OK学习

见招拆招就好

链接:678K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6H3j5h3&6Q4x3X3g2T1j5h3W2V1N6g2)9J5k6h3y4G2L8g2)9J5c8Y4y4Q4x3V1j5I4j5$3N6D9y4h3!0Q4y4h3k6A6c8$3R3%4K9h3#2F1h3f1k6e0K9@1E0H3M7f1c8Y4i4K6t1$3L8X3u0K6M7q4)9K6b7W2!0q4y4W2)9^5c8W2)9&6x3q4!0q4y4g2)9^5c8W2)9&6y4W2!0q4y4#2!0m8x3q4)9^5x3g2)9K6b7i4u0%4L8U0c8Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4@1f1#2i4@1p5@1i4K6S2p5i4@1f1#2i4K6R3^5i4@1t1$3i4@1f1^5i4@1u0r3i4K6V1&6i4@1f1$3i4@1q4q4i4@1t1#2i4@1f1#2i4K6R3$3i4K6R3#2i4@1f1#2i4@1q4q4i4@1t1&6i4@1f1#2i4K6V1H3i4K6S2q4i4@1f1$3i4K6R3&6i4K6V1K6i4@1f1#2i4@1u0o6i4K6R3H3i4@1f1%4i4K6V1&6i4@1u0q4i4@1f1#2i4@1u0m8i4@1p5$3i4@1f1%4i4@1u0p5i4K6V1I4i4@1f1%4i4K6W2n7i4K6V1^5i4@1f1$3i4K6R3&6i4K6S2n7i4@1f1$3i4K6W2o6i4@1u0m8b7i4m8H3i4@1g2r3i4@1u0o6i4K6S2o6i4@1f1$3i4K6V1K6i4K6S2p5i4@1f1@1i4@1u0p5i4K6W2o6i4@1f1$3i4K6W2n7i4@1t1@1i4@1f1$3i4K6V1$3i4@1t1&6i4@1f1@1i4@1u0q4i4@1u0r3i4@1f1#2i4K6V1K6i4@1p5$3

PVOID                ObHandle;
NTSTATUS        PassStatus = STATUS_UNSUCCESSFUL;

OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
       UNREFERENCED_PARAMETER(RegistrationContext);

       pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
       pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess = PROCESS_ALL_ACCESS;

       return OB_PREOP_SUCCESS;
}

NTSTATUS PassTP_Begin()
{
       OB_CALLBACK_REGISTRATION        ObReg;
       OB_OPERATION_REGISTRATION        OpReg;
       
       memset(&ObReg, 0, sizeof(ObReg));
       ObReg.Version = ObGetFilterVersion();
       ObReg.OperationRegistrationCount = 1;
       ObReg.RegistrationContext = NULL;
       RtlInitUnicodeString(&ObReg.Altitude, L"25444");
       memset(&OpReg, 0, sizeof(OpReg));

       OpReg.ObjectType = PsProcessType;
       OpReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;

       OpReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)preCall;

       ObReg.OperationRegistration = &OpReg;

       PassStatus = ObRegisterCallbacks(&ObReg, &ObHandle);
       if (!NT_SUCCESS(PassStatus))
               return PassStatus;
       return PassStatus;
}

NTSTATUS PassTP_Finish()
{
       if (!NT_SUCCESS(PassStatus))
               return STATUS_UNSUCCESSFUL;

       PassStatus = STATUS_UNSUCCESSFUL;
       ObUnRegisterCallbacks(ObHandle);
       return STATUS_SUCCESS;
}

酷，谢谢分享。。。。。

// 用于全局调试对象权限的计时器   500ms写一次
VOID TimerRoutine(
  _In_      struct _KDPC *Dpc,
  _In_opt_  PVOID DeferredContext,
  _In_opt_  PVOID SystemArgument1,
  _In_opt_  PVOID SystemArgument2
  )
{
  UNREFERENCED_PARAMETER(Dpc);
  UNREFERENCED_PARAMETER(DeferredContext);
  UNREFERENCED_PARAMETER(SystemArgument1);
  UNREFERENCED_PARAMETER(SystemArgument2);
 
  LARGE_INTEGER lTime = { 0 };
  ULONG ulMicroSecond = 0;
 
  //将定时器的时间设置为500ms
  ulMicroSecond = 500000;
  //将32位整数转化成64位整数
  lTime = RtlConvertLongToLargeInteger(-10 * ulMicroSecond);
 
  DbgPrint("dpc Timer...\n");
  KIRQL irql;
  irql = WPOFF();
  *(PULONG_PTR)ul_ValidAccessMask_Addr = 0x1f000f;
  WPON(irql);
 
  KeSetTimer(&Timer, lTime, &myDpc);
}