[源码] 过TP之创建CreateMyDbgkDebugObjectType
/*
 * Globals shared by the three routines below.
 *
 * DbgkDebugObjectTypeAddr  - address of the kernel's nt!DbgkDebugObjectType pointer
 *                            variable, recovered from NtDebugActiveProcess (see the
 *                            disassembly comment at the end of CreateMyDbgkDebugObjectType).
 * DbgkDebugObjectType      - the OBJECT_TYPE that pointer referred to when we looked.
 * MyDbgkDebugObjectType    - the replacement type returned by ObCreateObjectType.
 * ObjectTypeInitializer    - copy of the original type's TypeInfo, passed to ObCreateObjectType.
 * bEditDbgkDebugObjectType - TRUE while the kernel pointer is patched. Plain BOOLEAN,
 *                            read and written without any synchronization.
 */
ULONG DbgkDebugObjectTypeAddr = 0;
POBJECT_TYPE DbgkDebugObjectType = NULL, MyDbgkDebugObjectType = NULL;
OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
BOOLEAN bEditDbgkDebugObjectType = FALSE;

/*
 * Locate nt!DbgkDebugObjectType through NtDebugActiveProcess and create a second
 * object type named "MyDebugObject" from a copy of the original type's TypeInfo.
 *
 * Returns TRUE only when ObCreateObjectType returns STATUS_SUCCESS. Returns FALSE
 * when the operand read from NtDebugActiveProcess is zero, when the live type is
 * already named "MyDebugObject", or when ObCreateObjectType fails - the caller
 * cannot tell these cases apart.
 *
 * Risk: the pointer is taken from a hard-coded instruction offset (0x5a + 2) that
 * matches only the kernel build disassembled in the comment below. On any other
 * build that read returns arbitrary kernel data; the only check is "!= 0", and the
 * value is then dereferenced twice (the pointer variable, then the OBJECT_TYPE
 * behind it), so a mismatch bugchecks the machine.
 */
BOOLEAN CreateMyDbgkDebugObjectType()
{
    ULONG NtDebugActiveProcess;
    UNICODE_STRING MyObjectTypeName;

    NtDebugActiveProcess = GetSSDTFunctionAddr(SysFuncIdx.NtDebugActiveProcess);
    /* +0x5a is the "push dword ptr [nt!DbgkDebugObjectType]" instruction (ff 35 imm32);
     * +2 skips the opcode so the read yields its 32-bit absolute operand. */
    DbgkDebugObjectTypeAddr = *(PULONG)(NtDebugActiveProcess + 0x5a + 2);
    KdPrint(("DbgkDebugObjectTypeAddr: 0x%8x\n", DbgkDebugObjectTypeAddr)); //8055a540
    if (DbgkDebugObjectTypeAddr == 0)
    {
        KdPrint(("DbgkDebugObjectTypeAddr == 0!"));
        return FALSE;
    }
    /* No validation of the address before it is dereferenced (no MmIsAddressValid or
     * equivalent); see the risk note in the function header. */
    DbgkDebugObjectType = (POBJECT_TYPE)(*(PULONG)DbgkDebugObjectTypeAddr);
    KdPrint(("DbgkDebugObjectType: 0x%8x\n", DbgkDebugObjectType)); //863bb040
    /* Name.Buffer is a UNICODE_STRING buffer; %ws and the wcscmp below assume it is
     * NUL-terminated, which UNICODE_STRING does not guarantee. */
    KdPrint(("DbgkDebugObjectType->Name: %ws\n", DbgkDebugObjectType->Name.Buffer));
    /* Values observed on an untouched kernel are noted beside each line; they are
     * the same values hard-coded into the restore branch further down. */
    KdPrint(("TypeInfo.GenericMapping.GenericRead: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericRead)); //00020001
    KdPrint(("TypeInfo.GenericMapping.GenericWrite: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericWrite)); //00020002
    KdPrint(("TypeInfo.GenericMapping.GenericExecute: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericExecute)); //00120000
    KdPrint(("TypeInfo.GenericMapping.GenericAll: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericAll)); //001f000f
    KdPrint(("TypeInfo.ValidAccessMask: 0x%08x\n", DbgkDebugObjectType->TypeInfo.ValidAccessMask)); //001f000f
    /* Already patched (the kernel pointer currently refers to our own type).
     * Reported as FALSE, indistinguishable from a failure. */
    if (wcscmp(DbgkDebugObjectType->Name.Buffer, L"MyDebugObject") == 0)
    {
        KdPrint(("已经修改为MyDebugObject.\n"));
        return FALSE;
    }

    /* The whole TypeInfo of the original type is copied, so the replacement type is
     * created with the same initializer contents (presumably including whatever
     * procedure pointers TypeInfo carries - not visible here, confirm against the
     * OBJECT_TYPE_INITIALIZER definition). */
    RtlCopyMemory(&ObjectTypeInitializer, &DbgkDebugObjectType->TypeInfo, sizeof(ObjectTypeInitializer));
    /* The "after loading TP" dump in EditDbgkDebugObjectType shows the protector
     * zeroing GenericMapping and ValidAccessMask on the live type. When that is the
     * case the copy is patched back to the untouched-kernel values printed above,
     * rather than creating a type that rejects every access. */
    if (DbgkDebugObjectType->TypeInfo.ValidAccessMask == 0)
    {
        KdPrint(("DbgkDebugObjectType->TypeInfo.ValidAccessMask被清零,开始恢复.\n"));
        ObjectTypeInitializer.GenericMapping.GenericRead = 0x00020001;
        ObjectTypeInitializer.GenericMapping.GenericWrite = 0x00020002;
        ObjectTypeInitializer.GenericMapping.GenericExecute = 0x00120000;
        ObjectTypeInitializer.GenericMapping.GenericAll = 0x001f000f;
        ObjectTypeInitializer.ValidAccessMask = 0x001f000f;
    }
    /* A NULL security descriptor is passed for the new type. */
    RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");
    return (STATUS_SUCCESS == ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, &MyDbgkDebugObjectType));

    // Origin of the 0x5a offset: 80644d0c - 80644cb2 = 0x5a, and the ff35 opcode is
    // followed by the absolute address of nt!DbgkDebugObjectType (8055a540).
    // Bracketed operands are restored from the opcode bytes; they were lost in the paste.
    //0: kd> uf nt!NtDebugActiveProcess
    //nt!NtDebugActiveProcess:
    //80644cb2 8bff mov edi,edi
    //80644cb4 55 push ebp
    //80644cb5 8bec mov ebp,esp
    //...
    //nt!NtDebugActiveProcess+0x51:
    //80644d03 6a00 push 0
    //80644d05 8d4508 lea eax,[ebp+8]
    //80644d08 50 push eax
    //80644d09 ff75fc push dword ptr [ebp-4]
    //80644d0c ff3540a55580 push dword ptr [nt!DbgkDebugObjectType (8055a540)]
    //80644d12 6a02 push 2
    //80644d14 ff750c push dword ptr [ebp+0Ch]
    //80644d17 e8ee77f7ff call nt!ObReferenceObjectByHandle (805bc50a)
}

/*
 * Point nt!DbgkDebugObjectType at the replacement type created by
 * CreateMyDbgkDebugObjectType. Idempotent via bEditDbgkDebugObjectType.
 *
 * The store is a plain 32-bit write to a kernel global with write protection
 * disabled (WPOFF/WPON are not defined here; presumably they toggle CR0.WP - confirm
 * whether they also raise IRQL, otherwise a context switch between them leaves WP
 * off for unrelated code). Nothing synchronizes the write with other CPUs or threads
 * that may be reading the pointer at the same time.
 *
 * Detection note: after this runs the kernel's pointer refers to an OBJECT_TYPE whose
 * Name is "MyDebugObject" instead of "DebugObject" (see the dt output that follows
 * the code); comparing the pointer against its boot-time value, or the Name against
 * the expected string, reveals the change.
 */
VOID EditDbgkDebugObjectType()
{
    if (bEditDbgkDebugObjectType)
        return;
    /* FALSE here covers both "already patched" and real failure; the flag is then
     * left FALSE, so a later UnEditDbgkDebugObjectType does nothing. */
    if (CreateMyDbgkDebugObjectType())
    {
        WPOFF();
        *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)MyDbgkDebugObjectType;
        WPON();
        bEditDbgkDebugObjectType = TRUE;
    }

    //lkd> dd nt!DbgkDebugObjectType
    //8055a540  863bb040 00000000 00000000 00000000

    // before loading TP (863bb040+68 = TypeInfo.GenericMapping, then ValidAccessMask):
    //0: kd> dd 863bb040+68
    //863bb0a8  00020001 00020002 00120000 001f000f
    //863bb0b8  001f000f 00000001 00000000 00000000

    // after loading TP (GenericMapping and ValidAccessMask zeroed in place):
    //0: kd> dd 863bb040+68
    //863bb0a8  00000000 00000000 00000000 00000000
    //863bb0b8  00000000 00000001 00000000 00000000
}

/*
 * Restore the original nt!DbgkDebugObjectType pointer and drop our reference on
 * the replacement type. No-op unless EditDbgkDebugObjectType succeeded.
 *
 * Same unsynchronized WPOFF/store/WPON sequence as EditDbgkDebugObjectType.
 * NOTE(review): ObfDereferenceObject on a type returned by ObCreateObjectType -
 * whether that actually tears the type down, and what happens to any debug objects
 * created while the patch was active (their ObjectType would still refer to
 * MyDbgkDebugObjectType), is not established here; confirm before relying on this
 * for a clean unload.
 */
VOID UnEditDbgkDebugObjectType()
{
    if (!bEditDbgkDebugObjectType)
        return;
    WPOFF();
    *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)DbgkDebugObjectType;
    WPON();
    ObfDereferenceObject(MyDbgkDebugObjectType);
    bEditDbgkDebugObjectType = FALSE;
}
// original:
lkd> dt _object_type 863bb040
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x863bb078 - 0x863bb078 ]
+0x040 Name : _UNICODE_STRING "DebugObject"
+0x048 DefaultObject : (null)
+0x04c Index : 8
+0x050 TotalNumberOfObjects : 0
+0x054 TotalNumberOfHandles : 0
+0x058 HighWaterNumberOfObjects : 0
+0x05c HighWaterNumberOfHandles : 0
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x75626544
+0x0b0 ObjectLocks : _ERESOURCE
// new:
lkd> dt _object_type 85adec38
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x85adec70 - 0x85adec70 ]
+0x040 Name : _UNICODE_STRING "MyDebugObject"
+0x048 DefaultObject : (null)
+0x04c Index : 0x20
+0x050 TotalNumberOfObjects : 0
+0x054 TotalNumberOfHandles : 0
+0x058 HighWaterNumberOfObjects : 0
+0x05c HighWaterNumberOfHandles : 0
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x6544794d
+0x0b0 ObjectLocks : _ERESOURCE