这个代码可以在WIN8.1上面跑的 测试成功 自己测试的时候呢 把ObInsertObjectEx,DbgkDebugObjectType替换一下 最后用符号连接就完美了
这个不像昨天的那个伪代码 这个可以跑的 我跟着调试了一遍代码也是没有用IDA了 IDA太坑
NTSTATUS NTCreateDebugObject(OUT PHANDLE DebugObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG Flags){
typedef NTSTATUS (__stdcall *OBCREATEOBJECT)(
__in KPROCESSOR_MODE ProbeMode,
__in POBJECT_TYPE ObjectType,
__in POBJECT_ATTRIBUTES ObjectAttributes,
__in KPROCESSOR_MODE OwnershipMode,
__inout_opt PVOID ParseContext,
__in ULONG ObjectBodySize,
__in ULONG PagedPoolCharge,
__in ULONG NonPagedPoolCharge,
__out PVOID *Object
);
PHANDLE handle;
UNICODE_STRING usFuncName;
KPROCESSOR_MODE PreviousMode;
OBCREATEOBJECT ObCreateObject;
POBJECT_TYPE DebugObject;
POBJECT_TYPE DbgkDebugObjectType=(POBJECT_TYPE)0x84939eb0 ;
ULONG ObInsertObjectEx=(ULONG)0x814ad106 ;
NTSTATUS status;
RtlInitUnicodeString(&usFuncName,L"ObCreateObject");
ObCreateObject = MmGetSystemRoutineAddress(&usFuncName);
PreviousMode=ExGetPreviousMode();
if (PreviousMode==KernelMode)
{
return STATUS_INVALID_PARAMETER;
}
if (Flags & 0xFFFFFFFE)
{
return STATUS_INVALID_PARAMETER;
}
status= ObCreateObject(PreviousMode,DbgkDebugObjectType,ObjectAttributes,PreviousMode,NULL,0x3c,0, 0,(PVOID)&DebugObject);
if (!NT_SUCCESS(status))
{
return status;
}
*(ULONG*)((ULONG)DebugObject+0x10)=1;
*(ULONG*)((ULONG)DebugObject+0x14)=0;
*(ULONG*)((ULONG)DebugObject+0x18)=0;
__asm{
mov esi,dword ptr [DebugObject]
xor edi,edi
xor eax,eax
inc eax
}
KeInitializeEvent((PRKEVENT)((ULONG)DebugObject+0x1c),1,0);
*(ULONG*)((ULONG)DebugObject+0x30+4)= ((ULONG)DebugObject+0x30);
*(ULONG*)((ULONG)DebugObject+0x30)=((ULONG)DebugObject+0x30);
KeInitializeEvent((PRKEVENT)DebugObject,0,0);
*(ULONG*)((ULONG)DebugObject+0x38)=2;
__asm{
lea eax,[handle]
push eax
push edi
push edi
push edi
push DWORD ptr [DesiredAccess]
xor edx,edx
mov ecx,esi
call ObInsertObjectEx
}
KdPrint(("handle %X",handle));
*(ULONG*)DebugObjectHandle=handle;
return 0;
}