- #include "ntddk.h"
- #define PAGEDCODE code_seg("PAGE")
- #define LOCKEDCODE code_seg()
- #define INITCODE code_seg("INIT")
- #define PAGEDDATA data_seg("PAGE")
- #define LOCKEDDATA data_seg()
- #define INITDATA data_seg("INIT")
#pragma pack(1)
/*
 * One entry of the ntoskrnl System Service Descriptor Table (SSDT), laid out
 * for the 32-bit kernel: handler addresses are stored as unsigned int, which
 * is why HookNtOpenProcess casts a function pointer to unsigned int below.
 * ServiceTableBase maps a system-call index to the handler's address.
 */
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;          /* index -> address of the service routine */
    unsigned int *ServiceCounterTableBase;   /* only used on checked builds */
    unsigned int NumberOfServices;           /* number of entries in ServiceTableBase */
    unsigned char *ParamTableBase;           /* presumably per-service argument sizes; not used here */
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
/*
 * Resolved against the kernel's export of the same name.
 * NOTE(review): only 32-bit kernels export this symbol; on x64 the table is
 * not exported and Kernel Patch Protection reports modifications to it.
 */
__declspec (dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
/* Address of the original NtOpenProcess service, saved by HookNtOpenProcess,
 * called through by NewNtOpenProcess and written back by UnHookOpenProcess.
 * 0 until the hook is installed. */
ULONG g_ntopenprocess;
/* Signature of the original service, used to call through g_ntopenprocess. */
typedef NTSTATUS (*pNtOpenProcess) (
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
    );
/* Local prototype. On success *Process holds a referenced EPROCESS that the
 * caller must release with ObDereferenceObject (see ProtectProcess). */
NTSTATUS PsLookupProcessByProcessId(
    IN HANDLE ProcessId,
    OUT PEPROCESS *Process
    );
/*
 * Re-enable kernel write protection after a patch of read-only memory:
 * sets CR0.WP (bit 16, 0x10000) and then executes sti.
 *
 * NOTE(review): sti re-enables interrupts unconditionally, even if the caller
 * had them disabled before PageProtectOff(); cli/sti and the CR0 write also
 * act on the current processor only, so other CPUs are unaffected.
 * 32-bit MSVC inline assembly; does not build for x64.
 */
void PageProtectOn()
{
    // restore memory protection
    __asm
    {
        mov eax, cr0
        or eax, 10000h      // set the WP bit
        mov cr0, eax
        sti                 // interrupts back on
    }
}
/*
 * Disable kernel write protection so that a write to a read-only page (here
 * the SSDT) does not fault: clears CR0.WP (bit 16, 0x10000) after cli, so the
 * current processor is not interrupted between the two CR0 accesses.
 *
 * NOTE(review): must be paired with PageProtectOn() on every path; while WP
 * is clear, any stray kernel write to read-only memory silently succeeds.
 * Toggling CR0.WP from a driver is unsupported and is one of the signals
 * anti-rootkit and kernel-integrity tooling looks for. 32-bit only.
 */
void PageProtectOff()
{
    // remove memory protection
    __asm
    {
        cli                 // no interrupts while WP is being cleared
        mov eax, cr0
        and eax, not 10000h // clear the WP bit
        mov cr0, eax
    }
}
/*
 * Return TRUE when the process identified by ProcessId has an image file name
 * equal to strProtectObjName, FALSE otherwise (including for ProcessId 0, an
 * unmapped strProtectObjName pointer, or a failed process lookup).
 *
 * The name is read with strcmp from (UCHAR *)process_obj + 0x174, i.e. a
 * hard-coded byte offset into the opaque EPROCESS structure.
 * NOTE(review): 0x174 is presumably EPROCESS.ImageFileName for one specific
 * 32-bit kernel build. EPROCESS layout changes between Windows versions and
 * the compare is unbounded, so on another build this reads unrelated memory
 * and compares garbage. Confirm against the target build, or read the name
 * through the exported PsGetProcessImageFileName accessor instead.
 *
 * MmIsAddressValid only tells whether a read at that address would fault at
 * this instant; it is not a substitute for validating a user-mode pointer.
 * The only caller passes a string literal, so the check is a no-op here.
 *
 * The EPROCESS reference returned by PsLookupProcessByProcessId is released
 * on both return paths.
 */
BOOLEAN ProtectProcess(HANDLE ProcessId, char* strProtectObjName)
{
    NTSTATUS Status;
    PEPROCESS process_obj;
    if (!MmIsAddressValid(strProtectObjName))
    {
        return FALSE;
    }

    if (ProcessId == 0)
    {
        return FALSE;
    }
    Status = PsLookupProcessByProcessId(ProcessId, &process_obj);
    if (!NT_SUCCESS(Status))
    {
        KdPrint(("error code:%X", Status));
        return FALSE;
    }
    /* Unbounded compare against a version-specific offset; see note above. */
    if (strcmp((UCHAR *)process_obj + 0x174, strProtectObjName) == 0)
    {
        ObDereferenceObject(process_obj);
        return TRUE;
    }

    ObDereferenceObject(process_obj);
    return FALSE;
}
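/*
 * Replacement for the NtOpenProcess system service installed by
 * HookNtOpenProcess. Fails with STATUS_UNSUCCESSFUL any open of a process
 * whose image file name is "notepad.exe" (as decided by ProtectProcess) and
 * forwards every other call to the original handler saved in g_ntopenprocess.
 *
 * ClientId is __in_opt: NtOpenProcess may be called with a NULL ClientId when
 * the target is named through ObjectAttributes, and the original code
 * dereferenced it unconditionally, which faults in kernel mode. When the
 * previous mode is UserMode the pointer is also caller-controlled user
 * memory, so it is probed and read under SEH the way the real service does;
 * a bad pointer then yields the exception status instead of a bugcheck.
 * Kernel-mode callers (Zw* from other drivers) pass kernel addresses, which
 * ProbeForRead would reject, so those are read directly.
 *
 * ProcessHandle, DesiredAccess and ObjectAttributes are passed through
 * untouched.
 */
NTSTATUS NewNtOpenProcess (
    __out PHANDLE ProcessHandle,
    __in ACCESS_MASK DesiredAccess,
    __in POBJECT_ATTRIBUTES ObjectAttributes,
    __in_opt PCLIENT_ID ClientId
    )
{
    HANDLE targetPid = NULL;

    if (ClientId != NULL)
    {
        if (ExGetPreviousMode() == UserMode)
        {
            /* ClientId points into the caller's address space. */
            __try
            {
                ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(PVOID));
                targetPid = ClientId->UniqueProcess;
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                return GetExceptionCode();
            }
        }
        else
        {
            targetPid = ClientId->UniqueProcess;
        }
    }

    /* No ClientId means no PID to check; ProtectProcess also rejects PID 0. */
    if (targetPid != NULL && ProtectProcess(targetPid, "notepad.exe"))
    {
        KdPrint(("Procect comming!...."));
        return STATUS_UNSUCCESSFUL;
    }

    return ((pNtOpenProcess)g_ntopenprocess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}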
- #pragma PAGEDCODE
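/*
 * Install NewNtOpenProcess in the SSDT slot of NtOpenProcess and remember the
 * original handler in g_ntopenprocess.
 *
 * Returns STATUS_SUCCESS (also when the hook is already installed, so a
 * second call does not overwrite the saved original with our own address),
 * or STATUS_UNSUCCESSFUL when the hard-coded slot index lies outside
 * KeServiceDescriptorTable.NumberOfServices; the table is then left
 * untouched and g_ntopenprocess stays 0.
 *
 * NOTE(review): 122 is the NtOpenProcess service number of one specific
 * 32-bit kernel build; service numbers differ between Windows versions, so
 * on another build this patches a different system call. The bound check
 * only keeps the write inside the table, it cannot verify that slot 122 is
 * NtOpenProcess. The table write is not atomic with respect to other CPUs.
 * SSDT patching is unsupported by Microsoft; on x64 the table is not
 * exported and Kernel Patch Protection reports such modifications.
 */
NTSTATUS HookNtOpenProcess()
{
    const unsigned int index = 122;

    if (g_ntopenprocess != 0)
    {
        /* Already hooked; saving again would lose the real original. */
        return STATUS_SUCCESS;
    }

    if (index >= KeServiceDescriptorTable.NumberOfServices)
    {
        KdPrint(("HookNtOpenProcess: service index %u out of range (%u services)\n",
                 index, KeServiceDescriptorTable.NumberOfServices));
        return STATUS_UNSUCCESSFUL;
    }

    PageProtectOff();

    g_ntopenprocess = KeServiceDescriptorTable.ServiceTableBase[index];
    /* 32-bit only: the table stores handler addresses as unsigned int. */
    KeServiceDescriptorTable.ServiceTableBase[index] = (unsigned int )NewNtOpenProcess;

    PageProtectOn();

    return STATUS_SUCCESS;
}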
- #pragma PAGEDCODE
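/*
 * Restore the original NtOpenProcess handler saved by HookNtOpenProcess.
 *
 * Does nothing when g_ntopenprocess is still 0, i.e. the hook was never
 * installed or HookNtOpenProcess failed. The original code wrote the value
 * back unconditionally, which in that case stored 0 into the SSDT slot and
 * turned every later NtOpenProcess call into a jump to address 0.
 * g_ntopenprocess is cleared afterwards so a repeated call is a no-op.
 *
 * NOTE(review): a thread that is still executing NewNtOpenProcess when the
 * driver image is unmapped crashes the system; nothing here waits for such
 * in-flight calls to drain. The slot index 122 must match HookNtOpenProcess.
 */
void UnHookOpenProcess()
{
    if (g_ntopenprocess == 0)
    {
        return;
    }

    PageProtectOff();
    KeServiceDescriptorTable.ServiceTableBase[122] = g_ntopenprocess;
    PageProtectOn();

    g_ntopenprocess = 0;
}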
- #pragma PAGEDCODE
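/*
 * DriverUnload routine registered by DriverEntry: logs, then removes the
 * NtOpenProcess hook so the SSDT no longer points into this image.
 *
 * pDriverObject is not needed; it is marked unreferenced so /W4 builds stay
 * warning-free.
 */
VOID MyDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    KdPrint(("DriverEntry unLoading...\n"));
    UnHookOpenProcess();
}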
- #pragma INITCODE
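/*
 * Driver entry point: registers the unload routine and installs the
 * NtOpenProcess hook.
 *
 * Returns the status of HookNtOpenProcess. The original code discarded that
 * status and always returned STATUS_SUCCESS, so a failed hook would have
 * left the driver loaded with nothing installed. Returning a failure makes
 * the I/O manager unload the image (DriverUnload is not invoked in that
 * case, and nothing needs undoing).
 *
 * RegistryPath is unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);

    pDriverObject->DriverUnload = MyDriverUnload;

    status = HookNtOpenProcess();
    if (!NT_SUCCESS(status))
    {
        KdPrint(("DriverEntry: HookNtOpenProcess failed, status 0x%lX\n", status));
    }

    return status;
}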