HOOK ZwCreateProcess(Ex),拦截禁止运行的程序。拦截并拒绝一次进程创建之后,将同一个文件改名再次运行,发现取到的仍是同一个 FILE_OBJECT(地址相同),
其 FileName 字段的 Length 仍是原来的值(0x5c),而缓冲区内容已经是改名后的新名字,导致按 Length 截取出的文件名错误,从而无法再禁止该文件运行。
想要问的是:如何才能保证改名后依然获得正确的文件名长度?(需要注意的是,FILE_OBJECT->FileName 只保证在 IRP_MJ_CREATE 处理期间有效,之后文件被改名、通过硬链接或短名打开时该字段都可能不再反映当前名字;要取当前路径,应通过 ObQueryNameString 或 ZwQueryInformationFile(FileNameInformation) 向文件系统查询,而不是直接读该字段。另外,仅按路径名拦截本身就能被改名绕过,若要可靠地禁止某个文件运行,应按文件内容哈希或签名来比较。)
如果放过(即允许执行),那么无论怎样改名,之后都能正常获得文件名。
如果想要自己释放一个文件的 FILE_OBJECT 对象,该怎么做?(注意:FILE_OBJECT 由对象管理器按引用计数管理,驱动只应对自己取得的引用调用 ObDereferenceObject,不能直接释放对象本身,否则其他持有者(如内存管理器的 ControlArea)会出现悬挂指针/use-after-free。同理,下面通过 ObReferenceObjectByHandle 取得的 Section 引用,在所有返回路径上都需要对应的 ObDereferenceObject——贴出的片段里没有看到,若确实缺失则会泄漏引用。)

////////////////////////////////////////////////////////////
// 获取FILE_OBJECT指针方式
//
NTSTATUS Status;
PSECTION Section; // 内存区
PSEGMENT Segment; // 内存段
PCONTROL_AREA ControlArea;// 控制区域
PFILE_OBJECT FileObject; // 文件对象(Exe)
UNICODE_STRING ExeName = {0};
PPROCESS_PACKET ProcessPacket;
Status = ObReferenceObjectByHandle(SectionHandle,
0,
NULL,
KernelMode,
&Section,
NULL);
if (!NT_SUCCESS(Status))
{
goto SYSCALL;
}
Segment = Section->Segment;
ControlArea = Segment->ControlArea;
FileObject = ControlArea->FilePointer;
//
// 获取进程路径名
//
Status = KFGetExeNameByFileObject(FileObject,&ExeName);
//////////////////////////////////////////////////////////
第一次打开文件时,FILE_OBJECT 中 FileName 的 Length 为 0x5C,获取文件名正常:
kd> dt _FILE_OBJECT 0x816c5028
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x817dda68
+0x008 Vpb : 0x817de138
+0x00c FsContext : 0xe141c710
+0x010 FsContext2 : 0xe141c868
+0x014 SectionObjectPointer : 0x816c5fac
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0x1 ''
+0x02c Flags : 0xc0042
+0x030 FileName : _UNICODE_STRING "\Documents and Settings\ss\???"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
kd> dt _UNICODE_STRING 0x816c5028+0x030
"\Documents and Settings\ss\???"
+0x000 Length : 0x5c
+0x002 MaximumLength : 0x78
+0x004 Buffer : 0xe14193f8 "\Documents and Settings\ss\???"
kd> db 0xe14193f8
e14193f8 5c 00 44 00 6f 00 63 00-75 00 6d 00 65 00 6e 00 \.D.o.c.u.m.e.n.
e1419408 74 00 73 00 20 00 61 00-6e 00 64 00 20 00 53 00 t.s. .a.n.d. .S.
e1419418 65 00 74 00 74 00 69 00-6e 00 67 00 73 00 5c 00 e.t.t.i.n.g.s.\.
e1419428 73 00 73 00 5c 00 4c 68-62 97 5c 00 31 00 32 00 s.s.\.Lhb.\.1.2.
e1419438 33 00 31 00 33 00 32 00-31 00 33 00 33 00 33 00 3.1.3.2.1.3.3.3.
e1419448 33 00 65 00 2e 00 65 00-78 00 65 00 00 00 a1 8b 3.e...e.x.e.....
e1419458 97 7b 68 56 2e 00 4c 00-4e 00 4b 00 00 00 49 00 .{hV..L.N.K...I.
e1419468 4e 00 49 00 00 00 00 00-10 02 07 0c 4d 6d 53 6d N.I.........MmSm
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
第二次:将文件改名后再次运行,取到的仍是同一个 FILE_OBJECT(0x816c5028),其 FileName 的 Length 仍为 0x5c,
但缓冲区内容已经是新文件名(实际长度已超过 0x5c,可见下面 db/du 输出),此时按 Length 截取得到的文件名就有问题了。
kd> dt _FILE_OBJECT 0x816c5028
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x817dda68
+0x008 Vpb : 0x817de138
+0x00c FsContext : 0xe141c710
+0x010 FsContext2 : 0xe141c868
+0x014 SectionObjectPointer : 0x816c5fac
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0 ''
+0x028 DeleteAccess : 0 ''
+0x029 SharedRead : 0x1 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0x1 ''
+0x02c Flags : 0x44042
+0x030 FileName : _UNICODE_STRING "\Documents and Settings\ss\???"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
kd> dt _UNICODE_STRING 0x816c5028+0x030
"\Documents and Settings\ss\???"
+0x000 Length : 0x5c
+0x002 MaximumLength : 0x78
+0x004 Buffer : 0xe14193f8 "\Documents and Settings\ss\???"
kd> db 0xe14193f8
e14193f8 5c 00 44 00 6f 00 63 00-75 00 6d 00 65 00 6e 00 \.D.o.c.u.m.e.n.
e1419408 74 00 73 00 20 00 61 00-6e 00 64 00 20 00 53 00 t.s. .a.n.d. .S.
e1419418 65 00 74 00 74 00 69 00-6e 00 67 00 73 00 5c 00 e.t.t.i.n.g.s.\.
e1419428 73 00 73 00 5c 00 4c 68-62 97 5c 00 61 00 61 00 s.s.\.Lhb.\.a.a.
e1419438 62 00 62 00 63 00 63 00-64 00 64 00 65 00 65 00 b.b.c.c.d.d.e.e.
e1419448 66 00 66 00 67 00 67 00-68 00 68 00 69 00 69 00 f.f.g.g.h.h.i.i.
e1419458 6a 00 6a 00 6b 00 6b 00-2e 00 65 00 78 00 65 00 j.j.k.k...e.x.e.
e1419468 4e 00 49 00 00 00 00 00-10 02 07 0c 4d 6d 53 6d N.I.........MmSm
kd> du 0xe14193f8
e14193f8 "\Documents and Settings\ss\"
e1419438 "bbccddeeffgghhiijjkk.exeNI"
/////////////////////////////////////////////////////////////////////////////////////////
// 拦截到后,返回到应用层比较,比较完毕,FLAG传入RING0,据此判断是否放过
if (ProcessPacket->Flag == 0)
{
ExFreePool(ProcessPacket);
goto SYSCALL;
}
else
{
ExFreePool(ProcessPacket);
// 如果不允许运行,简单返回一个失败
return STATUS_ACCESS_DENIED;
}
}
_except(EXCEPTION_EXECUTE_HANDLER)
{
return STATUS_UNSUCCESSFUL;
}
SYSCALL:
return OrgZwCreateProcessEx(ProcessHandle,
DesiredAccess,
ObjectAttributes,
ParentProcess,
Flags,
SectionHandle,
DebugPort,
ExceptionPort,
JobMemberLevel);