Object Hook原始地址查找
2016-07-12 19:57
465 查看
写的Object Hook原始地址查找通用性似乎还可以
2009-02-15 11:46
| 如题。 有关于SecurityProcedure: 部分ObjectType在创建的时候没有提供SecurityProcedure,所以无法得到,但是ObCreateObjectType发现SecurityProcedure被提供为NULL的时候会自行设置为SeDefaultObjectMethod,这导致了搜索结果为NULL而实际结果不为NULL。 试图加载 ntkrnlpa.exe. 成功加载 ntkrnlpa.exe. 成功创建 Section. 成功映射 Section 于 7FD90000 长度 2150400 , 状态号 1073741827 . 开始查找 Object Procedure. 开始查找 Process. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004FACDC DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00000000 QueryNameProcedure: 00000000 SecurityProcedure: 00000000 开始查找 Thread. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004FAE64 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00000000 QueryNameProcedure: 00000000 SecurityProcedure: 00000000 开始查找 KeyObject. OpenProcedure: 00000000 CloseProcedure: 0056006E DeleteProcedure: 0055FF54 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00557F1C QueryNameProcedure: 0055EDEE SecurityProcedure: 0055FDB8 开始查找 File. OpenProcedure: 00000000 CloseProcedure: 004AC6E8 DeleteProcedure: 004AC9C6 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 004AC5D6 QueryNameProcedure: 004AB680 SecurityProcedure: 004ACD4A 开始查找 Driver. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004AC62E DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 00000000 QueryNameProcedure: 00000000 SecurityProcedure: 00000000 开始查找 Device. OpenProcedure: 00000000 CloseProcedure: 00000000 DeleteProcedure: 004AC6A8 DumpProcedure: 00000000 OkayToCloseProcedure: 00000000 ParseProcedure: 004AB7E8 QueryNameProcedure: 00000000 SecurityProcedure: 004ACD4A 查找 Object Procedure 完成. 退出. lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsProcessType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0 '' +0x003 CaseInsensitive : 0 '' +0x004 InvalidAttributes : 0xb0 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f0fff +0x01c SecurityRequired : 0x1 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0x1000 +0x028 DefaultNonPagedPoolCharge : 0x290 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x805d2cdc void nt!PspProcessDelete+0 +0x03c ParseProcedure : (null) +0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(PsThreadType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0 '' +0x003 CaseInsensitive : 0 '' +0x004 InvalidAttributes : 0xb0 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f03ff +0x01c SecurityRequired : 0x1 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0 +0x028 DefaultNonPagedPoolCharge : 0x288 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x805d2e64 void nt!PspThreadDelete+0 +0x03c ParseProcedure : (null) +0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(CmpKeyObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0x1 '' +0x003 CaseInsensitive : 0 '' +0x004 InvalidAttributes : 0x30 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f003f +0x01c SecurityRequired : 0x1 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 1 ( PagedPool ) +0x024 DefaultPagedPoolCharge : 0x74 +0x028 DefaultNonPagedPoolCharge : 0 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : 0x8063806e void nt!CmpCloseKeyObject+0 +0x038 DeleteProcedure : 0x80637f54 void nt!CmpDeleteKeyObject+0 +0x03c ParseProcedure : 0x8062ff1c long nt!CmpParseKey+0 +0x040 SecurityProcedure : 0x80637db8 long nt!CmpSecurityMethod+0 +0x044 QueryNameProcedure : 0x80636dee long nt!CmpQueryKeyName+0 +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoFileObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0 '' +0x003 CaseInsensitive : 0x1 '' +0x004 InvalidAttributes : 0x130 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f01ff +0x01c SecurityRequired : 0 '' +0x01d MaintainHandleCount : 0x1 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0x400 +0x028 DefaultNonPagedPoolCharge : 0xe8 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : 0x805846e8 void nt!IopCloseFile+0 +0x038 DeleteProcedure : 0x805849c6 void nt!IopDeleteFile+0 +0x03c ParseProcedure : 0x805845d6 long nt!IopParseFile+0 +0x040 SecurityProcedure : 0x80584d4a long nt!IopGetSetSecurityObject+0 +0x044 QueryNameProcedure : 0x80583680 long nt!IopQueryName+0 +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDriverObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0x1 '' +0x003 CaseInsensitive : 0x1 '' +0x004 InvalidAttributes : 0x100 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f01ff +0x01c SecurityRequired : 0 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0 +0x028 DefaultNonPagedPoolCharge : 0xd8 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x8058462e void nt!IopDeleteDriver+0 +0x03c ParseProcedure : (null) +0x040 SecurityProcedure : 0x805f9150 long nt!SeDefaultObjectMethod+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) lkd> dt _OBJECT_TYPE_INITIALIZER poi(IoDeviceObjectType)+0x60 nt!_OBJECT_TYPE_INITIALIZER +0x000 Length : 0x4c +0x002 UseDefaultObject : 0x1 '' +0x003 CaseInsensitive : 0x1 '' +0x004 InvalidAttributes : 0x100 +0x008 GenericMapping : _GENERIC_MAPPING +0x018 ValidAccessMask : 0x1f01ff +0x01c SecurityRequired : 0 '' +0x01d MaintainHandleCount : 0 '' +0x01e MaintainTypeList : 0 '' +0x020 PoolType : 0 ( NonPagedPool ) +0x024 DefaultPagedPoolCharge : 0 +0x028 DefaultNonPagedPoolCharge : 0xe8 +0x02c DumpProcedure : (null) +0x030 OpenProcedure : (null) +0x034 CloseProcedure : (null) +0x038 DeleteProcedure : 0x805846a8 void nt!IopDeleteDevice+0 +0x03c ParseProcedure : 0x805837e8 long nt!IopParseDevice+0 +0x040 SecurityProcedure : 0x80584d4a long nt!IopGetSetSecurityObject+0 +0x044 QueryNameProcedure : (null) +0x048 OkayToCloseProcedure : (null) |
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- 论文笔记 | Exploit All the Layers: Fast and Accurate CNN Object Detector with SDP and CRC
- ajax返回object Object解决方法
- java.lang.NoClassDefFoundError: org.ksoap2.serialization.SoapObject
- java基础之--object
- java中判断Object对象类型
- java中object...类型
- Java Object 对象拷贝答疑
- Objective-C 非主流代码技巧
- Java Object 对象拷贝
- Objective-C(一,导言)
- childobjects方法
- Objective-C 入门教程(一)
- 17SWFObject使用
- 法线从object space到eye space的转换((normal matrix)
- Objective-C开发编码规范:4大方面解决开发中的规范性问题
- java.lang.String cannot be cast to [Ljava.lang.Object
- Objective-C Runtime
- Objective-C 消息发送与转发机制原理
- 内存管理基本原理
- bean的加载(九)记录创建bean的ObjectFactory