写的Object Hook原始地址查找通用性似乎还可以
2009-02-15 11:46
如题。
关于 SecurityProcedure:
部分 ObjectType 在创建时没有提供 SecurityProcedure,因此在映射的内核映像中查找不到它;但是 ObCreateObjectType 在发现传入的 SecurityProcedure 为 NULL 时会自行将其设置为 SeDefaultObjectMethod,这导致查找结果为 NULL 而运行时的实际值不为 NULL。也就是说,在比对原始地址时,查找结果中的 NULL 应当视作 SeDefaultObjectMethod,否则会把未被 Hook 的 SecurityProcedure 误判为已被修改。
试图加载 ntkrnlpa.exe. 成功加载 ntkrnlpa.exe. 成功创建 Section. 成功映射 Section 于 7FD90000 长度 2150400 , 状态号 1073741827 . 开始查找 Object Procedure. 开始查找 Process. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004FACDC DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00000000 QueryNameProcedure: 00000000 SecurityProcedure: 00000000 开始查找 Thread. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004FAE64 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00000000 QueryNameProcedure: 00000000 SecurityProcedure: 00000000 开始查找 KeyObject. OpenProcedure: 00000000 CloseProcedure: 0056006E DeleteProcedure: 0055FF54 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00557F1C QueryNameProcedure: 0055EDEE SecurityProcedure: 0055FDB8 开始查找 File. OpenProcedure: 00000000 CloseProcedure: 004AC6E8 DeleteProcedure: 004AC9C6 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 004AC5D6 QueryNameProcedure: 004AB680 SecurityProcedure: 004ACD4A 开始查找 Driver. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004AC62E DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00000000 QueryNameProcedure: 00000000 SecurityProcedure: 00000000 开始查找 Device. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004AC6A8 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 004AB7E8 QueryNameProcedure: 00000000 SecurityProcedure: 004ACD4A 查找 Object Procedure 完成. 退出.
lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsProcessType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0 '' +0x003 CaseInsensitive : 0 '' +0x004 InvalidAttributes : 0xb0 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f0fff +0x01c SecurityRequired : 0x1 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0x1000 +0x028 DefaultNonPagedPoolCharge : 0x290 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x805d2cdc void nt!PspProcessDelete+0 +0x03c ParseProcedure : (null) +0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsThreadType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0 '' +0x003 CaseInsensitive : 0 '' +0x004 InvalidAttributes : 0xb0 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f03ff +0x01c SecurityRequired : 0x1 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0 +0x028 DefaultNonPagedPoolCharge : 0x288 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x805d2e64 void nt!PspThreadDelete+0 +0x03c ParseProcedure : (null) +0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(CmpKeyObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0x1 '' +0x003 CaseInsensitive : 0 '' +0x004 InvalidAttributes : 0x30 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f003f +0x01c SecurityRequired : 0x1 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 
'' +0x020 PoolType : 1 ( PagedPool ) +0x024 DefaultPagedPoolCharge : 0x74 +0x028 DefaultNonPagedPoolCharge : 0 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : 0x8063806e void nt!CmpCloseKeyObject+0 +0x038 DeleteProcedure : 0x80637f54 void nt!CmpDeleteKeyObject+0 +0x03c ParseProcedure : 0x8062ff1c long nt!CmpParseKey+0 +0x040 SecurityProcedure : 0x80637db8 long nt!CmpSecurityMethod+0 +0x044 QueryNameProcedure : 0x80636dee long nt!CmpQueryKeyName+0 +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoFileObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0 '' +0x003 CaseInsensitive : 0x1 '' +0x004 InvalidAttributes : 0x130 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f01ff +0x01c SecurityRequired : 0 '' +0x01d MaintainHandleCount : 0x1 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0x400 +0x028 DefaultNonPagedPoolCharge : 0xe8 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : 0x805846e8 void nt!IopCloseFile+0 +0x038 DeleteProcedure : 0x805849c6 void nt!IopDeleteFile+0 +0x03c ParseProcedure : 0x805845d6 long nt!IopParseFile+0 +0x040 SecurityProcedure : 0x80584d4a long nt!IopGetSetSecurityObject+0 +0x044 QueryNameProcedure : 0x80583680 long nt!IopQueryName+0 +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDriverObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0x1 '' +0x003 CaseInsensitive : 0x1 '' +0x004 InvalidAttributes : 0x100 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f01ff +0x01c SecurityRequired : 0 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0 +0x028 DefaultNonPagedPoolCharge : 0xd8 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : 
(null) +0x038 DeleteProcedure : 0x8058462e void nt!IopDeleteDriver+0 +0x03c ParseProcedure : (null) +0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDeviceObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0x1 '' +0x003 CaseInsensitive : 0x1 '' +0x004 InvalidAttributes : 0x100 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f01ff +0x01c SecurityRequired : 0 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0 +0x028 DefaultNonPagedPoolCharge : 0xe8 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x805846a8 void nt!IopDeleteDevice+0 +0x03c ParseProcedure : 0x805837e8 long nt!IopParseDevice+0 +0x040 SecurityProcedure : 0x80584d4a long nt!IopGetSetSecurityObject+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null)