那个时候刚接触ObjectHook
我对进程对象下的OpenProcedure进行HOOK来保护程序
OBJECT_TYPE->OBJECT_TYPE_INITIALIZER ->OpenProcedure
帖子发在了看雪
http://bbs.pediy.com/showthread.php?t=203767
那个时候理解错了: 应该是rsp+28h, 我除以8得到5, 再加上4个寄存器, 一共算成了9个参数
那天写完测试后没有蓝屏,就放下了
前几天,我给学校弄教学程序保护的时候用了此方法,
发现蓝屏了,于是回来看了看
才发现自己SB了
这个OpenProcedure例程的参数就是5个(IDA解析是5个)(但符号解析工具是6个)
IDA解析:
// IDA decompiler prototype: five parameters (a1..a5). Compare with the six-parameter
// symbol-tool typedef quoted below; the two disagree on the trailing ULONG32.
signed __int64 __fastcall PspProcessOpen(__int64 a1, char a2, __int64 a3, __int64 a4, __int64 a5)
符号解析
// Symbol-tool view of the OpenProcedure signature: six parameters. The IDA decompile above
// shows only five; the trailing ULONG32 is the one it omits. The UINT64 parameters carry
// pointer values (EPROCESS*, VOID*, ULONG32*) according to the tool's inline comments.
typedef LONG32 (NEAR CDECL FUNCT_005B_0FC1_OpenProcedure) (enum _OB_OPEN_REASON, CHAR, UINT64 /*struct _EPROCESS**/, UINT64 /*VOID**/, UINT64 /*ULONG32**/, ULONG32);
// Value passed as the first OpenProcedure argument (see the typedef above): the reason the
// handle is being obtained. Per the symbol tool: 5 elements, 4 bytes. Beyond what each
// name says, the semantics of the individual values are not established on this page;
// ObMaxOpenReason looks like an upper bound rather than a real reason — confirm before use.
typedef enum _OB_OPEN_REASON // 5 elements, 0x4 bytes
{
ObCreateHandle = 0 /*0x0*/,
ObOpenHandle = 1 /*0x1*/,
ObDuplicateHandle = 2 /*0x2*/,
ObInheritHandle = 3 /*0x3*/,
ObMaxOpenReason = 4 /*0x4*/
}OB_OPEN_REASON, *POB_OPEN_REASON;
保险起见,我使用了6个参数进行HOOK
代码如下:
代码有很多不严谨的地方,我是测试写的,如果需要应用到真正的软件中,请务必严谨一些
strstr是很危险的,况且很多时候不是靠判断文件名;Hook的时候请使用安全的hook方式,否则有一定几率蓝屏,最好使用原子操作
#include "ntifs.h"
/* Hook-side prototype for the process OBJECT_TYPE OpenProcedure. Declared with the six
 * parameters of the symbol-tool signature (the trailing ULONG32 is the one the IDA
 * decompile does not show). The names for the third and fourth parameters follow the
 * symbol-tool comments (EPROCESS*, VOID*); which of them is the opening process and which
 * the object being opened is not established by this file — confirm against the kernel. */
typedef LONG32 (*PSPPROCESSOPEN) (__int64 a1, CHAR a2, UINT64 eprocess/*struct _EPROCESS**/, UINT64 tagEprocess/*VOID**/, UINT64 a5 /*ULONG32**/, ULONG32 a6);
/* Original OpenProcedure saved by SetObjectHook(); NULL until the hook is installed.
 * MyPspProcessOpen() chains to it and ResObjectHook() writes it back on unload. */
PSPPROCESSOPEN g_org_pspopenprocess = NULL;
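/* Where the original code reads the image name inside each EPROCESS (0x2e0 is this
 * author's build-specific offset — TODO confirm per target kernel) and how many bytes
 * may be compared there. The field is assumed to be a short fixed-size array that is not
 * guaranteed to be NUL-terminated, so scanning it with strstr() can run past it. */
enum { PSP_IMAGE_NAME_OFFSET = 0x2e0, PSP_IMAGE_NAME_MAX = 15 };

/* Bounded, exact comparison of the image name stored in `process` against `name`.
 * Reads at most PSP_IMAGE_NAME_MAX bytes and stops at the first NUL of either side, so it
 * neither overruns the field nor matches on a substring the way strstr() did
 * ("haha.exe" no longer matches "xhaha.exe"). Returns 1 on match, 0 otherwise. */
static int PspImageNameEquals(UINT64 process, const char *name)
{
    const char *image = (const char *)process + PSP_IMAGE_NAME_OFFSET;
    size_t i;

    for (i = 0; i < PSP_IMAGE_NAME_MAX; i++) {
        if (name[i] == '\0') {
            return image[i] == '\0';
        }
        if (image[i] != name[i]) {
            return 0;
        }
    }
    /* All PSP_IMAGE_NAME_MAX bytes matched; equal only if `name` ends here as well. */
    return name[i] == '\0';
}

/* Replacement OpenProcedure for the process object type.
 * Behaviour kept from the original: when the object being opened is "haha.exe", only a
 * short allow-list of opener images (explorer.exe, csrss.exe, System, svchost.exe) is
 * passed through to the saved routine; any other opener is logged and refused with
 * STATUS_UNSUCCESSFUL. Every other open is passed straight through. If no original
 * routine was saved, the open is reported as STATUS_SUCCESS, as before.
 * Changed from the original: names are compared exactly and within a bounded length
 * instead of by unbounded substring search, and the log line bounds its reads too.
 * Parameters follow the six-argument symbol-tool signature; only `eprocess` (presumed
 * opener) and `tagEprocss` (presumed target) are inspected here — TODO confirm roles. */
NTSTATUS MyPspProcessOpen(__int64 a1, char a2, UINT64 eprocess, UINT64 tagEprocss, UINT64 a5,ULONG32 a6)
{
    static const char *const allowed_openers[] = {
        "explorer.exe", "csrss.exe", "System", "svchost.exe"
    };

    if (PspImageNameEquals(tagEprocss, "haha.exe")) {
        size_t k;

        for (k = 0; k < sizeof allowed_openers / sizeof allowed_openers[0]; k++) {
            if (PspImageNameEquals(eprocess, allowed_openers[k])) {
                return g_org_pspopenprocess
                    ? g_org_pspopenprocess(a1, a2, eprocess, tagEprocss, a5, a6)
                    : STATUS_SUCCESS;
            }
        }
        /* %.15s: the name field is not guaranteed NUL-terminated, so bound the read. */
        DbgPrint("%.15s OpenProcess %.15s\n",
                 (const char *)eprocess + PSP_IMAGE_NAME_OFFSET,
                 (const char *)tagEprocss + PSP_IMAGE_NAME_OFFSET);
        return STATUS_UNSUCCESSFUL;
    }

    return g_org_pspopenprocess
        ? g_org_pspopenprocess(a1, a2, eprocess, tagEprocss, a5, a6)
        : STATUS_SUCCESS;
}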
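/* Install MyPspProcessOpen as the process OBJECT_TYPE's OpenProcedure and save whatever
 * routine was there into g_org_pspopenprocess. 0x78 is this author's build-specific
 * offset of the OpenProcedure slot inside OBJECT_TYPE — TODO confirm per target kernel.
 * Guarded against a second call: without the check a second call would save
 * MyPspProcessOpen itself as the "original" and every later open would recurse into it.
 * The slot is written with a plain store, as in the original; the author's note above
 * recommends an atomic exchange for anything beyond a test build. */
void SetObjectHook()
{
    ULONG_PTR *slot = (ULONG_PTR *)((ULONG_PTR)*PsProcessType + 0x78);

    if (*slot == (ULONG_PTR)MyPspProcessOpen) {
        DbgPrint("PspProcessOpen hook already installed\n");
        return;
    }
    g_org_pspopenprocess = (PSPPROCESSOPEN)*slot;
    *slot = (ULONG_PTR)MyPspProcessOpen;
    /* A NULL here may mean the slot offset is wrong for this kernel; the original code
     * installed regardless and only reported it, and that is kept. */
    if (g_org_pspopenprocess == NULL) {
        DbgPrint("PspProcessOpen is NULL!\n");
    }
}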
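/* Put the saved OpenProcedure back into the process OBJECT_TYPE slot (same 0x78 offset as
 * SetObjectHook — build-specific, TODO confirm). The original only restored when the saved
 * routine was non-NULL, so a hook installed over a NULL slot stayed in place after unload,
 * pointing into this driver's unmapped code. Now the slot is also restored whenever it
 * still holds MyPspProcessOpen, even if the saved value is NULL. */
void ResObjectHook()
{
    ULONG_PTR *slot = (ULONG_PTR *)((ULONG_PTR)*PsProcessType + 0x78);

    if (*slot == (ULONG_PTR)MyPspProcessOpen || g_org_pspopenprocess) {
        *slot = (ULONG_PTR)g_org_pspopenprocess;
    }
}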
/* Driver unload callback registered by DriverEntry(): removes the OpenProcedure hook.
 * The driver object is not needed for that and is deliberately unused. */
void DriverUnLoad(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;
    ResObjectHook();
}
/* Driver entry point: installs the OpenProcedure hook, registers DriverUnLoad() so the
 * hook is removed on unload, and always reports success. The registry path is unused. */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject,PUNICODE_STRING usRegistPath)
{
    (void)usRegistPath;
    SetObjectHook();
    pDriverObject->DriverUnload = DriverUnLoad;
    return STATUS_SUCCESS;
}
效果跟看雪上的一致
线程思路一致