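/*
 * Replaces the kernel's DebugObject type pointer (nt!DbgkDebugObjectType)
 * with a private clone so that debug-object handles keep a usable access
 * mask after a third-party driver ("tp" in the dumps below) has zeroed the
 * original type's GenericMapping / ValidAccessMask.
 *
 * This is a 32-bit x86 kernel patch bound to one ntoskrnl build: the address
 * of the global is recovered from a hard-coded instruction offset inside
 * NtDebugActiveProcess (see the disassembly in CreateMyDbgkDebugObjectType).
 * It is not a supported API and must be reviewed against any other build.
 */

/* Address of the pointer cell nt!DbgkDebugObjectType; 0 until resolved. */
ULONG DbgkDebugObjectTypeAddr = 0;
/* Original type object read from that cell, and the replacement clone. */
POBJECT_TYPE DbgkDebugObjectType = NULL, MyDbgkDebugObjectType = NULL;
/* Scratch copy of the original TypeInfo handed to ObCreateObjectType. */
OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
/* TRUE while the kernel cell points at MyDbgkDebugObjectType. */
BOOLEAN bEditDbgkDebugObjectType = FALSE;

/*
 * Offset of "push dword ptr [nt!DbgkDebugObjectType]" (opcode FF 35 imm32)
 * inside NtDebugActiveProcess on the targeted build: 80644d0c - 80644cb2.
 * The imm32 operand at +2 is the address of the global.
 */
#define NTDAP_PUSH_DBGKTYPE_OFFSET 0x5a
#define X86_PUSH_MEM32_OPCODE0 0xFF
#define X86_PUSH_MEM32_OPCODE1 0x35

/* Access-mask values observed on the untouched DebugObject type (see the "before tp" dump). */
#define DEBUG_OBJECT_GENERIC_READ    0x00020001
#define DEBUG_OBJECT_GENERIC_WRITE   0x00020002
#define DEBUG_OBJECT_GENERIC_EXECUTE 0x00120000
#define DEBUG_OBJECT_GENERIC_ALL     0x001f000f
#define DEBUG_OBJECT_VALID_ACCESS    0x001f000f

/*
 * Compares a counted UNICODE_STRING with a NUL-terminated wide literal.
 * OBJECT_TYPE.Name is counted (Length in bytes), not guaranteed to be
 * NUL-terminated, so wcscmp on Name.Buffer could read past the string.
 */
static BOOLEAN UnicodeStringEqualsLiteral(const UNICODE_STRING *s, const WCHAR *lit)
{
    USHORT i;
    USHORT n = (USHORT)(s->Length / sizeof(WCHAR));

    if (s->Buffer == NULL)
        return FALSE;
    for (i = 0; i < n; i++) {
        if (lit[i] == L'\0' || s->Buffer[i] != lit[i])
            return FALSE;
    }
    return lit[n] == L'\0';
}

/*
 * Locates nt!DbgkDebugObjectType, clones its type initializer (restoring the
 * access masks if they were zeroed) and creates the "MyDebugObject" type.
 *
 * Returns TRUE when MyDbgkDebugObjectType is ready; FALSE when the kernel
 * global could not be located safely, the type is already the replacement,
 * or ObCreateObjectType failed. On FALSE nothing in the kernel is modified.
 */
BOOLEAN CreateMyDbgkDebugObjectType()
{
    ULONG NtDebugActiveProcess;
    PUCHAR Insn;
    ULONG CellAddr;
    UNICODE_STRING MyObjectTypeName;

    NtDebugActiveProcess = GetSSDTFunctionAddr(SysFuncIdx.NtDebugActiveProcess);
    if (NtDebugActiveProcess == 0) {
        KdPrint(("NtDebugActiveProcess == 0!\n"));
        return FALSE;
    }

    /*
     * The SSDT slot may already be hooked by another driver, in which case
     * NtDebugActiveProcess points into that hook and the hard-coded offset
     * lands on arbitrary bytes. Insist on the expected FF 35 opcode before
     * treating the operand as a kernel address and dereferencing it.
     */
    Insn = (PUCHAR)(NtDebugActiveProcess + NTDAP_PUSH_DBGKTYPE_OFFSET);
    if (Insn[0] != X86_PUSH_MEM32_OPCODE0 || Insn[1] != X86_PUSH_MEM32_OPCODE1) {
        KdPrint(("NtDebugActiveProcess+0x%x: unexpected opcode %02x %02x (wrong kernel build or hooked SSDT)\n",
                 NTDAP_PUSH_DBGKTYPE_OFFSET, Insn[0], Insn[1]));
        return FALSE;
    }
    CellAddr = *(PULONG)(Insn + 2);
    KdPrint(("DbgkDebugObjectTypeAddr: 0x%8x\n", CellAddr)); //8055a540
    if (CellAddr == 0) {
        KdPrint(("DbgkDebugObjectTypeAddr == 0!\n"));
        return FALSE;
    }
    DbgkDebugObjectTypeAddr = CellAddr;

    DbgkDebugObjectType = (POBJECT_TYPE)(*(PULONG)DbgkDebugObjectTypeAddr);
    KdPrint(("DbgkDebugObjectType: 0x%8x\n", DbgkDebugObjectType)); //863bb040
    if (DbgkDebugObjectType == NULL) {
        KdPrint(("DbgkDebugObjectType == NULL!\n"));
        return FALSE;
    }
    /* %wZ prints the counted string; %ws would assume a NUL terminator. */
    KdPrint(("DbgkDebugObjectType->Name: %wZ\n", &DbgkDebugObjectType->Name));
    KdPrint(("TypeInfo.GenericMapping.GenericRead: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericRead)); //00020001
    KdPrint(("TypeInfo.GenericMapping.GenericWrite: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericWrite)); //00020002
    KdPrint(("TypeInfo.GenericMapping.GenericExecute: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericExecute)); //00120000
    KdPrint(("TypeInfo.GenericMapping.GenericAll: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericAll)); //001f000f
    KdPrint(("TypeInfo.ValidAccessMask: 0x%08x\n", DbgkDebugObjectType->TypeInfo.ValidAccessMask)); //001f000f

    /* A previous instance of this patch is still live; do not stack another. */
    if (UnicodeStringEqualsLiteral(&DbgkDebugObjectType->Name, L"MyDebugObject")) {
        KdPrint(("已经修改为MyDebugObject.\n"));
        return FALSE;
    }

    /*
     * Clone the whole initializer (procedure pointers included) so the new
     * type behaves like the original, then put the access masks back if
     * they have been cleared.
     */
    RtlCopyMemory(&ObjectTypeInitializer, &DbgkDebugObjectType->TypeInfo, sizeof(ObjectTypeInitializer));
    if (DbgkDebugObjectType->TypeInfo.ValidAccessMask == 0) {
        KdPrint(("DbgkDebugObjectType->TypeInfo.ValidAccessMask被清零,开始恢复.\n"));
        ObjectTypeInitializer.GenericMapping.GenericRead = DEBUG_OBJECT_GENERIC_READ;
        ObjectTypeInitializer.GenericMapping.GenericWrite = DEBUG_OBJECT_GENERIC_WRITE;
        ObjectTypeInitializer.GenericMapping.GenericExecute = DEBUG_OBJECT_GENERIC_EXECUTE;
        ObjectTypeInitializer.GenericMapping.GenericAll = DEBUG_OBJECT_GENERIC_ALL;
        ObjectTypeInitializer.ValidAccessMask = DEBUG_OBJECT_VALID_ACCESS;
    }

    RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");
    return (STATUS_SUCCESS == ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer,
                                                 (PSECURITY_DESCRIPTOR)NULL, &MyDbgkDebugObjectType));

    //0: kd> uf nt!NtDebugActiveProcess
    //nt!NtDebugActiveProcess:
    //80644cb2 8bff mov edi,edi
    //80644cb4 55 push ebp
    //80644cb5 8bec mov ebp,esp
    //...
    //nt!NtDebugActiveProcess+0x51:
    //80644d03 6a00 push 0
    //80644d05 8d4508 lea eax,[ebp+8]
    //80644d08 50 push eax
    //80644d09 ff75fc push dword ptr [ebp-4]
    //80644d0c ff3540a55580 push dword ptr [nt!DbgkDebugObjectType (8055a540)]
    //80644d12 6a02 push 2
    //80644d14 ff750c push dword ptr [ebp+0Ch]
    //80644d17 e8ee77f7ff call nt!ObReferenceObjectByHandle (805bc50a)
}

/*
 * Points nt!DbgkDebugObjectType at the replacement type. Idempotent: a
 * second call while the patch is live is a no-op.
 *
 * Callers should keep the patched window as short as possible: the kernel
 * checks debug-object handles against whatever this cell holds, so objects
 * created before the swap (or after the restore) are type-mismatched while
 * the other type is installed.
 *
 * NOTE(review): WPOFF/WPON are defined elsewhere. If they only toggle
 * CR0.WP without disabling interrupts, a preemption between them can leave
 * this CPU with WP cleared — confirm they cover the window (cli/sti or
 * IRQL >= DISPATCH_LEVEL).
 */
VOID EditDbgkDebugObjectType()
{
    if (bEditDbgkDebugObjectType)
        return;
    if (!CreateMyDbgkDebugObjectType())
        return;

    WPOFF();
    *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)MyDbgkDebugObjectType;
    WPON();
    bEditDbgkDebugObjectType = TRUE;

    //lkd> dd nt!DbgkDebugObjectType
    //8055a540 863bb040 00000000 00000000 00000000

    //before loading tp:
    //0: kd> dd 863bb040+68
    //863bb0a8 00020001 00020002 00120000 001f000f
    //863bb0b8 001f000f 00000001 00000000 00000000

    //after loading tp:
    //0: kd> dd 863bb040+68
    //863bb0a8 00000000 00000000 00000000 00000000
    //863bb0b8 00000000 00000001 00000000 00000000
}

/*
 * Restores the original nt!DbgkDebugObjectType pointer. No-op if the patch
 * is not live.
 *
 * The replacement type must stay valid after this: any DebugObject created
 * while the patch was live still names MyDbgkDebugObjectType in its object
 * header. The dereference below only balances the reference returned by
 * ObCreateObjectType; do not add code that frees or unregisters the type.
 */
VOID UnEditDbgkDebugObjectType()
{
    if (!bEditDbgkDebugObjectType)
        return;

    WPOFF();
    *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)DbgkDebugObjectType;
    WPON();
    ObfDereferenceObject(MyDbgkDebugObjectType);
    bEditDbgkDebugObjectType = FALSE;
}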
//原 (original nt!DbgkDebugObjectType at 863bb040, Name = "DebugObject"):
lkd> dt _object_type 863bb040
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x863bb078 - 0x863bb078 ]
+0x040 Name : _UNICODE_STRING "DebugObject"
+0x048 DefaultObject : (null)
+0x04c Index : 8
+0x050 TotalNumberOfObjects : 0
+0x054 TotalNumberOfHandles : 0
+0x058 HighWaterNumberOfObjects : 0
+0x05c HighWaterNumberOfHandles : 0
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x75626544
+0x0b0 ObjectLocks : [4] _ERESOURCE
//新 (replacement type returned by ObCreateObjectType at 85adec38, Name = "MyDebugObject"):
lkd> dt _object_type 85adec38
nt!_OBJECT_TYPE
+0x000 Mutex : _ERESOURCE
+0x038 TypeList : _LIST_ENTRY [ 0x85adec70 - 0x85adec70 ]
+0x040 Name : _UNICODE_STRING "MyDebugObject"
+0x048 DefaultObject : (null)
+0x04c Index : 0x20
+0x050 TotalNumberOfObjects : 0
+0x054 TotalNumberOfHandles : 0
+0x058 HighWaterNumberOfObjects : 0
+0x05c HighWaterNumberOfHandles : 0
+0x060 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0ac Key : 0x6544794d
+0x0b0 ObjectLocks : [4] _ERESOURCE