
逆向 WIN7 X64 内核调试之 NtCreateDebugObject

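/*
 * proxyNtCreateDebugObject - replacement for NtCreateDebugObject (Win7 x64).
 *
 * Creates a debug object of type NewDbgObject, inserts it into the caller's
 * handle table and writes the resulting handle to DebugObjectHandle.
 *
 * DebugObjectHandle: receives the new handle. Probed for write when the
 *                    caller is not kernel mode, so a bad user pointer yields
 *                    the exception code as the return value instead of a
 *                    kernel-mode fault.
 * DesiredAccess:     access granted on the returned handle.
 * ObjectAttributes:  passed through to ObCreateObject.
 * Flags:             only DEBUG_KILL_ON_CLOSE is accepted; any other bit
 *                    returns STATUS_INVALID_PARAMETER.
 *
 * Returns an NTSTATUS: the failure status of ObCreateObject / ObInsertObject,
 * the exception code raised while touching DebugObjectHandle, or the
 * success status of ObInsertObject.
 */
NTSTATUS __fastcall proxyNtCreateDebugObject(
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
    )
{
    NTSTATUS status;
    HANDLE Handle;
    PDEBUG_OBJECT DebugObject;
    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();

    /*
     * Validate the caller-supplied output pointer before anything is
     * allocated. The original listing also re-read and re-wrote the same
     * slot here (*DebugObjectHandle = *DebugObjectHandle); that extra
     * user-memory access adds nothing beyond the probe plus the NULL store
     * below, so it has been dropped.
     */
    try {
        if (PreviousMode != KernelMode) {
            ProbeForWriteHandle(DebugObjectHandle);
        }
        *DebugObjectHandle = NULL;
    } except(ExSystemExceptionFilter()) {
        return GetExceptionCode();
    }

    /* Reject any flag bit other than DEBUG_KILL_ON_CLOSE. */
    if (Flags & ~DEBUG_KILL_ON_CLOSE) {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * Create the debug object.
     * NewDbgObject is the debug object type; it is to be replaced later with
     * the newly created debug object type.
     */
    status = ObCreateObject(
        PreviousMode,
        NewDbgObject,
        ObjectAttributes,
        PreviousMode,
        NULL,
        sizeof(DEBUG_OBJECT),
        0,
        0,
        (PVOID*)&DebugObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Initialize the debug object. */
    ExInitializeFastMutex(&DebugObject->Mutex);
    InitializeListHead(&DebugObject->EventList);
    KeInitializeEvent(&DebugObject->EventsPresent, NotificationEvent, FALSE);
    DebugObject->Flags = (Flags & DEBUG_KILL_ON_CLOSE) ? DEBUG_OBJECT_KILL_ON_CLOSE : 0;

    /*
     * Insert the debug object into the handle table.
     * NOTE(review): on failure the creation reference is presumed to be
     * released by ObInsertObject itself; if the insert routine is ever
     * swapped out, this early return would leak DebugObject.
     */
    status = ObInsertObject(
        DebugObject,
        NULL,
        DesiredAccess,
        0,
        NULL,
        &Handle);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /*
     * Hand the handle back to the caller. A fault here happens after the
     * insert, so the exception code becomes the return status; the handle
     * presumably stays open in the caller's handle table.
     */
    try {
        *DebugObjectHandle = Handle;
    } except(ExSystemExceptionFilter()) {
        status = GetExceptionCode();
    }

    return status;
}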
