
我也爆,object hook需要的一个头文件   [复制链接]


发表于 2008-2-12 01:16:05 |显示全部楼层
#ifndef KRNLSTRUCTS_H
#define KRNLSTRUCTS_H

// Frame-pointer-linked stack frame, for walking a call chain frame by frame.
// Parameters[1] is the "trailing array" idiom used throughout this header:
// the frame really holds as many arguments as the callee takes, and nothing
// here records that count, so a reader must bound its own indexing.
// NOTE(review): ReturnAddress is typed ULONG *; presumably the slot holds the
// code address itself rather than a pointer to one — confirm with the
// consumer before dereferencing it.
typedef struct _STACK_FRAME
{
    struct _STACK_FRAME *PreviousFrame;  // saved frame pointer of the caller
    ULONG *ReturnAddress;
    ULONG Parameters[1];                 // first argument; more follow in memory
} STACK_FRAME;

//////////////////////////////////////////////////////////////////

// One slot of a handle table.  Each union overlays a single word: the first
// packs attribute bits into the OBJECT_HEADER pointer (the HANDLE_ATTRIBUTE_MASK
// / HANDLE_OBJECT_MASK named in the trailing comments are not defined in this
// header), the second is the granted access of a live entry or the free-list
// link of an unused one.
typedef struct _HANDLE_ENTRY
{
    union
    {
        ULONG HandleAttributes; // HANDLE_ATTRIBUTE_MASK
        struct _OBJECT_HEADER *ObjectHeader; // HANDLE_OBJECT_MASK
    };
    union
    {
        ACCESS_MASK GrantedAccess; // if used entry
        ULONG NextEntry;             // if free entry
    };
} HANDLE_ENTRY, *PHANDLE_ENTRY;

// Per-process handle table.  Table is a multi-level pointer array whose
// leaves are HANDLE_ENTRY slots; HandleTableLock guards it and
// HandleTableList links all tables together.
// NOTE(review): this layout (pointer-array Table, ProcessID, Contention) looks
// like the NT4/Windows 2000 handle table rather than the TableCode-based one
// later kernels use — verify the field offsets against the target build
// before reading it.
typedef struct _HANDLE_TABLE
{
    ULONG Flags;
    ULONG HandleCount;
    PHANDLE_ENTRY **Table;
    struct _EPROCESS *Process;
    HANDLE ProcessID;
    ULONG FirstFreeEntry;      // head of the NextEntry free list
    ULONG NextPoolIndex;
    ERESOURCE HandleTableLock;
    LIST_ENTRY HandleTableList;
    KEVENT Contention;
} HANDLE_TABLE, *PHANDLE_TABLE;

// Number of handles one process holds to an object.  Used directly as
// OBJECT_HEADER_HANDLE_INFO.SingleEntry and as the element type of
// OBJECT_HANDLE_COUNT_DATABASE (both below).
typedef struct _OBJECT_HANDLE_COUNT_ENTRY
{
  PEPROCESS Process;
  ULONG HandleCount;
} OBJECT_HANDLE_COUNT_ENTRY, *POBJECT_HANDLE_COUNT_ENTRY;

//////////////////////////////////////////////////////////////////

// Object-type callbacks.  Every OBJECT_TYPE carries one slot of each kind in
// its OBJECT_TYPE_INITIALIZER (below), and the object manager invokes them as
// handles are opened/closed, objects deleted, names parsed and so on.
// Defensive note: a driver that overwrites one of these slots changes the
// behaviour of every object of that type, and on builds with kernel patch
// protection such a write may trip it; kernel-integrity tooling typically
// compares the slots against a known-good image for exactly this reason.
// IN/OUT/OPTIONAL are the annotation macros from the public NT headers.

// Argument block for the debugger dump callback.
typedef struct _OBJECT_DUMP_CONTROL
{
    PVOID Stream;
    ULONG Detail;
} OB_DUMP_CONTROL, *POB_DUMP_CONTROL;

// Dumps an object for the debugger; Control may be NULL.
typedef VOID (*OB_DUMP_METHOD)(
    IN PVOID Object,
    IN POB_DUMP_CONTROL Control OPTIONAL
    );

// Why the open callback is being invoked.
typedef enum _OB_OPEN_REASON
{
    ObCreateHandle,
    ObOpenHandle,
    ObDuplicateHandle,
    ObInheritHandle,
    ObMaxOpenReason   // count, not a valid reason
} OB_OPEN_REASON;


// Called when a handle to Object is created, opened, duplicated or inherited
// (see OB_OPEN_REASON); receives the access granted and the handle count.
typedef VOID (*OB_OPEN_METHOD)(
    IN OB_OPEN_REASON OpenReason,
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG HandleCount
    );

// Asked before Handle is closed; presumably returning FALSE vetoes the close
// — confirm against the caller.
typedef BOOLEAN (*OB_OKAYTOCLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN HANDLE Handle
    );

// Called as a handle is closed, with the per-process and system-wide handle
// counts of the object.
typedef VOID (*OB_CLOSE_METHOD)(
    IN PEPROCESS Process OPTIONAL,
    IN PVOID Object,
    IN ACCESS_MASK GrantedAccess,
    IN ULONG ProcessHandleCount,
    IN ULONG SystemHandleCount
    );

// Called when the object itself is torn down.
typedef VOID (*OB_DELETE_METHOD)(
    IN PVOID Object
    );

// Name-parse callback: given the object reached so far (ParseObject) and the
// still-unconsumed part of the name (RemainingName, updated in place), it
// resolves to *Object.  AccessMode is the requester's mode and must be
// honoured when the callback touches caller-supplied memory.
typedef NTSTATUS (*OB_PARSE_METHOD)(
    IN PVOID ParseObject,
    IN PVOID ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN KPROCESSOR_MODE AccessMode,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object
    );

// Security-descriptor callback; OperationCode selects query/set/assign/delete
// and ObjectsSecurityDescriptor is the descriptor stored on the object.
typedef NTSTATUS (*OB_SECURITY_METHOD)(
    IN PVOID Object,
    IN SECURITY_OPERATION_CODE OperationCode,
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping
    );

// Fills ObjectNameInfo (Length bytes available) with the object's name and
// reports the size needed in *ReturnLength.
typedef NTSTATUS (*OB_QUERYNAME_METHOD)(
    IN PVOID Object,
    IN BOOLEAN HasObjectName,
    OUT POBJECT_NAME_INFORMATION ObjectNameInfo,
    IN ULONG Length,
    OUT PULONG ReturnLength
    );

// Per-type configuration embedded in OBJECT_TYPE.TypeInfo.  GenericMapping and
// ValidAccessMask describe the access bits the type accepts; PoolType and the
// two charges say where and how much pool each instance is billed; the
// *Procedure slots are the OB_*_METHOD callbacks declared above (presumably
// NULL means "no callback" — confirm against the caller).
typedef struct _OBJECT_TYPE_INITIALIZER
{
    USHORT Length;                      // sizeof this structure
    BOOLEAN UseDefaultObject;
    BOOLEAN Reserved;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccessMask;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    BOOLEAN MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG DefaultPagedPoolCharge;
    ULONG DefaultNonPagedPoolCharge;
    OB_DUMP_METHOD DumpProcedure;
    OB_OPEN_METHOD OpenProcedure;
    OB_CLOSE_METHOD CloseProcedure;
    OB_DELETE_METHOD DeleteProcedure;
    OB_PARSE_METHOD ParseProcedure;
    OB_SECURITY_METHOD SecurityProcedure;
    OB_QUERYNAME_METHOD QueryNameProcedure;
    OB_OKAYTOCLOSE_METHOD OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

// Runtime descriptor of one object type.  TypeInfo holds the callbacks, so
// OBJECT_TYPE.TypeInfo.*Procedure is the location kernel-integrity checks
// watch for unexpected writes.
// NOTE(review): the thread replies say this layout was taken from the WRK;
// it is therefore specific to that kernel build and offsets must be verified
// before it is used against any other version.
typedef struct _OBJECT_TYPE
{
    ERESOURCE Mutex;
    LIST_ENTRY TypeList;
    UNICODE_STRING Name;
    PVOID DefaultObject;
    ULONG Index;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    OBJECT_TYPE_INITIALIZER TypeInfo;
} OBJECT_TYPE, *POBJECT_TYPE;

// Singly-linked hash-chain node used by OBJECT_DIRECTORY.HashBuckets (below).
typedef struct _OBJECT_DIRECTORY_ENTRY
{
    struct _OBJECT_DIRECTORY_ENTRY *ChainLink;
    PVOID Object;
} OBJECT_DIRECTORY_ENTRY, *POBJECT_DIRECTORY_ENTRY;

// DOS-device mapping attached to a directory.  DriveType has 32 slots,
// presumably one per drive letter with DriveMap as the in-use bitmask —
// confirm before indexing.
typedef struct _DEVICE_MAP
{
    ULONG ReferenceCount;
    struct _OBJECT_DIRECTORY *DosDevicesDirectory;
    ULONG DriveMap;
    UCHAR DriveType[32];
} DEVICE_MAP, *PDEVICE_MAP;

// Body of a symbolic-link object.  LinkTargetObject caches the resolved
// target; LinkTargetRemaining is the part of the target name left over after
// that object.
typedef struct _OBJECT_SYMBOLIC_LINK
{
    LARGE_INTEGER CreationTime;
    UNICODE_STRING LinkTarget;
    UNICODE_STRING LinkTargetRemaining;
    PVOID LinkTargetObject;
    ULONG DosDeviceDriveIndex;
} OBJECT_SYMBOLIC_LINK;

// Optional block placed immediately before OBJECT_HEADER when
// OB_FLAG_CREATOR_INFO is set; OBJECT_HEADER_TO_CREATOR_INFO finds it by
// subtracting sizeof this struct, so its size must match the kernel's.
typedef struct _OBJECT_HEADER_CREATOR_INFO
{
  LIST_ENTRY TypeList;
  HANDLE CreatorUniqueProcess;
  USHORT CreatorBackTraceIndex;
  USHORT Reserved;
} OBJECT_HEADER_CREATOR_INFO, *POBJECT_HEADER_CREATOR_INFO;

// Captured creation parameters kept in OBJECT_HEADER.ObjectCreateInfo while
// OB_FLAG_NEW_OBJECT is set.  ProbeMode records the requester's processor
// mode; caller-supplied pointers referenced from here should be treated
// accordingly.
typedef struct _OBJECT_CREATE_INFORMATION
{
    ULONG Attributes;
    HANDLE RootDirectory;
    PVOID ParseContext;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;

// Optional block located QuotaInfoOffset bytes before OBJECT_HEADER (see
// OBJECT_HEADER_TO_QUOTA_INFO).
typedef struct _OBJECT_HEADER_QUOTA_INFO
{
  ULONG PagedPoolCharge;
  ULONG NonPagedPoolCharge;
  ULONG SecurityDescriptorCharge;
  PEPROCESS ExclusiveProcess;
} OBJECT_HEADER_QUOTA_INFO, *POBJECT_HEADER_QUOTA_INFO;

// Per-process handle counts for one object.  HandleCountEntries[1] is the
// trailing-array idiom: CountEntries gives the real number of elements and
// the [1] must stay as-is to preserve the kernel's layout.
typedef struct _OBJECT_HANDLE_COUNT_DATABASE
{
  ULONG CountEntries;
  OBJECT_HANDLE_COUNT_ENTRY HandleCountEntries[1];
} OBJECT_HANDLE_COUNT_DATABASE, *POBJECT_HANDLE_COUNT_DATABASE;

// Optional block located HandleInfoOffset bytes before OBJECT_HEADER.  Which
// union member is live is presumably signalled by OB_FLAG_SINGLE_HANDLE_ENTRY
// in the header's Flags — confirm against the consumer.
typedef struct _OBJECT_HEADER_HANDLE_INFO
{
    union
    {
            POBJECT_HANDLE_COUNT_DATABASE HandleCountDataBase;
            OBJECT_HANDLE_COUNT_ENTRY SingleEntry;
    };
} OBJECT_HEADER_HANDLE_INFO, *POBJECT_HEADER_HANDLE_INFO;

// Bucket count of the per-directory name hash (a prime, as is usual for
// modulo hashing).
#define NUMBER_HASH_BUCKETS 37
// Object-manager directory: a fixed array of hash chains of
// OBJECT_DIRECTORY_ENTRY.  LookupBucket/LookupFound are scratch state from the
// most recent lookup.
typedef struct _OBJECT_DIRECTORY
{
    OBJECT_DIRECTORY_ENTRY *HashBuckets[NUMBER_HASH_BUCKETS];
    OBJECT_DIRECTORY_ENTRY **LookupBucket;
    BOOLEAN LookupFound;
    USHORT SymbolicLinkUsageCount;
    DEVICE_MAP *DeviceMap;
} OBJECT_DIRECTORY, *POBJECT_DIRECTORY;

// Optional block located NameInfoOffset bytes before OBJECT_HEADER: the
// object's name and the directory it lives in.
typedef struct _OBJECT_HEADER_NAME_INFO
{
  POBJECT_DIRECTORY Directory;
  UNICODE_STRING Name;
  ULONG Reserved;
} OBJECT_HEADER_NAME_INFO, *POBJECT_HEADER_NAME_INFO;

// Header that precedes every object body.  Body is the first byte of the
// object proper, which is how OBJECT_TO_OBJECT_HEADER (CONTAINING_RECORD on
// Body) gets back here.  The three *Offset bytes give the distance *backwards*
// from this header to the optional name/handle/quota blocks (0 = absent); the
// OBJECT_HEADER_TO_* macros below do that arithmetic and should be used
// instead of open-coding it.
typedef struct _OBJECT_HEADER
{
    LONG ReferenceCount;
    union
        {
        LONG HandleCount;
        PSINGLE_LIST_ENTRY SEntry;      // overlays HandleCount; presumably used once the object is queued for deletion — confirm
    };
    POBJECT_TYPE Type;
    UCHAR NameInfoOffset;
    UCHAR HandleInfoOffset;
    UCHAR QuotaInfoOffset;
    UCHAR Flags;                        // OB_FLAG_* bits
    union
        {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;   // valid while OB_FLAG_NEW_OBJECT is set
        PVOID QuotaBlockCharged;                       // same word, after creation completes
    };

    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;
} OBJECT_HEADER, *POBJECT_HEADER;

#define OBJECT_TO_OBJECT_HEADER( o ) \
    CONTAINING_RECORD( (o), OBJECT_HEADER, Body )
#define OBJECT_HEADER_TO_EXCLUSIVE_PROCESS( oh ) ((oh->Flags & OB_FLAG_EXCLUSIVE_OBJECT) == 0 ? \
    NULL : (((POBJECT_HEADER_QUOTA_INFO)((PCHAR)(oh) - (oh)->QuotaInfoOffset))->ExclusiveProcess))

#define OBJECT_HEADER_TO_QUOTA_INFO( oh ) ((POBJECT_HEADER_QUOTA_INFO) \
    ((oh)->QuotaInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->QuotaInfoOffset)))

#define OBJECT_HEADER_TO_HANDLE_INFO( oh ) ((POBJECT_HEADER_HANDLE_INFO) \
    ((oh)->HandleInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->HandleInfoOffset)))

#define OBJECT_HEADER_TO_NAME_INFO( oh ) ((POBJECT_HEADER_NAME_INFO) \
    ((oh)->NameInfoOffset == 0 ? NULL : ((PCHAR)(oh) - (oh)->NameInfoOffset)))

#define OBJECT_HEADER_TO_CREATE_INFO( oh ) ((oh->Flags & OB_FLAG_NEW_OBJECT) == 0 ? \
    NULL : ((oh)->ObjectCreateInfo))

#define OBJECT_HEADER_TO_CREATOR_INFO( oh ) ((POBJECT_HEADER_CREATOR_INFO) \
    (((oh)->Flags & OB_FLAG_CREATOR_INFO) == 0 ? NULL : ((PCHAR)(oh) - sizeof(OBJECT_HEADER_CREATOR_INFO))))

#define OBJ_PROTECT_CLOSE (1<<0)
#define OBJ_AUDIT_OBJECT_CLOSE (1<<2)
#define OBJ_HANDLE_ATTRIBUTES (OBJ_PROTECT_CLOSE|OBJ_INHERIT|OBJ_AUDIT_OBJECT_CLOSE)
#define OB_FLAG_NEW_OBJECT 0x01
#define OB_FLAG_KERNEL_OBJECT 0x02
#define OB_FLAG_CREATOR_INFO 0x04
#define OB_FLAG_EXCLUSIVE_OBJECT 0x08
#define OB_FLAG_PERMANENT_OBJECT 0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA 0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY    0x40

//////////////////////////////////////////////////////////////////

// Bits of SECURITY_DESCRIPTOR.Control.  SE_SELF_RELATIVE tells the two
// descriptor layouts below apart.
// NOTE(review): these names and both SECURITY_DESCRIPTOR structs are also
// defined by the public SDK/WDK headers; including this file next to them
// will produce redefinition errors.
#define SE_OWNER_DEFAULTED               (0x0001)
#define SE_GROUP_DEFAULTED               (0x0002)
#define SE_DACL_PRESENT                  (0x0004)
#define SE_DACL_DEFAULTED                (0x0008)
#define SE_SACL_PRESENT                  (0x0010)
#define SE_SACL_DEFAULTED                (0x0020)
#define SE_DACL_AUTO_INHERIT_REQ         (0x0100)
#define SE_SACL_AUTO_INHERIT_REQ         (0x0200)
#define SE_DACL_AUTO_INHERITED           (0x0400)
#define SE_SACL_AUTO_INHERITED           (0x0800)
#define SE_DACL_PROTECTED                (0x1000)
#define SE_SACL_PROTECTED                (0x2000)
#define SE_RM_CONTROL_VALID              (0x4000)
#define SE_SELF_RELATIVE                 (0x8000)
// Self-relative descriptor: Owner/Group/Sacl/Dacl are ULONG offsets from the
// start of the descriptor rather than pointers.  When such a descriptor comes
// from user memory or from a file, each offset (and the SID/ACL it points at)
// must be checked against the buffer length before it is followed.
typedef struct _SECURITY_DESCRIPTOR_RELATIVE
{
    UCHAR Revision;
    UCHAR Sbz1;          // "should be zero" byte 1
    USHORT Control;      // SE_* bits above
    ULONG Owner;
    ULONG Group;
    ULONG Sacl;
    ULONG Dacl;
} SECURITY_DESCRIPTOR_RELATIVE;
// Absolute descriptor: same header, but the four components are real
// pointers.
typedef struct _SECURITY_DESCRIPTOR
{
   UCHAR Revision;
   UCHAR Sbz1;
   USHORT Control;
   PSID Owner;
   PSID Group;
   PACL Sacl;
   PACL Dacl;
} SECURITY_DESCRIPTOR;

// Kernel queue object.  It starts with a DISPATCHER_HEADER like the other
// waitable kernel objects; EntryListHead holds queued entries and
// ThreadListHead the threads associated with the queue.  CurrentCount /
// MaximumCount presumably bound the number of concurrently active threads —
// confirm against the consumer.
typedef struct _KQUEUE
{
    DISPATCHER_HEADER Header;
    LIST_ENTRY EntryListHead;
    ULONG CurrentCount;
    ULONG MaximumCount;
    LIST_ENTRY ThreadListHead;
} KQUEUE, *PKQUEUE, *PRKQUEUE;

// Stuff not actually being used
// Placeholder typedefs so that the names exist.  Each is a single ULONG and
// bears no relation to the size or layout of the real kernel object, so they
// must never be used for sizeof, indexing or field access; note that they are
// distinct types from the public PEPROCESS/PETHREAD pointer typedefs, which
// point at the (opaque) _EPROCESS/_ETHREAD tags.
typedef struct  { ULONG Reserved; } EPROCESS;
typedef struct  { ULONG Reserved; } ETHREAD;
typedef struct  { ULONG Reserved; } EJOB;
typedef struct  { ULONG Reserved; } ECHANNEL;
typedef struct  { ULONG Reserved; } CALLBACK_OBJECT;
typedef struct  { ULONG Reserved; } DEBUG_OBJECT;
typedef struct  { ULONG Reserved; } DESKTOP;
typedef struct  { ULONG Reserved; } EEVENT_PAIR;
typedef struct  { ULONG Reserved; } ADAPTER_OBJECT;
typedef struct  { ULONG Reserved; } DEVICE_HANDLER_OBJECT;
typedef struct  { ULONG Reserved; } CM_KEY_BODY;
typedef struct  { ULONG Reserved; } KEYED_EVENT_OBJECT;
typedef struct  { ULONG Reserved; } LPC_PORT_OBJECT;
typedef struct  { ULONG Reserved; } SECTION;
typedef struct  { ULONG Reserved; } MMSUPER_SECTION;
typedef struct  { ULONG Reserved; } EPROFILE;
typedef struct  { ULONG Reserved; } TOKEN;
typedef struct  { ULONG Reserved; } WINDOWSTATION;
typedef struct  { ULONG Reserved; } WMIGUID_OBJECT;

#endif


发表于 2008-2-12 01:16:28 |显示全部楼层
回复可见,无声望要求~


发表于 2008-2-12 01:18:00 |显示全部楼层
不算爆啊不算爆啊 WRK里就有啊


发表于 2008-2-12 01:20:06 |显示全部楼层
WRK里提取慢啊~~索性提供了~
嘿嘿


发表于 2008-2-12 01:20:21 |显示全部楼层
我看看是什么


发表于 2008-2-12 01:21:03 |显示全部楼层
我还以为又要威望的。。。


发表于 2008-2-12 01:40:03 |显示全部楼层
引用第5楼1haoyu于2008-02-11 22:21发表的:
我还以为又要威望的。。。
难得


发表于 2008-2-12 01:55:53 |显示全部楼层


发表于 2008-2-12 01:59:02 |显示全部楼层
哈哈.


发表于 2008-2-12 03:31:20 |显示全部楼层
还是 发财发财发财。。。。。


发表于 2008-2-12 17:00:22 |显示全部楼层
你们真厚道


发表于 2008-2-12 17:10:27 |显示全部楼层
辛苦了


发表于 2008-2-12 17:56:27 |显示全部楼层
果然是WRK中可以提取,还是要谢V大.


发表于 2008-2-12 18:21:40 |显示全部楼层
厚道


发表于 2008-2-12 21:10:02 |显示全部楼层
看看先


发表于 2008-2-12 23:08:03 |显示全部楼层
看看...


发表于 2008-2-12 23:24:18 |显示全部楼层
我不喜欢要威望的


发表于 2008-2-12 23:48:52 |显示全部楼层
终于不要威望了!!!


发表于 2008-2-13 02:04:22 |显示全部楼层
wow,好东西


发表于 2008-2-13 14:07:15 |显示全部楼层
站在巨人的肩膀上总是感觉很好