多维时空 发表于 2014-2-28 09:27:22

[源码] 过TP之创建CreateMyDbgkDebugObjectType


/* Address of the kernel global nt!DbgkDebugObjectType (the pointer cell, not
 * the object it points to). Held in a ULONG, so this code is x86-32 only: the
 * disassembly quoted at the end of CreateMyDbgkDebugObjectType shows 32-bit
 * addresses. */
ULONG DbgkDebugObjectTypeAddr = 0;
/* Original kernel type read from that cell, and the replacement type created
 * by ObCreateObjectType in CreateMyDbgkDebugObjectType. */
POBJECT_TYPE DbgkDebugObjectType = NULL, MyDbgkDebugObjectType = NULL;
/* Working copy of DbgkDebugObjectType->TypeInfo that is handed to
 * ObCreateObjectType (file-scope so it outlives the call). */
OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
/* TRUE while the kernel global points at MyDbgkDebugObjectType; guards both
 * EditDbgkDebugObjectType and UnEditDbgkDebugObjectType against repeats. */
BOOLEAN bEditDbgkDebugObjectType = FALSE;
/*
 * Creates a second object type named "MyDebugObject" whose initializer is a
 * copy of the kernel's DbgkDebugObjectType->TypeInfo, with the generic
 * mapping and ValidAccessMask restored when the live copy has been zeroed.
 *
 * How the kernel type is located: GetSSDTFunctionAddr() (project helper, not
 * shown) yields the address of NtDebugActiveProcess; the dword at +0x5a+2 is
 * the imm32 operand of the "ff 35 40 a5 55 80" push at NtDebugActiveProcess
 * +0x5a in the disassembly quoted at the end of this function, i.e. the
 * address of the nt!DbgkDebugObjectType global (0x8055a540 in that dump).
 * The offset is therefore valid only for that exact kernel build; on any
 * other build the read returns an unrelated dword, and the only validation
 * applied to it is the comparison against zero below.
 *
 * Side effects: fills the file-scope globals DbgkDebugObjectTypeAddr,
 * DbgkDebugObjectType, ObjectTypeInitializer and MyDbgkDebugObjectType, and
 * logs every intermediate value via KdPrint.
 *
 * Returns TRUE when ObCreateObjectType reports STATUS_SUCCESS. FALSE is
 * returned both on failure and when the kernel type is already named
 * "MyDebugObject", so a caller cannot tell the two apart.
 *
 * Defender note: the observable artefacts of this routine are a new object
 * type called "MyDebugObject" and, once EditDbgkDebugObjectType has run, a
 * nt!DbgkDebugObjectType global that no longer holds its original value
 * (0x863bb040 in the author's dump).
 */
BOOLEAN CreateMyDbgkDebugObjectType() {
        ULONG NtDebugActiveProcess;
        UNICODE_STRING MyObjectTypeName;
        NtDebugActiveProcess = GetSSDTFunctionAddr(SysFuncIdx.NtDebugActiveProcess);
        // imm32 of the "push dword ptr [nt!DbgkDebugObjectType]" at +0x5a (see disassembly below)
        DbgkDebugObjectTypeAddr = *(PULONG)(NtDebugActiveProcess + 0x5a + 2);
        KdPrint(("DbgkDebugObjectTypeAddr: 0x%8x\n", DbgkDebugObjectTypeAddr));
        //8055a540
        if (DbgkDebugObjectTypeAddr == 0) {
                KdPrint(("DbgkDebugObjectTypeAddr == 0!"));
                return FALSE;
        }
        // The global is a pointer cell; its contents is the POBJECT_TYPE itself.
        DbgkDebugObjectType = (POBJECT_TYPE)(*(PULONG)DbgkDebugObjectTypeAddr);
        KdPrint(("DbgkDebugObjectType: 0x%8x\n", DbgkDebugObjectType));
        //863bb040
        // Values logged here are the ones the "before tp" dump in EditDbgkDebugObjectType shows.
        KdPrint(("DbgkDebugObjectType->Name: %ws\n", DbgkDebugObjectType->Name.Buffer));
        KdPrint(("TypeInfo.GenericMapping.GenericRead: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericRead));
        //00020001
        KdPrint(("TypeInfo.GenericMapping.GenericWrite: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericWrite));
        //00020002
        KdPrint(("TypeInfo.GenericMapping.GenericExecute: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericExecute));
        //00120000
        KdPrint(("TypeInfo.GenericMapping.GenericAll: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericAll));
        //001f000f
        KdPrint(("TypeInfo.ValidAccessMask: 0x%08x\n", DbgkDebugObjectType->TypeInfo.ValidAccessMask));
        //001f000f
        // Already swapped by an earlier run: nothing to do. Note this is reported as FALSE.
        if (wcscmp(DbgkDebugObjectType->Name.Buffer, L"MyDebugObject") == 0) {
                KdPrint(("已经修改为MyDebugObject.\n"));
                return FALSE;
        }
        // Start from the live TypeInfo so every field not restored below is inherited as-is.
        RtlCopyMemory(&ObjectTypeInitializer, &DbgkDebugObjectType->TypeInfo, sizeof(ObjectTypeInitializer));
        if (DbgkDebugObjectType->TypeInfo.ValidAccessMask == 0) {
                // Restore the constants logged above / recorded in the "before tp" dump.
                KdPrint(("DbgkDebugObjectType->TypeInfo.ValidAccessMask被清零,开始恢复.\n"));
                ObjectTypeInitializer.GenericMapping.GenericRead = 0x00020001;
                ObjectTypeInitializer.GenericMapping.GenericWrite = 0x00020002;
                ObjectTypeInitializer.GenericMapping.GenericExecute = 0x00120000;
                ObjectTypeInitializer.GenericMapping.GenericAll = 0x001f000f;
                ObjectTypeInitializer.ValidAccessMask = 0x001f000f;
        }
        RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");
        // No explicit security descriptor is supplied for the new type.
        return (STATUS_SUCCESS == ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, &MyDbgkDebugObjectType));
        // Reference disassembly for the +0x5a+2 offset above (operands partly lost in extraction):
        //0: kd> uf nt!NtDebugActiveProcess
        //nt!NtDebugActiveProcess:
        //80644cb2 8bffmov edi,edi
        //80644cb4 55pushebp
        //80644cb5 8becmov ebp,esp
        //...
        //nt!NtDebugActiveProcess+0x51:
        //80644d03 6a00push0
        //80644d05 8d4508lea eax,
        //80644d08 50pusheax
        //80644d09 ff75fcpushdword ptr
        //80644d0c ff3540a55580pushdword ptr
        //80644d12 6a02push2
        //80644d14 ff750cpushdword ptr
        //80644d17 e8ee77f7ffcallnt!ObReferenceObjectByHandle (805bc50a)
}
/*
 * Points the kernel's nt!DbgkDebugObjectType global at the type created by
 * CreateMyDbgkDebugObjectType(). Guarded by bEditDbgkDebugObjectType so the
 * swap happens at most once; nothing is written if the create step fails.
 *
 * WPOFF()/WPON() are project helpers (not shown here) that bracket the store
 * into the kernel global; the store must stay between them.
 * NOTE(review): presumably they toggle write protection for the duration of
 * the store — confirm against their definitions.
 *
 * Defender note: the dumps below are the author's own evidence. The values at
 * DbgkDebugObjectType+0x68 match the GenericMapping/ValidAccessMask fields
 * logged in CreateMyDbgkDebugObjectType before tp loads and are zero after,
 * and this function answers by redirecting the global pointer rather than
 * the fields. Comparing nt!DbgkDebugObjectType against its original contents
 * (863bb040 in the first dump) is enough to observe that redirection.
 */
VOID EditDbgkDebugObjectType() {
        if (bEditDbgkDebugObjectType)
        return;
        if (CreateMyDbgkDebugObjectType()) {
                WPOFF();
                // Overwrite the pointer cell found by CreateMyDbgkDebugObjectType.
                *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)MyDbgkDebugObjectType;
                WPON();
                bEditDbgkDebugObjectType = TRUE;
        }
        //lkd> dd nt!DbgkDebugObjectType
        //8055a540863bb040 00000000 00000000 00000000
        // before loading tp:
        //0: kd> dd 863bb040+68
        //863bb0a800020001 00020002 00120000 001f000f
        //863bb0b8001f000f 00000001 00000000 00000000
        // after loading tp:
        //0: kd> dd 863bb040+68
        //863bb0a800000000 00000000 00000000 00000000
        //863bb0b800000000 00000001 00000000 00000000
}
/*
 * Reverses EditDbgkDebugObjectType(): restores the original DbgkDebugObjectType
 * pointer into the kernel global, drops the reference on the driver-created
 * type and clears the guard flag. No-op unless the swap is currently active.
 *
 * Order matters: the global is restored before the replacement type is
 * dereferenced, so the kernel never sees a pointer to an object this code
 * has already released. MyDbgkDebugObjectType itself is not reset to NULL
 * afterwards, so it still holds the stale pointer value.
 */
VOID UnEditDbgkDebugObjectType() {
        if (!bEditDbgkDebugObjectType)
        return;
        WPOFF();
        *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)DbgkDebugObjectType;
        WPON();
        // Release the reference obtained from ObCreateObjectType.
        ObfDereferenceObject(MyDbgkDebugObjectType);
        bEditDbgkDebugObjectType = FALSE;
}

多维时空 发表于 2014-2-28 09:28:16

因为TP有个线程不断地对这个清零,测试过以下方案:
1.直接恢复结构,马上会被清零,od提示无法附加进程,放弃
2.inlinehook,调用ob***之前恢复结构,因为tp清零太快,od提示无法附加进程,放弃

还有个难点就是debugport清零了,我已经解决了,至于方法就不直接说了,提示一下:
修改31处系统函数的debugport偏移,但是有一处tp有检测,我是用Inlinehook绕过的,不修改这一处偏移,在自己的代码里写上新偏移.
至于是检测了哪一处,你们自己测试,我曾经inlinehook了31处才确定的.汗啊!
等哪天tp增加检测的位置,我那31个inlinehook代码又要用上了.

总结:
1.不能修改TesSafe.sys代码,有校验,修改任何一个字节会重启,如果有能力过掉校验就没问题,好像很麻烦,我就不走这条路了.
2.修改系统函数代码,如果有检测,会弹出警告,此时就要改变修改位置,比如双机调试的inlinehook.

wfdwmkqp 发表于 2014-2-28 12:11:35

gdfgfdgfdgd

wizardiecb 发表于 2014-2-28 12:27:36

支持看流星社区

pomian 发表于 2014-3-1 17:19:59

学习了支持下啊

lhx1054176946 发表于 2014-3-1 20:27:18

好东西,一定要看看

羁绊的颜色 发表于 2014-3-2 18:24:57

好东西,一定要看看

niemen 发表于 2014-3-16 10:05:52

好东西,先谢了!!!!!!!!!!!!!!!!

vvnb78 发表于 2014-3-24 14:18:08

回复 1# 多维时空


    sfdfdfdffsd

84869559 发表于 2014-3-24 14:58:45

6y4tyryryr