分享64位驱动保护进程源码

你们的非哥

环境:win7 64win8 win 10

1. SSDT HOOK NtOpenProcess //这一路径上的代码点 in line hook
   
2. ObRegisterCallbacks//注册回调函数 过滤
   
3. 
   
4. NTSTATUS
   
5. ObRegisterCallbacks (
   
6. _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,
   
7. _Outptr_ PVOID *RegistrationHandle
   
8. );

复制代码

上边这是函数定义 。
第一个参数是注册回调的一些信息。
第二个参数返回此回调的指针:
创建一个进程会返回一个进程句柄，类似的创建一个回调会返回一个跟此回调相关的指针。

核心代码：

1. OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
   
2. {
   
3. //DbgPrint("yjx:进入RegProtectProcess_Callback--------------OK---------");
   
4. HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
   
5. char szProcName[128] = { 0 };
   
6. UNREFERENCED_PARAMETER(RegistrationContext);
   
7. 
   
8. strcpy(szProcName, GetProcessImageNameByProcessID((ULONG)pid));
   
9. 
   
10. if (strstr(szProcName, "yjx150.exe"))
    
11. {
    
12. DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);
    
13. if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    
14. {
    
15. if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
    
16. {
    
17. //Terminate the process, such as by calling the user-mode TerminateProcess routine..
    
18. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
    
19. }
    
20. if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
    
21. {
    
22. //Modify the address space of the process, such as by calling the user-mode WriteProcessMemory and VirtualProtectEx routines.
    
23. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
    
24. }
    
25. if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
    
26. {
    
27. //Read to the address space of the process, such as by calling the user-mode ReadProcessMemory routine.
    
28. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
    
29. }
    
30. if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
    
31. {
    
32. //Write to the address space of the process, such as by calling the user-mode WriteProcessMemory routine.
    
33. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
    
34. }
    
35. }
    
36. }
    
37. return OB_PREOP_SUCCESS;
    
38. }
    
39. 
    
40. HANDLE g_obHandle_callback=0;
    
41. HANDLE g_obHandle_callback2= 0;
    
42. //注册保护回调
    
43. NTSTATUS RegProtectProcess_callback()
    
44. {
    
45. NTSTATUS ret = 0;
    
46. 
    
47. //LARGE_INTEGER CallbackCookie = { 0 };
    
48. OB_CALLBACK_REGISTRATION obregCallBack;
    
49. OB_OPERATION_REGISTRATION opReg;
    
50. memset(&obregCallBack, 0, sizeof(obregCallBack));
    
51. RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575"); // 据说此值需要向微软申请，网络上多用"321000"来填写
    
52. obregCallBack.Version =ObGetFilterVersion() ;//版本 OB_FLT_REGISTRATION_VERSION
    
53. obregCallBack.OperationRegistrationCount = 1; //一般为1
    
54. obregCallBack.RegistrationContext = NULL;
    
55. obregCallBack.OperationRegistration = &opReg; //
    
56. //
    
57. memset(&opReg, 0, sizeof(opReg)); //
    
58. opReg.ObjectType = PsProcessType; //是指我们要监视的对象类型 进程是PsProcessType 线程是PsThreadType
    
59. opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; //Operations 是指句柄怎么方式 是直接创建呢 还是复制句柄这里一般填OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    
60. opReg.PreOperation = RegProtectProcess_Callback;//注册回调函数(POB_PRE_OPERATION_CALLBACK)
    
61. //保护自身进程对象不被打开
    
62. ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback); //NtOpenProcess 会走入回调中NtOpenThread会进入 PsThreadType
    
63. //protectProcessCallback
    
64. //卸载用ObUnRegisterCallbacks(obHandle);
    
65. DbgPrint("yjx:---1111-----obHandle=%llx ret=%llx ------RegProtectProcess_callback\n", g_obHandle_callback,ret);
    
66. return ret;
    
67. }
    
68. 
    
69. NTSTATUS RegProtectProcess2()
    
70. {
    
71. 
    
72. OB_CALLBACK_REGISTRATION obregCallBack;
    
73. OB_OPERATION_REGISTRATION opReg;
    
74. 
    
75. memset(&obregCallBack, 0, sizeof(obregCallBack));
    
76. RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");// L"321000";
    
77. obregCallBack.Version = ObGetFilterVersion();
    
78. obregCallBack.OperationRegistrationCount = 1;
    
79. obregCallBack.RegistrationContext = NULL;
    
80. obregCallBack.OperationRegistration = &opReg; //注意这一条语句
    
81. 
    
82. //下面请注意这个结构体的成员字段的设置
    
83. memset(&opReg, 0, sizeof(opReg)); //初始化结构体变量
    
84. opReg.ObjectType = PsProcessType;
    
85. opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    
86. opReg.PreOperation = RegProtectProcess_Callback; //在这里注册一个回调函数指针
    
87. NTSTATUS ret= ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2); //在这里注册回调函数
    
88. DbgPrint("yjx:---L156-----obHandle=%llx ret=%llx ------RegProtectProcess2\n", g_obHandle_callback2, ret);
    
89. return ret;
    
90. }

复制代码