2: kd> dt nt!_OBJECT_TYPE poi(nt!PsProcessType)
+0x000 TypeList : _LIST_ENTRY [ 0xffff8481`f02d7350 - 0xffff8481`f02d7350 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x3f
+0x030 TotalNumberOfHandles : 0x20a
+0x034 HighWaterNumberOfObjects : 0x51
+0x038 HighWaterNumberOfHandles : 0x25c
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffcf0d`19f25b90 - 0xffffcf0d`19f25b90 ]
这个CallbackList链表的前后节点都一样,我还以为是空呢? 其实空链表的判定是 Flink/Blink 都指回表头自身; 这里表头是 PsProcessType+0xc8 = ffff8481`f02d7418, 而第一个节点的 Flink/Blink 正好都指回这个表头, 说明链表里只有一个节点, 并不为空。
2: kd> dps ffffcf0d`19f25b90
ffffcf0d`19f25b90 ffff8481`f02d7418 这个和下面的一样,可以考虑是LIST_ENTRY
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003 低32位的3是Operations, 高32位的1落在Operations之后的对齐填充里
ffffcf0d`19f25ba8 ffffcf0d`19f25b70 又是一个结构
ffffcf0d`19f25bb0 ffff8481`f02d7350 是PsProcessType
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000 未知,补充,保留
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003 低32位的3是Operations
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0 是PsThreadType
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
2: kd> !object ffff8481`f02d7350
Object: ffff8481f02d7350 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02d7320 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Process
2: kd> !object ffff8481`f02c7ac0
Object: ffff8481f02c7ac0 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02c7a90 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Thread
2: kd> dps ffffcf0d`19f25b70 L20
ffffcf0d`19f25b70 00000000`00020100
ffffcf0d`19f25b78 fffff802`425f50b0 ObCallbackTest!CBCallbackRegistration
ffffcf0d`19f25b80 00000000`00080008
ffffcf0d`19f25b88 ffffcf0d`19f25c10
ffffcf0d`19f25b90 ffff8481`f02d7418
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003
ffffcf0d`19f25ba8 ffffcf0d`19f25b70
ffffcf0d`19f25bb0 ffff8481`f02d7350
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
ffffcf0d`19f25c10 00300030`00300031
ffffcf0d`19f25c18 00000012`00000201
ffffcf0d`19f25c20 3066744e`0303030c
ffffcf0d`19f25c28 07be696e`a40c5c62
ffffcf0d`19f25c30 ffffcf0d`18bec700
ffffcf0d`19f25c38 ffffcf0d`19f8e430
ffffcf0d`19f25c40 00000064`04d44d5b
ffffcf0d`19f25c48 00000073`006c006f
ffffcf0d`19f25c50 6e664d46`03160303
ffffcf0d`19f25c58 07be696e`a40c5c12
ffffcf0d`19f25c60 00000000`0150f204
ffffcf0d`19f25c68 00000000`00000000
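/*
 * One per-object-type registration inside a CALLBACK_ENTRY (the dump above
 * has two: one for the Process type, one for the Thread type).  Offsets are
 * read from the `dps ffffcf0d`19f25b90` output: each item is 0x40 bytes and
 * the next item follows immediately in memory.
 */
typedef struct _CALLBACK_ENTRY_ITEM {
    LIST_ENTRY EntryItemList;                  /* +0x00: linked into OBJECT_TYPE.CallbackList; Flink == Blink == list head when it is the only item */
    OB_OPERATION Operations;                   /* +0x10: low dword; 3 in the dump == OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE.
                                                  The dword at +0x14 (1 in the dump) sits in the padding after this field and is
                                                  not named by this layout -- TODO confirm its meaning */
    struct _CALLBACK_ENTRY *CallbackEntry;     /* +0x18: owning CALLBACK_ENTRY (used for ObUnRegisterCallbacks); the struct tag is used
                                                  here because the CALLBACK_ENTRY typedef is only declared further down */
    POBJECT_TYPE ObjectType;                   /* +0x20: PsProcessType / PsThreadType in the dump (see the !object output) */
    POB_PRE_OPERATION_CALLBACK PreOperation;   /* +0x28: ObCallbackTest!CBTdPreOperationCallback in the dump */
    POB_POST_OPERATION_CALLBACK PostOperation; /* +0x30: ObCallbackTest!CBTdPostOperationCallback in the dump */
    __int64 unk;                               /* +0x38: zero in both items of the dump; purpose unknown */
} CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;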
/*
 * Registration block that the Items of the CallbackList point back to
 * (layout reverse-engineered, not a public WDK type; see the two links
 * below).  Offsets are read from the `dps ffffcf0d`19f25b70 L20` output
 * above.
 */
typedef struct _CALLBACK_ENTRY{
__int16 Version; // +0x00: 0x0100 in the dump
char buffer1[6]; // +0x02: unknown/padding; bytes 02 00 00 00 00 00 in the dump
POB_OPERATION_REGISTRATION RegistrationContext; // +0x08: resolves to ObCallbackTest!CBCallbackRegistration in the dump -- NOTE(review): the symbol name suggests this is the OB_CALLBACK_REGISTRATION block rather than an OB_OPERATION_REGISTRATION; confirm the type
__int16 AltitudeLength1; // +0x10: 8 in the dump (byte length of L"1000")
__int16 AltitudeLength2; // +0x12: 8 in the dump
char buffer2[4]; // +0x14: zero in the dump
WCHAR* AltitudeString; // +0x18: -> L"1000" at ffffcf0d`19f25c10; the wchar after it is 0x0201, so it is not NUL-terminated within the length. +0x10..+0x1f together look like a UNICODE_STRING {Length, MaximumLength, Buffer} -- confirm
CALLBACK_ENTRY_ITEM Items; // +0x20: first of N contiguous 0x40-byte CALLBACK_ENTRY_ITEMs (two here: Process at +0x20, Thread at +0x60), each also linked into its OBJECT_TYPE.CallbackList; the altitude string follows the last item at +0xa0
}CALLBACK_ENTRY, *PCALLBACK_ENTRY;
https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
https://www.unknowncheats.me/forum/dayz-sa/166167-douggem-_callback_entry-rebuilding.html
+0x000 TypeList : _LIST_ENTRY [ 0xffff8481`f02d7350 - 0xffff8481`f02d7350 ]
+0x010 Name : _UNICODE_STRING "Process"
+0x020 DefaultObject : (null)
+0x028 Index : 0x7 ''
+0x02c TotalNumberOfObjects : 0x3f
+0x030 TotalNumberOfHandles : 0x20a
+0x034 HighWaterNumberOfObjects : 0x51
+0x038 HighWaterNumberOfHandles : 0x25c
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x636f7250
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffcf0d`19f25b90 - 0xffffcf0d`19f25b90 ]
这个CallbackList链表的前后节点都一样,我还以为是空呢? 其实空链表的判定是 Flink/Blink 都指回表头自身; 这里表头是 PsProcessType+0xc8 = ffff8481`f02d7418, 而第一个节点的 Flink/Blink 正好都指回这个表头, 说明链表里只有一个节点, 并不为空。
2: kd> dps ffffcf0d`19f25b90
ffffcf0d`19f25b90 ffff8481`f02d7418 这个和下面的一样,可以考虑是LIST_ENTRY
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003 低32位的3是Operations, 高32位的1落在Operations之后的对齐填充里
ffffcf0d`19f25ba8 ffffcf0d`19f25b70 又是一个结构
ffffcf0d`19f25bb0 ffff8481`f02d7350 是PsProcessType
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000 未知,补充,保留
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003 低32位的3是Operations
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0 是PsThreadType
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
2: kd> !object ffff8481`f02d7350
Object: ffff8481f02d7350 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02d7320 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Process
2: kd> !object ffff8481`f02c7ac0
Object: ffff8481f02c7ac0 Type: (ffff8481f02f7ec0) Type
ObjectHeader: ffff8481f02c7a90 (new version)
HandleCount: 0 PointerCount: 2
Directory Object: ffffcf0d11e147f0 Name: Thread
2: kd> dps ffffcf0d`19f25b70 L20
ffffcf0d`19f25b70 00000000`00020100
ffffcf0d`19f25b78 fffff802`425f50b0 ObCallbackTest!CBCallbackRegistration
ffffcf0d`19f25b80 00000000`00080008
ffffcf0d`19f25b88 ffffcf0d`19f25c10
ffffcf0d`19f25b90 ffff8481`f02d7418
ffffcf0d`19f25b98 ffff8481`f02d7418
ffffcf0d`19f25ba0 00000001`00000003
ffffcf0d`19f25ba8 ffffcf0d`19f25b70
ffffcf0d`19f25bb0 ffff8481`f02d7350
ffffcf0d`19f25bb8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25bc0 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25bc8 00000000`00000000
ffffcf0d`19f25bd0 ffff8481`f02c7b88
ffffcf0d`19f25bd8 ffff8481`f02c7b88
ffffcf0d`19f25be0 00000001`00000003
ffffcf0d`19f25be8 ffffcf0d`19f25b70
ffffcf0d`19f25bf0 ffff8481`f02c7ac0
ffffcf0d`19f25bf8 fffff802`425f10e0 ObCallbackTest!CBTdPreOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 264]
ffffcf0d`19f25c00 fffff802`425f1000 ObCallbackTest!CBTdPostOperationCallback [e:\开源\microsoft\windows-driver-samples\trunk\general\obcallback\driver\callback.c @ 427]
ffffcf0d`19f25c08 00000000`00000000
ffffcf0d`19f25c10 00300030`00300031
ffffcf0d`19f25c18 00000012`00000201
ffffcf0d`19f25c20 3066744e`0303030c
ffffcf0d`19f25c28 07be696e`a40c5c62
ffffcf0d`19f25c30 ffffcf0d`18bec700
ffffcf0d`19f25c38 ffffcf0d`19f8e430
ffffcf0d`19f25c40 00000064`04d44d5b
ffffcf0d`19f25c48 00000073`006c006f
ffffcf0d`19f25c50 6e664d46`03160303
ffffcf0d`19f25c58 07be696e`a40c5c12
ffffcf0d`19f25c60 00000000`0150f204
ffffcf0d`19f25c68 00000000`00000000
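/*
 * One per-object-type registration inside a CALLBACK_ENTRY (the dump above
 * has two: one for the Process type, one for the Thread type).  Offsets are
 * read from the `dps ffffcf0d`19f25b90` output: each item is 0x40 bytes and
 * the next item follows immediately in memory.
 */
typedef struct _CALLBACK_ENTRY_ITEM {
    LIST_ENTRY EntryItemList;                  /* +0x00: linked into OBJECT_TYPE.CallbackList; Flink == Blink == list head when it is the only item */
    OB_OPERATION Operations;                   /* +0x10: low dword; 3 in the dump == OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE.
                                                  The dword at +0x14 (1 in the dump) sits in the padding after this field and is
                                                  not named by this layout -- TODO confirm its meaning */
    struct _CALLBACK_ENTRY *CallbackEntry;     /* +0x18: owning CALLBACK_ENTRY (used for ObUnRegisterCallbacks); the struct tag is used
                                                  here because the CALLBACK_ENTRY typedef is only declared further down */
    POBJECT_TYPE ObjectType;                   /* +0x20: PsProcessType / PsThreadType in the dump (see the !object output) */
    POB_PRE_OPERATION_CALLBACK PreOperation;   /* +0x28: ObCallbackTest!CBTdPreOperationCallback in the dump */
    POB_POST_OPERATION_CALLBACK PostOperation; /* +0x30: ObCallbackTest!CBTdPostOperationCallback in the dump */
    __int64 unk;                               /* +0x38: zero in both items of the dump; purpose unknown */
} CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;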
/*
 * Registration block that the Items of the CallbackList point back to
 * (layout reverse-engineered, not a public WDK type; see the two links
 * below).  Offsets are read from the `dps ffffcf0d`19f25b70 L20` output
 * above.
 */
typedef struct _CALLBACK_ENTRY{
__int16 Version; // +0x00: 0x0100 in the dump
char buffer1[6]; // +0x02: unknown/padding; bytes 02 00 00 00 00 00 in the dump
POB_OPERATION_REGISTRATION RegistrationContext; // +0x08: resolves to ObCallbackTest!CBCallbackRegistration in the dump -- NOTE(review): the symbol name suggests this is the OB_CALLBACK_REGISTRATION block rather than an OB_OPERATION_REGISTRATION; confirm the type
__int16 AltitudeLength1; // +0x10: 8 in the dump (byte length of L"1000")
__int16 AltitudeLength2; // +0x12: 8 in the dump
char buffer2[4]; // +0x14: zero in the dump
WCHAR* AltitudeString; // +0x18: -> L"1000" at ffffcf0d`19f25c10; the wchar after it is 0x0201, so it is not NUL-terminated within the length. +0x10..+0x1f together look like a UNICODE_STRING {Length, MaximumLength, Buffer} -- confirm
CALLBACK_ENTRY_ITEM Items; // +0x20: first of N contiguous 0x40-byte CALLBACK_ENTRY_ITEMs (two here: Process at +0x20, Thread at +0x60), each also linked into its OBJECT_TYPE.CallbackList; the altitude string follows the last item at +0xa0
}CALLBACK_ENTRY, *PCALLBACK_ENTRY;
https://douggemhax.wordpress.com/2015/05/27/obregistercallbacks-and-countermeasures/
https://www.unknowncheats.me/forum/dayz-sa/166167-douggem-_callback_entry-rebuilding.html