Views: 992  Replies: 3
Two questions: one about drivers and one about hooks
File filter driver question:
In a file filter driver, is it possible to obtain the handle of a file object? Note: I mean the HANDLE, not the OBJECT! If not, is there some way to do it? For example, if I hook the ZwCreateFile function to get the file handle, and then..., so that the file filter driver can know which handle the current I/O operation is for. (Handle --> object should be managed inside the object manager.)

Hook question:
Are the function addresses in the HOOK SERVICE TABLE obtained from ntoskrnl.exe, or are they hard-coded?
Reply #1
Posted on: 2005-04-23 06:06
ObOpenObjectByPointer
Reply #2
Posted on: 2005-04-23 08:58
You can use ObReferenceObjectByHandle.

ObReferenceObjectByHandle provides access validation on the object handle, and, if access can be granted, returns the corresponding pointer to the object's body.

    NTSTATUS ObReferenceObjectByHandle(
        IN HANDLE Handle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_TYPE ObjectType OPTIONAL,
        IN KPROCESSOR_MODE AccessMode,
        OUT PVOID *Object,
        OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL
    );

Parameters

Handle - Specifies an open handle for an object.

DesiredAccess - Specifies the requested types of access to the object. The interpretation of this field is dependent on the object type.

ObjectType - Points to the object type, which can be either of IoFileObjectType or ExEventObjectType. This parameter can be NULL if AccessMode is KernelMode.

AccessMode - Specifies the access mode to use for the access check. It must be either UserMode or KernelMode. Lower-level drivers should specify KernelMode.

Object - Points to a variable that receives a pointer to the object's body.

HandleInformation - Points to a structure that receives the handle attributes and the granted access rights for the object.
Reply #3
Posted on: 2005-04-25 09:48
Everyone may have misunderstood what I meant.
I want to obtain the handle from the object! The handle is the user-mode handle, such as the file handle returned by CreateFile!
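The two directions discussed in this thread, handle to object as done by ObReferenceObjectByHandle (Reply #2) and the object to user-mode handle lookup asked for in Reply #3, as an added example that is not code from the original thread nor from the WDK: a small user-mode C model of a per-process handle table. Every name with a toy_ or TOY_ prefix, the access-mask bits and the status codes are invented for this model and do not match the real handle table layout, ACCESS_MASK values or NTSTATUS codes. The model reproduces the checks ObReferenceObjectByHandle performs (handle validity, optional object type, desired access against the access granted at open time, reference counting) and shows why the reverse lookup yields a set of handles scoped to one process rather than a single HANDLE.

```c
/* Toy model of the object manager's per-process handle table (added
 * example, not WDK code). Names prefixed toy_/TOY_ are invented. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

#define TOY_HANDLE_TABLE_SIZE 16
#define TOY_STATUS_SUCCESS 0
#define TOY_STATUS_INVALID_HANDLE 1
#define TOY_STATUS_OBJECT_TYPE_MISMATCH 2
#define TOY_STATUS_ACCESS_DENIED 3

/* Access bits in the style of ACCESS_MASK (constructed values). */
#define TOY_FILE_READ_DATA  0x1u
#define TOY_FILE_WRITE_DATA 0x2u

enum toy_object_type { TOY_TYPE_FILE = 1, TOY_TYPE_EVENT = 2 };

/* Object body plus the header fields the model needs. */
typedef struct toy_object {
    enum toy_object_type type;
    long ref_count;      /* pointer references held on the object */
    long handle_count;   /* open handles, across all processes */
    const char *name;
} toy_object_t;

/* One handle table entry: object pointer and the access granted at open. */
typedef struct toy_handle_entry {
    toy_object_t *object;   /* NULL means the slot is free */
    uint32_t granted_access;
} toy_handle_entry_t;

/* Per-process table; handle values are multiples of 4, never 0. */
typedef struct toy_process {
    toy_handle_entry_t table[TOY_HANDLE_TABLE_SIZE];
} toy_process_t;

typedef uintptr_t toy_handle_t;

static size_t toy_index_of(toy_handle_t h) { return (size_t)(h / 4) - 1; }
static toy_handle_t toy_handle_of(size_t idx) { return (toy_handle_t)((idx + 1) * 4); }

/* Open path of a create call: record the object in this process's table
 * and return a fresh handle value (0 if the table is full). */
toy_handle_t toy_open_handle(toy_process_t *p, toy_object_t *obj, uint32_t access)
{
    for (size_t i = 0; i < TOY_HANDLE_TABLE_SIZE; i++) {
        if (p->table[i].object == NULL) {
            p->table[i].object = obj;
            p->table[i].granted_access = access;
            obj->handle_count++;
            obj->ref_count++;   /* each handle holds one reference */
            return toy_handle_of(i);
        }
    }
    return 0;
}

/* Model of ObReferenceObjectByHandle: validate the handle, check the
 * object type (skipped when type == 0, like a NULL ObjectType from
 * KernelMode), require that every requested access bit was granted,
 * then take a reference and return the object body. */
int toy_reference_object_by_handle(toy_process_t *p, toy_handle_t h,
                                   uint32_t desired_access,
                                   enum toy_object_type type,
                                   toy_object_t **out)
{
    *out = NULL;
    if (h == 0 || h % 4 != 0 || toy_index_of(h) >= TOY_HANDLE_TABLE_SIZE)
        return TOY_STATUS_INVALID_HANDLE;
    toy_handle_entry_t *e = &p->table[toy_index_of(h)];
    if (e->object == NULL)
        return TOY_STATUS_INVALID_HANDLE;
    if (type != 0 && e->object->type != type)
        return TOY_STATUS_OBJECT_TYPE_MISMATCH;
    if ((desired_access & ~e->granted_access) != 0)
        return TOY_STATUS_ACCESS_DENIED;
    e->object->ref_count++;      /* caller must dereference later */
    *out = e->object;
    return TOY_STATUS_SUCCESS;
}

void toy_dereference_object(toy_object_t *obj) { obj->ref_count--; }

/* The reverse direction asked for in the thread: every handle in ONE
 * process's table that refers to obj. The result is a set (possibly
 * empty, possibly several entries), which is why there is no single
 * "the handle" for a file object. */
size_t toy_handles_for_object(const toy_process_t *p, const toy_object_t *obj,
                              toy_handle_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < TOY_HANDLE_TABLE_SIZE && n < max; i++)
        if (p->table[i].object == obj)
            out[n++] = toy_handle_of(i);
    return n;
}

int main(void)
{
    /* Constructed sample: one file object opened twice by one process. */
    toy_object_t file = { TOY_TYPE_FILE, 0, 0, "\\Device\\HarddiskVolume1\\test.txt" };
    toy_process_t proc = {{{0}}};
    toy_handle_t h1 = toy_open_handle(&proc, &file, TOY_FILE_READ_DATA);
    toy_handle_t h2 = toy_open_handle(&proc, &file, TOY_FILE_READ_DATA | TOY_FILE_WRITE_DATA);
    toy_object_t *obj = NULL;
    int st = toy_reference_object_by_handle(&proc, h1, TOY_FILE_WRITE_DATA, TOY_TYPE_FILE, &obj);
    printf("write via read-only handle %#lx -> status %d\n", (unsigned long)h1, st);
    toy_handle_t hs[4];
    size_t n = toy_handles_for_object(&proc, &file, hs, 4);
    printf("%s is behind %zu handles in this process (h1=%#lx, h2=%#lx)\n",
           file.name, n, (unsigned long)h1, (unsigned long)h2);
    return 0;
}
```

The practical consequence for a filter driver is the one the thread circles around: the FILE_OBJECT reached through an IRP may be behind several handles in several processes, so per-file state is keyed on the file object pointer (or on the stream it refers to), not on a user-mode HANDLE.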