
NtCreateDebugObject for Win8.1

这个代码可以在 Win8.1 上面跑，测试成功。自己测试的时候，把 ObInsertObjectEx、DbgkDebugObjectType 替换一下，最后用符号连接就完美了。
这个不像昨天的那个伪代码，这个是可以跑的。我跟着调试了一遍代码，也没有用 IDA，IDA 太坑。
优化了一下函数，减少一个硬编码，现在只剩一个 DbgkDebugObjectType 了。
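 NTSTATUS NTCreateDebugObject(OUT PHANDLE DebugObjectHandle,
                              IN ACCESS_MASK DesiredAccess,
                              IN POBJECT_ATTRIBUTES ObjectAttributes,
                              IN ULONG Flags)
{
    /*
     * Re-implementation of NtCreateDebugObject for the Win8.1 build this was
     * written against. DEBUG_OBJECT has no public definition, so the body is
     * filled in through raw offsets, and ObCreateObject is resolved at run
     * time because it is not declared in the WDK headers.
     *
     *   DebugObjectHandle  user-mode pointer that receives the new handle.
     *                      Probed before any object is created, written
     *                      under SEH.
     *   DesiredAccess      access granted on the returned handle.
     *   ObjectAttributes   captured and probed by ObCreateObject itself,
     *                      since ProbeMode is the caller's previous mode.
     *   Flags              only bit 0 (DEBUG_KILL_ON_CLOSE) is accepted.
     *
     * Returns STATUS_SUCCESS; STATUS_INVALID_PARAMETER for a kernel-mode
     * caller or unknown Flags bits; STATUS_PROCEDURE_NOT_FOUND when
     * ObCreateObject cannot be resolved; the exception code when
     * DebugObjectHandle is not writable; otherwise whatever
     * ObCreateObject / ObInsertObject returned.
     */
    typedef NTSTATUS (__stdcall *OBCREATEOBJECT)(
        __in KPROCESSOR_MODE ProbeMode,
        __in POBJECT_TYPE ObjectType,
        __in POBJECT_ATTRIBUTES ObjectAttributes,
        __in KPROCESSOR_MODE OwnershipMode,
        __inout_opt PVOID ParseContext,
        __in ULONG ObjectBodySize,
        __in ULONG PagedPoolCharge,
        __in ULONG NonPagedPoolCharge,
        __out PVOID *Object
        );

    /* Build-specific: DbgkDebugObjectType is not exported. This address is
     * for the kernel build the post was written against and must be
     * re-resolved (e.g. from symbols) for any other build. */
    POBJECT_TYPE DbgkDebugObjectType = (POBJECT_TYPE)0x84939eb0;
    UNICODE_STRING usFuncName;
    OBCREATEOBJECT ObCreateObject;
    KPROCESSOR_MODE PreviousMode;
    PVOID DebugObject = NULL;
    PUCHAR body;
    HANDLE handle = NULL;
    NTSTATUS status;

    /* Only user-mode callers are served. */
    PreviousMode = ExGetPreviousMode();
    if (PreviousMode == KernelMode) {
        return STATUS_INVALID_PARAMETER;
    }
    /* Only DEBUG_KILL_ON_CLOSE (bit 0) is defined; reject anything else. */
    if (Flags & 0xFFFFFFFE) {
        return STATUS_INVALID_PARAMETER;
    }

    /* DebugObjectHandle is a user-mode pointer (kernel callers were rejected
     * above). Probe it before creating anything so that a bad pointer can
     * neither make the kernel write to an arbitrary address nor leave a
     * half-built object behind. */
    __try {
        ProbeForWrite(DebugObjectHandle, sizeof(HANDLE), sizeof(HANDLE));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return GetExceptionCode();
    }

    RtlInitUnicodeString(&usFuncName, L"ObCreateObject");
    ObCreateObject = (OBCREATEOBJECT)MmGetSystemRoutineAddress(&usFuncName);
    if (ObCreateObject == NULL) {
        /* Previously an unchecked NULL function pointer call. */
        return STATUS_PROCEDURE_NOT_FOUND;
    }

    /* 0x3c is the DEBUG_OBJECT body size for this build. ProbeMode equals
     * PreviousMode, so ObCreateObject probes/captures ObjectAttributes. */
    status = ObCreateObject(PreviousMode, DbgkDebugObjectType, ObjectAttributes,
                            PreviousMode, NULL, 0x3c, 0, 0, &DebugObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    body = (PUCHAR)DebugObject;

    /* +0x00: notification event (EventsPresent in the public DEBUG_OBJECT
     * layout -- verify against this build's symbols). */
    KeInitializeEvent((PRKEVENT)(body + 0x00), NotificationEvent, FALSE);

    /* +0x10..+0x2c: Count = 1, Owner = NULL, Contention = 0, then a
     * synchronization event -- the same stores ExInitializeFastMutex makes,
     * so this looks like an inline FAST_MUTEX; confirm against the build. */
    *(PULONG)(body + 0x10) = 1;
    *(PULONG)(body + 0x14) = 0;
    *(PULONG)(body + 0x18) = 0;
    KeInitializeEvent((PRKEVENT)(body + 0x1c), SynchronizationEvent, FALSE);

    /* +0x30: empty LIST_ENTRY (Flink == Blink == &list). */
    InitializeListHead((PLIST_ENTRY)(body + 0x30));

    /* +0x38: object flags. The validated Flags parameter was previously never
     * consulted and the field was always set to 2. Map DEBUG_KILL_ON_CLOSE
     * (0x1) to the stored kill-on-close bit (0x2 in the WRK/ReactOS
     * DEBUG_OBJECT definitions -- confirm for this build) so a caller passing
     * 0 gets a debug object that does not kill its debuggees on close. */
    *(PULONG)(body + 0x38) = (Flags & 0x1) ? 2 : 0;

    /* As in the original, nothing is released on failure here: ObInsertObject
     * is documented to drop the creation reference when it fails. */
    status = ObInsertObject(DebugObject, NULL, DesiredAccess, 0, NULL, &handle);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    KdPrint(("handle %p\n", handle));

    /* The target was probed above but may have been unmapped since. The
     * handle is not closed on this failure; it remains in the caller's table. */
    __try {
        *DebugObjectHandle = handle;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        status = GetExceptionCode();
    }
    return status;
}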

由FAKE

研究商业反作弊.
