过TP创建CreateMyDbgkDebugObjectType源码

haha0518

过TP创建CreateMyDbgkDebugObjectType源码

因为TP有个线程不断的对这个清零,测试过以下方案:
1.直接恢复结构,马上会被清零,od提示无法附加进程,放弃
2.inlinehook,调用ob***之前恢复结构,因为tp清零太快,od提示无法附加进程,放弃

还有个难点就是debugport清零了,我已经解决了,至于方法就不直接说了,提示一下:
修改31处系统函数的debugport偏移,但是有一处tp有检测,我是用Inlinehook绕过的,不修改这一处偏移,在自己的代码里写上新偏移.
至于是检测了哪一处,你们自己测试,我曾经inlinehook了31处才确定的.汗啊!
等哪天tp增加检测的位置,我那31个inlinehook代码又要用上了.

总结:
1.不能修改TesSafe.sys代码,有校验,修改任何一个字节会重启,如果有能力过掉校验就没问题,好像很麻烦,我就不走这条路了.
2.修改系统函数代码,如果有检测,会弹出警告,此时就要改变修改位置,比如双机调试的inlinehook.

1. ULONG DbgkDebugObjectTypeAddr = 0;
   
2. POBJECT_TYPE DbgkDebugObjectType = NULL, MyDbgkDebugObjectType = NULL;
   
3. OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
   
4. BOOLEAN bEditDbgkDebugObjectType = FALSE;
   
5. BOOLEAN CreateMyDbgkDebugObjectType() {
   
6.         ULONG NtDebugActiveProcess;
   
7.         UNICODE_STRING MyObjectTypeName;
   
8.         NtDebugActiveProcess = GetSSDTFunctionAddr(SysFuncIdx.NtDebugActiveProcess);
   
9.         DbgkDebugObjectTypeAddr = *(PULONG)(NtDebugActiveProcess + 0x5a + 2);
   
10.         KdPrint(("DbgkDebugObjectTypeAddr: 0x%8x\n", DbgkDebugObjectTypeAddr));
    
11.         //8055a540
    
12.         if (DbgkDebugObjectTypeAddr == 0) {
    
13.                 KdPrint(("DbgkDebugObjectTypeAddr == 0!"));
    
14.                 return FALSE;
    
15.         }
    
16.         DbgkDebugObjectType = (POBJECT_TYPE)(*(PULONG)DbgkDebugObjectTypeAddr);
    
17.         KdPrint(("DbgkDebugObjectType: 0x%8x\n", DbgkDebugObjectType));
    
18.         //863bb040
    
19.         KdPrint(("DbgkDebugObjectType->Name: %ws\n", DbgkDebugObjectType->Name.Buffer));
    
20.         KdPrint(("TypeInfo.GenericMapping.GenericRead: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericRead));
    
21.         //00020001
    
22.         KdPrint(("TypeInfo.GenericMapping.GenericWrite: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericWrite));
    
23.         //00020002
    
24.         KdPrint(("TypeInfo.GenericMapping.GenericExecute: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericExecute));
    
25.         //00120000
    
26.         KdPrint(("TypeInfo.GenericMapping.GenericAll: 0x%08x\n", DbgkDebugObjectType->TypeInfo.GenericMapping.GenericAll));
    
27.         //001f000f
    
28.         KdPrint(("TypeInfo.ValidAccessMask: 0x%08x\n", DbgkDebugObjectType->TypeInfo.ValidAccessMask));
    
29.         //001f000f
    
30.         if (wcscmp(DbgkDebugObjectType->Name.Buffer, L"MyDebugObject") == 0) {
    
31.                 KdPrint(("已经修改为MyDebugObject.\n"));
    
32.                 return FALSE;
    
33.         }
    
34.         RtlCopyMemory(&ObjectTypeInitializer, &DbgkDebugObjectType->TypeInfo, sizeof(ObjectTypeInitializer));
    
35.         if (DbgkDebugObjectType->TypeInfo.ValidAccessMask == 0) {
    
36.                 KdPrint(("DbgkDebugObjectType->TypeInfo.ValidAccessMask被清零,开始恢复.\n"));
    
37.                 ObjectTypeInitializer.GenericMapping.GenericRead = 0x00020001;
    
38.                 ObjectTypeInitializer.GenericMapping.GenericWrite = 0x00020002;
    
39.                 ObjectTypeInitializer.GenericMapping.GenericExecute = 0x00120000;
    
40.                 ObjectTypeInitializer.GenericMapping.GenericAll = 0x001f000f;
    
41.                 ObjectTypeInitializer.ValidAccessMask = 0x001f000f;
    
42.         }
    
43.         RtlInitUnicodeString(&MyObjectTypeName, L"MyDebugObject");
    
44.         return (STATUS_SUCCESS == ObCreateObjectType(&MyObjectTypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, &MyDbgkDebugObjectType));
    
45.         //0: kd> uf nt!NtDebugActiveProcess
    
46.         //nt!NtDebugActiveProcess:
    
47.         //80644cb2 8bffmov edi,edi
    
48.         //80644cb4 55pushebp
    
49.         //80644cb5 8becmov ebp,esp
    
50.         //...
    
51.         //nt!NtDebugActiveProcess+0x51:
    
52.         //80644d03 6a00push0
    
53.         //80644d05 8d4508lea eax,[ebp+8]
    
54.         //80644d08 50pusheax
    
55.         //80644d09 ff75fcpushdword ptr [ebp-4]
    
56.         //80644d0c ff3540a55580pushdword ptr [nt!DbgkDebugObjectType (8055a540)]
    
57.         //80644d12 6a02push2
    
58.         //80644d14 ff750cpushdword ptr [ebp+0Ch]
    
59.         //80644d17 e8ee77f7ffcallnt!ObReferenceObjectByHandle (805bc50a)
    
60. }
    
61. VOID EditDbgkDebugObjectType() {
    
62.         if (bEditDbgkDebugObjectType)
    
63.         return;
    
64.         if (CreateMyDbgkDebugObjectType()) {
    
65.                 WPOFF();
    
66.                 *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)MyDbgkDebugObjectType;
    
67.                 WPON();
    
68.                 bEditDbgkDebugObjectType = TRUE;
    
69.         }
    
70.         //lkd> dd nt!DbgkDebugObjectType
    
71.         //8055a540863bb040 00000000 00000000 00000000
    
72.         //加载tp前:
    
73.         //0: kd> dd 863bb040+68
    
74.         //863bb0a800020001 00020002 00120000 001f000f
    
75.         //863bb0b8001f000f 00000001 00000000 00000000
    
76.         //加载tp后:
    
77.         //0: kd> dd 863bb040+68
    
78.         //863bb0a800000000 00000000 00000000 00000000
    
79.         //863bb0b800000000 00000001 00000000 00000000
    
80. }
    
81. VOID UnEditDbgkDebugObjectType() {
    
82.         if (!bEditDbgkDebugObjectType)
    
83.         return;
    
84.         WPOFF();
    
85.         *(PULONG)DbgkDebugObjectTypeAddr = (ULONG)DbgkDebugObjectType;
    
86.         WPON();
    
87.         ObfDereferenceObject(MyDbgkDebugObjectType);
    
88.         bEditDbgkDebugObjectType = FALSE;
    
89. }
    

复制代码