Win7 x64下进程保护与文件保护(ObRegisterCallbacks)
进程保护部分参考 http://bbs.pediy.com/showthread.php?t=168023
进程保护,在任务管理器不能结束进程
#ifndef CXX_PROTECTPROCESSX64_H #define CXX_PROTECTPROCESSX64_H #include <ntifs.h> #define PROCESS_TERMINATE 0x0001 #define PROCESS_VM_OPERATION 0x0008 #define PROCESS_VM_READ 0x0010 #define PROCESS_VM_WRITE 0x0020 NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString); VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj); typedef struct _LDR_DATA_TABLE_ENTRY64 { LIST_ENTRY64 InLoadOrderLinks; LIST_ENTRY64 InMemoryOrderLinks; LIST_ENTRY64 InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; PVOID SectionPointer; ULONG CheckSum; PVOID LoadedImports; PVOID EntryPointActivationContext; PVOID PatchInformation; LIST_ENTRY64 ForwarderLinks; LIST_ENTRY64 ServiceTagLinks; LIST_ENTRY64 StaticLinks; PVOID ContextInformation; ULONG64 OriginalBase; LARGE_INTEGER LoadTime; } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64; extern UCHAR * PsGetProcessImageFileName( __in PEPROCESS Process ); char* GetProcessImageNameByProcessID(ULONG ulProcessID); NTSTATUS ProtectProcess(BOOLEAN Enable); OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation); #endif #ifndef CXX_PROTECTPROCESSX64_H # include "ProtectProcessx64.h" #endif PVOID obHandle;//定义一个void*类型的变量,它将会作为ObRegisterCallbacks函数的第二个参数。 NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString) { NTSTATUS status = STATUS_SUCCESS; PLDR_DATA_TABLE_ENTRY64 ldr; pDriverObj->DriverUnload = DriverUnload; // 绕过MmVerifyCallbackFunction。 ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection; ldr->Flags |= 0x20; ProtectProcess(TRUE); return STATUS_SUCCESS; } NTSTATUS ProtectProcess(BOOLEAN Enable) { OB_CALLBACK_REGISTRATION obReg; OB_OPERATION_REGISTRATION opReg; memset(&obReg, 0, sizeof(obReg)); obReg.Version = ObGetFilterVersion(); obReg.OperationRegistrationCount = 1; obReg.RegistrationContext = NULL; RtlInitUnicodeString(&obReg.Altitude, L"321000"); memset(&opReg, 0, sizeof(opReg)); //初始化结构体变量 //下面请注意这个结构体的成员字段的设置 opReg.ObjectType = PsProcessType; opReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE; opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall; //在这里注册一个回调函数指针 obReg.OperationRegistration = &opReg; //注意这一条语句 return ObRegisterCallbacks(&obReg, &obHandle); //在这里注册回调函数 } OB_PREOP_CALLBACK_STATUS preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation) { HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object); char szProcName[16]={0}; UNREFERENCED_PARAMETER(RegistrationContext); strcpy(szProcName,GetProcessImageNameByProcessID((ULONG)pid)); if( !_stricmp(szProcName,"calc.exe") ) { if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) { if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE) { //Terminate the process, such as by calling the user-mode TerminateProcess routine.. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE; } if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION) { //Modify the address space of the process, such as by calling the user-mode WriteProcessMemory and VirtualProtectEx routines. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION; } if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ) { //Read to the address space of the process, such as by calling the user-mode ReadProcessMemory routine. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ; } if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE) { //Write to the address space of the process, such as by calling the user-mode WriteProcessMemory routine. pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE; } } } return OB_PREOP_SUCCESS; } /* OpenProcess 会一直走入回调中 直接蓝屏 char* GetProcessImageNameByProcessID(ULONG ulProcessID) { CLIENT_ID Cid; HANDLE hProcess; NTSTATUS Status; OBJECT_ATTRIBUTES oa; PEPROCESS EProcess = NULL; Cid.UniqueProcess = (HANDLE)ulProcessID; Cid.UniqueThread = 0; InitializeObjectAttributes(&oa,0,0,0,0); Status = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&Cid); //hProcess //强打开进程获得句柄 if (!NT_SUCCESS(Status)) { return FALSE; } Status = ObReferenceObjectByHandle(hProcess,FILE_READ_DATA,0, KernelMode,&EProcess, 0); //通过句柄括获取EProcess if (!NT_SUCCESS(Status)) { ZwClose(hProcess); return FALSE; } ObDereferenceObject(EProcess); //最好判断 ZwClose(hProcess); //通过EProcess获得进程名称 return (char*)PsGetProcessImageFileName(EProcess); } */ char* GetProcessImageNameByProcessID(ULONG ulProcessID) { NTSTATUS Status; PEPROCESS EProcess = NULL; Status = PsLookupProcessByProcessId((HANDLE)ulProcessID,&EProcess); //EPROCESS //通过句柄获取EProcess if (!NT_SUCCESS(Status)) { return FALSE; } ObDereferenceObject(EProcess); //通过EProcess获得进程名称 return (char*)PsGetProcessImageFileName(EProcess); } VOID DriverUnload(IN PDRIVER_OBJECT pDriverObj) { UNREFERENCED_PARAMETER(pDriverObj); DbgPrint("driver unloading...\n"); ObUnRegisterCallbacks(obHandle); //obHandle是上面定义的 PVOID obHandle; }
我们使用任务管理器结束进程
结果是不能关闭的
文件保护
#ifndef CXX_FILEPROTECTX64_H #define CXX_FILEPROTECTX64_H #include <ntifs.h> #include <devioctl.h> NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath); VOID UnloadDriver(PDRIVER_OBJECT DriverObject); typedef struct _LDR_DATA_TABLE_ENTRY64 { LIST_ENTRY64 InLoadOrderLinks; LIST_ENTRY64 InMemoryOrderLinks; LIST_ENTRY64 InInitializationOrderLinks; PVOID DllBase; PVOID EntryPoint; ULONG SizeOfImage; UNICODE_STRING FullDllName; UNICODE_STRING BaseDllName; ULONG Flags; USHORT LoadCount; USHORT TlsIndex; PVOID SectionPointer; ULONG CheckSum; PVOID LoadedImports; PVOID EntryPointActivationContext; PVOID PatchInformation; LIST_ENTRY64 ForwarderLinks; LIST_ENTRY64 ServiceTagLinks; LIST_ENTRY64 StaticLinks; PVOID ContextInformation; ULONG64 OriginalBase; LARGE_INTEGER LoadTime; } LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64; typedef struct _OBJECT_TYPE_INITIALIZER { UINT16 Length; union { UINT8 ObjectTypeFlags; struct { UINT8 CaseInsensitive : 1; UINT8 UnnamedObjectsOnly : 1; UINT8 UseDefaultObject : 1; UINT8 SecurityRequired : 1; UINT8 MaintainHandleCount : 1; UINT8 MaintainTypeList : 1; UINT8 SupportsObjectCallbacks : 1; }; }; ULONG32 ObjectTypeCode; ULONG32 InvalidAttributes; struct _GENERIC_MAPPING GenericMapping; ULONG32 ValidAccessMask; ULONG32 RetainAccess; enum _POOL_TYPE PoolType; ULONG32 DefaultPagedPoolCharge; ULONG32 DefaultNonPagedPoolCharge; PVOID DumpProcedure; PVOID OpenProcedure; PVOID CloseProcedure; PVOID DeleteProcedure; PVOID ParseProcedure; PVOID SecurityProcedure; PVOID QueryNameProcedure; PVOID OkayToCloseProcedure; }OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER; typedef struct _OBJECT_TYPE_TEMP { struct _LIST_ENTRY TypeList; struct _UNICODE_STRING Name; VOID* DefaultObject; UINT8 Index; UINT8 _PADDING0_[0x3]; ULONG32 TotalNumberOfObjects; ULONG32 TotalNumberOfHandles; ULONG32 HighWaterNumberOfObjects; ULONG32 HighWaterNumberOfHandles; UINT8 _PADDING1_[0x4]; struct _OBJECT_TYPE_INITIALIZER TypeInfo; ULONG64 TypeLock; ULONG32 Key; UINT8 _PADDING2_[0x4]; struct _LIST_ENTRY CallbackList; }OBJECT_TYPE_TEMP, *POBJECT_TYPE_TEMP; VOID EnableObType(POBJECT_TYPE ObjectType); UNICODE_STRING GetFilePathByFileObject(PVOID FileObject); OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation); NTSTATUS ProtectFileByObRegisterCallbacks(); #endif
#ifndef CXX_FILEPROTECTX64_H # include "FileProtectX64.h" #endif PVOID CallBackHandle = NULL; NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath) { PLDR_DATA_TABLE_ENTRY64 ldr; DriverObject->DriverUnload = UnloadDriver; ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection; ldr->Flags |= 0x20; ProtectFileByObRegisterCallbacks(); return STATUS_SUCCESS; } NTSTATUS ProtectFileByObRegisterCallbacks() { OB_CALLBACK_REGISTRATION CallBackReg; OB_OPERATION_REGISTRATION OperationReg; NTSTATUS Status; EnableObType(*IoFileObjectType); //开启文件对象回调 memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION)); CallBackReg.Version = ObGetFilterVersion(); CallBackReg.OperationRegistrationCount = 1; CallBackReg.RegistrationContext = NULL; RtlInitUnicodeString(&CallBackReg.Altitude, L"321000"); memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION)); //初始化结构体变量 OperationReg.ObjectType = IoFileObjectType; OperationReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE; OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack; //在这里注册一个回调函数指针 CallBackReg.OperationRegistration = &OperationReg; //注意这一条语句 将结构体信息放入大结构体 Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle); if (!NT_SUCCESS(Status)) { Status = STATUS_UNSUCCESSFUL; } else { Status = STATUS_SUCCESS; } return Status; } OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) { UNICODE_STRING uniDosName; UNICODE_STRING uniFilePath; PFILE_OBJECT FileObject = (PFILE_OBJECT)OperationInformation->Object; HANDLE CurrentProcessId = PsGetCurrentProcessId(); if( OperationInformation->ObjectType!=*IoFileObjectType) { return OB_PREOP_SUCCESS; } //过滤无效指针 if( FileObject->FileName.Buffer==NULL || !MmIsAddressValid(FileObject->FileName.Buffer) || FileObject->DeviceObject==NULL || !MmIsAddressValid(FileObject->DeviceObject) ) { return OB_PREOP_SUCCESS; } uniFilePath = GetFilePathByFileObject(FileObject); if (uniFilePath.Buffer==NULL||uniFilePath.Length==0) { return OB_PREOP_SUCCESS; } if(wcsstr(uniFilePath.Buffer,L"D:\\Test.txt")) { if (FileObject->DeleteAccess==TRUE||FileObject->WriteAccess==TRUE) { if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) { OperationInformation->Parameters->CreateHandleInformation.DesiredAccess=0; } if(OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE) { OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0; } } } RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName); DbgPrint("PID : %ld File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath); return OB_PREOP_SUCCESS; } UNICODE_STRING GetFilePathByFileObject(PVOID FileObject) { POBJECT_NAME_INFORMATION ObjetNameInfor; if (NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &ObjetNameInfor))) { return ObjetNameInfor->Name; } } VOID EnableObType(POBJECT_TYPE ObjectType) { POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType; ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1; } VOID UnloadDriver(PDRIVER_OBJECT DriverObject) { if (CallBackHandle!=NULL) { ObUnRegisterCallbacks(CallBackHandle); } DbgPrint("UnloadDriver\r\n"); }
posted on 2016-05-07 12:49 ciyze0101 阅读(12518) 评论(0) 编辑 收藏 举报
