大牛已经把这些玩得烂熟了
小小小菜鸟 把一个 修改了 无数次的代码发出来
希望 大家多多 提出意见 代码是非常的挫(本代码 修改自一个 网络博客的代码只是修改函数和部分通讯 把r3 r0 通讯 修改为 进程名 保护不需要通讯 直接加载驱动就可以了
虽说不是原原创 但是也是花了很多心血 )
代码:
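/*
 * Project Name: Processes Guard
 * Description:  Protection user specified process(es)
 * Date:         2010-5-5
 * Version:      1.0
 * Author:       Kernone
 * Alter:        君君寒
 * Blog:         http://hi.baidu.com/kernone
 * File Name:    ProcGuard.c
 * Copyright(c) Kernone Soft 2010
 *
 * Replaces the SSDT entries of NtOpenProcess / NtOpenThread with the hooks
 * below and denies both services when the target is the process whose image
 * name is TerminateName (unless the caller is that process itself).
 *
 * The code assumes a 32-bit kernel: SSDT entries are 4 bytes wide and the
 * service index is read from the "mov eax, imm32" at offset 1 of each Zw* stub.
 */
#include <Ntifs.h>

#if defined(_WIN64)
#error "ProcGuard assumes 4-byte SSDT entries and x86 Zw* stubs; do not build it for x64."
#endif

#pragma pack(1)
typedef struct _SYSTEM_SERVICES_DESCRIPTOR_TABLE {
    PULONG *ServiceTableBase;           /* array of service routine addresses */
    PULONG *ServiceCounterTableBase;    /* used in checked builds only */
    unsigned int NumberOfServices;
    PULONG *ParamTableBase;
} SSDT, *PSSDT;
#pragma pack()

typedef struct _DEVICE_EXTENSION {
    PDEVICE_OBJECT pDevObj;
    UNICODE_STRING uniSymLink;
    PMDL pMdl;               /* MDL describing the SSDT; freed in DriverUnload */
    PULONG pulSSDTMapped;    /* writable mapping of the SSDT obtained through pMdl */
} DEVICE_EXTENSION, *PDEVICE_EXTENSION;

typedef NTSTATUS (__stdcall *ZWOPENPROCESS)(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

typedef NTSTATUS (__stdcall *ZWOPENTHREAD)(
    OUT PHANDLE ThreadHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL);

NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

NTSYSAPI NTSTATUS NTAPI ZwOpenThread(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId);

/*
 * Service index of a Zw* stub: the imm32 of "mov eax, <index>" one byte into
 * the stub (x86 only). SYSTEM_SERVICE yields the routine currently installed
 * for that index.
 */
#define SYSTEM_INDEX(_Func)   (*(PULONG)((PUCHAR)(_Func) + 1))
#define SYSTEM_SERVICE(_Func) KeServiceDescriptorTable.ServiceTableBase[SYSTEM_INDEX(_Func)]

#define IOCTL_START_PROTECTION CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define C_MAXPROCNUMS 12

/* Global variables */
__declspec(dllimport) SSDT KeServiceDescriptorTable;

ZWOPENPROCESS ZwOpenProcessReal;    /* original service routines, restored in DriverUnload */
ZWOPENTHREAD  ZwOpenThreadReal;
ULONG ulPIDs[C_MAXPROCNUMS];        /* PIDs received via IOCTL_START_PROTECTION; the hooks match on
                                       image name and never read this table */
CHAR *TerminateName = "demo.exe";   /* image name of the protected process */

DRIVER_UNLOAD DriverUnload;
DRIVER_DISPATCH DispatchDevOpen, DispatchDevCtl;
NTSTATUS ZwOpenProcessHook(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
NTSTATUS ZwOpenThreadHook(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
/* Undocumented kernel export: returns the image name stored in the EPROCESS. */
UCHAR *PsGetProcessImageFileName(IN PEPROCESS Process);
BOOLEAN IsProtect(CHAR *temp);

/*
 * Driver entry point: creates the control device, maps the SSDT writable
 * through an MDL and installs the two hooks.
 *
 * Returns STATUS_SUCCESS, or the failing status with every resource acquired
 * so far released again (the I/O manager does not call DriverUnload when
 * DriverEntry fails).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryPath)
{
    PDEVICE_OBJECT pDevObj = NULL;
    PDEVICE_EXTENSION pDevExt;
    UNICODE_STRING uniSymLink, uniDevName;
    NTSTATUS ntStatus;
    PMDL pMdl = NULL;
    PULONG pulSSDTMapped;

    UNREFERENCED_PARAMETER(pRegistryPath);

    RtlInitUnicodeString(&uniSymLink, L"\\DosDevices\\ProcessesGuard");
    RtlInitUnicodeString(&uniDevName, L"\\Device\\ProcessesGuard");

    pDriverObj->DriverUnload = DriverUnload;
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchDevOpen;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchDevOpen;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchDevCtl;

    /* NOTE(review): the device carries no security descriptor, so any local user
     * can open it and issue IOCTL_START_PROTECTION (which only fills ulPIDs). */
    ntStatus = IoCreateDevice(pDriverObj, sizeof(DEVICE_EXTENSION), &uniDevName,
                              FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
    if (!NT_SUCCESS(ntStatus)) {
        return ntStatus;
    }

    /* The original ignored this result; a failed link left DriverUnload deleting a link that never existed. */
    ntStatus = IoCreateSymbolicLink(&uniSymLink, &uniDevName);
    if (!NT_SUCCESS(ntStatus)) {
        IoDeleteDevice(pDevObj);
        return ntStatus;
    }

    pDevObj->Flags |= DO_BUFFERED_IO;
    pDevExt = pDevObj->DeviceExtension;
    pDevExt->pDevObj = pDevObj;
    pDevExt->uniSymLink = uniSymLink;
    pDevExt->pMdl = NULL;
    pDevExt->pulSSDTMapped = NULL;

    /* Describe the SSDT with an MDL and map it again so the table can be written. */
    pMdl = IoAllocateMdl(KeServiceDescriptorTable.ServiceTableBase,
                         KeServiceDescriptorTable.NumberOfServices * sizeof(ULONG),
                         FALSE, FALSE, NULL);
    if (pMdl == NULL) {
        ntStatus = STATUS_INSUFFICIENT_RESOURCES;
        goto fail;
    }
    MmBuildMdlForNonPagedPool(pMdl);
    /* Kept from the original: the flag is set before the mapping call below. */
    pMdl->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;

    pulSSDTMapped = (PULONG)MmMapLockedPagesSpecifyCache(pMdl, KernelMode, MmNonCached,
                                                        NULL, FALSE, NormalPagePriority);
    if (pulSSDTMapped == NULL) {
        ntStatus = STATUS_UNSUCCESSFUL;
        goto fail;
    }
    pDevExt->pMdl = pMdl;
    pDevExt->pulSSDTMapped = pulSSDTMapped;

    /* Save the original routines first so the hooks can forward to them. */
    ZwOpenProcessReal = (ZWOPENPROCESS)SYSTEM_SERVICE(ZwOpenProcess);
    ZwOpenThreadReal  = (ZWOPENTHREAD)SYSTEM_SERVICE(ZwOpenThread);
    pulSSDTMapped[SYSTEM_INDEX(ZwOpenProcess)] = (ULONG)(ULONG_PTR)ZwOpenProcessHook;
    pulSSDTMapped[SYSTEM_INDEX(ZwOpenThread)]  = (ULONG)(ULONG_PTR)ZwOpenThreadHook;
    return STATUS_SUCCESS;

fail:
    if (pMdl != NULL) {
        IoFreeMdl(pMdl);
    }
    IoDeleteSymbolicLink(&uniSymLink);
    IoDeleteDevice(pDevObj);
    return ntStatus;
}

/*
 * Unload routine: restores the two SSDT entries, releases the SSDT mapping and
 * deletes every device this driver created.
 *
 * NOTE(review): nothing waits for threads still executing inside the hooks; a
 * caller that entered a hook just before the restore can fault once the image
 * is gone. Reference counting the hooks would be needed to make unload safe.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    PDEVICE_OBJECT pDevObj = pDriverObj->DeviceObject;
    PDEVICE_EXTENSION pDevExt = pDevObj->DeviceExtension;
    PULONG pulSSDTMapped = pDevExt->pulSSDTMapped;
    PMDL pMdl = pDevExt->pMdl;

    /* Restore the entries before tearing down the mapping (the author's required order). */
    pulSSDTMapped[SYSTEM_INDEX(ZwOpenProcess)] = (ULONG)(ULONG_PTR)ZwOpenProcessReal;
    pulSSDTMapped[SYSTEM_INDEX(ZwOpenThread)]  = (ULONG)(ULONG_PTR)ZwOpenThreadReal;
    MmUnmapLockedPages(pulSSDTMapped, pMdl);
    IoFreeMdl(pMdl);

    while (pDevObj != NULL) {
        pDevExt = pDevObj->DeviceExtension;
        pDevObj = pDevObj->NextDevice;
        IoDeleteSymbolicLink(&pDevExt->uniSymLink);
        IoDeleteDevice(pDevExt->pDevObj);
    }
}

/* IRP_MJ_CREATE / IRP_MJ_CLOSE: always succeed, nothing to set up. */
NTSTATUS DispatchDevOpen(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    UNREFERENCED_PARAMETER(pDevObj);

    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * IRP_MJ_DEVICE_CONTROL: IOCTL_START_PROTECTION copies up to C_MAXPROCNUMS
 * ULONG PIDs from the input buffer into ulPIDs. Any other code fails with
 * STATUS_INVALID_PARAMETER.
 *
 * IoStatus.Information is always 0: nothing is written to the output buffer,
 * and with METHOD_BUFFERED the I/O manager copies Information bytes back to
 * the caller's output buffer, so reporting InputBufferLength (as the original
 * did) could write past an output buffer smaller than the input.
 */
NTSTATUS DispatchDevCtl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG ulIoCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    ULONG ulBufLength, ulCounts, ulIndex;
    PULONG pulBuf;
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(pDevObj);

    switch (ulIoCode) {
    case IOCTL_START_PROTECTION:
        ulBufLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
        pulBuf = (PULONG)pIrp->AssociatedIrp.SystemBuffer;
        ulCounts = ulBufLength / sizeof(ULONG);     /* a trailing partial ULONG is ignored */
        if (ulCounts > C_MAXPROCNUMS) {
            ulCounts = C_MAXPROCNUMS;
        }
        /* KdPrint takes ONE parenthesised argument list; the original passed the
         * values outside it, so they never reached DbgPrint. */
        KdPrint(("Protection Numbers: %u\n", ulCounts));
        for (ulIndex = 0; ulIndex < ulCounts; ulIndex++) {
            ulPIDs[ulIndex] = pulBuf[ulIndex];
            KdPrint(("Index %u -- PID %u\n", ulIndex, ulPIDs[ulIndex]));
        }
        ntStatus = STATUS_SUCCESS;
        break;
    default:
        ntStatus = STATUS_INVALID_PARAMETER;
        break;
    }

    pIrp->IoStatus.Status = ntStatus;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return ntStatus;
}

/*
 * TRUE when temp equals TerminateName. The comparison is exact and
 * case-sensitive; PsGetProcessImageFileName is believed to return only a
 * truncated prefix of the image name (EPROCESS.ImageFileName), so TerminateName
 * must fit within that limit — confirm against the target kernel.
 */
BOOLEAN IsProtect(CHAR *temp)
{
    if (temp == NULL) {
        return FALSE;
    }
    return (strcmp(TerminateName, temp) == 0) ? TRUE : FALSE;
}

/*
 * Decides whether an open request identified by ClientId must be refused:
 * TRUE when it resolves to the protected process and the caller is not that
 * process itself.
 *
 * ClientId is the caller's pointer. When the previous mode is user mode it is
 * probed and copied under __try, because the hook runs before the real
 * service has validated anything; a bad pointer therefore yields FALSE and the
 * original service reports the fault as it normally would. A NULL ClientId or
 * a failed lookup also yields FALSE (pass-through), as in the original.
 *
 * Both NtOpenProcess and NtOpenThread accept a CLIENT_ID with UniqueProcess
 * zero and only UniqueThread set; the original only looked at UniqueProcess,
 * so a request by thread id alone was never checked. The owning process is now
 * resolved through the thread in that case.
 *
 * The process reference taken by PsLookupProcessByProcessId (or the thread
 * reference from PsLookupThreadByThreadId) is released before returning; the
 * original leaked one reference per call.
 */
static BOOLEAN ProcGuardShouldDeny(PCLIENT_ID ClientId)
{
    CLIENT_ID cid;
    PEPROCESS process = NULL;
    PETHREAD thread = NULL;
    BOOLEAN deny = FALSE;

    if (ClientId == NULL) {
        return FALSE;
    }

    if (ExGetPreviousMode() == UserMode) {
        __try {
            ProbeForRead(ClientId, sizeof(CLIENT_ID), TYPE_ALIGNMENT(CLIENT_ID));
            cid = *ClientId;
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            return FALSE;
        }
    } else {
        cid = *ClientId;
    }

    if (cid.UniqueProcess != NULL) {
        if (!NT_SUCCESS(PsLookupProcessByProcessId(cid.UniqueProcess, &process))) {
            return FALSE;
        }
    } else if (cid.UniqueThread != NULL) {
        if (!NT_SUCCESS(PsLookupThreadByThreadId(cid.UniqueThread, &thread))) {
            return FALSE;
        }
        /* Not separately referenced: the thread reference keeps its process alive. */
        process = IoThreadToProcess(thread);
    } else {
        return FALSE;
    }

    /* The protected process may still open itself; everyone else is refused
     * regardless of DesiredAccess (the original did not distinguish rights either). */
    if (process != PsGetCurrentProcess() &&
        IsProtect((CHAR *)PsGetProcessImageFileName(process))) {
        KdPrint(("Protection Pid: %u\n", (ULONG)(ULONG_PTR)PsGetProcessId(process)));
        deny = TRUE;
    }

    if (thread != NULL) {
        ObDereferenceObject(thread);
    } else {
        ObDereferenceObject(process);
    }
    return deny;
}

/* Replacement for the NtOpenProcess service: refuse the protected process, else forward. */
NTSTATUS ZwOpenProcessHook(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    if (ProcGuardShouldDeny(ClientId)) {
        return STATUS_ACCESS_DENIED;
    }
    return ZwOpenProcessReal(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}

/*
 * Replacement for the NtOpenThread service: refuse threads of the protected
 * process, else forward. ProcessHandle actually receives the thread handle;
 * the parameter name is kept from the original.
 */
NTSTATUS ZwOpenThreadHook(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    if (ProcGuardShouldDeny(ClientId)) {
        return STATUS_ACCESS_DENIED;
    }
    return ZwOpenThreadReal(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}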
代码是完全可以编译的 (wdk 7600)
具体的就是 ssdt hook
希望大家保留 原原创的版权
既然他给大家做了 贡献 就要尊重别人的成果
还有希望下了代码的都留点 痕迹 呵呵
win7 系统下稳定运行截图
解压密码kanxue 发错代码跟附件 居然没人说我 羞死了。