// ---- Driver.h ----
#ifdef __cplusplus
extern "C" {
#endif
#include <ntddk.h>

// Driver entry point. Kept inside the extern "C" block so the symbol is not
// name-mangled when this header is consumed from Driver.cpp (C++).
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
#ifdef __cplusplus
}
#endif

// Section-placement helpers, used as "#pragma PAGEDCODE" etc. ahead of a
// definition: "PAGE" is the pageable section, "INIT" the initialization
// section, and the empty form selects the default (non-paged) section.
#define PAGEDCODE   code_seg("PAGE")
#define LOCKEDCODE  code_seg()
#define INITCODE    code_seg("INIT")
#define PAGEDDATA   data_seg("PAGE")
#define LOCKEDDATA  data_seg()
#define INITDATA    data_seg("INIT")

// Element count of a true array object (not valid on a pointer).
#define arraysize(p) (sizeof(p) / sizeof((p)[0]))

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);
// Signature of an object type's security procedure — the per-type callback
// the kernel invokes for security-descriptor operations on objects of that
// type. This mirrors an undocumented kernel callback; Driver.cpp uses it
// both to save the original pointer (g_pfnSecurityProcedure) and to declare
// the replacement (MySecurityProcedure).
typedef NTSTATUS (*OB_SECURITY_METHOD)(
    IN PVOID Object,                                  // object body; Driver.cpp casts it to PEPROCESS
    IN SECURITY_OPERATION_CODE OperationCode,         // which security operation is being performed
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN PVOID unknown                                  // NOTE(review): meaning not known; forwarded untouched
    );
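// Creation-time attributes of an object, reachable from OBJECT_HEADER while
// the object is being created. This is an undocumented, version-specific
// layout reproduced from the kernel: field order and types must match the
// kernel build being targeted, and nothing here verifies that.
typedef struct _OBJECT_CREATE_INFORMATION {
    ULONG Attributes;
    HANDLE RootDirectory;
    PVOID ParseContext;
    KPROCESSOR_MODE ProbeMode;
    ULONG PagedPoolCharge;
    ULONG NonPagedPoolCharge;
    ULONG SecurityDescriptorCharge;
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    PSECURITY_QUALITY_OF_SERVICE SecurityQos;
    SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
} OBJECT_CREATE_INFORMATION, *POBJECT_CREATE_INFORMATION;   // pointer typedef folded in; drops the stray ";;"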
// Header that precedes a kernel object body. Undocumented, version-specific
// layout reproduced from the kernel; field order and types must match the
// target kernel build exactly.
//
// NOTE(review): the visible Driver.cpp never uses this structure — it
// patches *PsProcessType at raw numeric offsets instead — so this layout is
// not what the hook's correctness depends on.
typedef struct _OBJECT_HEADER {
    LONG_PTR PointerCount;                  // reference count
    union {
        LONG_PTR HandleCount;               // open-handle count
        PVOID NextToFree;
    };
    POBJECT_TYPE Type;                      // object type this object belongs to
    UCHAR NameInfoOffset;                   // NOTE(review): presumably offsets to optional
    UCHAR HandleInfoOffset;                 //   info blocks placed ahead of the header — confirm
    UCHAR QuotaInfoOffset;
    UCHAR Flags;
    union {
        POBJECT_CREATE_INFORMATION ObjectCreateInfo;
        PVOID QuotaBlockCharged;
    };
    PSECURITY_DESCRIPTOR SecurityDescriptor;
    QUAD Body;                              // start of the object body; anchor for OBJECT_TO_OBJECT_HEADER
} OBJECT_HEADER, *POBJECT_HEADER;
// Recover the OBJECT_HEADER from an object-body pointer by subtracting
// offsetof(OBJECT_HEADER, Body) from it.
#define OBJECT_TO_OBJECT_HEADER(o) CONTAINING_RECORD((o), OBJECT_HEADER, Body)

// Exported but not in the public headers: returns the image file name stored
// in the EPROCESS. NOTE(review): commonly described as a short, truncated
// name buffer rather than the full path — confirm for the target kernel.
EXTERN_C NTKERNELAPI UCHAR *PsGetProcessImageFileName(__in PEPROCESS Process);

// Installs (TRUE) or removes (FALSE) the process-type security-procedure hook.
void HandleObjectHook(BOOLEAN bHook);
// ---- Driver.cpp ----
#include "Driver.h"

// Original security procedure of the process object type, captured by
// HandleObjectHook(TRUE) and forwarded to by MySecurityProcedure. Stays NULL
// until the hook has been installed.
OB_SECURITY_METHOD g_pfnSecurityProcedure = NULL;
// Re-enables kernel write protection: sets CR0 bit 16 (WP) and then
// re-enables maskable interrupts with sti. MSVC __asm blocks are x86-only.
//
// NOTE(review): cli/sti act on the executing processor only; nothing here
// keeps the thread on that processor or stops other processors.
// NOTE(review): neither PageProtectOn nor PageProtectOff is called anywhere
// in this listing — HandleObjectHook writes the type object directly.
void PageProtectOn()
{
    // restore memory protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h      // set CR0.WP (bit 16)
        mov cr0, eax
        sti                 // re-enable interrupts disabled by PageProtectOff
    }
}
// Disables kernel write protection on the current processor: masks
// interrupts with cli, then clears CR0 bit 16 (WP). Counterpart of
// PageProtectOn(), which is expected to follow on the same processor.
// MSVC __asm blocks are x86-only.
//
// NOTE(review): this only affects the executing processor and is not called
// anywhere in this listing.
void PageProtectOff()
{
    // remove memory protection
    __asm
    {
        cli                 // mask interrupts until PageProtectOn runs sti
        mov eax, cr0
        and eax, not 10000h // clear CR0.WP (bit 16)
        mov cr0, eax
    }
}
// Replacement security procedure for the process object type, installed by
// HandleObjectHook(TRUE). Because it replaces the type-wide callback, every
// security-descriptor operation on any process object is routed through
// here. Parameters are those of OB_SECURITY_METHOD (Driver.h).
//
// Behaviour: if the target process's image file name compares equal,
// case-insensitively, to "calc.exe", the operation fails with
// STATUS_INVALID_PARAMETER; otherwise the call is forwarded unchanged to the
// saved original procedure.
//
// NOTE(review): OperationCode is never consulted, so query operations on the
// matched process fail just like set/assign/delete ones.
// NOTE(review): the match is on the image file name only — any process
// carrying that name is treated as the protected one. It identifies a
// process by name, it does not authenticate it.
// NOTE(review): if g_pfnSecurityProcedure is still NULL (hook never
// installed) the forwarding call at the end dereferences a null function
// pointer; nothing here checks it.
// NOTE(review): "%08x" with pointer arguments assumes 32-bit pointers,
// consistent with the (ULONG) casts in HandleObjectHook; "%p" would be the
// width-independent form.
NTSTATUS MySecurityProcedure(
    IN PVOID Object,                                  // process object body
    IN SECURITY_OPERATION_CODE OperationCode,         // not examined; forwarded as-is
    IN PSECURITY_INFORMATION SecurityInformation,
    IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
    IN OUT PULONG CapturedLength,
    IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
    IN POOL_TYPE PoolType,
    IN PGENERIC_MAPPING GenericMapping,
    IN PVOID unknown
    )
{
    KdPrint(("Current Eprocess: 0x%08x Object:0x%08x\n", IoGetCurrentProcess(), Object));
    // Object is the body of the process object, i.e. the EPROCESS itself.
    PUCHAR pTargetName = PsGetProcessImageFileName((PEPROCESS)Object);
    if (_stricmp((const char *)pTargetName, "calc.exe") == 0)
    {
        // Refuse every operation for the matched process.
        return STATUS_INVALID_PARAMETER;
    }
    // Everything else goes to the original procedure untouched.
    return g_pfnSecurityProcedure(
        Object,
        OperationCode,
        SecurityInformation,
        SecurityDescriptor,
        CapturedLength,
        ObjectsSecurityDescriptor,
        PoolType,
        GenericMapping,
        unknown);
}
// Installs (bHook == TRUE) or removes (bHook == FALSE) the security-procedure
// hook on the process object type by overwriting a function pointer inside
// the type object that *PsProcessType points to.
//
// Both offsets are hard-coded: +0x60 is taken to be what the code calls the
// type info block and +0x40 within it the security-procedure slot. Neither
// comes from a header nor is checked at run time, so on a kernel build with
// a different layout the store lands on unrelated kernel memory. The (ULONG)
// pointer casts additionally restrict this to 32-bit kernels.
//
// NOTE(review): no guard against calling TRUE twice — the second call saves
// MySecurityProcedure itself as the "original", so the hook would forward
// to itself.
// NOTE(review): no guard against FALSE before TRUE — g_pfnSecurityProcedure
// is still NULL and would be written into the slot.
// NOTE(review): the swap is a plain, unsynchronised store with nothing
// ordering it against concurrent users of the slot.
// NOTE(review): a patched type-object callback no longer points into the
// kernel image, which is what integrity checks of these tables look for.
void HandleObjectHook(BOOLEAN bHook)
{
    PVOID pTypeInfo = (PVOID)((ULONG)*PsProcessType + 0x60);   // assumed type info block
    if (bHook)
    {
        // Save the current procedure, then replace it with ours.
        g_pfnSecurityProcedure = (OB_SECURITY_METHOD)*(PULONG)((ULONG)pTypeInfo + 0x40);
        *(PULONG)((ULONG)pTypeInfo + 0x40) = (ULONG)MySecurityProcedure;
    }
    else
    {
        // Put back whatever was saved at install time.
        *(PULONG)((ULONG)pTypeInfo + 0x40) = (ULONG)g_pfnSecurityProcedure;
    }
}
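#pragma INITCODE
// Driver entry point: installs the process-type security-procedure hook and
// registers DriverUnload. RegistryPath is unused. Always reports success —
// HandleObjectHook returns nothing, so a failed or misplaced patch cannot be
// detected here.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    (void)RegistryPath;   // unused parameter; plain cast avoids a macro dependency
    HandleObjectHook(TRUE);
    DriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}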
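#pragma PAGEDCODE
// Unload routine: restores the original security procedure and logs.
// DriverObject is unused.
//
// NOTE(review): nothing here waits for calls already inside
// MySecurityProcedure to return before the image goes away, so a call in
// flight during unload may still be executing driver code afterwards.
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    (void)DriverObject;   // unused parameter
    HandleObjectHook(FALSE);
    KdPrint(("DriverEntry unLoading...\n"));
}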