object hook实现禁止创建文件
要解决的问题:
对于第二个问题:
- #define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD((o),OBJECT_HEADER,Body)
- POBJECT_HEADER addrs=NULL;
- POBJECT_TYPE pType= NULL;
- addrs=OBJECT_TO_OBJECT_HEADER(pObject);//获取对象头
- pType=addrs->Type;//获取对象类型结构 object-10h
- OldParseProcedure = pType->TypeInfo.ParseProcedure;//获取服务函数原始地址OBJECT_TYPE+9C位置为打开
3. 怎样改写((POBJECT_TYPE)*IoDeviceObjectType)->TypeInfo.ParseProcedure=pNewProcedure
//PVOID oldParseProcedure;
//typedef int (*FP_CALC)(int, int);
NTSTATUS (*oldParseProcedure)(IN PVOID ParseObject,
IN PVOID ObjectType,
IN OUT PACCESS_STATE AccessState,
IN KPROCESSOR_MODE AccessMode,
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object);
VOID MyObjectHook()
{
UNICODE_STRING uFileName;
OBJECT_ATTRIBUTES ob;
NTSTATUS status;
HANDLE hFile;
IO_STATUS_BLOCK ioStaBlock;
PVOID pObject;
POBJECT_HEADER addr;
POBJECT_TYPE pType;
OBJECT_TYPE_INITIALIZER obTypeInit;
KIRQL irql;
dprintf("enter myObjectHook...\n");
DbgBreakPoint();
RtlInitUnicodeString(&uFileName,L"\\Device\\HarddiskVolume1\\123.txt");//这个文件必需存在
InitializeObjectAttributes(&ob,&uFileName,OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE ,NULL, NULL);
status = ZwOpenFile(&hFile,GENERIC_ALL,&ob,&ioStaBlock,0,FILE_NON_DIRECTORY_FILE);
if (!NT_SUCCESS(status))
{
dprintf("ZwOpenFile error..\n");
return ;
}
status = ObReferenceObjectByHandle(hFile,GENERIC_ALL,NULL,KernelMode,&pObject,NULL);
if (!NT_SUCCESS(status))
{
dprintf("ObReferenceObjectByHandle:Object is Null\n");
return ;
}
dprintf("pObject is 0x%08X\n",pObject);
addr = OBJECT_TO_OBJECT_HEADER(pObject);
dprintf("addr is 0x%08X\n",addr); //这里是pObject-0x18的位置
pType = addr->Type;
dprintf("pType is 0x%08X\n",pType);
//oldParseProcedure = (PVOID)(pType->TypeInfo.ParseProcedure);
oldParseProcedure = pType->TypeInfo.ParseProcedure;
dprintf("OldParseProcedure addrs is %08X\n",oldParseProcedure);
//HOOK 一下下
irql = WPOFF();
pType->TypeInfo.ParseProcedure = NewParseProcedure;//hook
WPON(irql);
//关闭句柄
ZwClose(hFile);
}
//OBJECT HOOK 函数
NTSTATUS NewParseProcedure(IN PVOID ParseObject,
IN PVOID ObjectType,
IN OUT PACCESS_STATE AccessState,
IN KPROCESSOR_MODE AccessMode,
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
PVOID namePool;
if (RemainingName->Buffer)
{
namePool = ExAllocatePool(NonPagedPool, RemainingName->Buffer+2);
RtlZeroMemory(namePool, RemainingName->Buffer+2);
if (namePool)
{
RtlCopyMemory(namePool, RemainingName->Buffer,RemainingName->Length);
_wcsupr((wchar_t*)namePool);
if (wcsstr(namePool, L"TEST.TXT"))
{
ExFreePool(namePool);
return STATUS_ACCESS_DENIED;
}
}
}
return oldParseProcedure(ParseObject,
ObjectType,
AccessState,
AccessMode,
Attributes,
CompleteName,
RemainingName,
Context,
SecurityQos,
*Object);
}
//object hook
VOID MyObjectHook();
#define OBJECT_TO_OBJECT_HEADER(o)\
CONTAINING_RECORD((o),OBJECT_HEADER,Body)
typedef struct _OBJECT_HEADER {
LONG PointerCount;
union {
LONG HandleCount;
PSINGLE_LIST_ENTRY SEntry;
};
POBJECT_TYPE Type;
UCHAR NameInfoOffset;
UCHAR HandleInfoOffset;
UCHAR QuotaInfoOffset;
UCHAR Flags;
union
{
PVOID ObjectCreateInfo;
PVOID QuotaBlockCharged;
};
PSECURITY_DESCRIPTOR SecurityDescriptor;
QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;
NTSTATUS NewParseProcedure(IN PVOID ParseObject,
IN PVOID ObjectType,
IN OUT PACCESS_STATE AccessState,
IN KPROCESSOR_MODE AccessMode,
IN ULONG Attributes,
IN OUT PUNICODE_STRING CompleteName,
IN OUT PUNICODE_STRING RemainingName,
IN OUT PVOID Context OPTIONAL,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
OUT PVOID *Object);
object hook实现禁止创建文件的更多相关文章
- 一个简单的Object Hook的例子(win7 32bit)
Object Hook简单的来说就是Hook对象,这里拿看雪上的一个例子,因为是在win7 32位上的,有些地方做了些修改. _OBJECT_HEADER: kd> dt _OBJECT_HEA ...
- HOOK NTFS 禁止格式化
if(bHooked == FALSE) { RtlInitUnicodeString (&HookDriverName, L"\\FileSystem\\Ntfs"); ...
- Java File文件操作 创建文件\目录,删除文件\目录
Java手册 java.io 类 File java.lang.Object java.io.File 所有已实现的接口: Serializable, Comparable<File> p ...
- apache环境下禁止某文件夹内运行PHP脚本、禁止访问文件或目录执行权限的设置方法
apache环境下禁止某文件夹内运行PHP脚本.禁止访问文件或目录执行权限的设置方法 首先我们来看两段对上传目录设置无权限的列子,配置如下: <Directory "要去掉PHP执 ...
- 【转】c# winform 创建文件,把值写入文件,读取文件里的值,修改文件的值,对文件的创建,写入,修改
创建文件和读取文件的值 #region 判断文件是否存在,不存在则创建,否则读取值显示到窗体 public FormMain() { InitializeComponent(); //ReadFile ...
- python在windows系统上创建文件
正确方法为:open("test1.txt",'wb')或open("test1.txt",'w') 以下是网上的方法创建遇到的问题 使用Python2.7在w ...
- 98)PHP,文件类型获取和创建文件夹
看手册 finfo这个类:This class provides an object oriented interface into the fileinfo functions. 这个$mime_ ...
- centos彻底删除文件夹创建文件
centos彻底删除文件夹.文件命令(centos 新建.删除.移动.复制等命令: 1.新建文件夹 mkdir 文件名 新建一个名为test的文件夹在home下 view source1 mkdir ...
- linux下创建文件与目录时默认被赋予了什么样的权限?
当我们创建一个新的文件或目录的时候,他的默认权限是什么? umask--指定当前使用者在创建文件或目录的时候默认的权限值 [root@iZ288fgkcpkZ default]# umask [roo ...
随机推荐
- 更改yum源为网易的
更改yum源为网易的. mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup cd /etc/yu ...
- gaggd
####算法一 暴力枚举所有可能的$a_2$并递推判断.复杂度$O(r \times k)$,预期得分10分. ####算法二 $a_k$可以表示为$a_1$与$a_2$的线性组合.使用递推计算出系数 ...
- AppScan8.7的两个细节亮点
1.增加了对红极一时的Struts2的远程代码执行漏洞的检测 2.增加了对篡改价格这类应用逻辑缺陷的检测
- python读取大文件【一行一行读取】
with open('e:/content.txt') as f: for line in f: if '==3346628==' in line: …………
- 如何在Android Studio中创建jniLib和asset文件夹 2
1.创建asset文件夹 如图进行操作 2.创建jniLib文件夹 —打开app下面的gradle文件(不是project的gradle) —在gradle文件的Android标签里面添加 sourc ...
- 训练指南 UVALive - 3523 (双联通分量 + 二分图染色)
layout: post title: 训练指南 UVALive - 3523 (双联通分量 + 二分图染色) author: "luowentaoaa" catalog: tru ...
- 树链剖分【p2568】[SDOI2011]染色
Description 给定一颗有\(n\)个节点的无根树和\(m\)个操作,操作有\(2\)类: 1.将节点\(a\)到节点\(b\)路径上所有点染成颜色\(c\) 2.询问节点\(a\)到节点\( ...
- 洛谷——P2556 [AHOI2002]黑白图像压缩
P2556 [AHOI2002]黑白图像压缩 题目描述 选修基础生物基因学的时候, 小可可在家里做了一次图像学试验. 她知道:整个图像其实就是若干个图像点(称作像素)的序列,假定序列中像素的个数总是 ...
- [BZOJ 1305] 跳舞
Link:https://www.lydsy.com/JudgeOnline/problem.php?id=1305 Solution: 发现res是否可行具有单调性,二分答案 容易看出每次check ...
- POJ 3537:Crosses and Crosses(Multi-Nim)
[题目链接] http://poj.org/problem?id=3537 [题目大意] 在一个1*n的方格纸上下棋,谁先连三子谁就赢了,问必胜的是谁. [题解] 我们发现对于一个n规模的游戏.在i位 ...