OkayToCloseProcedure Hook

Souhail_Hammou Jul 8th, 2014 308 Never
  1. /*
  2. By : Souhail Hammou
  3. http://rce4fun.blogspot.com/
  4. */
  5. #include <ntifs.h>
  6. #include <ntddk.h>
  7. typedef unsigned int DWORD;
  8. //extern "C" PUCHAR ObGetObjectType(PVOID Object);
  9. extern "C" POBJECT_TYPE *PsProcessType;
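/*
 * Replacement OkayToCloseProcedure installed on the Process object type.
 *
 * The Object Manager invokes it before a handle to a process is closed.
 * This version only logs the request and always permits the close.
 *
 * Process      - process performing the close (its image name is printed)
 * dw           - second callback argument; presumably the object whose
 *                handle is being closed (OB_OKAYTOCLOSE_METHOD) - unused here.
 *                Declared DWORD, so this build is 32-bit only.
 * Handle       - handle value being closed
 * PreviousMode - KernelMode or UserMode of the requesting caller
 *
 * Returns non-zero, which tells the Object Manager the close may proceed.
 *
 * NOTE(review): 0x16c is a hard-coded EPROCESS.ImageFileName offset for one
 * 32-bit Windows build; on any other build it prints garbage or faults.
 * Confirm against the target kernel's symbols before loading.
 */
int HooK(PEPROCESS Process, DWORD dw, HANDLE Handle, KPROCESSOR_MODE PreviousMode)
{
    /* A HANDLE is pointer-sized; %p is the matching specifier. The original
       %x paired a HANDLE with an int conversion (mismatched format argument). */
    const char *origin = (PreviousMode == KernelMode) ? "kernel" : "usermode";
    DbgPrint("Attempt to close the handle : %p to a process opened by the %s process : %s\n",
             Handle, origin, (PUCHAR)Process + 0x16c);
    return 1;
}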
/*
 * Driver unload routine: removes the OkayToCloseProcedure hook from the
 * Process object type, but only while the slot still points at HooK, so a
 * callback installed by anyone else is left untouched.
 *
 * DriverObject - this driver's object (unused)
 *
 * NOTE(review): 0x74 is a build-specific offset into OBJECT_TYPE (the
 * OkayToCloseProcedure member of its OBJECT_TYPE_INITIALIZER); it must match
 * the kernel this is loaded on. Nothing here waits for in-flight callbacks to
 * drain before the driver image is unmapped.
 */
void OkayToCloseProcedureHookUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DWORD *slot = (DWORD *)((PUCHAR)*PsProcessType + 0x74);
    if (*slot == (DWORD)HooK) {
        *slot = 0;
    }
    DbgPrint("[+] Hook Deleted for the Process Object\n");
}
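/*
 * Driver entry point: installs HooK as the Process object type's
 * OkayToCloseProcedure so every handle close on a process is logged.
 *
 * DriverObject - this driver's object; its unload routine is set here
 * RegistryPath - unused
 *
 * Returns STATUS_SUCCESS when the hook is installed. Returns
 * STATUS_UNSUCCESSFUL when the callback slot is already occupied: the existing
 * callback is never overwritten, and failing the load keeps an inert driver
 * from staying resident (the original returned STATUS_SUCCESS on this path).
 *
 * NOTE(review): the DWORD casts make this 32-bit only, and 0x74 is a
 * build-specific OBJECT_TYPE offset - on an unsupported build this writes into
 * an unrelated field. Kernel patch protection on 64-bit Windows is expected to
 * treat modification of these structures as tampering; confirm the target
 * before loading.
 */
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = OkayToCloseProcedureHookUnload;
    DbgPrint("[+] Hooking The Process Object's OkayToCloseProcedure Callback\n");
    DbgPrint("[+] Every attempt to close a handle to a process will be displayed\n");

    /* Process object type (OBJECT_TYPE) structure. */
    PUCHAR ProcessObjectType = (PUCHAR)*PsProcessType;
    DbgPrint("Process Object Type Structure at : %p\n", ProcessObjectType);

    /* OkayToCloseProcedure slot of the type's OBJECT_TYPE_INITIALIZER. */
    DWORD *slot = (DWORD *)(ProcessObjectType + 0x74);
    if (*slot != 0) {
        /* A callback is already registered; leave it alone and fail the load. */
        DbgPrint("[-]Failed\n");
        return STATUS_UNSUCCESSFUL;
    }

    *slot = (DWORD)HooK;
    DbgPrint("[+]Hook Done !!\n");
    return STATUS_SUCCESS;
}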