryWindow(WindowHandle,TypeInformation);
}
/*
 * Shadow-SSDT replacement for NtUserWindowFromPoint: ignores the point and
 * reports that no window is there, for every caller (the original is never
 * consulted).
 */
HWND MyNtUserWindowFromPoint(LONG x, LONG y)
{
    (void)x;
    (void)y;
    return (HWND)0;
}
/*
 * Shadow-SSDT replacement for NtUserGetDC: every caller receives a NULL DC;
 * the original is never consulted.
 */
HDC MyNtUserGetDC(HWND hWnd)
{
    HDC none = NULL;
    (void)hWnd;
    return none;
}
/*
 * Shadow-SSDT replacement for NtUserGetDCEx: every caller receives a NULL DC
 * regardless of window, clip region or flags; the original is never consulted.
 */
HDC MyNtUserGetDCEx(HWND hWnd OPTIONAL, HANDLE ClipRegion, ULONG Flags)
{
    HDC none = NULL;
    (void)hWnd;
    (void)ClipRegion;
    (void)Flags;
    return none;
}