分享64位驱动保护进程源码

[复制链接]

11

主题

0

回帖

15

积分

编程入门

Rank: 1

龙马币
40
你们的非哥 | 显示全部楼层 |阅读模式
环境:win7 64位、win8、win10

  1. SSDT HOOK NtOpenProcess // 在这一路径上的代码点做 inline hook
  2. ObRegisterCallbacks // 注册回调函数进行过滤

  3. NTSTATUS
  4. ObRegisterCallbacks (
  5. _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
  6. _Outptr_ PVOID *RegistrationHandle
  7. );


上边这是函数的原型声明。
第一个参数是注册回调的一些信息。
第二个参数返回此回调的注册句柄(RegistrationHandle):
创建一个进程会返回一个进程句柄,类似的创建一个回调会返回一个跟此回调相关的指针。

核心代码:

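/*
 * Object-manager pre-operation callback registered below for process
 * objects. It runs before a handle to a process is created or duplicated,
 * looks up the image name of the target process and, when that name
 * contains "yjx150.exe", strips PROCESS_TERMINATE / PROCESS_VM_OPERATION /
 * PROCESS_VM_READ / PROCESS_VM_WRITE from the access the caller will
 * receive. Every other request passes through unchanged.
 *
 * RegistrationContext: unused (the registration passes NULL).
 * pOperationInformation: the pending handle operation; the only field this
 *     routine writes is Parameters->CreateHandleInformation.DesiredAccess.
 * Returns OB_PREOP_SUCCESS in every case - an object callback cannot reject
 *     an operation, it can only narrow the granted access.
 *
 * NOTE(review): the registration asks for OB_OPERATION_HANDLE_DUPLICATE as
 * well, but this routine only filters OB_OPERATION_HANDLE_CREATE, so a
 * duplicated handle keeps whatever access the source handle had. It also
 * never consults pOperationInformation->KernelHandle, so kernel-mode
 * requests are narrowed exactly like user-mode ones.
 */
OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    /* Rights withheld from anyone opening the protected process. */
    const ULONG denied = PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
    char szProcName[128] = { 0 };
    const char *imageName;
    size_t i;

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* GetProcessImageNameByProcessID is defined elsewhere in this driver.
     * The original copied its result with strcpy(), which is unbounded and
     * dereferences NULL when the lookup fails - either one is a bugcheck in
     * kernel mode. Copy at most sizeof(szProcName) - 1 bytes instead. */
    imageName = GetProcessImageNameByProcessID((ULONG)pid);
    if (imageName == NULL) {
        return OB_PREOP_SUCCESS;
    }
    for (i = 0; i + 1 < sizeof(szProcName) && imageName[i] != '\0'; i++) {
        szProcName[i] = imageName[i];
    }
    szProcName[i] = '\0';

    /* strstr() is a substring test: any image name that contains
     * "yjx150.exe" (a longer name, or a path) matches. Kept as the author
     * wrote it; an exact, case-insensitive compare would be stricter. */
    if (strstr(szProcName, "yjx150.exe") == NULL) {
        return OB_PREOP_SUCCESS;
    }

    DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);

    if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) {
        /* Same rule as the original four if-blocks, written as one mask:
         * every denied bit present in the original request is removed from
         * the access that will actually be granted. */
        ULONG requested = pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess;
        pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~(requested & denied);
    }

    return OB_PREOP_SUCCESS;
}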

/* Registration handles returned by ObRegisterCallbacks(); each one must be
 * handed to ObUnRegisterCallbacks() before the driver unloads. NULL means
 * "not registered". One per registration routine below. */
HANDLE g_obHandle_callback = NULL;
HANDLE g_obHandle_callback2 = NULL;
  39. //注册保护回调
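/*
 * Registers RegProtectProcess_Callback as an object-manager pre-operation
 * filter for process handle creation and duplication. The registration
 * handle is kept in g_obHandle_callback so that the driver can pass it to
 * ObUnRegisterCallbacks() at unload; skipping that leaves the object manager
 * with a callback pointer into an unloaded image.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks(). A frequent failure is
 * STATUS_ACCESS_DENIED, which is what the call returns when the driver image
 * was not linked with /INTEGRITYCHECK.
 */
NTSTATUS RegProtectProcess_callback(void)
{
    NTSTATUS ret = 0;
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;

    /* Which object type and which handle operations the callback sees. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType; /* PsThreadType would filter thread handles instead */
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback; /* POB_PRE_OPERATION_CALLBACK */

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* Altitude orders the registered filters and must be unique on the
     * system. The original comment says the value is supposedly assigned by
     * Microsoft and that "321000" is commonly used on the net. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575");
    obregCallBack.Version = ObGetFilterVersion(); /* OB_FLT_REGISTRATION_VERSION */
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg;

    /* NtOpenProcess ends up in the callback; NtOpenThread would only be seen
     * by a PsThreadType registration. */
    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback);

    /* The original printed both values with %llx. NTSTATUS is a 32-bit LONG,
     * so that format/argument mismatch is undefined behaviour and prints
     * garbage; %p and %lx match the actual types. */
    DbgPrint("yjx:---1111-----obHandle=%p ret=0x%08lx ------RegProtectProcess_callback\n", g_obHandle_callback, (unsigned long)ret);
    return ret;
}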

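/*
 * Second registration of the same RegProtectProcess_Callback, under a
 * different altitude, with the handle kept in g_obHandle_callback2. Apart
 * from the altitude and the handle it is identical to
 * RegProtectProcess_callback(); if both routines are called, the callback
 * runs twice for every process handle operation, which is redundant but
 * harmless since it only clears bits.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks(); g_obHandle_callback2 is
 * only meaningful when that status is a success code and must be passed to
 * ObUnRegisterCallbacks() at unload.
 */
NTSTATUS RegProtectProcess2(void)
{
    NTSTATUS ret = 0;
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;

    /* Operation descriptor: process objects, handle create + duplicate. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback; /* the pre-operation callback pointer */

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    /* Altitude must be unique per registration; the original comment
     * mentions L"321000" as the value commonly seen online. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");
    obregCallBack.Version = ObGetFilterVersion();
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.RegistrationContext = NULL;
    obregCallBack.OperationRegistration = &opReg; /* points at the descriptor above */

    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2);

    /* %llx with a 32-bit NTSTATUS (as in the original) is a format mismatch;
     * %p for the handle and %lx for the status match the real types. */
    DbgPrint("yjx:---L156-----obHandle=%p ret=0x%08lx ------RegProtectProcess2\n", g_obHandle_callback2, (unsigned long)ret);
    return ret;
}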
