进程保护部分参考 http://bbs.pediy.com/showthread.php?t=168023

进程保护,在任务管理器不能结束进程

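#ifndef CXX_PROTECTPROCESSX64_H
#define CXX_PROTECTPROCESSX64_H

#include <ntifs.h>

/*
 * Process access rights that the Ob callback strips from handles to the
 * protected process.  Newer WDKs already define these in ntifs.h/ntddk.h,
 * so each one is guarded to avoid a redefinition warning while still
 * supplying the value on kits that lack it.
 */
#ifndef PROCESS_TERMINATE
#define PROCESS_TERMINATE    0x0001
#endif
#ifndef PROCESS_VM_OPERATION
#define PROCESS_VM_OPERATION 0x0008
#endif
#ifndef PROCESS_VM_READ
#define PROCESS_VM_READ      0x0010
#endif
#ifndef PROCESS_VM_WRITE
#define PROCESS_VM_WRITE     0x0020
#endif

NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString);
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj);

/*
 * Private copy of the kernel's loader entry (LDR_DATA_TABLE_ENTRY) in its
 * Windows 7 x64 layout.  The structure is undocumented and version-specific;
 * DriverEntry casts DriverObject->DriverSection to it and only ever touches
 * Flags, so that field's offset is pinned below rather than trusting the
 * whole layout.
 */
typedef struct _LDR_DATA_TABLE_ENTRY64
{
    LIST_ENTRY64 InLoadOrderLinks;
    LIST_ENTRY64 InMemoryOrderLinks;
    LIST_ENTRY64 InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;                     /* DriverEntry ORs 0x20 into this field */
    USHORT LoadCount;
    USHORT TlsIndex;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY64 ForwarderLinks;
    LIST_ENTRY64 ServiceTagLinks;
    LIST_ENTRY64 StaticLinks;
    PVOID ContextInformation;
    ULONG64 OriginalBase;
    LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

/* The only field written through this layout; keep it at the Win7 x64 offset. */
C_ASSERT(FIELD_OFFSET(LDR_DATA_TABLE_ENTRY64, Flags) == 0x68);

/*
 * Exported by ntoskrnl but not declared in the public headers.  Returns a
 * pointer to the short image name stored in the EPROCESS (not a full path;
 * widely reported to hold at most 15 characters).  The pointer is only valid
 * while the process object stays referenced.
 */
extern
UCHAR *
PsGetProcessImageFileName(
    __in PEPROCESS Process
    );

char *GetProcessImageNameByProcessID(ULONG ulProcessID);
NTSTATUS ProtectProcess(BOOLEAN Enable);
OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation);

#endif /* CXX_PROTECTPROCESSX64_H */

/* ---- ProtectProcessx64.c ---- */
#ifndef CXX_PROTECTPROCESSX64_H
# include "ProtectProcessx64.h"
#endif

/*
 * Registration handle returned by ObRegisterCallbacks (second argument).
 * Stays NULL if registration never succeeded; DriverUnload must not hand a
 * NULL handle to ObUnRegisterCallbacks.
 */
PVOID obHandle = NULL;

NTSTATUS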
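DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    NTSTATUS status;
    PLDR_DATA_TABLE_ENTRY64 ldr;

    UNREFERENCED_PARAMETER(pRegistryString);

    pDriverObj->DriverUnload = DriverUnload;

    /*
     * ObRegisterCallbacks rejects callbacks living in images that
     * MmVerifyCallbackFunction does not accept.  The author sidesteps that
     * check by setting bit 0x20 in the driver's own loader-entry Flags, the
     * bit the loader uses to record that the image's integrity check was
     * enforced.  This writes an undocumented kernel structure through a
     * Win7 x64-only layout and is not the supported route: link the driver
     * with /INTEGRITYCHECK and sign it instead, and expect this patch to
     * break on other kernel versions.
     */
    ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
    ldr->Flags |= 0x20;

    /*
     * Propagate the registration status.  The original returned
     * STATUS_SUCCESS unconditionally, so a failed ObRegisterCallbacks left
     * the driver loaded with obHandle == NULL and the "protection" silently
     * absent, and the eventual DriverUnload passed that NULL handle to
     * ObUnRegisterCallbacks.
     */
    status = ProtectProcess(TRUE);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ProtectProcess failed: 0x%08X\n", status);
    }
    return status;
}

NTSTATUS ProtectProcess(BOOLEAN Enable)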
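{
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg;

    /*
     * Only enabling is implemented; the registration is torn down by
     * DriverUnload.  The parameter is kept so existing callers still compile.
     */
    UNREFERENCED_PARAMETER(Enable);

    /* A second registration would overwrite (and leak) the first handle. */
    if (obHandle != NULL)
    {
        return STATUS_ALREADY_REGISTERED;
    }

    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    /* The callback runs for new handles and for DuplicateHandle() alike. */
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall;
    opReg.PostOperation = NULL;

    memset(&obReg, 0, sizeof(obReg));
    obReg.Version = ObGetFilterVersion();
    obReg.OperationRegistrationCount = 1;   /* exactly one entry in opReg */
    obReg.RegistrationContext = NULL;
    /*
     * NOTE(review): the altitude is empty in this listing.  ObRegisterCallbacks
     * expects a numeric altitude string (the digits appear to have been lost
     * when the page was captured, like the other numeric literals); fill in
     * the value allotted to this driver before building.
     */
    RtlInitUnicodeString(&obReg.Altitude, L"");
    obReg.OperationRegistration = &opReg;

    return ObRegisterCallbacks(&obReg, &obHandle);
}

OB_PREOP_CALLBACK_STATUS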
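preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    /* Rights the protected process must never grant to a new or duplicated handle. */
    const ACCESS_MASK DeniedAccess =
        PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    PEPROCESS Process = (PEPROCESS)pOperationInformation->Object;
    const char *ImageName;
    PACCESS_MASK DesiredAccess;

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* Registered for PsProcessType only; fail closed if anything else arrives. */
    if (pOperationInformation->ObjectType != *PsProcessType)
    {
        return OB_PREOP_SUCCESS;
    }

    /*
     * The callback already holds the target EPROCESS in Object, so read the
     * image name from it directly instead of PID -> PsLookupProcessByProcessId
     * -> name.  The original copied that name with strcpy() into a local
     * buffer declared without a size and never checked for a NULL return
     * (the helper returns FALSE on failure) - a stack overwrite or NULL
     * dereference in kernel mode.
     */
    ImageName = (const char *)PsGetProcessImageFileName(Process);
    if (ImageName == NULL)
    {
        return OB_PREOP_SUCCESS;
    }

    /*
     * Matching on the image name is the weakest identity check available:
     * any process may call itself calc.exe and inherit the protection, and
     * the field is the short EPROCESS name (widely reported as 15 characters),
     * not a verified path.
     */
    if (_stricmp(ImageName, "calc.exe") != 0)
    {
        return OB_PREOP_SUCCESS;
    }

    switch (pOperationInformation->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        DesiredAccess = &pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /*
         * The original registered for HANDLE_DUPLICATE but only filtered
         * HANDLE_CREATE, so OpenProcess() with harmless rights followed by
         * DuplicateHandle() asking for PROCESS_TERMINATE still worked.
         */
        DesiredAccess = &pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
        break;
    default:
        return OB_PREOP_SUCCESS;
    }

    /*
     * Clearing the bits is the whole enforcement: the handle is still
     * created, just without terminate / VM rights.  NOTE(review): confirm
     * whether GENERIC_* and MAXIMUM_ALLOWED have already been mapped to
     * specific rights when this runs; if not they need handling here too.
     */
    *DesiredAccess &= ~DeniedAccess;

    return OB_PREOP_SUCCESS;
}

/*
 * Earlier attempt, kept for reference: resolving the name through
 * ZwOpenProcess creates a process handle, which re-enters this very
 * callback, which opens the process again ... until the machine bugchecked.
 * Never open handles from inside an Ob pre-operation callback.
 *
char*
GetProcessImageNameByProcessID(ULONG ulProcessID)
{
    CLIENT_ID Cid;
    HANDLE hProcess;
    NTSTATUS Status;
    OBJECT_ATTRIBUTES oa;
    PEPROCESS EProcess = NULL;

    Cid.UniqueProcess = (HANDLE)ulProcessID;
    Cid.UniqueThread = 0;
    InitializeObjectAttributes(&oa,0,0,0,0);
    Status = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&Cid);   // forces the process open -> recursion into preCall
    if (!NT_SUCCESS(Status))
    {
        return FALSE;
    }
    Status = ObReferenceObjectByHandle(hProcess,FILE_READ_DATA,0,
                                       KernelMode,&EProcess, 0);     // EPROCESS from the handle
    if (!NT_SUCCESS(Status))
    {
        ZwClose(hProcess);
        return FALSE;
    }
    ObDereferenceObject(EProcess);
    ZwClose(hProcess);
    return (char*)PsGetProcessImageFileName(EProcess);              // name from the EPROCESS
}
*/
char*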
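GetProcessImageNameByProcessID(ULONG ulProcessID)
{
    NTSTATUS Status;
    PEPROCESS EProcess = NULL;

    /*
     * Resolve the PID without opening a handle: a handle open from inside an
     * Ob callback re-enters the callback.  The two-step cast avoids the
     * 32-to-64-bit pointer-conversion warning of a bare (HANDLE) cast.
     */
    Status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)ulProcessID, &EProcess);
    if (!NT_SUCCESS(Status) || EProcess == NULL)
    {
        /* The original returned FALSE through a char*; NULL is the same bits with clearer intent. */
        return NULL;
    }

    /*
     * PsLookupProcessByProcessId took a reference that has to be released.
     * The pointer returned below lives inside the EPROCESS, so it is only
     * safe to use while the caller holds its own reference to the process
     * (for example the Object reference an Ob callback already has); with
     * no such reference the process can be torn down under the string.
     */
    ObDereferenceObject(EProcess);

    return (char *)PsGetProcessImageFileName(EProcess);
}

VOID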
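DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);

    DbgPrint("driver unloading...\n");

    /*
     * ObRegisterCallbacks may have failed in DriverEntry, leaving obHandle
     * NULL; ObUnRegisterCallbacks only accepts a handle that call returned.
     * Same check the file-protection driver's UnloadDriver already makes.
     */
    if (obHandle != NULL)
    {
        ObUnRegisterCallbacks(obHandle);
        obHandle = NULL;
    }
}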

我们使用任务管理器结束进程

结果是不能关闭的

文件保护

#ifndef CXX_FILEPROTECTX64_H
#define CXX_FILEPROTECTX64_H

#include <ntifs.h>
#include <devioctl.h>

/* Entry point: patches the driver's loader entry, then registers the file-object callback. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);

/* Unload routine: releases the callback registration made by DriverEntry. */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
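/*
 * Private copy of the kernel's loader entry (LDR_DATA_TABLE_ENTRY) in its
 * Windows 7 x64 layout.  Undocumented and version-specific; DriverEntry casts
 * DriverObject->DriverSection to it and only writes Flags, so that field's
 * offset is pinned below instead of trusting the whole layout.
 */
typedef struct _LDR_DATA_TABLE_ENTRY64
{
    LIST_ENTRY64 InLoadOrderLinks;
    LIST_ENTRY64 InMemoryOrderLinks;
    LIST_ENTRY64 InInitializationOrderLinks;
    PVOID DllBase;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags;                     /* DriverEntry ORs 0x20 into this field */
    USHORT LoadCount;
    USHORT TlsIndex;
    PVOID SectionPointer;
    ULONG CheckSum;
    PVOID LoadedImports;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    LIST_ENTRY64 ForwarderLinks;
    LIST_ENTRY64 ServiceTagLinks;
    LIST_ENTRY64 StaticLinks;
    PVOID ContextInformation;
    ULONG64 OriginalBase;
    LARGE_INTEGER LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

/* The only field written through this layout; keep it at the Win7 x64 offset. */
C_ASSERT(FIELD_OFFSET(LDR_DATA_TABLE_ENTRY64, Flags) == 0x68);

/*
 * Win7 x64 view of OBJECT_TYPE_INITIALIZER (the TypeInfo member of the
 * kernel's OBJECT_TYPE).  EnableObType flips SupportsObjectCallbacks through
 * this layout; it is undocumented and must be re-checked for any other build.
 */
typedef struct _OBJECT_TYPE_INITIALIZER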
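{
    UINT16 Length;
    union
    {
        UINT8 ObjectTypeFlags;
        struct
        {
            /*
             * Single-bit flags sharing ObjectTypeFlags.  The ": 1" widths were
             * lost in the captured listing and are restored here; without a
             * width the declarations do not compile.
             */
            UINT8 CaseInsensitive : 1;
            UINT8 UnnamedObjectsOnly : 1;
            UINT8 UseDefaultObject : 1;
            UINT8 SecurityRequired : 1;
            UINT8 MaintainHandleCount : 1;
            UINT8 MaintainTypeList : 1;
            /* ObRegisterCallbacks only accepts types with this bit set; EnableObType sets it on IoFileObjectType. */
            UINT8 SupportsObjectCallbacks : 1;
        };
    };
    ULONG32 ObjectTypeCode;
    ULONG32 InvalidAttributes;
    struct _GENERIC_MAPPING GenericMapping;
    ULONG32 ValidAccessMask;
    ULONG32 RetainAccess;
    enum _POOL_TYPE PoolType;
    ULONG32 DefaultPagedPoolCharge;
    ULONG32 DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

/* Size implied by the fields above on x64; guards against accidental edits to the layout. */
C_ASSERT(sizeof(OBJECT_TYPE_INITIALIZER) == 0x70);

/*
 * Win7 x64 view of the kernel's OBJECT_TYPE; only TypeInfo is ever touched.
 * Explicit _PADDING_ members reproduce the compiler's alignment gaps.
 */
typedef struct _OBJECT_TYPE_TEMP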
{
/* Win7 x64 layout of OBJECT_TYPE as dumped from the kernel; the explicit _PADDING_ arrays stand in for alignment gaps. */
struct _LIST_ENTRY TypeList;
struct _UNICODE_STRING Name;
VOID* DefaultObject;
UINT8 Index;
UINT8 _PADDING0_[0x3];
ULONG32 TotalNumberOfObjects;
ULONG32 TotalNumberOfHandles;
ULONG32 HighWaterNumberOfObjects;
ULONG32 HighWaterNumberOfHandles;
UINT8 _PADDING1_[0x4];
/* With this layout TypeInfo sits at 0x40; EnableObType writes TypeInfo.SupportsObjectCallbacks and nothing else. */
struct _OBJECT_TYPE_INITIALIZER TypeInfo;
ULONG64 TypeLock;
ULONG32 Key;
UINT8 _PADDING2_[0x4];
/* Head of the Ob callback registrations for this type (ObRegisterCallbacks links into it). */
struct _LIST_ENTRY CallbackList;
/* EnableObType: sets SupportsObjectCallbacks on an OBJECT_TYPE so ObRegisterCallbacks will accept it. */
}OBJECT_TYPE_TEMP, *POBJECT_TYPE_TEMP; VOID EnableObType(POBJECT_TYPE ObjectType);
/* Registers the IoFileObjectType pre-operation callback; returns the ObRegisterCallbacks status. */
NTSTATUS ProtectFileByObRegisterCallbacks();

/* Pre-operation callback invoked for every file handle create/duplicate. */
OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation);

/* Looks up the DOS-style path of a file object; see the definition for buffer ownership. */
UNICODE_STRING GetFilePathByFileObject(PVOID FileObject);

#endif /* CXX_FILEPROTECTX64_H */

/* ---- FileProtectX64.c ---- */
#ifndef CXX_FILEPROTECTX64_H
# include "FileProtectX64.h"
#endif

/* Handle returned by ObRegisterCallbacks; NULL until registration succeeds, released by UnloadDriver. */
PVOID CallBackHandle = NULL;
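NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
    NTSTATUS Status;
    PLDR_DATA_TABLE_ENTRY64 ldr;

    UNREFERENCED_PARAMETER(RegisterPath);

    DriverObject->DriverUnload = UnloadDriver;

    /*
     * Sets bit 0x20 in the driver's own loader-entry Flags so that
     * MmVerifyCallbackFunction lets ObRegisterCallbacks accept this image.
     * This writes an undocumented kernel structure through a Win7 x64-only
     * layout; the supported route is to link with /INTEGRITYCHECK and sign
     * the driver.
     */
    ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection;
    ldr->Flags |= 0x20;

    /*
     * Propagate the registration status instead of returning STATUS_SUCCESS
     * unconditionally: a failed registration otherwise leaves the driver
     * resident with no protection in place and CallBackHandle NULL.
     */
    Status = ProtectFileByObRegisterCallbacks();
    if (!NT_SUCCESS(Status))
    {
        DbgPrint("ProtectFileByObRegisterCallbacks failed: 0x%08X\r\n", Status);
    }
    return Status;
}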
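NTSTATUS ProtectFileByObRegisterCallbacks(VOID)
{
    OB_CALLBACK_REGISTRATION CallBackReg;
    OB_OPERATION_REGISTRATION OperationReg;
    NTSTATUS Status;

    /* A second registration would overwrite (and leak) the first handle. */
    if (CallBackHandle != NULL)
    {
        return STATUS_ALREADY_REGISTERED;
    }

    /*
     * IoFileObjectType is not a type ObRegisterCallbacks supports; EnableObType
     * patches its SupportsObjectCallbacks bit so the registration is accepted.
     */
    EnableObType(*IoFileObjectType);

    memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION));
    OperationReg.ObjectType = IoFileObjectType;
    OperationReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack;
    OperationReg.PostOperation = NULL;

    memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION));
    CallBackReg.Version = ObGetFilterVersion();
    CallBackReg.OperationRegistrationCount = 1;   /* exactly one entry in OperationReg */
    CallBackReg.RegistrationContext = NULL;
    /*
     * NOTE(review): the altitude is empty in this listing.  ObRegisterCallbacks
     * expects a numeric altitude string (the digits appear to have been lost
     * when the page was captured); fill in the value allotted to this driver.
     */
    RtlInitUnicodeString(&CallBackReg.Altitude, L"");
    CallBackReg.OperationRegistration = &OperationReg;

    /*
     * Return the real NTSTATUS.  The original collapsed every failure into
     * STATUS_UNSUCCESSFUL, hiding the reason (for example
     * STATUS_FLT_INSTANCE_ALTITUDE_COLLISION or STATUS_ACCESS_DENIED from
     * the image integrity check).  NT_SUCCESS() on the result is unchanged
     * for existing callers.
     */
    Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle);
    if (!NT_SUCCESS(Status))
    {
        CallBackHandle = NULL;
    }
    return Status;
}

OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)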
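{
    NTSTATUS Status;
    PFILE_OBJECT FileObject = (PFILE_OBJECT)OperationInformation->Object;
    HANDLE CurrentProcessId = PsGetCurrentProcessId();
    POBJECT_NAME_INFORMATION NameInfo = NULL;
    UNICODE_STRING DosName = { 0 };
    UNICODE_STRING ProtectedPath;

    UNREFERENCED_PARAMETER(RegistrationContext);

    if (OperationInformation->ObjectType != *IoFileObjectType)
    {
        return OB_PREOP_SUCCESS;
    }

    /*
     * MmIsAddressValid only reports whether a page is resident at this
     * instant; it is neither a correctness nor a security check.  The test is
     * kept from the original purely to skip file objects without a name or
     * device yet.
     */
    if (FileObject->FileName.Buffer == NULL ||
        !MmIsAddressValid(FileObject->FileName.Buffer) ||
        FileObject->DeviceObject == NULL ||
        !MmIsAddressValid(FileObject->DeviceObject))
    {
        return OB_PREOP_SUCCESS;
    }

    /*
     * IoQueryFileDosDeviceName allocates the OBJECT_NAME_INFORMATION and the
     * caller must ExFreePool it.  The original fetched the name through
     * GetFilePathByFileObject, which returns only the embedded UNICODE_STRING
     * and so can never hand the allocation back: one buffer leaked per file
     * handle created on the system.  Query here and free on every exit path.
     */
    Status = IoQueryFileDosDeviceName(FileObject, &NameInfo);
    if (!NT_SUCCESS(Status) || NameInfo == NULL ||
        NameInfo->Name.Buffer == NULL || NameInfo->Name.Length == 0)
    {
        return OB_PREOP_SUCCESS;
    }

    /*
     * Compare the whole DOS path case-insensitively.  The original wcsstr()
     * match was case-sensitive (so D:\TEST.TXT opened the same NTFS file
     * unprotected) and matched any path merely containing the string, e.g.
     * D:\Test.txt.bak.  NOTE(review): confirm that the name the file system
     * reports here is the DOS-style path this literal expects.
     */
    RtlInitUnicodeString(&ProtectedPath, L"D:\\Test.txt");
    if (RtlEqualUnicodeString(&NameInfo->Name, &ProtectedPath, TRUE))
    {
        /* Only opens that already carry write or delete access are neutered; read-only opens pass through. */
        if (FileObject->DeleteAccess == TRUE || FileObject->WriteAccess == TRUE)
        {
            if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
            {
                OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
            }
            if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE)
            {
                OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
            }
        }
    }

    /*
     * RtlVolumeDeviceToDosName allocates DosName.Buffer on success; the
     * original neither checked its status (printing an uninitialized string
     * on failure) nor freed the buffer.  %lu with a 32-bit PID replaces the
     * original %ld / ULONG64 mismatch.  This trace fires for every file
     * handle on the machine and is expensive; drop it outside of debugging.
     */
    Status = RtlVolumeDeviceToDosName(FileObject->DeviceObject, &DosName);
    if (NT_SUCCESS(Status))
    {
        DbgPrint("PID : %lu File : %wZ %wZ\r\n", (ULONG)(ULONG_PTR)CurrentProcessId, &DosName, &NameInfo->Name);
        if (DosName.Buffer != NULL)
        {
            ExFreePool(DosName.Buffer);
        }
    }

    ExFreePool(NameInfo);
    return OB_PREOP_SUCCESS;
}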
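UNICODE_STRING GetFilePathByFileObject(PVOID FileObject)
{
    /* Length 0 / Buffer NULL on failure; the original fell off the end without a return value. */
    UNICODE_STRING Path = { 0 };
    POBJECT_NAME_INFORMATION ObjectNameInfo = NULL;

    if (FileObject != NULL &&
        NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &ObjectNameInfo)) &&
        ObjectNameInfo != NULL)
    {
        /*
         * Name.Buffer points inside the OBJECT_NAME_INFORMATION allocation,
         * which the caller of IoQueryFileDosDeviceName must ExFreePool.  This
         * interface hands back only the UNICODE_STRING, so the caller has no
         * pointer it can free: every successful call leaks the allocation.
         * Prefer calling IoQueryFileDosDeviceName directly and freeing the
         * structure once the name has been used.
         */
        Path = ObjectNameInfo->Name;
    }
    return Path;
}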
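VOID EnableObType(POBJECT_TYPE ObjectType)
{
    POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType;

    if (ObjectTypeTemp == NULL)
    {
        return;
    }

    /*
     * ObRegisterCallbacks refuses object types whose SupportsObjectCallbacks
     * bit is clear; setting it on IoFileObjectType makes the kernel run
     * callbacks it does not officially support for files.  The write goes
     * through a Win7 x64-only layout of the kernel's OBJECT_TYPE, is the kind
     * of kernel-structure modification PatchGuard may flag where it is
     * active, and nothing restores the bit on unload.  The literal 1 was lost
     * in the captured listing; enabling is the only sensible value here.
     */
    ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1;
}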
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    PVOID Registration = CallBackHandle;

    UNREFERENCED_PARAMETER(DriverObject);

    /*
     * Registration may have failed in DriverEntry, in which case there is
     * nothing to unregister.  Note that the SupportsObjectCallbacks bit set
     * on IoFileObjectType by EnableObType is left in place.
     */
    if (Registration != NULL)
    {
        ObUnRegisterCallbacks(Registration);
    }

    DbgPrint("UnloadDriver\r\n");
}
