論win如何通過回調來進行進程監控



線程進程模塊回調
1.模塊監視  LoadLibraryA NtLoadDriver
2.進程監視  進程創建,進程銷毀
3.線程監視  線程創建,線程銷毀
#include <ntifs.h>

/*
 * Partial, locally declared view of the loader entry that
 * DRIVER_OBJECT.DriverSection points at; only the leading members are listed.
 * The byte offsets in the trailing comments are those of a 32-bit build
 * (LIST_ENTRY = 8 bytes, pointers = 4 bytes); on x64 every member after
 * InLoadOrderLinks sits at a different offset, so the layout must be
 * re-checked before this is used there.
 * DriverEntry below writes to Flags; nothing else in this listing reads the
 * struct.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
    struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
    struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x8
    struct _LIST_ENTRY InInitializationOrderLinks;                          //0x10
    VOID* DllBase;                                                          //0x18
    VOID* EntryPoint;                                                       //0x1c
    ULONG SizeOfImage;                                                      //0x20
    struct _UNICODE_STRING FullDllName;                                     //0x24
    struct _UNICODE_STRING BaseDllName;                                     //0x2c
    ULONG Flags;                                                            //0x34  written by DriverEntry (|= 0x20)

}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;

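/*
 * PsSetCreateProcessNotifyRoutineEx callback: logs process creation and exit.
 *
 * Process    - the process being created or destroyed (not used here).
 * ProcessId  - its PID.
 * CreateInfo - non-NULL on creation (carries the image name and the creation
 *              status), NULL on exit; that is how the two cases are told apart.
 *
 * A HANDLE is pointer-sized, so it is narrowed with HandleToULong() and printed
 * with %u instead of handing a HANDLE to %d (the original format mismatch).
 */
VOID createProcessCallbackEx (
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _Inout_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
    )
{
    UNREFERENCED_PARAMETER(Process);

    ULONG pid = HandleToULong(ProcessId);

    if (CreateInfo)
    {
        /* 77 is the DPFLTR_IHVDRIVER_ID component id used throughout this file. */
        DbgPrintEx(77, 0, "[db]: 創(chuàng)建了 ProcessId = %u ,%wZ, CreationStatus = %x\r\n",
                   pid, CreateInfo->ImageFileName, CreateInfo->CreationStatus);
    }
    else
    {
        DbgPrintEx(77, 0, "[db]: 銷毀了 ProcessId = %u\r\n ", pid);
    }
}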

//隱藏驅(qū)動(dòng)會(huì)PG 要加跳板
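/*
 * PsSetCreateProcessNotifyRoutine callback: logs creation and exit of every
 * process together with the parent's PID.
 *
 * ParentId  - PID of the creating (parent) process.
 * ProcessId - PID of the process being created or destroyed.
 * Create    - TRUE on creation, FALSE on exit.
 *
 * HANDLEs are pointer-sized; they are narrowed with HandleToULong() and printed
 * with %u rather than handing a HANDLE to %d (the original format mismatch).
 */
VOID createProcessCallback(
    _In_ HANDLE ParentId,
    _In_ HANDLE ProcessId,
    _In_ BOOLEAN Create
    )
{
    ULONG parent = HandleToULong(ParentId);
    ULONG pid = HandleToULong(ProcessId);

    if (Create)
    {
        DbgPrintEx(77, 0, "[db]:parentid = %u 創(chuàng)建了 ProcessId = %u \r\n", parent, pid);
    }
    else
    {
        DbgPrintEx(77, 0, "[db]:parentid = %u 銷毀了 ProcessId = %u\r\n", parent, pid);
    }
}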

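/*
 * PsSetCreateThreadNotifyRoutine callback: logs thread creation and exit.
 *
 * ProcessId - PID of the process that owns the thread.
 * ThreadId  - TID of the thread being created or destroyed.
 * Create    - TRUE on creation, FALSE on exit.
 *
 * HANDLEs are pointer-sized; they are narrowed with HandleToULong() and printed
 * with %u rather than handing a HANDLE to %d (the original format mismatch).
 */
VOID CreateThreadCallback(
    _In_ HANDLE ProcessId,
    _In_ HANDLE ThreadId,
    _In_ BOOLEAN Create
    )
{
    ULONG pid = HandleToULong(ProcessId);
    ULONG tid = HandleToULong(ThreadId);

    if (Create)
    {
        DbgPrintEx(77, 0, "[db]:ProcessId = %u 創(chuàng)建了 ThreadId = %u \r\n", pid, tid);
    }
    else
    {
        DbgPrintEx(77, 0, "[db]:ProcessId = %u 銷毀了 ThreadId = %u \r\n", pid, tid);
    }
}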

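/*
 * PsSetLoadImageNotifyRoutine callback: logs every image mapped into a
 * process, distinguishing kernel-mode images from user-mode ones via
 * ImageInfo->SystemModeImage.
 *
 * FullImageName - path of the image. It is annotated _In_opt_, so it may be
 *                 NULL; an empty string is substituted before %wZ sees it
 *                 (the original passed the pointer through unchecked).
 * ProcessId     - PID of the process the image is mapped into; narrowed with
 *                 HandleToULong() and printed with %u instead of %d.
 * ImageInfo     - image details; only SystemModeImage is consulted.
 */
VOID LoadImageCallback(
    _In_opt_ PUNICODE_STRING FullImageName,
    _In_ HANDLE ProcessId,
    _In_ PIMAGE_INFO ImageInfo
)
{
    UNICODE_STRING empty = RTL_CONSTANT_STRING(L"");
    PUNICODE_STRING name = (FullImageName != NULL) ? FullImageName : &empty;
    ULONG pid = HandleToULong(ProcessId);

    if (ImageInfo->SystemModeImage)
    {
        DbgPrintEx(77, 0, "[db]:加載驅(qū)動(dòng) FullImageName = %wZ,ProcessId = %u\r\n", name, pid);
    }
    else
    {
        DbgPrintEx(77, 0, "[db]:dll路徑 FullImageName = %wZ,ProcessId = %u\r\n", name, pid);
    }
}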

/*
 * Unload routine: removes the load-image notification that DriverEntry
 * registers. The process/thread callbacks are never registered by this
 * listing's DriverEntry (those calls are commented out there), so there is
 * nothing else to undo.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);

    PsRemoveLoadImageNotifyRoutine(LoadImageCallback);
}

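/*
 * DriverEntry: registers LoadImageCallback with PsSetLoadImageNotifyRoutine
 * and installs DriverUnload.
 *
 * pDriver - this driver's object; DriverSection is also poked (see below).
 * pReg    - registry path, unused.
 *
 * Returns STATUS_SUCCESS, or the failure status from
 * PsSetLoadImageNotifyRoutine. The original returned STATUS_SUCCESS
 * unconditionally, so on a failed registration the driver stayed loaded and
 * DriverUnload later tried to remove a routine that was never registered.
 *
 * The process/thread notifications listed in the original comments are not
 * registered here; only the load-image one is.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);

    /* Kept from the original: sets bit 0x20 in this driver's own loader entry
     * through the locally declared (32-bit) _LDR_DATA_TABLE_ENTRY layout. The
     * listing does not say why it is needed — NOTE(review): confirm before
     * keeping it. A NULL DriverSection is now tolerated instead of faulting. */
    PLDR_DATA_TABLE_ENTRY ex = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    if (ex != NULL)
    {
        ex->Flags |= 0x20;
    }

    NTSTATUS st = PsSetLoadImageNotifyRoutine(LoadImageCallback);
    DbgPrintEx(77, 0, "[db]:st = %x\r\n", st);
    if (!NT_SUCCESS(st))
    {
        /* Fail the load so no unload routine runs against a missing registration. */
        return st;
    }

    pDriver->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}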

如何阻止回調

對象句柄回調
kd> dd PsProcessType
83f7302c  85cdc040 85c3b488 85cdceb0 85cdcde8
83f7303c  85cdcab0 83f3e640 8abf60f8 00010000
83f7304c  00000cd8 00000258 00000000 00000001
83f7305c  00000001 0000004b 00000001 00989680
83f7306c  00000000 00000029 00000002 c0ffffff
83f7307c  c0607ff8 00000000 00000000 c0403080
83f7308c  00000000 00000100 00000500 00000000
83f7309c  00000001 00000000 00000001 00040107
kd> dt _OBJECT_TYPE 85cdc040
ntdll!_OBJECT_TYPE
   +0x000 *** WARNING: Unable to verify timestamp for ntkrnlpa.exe
TypeList         : _LIST_ENTRY [ 0x85cdc040 - 0x85cdc040 ]
   +0x008 Name             : _UNICODE_STRING "Process"
   +0x010 DefaultObject    : (null)
   +0x014 Index            : 0x7 ''
   +0x018 TotalNumberOfObjects : 0x2c
   +0x01c TotalNumberOfHandles : 0x144
   +0x020 HighWaterNumberOfObjects : 0x2f
   +0x024 HighWaterNumberOfHandles : 0x149
   +0x028 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x078 TypeLock         : _EX_PUSH_LOCK
   +0x07c Key              : 0x636f7250
   +0x080 CallbackList     : _LIST_ENTRY [ 0x85cdc0c0 - 0x85cdc0c0 ]
kd> dt _OBJECT_TYPE_INITIALIZER 85cdc040+0x28
ntdll!_OBJECT_TYPE_INITIALIZER
   +0x000 Length           : 0x50
   +0x002 ObjectTypeFlags  : 0x4a 'J'
   +0x002 CaseInsensitive  : 0y0
   +0x002 UnnamedObjectsOnly : 0y1
   +0x002 UseDefaultObject : 0y0
   +0x002 SecurityRequired : 0y1
   +0x002 MaintainHandleCount : 0y0
   +0x002 MaintainTypeList : 0y0
   +0x002 SupportsObjectCallbacks : 0y1
   +0x004 ObjectTypeCode   : 0
   +0x008 InvalidAttributes : 0xb0
   +0x00c GenericMapping   : _GENERIC_MAPPING
   +0x01c ValidAccessMask  : 0x1fffff
   +0x020 RetainAccess     : 0x101000
   +0x024 PoolType         : 0 ( NonPagedPool )
   +0x028 DefaultPagedPoolCharge : 0x1000
   +0x02c DefaultNonPagedPoolCharge : 0x2f0
   +0x030 DumpProcedure    : (null)
   +0x034 OpenProcedure    : 0x8401accb     long  nt!PspProcessOpen+0
   +0x038 CloseProcedure   : 0x8407ad2e     void  nt!PspProcessClose+0
   +0x03c DeleteProcedure  : 0x8407d5f5     void  nt!PspProcessDelete+0
   +0x040 ParseProcedure   : (null)
   +0x044 SecurityProcedure : 0x8406f5b6     long  nt!SeDefaultObjectMethod+0
   +0x048 QueryNameProcedure : (null)
   +0x04c OkayToCloseProcedure : (null)
監視句柄回調
#include <ntifs.h>

/*
 * Partial, locally declared view of the loader entry that
 * DRIVER_OBJECT.DriverSection points at; only the leading members are listed.
 * The byte offsets in the trailing comments are those of a 32-bit build
 * (LIST_ENTRY = 8 bytes, pointers = 4 bytes); on x64 every member after
 * InLoadOrderLinks sits at a different offset, so the layout must be
 * re-checked before this is used there.
 * DriverEntry below writes to Flags; nothing else in this listing reads the
 * struct.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
    struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
    struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x8
    struct _LIST_ENTRY InInitializationOrderLinks;                          //0x10
    VOID* DllBase;                                                          //0x18
    VOID* EntryPoint;                                                       //0x1c
    ULONG SizeOfImage;                                                      //0x20
    struct _UNICODE_STRING FullDllName;                                     //0x24
    struct _UNICODE_STRING BaseDllName;                                     //0x2c
    ULONG Flags;                                                            //0x34  written by DriverEntry (|= 0x20)

}LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/* PsGetProcessImageFileName is exported by the kernel but has no prototype in
 * the public headers, hence the local declaration. ProcessPreCallback passes
 * the returned buffer to strstr() and %s; whether it is always NUL-terminated
 * is not established in this listing — NOTE(review): confirm. */
EXTERN_C PUCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

/* Handle returned by ObRegisterCallbacks in DriverEntry; stays NULL if the
 * registration fails, and is the only thing DriverUnload needs to undo it. */
PVOID RegistrationHandle = NULL;

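/*
 * Pre-operation callback registered (in DriverEntry) on the Process object
 * type for OB_OPERATION_HANDLE_CREATE and OB_OPERATION_HANDLE_DUPLICATE.
 *
 * When the target process's image name contains "1.exe", the requested access
 * mask is cleared so the resulting handle carries no rights. The match is a
 * substring match ("11.exe" also matches) and the requester is only logged,
 * never checked, so any user-mode caller — the target included — is stripped.
 *
 * RegistrationContext  - the value given in OB_CALLBACK_REGISTRATION; treated
 *                        as an opaque PVOID and printed with %p (the original
 *                        printed it with %d).
 * OperationInformation - the handle operation; only DesiredAccess of the
 *                        matching Parameters member is written.
 *
 * Requests made through kernel handles are passed through untouched.
 * NOTE(review): that check is new relative to the original; confirm it is the
 * intended policy.
 *
 * Returns OB_PREOP_SUCCESS in all cases.
 */
OB_PREOP_CALLBACK_STATUS ProcessPreCallback(
    _In_ PVOID RegistrationContext,
    _Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
    if (OperationInformation->KernelHandle)
    {
        return OB_PREOP_SUCCESS;
    }

    PEPROCESS CurProcess = IoGetCurrentProcess();
    PEPROCESS TargetProcess = (PEPROCESS)OperationInformation->Object;

    PUCHAR CurName = PsGetProcessImageFileName(CurProcess);
    PUCHAR TargetName = PsGetProcessImageFileName(TargetProcess);

    /* PsGetProcessImageFileName yields PUCHAR; strstr wants const char *. */
    BOOLEAN isTarget = strstr((const char *)TargetName, "1.exe") != NULL;
    if (!isTarget)
    {
        return OB_PREOP_SUCCESS;
    }

    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
        DbgPrintEx(77, 0, "[db]:Open : curName = %s,TargetName = %s,Context = %p \r\n", CurName, TargetName, RegistrationContext);
    }
    else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
    {
        OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
        DbgPrintEx(77, 0, "[db]:Dump : curName = %s,TargetName = %s,Context = %p \r\n", CurName, TargetName, RegistrationContext);
    }

    return OB_PREOP_SUCCESS;
}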

/*
 * Post-operation callback: registered alongside ProcessPreCallback but takes
 * no action. (An earlier logging sketch here was disabled; it tested
 * Operation with `=` where `==` was meant, so it should not be revived as it
 * was.)
 */
VOID ProcessPostCallback(
    _In_ PVOID RegistrationContext,
    _In_ POB_POST_OPERATION_INFORMATION OperationInformation
)
{
    UNREFERENCED_PARAMETER(RegistrationContext);
    UNREFERENCED_PARAMETER(OperationInformation);
}

/*
 * Unload routine: releases the ObRegisterCallbacks registration made in
 * DriverEntry. RegistrationHandle is left NULL when that registration failed,
 * in which case there is nothing to unregister.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);

    if (RegistrationHandle == NULL)
    {
        return;
    }
    ObUnRegisterCallbacks(RegistrationHandle);
}

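/*
 * DriverEntry: registers ProcessPreCallback / ProcessPostCallback on the
 * Process object type for handle-create and handle-duplicate operations.
 *
 * pDriver - this driver's object; DriverSection is also poked (see below).
 * pReg    - registry path, unused.
 *
 * Returns STATUS_SUCCESS, or the failure status from ObRegisterCallbacks. The
 * original returned STATUS_SUCCESS regardless (its `if (NT_SUCCESS(st)) {}`
 * was empty), leaving a loaded driver with no callback installed.
 *
 * ObjectType is PsProcessType itself: the field is a POBJECT_TYPE*, and the
 * original's `*PsProcessType` handed it a POBJECT_TYPE instead.
 *
 * Both registration structures live on the stack; ObRegisterCallbacks copies
 * what it needs and only RegistrationHandle is kept for unload.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);

    /* Which operations on which object type go to which routines:
     * HANDLE_CREATE covers OpenProcess-style opens, HANDLE_DUPLICATE covers
     * DuplicateHandle. */
    OB_OPERATION_REGISTRATION obCallbackInfo = { 0 };
    obCallbackInfo.ObjectType = PsProcessType;
    obCallbackInfo.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    obCallbackInfo.PreOperation = ProcessPreCallback;
    obCallbackInfo.PostOperation = ProcessPostCallback;

    OB_CALLBACK_REGISTRATION obRegInfo = { 0 };
    obRegInfo.Version = ObGetFilterVersion();
    obRegInfo.OperationRegistrationCount = 1;
    obRegInfo.RegistrationContext = (PVOID)123456;   /* arbitrary value handed back to the callbacks */
    /* NOTE(review): the altitude decides ordering relative to other registered
     * filters; "12345" is a placeholder value from the original. */
    RtlInitUnicodeString(&obRegInfo.Altitude, L"12345");
    obRegInfo.OperationRegistration = &obCallbackInfo;

    /* Kept from the original: sets bit 0x20 in this driver's own loader entry
     * through the locally declared (32-bit) _LDR_DATA_TABLE_ENTRY layout. The
     * listing does not say why it is needed — NOTE(review): confirm before
     * keeping it. A NULL DriverSection is now tolerated instead of faulting. */
    PLDR_DATA_TABLE_ENTRY ex = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    if (ex != NULL)
    {
        ex->Flags |= 0x20;
    }

    NTSTATUS st = ObRegisterCallbacks(&obRegInfo, &RegistrationHandle);
    if (!NT_SUCCESS(st))
    {
        DbgPrintEx(77, 0, "[db]:ObRegisterCallbacks failed, st = %x\r\n", st);
        return st;
    }

    pDriver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}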
多進程保護,給pid保護
AddProtectProcess
#include <ntifs.h>
#include"AddProtectProcess.h"

#define _DRIVER_NAME L"\\Driver\\Null"
#define _DRIVER_COMP_NAME L"Null.sys"
#define _DEVICE_NAME L"\\Device\\Null"
#define _SYM_NAME L"\\??\\NUL"  //..\\\\.\\xxxxxx...\\dosDevices\\ \\??\\

#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)


/*
 * Partial, locally declared view of the loader entry that
 * DRIVER_OBJECT.DriverSection points at; only the leading members are listed.
 * The byte offsets in the trailing comments are those of a 32-bit build
 * (LIST_ENTRY = 8 bytes, pointers = 4 bytes); on x64 every member after
 * InLoadOrderLinks sits at a different offset.
 * Note that DriverEntry in this listing casts the same DriverSection pointer
 * both to this type (to write Flags) and to _KLDR_DATA_TABLE_ENTRY below (to
 * walk the list); the two layouts must describe the same object.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
    struct _LIST_ENTRY InLoadOrderLinks;                                    //0x0
    struct _LIST_ENTRY InMemoryOrderLinks;                                  //0x8
    struct _LIST_ENTRY InInitializationOrderLinks;                          //0x10
    VOID* DllBase;                                                          //0x18
    VOID* EntryPoint;                                                       //0x1c
    ULONG SizeOfImage;                                                      //0x20
    struct _UNICODE_STRING FullDllName;                                     //0x24
    struct _UNICODE_STRING BaseDllName;                                     //0x2c
    ULONG Flags;                                                            //0x34  written by DriverEntry (|= 0x20)

}LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

/*
 * Request block exchanged with the user-mode client through the TEST IOCTL
 * (METHOD_BUFFERED, so it arrives in Irp->AssociatedIrp.SystemBuffer).
 * Every member is ULONG64, so the layout is the same for 32- and 64-bit
 * callers. Dispatch() reads only `code` and `in` (code 1 = protect the PID in
 * `in`); the other members are carried but not used by the driver.
 * The tag `__CMD` starts with a double underscore, which C reserves for the
 * implementation; renaming it would have to be mirrored in the client.
 */
typedef struct __CMD
{
    ULONG64 code;    // command selector; Dispatch() switches on it (1 = protect PID)
    ULONG64 in;      // input value; the PID for code 1
    ULONG64 inLen;   // input length as filled in by the client; not read by the driver
    ULONG64 out;     // output slot; not written by the driver in this listing
    ULONG64 outLen;  // output length; not written by the driver in this listing
}CMD, *PCMD;


/* Driver object whose IRP_MJ_DEVICE_CONTROL entry is hooked: referenced by
 * name in DriverEntry, dereferenced again in DriverUnload. */
PDRIVER_OBJECT LookForDriver = NULL;
/* The dispatch pointer that sat in that slot before Dispatch() replaced it;
 * DriverUnload restores it. */
static PDRIVER_DISPATCH OriginalDeviceControl = NULL;

/*
 * Locally declared layout of the kernel loader entry that DriverEntry walks
 * (it casts pDriver->DriverSection to this type and follows
 * InLoadOrderLinks). Every pointer-sized member is declared as ULONG, so the
 * layout only lines up on a 32-bit kernel; on x64 the offsets are wrong —
 * confirm the target before using it there.
 * The misspelt members (D1lBase, FullDIIName) are referenced by name in
 * DriverEntry, so they are kept as-is.
 */
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY exp;
    ULONG UN;
    ULONG NonPagedDebugInfo;
    ULONG D1lBase;            // image base (32-bit pointer as ULONG)
    ULONG EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDIIName;   // printed by DriverEntry
    UNICODE_STRING BaseDllName;   // compared by DriverEntry
    ULONG Flags;
    USHORT LoadCount;
    USHORT Undefined5;
    ULONG Undefined6;
    ULONG CheckSum;
    ULONG TimeDateStamp;
}KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY;

/*
 * ObReferenceObjectByName is exported by the kernel but has no public
 * prototype, hence the local declaration. On success *Object receives a
 * referenced object that the caller must release with ObDereferenceObject
 * (DriverUnload does this for LookForDriver). Attributes takes OBJ_* flags,
 * not an access mask.
 */
NTKERNELAPI NTSTATUS ObReferenceObjectByName(
    __in PUNICODE_STRING ObjectName,
    __in ULONG Attributes,
    __in_opt PACCESS_STATE AccessState,
    __in_opt ACCESS_MASK DesiredAccess,
    __in POBJECT_TYPE ObjectType,
    __in KPROCESSOR_MODE AccessMode,
    __inout_opt PVOID ParseContext,
    __out PVOID *Object
);

/* Object type of driver objects; *IoDriverObjectType is passed as the
 * ObjectType argument when DriverEntry looks up the target driver by name. */
extern POBJECT_TYPE  *IoDriverObjectType;
/* Exported by the kernel without a public prototype; used by
 * ProcessPreCallback for logging only. */
EXTERN_C PUCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

/* Single ObRegisterCallbacks handle written by MakeCallBack and released by
 * DriverUnload; only one registration can be tracked at a time. */
PVOID RegistrationHandle = NULL;

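/*
 * Pre-operation callback on the Process object type (registered by
 * MakeCallBack): for handle-create and handle-duplicate requests whose target
 * is the protected process, the requested access mask is cleared so the
 * resulting handle carries no rights.
 *
 * RegistrationContext  - the protected PID, which MakeCallBack stores as an
 *                        integer inside the PVOID; decoded here the same way.
 *                        The original compared a ULONG64 with a PVOID directly,
 *                        which is not a valid C comparison.
 * OperationInformation - the handle operation; only DesiredAccess of the
 *                        matching Parameters member is written.
 *
 * The requester (CurName) is logged but not checked, so the protected process
 * would be stripped on handles to itself as well. Requests made through
 * kernel handles are passed through untouched — NOTE(review): that check is
 * new relative to the original; confirm it is the intended policy.
 *
 * Returns OB_PREOP_SUCCESS in all cases.
 */
OB_PREOP_CALLBACK_STATUS ProcessPreCallback(
    _In_ PVOID RegistrationContext,
    _Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
    if (OperationInformation->KernelHandle)
    {
        return OB_PREOP_SUCCESS;
    }

    PEPROCESS CurProcess = IoGetCurrentProcess();
    PEPROCESS TargetProcess = (PEPROCESS)OperationInformation->Object;

    PUCHAR CurName = PsGetProcessImageFileName(CurProcess);
    PUCHAR TargetName = PsGetProcessImageFileName(TargetProcess);

    /* PsGetProcessId returns a HANDLE; narrow it rather than assigning the
     * pointer to an integer as the original did. */
    ULONG ProtectedPid = (ULONG)(ULONG_PTR)RegistrationContext;
    ULONG TargetPid = HandleToULong(PsGetProcessId(TargetProcess));

    if (TargetPid != ProtectedPid)
    {
        return OB_PREOP_SUCCESS;
    }

    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
        DbgPrintEx(77, 0, "[db]:Open : curName = %s,TargetName = %s,Context = %u \r\n", CurName, TargetName, ProtectedPid);
    }
    else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
    {
        OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
        DbgPrintEx(77, 0, "[db]:Dump : curName = %s,TargetName = %s,Context = %u \r\n", CurName, TargetName, ProtectedPid);
    }

    return OB_PREOP_SUCCESS;
}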

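/*
 * Register ProcessPreCallback on the Process object type so that handle
 * create/duplicate requests aimed at process `Pid` have their access mask
 * cleared. The PID travels to the callback as RegistrationContext.
 *
 * Only one registration handle (RegistrationHandle) is tracked, so a second
 * call replaces the earlier registration: the previous one is unregistered
 * first, otherwise it would be orphaned and could never be removed at unload.
 *
 * Other fixes against the original: the function fell off the end without a
 * return value on the success path; ObjectType was given `*PsProcessType`
 * where the field (a POBJECT_TYPE*) expects PsProcessType itself; and the
 * failure path called DbgBreakPoint(), which bugchecks when no kernel debugger
 * is attached — it now logs the status instead.
 *
 * Returns STATUS_SUCCESS or the status from ObRegisterCallbacks.
 */
NTSTATUS MakeCallBack(ULONG Pid){
    if (RegistrationHandle != NULL)
    {
        ObUnRegisterCallbacks(RegistrationHandle);
        RegistrationHandle = NULL;
    }

    /* Which operations on which object type go to which routine. */
    OB_OPERATION_REGISTRATION obCallbackInfo = { 0 };
    obCallbackInfo.ObjectType = PsProcessType;
    obCallbackInfo.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    obCallbackInfo.PreOperation = ProcessPreCallback;
    obCallbackInfo.PostOperation = NULL;

    OB_CALLBACK_REGISTRATION obRegInfo = { 0 };
    obRegInfo.Version = ObGetFilterVersion();
    obRegInfo.OperationRegistrationCount = 1;
    obRegInfo.RegistrationContext = (PVOID)(ULONG_PTR)Pid;   /* integer carried through a PVOID */
    /* NOTE(review): the altitude decides ordering relative to other registered
     * filters; "12345" is a placeholder value from the original. */
    RtlInitUnicodeString(&obRegInfo.Altitude, L"12345");
    obRegInfo.OperationRegistration = &obCallbackInfo;

    NTSTATUS st = ObRegisterCallbacks(&obRegInfo, &RegistrationHandle);
    if (!NT_SUCCESS(st))
    {
        DbgPrintEx(77, 0, "[db]:ObRegisterCallbacks failed, st = %x\r\n", st);
    }
    return st;
}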

/*
 * Minimal "accept and complete" dispatch routine: completes the IRP with
 * STATUS_SUCCESS and zero bytes transferred. Not installed anywhere in this
 * listing.
 */
NTSTATUS DefDispatch(
    _In_ struct _DEVICE_OBJECT *DeviceObject,
    _Inout_ struct _IRP *Irp
)
{
    UNREFERENCED_PARAMETER(DeviceObject);

    const NTSTATUS result = STATUS_SUCCESS;
    Irp->IoStatus.Status = result;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);   /* IO_NO_INCREMENT == 0 */
    return result;
}

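/*
 * IRP_MJ_DEVICE_CONTROL handler that DriverEntry installs in the target
 * driver's dispatch table. Handles the TEST IOCTL (a CMD block in the
 * METHOD_BUFFERED SystemBuffer; code 1 = protect the PID in `in`) and hands
 * every other control code to the routine that was in the slot before the
 * hook (OriginalDeviceControl), so the hooked driver keeps serving its own
 * requests.
 *
 * The buffer comes from an arbitrary user-mode caller and is validated before
 * use: SystemBuffer is NULL when both buffer lengths are zero, and
 * InputBufferLength must cover a whole CMD before any member is read. The
 * original dereferenced SystemBuffer unconditionally (a NULL dereference on
 * any IOCTL without an input buffer) and opened with an unconditional
 * DbgBreakPoint(), which bugchecks when no kernel debugger is attached; both
 * are gone. The closing DbgPrintEx also had __FUNCTION__ inside the literal.
 *
 * Returns the completion status stored in Irp->IoStatus.Status, or whatever
 * OriginalDeviceControl returns for forwarded requests.
 */
NTSTATUS Dispatch(
    _In_ struct _DEVICE_OBJECT *DeviceObject,
    _Inout_ struct _IRP *Irp
)
{
    PIO_STACK_LOCATION io = IoGetCurrentIrpStackLocation(Irp);
    ULONG controlCode = io->Parameters.DeviceIoControl.IoControlCode;
    ULONG inputLength = io->Parameters.DeviceIoControl.InputBufferLength;

    DbgPrintEx(77, 0, "[db]:MajorFunction = %x\r\n", io->MajorFunction);
    DbgPrintEx(77, 0, "[db]:InputBufferLength = %x\r\n", inputLength);
    DbgPrintEx(77, 0, "[db]:OutputBufferLength = %x\r\n", io->Parameters.DeviceIoControl.OutputBufferLength);
    DbgPrintEx(77, 0, "[db]:IoControlCode = %x\r\n", controlCode);
    DbgPrintEx(77, 0, "[db]:SystemBuffer = %p\r\n", Irp->AssociatedIrp.SystemBuffer);

    if (controlCode != TEST)
    {
        /* Not ours: let the hooked driver handle its own requests. */
        if (OriginalDeviceControl != NULL)
        {
            return OriginalDeviceControl(DeviceObject, Irp);
        }
        Irp->IoStatus.Status = STATUS_INVALID_DEVICE_REQUEST;
        Irp->IoStatus.Information = 0;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_INVALID_DEVICE_REQUEST;
    }

    NTSTATUS status = STATUS_SUCCESS;
    PCMD pcmd = (PCMD)Irp->AssociatedIrp.SystemBuffer;

    if (pcmd == NULL || inputLength < sizeof(CMD))
    {
        status = STATUS_BUFFER_TOO_SMALL;
    }
    else
    {
        switch (pcmd->code)
        {
        case 1:
            /* MakeCallBack takes a ULONG PID while the wire field is ULONG64;
             * refuse values that would be silently truncated. */
            if (pcmd->in > MAXULONG)
            {
                status = STATUS_INVALID_PARAMETER;
            }
            else
            {
                status = MakeCallBack((ULONG)pcmd->in);
            }
            break;
        case 2:
            /* Reserved in the original; accepted and ignored. */
            break;
        default:
            status = STATUS_INVALID_PARAMETER;
            break;
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;   /* nothing is copied back to the caller */
    DbgPrintEx(77, 0, "[db]:%s\r\n", __FUNCTION__);
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}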

/*
 * Unload routine: undoes what DriverEntry and MakeCallBack set up — restores
 * the hooked dispatch pointer and drops the driver-object reference, deletes
 * this driver's device and symbolic link if one exists, and releases the
 * object-callback registration.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    if (LookForDriver != NULL && OriginalDeviceControl != NULL)
    {
        LookForDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = OriginalDeviceControl;
        /* Balance the reference taken by ObReferenceObjectByName in DriverEntry. */
        ObDereferenceObject(LookForDriver);
    }

    /* DriverEntry in this listing never calls IoCreateDevice, so DeviceObject
     * is expected to be NULL here. Should it ever be set, note that _SYM_NAME
     * is the system's own \??\NUL link. */
    if (pDriver->DeviceObject != NULL)
    {
        UNICODE_STRING symName = RTL_CONSTANT_STRING(_SYM_NAME);
        IoDeleteSymbolicLink(&symName);
        IoDeleteDevice(pDriver->DeviceObject);
    }

    if (RegistrationHandle != NULL)
    {
        ObUnRegisterCallbacks(RegistrationHandle);
    }
}

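/*
 * DriverEntry: takes a reference on the _DRIVER_NAME driver object and points
 * its IRP_MJ_DEVICE_CONTROL dispatch entry at Dispatch(), so IOCTLs sent to
 * that driver's device reach this driver. The previous entry is kept in
 * OriginalDeviceControl and the reference in LookForDriver; DriverUnload
 * restores both.
 *
 * Changes against the original:
 *  - The walk over the in-load-order module list is gone. It only fed a debug
 *    print, its comparison was inverted (RtlCompareUnicodeString returns 0 on
 *    a match, so the loop stopped at the first entry that did NOT match), and
 *    had it not stopped, LookForDriver would have been NULL when dereferenced.
 *    ObReferenceObjectByName is what actually locates the driver.
 *  - `LookForDriver->Flags |= DO_BUFFERED_IO` is dropped: DO_BUFFERED_IO is a
 *    DEVICE_OBJECT flag, and on DRIVER_OBJECT.Flags the same bit has a
 *    different (DRVO_*) meaning. The TEST IOCTL is METHOD_BUFFERED, which
 *    gives Dispatch() a SystemBuffer regardless of device flags.
 *  - The Attributes argument is OBJ_CASE_INSENSITIVE instead of
 *    FILE_ALL_ACCESS (an access mask, not an OBJ_* attribute set).
 *  - Failure to find the driver fails the load instead of faulting, and the
 *    DbgBreakPoint() on that path (a bugcheck without a debugger) is replaced
 *    by a log line. Unused locals (UnDeviceName, UnSymName, count) are removed.
 *
 * Returns STATUS_SUCCESS, STATUS_OBJECT_NAME_NOT_FOUND, or the failure status
 * from ObReferenceObjectByName.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    UNREFERENCED_PARAMETER(pReg);

    UNICODE_STRING driverName = RTL_CONSTANT_STRING(_DRIVER_NAME);
    PDRIVER_OBJECT target = NULL;

    NTSTATUS status = ObReferenceObjectByName(&driverName, OBJ_CASE_INSENSITIVE, NULL, 0,
                                              *IoDriverObjectType, KernelMode, NULL, (PVOID *)&target);
    if (!NT_SUCCESS(status) || target == NULL)
    {
        DbgPrintEx(77, 0, "[db]: ObReferenceObjectByName(%wZ) failed, st = %x\r\n", &driverName, status);
        return NT_SUCCESS(status) ? STATUS_OBJECT_NAME_NOT_FOUND : status;
    }
    DbgPrintEx(77, 0, "[db]: driver name = %wZ\r\n", &driverName);

    LookForDriver = target;

    /* Save the current entry first so DriverUnload can put it back, then swap.
     * The store is a single aligned pointer write; no lock is taken against
     * concurrent dispatch, same as the original. */
    OriginalDeviceControl = LookForDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL];
    LookForDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Dispatch;

    /* Kept from the original: sets bit 0x20 in this driver's own loader entry
     * through the locally declared (32-bit) _LDR_DATA_TABLE_ENTRY layout. The
     * listing does not say why it is needed — NOTE(review): confirm before
     * keeping it. A NULL DriverSection is tolerated instead of faulting. */
    PLDR_DATA_TABLE_ENTRY ex = (PLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    if (ex != NULL)
    {
        ex->Flags |= 0x20;
    }

    pDriver->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}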


#include <iostream>
#include <Windows.h>



#define _SYM_NAME "\\\\.\\NUL"  //..\\\\.\\xxxxxx...\\dosDevices\\ \\??\\

#define CODE_CTR_INDEX 0x800
#define TEST CTL_CODE(FILE_DEVICE_UNKNOWN,CODE_CTR_INDEX,METHOD_BUFFERED,FILE_ANY_ACCESS)

/*
 * Request block sent to the driver through the TEST IOCTL. It must match the
 * driver-side definition member for member; every member is ULONG64 so the
 * layout is the same whether this client is built 32- or 64-bit.
 * main() sets code = 1 and in = PID; the driver reads only those two.
 * The tag `__CMD` starts with a double underscore, which C/C++ reserve for the
 * implementation; renaming it would have to be mirrored in the driver.
 */
typedef struct __CMD
{
    ULONG64 code;    // command selector; 1 = protect the PID in `in`
    ULONG64 in;      // input value (the PID)
    ULONG64 inLen;   // set to sizeof(ULONG) by main(); not read by the driver
    ULONG64 out;     // unused output slot
    ULONG64 outLen;  // unused output length
}CMD, *PCMD;


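/*
 * Client for the TEST IOCTL: opens the device behind _SYM_NAME, reads a PID
 * from stdin and asks the driver to protect it (CMD.code = 1, CMD.in = PID).
 *
 * Fixes over the original: CreateFileA reports failure with
 * INVALID_HANDLE_VALUE, not NULL; the PID was read with %d straight into a
 * ULONG64 member; GetLastError() and the returned byte count are DWORDs but
 * were printed with %d / %llx; success was judged by `retLen == 1` instead of
 * the BOOL that DeviceIoControl returns; and the device handle was never
 * closed.
 *
 * Exit status: 0 when DeviceIoControl succeeded, 1 otherwise.
 */
int main()
{
    HANDLE hDevice = CreateFileA(_SYM_NAME, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("打開設(shè)備失敗%lu\r\n", GetLastError());
        return 1;
    }

    CMD xxx = {};
    xxx.code = 1;
    xxx.inLen = sizeof(ULONG);

    printf("請(qǐng)輸入要保護(hù)進(jìn)程的PID:");
    unsigned long pid = 0;
    if (scanf("%lu", &pid) != 1)
    {
        printf("invalid PID\r\n");
        CloseHandle(hDevice);
        return 1;
    }
    xxx.in = pid;

    /* Same buffer for input and output; the driver copies nothing back. */
    DWORD retLen = 0;
    BOOL isSuccess = DeviceIoControl(hDevice, TEST, &xxx, sizeof(CMD), &xxx, sizeof(CMD), &retLen, NULL);
    printf("DeviceIoControl = %d, GetLastError = %lu, returned = %lu\r\n", isSuccess, GetLastError(), retLen);

    CloseHandle(hDevice);
    return isSuccess ? 0 : 1;
}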

回調結構分析
_OBJECT_TYPE
kd> dt _object_Type
ntdll!_OBJECT_TYPE
   +0x000 TypeList         : _LIST_ENTRY
   +0x008 Name             : _UNICODE_STRING
   +0x010 DefaultObject    : Ptr32 Void
   +0x014 Index            : UChar
   +0x018 TotalNumberOfObjects : Uint4B
   +0x01c TotalNumberOfHandles : Uint4B
   +0x020 HighWaterNumberOfObjects : Uint4B
   +0x024 HighWaterNumberOfHandles : Uint4B
   +0x028 TypeInfo         : _OBJECT_TYPE_INITIALIZER
   +0x078 TypeLock         : _EX_PUSH_LOCK
   +0x07c Key              : Uint4B
   +0x080 CallbackList     : _OBJECT_LIST_ENTRY
_OBJECT_HANDLE
00 _OB_HANDLE struc
00 Version
02 OperationRegistrationCount
04 RegistrationContext
08 Altitude
10 obListcallback _OBJECT_LIST_ENTRY
34 _OB_HANDLE ends
_OBJECT_LIST_ENTRY
00 _OBJECT_LIST_ENTRY struc
00 callbackList
08 Operations
0C flags
10 Self
14 _OBJECT_TYPE
18 PreOperation
1C PostOperation
20 PVOID
24 _OBJECT_LIST_ENTRY ends
拉滿權限過句柄保護 OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;

如何隱藏搜索內存
1.CE私有句柄斷鏈
2.進程斷鏈
3.修改CE進程名字 csrss.exe lass.exe
4.注冊句柄回調。優先級小于保護優先級。也就是海拔數字大于保護的回調海拔數字


