你们的非哥 发表于 2021-5-4 16:12:25

分享64位驱动保护进程源码

环境：Win7 64位、Win8、Win10

SSDT HOOK NtOpenProcess // 对这一路径上的代码点做 inline hook
ObRegisterCallbacks // 注册回调函数进行过滤

NTSTATUS
ObRegisterCallbacks (
_In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
_Outptr_ PVOID *RegistrationHandle
);

上边这是函数定义 。
第一个参数是注册回调的一些信息。
第二个参数返回此回调的指针:
创建一个进程会返回一个进程句柄,类似的创建一个回调会返回一个跟此回调相关的指针。

核心代码:

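/*
 * Pre-operation callback registered through ObRegisterCallbacks for
 * PsProcessType. The Object Manager calls it before a handle to a process is
 * created or duplicated. When the target process image name contains
 * "yjx150.exe", the rights that would allow terminating the process or
 * reading/writing/remapping its address space are removed from the access the
 * caller will actually receive; every other request passes through unchanged.
 *
 * RegistrationContext: unused (the registration passes NULL).
 * pOperationInformation: supplied by the Object Manager. Object is the target
 *                        EPROCESS, Operation says whether this is a create or
 *                        a duplicate, and Parameters carries the matching
 *                        CreateHandleInformation / DuplicateHandleInformation.
 * Returns OB_PREOP_SUCCESS in all cases: a pre-operation callback cannot fail
 * the request, it can only narrow DesiredAccess.
 */
OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    /* Rights that let another process kill the protected process or touch its
     * memory (TerminateProcess, VirtualProtectEx, ReadProcessMemory,
     * WriteProcessMemory). */
    const ACCESS_MASK protectedRights = PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    /* Buffer size is a constructed value (MAX_PATH-sized); the original
     * declared a single char here, so strcpy into it overflowed. */
    enum { PROC_NAME_BUF = 260 };
    char szProcName[PROC_NAME_BUF] = { 0 };
    HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* The lookup helper is defined elsewhere; guard against it returning NULL
     * so strlen/strstr never run on a null pointer. */
    const char *imageName = GetProcessImageNameByProcessID((ULONG)pid);
    if (imageName == NULL)
    {
        return OB_PREOP_SUCCESS;
    }

    /* Bounded copy with truncation; the buffer is zero-initialised so it stays
     * NUL-terminated even when the name is cut short. */
    size_t nameLen = strlen(imageName);
    if (nameLen >= sizeof szProcName)
    {
        nameLen = sizeof szProcName - 1;
    }
    memcpy(szProcName, imageName, nameLen);

    /* Substring match as in the original; any image whose name contains the
     * token is treated as protected. */
    if (strstr(szProcName, "yjx150.exe") == NULL)
    {
        return OB_PREOP_SUCCESS;
    }

    DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);

    /* NOTE(review): requests with KernelHandle set are not exempted here;
     * confirm whether kernel-mode opens should also be narrowed. */
    switch (pOperationInformation->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        /* Clearing the bits unconditionally is equivalent to the original
         * per-bit test against OriginalDesiredAccess followed by a clear. */
        pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~protectedRights;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* The registration asks for duplicate notifications too; without this
         * branch a duplicated handle kept every right that was requested. */
        pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~protectedRights;
        break;
    default:
        break;
    }

    return OB_PREOP_SUCCESS;
}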

/* Registration handles filled in by ObRegisterCallbacks; each one is what
 * ObUnRegisterCallbacks needs when the driver unloads. */
HANDLE g_obHandle_callback = NULL;
HANDLE g_obHandle_callback2 = NULL;
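/*
 * Registers RegProtectProcess_Callback as a pre-operation callback for process
 * handle create and duplicate requests and stores the registration handle in
 * g_obHandle_callback for a later ObUnRegisterCallbacks call.
 *
 * Returns the NTSTATUS produced by ObRegisterCallbacks.
 */
NTSTATUS RegProtectProcess_callback(void)
{
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;

    /* One operation entry: which object type to watch, which handle operations
     * (direct creation and duplication), and the routine to run before them. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;   /* process objects; PsThreadType would watch threads */
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback;

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* The original notes that an altitude is supposed to be requested from
     * Microsoft and that "321000" is commonly used instead. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575");
    obregCallBack.Version = ObGetFilterVersion();   /* OB_FLT_REGISTRATION_VERSION */
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg;

    /* NtOpenProcess-style requests reach the callback through PsProcessType;
     * thread opens would need a PsThreadType registration. */
    NTSTATUS ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback);

    /* %p for the HANDLE and %08lx for the 32-bit NTSTATUS; the original used
     * %llx for both, which does not match the argument widths. */
    DbgPrint("yjx:---1111-----obHandle=%p ret=%08lx ------RegProtectProcess_callback\n", g_obHandle_callback, (ULONG)ret);
    return ret;
}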

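/*
 * Second registration of the same RegProtectProcess_Callback, under a
 * different altitude, with the handle stored in g_obHandle_callback2. If both
 * RegProtectProcess_callback and this routine are called, the callback runs
 * twice for every process handle request.
 *
 * Returns the NTSTATUS produced by ObRegisterCallbacks.
 */
NTSTATUS RegProtectProcess2(void)
{
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;

    /* Operation entry: process objects, create + duplicate, pre-op routine. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback;

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");   /* original alternative: L"321000" */
    obregCallBack.Version = ObGetFilterVersion();
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg;   /* must point at the entry above */

    NTSTATUS ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2);

    /* %p for the HANDLE and %08lx for the 32-bit NTSTATUS; the original %llx
     * for both mismatched the argument widths. */
    DbgPrint("yjx:---L156-----obHandle=%p ret=%08lx ------RegProtectProcess2\n", g_obHandle_callback2, (ULONG)ret);
    return ret;
}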