- /*
- By : Souhail Hammou
- http://rce4fun.blogspot.com/
- */
- #include <ntifs.h>
- #include <ntddk.h>
- typedef unsigned int DWORD;
- //extern "C" PUCHAR ObGetObjectType(PVOID Object);
- extern "C" POBJECT_TYPE *PsProcessType;
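/*
 * Replacement OkayToCloseProcedure for the Process object type.
 *
 * The object manager calls this whenever a handle to a process is about to
 * be closed. The signature mirrors the callback slot DriverEntry writes it
 * into: per the OB_OKAYTOCLOSE_METHOD prototype the second argument is the
 * object being closed; it is kept as `DWORD dw` to preserve the original
 * 32-bit calling layout.
 *
 * Process      - the process that owns the handle being closed.
 * dw           - the object being closed (unused).
 * Handle       - the handle value being closed.
 * PreviousMode - KernelMode or UserMode, i.e. who requested the close.
 *
 * Returns nonzero so the close proceeds exactly as it would without the
 * hook; this callback only observes and logs.
 */
int HooK(PEPROCESS Process,DWORD dw,HANDLE Handle,KPROCESSOR_MODE PreviousMode){
    /* Offset of EPROCESS.ImageFileName and its declared length in the build
     * these offsets were taken from (looks like Windows 7 x86 — TODO confirm
     * against the target kernel's symbols). Both are build-specific. */
    enum { IMAGE_FILE_NAME_OFFSET = 0x16c, IMAGE_FILE_NAME_LEN = 15 };
    char name[IMAGE_FILE_NAME_LEN + 1];
    const char *requester = (PreviousMode == KernelMode) ? "kernel" : "usermode";

    UNREFERENCED_PARAMETER(dw);

    /* ImageFileName may not be NUL-terminated when a name fills the field,
     * so copy a bounded number of bytes and terminate locally rather than
     * handing the raw field to %s. */
    RtlCopyMemory(name, (PUCHAR)Process + IMAGE_FILE_NAME_OFFSET, IMAGE_FILE_NAME_LEN);
    name[IMAGE_FILE_NAME_LEN] = '\0';

    /* %p for the handle: the original %x only matched HANDLE on 32-bit targets. */
    DbgPrint("Attempt to close the handle : %p to a process opened by the %s process : %s\n",
             Handle, requester, name);
    return 1;
}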
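/*
 * DriverUnload: remove the hook installed by DriverEntry.
 *
 * The OkayToCloseProcedure slot is cleared only if it still points at HooK;
 * if something else replaced it in the meantime it is left alone and that is
 * logged, so the unload never clobbers another component's callback. The
 * original printed "Hook Deleted" unconditionally, even when nothing was
 * removed.
 *
 * DriverObject - unused.
 *
 * NOTE(review): nothing here waits for in-flight HooK invocations to finish
 * before the driver image is unmapped; a close racing with the unload could
 * still be executing inside the hook — presumably accepted for this test
 * driver, but worth knowing when reading crash dumps.
 */
void OkayToCloseProcedureHookUnload(IN PDRIVER_OBJECT DriverObject)
{
    /* Offset of TypeInfo.OkayToCloseProcedure inside OBJECT_TYPE for the
     * build this driver targets (build-specific; looks like Windows 7 x86 —
     * TODO confirm against the target kernel's symbols). */
    enum { OKAY_TO_CLOSE_OFFSET = 0x74 };
    PUCHAR ObjectType = (PUCHAR)*PsProcessType;
    DWORD *slot = (DWORD *)(ObjectType + OKAY_TO_CLOSE_OFFSET);

    UNREFERENCED_PARAMETER(DriverObject);

    if (*slot == (DWORD)HooK) {
        *slot = 0;
        DbgPrint("[+] Hook Deleted for the Process Object\n");
    } else {
        DbgPrint("[-] OkayToCloseProcedure no longer points to our hook, leaving it untouched\n");
    }
}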
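/*
 * Driver entry point: install HooK as the Process object type's
 * OkayToCloseProcedure and register the unload routine that removes it.
 *
 * The slot is written only when it is currently empty; a non-zero value
 * means the kernel or another driver already owns that callback and it is
 * left untouched (logged as a failure). STATUS_SUCCESS is returned in both
 * cases so the unload routine is registered and can report what it finds.
 *
 * DriverObject - this driver's object; its DriverUnload is set here.
 * RegistryPath - unused.
 *
 * Returns STATUS_SUCCESS in all cases.
 *
 * The (DWORD)HooK cast only holds a function pointer on a 32-bit build,
 * which is the sole target this code supports. A rewritten
 * OkayToCloseProcedure slot is also exactly the kind of change kernel
 * integrity checks compare against the original type initializer, so expect
 * it to be reported by such tooling where it is active.
 */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* Offset of TypeInfo.OkayToCloseProcedure inside OBJECT_TYPE for the
     * build this driver targets (build-specific; looks like Windows 7 x86 —
     * TODO confirm against the target kernel's symbols). */
    enum { OKAY_TO_CLOSE_OFFSET = 0x74 };
    PUCHAR ProcessObjectType;
    DWORD *slot;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = OkayToCloseProcedureHookUnload;
    DbgPrint("[+] Hooking The Process Object's OkayToCloseProcedure Callback\n");
    DbgPrint("[+] Every attempt to close a handle to a process will be displayed\n");

    /* Get the Process Object Type (OBJECT_TYPE) structure */
    ProcessObjectType = (PUCHAR)*PsProcessType;
    DbgPrint("Process Object Type Structure at : %p\n",ProcessObjectType);

    /* Set the OkayToCloseProcedure function pointer in the OBJECT_TYPE_INITIALIZER
     * to the hook function, but only if nothing is installed there already. */
    slot = (DWORD *)(ProcessObjectType + OKAY_TO_CLOSE_OFFSET);
    if (*slot == 0) {
        *slot = (DWORD)HooK;
        DbgPrint("[+]Hook Done !!\n");
    } else {
        /* The original message had no trailing newline, so it merged with the
         * next line of debugger output; say why it failed as well. */
        DbgPrint("[-]Failed: OkayToCloseProcedure already set, not overwriting\n");
    }
    return STATUS_SUCCESS;
}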