|
阅读:3615回复:4
自己写的 NtOpenProcess 总是打不开进程
代码全部是抄 WRK1.2 里面的,我只是把一些未导出的函数做了一下 jmp 处理,这个函数打不开进程, 总是在
ObOpenObjectByPointer 这步返回0xC0000024 ,STATUS_OBJECT_TYPE_MISMATCH 这个错误,我的代码如下: NTSTATUS MyNtOpenProcess ( __out PHANDLE ProcessHandle, __in ACCESS_MASK DesiredAccess, __in POBJECT_ATTRIBUTES ObjectAttributes, __in_opt PCLIENT_ID ClientId ) { HANDLE Handle; KPROCESSOR_MODE PreviousMode; NTSTATUS Status = 0; PEPROCESS Process; PETHREAD Thread; CLIENT_ID CapturedCid={0}; BOOLEAN ObjectNamePresent = 1; BOOLEAN ClientIdPresent = 1; ACCESS_STATE AccessState; AUX_ACCESS_DATA AuxData; ULONG Attributes = 1; UNICODE_STRING uniObXXX; //PreviousMode = KeGetPreviousMode(); if (KeGetCurrentIrql() > APC_LEVEL) { DbgPrint(("EX: Pageable code called at IRQL %d\n", KeGetCurrentIrql())); NT_ASSERT(FALSE); } // // Make sure that only one of either ClientId or ObjectName is // present. // PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { // // Since we need to look at the ObjectName field, probe // ObjectAttributes and capture object name present indicator. // try { ProbeForWriteHandle (ProcessHandle); ProbeForReadSmallStructure (ObjectAttributes,sizeof(OBJECT_ATTRIBUTES),sizeof(ULONG)); ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName); Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, UserMode); if (ARGUMENT_PRESENT (ClientId)) { ProbeForReadSmallStructure (ClientId, sizeof (CLIENT_ID), sizeof (ULONG)); CapturedCid = *ClientId; ClientIdPresent = TRUE; } else { ClientIdPresent = FALSE; } } except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } else { ObjectNamePresent = (BOOLEAN)ARGUMENT_PRESENT (ObjectAttributes->ObjectName); Attributes = ObSanitizeHandleAttributes (ObjectAttributes->Attributes, KernelMode); if (ARGUMENT_PRESENT (ClientId)) { CapturedCid = *ClientId; ClientIdPresent = TRUE; } else { ClientIdPresent = FALSE; } } if (ObjectNamePresent && ClientIdPresent) { return STATUS_INVALID_PARAMETER_MIX; } // // Create an AccessState here, because the caller may have // DebugPrivilege, which requires us to make special adjustments // to his desired access mask. We do this by modifying the // internal fields in the AccessState to achieve the effect // we desire. // Status = MySeCreateAccessState(&AccessState,&AuxData,DesiredAccess,(&PsProcessType+0x68));//&PsProcessType->TypeInfo.GenericMapping if ( !NT_SUCCESS(Status) ) { return Status; } // // Check here to see if the caller has SeDebugPrivilege. If // he does, we will allow him any access he wants to the process. // We do this by clearing the DesiredAccess in the AccessState // and recording what we want him to have in the PreviouslyGrantedAccess // field. // // Note that this routine performs auditing as appropriate. // memcpy( &SeDebugPrivilege , g_pSeDebugPrivilege , 8 ); if (SeSinglePrivilegeCheck( SeDebugPrivilege , PreviousMode )) //SeDebugPrivilege { if ( AccessState.RemainingDesiredAccess & MAXIMUM_ALLOWED ) { AccessState.PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS; } else { AccessState.PreviouslyGrantedAccess |= ( AccessState.RemainingDesiredAccess ); } AccessState.RemainingDesiredAccess = 0; } if (ObjectNamePresent) { // // Open handle to the process object with the specified desired access, // set process handle value, and return service completion status. // //● RtlInitUnicodeString( &uniObXXX, L"ObOpenObjectByName"); MyObOpenObjectByName = (SYS_ObOpenObjectByName)MmGetSystemRoutineAddress(&uniObXXX); Status = MyObOpenObjectByName(ObjectAttributes,PsProcessType,PreviousMode,&AccessState,0,NULL,&Handle); MySeDeleteAccessState( &AccessState ); if ( NT_SUCCESS(Status) ) { try { *ProcessHandle = Handle; } except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode (); } } return Status; } if ( ClientIdPresent ) { Thread = NULL; if (CapturedCid.UniqueThread) { Status = MyPsLookupProcessThreadByCid(&CapturedCid,&Process,&Thread); if (!NT_SUCCESS(Status)) { MySeDeleteAccessState( &AccessState ); return Status; } } else { Status = PsLookupProcessByProcessId(CapturedCid.UniqueProcess,&Process); if ( !NT_SUCCESS(Status) ) { MySeDeleteAccessState( &AccessState ); return Status; } } // // OpenObjectByAddress // Status = ObOpenObjectByPointer( Process, Attributes, &AccessState, 0, PsProcessType, KernelMode,//PreviousMode, &Handle );//#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024L) MySeDeleteAccessState( &AccessState ); if (Thread) { ObDereferenceObject(Thread); } ObDereferenceObject(Process); if (NT_SUCCESS (Status)) { try { *ProcessHandle = Handle; } except (EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode (); } } return Status; } return STATUS_INVALID_PARAMETER_MIX; } |
|
|
沙发#
发布于:2008-07-07 11:28
抄代码是不行的 打好基础再学别人玩内核吧
|
|
|
|
板凳#
发布于:2008-07-07 14:02
把ObOpenObjectByPointer里面的东西全自己实现一遍,抄的地方不对.
|
|
|
|
地板#
发布于:2008-07-07 14:16
引用第1楼WQXNETQIQI于2008-07-07 11:28发表的 : 抄代码不行,那应该怎么弄? 大牛指点一下~ |
|
|
地下室#
发布于:2008-07-07 14:20
引用第2楼wowocock于2008-07-07 14:02发表的 : 我这个只是没有装任何安全软件和 rootkit 的内核下做的一个测试而已哦。。。 ObOpenObjectByPointer 肯定是微软原来的那个 ObOpenObjectByPointer , 就这样也需要自己实现么? 抄的地方不对?那应该从什么地方抄起? |
|