Souhail_Hammou

OkayToCloseProcedure Hook

Jul 8th, 2014
  1. /*
  2. By : Souhail Hammou
  3. http://rce4fun.blogspot.com/
  4. */
#include <ntifs.h>
#include <ntddk.h>
/* 32-bit on every Windows target. The code below stores and compares a function
 * pointer through this type, which truncates the pointer on a 64-bit kernel. */
typedef unsigned int DWORD;
//extern "C" PUCHAR ObGetObjectType(PVOID Object);
/* Resolved from the kernel: pointer to the Process OBJECT_TYPE. The hook below
 * patches a field inside that structure at a hard-coded offset. */
extern "C" POBJECT_TYPE *PsProcessType;
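/*
 * Replacement OkayToCloseProcedure installed on the Process object type.
 * The parameter layout is the one the original relies on:
 *   Process      - process whose handle table holds the handle
 *   dw           - the object itself, kept as DWORD for compatibility with the
 *                  original installer (a pointer truncated to 32 bits on x64);
 *                  not used here
 *   Handle       - the handle being closed
 *   PreviousMode - KernelMode or UserMode of the closing caller
 * Returns non-zero, i.e. the close is always allowed; the routine only logs.
 */
int HooK(PEPROCESS Process, DWORD dw, HANDLE Handle, KPROCESSOR_MODE PreviousMode)
{
    /* Hard-coded EPROCESS.ImageFileName offset carried over from the original.
     * It is specific to the kernel build the original was written against —
     * TODO confirm against the target kernel before relying on it. */
    const ULONG_PTR imageFileNameOffset = 0x16c;
    const char *imageName = (const char *)Process + imageFileNameOffset;
    /* One format string for both modes; only the origin word differs. */
    const char *origin = (PreviousMode == KernelMode) ? "kernel" : "usermode";

    UNREFERENCED_PARAMETER(dw);

    /* %p for the HANDLE: it is pointer-sized, so %x is a format mismatch on x64
     * (the original passed it to %x). */
    DbgPrint("Attempt to close the handle : %p to a process opened by the %s process : %s\n",
             Handle, origin, imageName);
    return 1;
}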
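/*
 * Driver unload: clears the Process object type's OkayToCloseProcedure slot if,
 * and only if, it still holds HooK.
 * The slot is accessed as a pointer-sized value so the comparison does not
 * truncate on x64 (the original compared through DWORD), and the
 * compare-and-swap makes the check and the clear a single atomic step.
 * DriverObject is unused.
 */
void OkayToCloseProcedureHookUnload(IN PDRIVER_OBJECT DriverObject)
{
    /* Hard-coded offset of OkayToCloseProcedure inside OBJECT_TYPE on the build
     * the original targets; it is not stable across kernel versions — confirm
     * before reuse. */
    const ULONG_PTR okayToCloseOffset = 0x74;
    PUCHAR objectType = (PUCHAR)*PsProcessType;
    PVOID volatile *slot = (PVOID volatile *)(objectType + okayToCloseOffset);

    UNREFERENCED_PARAMETER(DriverObject);

    if (InterlockedCompareExchangePointer(slot, NULL, (PVOID)HooK) == (PVOID)HooK) {
        DbgPrint("[+] Hook Deleted for the Process Object\n");
    } else {
        /* The original reported success unconditionally; say what really happened. */
        DbgPrint("[-] Hook not installed, nothing to delete\n");
    }

    /* NOTE(review): a thread may still be inside HooK after the slot is cleared;
     * nothing here waits for in-flight callbacks before the driver image goes away. */
}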
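/*
 * Driver entry: registers the unload routine and installs HooK as the Process
 * object type's OkayToCloseProcedure, but only when the slot is currently empty.
 * The slot is written as a pointer-sized value (the original stored the function
 * pointer through DWORD, truncating it on x64) and the empty-check plus install
 * is one atomic compare-and-swap.
 * RegistryPath is unused. Returns STATUS_SUCCESS whether or not the hook was
 * installed, so the driver stays loaded and the unload routine still runs.
 * NOTE(review): patching an OBJECT_TYPE in place is unsupported; on x64 kernels
 * with kernel-integrity protection this kind of write is presumably detected —
 * confirm before running anywhere but a test machine.
 */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    /* Hard-coded offset of OkayToCloseProcedure inside OBJECT_TYPE on the build
     * the original targets; it is not stable across kernel versions — confirm
     * before reuse. */
    const ULONG_PTR okayToCloseOffset = 0x74;
    PUCHAR processObjectType;
    PVOID volatile *slot;

    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = OkayToCloseProcedureHookUnload;
    DbgPrint("[+] Hooking The Process Object's OkayToCloseProcedure Callback\n");
    DbgPrint("[+] Every attempt to close a handle to a process will be displayed\n");

    /* Locate the Process OBJECT_TYPE structure. */
    processObjectType = (PUCHAR)*PsProcessType;
    DbgPrint("Process Object Type Structure at : %p\n", processObjectType);

    /* Install only into an empty slot so an existing procedure is never replaced. */
    slot = (PVOID volatile *)(processObjectType + okayToCloseOffset);
    if (InterlockedCompareExchangePointer(slot, (PVOID)HooK, NULL) == NULL) {
        DbgPrint("[+]Hook Done !!\n");
    } else {
        /* Original lacked the newline, so the message ran into the next debug line. */
        DbgPrint("[-]Failed\n");
    }
    return STATUS_SUCCESS;
}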