首先,最高效的应该是这种办法,但是最不稳定的也是这种办法。 虽然不会触发 PG ,但是由于调用方太多了,所以动不动炸进程或者蓝屏。
进程对象(EPORCESS)->PsProcessType
线程对象(PETHREAD)->PsThreadType
文件对象(FileObject)->IoFileObjectType
…
具体流程不分析大概是这样,创建对象->Ob插入对象->系统访问(对象,这些对象是分配出来的不归PG管理)->根据对象Index->寻找对应Ob回调->…(笼统来说,不喜勿喷)
用Process在win 7 上做实验,这是win7-w10 结构对象
关注 +0x28位置,这是在寻找Object Context的依据 ,可见win7上 Object Type Index = 0x7
随便哪个进程EProcess Object - 0x18(Object Header)emmm。。自己去看资料为什么-0x18
可以看到每个EPROCESS 的对象 index = 7.好了我们知道大概的流程
1.获取对象地址 Object
2.Object -0x18 = Object Index
3.创建内核新对象->填充原始数据->替换原始对象->获取 (新对象+0x28)Index->解锁对象(这个很重要)
4.替换 Object-0x18 = (新对象+0x28)
5.收工。。最终效果
接着打开PCHUNTER火绒等等
触发自己对象回调
POBJECT_TYPE_INITIALIZER ProcessType = (POBJECT_TYPE_INITIALIZER)(Object_type + 0x40);//OBJECT_TYPE_INITIALIZER 对象
RtlZeroMemory(ObjectTypeInitializer, sizeof(OBJECT_TYPE_INITIALIZER));
ObjectTypeInitializer->PoolType = NonPagedPool;
ObjectTypeInitializer->InvalidAttributes = OBJ_OPENIF;
ObjectTypeInitializer->ValidAccessMask = OBJECT_TYPE_ALL_ACCESS;
ObjectTypeInitializer->RetainAccess = 1;
ObjectTypeInitializer->OpenProcedure = (PVOID)NewPspProcessOpen;
ObjectTypeInitializer->DumpProcedure = (PVOID)ProcessType->DumpProcedure;
ObjectTypeInitializer->CloseProcedure = ProcessType->CloseProcedure;
ObjectTypeInitializer->DeleteProcedure = ProcessType->DeleteProcedure;
ObjectTypeInitializer->ObjectTypeCode = 1;
ObjectTypeInitializer->DefaultNonPagedPoolCharge = sizeof(OBJECT_TYPE_INITIALIZER);
ObjectTypeInitializer->u.ObjectTypeFlags = 0x4a;