無HOOK監控進線程句柄操作

? ? ? ? ?

? ? ? ? 在?NT5?平臺下，要監控進線程句柄的操作。

? 通常要掛鉤三個API：NtOpenProcess、NtOpenThread、NtDuplicateObject。但是在?VISTA?SP1?以及之后的系統中，我們可以完全拋棄?HOOK?方案了，轉而使用一個標準的?API：ObRegisterCallbacks。下面做一個監視進線程句柄操作的程序，并實現保護名為?CALC.EXE?的進程不被結束。

????首先介紹一下?ObRegisterCallbacks?這個函數。此函數的前綴是Ob，看得出它是屬于對象管理器的函數，Register?是注冊，Callbacks?是回調（復數）。

? ? 因此從字面意思上看，它是注冊一個對象回調的意思。現在它只能監控進程對象和線程對象。但微軟承諾會給此函數增加功能，實現對其它內核對象的監控。這個函數在不能合法進行內核掛鉤的?WIN64?上特別有用，但是微軟做了一個很扯淡的限制：?驅動程序必須有數字簽名才能使用?此函數。不過國外的黑客對此限制很不爽，他們通過逆向?ObRegisterCallbacks，找到了破解這個限制的方法。經研究，內核通過?MmVerifyCallbackFunction?驗證此回調是否合法，但此函數只是簡單的驗證了一下?DriverObject->DriverSection->Flags?的值是不是為?0x20：所以可以簡單破解掉這個限制：

X32typedef struct _LDR_DATA_TABLE_ENTRY32{LIST_ENTRY32 InLoadOrderLinks;LIST_ENTRY32 InMemoryOrderLinks;LIST_ENTRY32 InInitializationOrderLinks;ULONG DllBase;ULONG EntryPoint;ULONG SizeOfImage;UNICODE_STRING32 FullDllName;UNICODE_STRING32 BaseDllName;ULONG Flags;USHORT LoadCount;USHORT TlsIndex;union {LIST_ENTRY32 HashLinks;struct {ULONG SectionPointer;ULONG CheckSum;};};union {struct {ULONG TimeDateStamp;};struct {ULONG LoadedImports;};};} LDR_DATA_TABLE_ENTRY32, *PLDR_DATA_TABLE_ENTRY32;PLDR_DATA_TABLE_ENTRY32 ldr;ldr = (PLDR_DATA_TABLE_ENTRY32)(pDriverObj->DriverSection);ldr->Flags |= 0x20; X64typedef struct _LDR_DATA_TABLE_ENTRY64{LIST_ENTRY64 InLoadOrderLinks;LIST_ENTRY64 InMemoryOrderLinks;LIST_ENTRY64 InInitializationOrderLinks;PVOID DllBase;PVOID EntryPoint;ULONG SizeOfImage;UNICODE_STRING FullDllName;UNICODE_STRING BaseDllName;ULONG Flags;USHORT LoadCount;USHORT TlsIndex;PVOID SectionPointer;ULONG CheckSum;PVOID LoadedImports;PVOID EntryPointActivationContext;PVOID PatchInformation;LIST_ENTRY64 ForwarderLinks;LIST_ENTRY64 ServiceTagLinks;LIST_ENTRY64 StaticLinks;PVOID ContextInformation;ULONG64 OriginalBase;LARGE_INTEGER LoadTime;} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;PLDR_DATA_TABLE_ENTRY64 ldr;ldr = (PLDR_DATA_TABLE_ENTRY64)(pDriverObj->DriverSection);ldr->Flags |= 0x20;

? ? 上面代碼如果是用于商業或者其他正當場合，注意要好好測試下，我是在網上找了到了那個結構體定義，然后自己在win7?32和win764位機器上測試了一下，沒問題。小伙伴記得好好測試其他系統再用。然后就是來兩個回調函數，一個是進程回調，一個是線程回調：

NTKERNELAPI PEPROCESS IoThreadToProcess(PETHREAD Thread); NTKERNELAPI char* PsGetProcessImageFileName(PEPROCESS Process);BOOLEAN IsProtectedProcessName(PEPROCESS eprocess) {char *Name=PsGetProcessImageFileName(eprocess);if(!_stricmp("calc.exe",Name))return TRUE;elsereturn FALSE; }PVOID obHandle=NULL,obHandle2=NULL;OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation) {#define PROCESS_TERMINATE 0x1HANDLE pid;if(pOperationInformation->ObjectType!=*PsProcessType)goto exit_sub;pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);DbgPrint("[OBCALLBACK][Process]PID=%ld\n",pid);UNREFERENCED_PARAMETER(RegistrationContext);if( IsProtectedProcessName((PEPROCESS)pOperationInformation->Object) ){if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE){//pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0;if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE){pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;}}if(pOperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE){//pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0;if ((pOperationInformation->Parameters->DuplicateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE){pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;}}} exit_sub:return OB_PREOP_SUCCESS; }OB_PREOP_CALLBACK_STATUS preCall2(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation) {#define THREAD_TERMINATE2 0x1PEPROCESS ep;PETHREAD et;HANDLE pid;if(pOperationInformation->ObjectType!=*PsThreadType)goto exit_sub;et=(PETHREAD)pOperationInformation->Object;ep=IoThreadToProcess(et);pid = PsGetProcessId(ep);DbgPrint("[OBCALLBACK][Thread]PID=%ld; TID=%ld\n",pid,PsGetThreadId(et));UNREFERENCED_PARAMETER(RegistrationContext);if( IsProtectedProcessName(ep) ){if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE){//pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0;if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & THREAD_TERMINATE2) == THREAD_TERMINATE2){pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~THREAD_TERMINATE2;}}if(pOperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE){//pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0;if ((pOperationInformation->Parameters->DuplicateHandleInformation.OriginalDesiredAccess & THREAD_TERMINATE2) == THREAD_TERMINATE2){pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~THREAD_TERMINATE2;}}} exit_sub:return OB_PREOP_SUCCESS; }然后就是在驅動里注冊/卸載這兩個回調函數： NTSTATUS ObProtectProcess(BOOLEAN Enable) {if(Enable==TRUE){NTSTATUS obst1=0,obst2=0;OB_CALLBACK_REGISTRATION obReg,obReg2;OB_OPERATION_REGISTRATION opReg,opReg2;//reg ob callback 1memset(&obReg, 0, sizeof(obReg));obReg.Version = ObGetFilterVersion();obReg.OperationRegistrationCount = 1;obReg.RegistrationContext = NULL;RtlInitUnicodeString(&obReg.Altitude, L"321124");obReg.OperationRegistration = &opReg;memset(&opReg, 0, sizeof(opReg));opReg.ObjectType = PsProcessType;opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall;obst1=ObRegisterCallbacks(&obReg, &obHandle);//reg ob callback 2memset(&obReg2, 0, sizeof(obReg2));obReg2.Version = ObGetFilterVersion();obReg2.OperationRegistrationCount = 1;obReg2.RegistrationContext = NULL;RtlInitUnicodeString(&obReg2.Altitude, L"321125");obReg2.OperationRegistration = &opReg2;memset(&opReg2, 0, sizeof(opReg2));opReg2.ObjectType = PsThreadType;opReg2.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;opReg2.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall2;obst1=ObRegisterCallbacks(&obReg2, &obHandle2);return NT_SUCCESS(obst1) & NT_SUCCESS(obst2);}else{if(obHandle!=NULL)ObUnRegisterCallbacks(obHandle);if(obHandle2!=NULL)ObUnRegisterCallbacks(obHandle2);return TRUE;} } 執行結果：

總結

以上是生活随笔為你收集整理的Win64 驱动内核编程-11.回调监控进线程句柄操作的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。