The Object Hook original-address lookup I wrote seems reasonably generic
2009-02-15 11:46
As the title says.
About SecurityProcedure:
Some object types are created without a SecurityProcedure, so there is nothing to find for them in the image. But when ObCreateObjectType sees that SecurityProcedure was passed as NULL it fills the field in with SeDefaultObjectMethod itself, so the lookup reports NULL while the field in the live _OBJECT_TYPE_INITIALIZER is not NULL (compare the Process, Thread and Driver results below with the lkd dumps: the image gives 00000000, the kernel shows nt!SeDefaultObjectMethod). A hook check that compares the two therefore has to treat "NULL in the image" as "expect SeDefaultObjectMethod", not as a mismatch.

Two further points are visible in the output. The section is mapped at 7FD90000 with status 1073741827, which is 0x40000003 (STATUS_IMAGE_NOT_AT_BASE), and the addresses the tool prints are not live kernel addresses: every non-NULL value below differs from the corresponding live pointer by the same constant 0x800D8000 (for example 004FACDC versus 805d2cdc for nt!PspProcessDelete), so they must be relocated by that delta before being compared with the running kernel.
Trying to load ntkrnlpa.exe.
Loaded ntkrnlpa.exe successfully.
Created Section successfully.
Mapped Section at 7FD90000, length 2150400, status 1073741827.
Starting Object Procedure search.
Searching Process.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004FACDC
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00000000
QueryNameProcedure: 00000000
SecurityProcedure: 00000000
Searching Thread.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004FAE64
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00000000
QueryNameProcedure: 00000000
SecurityProcedure: 00000000
Searching KeyObject.
OpenProcedure: 00000000
CloseProcedure: 0056006E
DeleteProcedure: 0055FF54
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00557F1C
QueryNameProcedure: 0055EDEE
SecurityProcedure: 0055FDB8
Searching File.
OpenProcedure: 00000000
CloseProcedure: 004AC6E8
DeleteProcedure: 004AC9C6
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 004AC5D6
QueryNameProcedure: 004AB680
SecurityProcedure: 004ACD4A
Searching Driver.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004AC62E
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 00000000
QueryNameProcedure: 00000000
SecurityProcedure: 00000000
Searching Device.
OpenProcedure: 00000000
CloseProcedure: 00000000
DeleteProcedure: 004AC6A8
DumpProcedure: 00000000
OkayToCloseProcedure: 00000000
ParseProcedure: 004AB7E8
QueryNameProcedure: 00000000
SecurityProcedure: 004ACD4A
Object Procedure search complete.
Exit.
lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsProcessType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0xb0
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f0fff
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0x1000
+0x028 DefaultNonPagedPoolCharge : 0x290
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : (null)
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805d2cdc void nt!PspProcessDelete+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsThreadType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0xb0
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f03ff
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0
+0x028 DefaultNonPagedPoolCharge : 0x288
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : (null)
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805d2e64 void nt!PspThreadDelete+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(CmpKeyObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0x1 ''
+0x003 CaseInsensitive : 0 ''
+0x004 InvalidAttributes : 0x30
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f003f
+0x01c SecurityRequired : 0x1 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 1 ( PagedPool )
+0x024 DefaultPagedPoolCharge : 0x74
+0x028 DefaultNonPagedPoolCharge : 0
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : (null)
+0x034 CloseProcedure : 0x8063806e void nt!CmpCloseKeyObject+0
+0x038 DeleteProcedure : 0x80637f54 void nt!CmpDeleteKeyObject+0
+0x03c ParseProcedure : 0x8062ff1c long nt!CmpParseKey+0
+0x040 SecurityProcedure : 0x80637db8 long nt!CmpSecurityMethod+0
+0x044 QueryNameProcedure : 0x80636dee long nt!CmpQueryKeyName+0
+0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoFileObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0 ''
+0x003 CaseInsensitive : 0x1 ''
+0x004 InvalidAttributes : 0x130
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f01ff
+0x01c SecurityRequired : 0 ''
+0x01d MaintainHandleCount : 0x1 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0x400
+0x028 DefaultNonPagedPoolCharge : 0xe8
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : (null)
+0x034 CloseProcedure : 0x805846e8 void nt!IopCloseFile+0
+0x038 DeleteProcedure : 0x805849c6 void nt!IopDeleteFile+0
+0x03c ParseProcedure : 0x805845d6 long nt!IopParseFile+0
+0x040 SecurityProcedure : 0x80584d4a long nt!IopGetSetSecurityObject+0
+0x044 QueryNameProcedure : 0x80583680 long nt!IopQueryName+0
+0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDriverObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0x1 ''
+0x003 CaseInsensitive : 0x1 ''
+0x004 InvalidAttributes : 0x100
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f01ff
+0x01c SecurityRequired : 0 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0
+0x028 DefaultNonPagedPoolCharge : 0xd8
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : (null)
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x8058462e void nt!IopDeleteDriver+0
+0x03c ParseProcedure : (null)
+0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDeviceObjectType)+0x60
nt!_OBJECT_TYPE_INITIALIZER
+0x000 Length : 0x4c
+0x002 UseDefaultObject : 0x1 ''
+0x003 CaseInsensitive : 0x1 ''
+0x004 InvalidAttributes : 0x100
+0x008 GenericMapping : _GENERIC_MAPPING
+0x018 ValidAccessMask : 0x1f01ff
+0x01c SecurityRequired : 0 ''
+0x01d MaintainHandleCount : 0 ''
+0x01e MaintainTypeList : 0 ''
+0x020 PoolType : 0 ( NonPagedPool )
+0x024 DefaultPagedPoolCharge : 0
+0x028 DefaultNonPagedPoolCharge : 0xe8
+0x02c DumpProcedure : (null)
+0x030 OpenProcedure : (null)
+0x034 CloseProcedure : (null)
+0x038 DeleteProcedure : 0x805846a8 void nt!IopDeleteDevice+0
+0x03c ParseProcedure : 0x805837e8 long nt!IopParseDevice+0
+0x040 SecurityProcedure : 0x80584d4a long nt!IopGetSetSecurityObject+0
+0x044 QueryNameProcedure : (null)
+0x048 OkayToCloseProcedure : (null)
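As an added example (not the original post's tool or code), the following C program performs the comparison the post is working towards: it takes the procedure addresses recovered from ntkrnlpa.exe, relocates them to the loaded kernel, substitutes SeDefaultObjectMethod wherever the image has a NULL SecurityProcedure (mirroring what ObCreateObjectType does), and reports any live pointer that deviates. The two tables are transcribed from the output on this page; the delta 0x800D8000 and the SeDefaultObjectMethod address 0x805f9150 are taken from those numbers and are specific to this machine, and the "hooked" Process entry with address 0xF8A1C000 is constructed purely to show a detection.

```c
/*
 * Cross-check live _OBJECT_TYPE_INITIALIZER procedure pointers against the
 * values recovered from the on-disk kernel image. Two corrections are applied:
 *  1. image addresses are relocated by (loaded kernel base - image base); on
 *     this page every pair differs by the constant 0x800D8000;
 *  2. a NULL SecurityProcedure in the image means ObCreateObjectType installed
 *     SeDefaultObjectMethod, so NULL is compared against that symbol, not 0.
 * Tables are transcribed from the page; the hooked sample is constructed.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Slot order as in _OBJECT_TYPE_INITIALIZER on XP (+0x2c .. +0x48). */
enum { P_DUMP, P_OPEN, P_CLOSE, P_DELETE, P_PARSE, P_SECURITY, P_QUERYNAME, P_OKAYTOCLOSE, P_COUNT };

static const char *const proc_name[P_COUNT] = {
    "DumpProcedure", "OpenProcedure", "CloseProcedure", "DeleteProcedure",
    "ParseProcedure", "SecurityProcedure", "QueryNameProcedure", "OkayToCloseProcedure"
};

typedef struct {
    const char *type_name;
    uint32_t proc[P_COUNT];
} type_procs;

/* 0x805d2cdc - 0x004FACDC: loaded kernel base minus image base on this machine. */
#define KERNEL_DELTA             0x800D8000u
/* nt!SeDefaultObjectMethod as shown by lkd on this machine. */
#define SE_DEFAULT_OBJECT_METHOD 0x805f9150u

/* Addresses found in ntkrnlpa.exe (tool output on the page). */
static const type_procs file_types[] = {
    {"Process",   {0, 0, 0,          0x004FACDC, 0,          0,          0,          0}},
    {"Thread",    {0, 0, 0,          0x004FAE64, 0,          0,          0,          0}},
    {"KeyObject", {0, 0, 0x0056006E, 0x0055FF54, 0x00557F1C, 0x0055FDB8, 0x0055EDEE, 0}},
    {"File",      {0, 0, 0x004AC6E8, 0x004AC9C6, 0x004AC5D6, 0x004ACD4A, 0x004AB680, 0}},
    {"Driver",    {0, 0, 0,          0x004AC62E, 0,          0,          0,          0}},
    {"Device",    {0, 0, 0,          0x004AC6A8, 0x004AB7E8, 0x004ACD4A, 0,          0}},
};

/* Live values (lkd "dt _OBJECT_TYPE_INITIALIZER" output on the page). */
static const type_procs live_types[] = {
    {"Process",   {0, 0, 0,          0x805d2cdc, 0,          0x805f9150, 0,          0}},
    {"Thread",    {0, 0, 0,          0x805d2e64, 0,          0x805f9150, 0,          0}},
    {"KeyObject", {0, 0, 0x8063806e, 0x80637f54, 0x8062ff1c, 0x80637db8, 0x80636dee, 0}},
    {"File",      {0, 0, 0x805846e8, 0x805849c6, 0x805845d6, 0x80584d4a, 0x80583680, 0}},
    {"Driver",    {0, 0, 0,          0x8058462e, 0,          0x805f9150, 0,          0}},
    {"Device",    {0, 0, 0,          0x805846a8, 0x805837e8, 0x80584d4a, 0,          0}},
};
#define NTYPES (sizeof file_types / sizeof file_types[0])

/* Relocate an image address to the loaded kernel; NULL stays NULL. */
static uint32_t relocate(uint32_t image_va, uint32_t delta)
{
    return image_va ? image_va + delta : 0;
}

/* What the live slot should hold, given what the image says. */
static uint32_t expected_live(int slot, uint32_t image_va, uint32_t delta, uint32_t se_default)
{
    if (slot == P_SECURITY && image_va == 0)
        return se_default;      /* ObCreateObjectType substitutes SeDefaultObjectMethod */
    return relocate(image_va, delta);
}

/* Bitmask of slots whose live pointer differs from the expected value. */
static unsigned compare_type(const type_procs *img, const type_procs *live,
                             uint32_t delta, uint32_t se_default)
{
    unsigned mismatch = 0;
    for (int s = 0; s < P_COUNT; s++) {
        uint32_t want = expected_live(s, img->proc[s], delta, se_default);
        if (want != live->proc[s]) {
            mismatch |= 1u << s;
            printf("%s.%s: expected %08" PRIX32 ", live %08" PRIX32 "\n",
                   live->type_name, proc_name[s], want, live->proc[s]);
        }
    }
    return mismatch;
}

/* Number of types on the page whose live pointers deviate (0 = nothing hooked). */
int check_page_data(void)
{
    int bad = 0;
    for (size_t i = 0; i < NTYPES; i++)
        if (compare_type(&file_types[i], &live_types[i], KERNEL_DELTA, SE_DEFAULT_OBJECT_METHOD))
            bad++;
    return bad;
}

/* Constructed sample: Process.DeleteProcedure redirected to a made-up driver address. */
unsigned check_hooked_process(void)
{
    type_procs hooked = live_types[0];
    hooked.proc[P_DELETE] = 0xF8A1C000u;   /* fictitious hook target, not from the page */
    return compare_type(&file_types[0], &hooked, KERNEL_DELTA, SE_DEFAULT_OBJECT_METHOD);
}

int main(void)
{
    printf("types with mismatches: %d\n", check_page_data());
    printf("hooked-process mask: 0x%02X\n", check_hooked_process());
    return 0;
}
```

Without the SecurityProcedure substitution, Process, Thread and Driver would each be reported as hooked on a clean system; without the relocation, every non-NULL slot would. In a real checker the delta comes from the loaded kernel base (for example via ZwQuerySystemInformation's module list) minus the image's ImageBase, and the SeDefaultObjectMethod address from symbols, rather than being hard-coded as here.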