逆WIN7X64内核调试之NTCreateDebugObject
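/*
 * proxyNtCreateDebugObject - reimplementation of NtCreateDebugObject.
 *
 * Probes the caller-supplied handle slot, creates a DEBUG_OBJECT of the
 * object type named by NewDbgObject, inserts it into the caller's handle
 * table and returns the new handle through DebugObjectHandle.
 *
 * DebugObjectHandle: receives the new handle. It is cleared to NULL right
 *                    after the probe, so every later failure path leaves
 *                    NULL in the caller's slot.
 * DesiredAccess:     access mask handed to ObInsertObject unchanged.
 * ObjectAttributes:  handed to ObCreateObject unchanged.
 * Flags:             only DEBUG_KILL_ON_CLOSE is accepted; any other bit set
 *                    yields STATUS_INVALID_PARAMETER.
 *
 * Returns an NTSTATUS: the exception code when the handle slot cannot be
 * probed or written, otherwise the status of the object-manager calls.
 */
NTSTATUS __fastcall proxyNtCreateDebugObject(
    OUT PHANDLE DebugObjectHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN ULONG Flags
    )
{
    NTSTATUS status;
    HANDLE Handle;
    PDEBUG_OBJECT DebugObject;
    KPROCESSOR_MODE PreviousMode = ExGetPreviousMode();

    /*
     * DebugObjectHandle is an untrusted pointer for a user-mode caller and
     * must be probed before it is touched. ProbeForWriteHandle performs the
     * range/alignment check and the probing access itself, so the
     * self-assignment the decompiler emitted after it (the expanded body of
     * the same macro) was redundant and has been dropped. The NULL store is
     * kept inside the try as in the original; ExSystemExceptionFilter only
     * claims the fault for a user-mode caller, a kernel-mode caller's bad
     * pointer is not masked here.
     */
    try {
        if (PreviousMode != KernelMode) {
            ProbeForWriteHandle(DebugObjectHandle);
        }
        *DebugObjectHandle = NULL;
    } except (ExSystemExceptionFilter()) {
        return GetExceptionCode();
    }

    /* Reject any flag bit other than DEBUG_KILL_ON_CLOSE. */
    if (Flags & ~DEBUG_KILL_ON_CLOSE) {
        return STATUS_INVALID_PARAMETER;
    }

    /*
     * Create the object. NewDbgObject is the object type used in place of
     * the system debug-object type; it is defined elsewhere in this project.
     * PreviousMode is passed as both the probe mode and the ownership mode,
     * so ObjectAttributes is validated as coming from the caller's mode.
     */
    status = ObCreateObject(
        PreviousMode,
        NewDbgObject,
        ObjectAttributes,
        PreviousMode,
        NULL,
        sizeof(DEBUG_OBJECT),
        0,
        0,
        (PVOID *)&DebugObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* Fresh object: lock, empty event queue, unsignalled "events present" event. */
    ExInitializeFastMutex(&DebugObject->Mutex);
    InitializeListHead(&DebugObject->EventList);
    KeInitializeEvent(&DebugObject->EventsPresent, NotificationEvent, FALSE);
    DebugObject->Flags = (Flags & DEBUG_KILL_ON_CLOSE) ? DEBUG_OBJECT_KILL_ON_CLOSE : 0;

    /*
     * Insert into the caller's handle table. The original does not
     * dereference DebugObject on failure; presumably ObInsertObject drops
     * the creation reference itself in that case — confirm against the
     * object manager before changing this.
     */
    status = ObInsertObject(
        DebugObject,
        NULL,
        DesiredAccess,
        0,
        NULL,
        &Handle);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /*
     * Publish the handle. The slot was probed above but the caller may have
     * unmapped it since, so the store is guarded again.
     * NOTE(review): if this store faults, the handle already exists in the
     * caller's table and is not closed here; the original behaves the same.
     */
    try {
        *DebugObjectHandle = Handle;
    } except (ExSystemExceptionFilter()) {
        status = GetExceptionCode();
    }
    return status;
}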
OUT PHANDLE DebugObjectHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG Flags
)
{
NTSTATUS status;
HANDLE Handle;
PDEBUG_OBJECT DebugObject;
KPROCESSOR_MODE PreviousMode;
PreviousMode = ExGetPreviousMode();
//判断用户层句柄地址是否合法
try {
if (PreviousMode != KernelMode) {
ProbeForWriteHandle (DebugObjectHandle);
*DebugObjectHandle = *DebugObjectHandle;
}
*DebugObjectHandle = NULL;
} except(ExSystemExceptionFilter()) {
return GetExceptionCode();
}
if (Flags & ~DEBUG_KILL_ON_CLOSE) {
return STATUS_INVALID_PARAMETER;
}
//创建调试对象
status = ObCreateObject(
PreviousMode,
NewDbgObject, //调试对象类型,后面我们要换成我们新建的调试对象类型
ObjectAttributes,
PreviousMode,
NULL,
sizeof(DEBUG_OBJECT),
0,
0,
(PVOID*)&DebugObject);
if (!NT_SUCCESS(status)) {
return status;
}
//初始化调试对象
ExInitializeFastMutex(&DebugObject->Mutex);
InitializeListHead(&DebugObject->EventList);
KeInitializeEvent(&DebugObject->EventsPresent, NotificationEvent, FALSE);
if (Flags & DEBUG_KILL_ON_CLOSE) {
DebugObject->Flags = DEBUG_OBJECT_KILL_ON_CLOSE;
}
else {
DebugObject->Flags = 0;
}
//调试对象插入句柄表
status = ObInsertObject(
DebugObject,
NULL,
DesiredAccess,
0,
NULL,
&Handle);
if (!NT_SUCCESS(status)) {
return status;
}
try {
*DebugObjectHandle = Handle;
} except(ExSystemExceptionFilter()) {
status = GetExceptionCode();
}
return status;
}