本机环境:Windows10 X64 IDA 7.6Pro 内核文件:Windows7 X64 Sp1(ntoskrnl.exe)
特别说明：本图调用了两次 ObRegisterCallbacks
最左边的图插入了两个回调函数到PsProcessType->CallBackList和PsThreadType->CallBackList
最右边的图插入一个回调函数到PsThreadType->CallBackList
黄色块具体定义:
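/*
 * CALLBACK_ENTRY_ITEM - one per-object-type item of a registration.
 *
 * For each OB_OPERATION_REGISTRATION item handed to ObRegisterCallbacks,
 * one of these is linked into the target object type's callback list
 * (PsProcessType->CallBackList / PsThreadType->CallBackList in the figures
 * above). Layout is reverse-engineered from Windows 7 x64 SP1 ntoskrnl.exe
 * (see the environment note at the top) and the field names follow the
 * linked writeup, not an official Microsoft header — treat every offset as
 * build-specific until re-checked on the target kernel.
 *
 * CALLBACK_ENTRY is referenced here before its own typedef below, so a
 * forward declaration is required for this block to compile as ordered.
 */
typedef struct _CALLBACK_ENTRY CALLBACK_ENTRY;

typedef struct _CALLBACK_ENTRY_ITEM {
LIST_ENTRY EntryItemList; // links this item into the owning object type's callback list
OB_OPERATION Operations; // OB_OPERATION_HANDLE_CREATE / _DUPLICATE bits from the registration item
CALLBACK_ENTRY* CallbackEntry; // Points to the CALLBACK_ENTRY which we use for ObUnRegisterCallback
POBJECT_TYPE ObjectType; // object type this item was registered on (PsProcessType / PsThreadType)
POB_PRE_OPERATION_CALLBACK PreOperation; // may be NULL when only a post-operation callback was supplied
POB_POST_OPERATION_CALLBACK PostOperation; // may be NULL when only a pre-operation callback was supplied
__int64 unk; // purpose not identified by the reverse-engineering; do not rely on it
}CALLBACK_ENTRY_ITEM, *PCALLBACK_ENTRY_ITEM;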
绿色或橙色块具体定义：
/*
 * CALLBACK_ENTRY - the per-registration block created by one
 * ObRegisterCallbacks call (green/orange block in the figures above).
 *
 * Per the CallbackEntry comment in CALLBACK_ENTRY_ITEM, this is the object
 * that the registration handle refers to and that ObUnRegisterCallbacks
 * tears down. Layout is reverse-engineered from Windows 7 x64 SP1
 * ntoskrnl.exe (see the environment note at the top); names follow the
 * linked writeup, so every offset is build-specific and unverified on
 * other kernels. Fields named buffer1/buffer2 look like padding but their
 * meaning was not identified.
 */
typedef struct _CALLBACK_ENTRY{
__int16 Version; // presumably the Version passed in OB_CALLBACK_REGISTRATION — confirm
char buffer1[6]; // unidentified; likely padding — confirm
POB_OPERATION_REGISTRATION RegistrationContext; // NOTE(review): typed as a registration pointer here although the caller passes RegistrationContext = NULL above; verify the type
__int16 AltitudeLength1; // presumably Length of the altitude string (UNICODE_STRING-style) — confirm
__int16 AltitudeLength2; // presumably MaximumLength of the altitude string — confirm
char buffer2[4]; // unidentified; likely padding — confirm
WCHAR* AltitudeString; // copy of the Altitude buffer given at registration ("123321" in the samples below)
CALLBACK_ENTRY_ITEM Items; // Is actually an array of CALLBACK_ENTRY_ITEMs that are also in a doubly linked list
}CALLBACK_ENTRY, *PCALLBACK_ENTRY;
最左边的注册回调函数代码:
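/*
 * ProtectProcess - register object-manager pre-operation callbacks
 * (the "left" figure above: two OB_OPERATION_REGISTRATION items in a
 * single ObRegisterCallbacks call).
 *
 * Side effects: on success the registration handle is stored in the
 * file-scope obHandle (declared elsewhere). Keep it — the same handle must
 * be passed to ObUnRegisterCallbacks before the driver unloads, otherwise
 * the kernel is left with callbacks pointing into an unloaded image.
 *
 * Returns: the NTSTATUS from ObRegisterCallbacks. The original returned 0
 * unconditionally, so a failed registration (altitude collision, or a
 * driver image not linked with /INTEGRITYCHECK, which ObRegisterCallbacks
 * rejects) was reported as success and obHandle was printed regardless.
 */
NTSTATUS ProtectProcess(void)
{
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg[2];
    NTSTATUS status;

    /* Zero both structures before filling them; RegistrationContext stays NULL. */
    memset(&obReg, 0, sizeof(obReg));
    memset(opReg, 0, sizeof(opReg));

    /* First item: handle create/duplicate on processes, pre-operation only. */
    opReg[0].ObjectType = PsProcessType;
    opReg[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg[0].PreOperation = (POB_PRE_OPERATION_CALLBACK)(&MyCallback);

    /* Second item. NOTE(review): the description above says the second
     * callback lands in PsThreadType->CallBackList, but this registers it on
     * PsProcessType again — confirm which object type is intended. */
    opReg[1].ObjectType = PsProcessType;
    opReg[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg[1].PreOperation = (POB_PRE_OPERATION_CALLBACK)(&MyCallback);

    obReg.Version = ObGetFilterVersion();
    /* The count must cover the whole array: the original hard-coded 1 while
     * filling two items, so opReg[1] was silently never registered. */
    obReg.OperationRegistrationCount = sizeof(opReg) / sizeof(opReg[0]);
    /* Altitude must be unique among registered callbacks; ObRegisterCallbacks
     * fails on a collision instead of reordering. */
    RtlInitUnicodeString(&obReg.Altitude, L"123321");
    obReg.OperationRegistration = opReg;
    DbgPrint("%S\n", obReg.Altitude.Buffer);

    status = ObRegisterCallbacks(&obReg, &obHandle);
    if (!NT_SUCCESS(status)) {
        /* obHandle is not valid here; do not print or keep it. */
        DbgPrint("ObRegisterCallbacks failed: 0x%08lX\n", (unsigned long)status);
        return status;
    }
    DbgPrint("%p\n", obHandle);
    return status;
}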
最右边的注册回调函数代码:
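/*
 * ProtectProcess - register a single object-manager pre-operation callback
 * (the "right" figure above: one OB_OPERATION_REGISTRATION item).
 *
 * Side effects: on success the registration handle is stored in the
 * file-scope obHandle (declared elsewhere). Keep it — the same handle must
 * be passed to ObUnRegisterCallbacks before the driver unloads.
 *
 * Returns: the NTSTATUS from ObRegisterCallbacks. The original returned 0
 * unconditionally, so a failed registration (altitude collision, or a
 * driver image not linked with /INTEGRITYCHECK, which ObRegisterCallbacks
 * rejects) was reported as success and obHandle was printed regardless.
 */
NTSTATUS ProtectProcess(void)
{
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg[1];
    NTSTATUS status;

    /* Zero both structures before filling them; RegistrationContext stays NULL. */
    memset(&obReg, 0, sizeof(obReg));
    memset(opReg, 0, sizeof(opReg));

    /* NOTE(review): the description above says this callback lands in
     * PsThreadType->CallBackList, but the code registers on PsProcessType —
     * confirm which object type is intended. */
    opReg[0].ObjectType = PsProcessType;
    opReg[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg[0].PreOperation = (POB_PRE_OPERATION_CALLBACK)(&MyCallback);

    obReg.Version = ObGetFilterVersion();
    /* Derive the count from the array so it cannot drift from the items filled. */
    obReg.OperationRegistrationCount = sizeof(opReg) / sizeof(opReg[0]);
    /* Altitude must be unique among registered callbacks; ObRegisterCallbacks
     * fails on a collision instead of reordering. */
    RtlInitUnicodeString(&obReg.Altitude, L"123321");
    obReg.OperationRegistration = opReg;
    DbgPrint("%S\n", obReg.Altitude.Buffer);

    status = ObRegisterCallbacks(&obReg, &obHandle);
    if (!NT_SUCCESS(status)) {
        /* obHandle is not valid here; do not print or keep it. */
        DbgPrint("ObRegisterCallbacks failed: 0x%08lX\n", (unsigned long)status);
        return status;
    }
    DbgPrint("%p\n", obHandle);
    return status;
}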
资料参考:https://www.unknowncheats.me/forum/anti-cheat-bypass/148364-obregistercallbacks-countermeasures.html