逆向 Win7 x64 内核调试之 NtCreateDebugObject
/*
 * proxyNtCreateDebugObject - re-implementation of the NtCreateDebugObject
 * system service, intended to stand in for the original on Win7 x64.
 *
 * DebugObjectHandle: receives the new handle; probed for write when the
 *                    caller is not kernel mode.
 * DesiredAccess:     access mask passed straight to ObInsertObject.
 * ObjectAttributes:  passed straight to ObCreateObject.
 * Flags:             only DEBUG_KILL_ON_CLOSE is accepted; any other bit
 *                    yields STATUS_INVALID_PARAMETER.
 *
 * Returns an NTSTATUS. On success *DebugObjectHandle holds the handle.
 *
 * NOTE(review): the statement order below is security-relevant (probe the
 * user pointer before touching it, validate Flags before allocating, write
 * the handle back inside its own try/except) - do not reorder when editing.
 * NOTE(review): if this proxy is installed by patching the service table on
 * x64, kernel patch protection is expected to bug check the machine
 * eventually - confirm how the hook is installed before deploying.
 */
NTSTATUS __fastcall proxyNtCreateDebugObject(
OUT PHANDLE DebugObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG Flags )
{
NTSTATUS status;
HANDLE Handle;
PDEBUG_OBJECT DebugObject;
KPROCESSOR_MODE PreviousMode;
PreviousMode = ExGetPreviousMode();
/* Validate the caller-supplied handle pointer before writing through it.
 * Only user-mode callers are probed; a kernel caller's pointer is trusted. */
try {
if (PreviousMode != KernelMode) {
ProbeForWriteHandle (DebugObjectHandle);
/* Read/write touch of the handle slot so an unmapped page faults here,
 * inside the try block, rather than later. Redundant if the local
 * ProbeForWriteHandle already performs this touch (the WRK macro does)
 * - TODO confirm against its definition. */
*DebugObjectHandle = *DebugObjectHandle;
}
/* Clear the output handle so a failure path never leaves a stale value. */
*DebugObjectHandle = NULL;
} except(ExSystemExceptionFilter()) {
return GetExceptionCode();
}
/* Reject any flag bit other than DEBUG_KILL_ON_CLOSE before allocating. */
if (Flags & ~DEBUG_KILL_ON_CLOSE) {
return STATUS_INVALID_PARAMETER;
}
/* Allocate the debug object. The type is the point of this proxy: it is
 * meant to be swapped to a privately created object type (see comment
 * on the argument). NOTE(review): any other code path that references a
 * debug object by handle with the original DbgkDebugObjectType will then
 * see a type mismatch for handles created here - confirm those paths are
 * proxied as well. */
status = ObCreateObject(
PreviousMode,
NewDbgObject, /* debug object type; to be replaced later with our own newly created object type */
ObjectAttributes,
PreviousMode,
NULL,
sizeof(DEBUG_OBJECT),
0,
0,
(PVOID*)&DebugObject);
if (!NT_SUCCESS(status)) {
return status;
}
/* Initialize the debug object: mutex, pending-event list, and the
 * not-signaled notification event that debuggers wait on. */
ExInitializeFastMutex(&DebugObject->Mutex);
InitializeListHead(&DebugObject->EventList);
KeInitializeEvent(&DebugObject->EventsPresent, NotificationEvent, FALSE);
/* Map the caller's DEBUG_KILL_ON_CLOSE request onto the object flag. */
if (Flags & DEBUG_KILL_ON_CLOSE) {
DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE;
}
else {
DebugObject->Flags = 0;
}
/* Insert the object into the caller's handle table. No dereference is
 * done on failure here; this mirrors the WRK, which relies on
 * ObInsertObject releasing the creation reference when it fails - TODO
 * confirm for the target kernel build. */
status = ObInsertObject(
DebugObject,
NULL,
DesiredAccess,
0,
NULL,
&Handle);
if (!NT_SUCCESS(status)) {
return status;
}
/* Write the handle back to the (already probed) user pointer. If this
 * faults, the handle has already been inserted and is not closed here,
 * so it stays in the caller's handle table; the caller only sees the
 * exception status (same behaviour as the WRK original). */
try {
*DebugObjectHandle = Handle;
} except(ExSystemExceptionFilter()) {
status = GetExceptionCode();
}
return status;
}