Author: emc
While debugging an inline hook that I wrote myself, a BSOD appeared. I then used WinDbg to debug the dump file. The information is as follows:
PEB is paged out (Peb.Ldr =7ffd500c) . Type " . hh dbgerr001" for details
PEB is paged out (Peb.Ldr =7ffd500c) . Type " . hh dbgerr001" for details
PEB is paged out (Peb.Ldr =7ffd500c) . Type " . hh dbgerr001" for details
I have already checked the PEB structure and the _PEB_LDR_DATA structure, but I do not understand what the information above means. Could an expert help me look into it and change it?
The inline hook is on ObReferenceObjectByHandle. This is the code:
#include <ntddk.h >
#include <string.h >
extern POBJECT_TYPE *PsProcessType;
void close_write_protected()
{
//cancel write protected
// Clears CR0.WP (bit 16, mask 10000H) so kernel code can write through
// read-only mappings such as the code page holding ObReferenceObjectByHandle.
// CLI only masks interrupts on the processor this runs on; nothing here
// stops other processors from executing the bytes the caller is about to
// overwrite, so on an SMP system another CPU can hit a half-written
// instruction.
// NOTE(review): if anything faults between this call and
// open_write_protected(), the CPU is left with WP cleared and interrupts
// masked; there is no recovery path.
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
}
void open_write_protected()
{
// Sets CR0.WP again and re-enables interrupts.  STI is unconditional: it
// re-enables interrupts even if they were already masked before
// close_write_protected() ran, rather than restoring the previous state.
// Every caller in this file brackets the pair with KeRaiseIrqlToDpcLevel()
// / KeLowerIrql().
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
}
//this routine unload current driver
// Unhooks ObReferenceObjectByHandle by writing back a hard-coded 5-byte
// hot-patch prologue (mov edi,edi / push ebp / mov ebp,esp).  These bytes
// were never read from the target at install time, only assumed; if the
// running kernel's prologue differs, unloading corrupts the function.
// Nothing here waits for threads that may still be executing inside
// my_routine / call_failed.  NOTE(review): once this returns the driver
// image is unmapped, so such a thread would then execute freed code —
// confirm there are no in-flight callers before unloading.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
KIRQL irql;
// Assumed original first 5 bytes of ObReferenceObjectByHandle (not saved).
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec} ;
irql = KeRaiseIrqlToDpcLevel() ;
close_write_protected() ;
//unload inline hook
// Written unconditionally: harmless if call_failed already restored these
// bytes, but there is no check that the hook is still present.
RtlCopyMemory(ObReferenceObjectByHandle,routine_head ,5);
open_write_protected() ;
KeLowerIrql(irql) ;
DbgPrint(" inline hook success unload." );
return;
}
// Hook body, reached from my_routine with the six ObReferenceObjectByHandle
// arguments.  For process objects it writes the original prologue back,
// calls the real ObReferenceObjectByHandle, then decides by image name
// whether to let the reference through.
// Defects visible here:
//  - the hook is removed (routine_head written back) but never
//    re-installed, so after the first process-object call the patch is
//    gone; jmp_code below is never used;
//  - the return type is int (0 or 1), but my_routine hands this value to
//    callers of ObReferenceObjectByHandle, which expect an NTSTATUS;
//  - the NTSTATUS of the real call is discarded, so *Object is consulted
//    even when the call failed;
//  - the _stricmp operand is derived from Object (the address of the
//    caller's out-parameter), not from the object it points to.
// NOTE(review): the real ObReferenceObjectByHandle is called while this
// thread is still at DPC level; its documented IRQL requirement is
// PASSIVE_LEVEL, so that call alone is a plausible IRQL_NOT_LESS_OR_EQUAL
// bugcheck source — confirm against the DDK documentation.
int call_failed(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInfo
)
{
KIRQL irql;
//mov edi,edi
//push ebp
//mov ebp,esp
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec} ;
//jmp address
// Unused in this routine; only DriverEntry builds and writes the jmp.
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00} ;
if(ObjectType == *PsProcessType) //this object is a process
{
irql = KeRaiseIrqlToDpcLevel() ;
close_write_protected() ;
//unload inline hook
RtlCopyMemory(ObReferenceObjectByHandle,routine_head ,5);
// Return status ignored; on failure *Object is not a valid pointer.
ObReferenceObjectByHandle(
Handle,
DesiredAccess,
ObjectType,
AccessMode,
Object,
HandleInfo
);
open_write_protected() ;
KeLowerIrql(irql) ;
// 0x174 is a hard-coded, version-specific EPROCESS offset that is never
// validated against the running kernel; the literal as written carries a
// leading space.
if(_stricmp((const char *) Object+0x174," notepad.exe" ) ! =0) //this process is protected
{
return 1;
}
else
{
// Hands the caller a success status (0) together with an invalid object
// pointer (-1); any caller that dereferences it faults.
*Object = (PVOID) -1;
return 0;
}
}
return 0;
}
//jmp this routine
// Trampoline that the patched ObReferenceObjectByHandle jumps to.  Because
// the first 5 bytes of the original were replaced by the jmp, the copied
// prologue (mov edi,edi / push ebp / mov ebp,esp) rebuilds the same frame,
// making [ebp+8]..[ebp+0x1c] the six stdcall arguments, which are pushed
// right-to-left for call_failed.
// NOTE(review): no return type is declared (implicit int), and after
// `call call_failed` there is no epilogue and no `ret`: control falls off
// the end of this naked function into whatever bytes follow it in the
// image.  That is the most direct explanation for the reported bugcheck.
// Whether the six pushed arguments are popped depends on call_failed's
// calling convention, which is not declared explicitly — confirm.
__declspec(naked) my_routine()
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
//parameter enter the stack
push [ebp+0x1c]
push [ebp+0x18]
push [ebp+0x14]
push [ebp+0x10]
push [ebp+0xc]
push [ebp+8]
call call_failed
}
}
//driver program entry routine
//rewrite ObReferenceObjectByHandle() start 5 byte for jmp address to my_routine
// Installs the hook: builds an E9 rel32 jmp from ObReferenceObjectByHandle
// to my_routine and writes it over the function's first 5 bytes with CR0.WP
// cleared and IRQL raised to DPC level.
// Caveats visible here:
//  - the bytes being overwritten are never read or saved, and there is no
//    check that the target really starts with the 5-byte hot-patch
//    prologue that DriverUnload/call_failed later write back;
//  - raising IRQL affects only this processor; other CPUs can execute the
//    partially written instruction;
//  - the rel32 is computed in an int, which only fits 32-bit x86 (the
//    inline asm in this file is 32-bit only anyway).
// From a defensive standpoint this is a classic kernel-integrity violation:
// comparing the exported function's first bytes with the on-disk image
// reveals the patch.  NOTE(review): on x64 kernels, patch protection
// bugchecks the system for this kind of modification — confirm.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
int jmp_offset; //a jmp operation from current to my_routine
KIRQL irql;
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00} ;
DriverObject -> DriverUnload = DriverUnload; //set this driver unload routinue
irql = KeRaiseIrqlToDpcLevel() ;
close_write_protected() ;
//inline hook ObReferenceObjectByHandle()
// rel32 is relative to the end of the 5-byte jmp, hence the -5.
jmp_offset = (char *) my_routine - (char *) ObReferenceObjectByHandle - 5;
RtlCopyMemory(jmp_code+1,&jmp_offset ,4);
RtlCopyMemory(ObReferenceObjectByHandle,jmp_code ,5);
open_write_protected() ;
KeLowerIrql(irql) ;
DbgPrint(" install inline hook success." );
return STATUS_SUCCESS;
}
#include <string.h >
extern POBJECT_TYPE *PsProcessType;
void close_write_protected()
{
//cancel write protected
// Clears CR0.WP (bit 16, mask 10000H) so kernel code can write through
// read-only mappings such as the code page holding ObReferenceObjectByHandle.
// CLI only masks interrupts on the processor this runs on; nothing here
// stops other processors from executing the bytes the caller is about to
// overwrite, so on an SMP system another CPU can hit a half-written
// instruction.
// NOTE(review): if anything faults between this call and
// open_write_protected(), the CPU is left with WP cleared and interrupts
// masked; there is no recovery path.
__asm
{
CLI
MOV eax, CR0
AND eax, NOT 10000H
MOV CR0, eax
}
}
void open_write_protected()
{
// Sets CR0.WP again and re-enables interrupts.  STI is unconditional: it
// re-enables interrupts even if they were already masked before
// close_write_protected() ran, rather than restoring the previous state.
// Every caller in this file brackets the pair with KeRaiseIrqlToDpcLevel()
// / KeLowerIrql().
__asm
{
MOV eax, CR0
OR eax, 10000H
MOV CR0, eax
STI
}
}
//this routine unload current driver
// Unhooks ObReferenceObjectByHandle by writing back a hard-coded 5-byte
// hot-patch prologue (mov edi,edi / push ebp / mov ebp,esp).  These bytes
// were never read from the target at install time, only assumed; if the
// running kernel's prologue differs, unloading corrupts the function.
// Nothing here waits for threads that may still be executing inside
// my_routine / call_failed.  NOTE(review): once this returns the driver
// image is unmapped, so such a thread would then execute freed code —
// confirm there are no in-flight callers before unloading.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
KIRQL irql;
// Assumed original first 5 bytes of ObReferenceObjectByHandle (not saved).
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec} ;
irql = KeRaiseIrqlToDpcLevel() ;
close_write_protected() ;
//unload inline hook
// Written unconditionally: harmless if call_failed already restored these
// bytes, but there is no check that the hook is still present.
RtlCopyMemory(ObReferenceObjectByHandle,routine_head ,5);
open_write_protected() ;
KeLowerIrql(irql) ;
DbgPrint(" inline hook success unload." );
return;
}
// Hook body, reached from my_routine with the six ObReferenceObjectByHandle
// arguments.  For process objects it writes the original prologue back,
// calls the real ObReferenceObjectByHandle, then decides by image name
// whether to let the reference through.
// Defects visible here:
//  - the hook is removed (routine_head written back) but never
//    re-installed, so after the first process-object call the patch is
//    gone; jmp_code below is never used;
//  - the return type is int (0 or 1), but my_routine hands this value to
//    callers of ObReferenceObjectByHandle, which expect an NTSTATUS;
//  - the NTSTATUS of the real call is discarded, so *Object is consulted
//    even when the call failed;
//  - the _stricmp operand is derived from Object (the address of the
//    caller's out-parameter), not from the object it points to.
// NOTE(review): the real ObReferenceObjectByHandle is called while this
// thread is still at DPC level; its documented IRQL requirement is
// PASSIVE_LEVEL, so that call alone is a plausible IRQL_NOT_LESS_OR_EQUAL
// bugcheck source — confirm against the DDK documentation.
int call_failed(
IN HANDLE Handle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_TYPE ObjectType,
IN KPROCESSOR_MODE AccessMode,
OUT PVOID *Object,
OUT POBJECT_HANDLE_INFORMATION HandleInfo
)
{
KIRQL irql;
//mov edi,edi
//push ebp
//mov ebp,esp
unsigned char routine_head[5] = {0x8b,0xff,0x55,0x8b,0xec} ;
//jmp address
// Unused in this routine; only DriverEntry builds and writes the jmp.
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00} ;
if(ObjectType == *PsProcessType) //this object is a process
{
irql = KeRaiseIrqlToDpcLevel() ;
close_write_protected() ;
//unload inline hook
RtlCopyMemory(ObReferenceObjectByHandle,routine_head ,5);
// Return status ignored; on failure *Object is not a valid pointer.
ObReferenceObjectByHandle(
Handle,
DesiredAccess,
ObjectType,
AccessMode,
Object,
HandleInfo
);
open_write_protected() ;
KeLowerIrql(irql) ;
// 0x174 is a hard-coded, version-specific EPROCESS offset that is never
// validated against the running kernel; the literal as written carries a
// leading space.
if(_stricmp((const char *) Object+0x174," notepad.exe" ) ! =0) //this process is protected
{
return 1;
}
else
{
// Hands the caller a success status (0) together with an invalid object
// pointer (-1); any caller that dereferences it faults.
*Object = (PVOID) -1;
return 0;
}
}
return 0;
}
//jmp this routine
// Trampoline that the patched ObReferenceObjectByHandle jumps to.  Because
// the first 5 bytes of the original were replaced by the jmp, the copied
// prologue (mov edi,edi / push ebp / mov ebp,esp) rebuilds the same frame,
// making [ebp+8]..[ebp+0x1c] the six stdcall arguments, which are pushed
// right-to-left for call_failed.
// NOTE(review): no return type is declared (implicit int), and after
// `call call_failed` there is no epilogue and no `ret`: control falls off
// the end of this naked function into whatever bytes follow it in the
// image.  That is the most direct explanation for the reported bugcheck.
// Whether the six pushed arguments are popped depends on call_failed's
// calling convention, which is not declared explicitly — confirm.
__declspec(naked) my_routine()
{
__asm
{
mov edi,edi
push ebp
mov ebp,esp
//parameter enter the stack
push [ebp+0x1c]
push [ebp+0x18]
push [ebp+0x14]
push [ebp+0x10]
push [ebp+0xc]
push [ebp+8]
call call_failed
}
}
//driver program entry routine
//rewrite ObReferenceObjectByHandle() start 5 byte for jmp address to my_routine
// Installs the hook: builds an E9 rel32 jmp from ObReferenceObjectByHandle
// to my_routine and writes it over the function's first 5 bytes with CR0.WP
// cleared and IRQL raised to DPC level.
// Caveats visible here:
//  - the bytes being overwritten are never read or saved, and there is no
//    check that the target really starts with the 5-byte hot-patch
//    prologue that DriverUnload/call_failed later write back;
//  - raising IRQL affects only this processor; other CPUs can execute the
//    partially written instruction;
//  - the rel32 is computed in an int, which only fits 32-bit x86 (the
//    inline asm in this file is 32-bit only anyway).
// From a defensive standpoint this is a classic kernel-integrity violation:
// comparing the exported function's first bytes with the on-disk image
// reveals the patch.  NOTE(review): on x64 kernels, patch protection
// bugchecks the system for this kind of modification — confirm.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
int jmp_offset; //a jmp operation from current to my_routine
KIRQL irql;
unsigned char jmp_code[5] = {0xe9,0x00,0x00,0x00,0x00} ;
DriverObject -> DriverUnload = DriverUnload; //set this driver unload routinue
irql = KeRaiseIrqlToDpcLevel() ;
close_write_protected() ;
//inline hook ObReferenceObjectByHandle()
// rel32 is relative to the end of the 5-byte jmp, hence the -5.
jmp_offset = (char *) my_routine - (char *) ObReferenceObjectByHandle - 5;
RtlCopyMemory(jmp_code+1,&jmp_offset ,4);
RtlCopyMemory(ObReferenceObjectByHandle,jmp_code ,5);
open_write_protected() ;
KeLowerIrql(irql) ;
DbgPrint(" install inline hook success." );
return STATUS_SUCCESS;
}
Answer:
Refer to code: