object hook实现禁止创建文件

原理就不展开了,大伙都懂的。

要解决的问题:

1. 怎么在windbg中看到_OBJECT_TYPE和_OBJECT_TYPE_INITIALIZER结构的内容。

2. 如何得到pOldParseProcedure的地址

3. 如何改写((POBJECT_TYPE)*IoDeviceObjectType)->TypeInfo.ParseProcedure=pNewProcedure

对于第一个问题:

nt!_OBJECT_HEADER

+0x000 PointerCount     : Int4B

+0x004 HandleCount      : Int4B

+0x004 NextToFree       : Ptr32 Void

+0x008 Type             : Ptr32 _OBJECT_TYPE

+0x00c NameInfoOffset   : UChar

+0x00d HandleInfoOffset : UChar

+0x00e QuotaInfoOffset  : UChar

+0x00f Flags            : UChar

+0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION

+0x010 QuotaBlockCharged : Ptr32 Void

+0x014 SecurityDescriptor : Ptr32 Void

+0x018 Body             : _QUAD

lkd> dt _OBJECT_TYPE

nt!_OBJECT_TYPE

+0x000 Mutex            : _ERESOURCE

+0x038 TypeList         : _LIST_ENTRY

+0x040 Name             : _UNICODE_STRING

+0x048 DefaultObject    : Ptr32 Void

+0x04c Index            : Uint4B

+0x050 TotalNumberOfObjects : Uint4B

+0x054 TotalNumberOfHandles : Uint4B

+0x058 HighWaterNumberOfObjects : Uint4B

+0x05c HighWaterNumberOfHandles : Uint4B

+0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER

+0x0ac Key              : Uint4B

+0x0b0 ObjectLocks      : [4] _ERESOURCE

lkd> dt _OBJECT_TYPE_INITIALIZER

nt!_OBJECT_TYPE_INITIALIZER

+0x000 Length           : Uint2B

+0x002 UseDefaultObject : UChar

+0x003 CaseInsensitive  : UChar

+0x004 InvalidAttributes : Uint4B

+0x008 GenericMapping   : _GENERIC_MAPPING

+0x018 ValidAccessMask  : Uint4B

+0x01c SecurityRequired : UChar

+0x01d MaintainHandleCount : UChar

+0x01e MaintainTypeList : UChar

+0x020 PoolType         : _POOL_TYPE

+0x024 DefaultPagedPoolCharge : Uint4B

+0x028 DefaultNonPagedPoolCharge : Uint4B

+0x02c DumpProcedure    : Ptr32     void

+0x030 OpenProcedure    : Ptr32     long

+0x034 CloseProcedure   : Ptr32     void

+0x038 DeleteProcedure  : Ptr32     void

+0x03c ParseProcedure   : Ptr32     long

+0x040 SecurityProcedure : Ptr32     long

+0x044 QueryNameProcedure : Ptr32     long

+0x048 OkayToCloseProcedure : Ptr32     unsigned char


对于第二个问题:

2. 如何得到pOldParseProcedure的地址

1. 打开一个文件得到文件句柄 ZwOpenFile

2. 根据文件句柄得到文件 ObReferenceObjectByHandle得到pObject

3. pObject 是 _OBJECT_HEADER 结构中 Body 成员的地址,现在要得到 _OBJECT_HEADER 的地址,用宏 CONTAINING_RECORD((o),OBJECT_HEADER,Body)

4. POBJECT_HEADER结构的Type指向了一个OBJECT_TYPE( pType)

5. OldParseProcedure = pType->TypeInfo.ParseProcedure 就是要的结果

整理一下结构间的关系:

  1. #define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD((o),OBJECT_HEADER,Body)
  2. POBJECT_HEADER addrs=NULL;
  3. POBJECT_TYPE pType= NULL;
  4. addrs=OBJECT_TO_OBJECT_HEADER(pObject);//获取对象头
  5. pType=addrs->Type;//获取对象类型结构 object-10h
  6. OldParseProcedure = pType->TypeInfo.ParseProcedure;//获取服务函数原始地址,位于 OBJECT_TYPE+0x9C (TypeInfo 0x60 + ParseProcedure 0x3C)

/* Local mirror of the kernel's OBJECT_HEADER, laid out to match the
 * windbg `dt _OBJECT_HEADER` output above (32-bit: Type at +0x008,
 * Body at +0x018). OBJECT_TO_OBJECT_HEADER relies on Body being the
 * last member. Re-check the layout with windbg on every target build. */
typedef struct _OBJECT_HEADER {
	LONG PointerCount;                       // +0x000
	union {
		LONG HandleCount;                    // +0x004
		PSINGLE_LIST_ENTRY SEntry;           // +0x004 (windbg shows this slot as NextToFree)
	};
	POBJECT_TYPE Type;                       // +0x008 -> _OBJECT_TYPE; TypeInfo.ParseProcedure is at Type+0x9C
	UCHAR NameInfoOffset;                    // +0x00c
	UCHAR HandleInfoOffset;                  // +0x00d
	UCHAR QuotaInfoOffset;                   // +0x00e
	UCHAR Flags;                             // +0x00f
	union
	{
		POBJECT_CREATE_INFORMATION ObjectCreateInfo; // +0x010
		PVOID QuotaBlockCharged;             // +0x010
	};
	PSECURITY_DESCRIPTOR SecurityDescriptor; // +0x014
	QUAD Body;                               // +0x018 object body; ObReferenceObjectByHandle returns its address
} OBJECT_HEADER, *POBJECT_HEADER;

pType的值为0x821ebe70

lkd> dt _object_type 0x821ebe70

nt!_OBJECT_TYPE

+0x000 Mutex            : _ERESOURCE

+0x038 TypeList         : _LIST_ENTRY [ 0x821ebea8 - 0x821ebea8 ]

+0x040 Name             : _UNICODE_STRING "File"

+0x048 DefaultObject    : 0x0000005c

+0x04c Index            : 0x1c

+0x050 TotalNumberOfObjects : 0xcd6

+0x054 TotalNumberOfHandles : 0x316

+0x058 HighWaterNumberOfObjects : 0xd6e

+0x05c HighWaterNumberOfHandles : 0x3ad

+0x060 TypeInfo         : _OBJECT_TYPE_INITIALIZER

+0x0ac Key              : 0x656c6946

+0x0b0 ObjectLocks      : [4] _ERESOURCE


3. 如何改写((POBJECT_TYPE)*IoDeviceObjectType)->TypeInfo.ParseProcedure=pNewProcedure

关闭写保护

HOOK

打开写保护

函数定义方法:

/* Function pointer matching the _OBJECT_TYPE_INITIALIZER.ParseProcedure slot
 * (+0x03c in the windbg dump above). MyObjectHook stores the original File-type
 * parse routine here so the replacement can forward to it. */
NTSTATUS (*oldParseProcedure)(IN PVOID ParseObject,
	IN PVOID ObjectType,
	IN OUT PACCESS_STATE AccessState,
	IN KPROCESSOR_MODE AccessMode,
	IN ULONG Attributes,
	IN OUT PUNICODE_STRING CompleteName,
	IN OUT PUNICODE_STRING RemainingName,
	IN OUT PVOID Context OPTIONAL,
	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
	OUT PVOID *Object);

此时,就已经HOOK成功了

解决完上面的困难,真正的代码来了

.c






/* Signature of an object type's ParseProcedure, as found in the
 * _OBJECT_TYPE_INITIALIZER.ParseProcedure slot (+0x03c in the windbg dump). */
typedef NTSTATUS (*PFN_PARSE_PROCEDURE)(IN PVOID ParseObject,
	IN PVOID ObjectType,
	IN OUT PACCESS_STATE AccessState,
	IN KPROCESSOR_MODE AccessMode,
	IN ULONG Attributes,
	IN OUT PUNICODE_STRING CompleteName,
	IN OUT PUNICODE_STRING RemainingName,
	IN OUT PVOID Context OPTIONAL,
	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
	OUT PVOID *Object);

/* Original File-type ParseProcedure saved by MyObjectHook; NewParseProcedure
 * forwards every request it does not deny to this routine. Zero-initialized
 * (NULL) until the hook is installed. */
PFN_PARSE_PROCEDURE oldParseProcedure;



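/* Object type whose ParseProcedure is currently replaced; NULL while no hook
 * is installed. Set by MyObjectHook, cleared by MyObjectUnhook. */
static POBJECT_TYPE g_HookedType = NULL;

/*
 * Installs NewParseProcedure as the ParseProcedure of the "File" object type.
 *
 * Opens an existing file, reaches its OBJECT_HEADER via OBJECT_TO_OBJECT_HEADER,
 * takes the global _OBJECT_TYPE from the header, saves the current
 * TypeInfo.ParseProcedure in oldParseProcedure and then writes the hook.
 * Because the type descriptor is shared, every open on the File type is
 * affected from that point on. Idempotent: a second call while the hook is
 * live returns without touching anything (re-hooking would overwrite
 * oldParseProcedure with NewParseProcedure and recurse forever).
 *
 * Returns nothing; failures are reported through dprintf and leave the
 * system unhooked. The referenced object and the handle are released on
 * every path.
 */
VOID MyObjectHook()
{
	UNICODE_STRING uFileName;
	OBJECT_ATTRIBUTES ob;
	NTSTATUS status;
	HANDLE hFile = NULL;
	IO_STATUS_BLOCK ioStaBlock;
	PVOID pObject = NULL;
	POBJECT_HEADER addr;
	POBJECT_TYPE pType;
	KIRQL irql;

	dprintf("enter myObjectHook...\n");

	/* Only break when a kernel debugger is attached; an unconditional
	 * DbgBreakPoint() bug-checks a machine without one. */
	if (!KD_DEBUGGER_NOT_PRESENT)
	{
		DbgBreakPoint();
	}

	if (g_HookedType != NULL)
	{
		dprintf("MyObjectHook: hook already installed\n");
		return;
	}

	/* Any existing file will do; we only need a handle to reach the File type. */
	RtlInitUnicodeString(&uFileName,L"\\Device\\HarddiskVolume1\\123.txt");//这个文件必需存在
	InitializeObjectAttributes(&ob,&uFileName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE ,NULL, NULL);
	status = ZwOpenFile(&hFile,GENERIC_ALL,&ob,&ioStaBlock,0,FILE_NON_DIRECTORY_FILE);
	if (!NT_SUCCESS(status))
	{
		dprintf("ZwOpenFile error..\n");
		return ;
	}

	status = ObReferenceObjectByHandle(hFile,GENERIC_ALL,NULL,KernelMode,&pObject,NULL);
	if (!NT_SUCCESS(status))
	{
		dprintf("ObReferenceObjectByHandle:Object is Null\n");
		ZwClose(hFile);   /* the first version leaked the handle on this path */
		return ;
	}
	dprintf("pObject is 0x%08X\n",pObject);

	addr = OBJECT_TO_OBJECT_HEADER(pObject);
	dprintf("addr is 0x%08X\n",addr);  //这里是pObject-0x18的位置

	pType = addr->Type;
	dprintf("pType is 0x%08X\n",pType);

	/* Guard against the slot already holding our routine (e.g. a previous
	 * instance that never unhooked); saving it as "old" would recurse. */
	if ((PVOID)pType->TypeInfo.ParseProcedure == (PVOID)NewParseProcedure)
	{
		dprintf("MyObjectHook: ParseProcedure already points at NewParseProcedure\n");
		ObDereferenceObject(pObject);
		ZwClose(hFile);
		return ;
	}

	/* Save the original BEFORE writing the hook: a parse request arriving
	 * between the two statements would otherwise be forwarded to NULL. */
	oldParseProcedure = pType->TypeInfo.ParseProcedure;
	dprintf("OldParseProcedure addrs is %08X\n",oldParseProcedure);

	//HOOK 一下下
	/* WPOFF/WPON are project helpers (not shown here). The type descriptor is
	 * pool memory, so CR0.WP presumably does not matter for this write — confirm. */
	irql =  WPOFF();
	pType->TypeInfo.ParseProcedure = NewParseProcedure;//hook
	WPON(irql);
	g_HookedType = pType;

	/* Drop the reference taken by ObReferenceObjectByHandle (the first
	 * version never released it, pinning the file object forever). */
	ObDereferenceObject(pObject);
	//关闭句柄 
	ZwClose(hFile);
}

/*
 * Restores the original ParseProcedure saved by MyObjectHook.
 *
 * Must be called before the driver image is unloaded; otherwise the kernel
 * keeps calling NewParseProcedure in unmapped memory. Restoring the pointer
 * does not wait for parse requests already executing inside
 * NewParseProcedure — the unload routine has to allow for that (not shown
 * on this page). No-op when nothing is hooked.
 */
VOID MyObjectUnhook()
{
	KIRQL irql;
	POBJECT_TYPE pType = g_HookedType;

	if (pType == NULL || oldParseProcedure == NULL)
	{
		return ;
	}

	irql =  WPOFF();
	pType->TypeInfo.ParseProcedure = oldParseProcedure;
	WPON(irql);
	g_HookedType = NULL;
	dprintf("MyObjectUnhook: ParseProcedure restored\n");
}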





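//OBJECT HOOK 函数
/* Pool tag for the temporary upper-cased name copy ('kooH' is a constructed
 * value — replace with the project's tag). */
#define HOOK_NAME_POOL_TAG 'kooH'

/*
 * Replacement ParseProcedure for the File object type (installed by MyObjectHook).
 *
 * Makes a NUL-terminated, upper-cased copy of RemainingName (the path after
 * the device object, e.g. "\123.txt") and returns STATUS_ACCESS_DENIED when it
 * contains "TEST.TXT". Every other request is forwarded unchanged to the saved
 * original routine and its status is returned.
 *
 * Parameters are those of the kernel parse routine; only RemainingName is
 * inspected here, the rest is passed through. Runs at whatever IRQL the
 * object manager calls parse routines at — presumably PASSIVE_LEVEL, confirm
 * before changing the pool type.
 */
NTSTATUS NewParseProcedure(IN PVOID ParseObject,
	IN PVOID ObjectType,
	IN OUT PACCESS_STATE AccessState,
	IN KPROCESSOR_MODE AccessMode,
	IN ULONG Attributes,
	IN OUT PUNICODE_STRING CompleteName,
	IN OUT PUNICODE_STRING RemainingName,
	IN OUT PVOID Context OPTIONAL,
	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
	OUT PVOID *Object)
{
	PWCHAR nameCopy;
	SIZE_T copySize;
	BOOLEAN denied = FALSE;

	if (oldParseProcedure == NULL)
	{
		/* Nothing to forward to; fail the request instead of calling NULL. */
		return STATUS_UNSUCCESSFUL;
	}

	if (RemainingName != NULL && RemainingName->Buffer != NULL && RemainingName->Length != 0)
	{
		/* Length is a byte count and Buffer is not NUL-terminated, so size the
		 * copy from Length plus one WCHAR (the first version passed the Buffer
		 * pointer value as the allocation size). */
		copySize = (SIZE_T)RemainingName->Length + sizeof(WCHAR);
		nameCopy = (PWCHAR)ExAllocatePoolWithTag(NonPagedPool, copySize, HOOK_NAME_POOL_TAG);
		if (nameCopy != NULL)   /* NULL check now precedes the zeroing */
		{
			RtlZeroMemory(nameCopy, copySize);
			RtlCopyMemory(nameCopy, RemainingName->Buffer, RemainingName->Length);
			_wcsupr(nameCopy);
			denied = (BOOLEAN)(wcsstr(nameCopy, L"TEST.TXT") != NULL);
			/* Free on both outcomes; the first version leaked the copy on the allow path. */
			ExFreePoolWithTag(nameCopy, HOOK_NAME_POOL_TAG);
		}
		/* Allocation failure falls through to the original routine (fail-open),
		 * as before. Return STATUS_INSUFFICIENT_RESOURCES here instead if the
		 * deny must be strict. */
	}

	if (denied)
	{
		return STATUS_ACCESS_DENIED;
	}

	/* Pass the out-pointer itself: the original expects PVOID* and writes the
	 * resulting object through it (the first version passed *Object). */
	return oldParseProcedure(ParseObject,
							ObjectType,
							AccessState,
							AccessMode,
							Attributes,
							CompleteName,
							RemainingName,
							Context,
							SecurityQos,
							Object);
}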

.h




//object hook
/* Installs the File-type ParseProcedure hook (defined in the .c file).
 * This header declares no routine that removes it. */
VOID MyObjectHook();

/* Recovers the OBJECT_HEADER from the object body pointer returned by
 * ObReferenceObjectByHandle; relies on Body being the header's last member. */
#define OBJECT_TO_OBJECT_HEADER(o)\
	CONTAINING_RECORD((o),OBJECT_HEADER,Body)

/* Local mirror of the kernel's OBJECT_HEADER, laid out to match the windbg
 * `dt _OBJECT_HEADER` output in the article (32-bit: Type at +0x008, Body at
 * +0x018). Only the Type member and the position of Body are used by this
 * code. Re-check the layout with windbg on every target build. */
typedef struct _OBJECT_HEADER {
	LONG PointerCount;                       // +0x000
	union {
		LONG HandleCount;                    // +0x004
		PSINGLE_LIST_ENTRY SEntry;           // +0x004 (windbg shows this slot as NextToFree)
	};
	POBJECT_TYPE Type;                       // +0x008 -> _OBJECT_TYPE; TypeInfo.ParseProcedure is at Type+0x9C
	UCHAR NameInfoOffset;                    // +0x00c
	UCHAR HandleInfoOffset;                  // +0x00d
	UCHAR QuotaInfoOffset;                   // +0x00e
	UCHAR Flags;                             // +0x00f
	union
	{
		PVOID ObjectCreateInfo;              // +0x010
		PVOID QuotaBlockCharged;             // +0x010
	};
	PSECURITY_DESCRIPTOR SecurityDescriptor; // +0x014
	QUAD Body;                               // +0x018 object body; ObReferenceObjectByHandle returns its address
} OBJECT_HEADER, *POBJECT_HEADER;



/* Replacement ParseProcedure for the File object type. Returns
 * STATUS_ACCESS_DENIED when RemainingName contains "TEST.TXT"
 * (case-insensitive); otherwise forwards the call to the original routine
 * saved in oldParseProcedure and returns its status. The signature must
 * match the _OBJECT_TYPE_INITIALIZER.ParseProcedure slot exactly. */
NTSTATUS NewParseProcedure(IN PVOID ParseObject,
	IN PVOID ObjectType,
	IN OUT PACCESS_STATE AccessState,
	IN KPROCESSOR_MODE AccessMode,
	IN ULONG Attributes,
	IN OUT PUNICODE_STRING CompleteName,
	IN OUT PUNICODE_STRING RemainingName,
	IN OUT PVOID Context OPTIONAL,
	IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
	OUT PVOID *Object);



时间: 2024-10-27 18:42:24
