分享64位驱动保护进程源码

[复制链接]

该用户从未签到

发表于 2020-3-23 09:08:51 | 显示全部楼层 |阅读模式
环境:win7 64 / win8 / win10

  1. SSDT HOOK NtOpenProcess // 在这一路径上的代码点做 inline hook
  2. ObRegisterCallbacks // 注册回调函数进行过滤

/* Prototype of the object-manager registration routine used below.
 * CallbackRegistration: describes the callbacks to install (version, altitude,
 *                       context and the per-object-type operation table).
 * RegistrationHandle:   receives the handle identifying this registration;
 *                       it is what ObUnRegisterCallbacks takes at unload. */
NTSTATUS
ObRegisterCallbacks (
    _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
    _Outptr_ PVOID *RegistrationHandle
    );


上边这是函数定义。
第一个参数是注册回调的一些信息。
第二个参数返回此回调的指针:
创建一个进程会返回一个进程句柄,类似的创建一个回调会返回一个跟此回调相关的指针。

核心代码:

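/* Access rights that RegProtectProcess_Callback strips from handles opened to
 * the protected process. Exactly the four rights the original code filtered;
 * every other right is left untouched. */
#define PROTECTED_PROCESS_RIGHTS \
    (PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE)

/* Copy src into dst without ever writing more than dstsz bytes, always leaving
 * dst NUL-terminated. A NULL src yields an empty string. Replaces the strcpy()
 * the original used: the image name comes from a helper outside this block and
 * nothing bounded its length to the 128-byte stack buffer. */
static void CopyNameBounded(char *dst, size_t dstsz, const char *src)
{
    size_t i = 0;

    if (dstsz == 0) {
        return;
    }
    if (src != NULL) {
        for (; i + 1 < dstsz && src[i] != '\0'; i++) {
            dst[i] = src[i];
        }
    }
    dst[i] = '\0';
}

/* Remove from `desired` every protected right the caller originally asked
 * for. Equivalent to the original's four separate
 * "if (Original & X) Desired &= ~X" tests folded into one mask. */
static ULONG StripProtectedRights(ULONG originalDesired, ULONG desired)
{
    return desired & ~(originalDesired & PROTECTED_PROCESS_RIGHTS);
}

/*
 * Pre-operation callback installed through ObRegisterCallbacks for
 * PsProcessType.
 *
 * For each handle create or duplicate whose target process image name contains
 * "yjx150.exe", drops PROCESS_TERMINATE, PROCESS_VM_OPERATION, PROCESS_VM_READ
 * and PROCESS_VM_WRITE from the access that will be granted. The open itself is
 * never refused; OB_PREOP_SUCCESS is returned on every path.
 *
 * RegistrationContext    unused (the registrations below pass NULL).
 * pOperationInformation  the pending handle operation: target object, kind of
 *                        operation and the access masks to filter.
 */
OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
    char szProcName[128] = { 0 };

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* The HANDLE -> ULONG cast narrows a pointer-sized value; it matches what
     * GetProcessImageNameByProcessID expects per the original call. Bounded
     * copy so a long image path cannot overrun szProcName and a NULL result
     * cannot be dereferenced inside the callback. */
    CopyNameBounded(szProcName, sizeof szProcName, GetProcessImageNameByProcessID((ULONG)pid));

    if (strstr(szProcName, "yjx150.exe") == NULL) {
        return OB_PREOP_SUCCESS;
    }

    DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);

    /* NOTE(review): opens made from kernel mode (pOperationInformation->KernelHandle)
     * are filtered the same way here — confirm that is intended. */
    switch (pOperationInformation->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess =
            StripProtectedRights(
                pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess,
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess);
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* The registration asks for HANDLE_DUPLICATE as well, but the original
         * only filtered HANDLE_CREATE, so a duplicated handle kept every right.
         * Apply the same mask on this path. */
        pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess =
            StripProtectedRights(
                pOperationInformation->Parameters->DuplicateHandleInformation.OriginalDesiredAccess,
                pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess);
        break;
    default:
        break;
    }

    return OB_PREOP_SUCCESS;
}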

/* Registration handles handed back by ObRegisterCallbacks; each one is the
 * value ObUnRegisterCallbacks needs when the driver unloads. */
HANDLE g_obHandle_callback = NULL;  /* filled in by RegProtectProcess_callback() */
HANDLE g_obHandle_callback2 = NULL; /* filled in by RegProtectProcess2() */
  39. //注册保护回调
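/*
 * Install RegProtectProcess_Callback as an object-manager pre-operation filter
 * for process handle creation and duplication.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks. On success the registration
 * handle is kept in g_obHandle_callback for ObUnRegisterCallbacks at unload;
 * on failure the global is reset to NULL so the unload path never passes a
 * stale value. ObRegisterCallbacks requires the driver image to be linked with
 * /INTEGRITYCHECK; without it the call fails with STATUS_ACCESS_DENIED.
 */
NTSTATUS RegProtectProcess_callback()
{
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;
    NTSTATUS ret;

    /* The operation table only has to outlive the ObRegisterCallbacks call,
     * so a stack object is sufficient. Process objects only; threads would
     * need a second entry with PsThreadType. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback; /* POB_PRE_OPERATION_CALLBACK */
    /* No PostOperation: handles are not inspected after they exist. */

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* NOTE(review): the author notes altitudes are meant to be assigned by
     * Microsoft and that "321000" is the value commonly used instead; this
     * string is kept as written — confirm the registration succeeds with it. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575");
    obregCallBack.Version = ObGetFilterVersion(); /* OB_FLT_REGISTRATION_VERSION */
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg;

    /* NtOpenProcess reaches the callback through PsProcessType. */
    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback);
    if (!NT_SUCCESS(ret)) {
        g_obHandle_callback = NULL;
    }

    /* %p for the handle and %lx for the 32-bit NTSTATUS; the original %llx
     * read eight bytes for a four-byte status and printed garbage. */
    DbgPrint("yjx:---1111-----obHandle=%p ret=%lx ------RegProtectProcess_callback\n", g_obHandle_callback, ret);
    return ret;
}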

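/*
 * Second registration of RegProtectProcess_Callback, identical to
 * RegProtectProcess_callback() except for the altitude string and the global
 * that receives the registration handle (g_obHandle_callback2).
 *
 * Returns the NTSTATUS from ObRegisterCallbacks; on failure g_obHandle_callback2
 * is reset to NULL so ObUnRegisterCallbacks is never given a stale value.
 * Same /INTEGRITYCHECK link requirement as the first registration.
 */
NTSTATUS RegProtectProcess2()
{
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;
    NTSTATUS ret;

    /* Operation table: process handle create + duplicate, pre-operation only.
     * A stack object is fine; ObRegisterCallbacks does not keep the pointer
     * past the call. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback;

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* NOTE(review): a different altitude from the first registration, still
     * not the numeric form ("321000") the author mentions — confirm it works. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");
    obregCallBack.Version = ObGetFilterVersion();
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg; /* must point at opReg above */

    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2);
    if (!NT_SUCCESS(ret)) {
        g_obHandle_callback2 = NULL;
    }

    /* %p / %lx match the handle and the 32-bit NTSTATUS; %llx did not. */
    DbgPrint("yjx:---L156-----obHandle=%p ret=%lx ------RegProtectProcess2\n", g_obHandle_callback2, ret);
    return ret;
}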

支持楼主,支持看流星社区,以后我会经常来!

很好的源码。

感谢分享 win10 不会蓝屏?