驱动实现进程保护
//基于SSDT Hook
//Hook ZwTerminateProcess,对传入的进程进行检查,如果匹配,则返回拒绝访问
#include <ntddk.h>
#include <windef.h>
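#include "SSDTHook.h"

/*
 * Undocumented system-information classes plus the per-thread / per-process
 * records returned for SystemProcessInformation.  Only the declarations are
 * used in this file: a ZwQuerySystemInformation hook is declared further
 * down but never defined or installed here.
 */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation,
    SystemProcessorInformation,
    SystemPerformanceInformation,
    SystemTimeOfDayInformation,
    SystemPathInformation,
    SystemProcessInformation,
    SystemCallCountInformation,
    SystemDeviceInformation,
    SystemProcessorPerformanceInformation,
    SystemFlagsInformation,
    SystemCallTimeInformation,
    SystemModuleInformation,
    SystemLocksInformation,
    SystemStackTraceInformation,
    SystemPagedPoolInformation,
    SystemNonPagedPoolInformation,
    SystemHandleInformation,
    SystemObjectInformation,
    SystemPageFileInformation,
    SystemVdmInstemulInformation,
    SystemVdmBopInformation,
    SystemFileCacheInformation,
    SystemPoolTagInformation,
    SystemInterruptInformation,
    SystemDpcBehaviorInformation,
    SystemFullMemoryInformation,
    SystemLoadGdiDriverInformation,
    SystemUnloadGdiDriverInformation,
    SystemTimeAdjustmentInformation,
    SystemSummaryMemoryInformation,
    SystemNextEventIdInformation,
    SystemEventIdsInformation,
    SystemCrashDumpInformation,
    SystemExceptionInformation,
    SystemCrashDumpStateInformation,
    SystemKernelDebuggerInformation,
    SystemContextSwitchInformation,
    SystemRegistryQuotaInformation,
    SystemExtendServiceTableInformation,
    SystemPrioritySeperation,
    SystemPlugPlayBusInformation,
    SystemDockInformation,
    /* SystemPowerInformation, -- commented out by the original author, so
       every enumerator below is one lower than it would be with it present */
    SystemProcessorSpeedInformation,
    SystemCurrentTimeZoneInformation,
    SystemLookasideInformation
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

typedef struct _SYSTEM_THREAD {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitchCount;
    ULONG State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREAD, *PSYSTEM_THREAD;

typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

/* Exported by the kernel but not declared in ntddk.h, hence the local
 * prototype.  The returned name is the kernel's short image file name
 * (a bare file name, not a path; presumably truncated to a fixed width). */
UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);

NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength);

/* Declared only; no definition exists in this file and DriverEntry never
 * installs it. */
NTSTATUS HookNtQuerySystemInformation(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength);

typedef NTSTATUS (*NTQUERYSYSTEMINFORMATION)(
    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __out_bcount_opt(SystemInformationLength) PVOID SystemInformation,
    __in ULONG SystemInformationLength,
    __out_opt PULONG ReturnLength);

typedef NTSTATUS (*NTTERMINATEPROCESS)(
    __in_opt HANDLE ProcessHandle,
    __in NTSTATUS ExitStatus);

NTSTATUS HookNtTerminateProcess(__in_opt HANDLE ProcessHandle, __in NTSTATUS ExitStatus);

/* Original SSDT entry for NtTerminateProcess; filled in from the backup taken
 * by BackupSysServicesTable() (see SSDTHook.h) before the hook is used. */
NTTERMINATEPROCESS pOldNtTerminateProcess = NULL;

/* Byte capacity the caller's Name[] buffer is assumed to have (MAX_PATH).
 * The interface does not carry a length, so this is the only bound we can
 * enforce -- keep callers' buffers at least this large. */
enum { NP_NAME_BUFFER_SIZE = 260 };

/*
 * Convert a UNICODE_STRING to a NUL-terminated ANSI string in Name[].
 *
 * Returns TRUE only when Name[] now holds the converted, NUL-terminated
 * name.  Returns FALSE if the conversion fails, if the converted name does
 * not fit in NP_NAME_BUFFER_SIZE bytes (Name[] is then left untouched), or
 * if an exception is raised while touching the buffers.  Must be called at
 * PASSIVE_LEVEL because RtlUnicodeStringToAnsiString allocates pool.
 */
BOOLEAN NPUnicodeStringToChar(PUNICODE_STRING UniName, char Name[])
{
    ANSI_STRING ansiName;
    BOOLEAN allocated = FALSE;   /* ansiName.Buffer owns pool memory */
    BOOLEAN copied = FALSE;      /* Name[] holds a valid result */

    __try {
        /* Only touch ansiName after a successful conversion: on failure it
           is uninitialised and must never be passed to RtlFreeAnsiString. */
        if (NT_SUCCESS(RtlUnicodeStringToAnsiString(&ansiName, UniName, TRUE))) {
            allocated = TRUE;
            /* Length excludes the terminator, so Length + 1 bytes must fit. */
            if (ansiName.Length < NP_NAME_BUFFER_SIZE) {
                RtlCopyMemory(Name, ansiName.Buffer, ansiName.Length);
                Name[ansiName.Length] = '\0';
                copied = TRUE;
            }
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("NPUnicodeStringToChar EXCEPTION_EXECUTE_HANDLER\n");
        copied = FALSE;
    }

    /* Free on every path, including after an exception during the copy. */
    if (allocated) {
        RtlFreeAnsiString(&ansiName);
    }
    return copied;
}

/*
 * DriverUnload routine: restore the service table entries.
 *
 * Typed VOID because PDRIVER_UNLOAD is VOID (*)(PDRIVER_OBJECT); the
 * original NTSTATUS return type did not match the DriverUnload field it is
 * assigned to in DriverEntry.
 */
VOID Unload(PDRIVER_OBJECT driver)
{
    UNREFERENCED_PARAMETER(driver);
    DbgPrint("unloaded!");
    /* DriverEntry only hooks ZwTerminateProcess; restoring the
       ZwQuerySystemInformation entry as well is presumably harmless (it
       should write back the value saved by BackupSysServicesTable), but it
       is kept only for symmetry with the unused HookNtQuerySystemInformation. */
    UnInstallSysServiceHook((ULONG)ZwQuerySystemInformation);
    UnInstallSysServiceHook((ULONG)ZwTerminateProcess);
}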
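/* Short image name (as returned by PsGetProcessImageFileName) of the process
 * this hook refuses to terminate.  The kernel's short name is presumably
 * truncated to a small fixed width, so keep this a short bare file name. */
static const char PROTECTED_IMAGE_NAME[] = "notepad.exe";

/*
 * SSDT replacement for NtTerminateProcess.
 *
 * Refuses (STATUS_ACCESS_DENIED) to terminate a process whose image name is
 * PROTECTED_IMAGE_NAME; every other request is forwarded to the original
 * NtTerminateProcess.  Returns whatever the original returns, or the status
 * of ObReferenceObjectByHandle when the handle cannot be resolved.
 */
NTSTATUS HookNtTerminateProcess(__in_opt HANDLE ProcessHandle, __in NTSTATUS ExitStatus)
{
    NTSTATUS status;
    PEPROCESS process = NULL;
    PCHAR imageName;
    BOOLEAN isProtected;
    NTTERMINATEPROCESS originalNtTerminateProcess;

    /* DriverEntry captures the saved entry before installing the hook; the
       lookup here is only a fallback so the hook never calls through NULL. */
    originalNtTerminateProcess = pOldNtTerminateProcess;
    if (originalNtTerminateProcess == NULL) {
        originalNtTerminateProcess =
            (NTTERMINATEPROCESS)oldSysServiceAddr[SYSCALL_INDEX(ZwTerminateProcess)];
        pOldNtTerminateProcess = originalNtTerminateProcess;
    }

    /* The kernel treats a NULL handle as "the current process", which normal
       process exit relies on.  The original code fed NULL to
       ObReferenceObjectByHandle and so failed every such call; pass it
       straight through instead. */
    if (ProcessHandle == NULL) {
        return originalNtTerminateProcess(ProcessHandle, ExitStatus);
    }

    /* Resolve the handle with the caller's own previous mode so user-mode
       handles still get the normal access check, ask for the right the
       caller actually needs (PROCESS_TERMINATE rather than the file right
       FILE_READ_DATA), and insist on a process object so
       PsGetProcessImageFileName is never applied to some other object type. */
    status = ObReferenceObjectByHandle(ProcessHandle, PROCESS_TERMINATE, *PsProcessType,
                                       ExGetPreviousMode(), (PVOID *)&process, NULL);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    imageName = (PCHAR)PsGetProcessImageFileName(process);
    DbgPrint("TerimateProcess:%s\n", imageName);
    /* Exact, case-insensitive match rather than the original strstr(), so a
       name that merely contains "notepad.exe" is not protected by accident. */
    isProtected = (_stricmp(imageName, PROTECTED_IMAGE_NAME) == 0);

    /* Drop the reference taken above; the original leaked one per call.
       imageName points into the process object and is not used past here. */
    ObDereferenceObject(process);

    if (isProtected) {
        return STATUS_ACCESS_DENIED;
    }
    return originalNtTerminateProcess(ProcessHandle, ExitStatus);
}

/*
 * Driver entry point: back up the service table, register Unload and
 * install the NtTerminateProcess hook.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{
    UNREFERENCED_PARAMETER(reg_path);
    DbgPrint("Driver Entry");

    /* Snapshot the table first so Unload (and the hook's fallback) can read
       the original entries from oldSysServiceAddr. */
    BackupSysServicesTable();
    driver->DriverUnload = Unload;

    /* Capture the original NtTerminateProcess before the hook goes live so
       no call ever observes pOldNtTerminateProcess == NULL. */
    pOldNtTerminateProcess =
        (NTTERMINATEPROCESS)oldSysServiceAddr[SYSCALL_INDEX(ZwTerminateProcess)];

    /* The ULONG casts make this 32-bit only: on a 64-bit build they truncate
       the function addresses. */
    InstallSysServiceHook((ULONG)ZwTerminateProcess, (ULONG)HookNtTerminateProcess);
    return STATUS_SUCCESS;
}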
源代碼:https://pan.baidu.com/s/14GY1wwvbpws3nNQy02GIbQ
总结