There is no VEH (vectored exception handling) in ring 0; kernel-mode code only has SEH (`__try` / `__except`), and it only helps for exceptions raised inside a guarded region.
Using SEH in a driver:
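#include <ntifs.h>

/*
 * Minimal driver showing kernel-mode SEH: a deliberate write through a NULL
 * pointer inside __try is caught by __except instead of bugchecking.
 *
 * Two things worth knowing before loading this:
 *  - DbgBreakPoint() with no kernel debugger attached takes the machine down,
 *    so it is guarded with KD_DEBUGGER_NOT_PRESENT.
 *  - Do not rely on SEH as a safety net for faults raised at DISPATCH_LEVEL
 *    or above; DriverEntry runs at PASSIVE_LEVEL, which is why this works here.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver);

/*
 * Driver entry point.
 * pDriver: driver object; its DriverUnload member is set so the driver can be unloaded.
 * pPath:   registry path, unused.
 * Returns STATUS_SUCCESS.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pPath)
{
    UNREFERENCED_PARAMETER(pPath);

    /* Only break when a debugger is actually attached. */
    if (!KD_DEBUGGER_NOT_PRESENT) {
        DbgBreakPoint();
    }

    __try {
        /* volatile keeps the compiler from dropping or folding the NULL store. */
        volatile int *p = NULL;
        *p = 100;   /* raises STATUS_ACCESS_VIOLATION */
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Original used except(1) (a typo; 1 == EXCEPTION_EXECUTE_HANDLER). */
        KdPrint(("哈哈:掠过了一个异常"));
    }

    pDriver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

/* Unload callback; nothing to release. */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    UNREFERENCED_PARAMETER(pDriver);
}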
Object hook (replacing a procedure pointer in the object type)
The prerequisite is to define the relevant kernel structures (OBJECT_TYPE and OBJECT_TYPE_INITIALIZER) yourself, copying their layout from WinDbg (`dt nt!_OBJECT_TYPE`, `dt nt!_OBJECT_TYPE_INITIALIZER`).
The problem is that these layouts are platform and version dependent: the field offsets differ between Windows releases and between x86 and x64, so a hard-coded structure only works on the build it was copied from.
Example:
On 32-bit Windows (x86):
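#include <ntifs.h>

/*
 * Object hook on 32-bit Windows: replace the ParseProcedure of the File object
 * type so every name parse that reaches a file object (for example each
 * ZwCreateFile on a file path) first passes through NewParseProcedure.
 *
 * Caveats a reader should know before loading this:
 *  - The structure layouts below are hand-copied for one specific 32-bit
 *    Windows build. Verify them with WinDbg ("dt nt!_OBJECT_TYPE",
 *    "dt nt!_OBJECT_TYPE_INITIALIZER") before using them on any other build:
 *    a wrong offset does not necessarily fault, it silently overwrites some
 *    other field of a live kernel structure.
 *  - Procedure pointers are stored as ULONG, so the code only makes sense where
 *    sizeof(ULONG) == sizeof(PVOID), i.e. x86; the C_ASSERT refuses an x64
 *    build. 64-bit kernel patch protection is also reported to check object
 *    type structures, so the technique is not portable there anyway.
 *  - The hook is undone in DriverUnload, but nothing waits for threads that
 *    are still executing inside NewParseProcedure; unloading on a busy system
 *    can still fault in the unmapped image. Treat this as a lab/demo driver.
 */
C_ASSERT(sizeof(ULONG) == sizeof(PVOID));

/*
 * Author-defined copy of nt!_OBJECT_TYPE_INITIALIZER for the build this was
 * written against. Only the offset of ParseProcedure is actually relied on.
 * Named MY_* to avoid colliding with the opaque _OBJECT_TYPE that ntifs.h
 * forward-declares.
 */
typedef struct _MY_OBJECT_TYPE_INITIALIZER {
    USHORT          Length;
    UCHAR           ObjectTypeFlags;
    UCHAR           CaseInsensitive;
    UCHAR           UnnamedObjectsOnly;
    UCHAR           UseDefaultObject;
    UCHAR           SecurityRequired;
    UCHAR           MaintainHandleCount;
    UCHAR           MaintainTypeList;
    UCHAR           SupportsObjectCallbacks;
    UCHAR           CacheAligned;
    ULONG           ObjectTypeCode;
    BOOLEAN         InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    BOOLEAN         ValidAccessMask;
    BOOLEAN         RetainAccess;
    POOL_TYPE       PoolType;
    BOOLEAN         DefaultPagedPoolCharge;
    BOOLEAN         DefaultNonPagedPoolCharge;
    PVOID           DumpProcedure;
    ULONG           OpenProcedure;
    PVOID           CloseProcedure;
    PVOID           DeleteProcedure;
    ULONG           ParseProcedure;      /* the pointer this driver replaces */
    ULONG           SecurityProcedure;
    ULONG           QueryNameProcedure;
    UCHAR           OkayToCloseProcedure;
} MY_OBJECT_TYPE_INITIALIZER, *PMY_OBJECT_TYPE_INITIALIZER;

/* Author-defined copy of nt!_OBJECT_TYPE; see the note above. */
typedef struct _MY_OBJECT_TYPE {
    LIST_ENTRY                 TypeList;
    UNICODE_STRING             Name;
    PVOID                      DefaultObject;
    ULONG                      Index;
    ULONG                      TotalNumberOfObjects;
    ULONG                      TotalNumberOfHandles;
    ULONG                      HighWaterNumberOfObjects;
    ULONG                      HighWaterNumberOfHandles;
    MY_OBJECT_TYPE_INITIALIZER TypeInfo;
    ULONG                      TypeLock;
    ULONG                      Key;
    LIST_ENTRY                 CallbackList;
} MY_OBJECT_TYPE, *PMY_OBJECT_TYPE;

/* Signature of the exported nt!ObGetObjectType (stdcall, like all nt exports). */
typedef PVOID (NTAPI *OB_GET_OBJECT_TYPE)(PVOID Object);

/*
 * Signature of an object type's ParseProcedure. NTAPI is explicit so the hook
 * matches the kernel's calling convention even if the driver is built with a
 * different default.
 */
typedef NTSTATUS (NTAPI *OB_PARSE_PROCEDURE)(
    IN PVOID ParseObject,
    IN PVOID ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN KPROCESSOR_MODE AccessMode,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object);

static OB_PARSE_PROCEDURE g_OldParseProcedure = NULL;  /* saved original */
static OB_GET_OBJECT_TYPE g_ObGetObjectType   = NULL;  /* resolved at load */
static PMY_OBJECT_TYPE    g_HookedType        = NULL;  /* non-NULL while hooked */

VOID DriverUnload(PDRIVER_OBJECT objDriver);

/*
 * Replacement ParseProcedure: logs and forwards to the original.
 * It runs in the caller's context for every parse on a file object, so it must
 * stay cheap and must not block.
 */
static NTSTATUS NTAPI NewParseProcedure(
    IN PVOID ParseObject,
    IN PVOID ObjectType,
    IN OUT PACCESS_STATE AccessState,
    IN KPROCESSOR_MODE AccessMode,
    IN ULONG Attributes,
    IN OUT PUNICODE_STRING CompleteName,
    IN OUT PUNICODE_STRING RemainingName,
    IN OUT PVOID Context OPTIONAL,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos OPTIONAL,
    OUT PVOID *Object)
{
    KdPrint(("Hook success\n"));
    return g_OldParseProcedure(ParseObject, ObjectType, AccessState, AccessMode,
                               Attributes, CompleteName, RemainingName, Context,
                               SecurityQos, Object);
}

/*
 * Resolve ObGetObjectType by name (the kernel-mode analogue of GetProcAddress).
 * The lookup is case-sensitive; g_ObGetObjectType stays NULL if it fails and
 * OnHook checks for that.
 */
static VOID GetObjectTypeAddress(VOID)
{
    UNICODE_STRING usName;

    RtlInitUnicodeString(&usName, L"ObGetObjectType");
    g_ObGetObjectType = (OB_GET_OBJECT_TYPE)MmGetSystemRoutineAddress(&usName);
}

/*
 * Open (or create) a file from kernel mode and return a kernel handle to it.
 *
 * pstrFile: NT path in the object-manager namespace (e.g. L"\\??\\D:\\x.txt").
 * bIsDir:   TRUE to open a directory, FALSE for a regular file.
 * Returns the handle, or NULL on failure. The handle carries OBJ_KERNEL_HANDLE,
 * so user mode cannot reach it; release it with ZwClose.
 *
 * Kept from the original: FILE_OPEN_IF creates the file if it does not exist,
 * and GENERIC_ALL asks for more access than this demo needs. If all you want
 * is the File object type, the IoFileObjectType export avoids opening a file
 * at all.
 */
static HANDLE KernelCreateFile(IN PUNICODE_STRING pstrFile, IN BOOLEAN bIsDir)
{
    HANDLE            hFile        = NULL;
    NTSTATUS          status;
    IO_STATUS_BLOCK   statusBlock  = {0};
    OBJECT_ATTRIBUTES objAttrib    = {0};
    ULONG             ulShareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE;
    ULONG             ulCreateOpt  = FILE_SYNCHRONOUS_IO_NONALERT;

    if (pstrFile == NULL) {
        return NULL;
    }

    InitializeObjectAttributes(&objAttrib,
                               pstrFile,
                               OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
                               NULL,
                               NULL);

    ulCreateOpt |= bIsDir ? FILE_DIRECTORY_FILE : FILE_NON_DIRECTORY_FILE;

    status = ZwCreateFile(&hFile,
                          GENERIC_ALL,
                          &objAttrib,
                          &statusBlock,
                          NULL,                   /* allocation size */
                          FILE_ATTRIBUTE_NORMAL,
                          ulShareAccess,
                          FILE_OPEN_IF,
                          ulCreateOpt,
                          NULL,                   /* EA buffer */
                          0);                     /* EA length */
    if (!NT_SUCCESS(status)) {
        KdPrint(("ZwCreateFile failed: 0x%08X\n", status));
        return NULL;
    }
    return hFile;
}

/*
 * Install the hook:
 *  1. open a file to get a file object,
 *  2. ask ObGetObjectType for its OBJECT_TYPE,
 *  3. save the current ParseProcedure,
 *  4. point ParseProcedure at NewParseProcedure.
 *
 * The file handle and the object reference are released as soon as the type
 * pointer is known; the type object itself is long-lived. The final store is
 * a single aligned pointer-sized write, which is why no lock is taken.
 * Returns STATUS_SUCCESS, or an error with nothing installed.
 */
static NTSTATUS OnHook(VOID)
{
    UNICODE_STRING  ustrFilePath;
    HANDLE          hFile;
    PVOID           pObject   = NULL;
    PMY_OBJECT_TYPE pFileType;
    NTSTATUS        status;

    if (g_ObGetObjectType == NULL) {
        KdPrint(("ObGetObjectType not found\n"));
        return STATUS_PROCEDURE_NOT_FOUND;
    }
    if (g_HookedType != NULL) {
        return STATUS_SUCCESS;            /* already hooked */
    }

    RtlInitUnicodeString(&ustrFilePath, L"\\??\\d:\\123.txt");
    hFile = KernelCreateFile(&ustrFilePath, FALSE);
    if (hFile == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    status = ObReferenceObjectByHandle(hFile, GENERIC_ALL, NULL, KernelMode,
                                       &pObject, NULL);
    ZwClose(hFile);                       /* the object reference is enough */
    if (!NT_SUCCESS(status)) {
        KdPrint(("ObReferenceObjectByHandle failed: 0x%08X\n", status));
        return status;
    }

    pFileType = (PMY_OBJECT_TYPE)g_ObGetObjectType(pObject);
    ObDereferenceObject(pObject);
    if (pFileType == NULL) {
        return STATUS_UNSUCCESSFUL;
    }

    g_OldParseProcedure = (OB_PARSE_PROCEDURE)pFileType->TypeInfo.ParseProcedure;
    if (g_OldParseProcedure == NULL) {
        return STATUS_UNSUCCESSFUL;       /* layout is probably wrong; do not write */
    }
    g_HookedType = pFileType;
    pFileType->TypeInfo.ParseProcedure = (ULONG)NewParseProcedure;
    return STATUS_SUCCESS;
}

/*
 * Restore the original ParseProcedure. The original listing left this empty,
 * which meant that after unload the type still pointed into freed driver
 * memory. See the file comment for the remaining in-flight-caller race.
 */
static VOID OffHook(VOID)
{
    if (g_HookedType != NULL && g_OldParseProcedure != NULL) {
        g_HookedType->TypeInfo.ParseProcedure = (ULONG)g_OldParseProcedure;
        g_HookedType = NULL;
    }
}

/*
 * Driver entry point: resolve ObGetObjectType and install the hook.
 * pDriver:    driver object; DriverUnload is registered on success.
 * strRegPath: registry path, unused.
 * Returns STATUS_SUCCESS when hooked; otherwise the failure code (no hook is
 * left behind, so the driver simply fails to load).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING strRegPath)
{
    NTSTATUS status = STATUS_UNSUCCESSFUL;

    UNREFERENCED_PARAMETER(strRegPath);

    /* Only break when a kernel debugger is attached; otherwise this bugchecks. */
    if (!KD_DEBUGGER_NOT_PRESENT) {
        DbgBreakPoint();
    }

    /* SEH guards against a fault caused by a wrong structure layout; it does
     * not protect against a layout that is wrong but still mapped. */
    __try {
        GetObjectTypeAddress();
        status = OnHook();
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        KdPrint(("passing an exception \n"));
        status = (NTSTATUS)GetExceptionCode();
    }

    if (!NT_SUCCESS(status)) {
        return status;
    }

    KdPrint(("My first dirver!"));
    pDriver->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}

/* Unload callback: remove the hook before the image disappears. */
VOID DriverUnload(PDRIVER_OBJECT objDriver)
{
    UNREFERENCED_PARAMETER(objDriver);
    OffHook();
    KdPrint(("My dirver is unloading ..."));
}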
Windows ring-0 exception handling and object hooks