实现 w10 64位环境下的进程结构保护,
用到的是对象回调(ObRegisterCallbacks),在回调里去掉句柄的访问权限,达到进程不能被读取的效果;需要关注的是几个回调函数和注册用的结构,其他的不必太过关注,
思路如下。第一次作图,其实本人也不擅长作图,将就看吧;代码里有详细的解释和调用顺序。
注意看图中的 1、2、3、4、5:
1是我当前需要保护进程
2是被保护的程序进程PID
3是加载驱动(我木有开启VS调试)
4,进程保护成功
#pragma once
#include<ntddk.h>
#include<wdm.h>
#include<windef.h>
/*
 * Handle access-right bits for process and thread objects. The values are the
 * SDK (winnt.h) definitions, repeated here so the pre-operation callbacks below
 * can test and clear individual rights in a handle's DesiredAccess mask; the
 * "begin_wdm" / "winnt" markers were copied along from that header. If the
 * kernel headers already define any of these names, the duplicate #define is
 * only legal while the value stays identical to the system header's.
 */
#define PROCESS_TERMINATE (0x0001)
#define PROCESS_CREATE_THREAD (0x0002)
#define PROCESS_SET_SESSIONID (0x0004)
#define PROCESS_VM_OPERATION (0x0008)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_VM_WRITE (0x0020)
#define PROCESS_DUP_HANDLE (0x0040)
#define PROCESS_CREATE_PROCESS (0x0080)
#define PROCESS_SET_QUOTA (0x0100)
#define PROCESS_SET_INFORMATION (0x0200)
#define PROCESS_QUERY_INFORMATION (0x0400)
#define PROCESS_SUSPEND_RESUME (0x0800)
#define PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
/* Thread rights. Only THREAD_TERMINATE, THREAD_SUSPEND_RESUME and
   THREAD_SET_THREAD_TOKEN are acted on by CBTdPreOpertionCallback_1. */
#define THREAD_TERMINATE (0x0001)
#define THREAD_SUSPEND_RESUME (0x0002)
#define THREAD_GET_CONTEXT (0x0008)
#define THREAD_SET_CONTEXT (0x0010)
#define THREAD_QUERY_INFORMATION (0x0040)
#define THREAD_SET_INFORMATION (0x0020)
#define THREAD_SET_THREAD_TOKEN (0x0080)
#define THREAD_IMPERSONATE (0x0100)
#define THREAD_DIRECT_IMPERSONATION (0x0200)
// begin_wdm
#define THREAD_SET_LIMITED_INFORMATION (0x0400) // winnt
#define THREAD_QUERY_LIMITED_INFORMATION (0x0800) // winnt
#define THREAD_RESUME (0x1000) // winnt
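/*
 * Loader data-table entry as laid out by the Windows 10 loader (field names and
 * the "Ptr64 / Uint4B / Uint8B" remarks follow a symbol dump). This driver only
 * touches Flags (see DriverEntry); every other member is carried so that the
 * offset of Flags is right and must match the target OS build's layout —
 * NOTE(review): confirm against the build actually deployed on.
 *
 * Fix relative to the previous revision: the bit flags were declared as 31
 * separate one-bit union members, so all of them aliased bit 0 of Flags. They
 * now live in an anonymous struct inside the union, which is the documented
 * shape; the union stays 4 bytes wide, so no other offset moves.
 */
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    LPVOID DllBase;          // Ptr64 in the symbol dump
    LPVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    union
    {
        UCHAR FlagGroup[4];
        ULONG Flags;         // whole flag word; bit 0x20 is the one DriverEntry sets
        struct
        {
            UCHAR PackagedBinary : 1;           // bit 0
            UCHAR MarkedForRemoval : 1;
            UCHAR ImageDll : 1;
            UCHAR LoadNotificationsSent : 1;
            UCHAR TelemetryEntryProcessed : 1;
            UCHAR ProcessStaticImport : 1;      // bit 5 == 0x20
            UCHAR InLegacyLists : 1;
            UCHAR InIndexes : 1;
            UCHAR ShimDll : 1;
            UCHAR InExceptionTable : 1;
            UCHAR ReservedFlags1 : 2;
            UCHAR LoadInProgress : 1;
            UCHAR LoadConfigProcessed : 1;
            UCHAR EntryProcessed : 1;
            UCHAR ProtectDelayLoad : 1;
            UCHAR ReservedFlags3 : 2;
            UCHAR DontCallForThreads : 1;
            UCHAR ProcessAttachCalled : 1;
            UCHAR ProcessAttachFailed : 1;
            UCHAR CorDeferredValidate : 1;
            UCHAR CorImage : 1;
            UCHAR DontRelocate : 1;
            UCHAR CorILOnly : 1;
            UCHAR ChpeImage : 1;
            UCHAR ReservedFlags5 : 2;
            UCHAR Redirected : 1;
            UCHAR ReservedFlags6 : 2;
            UCHAR CompatDatabaseProcessed : 1;  // bit 31
        };
    };
    USHORT ObsoleteLoadCount; // Uint2B
    USHORT TlsIndex;
    LIST_ENTRY HashLinks;
    ULONG TimeDateStamp;
    LPVOID EntryPointActivationContext;
    LPVOID Lock;
    LPVOID DdagNode;
    LIST_ENTRY NodeModuleLink;
    LPVOID LoadContext;
    LPVOID ParentDllBase;
    LPVOID SwitchBackContext;
    RTL_BALANCED_NODE BaseAddressIndexNode;
    RTL_BALANCED_NODE MappingInfoIndexNode;
    ULONG64 OriginalBase;     // Uint8B
    LARGE_INTEGER LoadTime;
    ULONG BaseNameHashValue;  // Uint4B
    LPVOID LoadReason;
    ULONG ImplicitPathOptions;
    ULONG ReferenceCount;
    ULONG DependentLoadFlags;
    UCHAR SigningLevel;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;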
/* Object-manager callback registration state shared by SetProtectCallBack
   (fills it in and registers) and HelloDDKUnload (unregisters). */
PVOID pCBRegisetionHandle = NULL;                               /* from ObRegisterCallbacks; NULL until registered */
UNICODE_STRING CBAltitude = { 0 };                              /* altitude string, initialised in SetProtectCallBack */
OB_OPERATION_REGISTRATION CBOpertionRegostertons[2] = { 0 };    /* [0] process objects, [1] thread objects */
OB_CALLBACK_REGISTRATION CBoRegistertion = { 0 };               /* top-level registration passed to ObRegisterCallbacks */
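/*
 * DriverUnload routine: tears down the object-manager callback registered by
 * SetProtectCallBack. Safe to call when registration never happened (the global
 * handle is NULL) and, after this fix, safe to reach twice: the handle is
 * cleared once ObUnRegisterCallbacks has consumed it, so a stale value can
 * never be passed a second time.
 *
 * NOTE(review): PDRIVER_UNLOAD is VOID (*)(PDRIVER_OBJECT); this routine returns
 * NTSTATUS, so the assignment in DriverEntry is a function-pointer type
 * mismatch. The return type is kept here so the existing call site is
 * untouched, but it should become VOID. The value returned is always
 * STATUS_SUCCESS.
 */
NTSTATUS HelloDDKUnload(PDRIVER_OBJECT pDriverObject)
{
    (void)pDriverObject;  /* only the global registration handle is needed */

    KdPrint(("Driver Un"));
    if (pCBRegisetionHandle != NULL)
    {
        ObUnRegisterCallbacks(pCBRegisetionHandle);
        pCBRegisetionHandle = NULL;
    }
    return STATUS_SUCCESS;
}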
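/*
 * Pre-operation callback for thread handles (CBOpertionRegostertons[1]). For
 * every user-mode handle create/duplicate that targets a thread owned by the
 * protected process, it removes the rights that would let the caller kill,
 * suspend/resume or re-token that thread. Kernel handles and the protected
 * process acting on its own threads are left untouched.
 *
 * Fixes relative to the previous revision:
 *  - the ObjectType test ended in a stray ';', so its body ran unconditionally;
 *  - the owner PID was read with PsGetProcessId() on a PETHREAD (wrong object
 *    type), so the PID comparison never matched the real owner; the value that
 *    was computed with PsGetThreadProcessId() was never used;
 *  - the self-exemption compared a thread object with PsGetCurrentProcess() and
 *    could never be true; it now mirrors the process callback by comparing the
 *    owner PID with the caller's PID;
 *  - two of the bit tests used '&=' instead of '&', which overwrote the whole
 *    access mask instead of testing one bit;
 *  - DesiredAccess was initialised from an integer constant cast to a pointer
 *    and dereferenced under __try; it is now only dereferenced after the switch
 *    has pointed it into PreInfo->Parameters.
 *
 * RehisterationCounttext: RegistrationContext from the registration (NULL).
 * PreInfo: object-manager description of the pending handle operation; its
 *          DesiredAccess is edited in place.
 * Returns OB_PREOP_SUCCESS always.
 *
 * NOTE(review): THREAD_SET_CONTEXT / THREAD_GET_CONTEXT remain grantable, and
 * the protected PID is the hard-coded sample value 4776 — make it configurable.
 */
OB_PREOP_CALLBACK_STATUS CBTdPreOpertionCallback_1(PVOID RehisterationCounttext, POB_PRE_OPERATION_INFORMATION PreInfo)
{
    /* Rights withheld from any user-mode handle to a protected thread. */
    const ACCESS_MASK DeniedThreadRights = THREAD_TERMINATE | THREAD_SUSPEND_RESUME | THREAD_SET_THREAD_TOKEN;
    /* PID of the protected process; sample value from the original post. */
    const HANDLE ProtectedPid = (HANDLE)(ULONG_PTR)4776;
    PACCESS_MASK DesiredAccess = NULL;
    HANDLE OwnerPid;

    (void)RehisterationCounttext;

    if (PreInfo->ObjectType != *PsThreadType)
    {
        return OB_PREOP_SUCCESS;
    }

    /* Object is a PETHREAD here; protection is keyed on the owning process. */
    OwnerPid = PsGetThreadProcessId((PETHREAD)PreInfo->Object);
    if (OwnerPid != ProtectedPid)
    {
        return OB_PREOP_SUCCESS;
    }

    /* The protected process may do anything to its own threads. */
    if (OwnerPid == PsGetCurrentProcessId())
    {
        KdPrint(("Current Prcoess"));
        return OB_PREOP_SUCCESS;
    }

    /* Kernel-mode handles are never restricted. */
    if (PreInfo->KernelHandle)
    {
        return OB_PREOP_SUCCESS;
    }

    switch (PreInfo->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        DesiredAccess = &PreInfo->Parameters->CreateHandleInformation.DesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        DesiredAccess = &PreInfo->Parameters->DuplicateHandleInformation.DesiredAccess;
        break;
    default:
        /* Only the two operations above are registered; nothing to edit otherwise. */
        return OB_PREOP_SUCCESS;
    }

    *DesiredAccess &= ~DeniedThreadRights;
    return OB_PREOP_SUCCESS;
}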
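/*
 * Pre-operation callback for process handles (CBOpertionRegostertons[0]). For
 * every user-mode handle create/duplicate that targets the protected process,
 * it removes the rights that would let the caller terminate it, inject a
 * thread, or operate on / read / write its memory. Kernel handles and the
 * protected process opening itself are left untouched.
 *
 * Fixes relative to the previous revision:
 *  - the ObjectType test ended in a stray ';', so its body ran unconditionally;
 *  - two of the bit tests used '&=' instead of '&', which replaced the whole
 *    access mask with a single bit and then cleared it, leaving the handle with
 *    no rights at all rather than the intended subset;
 *  - the DUPLICATE case pointed at CreateHandleInformation instead of
 *    DuplicateHandleInformation (same offset in the union, wrong member);
 *  - DesiredAccess was initialised from an integer constant cast to a pointer
 *    and dereferenced under __try; it is now only dereferenced after the switch
 *    has pointed it into PreInfo->Parameters, so the SEH wrapper is gone.
 *
 * RehisterationCounttext: RegistrationContext from the registration (NULL).
 * PreInfo: object-manager description of the pending handle operation; its
 *          DesiredAccess is edited in place.
 * Returns OB_PREOP_SUCCESS always.
 *
 * NOTE(review): the protected PID is the hard-coded sample value 4776 — make it
 * configurable instead of rebuilding the driver per target.
 */
OB_PREOP_CALLBACK_STATUS CBTdPreOpertionCallback(PVOID RehisterationCounttext, POB_PRE_OPERATION_INFORMATION PreInfo)
{
    /* Rights withheld from any user-mode handle to the protected process. */
    const ACCESS_MASK DeniedProcessRights = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    /* PID of the protected process; sample value from the original post. */
    const HANDLE ProtectedPid = (HANDLE)(ULONG_PTR)4776;
    PACCESS_MASK DesiredAccess = NULL;
    HANDLE pId;

    (void)RehisterationCounttext;

    if (PreInfo->ObjectType != *PsProcessType)
    {
        return OB_PREOP_SUCCESS;
    }

    pId = PsGetProcessId((PEPROCESS)PreInfo->Object);
    if (pId != ProtectedPid)
    {
        return OB_PREOP_SUCCESS;
    }

    /* The protected process may open itself with full rights. */
    if (PreInfo->Object == PsGetCurrentProcess())
    {
        KdPrint(("Current Prcoess"));
        return OB_PREOP_SUCCESS;
    }

    /* Kernel-mode handles are never restricted. */
    if (PreInfo->KernelHandle)
    {
        return OB_PREOP_SUCCESS;
    }

    switch (PreInfo->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        DesiredAccess = &PreInfo->Parameters->CreateHandleInformation.DesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        DesiredAccess = &PreInfo->Parameters->DuplicateHandleInformation.DesiredAccess;
        break;
    default:
        /* Only the two operations above are registered; nothing to edit otherwise. */
        return OB_PREOP_SUCCESS;
    }

    *DesiredAccess &= ~DeniedProcessRights;
    return OB_PREOP_SUCCESS;
}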
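/*
 * Registers pre-operation callbacks for process and thread handle create /
 * duplicate so the two CBTdPreOpertionCallback* routines can strip rights from
 * handles to the protected process.
 *
 * Returns the status of ObRegisterCallbacks; on success pCBRegisetionHandle
 * holds the handle that HelloDDKUnload releases. Idempotent: a second call
 * while already registered returns STATUS_SUCCESS without registering again,
 * so the first handle is never overwritten and leaked (the previous revision
 * also OR-ed into the Operations fields, which only worked because they start
 * zeroed).
 *
 * ObRegisterCallbacks validates the calling driver image; a driver not linked
 * with /INTEGRITYCHECK is expected to be refused (typically STATUS_ACCESS_DENIED).
 *
 * Fix: the error KdPrint used the broken format "0x % X"; it now prints the
 * status as 0x%08X.
 */
NTSTATUS SetProtectCallBack(void)
{
    NTSTATUS nStatus;

    if (pCBRegisetionHandle != NULL)
    {
        return STATUS_SUCCESS;  /* already registered */
    }

    /* [0]: process objects, [1]: thread objects. Both are pre-operation only on
       handle create + duplicate; no post-operation callback is needed to edit
       the requested access. */
    CBOpertionRegostertons[0].ObjectType = PsProcessType;
    CBOpertionRegostertons[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    CBOpertionRegostertons[0].PreOperation = CBTdPreOpertionCallback;
    CBOpertionRegostertons[0].PostOperation = NULL;

    CBOpertionRegostertons[1].ObjectType = PsThreadType;
    CBOpertionRegostertons[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    CBOpertionRegostertons[1].PreOperation = CBTdPreOpertionCallback_1;
    CBOpertionRegostertons[1].PostOperation = NULL;

    /* Altitude orders this registration among other drivers' callbacks; "2000"
       is the author's pick — a shipping driver should use an allocated altitude. */
    RtlInitUnicodeString(&CBAltitude, L"2000");

    CBoRegistertion.Version = OB_FLT_REGISTRATION_VERSION;
    CBoRegistertion.OperationRegistrationCount = (USHORT)(sizeof CBOpertionRegostertons / sizeof CBOpertionRegostertons[0]);
    CBoRegistertion.Altitude = CBAltitude;
    CBoRegistertion.RegistrationContext = NULL;  /* passed to the callbacks as RehisterationCounttext */
    CBoRegistertion.OperationRegistration = CBOpertionRegostertons;

    nStatus = ObRegisterCallbacks(&CBoRegistertion, &pCBRegisetionHandle);
    if (!NT_SUCCESS(nStatus))
    {
        KdPrint(("ObRegistert CallBack Error Code : 0x%08X", (unsigned)nStatus));
    }
    return nStatus;
}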
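/*
 * Driver entry point. Installs the unload routine, then registers the handle
 * callbacks that implement the protection. The registration status is now
 * propagated: if ObRegisterCallbacks fails, the driver load fails instead of
 * leaving an inert driver resident that reports success (the previous revision
 * discarded the status). Nothing needs releasing on that path because the
 * callback handle is still NULL.
 *
 * `ldr->Flags |= 0x20` sets, on this driver's own loader entry, the flag that
 * ObRegisterCallbacks' caller-integrity check tests (by the bit order in the
 * LDR_DATA_TABLE_ENTRY union above that is ProcessStaticImport). It lets an
 * image that was not linked with /INTEGRITYCHECK register. The supported route
 * is to link with /INTEGRITYCHECK and sign the image; a driver that patches its
 * own loader entry is exactly what driver-integrity monitoring should report as
 * tampering, so this line is kept only for parity with the original sample.
 *
 * pDriverObject: the driver object supplied by the I/O manager.
 * RegPath: registry service path; unused.
 * Returns STATUS_SUCCESS, or the failure status of SetProtectCallBack.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING RegPath)
{
    PLDR_DATA_TABLE_ENTRY ldr;

    (void)RegPath;

    KdPrint(("in Driver"));
    KdPrint(("Driver=%p", pDriverObject));

    ldr = pDriverObject->DriverSection;
    if (ldr != NULL)  /* guard the unchecked dereference of the previous revision */
    {
        ldr->Flags |= 0x20;
    }

    /* Install the unload routine before registering so that an unload after a
       successful registration always releases the callback handle. */
    pDriverObject->DriverUnload = HelloDDKUnload;

    return SetProtectCallBack();
}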