What is an object hook?
If it were just one location being hooked I could understand it, but SeDefaultObjectMethod is a single function, so how can it have two "current function addresses"?
This is the first time I've run into this kind of hook, and there is very little material about it online, so I've come to CSDN to ask the driver gurus.
Please explain!
[Solution]
// Exported by the kernel: a pointer to the Process type's OBJECT_TYPE.
extern POBJECT_TYPE *PsProcessType;

// Layout as shown in the thread (XP-era); it differs between Windows versions.
// Declared first because OBJECT_TYPE embeds it by value.
typedef struct _OBJECT_TYPE_INITIALIZER
{
    WORD Length;
    UCHAR ObjectTypeFlags;
    ULONG CaseInsensitive: 1;
    ULONG UnnamedObjectsOnly: 1;
    ULONG UseDefaultObject: 1;
    ULONG SecurityRequired: 1;
    ULONG MaintainHandleCount: 1;
    ULONG MaintainTypeList: 1;
    ULONG ObjectTypeCode;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    // Type-specific routines ("object methods"); shown here the way the
    // debugger displays them, as untyped pointers.
    PVOID DumpProcedure;
    LONG * OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    LONG * ParseProcedure;
    LONG * SecurityProcedure;      // defaults to SeDefaultObjectMethod
    LONG * QueryNameProcedure;
    UCHAR * OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

typedef struct _OBJECT_TYPE
{
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;           // e.g. "Process", "Thread"
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;   // one copy per object type
    ULONG Key;
    EX_PUSH_LOCK ObjectLocks[32];
} OBJECT_TYPE, *POBJECT_TYPE;
OBJECT_TYPE_INITIALIZER holds the addresses of several routines that provide functionality specific to that object type, much like the methods of a Java object; they are called at certain points.
For example, OBJECT_TYPE_INITIALIZER.SecurityProcedure is called during NtQueryObject.
You can change the addresses of these routines, or you can modify the code of the routines themselves directly.
By default, OBJECT_TYPE_INITIALIZER.SecurityProcedure is SeDefaultObjectMethod.
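An added example, not from this thread and not Windows code: a user-mode C simulation of the check an anti-rootkit tool performs to produce the "original" and "current" addresses the question is about. Each object type (Process, Thread, File, ...) has its own OBJECT_TYPE and therefore its own TypeInfo.SecurityProcedure slot, so a tool reports one current address per type even though the expected default is the single routine SeDefaultObjectMethod. The names ending in _sim, the foreign_proc_* routines and every address below are constructed stand-ins.

```c
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>

/* The SecurityProcedure slot, modelled as a plain function pointer.
   Everything in this file is a constructed user-mode simulation. */
typedef int (*SECURITY_PROC)(void);

/* Stand-in for the kernel's exported default routine (SeDefaultObjectMethod). */
static int SeDefaultObjectMethod_sim(void) { return 0; }

/* Constructed stand-ins for two foreign routines left in two types' slots;
   the bodies differ so the two functions are guaranteed distinct addresses. */
static int foreign_proc_a(void) { return 1; }
static int foreign_proc_b(void) { return 2; }

/* Minimal model of one object type's TypeInfo: only the slot discussed above.
   Each object type has its own copy of this slot. */
typedef struct {
    const char   *type_name;
    SECURITY_PROC security_procedure;   /* value as read from the live type object */
} SIM_OBJECT_TYPE;

typedef struct {
    const char *type_name;
    uintptr_t   original;   /* address the slot is expected to hold */
    uintptr_t   current;    /* address it holds in the snapshot */
    int         hooked;     /* 1 when the two differ */
} HOOK_REPORT;

/* Compare every type's SecurityProcedure against the known default.
   Fills one HOOK_REPORT per type and returns how many slots differ. */
size_t check_security_procedures(const SIM_OBJECT_TYPE *types, size_t count,
                                 SECURITY_PROC expected_default,
                                 HOOK_REPORT *reports)
{
    size_t hooked = 0;
    for (size_t i = 0; i < count; i++) {
        reports[i].type_name = types[i].type_name;
        reports[i].original  = (uintptr_t)expected_default;
        reports[i].current   = (uintptr_t)types[i].security_procedure;
        reports[i].hooked    = (types[i].security_procedure != expected_default);
        hooked += (size_t)reports[i].hooked;
    }
    return hooked;
}

/* Constructed snapshot reproducing the situation in the question: the Process
   and Thread types each hold a non-default address (and different ones from
   each other), while the File type is untouched. Returns the hooked count. */
size_t sample_scan(HOOK_REPORT *reports)
{
    const SIM_OBJECT_TYPE snapshot[3] = {
        { "Process", foreign_proc_a },
        { "Thread",  foreign_proc_b },
        { "File",    SeDefaultObjectMethod_sim },
    };
    return check_security_procedures(snapshot, 3, SeDefaultObjectMethod_sim, reports);
}

int main(void)
{
    HOOK_REPORT reports[3];
    size_t n = sample_scan(reports);
    for (size_t i = 0; i < 3; i++) {
        printf("%-8s SecurityProcedure original=%#" PRIxPTR " current=%#" PRIxPTR " %s\n",
               reports[i].type_name, reports[i].original, reports[i].current,
               reports[i].hooked ? "MODIFIED" : "ok");
    }
    printf("%zu of 3 object types have a modified SecurityProcedure\n", n);
    return 0;
}
```

Builds with any C compiler and needs no kernel headers. In a real driver the current value would be read from (*PsProcessType)->TypeInfo.SecurityProcedure (and likewise for the other type objects) using the OBJECT_TYPE layout of the running Windows version, and the baseline would be the address of the exported SeDefaultObjectMethod; a slot whose value differs from that baseline is what a tool lists as "original X, current Y", once per type.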
[Solution]
Bumping this. Could the difference between the thread and process types have something to do with it? The original function address hasn't changed, but the current one differs.