NTCreateDebugObject for Win8.1



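/*
 * 这个代码可以在WIN8.1上面跑的测试成功 自己测试的时候呢 把ObInsertObjectEx,DbgkDebugObjectType替换一下 最后用符号连接就完美了这个不像昨天的那个伪代码 这个可以跑的 我跟着调试了一遍代码也是没有用IDA了IDA太坑优化一下函数 减少一个硬编码 现在只有一个dbgobjecttype了
 */

/*
 * NTCreateDebugObject - re-implementation of the NtCreateDebugObject system
 * service for the author's Windows 8.1 (32-bit) test build.
 *
 * Creates a debug object through ObCreateObject, initialises its body field
 * by field at the hard-coded offsets below, inserts it into the caller's
 * handle table and returns the handle through DebugObjectHandle.
 *
 * DebugObjectHandle  user-mode address that receives the new handle
 * DesiredAccess      access mask granted on the returned handle
 * ObjectAttributes   handed to ObCreateObject unchanged (not validated here)
 * Flags              only bit 0 may be set; any other bit is rejected
 *
 * Returns STATUS_SUCCESS; STATUS_INVALID_PARAMETER for a kernel-mode caller
 * or an unknown flag bit; STATUS_PROCEDURE_NOT_FOUND when ObCreateObject
 * cannot be resolved; the exception code when DebugObjectHandle is not a
 * writable user address; otherwise the status of the failing object service.
 */
NTSTATUS NTCreateDebugObject(OUT PHANDLE DebugObjectHandle,
                             IN ACCESS_MASK DesiredAccess,
                             IN POBJECT_ATTRIBUTES ObjectAttributes,
                             IN ULONG Flags)
{
    typedef NTSTATUS (__stdcall *OBCREATEOBJECT)(
        __in KPROCESSOR_MODE ProbeMode,
        __in POBJECT_TYPE ObjectType,
        __in POBJECT_ATTRIBUTES ObjectAttributes,
        __in KPROCESSOR_MODE OwnershipMode,
        __inout_opt PVOID ParseContext,
        __in ULONG ObjectBodySize,
        __in ULONG PagedPoolCharge,
        __in ULONG NonPagedPoolCharge,
        __out PVOID *Object);

    /* Build-specific address from the author's test machine; it must be
     * replaced for any other target (see the author's note above). */
    POBJECT_TYPE DbgkDebugObjectType = (POBJECT_TYPE)0x84939eb0;

    HANDLE handle = NULL;        /* was PHANDLE: ObInsertObject stores a HANDLE */
    UNICODE_STRING usFuncName;
    KPROCESSOR_MODE PreviousMode;
    OBCREATEOBJECT ObCreateObject;
    POBJECT_TYPE DebugObject;    /* opaque object body, addressed by offset */
    ULONG_PTR body;
    NTSTATUS status;

    PreviousMode = ExGetPreviousMode();
    if (PreviousMode == KernelMode) {
        return STATUS_INVALID_PARAMETER;
    }
    /* Only bit 0 is a recognised flag. */
    if (Flags & 0xFFFFFFFE) {
        return STATUS_INVALID_PARAMETER;
    }

    /* The caller is user mode at this point, so the output pointer has to be
     * probed before the kernel writes through it; the original wrote to it
     * unchecked, which lets a caller hand in any kernel address. */
    __try {
        ProbeForWrite(DebugObjectHandle, sizeof(HANDLE), sizeof(HANDLE));
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return GetExceptionCode();
    }

    RtlInitUnicodeString(&usFuncName, L"ObCreateObject");
    ObCreateObject = (OBCREATEOBJECT)MmGetSystemRoutineAddress(&usFuncName);
    if (ObCreateObject == NULL) {
        /* Never call through an unresolved routine pointer. */
        return STATUS_PROCEDURE_NOT_FOUND;
    }

    status = ObCreateObject(PreviousMode, DbgkDebugObjectType, ObjectAttributes,
                            PreviousMode, NULL, 0x3c, 0, 0, (PVOID)&DebugObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    /* The 0x3c body size and the offsets below are taken from the author's
     * 32-bit Win8.1 build; do not assume them for any other build. */
    body = (ULONG_PTR)DebugObject;
    *(ULONG *)(body + 0x10) = 1;
    *(ULONG *)(body + 0x14) = 0;
    *(ULONG *)(body + 0x18) = 0;
    KeInitializeEvent((PRKEVENT)(body + 0x1c), SynchronizationEvent, FALSE);
    /* Flink and Blink both point at the entry itself: an empty list. */
    InitializeListHead((PLIST_ENTRY)(body + 0x30));
    KeInitializeEvent((PRKEVENT)body, NotificationEvent, FALSE);
    /* NOTE(review): written unconditionally; Flags is only validated above
     * and never recorded in the object -- confirm against the target build. */
    *(ULONG *)(body + 0x38) = 2;

    status = ObInsertObject(DebugObject, NULL, DesiredAccess, 0, NULL, &handle);
    if (!NT_SUCCESS(status)) {
        return status;
    }
    KdPrint(("handle %p", handle));

    /* Probed above, but the user mapping may have changed since then. */
    __try {
        *DebugObjectHandle = handle;
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        return GetExceptionCode();
    }

    return STATUS_SUCCESS;
}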


