1、头文件源码,把涉及到的进程权限的常量值都添加进去
// Process access-right bits (进程权限). The callback in the source file
// masks a handle's DesiredAccess with these; only PROCESS_TERMINATE is
// used on this page, the rest are declared for completeness.
// NOTE(review): the WDK headers may already define some of these names;
// a redefinition is only accepted when the replacement text is identical,
// so keep the values and parenthesization exactly as the SDK spells them.
#define PROCESS_TERMINATE (0x0001)
#define PROCESS_CREATE_THREAD (0x0002)
#define PROCESS_SET_SESSIONID (0x0004)
#define PROCESS_VM_OPERATION (0x0008)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_VM_WRITE (0x0020)
#define PROCESS_DUP_HANDLE (0x0040)
#define PROCESS_CREATE_PROCESS (0x0080)
#define PROCESS_SET_QUOTA (0x0100)
#define PROCESS_SET_INFORMATION (0x0200)
#define PROCESS_QUERY_INFORMATION (0x0400)
#define PROCESS_SUSPEND_RESUME (0x0800)
#define PROCESS_QUERY_LIMITED_INFORMATION (0x1000)
#define PROCESS_SET_LIMITED_INFORMATION (0x2000)
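// Prototypes for the routines defined in the driver source file.
// The source defines 安装内存保护 / 卸载内存保护 (and the entry point calls
// those names); the header previously declared 安装进程保护 / 卸载进程保护,
// which have no definition, so callers relying on the header would fail
// to link. Parameter lists are (void): in C an empty list means
// "unspecified arguments", not "no arguments".
void 安装内存保护(void);
void 卸载内存保护(void);
// Patches the loader entry referenced by pDriverObj->DriverSection;
// pDriverObj is the DRIVER_OBJECT handed to DriverEntry. See the
// definition for the caveats on this routine.
void 签名绕过(PDRIVER_OBJECT pDriverObj);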
2、源文件
#include <ntifs.h>
#include "驱动保护.h"
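// Pre-operation callback registered by 安装内存保护 for process handle
// creation. It runs for every handle-open on every process object — there
// is no target filter — so it affects all user-mode callers system-wide.
// For user-mode requests it removes PROCESS_TERMINATE from the access
// that will be granted; kernel-mode handle requests pass through unchanged.
//
// RegistrationContext: the value stored in OB_CALLBACK_REGISTRATION
//   (NULL in 安装内存保护); unused.
// OperationInformation: the handle operation being filtered.
// Returns OB_PREOP_SUCCESS in every case: the callback never refuses an
//   open, it only narrows the requested access.
OB_PREOP_CALLBACK_STATUS
回调函数(
    PVOID RegistrationContext,
    POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    DbgPrint("nxyn:sys pEPROCESS=%p ", OperationInformation->Object);

    // 安装内存保护 registers only OB_OPERATION_HANDLE_CREATE, but the
    // Parameters union has a different member per operation, so verify
    // the operation here instead of trusting the registration.
    if (OperationInformation->Operation != OB_OPERATION_HANDLE_CREATE)
    {
        return OB_PREOP_SUCCESS;
    }

    if (OperationInformation->KernelHandle)
    {
        // 内核创建 — kernel-mode request: left untouched.
    }
    else
    {
        // 用户层 — user-mode request.
        POB_PRE_CREATE_HANDLE_INFORMATION info =
            &OperationInformation->Parameters->CreateHandleInformation;
        ACCESS_MASK 获取权限 = info->OriginalDesiredAccess; // what the caller asked for
        ACCESS_MASK 获取新权限 = info->DesiredAccess;       // current mask, possibly already narrowed by another filter

        // Narrow the *current* DesiredAccess rather than rebuilding it from
        // OriginalDesiredAccess: writing Original & ~PROCESS_TERMINATE back
        // (as the previous version did) restores every right that a filter
        // at a higher altitude had already removed.
        获取新权限 &= ~PROCESS_TERMINATE;
        info->DesiredAccess = 获取新权限;

        DbgPrint("nxyn:获取权限=%X 获取新权限=%X", 获取权限, 获取新权限);
    }
    return OB_PREOP_SUCCESS;
}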
// Registration handle returned by ObRegisterCallbacks in 安装内存保护;
// kept so that 卸载内存保护 can unregister the filter. NULL means nothing
// is registered.
HANDLE 返回句柄 = NULL;
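// Registers 回调函数 as a pre-operation filter for process handle creation.
// On success 返回句柄 holds the registration handle; on failure it is left
// NULL so 卸载内存保护 has nothing to unregister.
// Only OB_OPERATION_HANDLE_CREATE is filtered: handles obtained through
// duplication, or opened before this driver loaded, are not narrowed.
// NOTE(review): ObRegisterCallbacks is documented to reject images it does
// not accept as signed (STATUS_ACCESS_DENIED); the previous version ignored
// the status entirely, so such a failure was indistinguishable from success
// in the log.
void 安装内存保护(void)
{
    OB_CALLBACK_REGISTRATION 回调例程信息 = { 0 };
    OB_OPERATION_REGISTRATION 接收已注册回调例程 = { 0 };
    NTSTATUS status;

    // Altitude: this filter's position among loaded OB callbacks.
    RtlInitUnicodeString(&回调例程信息.Altitude, L"321000");
    回调例程信息.RegistrationContext = NULL;              // handed to the callback; unused
    回调例程信息.Version = OB_FLT_REGISTRATION_VERSION;     // registration structure version
    回调例程信息.OperationRegistrationCount = 1;            // one entry in the array below
    回调例程信息.OperationRegistration = &接收已注册回调例程;

    接收已注册回调例程.ObjectType = PsProcessType;          // process objects (PsThreadType would filter threads)
    接收已注册回调例程.Operations = OB_OPERATION_HANDLE_CREATE;
    接收已注册回调例程.PostOperation = NULL;
    接收已注册回调例程.PreOperation = 回调函数;

    status = ObRegisterCallbacks(&回调例程信息, &返回句柄);
    if (!NT_SUCCESS(status))
    {
        返回句柄 = NULL;
        KdPrint(("nxyn:安装内存保护 ObRegisterCallbacks failed status=%X", status));
        return;
    }
    KdPrint(("nxyn:安装内存保护 返回句柄=%p", 返回句柄));
}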
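// Unregisters the filter installed by 安装内存保护, if any.
// Clears 返回句柄 afterwards so a second call (or an unload after a failed
// install) cannot pass a stale handle to ObUnRegisterCallbacks.
void 卸载内存保护(void)
{
    if (返回句柄)
    {
        ObUnRegisterCallbacks(返回句柄);
        返回句柄 = NULL;
    }
    DbgPrint("nxyn:卸载内存保护");
}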
// Sets bit 0x20 in the Flags field of the loader entry that the kernel
// stores in pDriverObj->DriverSection.
// DriverSection is declared as PVOID and its real type is undocumented; the
// struct below is a hand-copied partial layout, so the Flags offset is only
// right where this layout matches the running kernel.
// NOTE(review): version-dependent and unverified here; a layout mismatch
// writes 0x20 into an unrelated field of a kernel structure.
// The function name says the write is meant to get past the signing check
// applied when callbacks are registered; nothing on this page shows which
// check reads this bit, so treat that as the author's claim. Modifying an
// undocumented loader structure from a driver is the kind of behaviour that
// kernel-integrity and driver-verification tooling flags; the supported way
// to satisfy that check is a properly signed image. The write is never
// reverted on unload, and pDriverObj->DriverSection is dereferenced
// without a NULL check.
void 签名绕过(PDRIVER_OBJECT pDriverObj)
{
    // Partial mirror of the loader data table entry; only Flags is used.
    typedef struct _LDR_DATA
    {
        struct _LIST_ENTRY InLoadOrderLinks;
        struct _LIST_ENTRY InMemoryOrderLinks;
        struct _LIST_ENTRY InInitializationOrderLinks;
        VOID* DllBase;
        VOID* EntryPoint;
        ULONG32 SizeOfImage;
        UINT8 _PADDING0_[0x4];
        struct _UNICODE_STRING FullDllName;
        struct _UNICODE_STRING BaseDllName;
        ULONG32 Flags;
    }LDR_DATA, * PLDR_DATA;
    PLDR_DATA ldr;
    ldr = (PLDR_DATA)(pDriverObj->DriverSection);
    ldr->Flags |= 0x20;   // meaning of 0x20 is not shown on this page — TODO confirm
}
3、入口函数调用
签名绕过(驱动对象);
安装内存保护();
4、卸载驱动的时候卸载内存保护
// Driver unload routine: removes the OB callback first, then the device
// (删除设备 is defined elsewhere in the project), and logs the unload.
// 驱动对象: the DRIVER_OBJECT being unloaded.
// Note that the loader-entry change made by 签名绕过 is not undone here.
void 卸载驱动回调函数(PDRIVER_OBJECT 驱动对象)
{
    卸载内存保护();
    删除设备(驱动对象);
    KdPrint(("nxyn:我被卸载了,驱动编号=%p", 驱动对象));
}
5、运行效果