1、头文件源码，把涉及到的进程权限常量值都添加进去
#define PROCESS_TERMINATE (0x0001) //进程权限 #define PROCESS_CREATE_THREAD (0x0002) #define PROCESS_SET_SESSIONID (0x0004) #define PROCESS_VM_OPERATION (0x0008) #define PROCESS_VM_READ (0x0010) #define PROCESS_VM_WRITE (0x0020) #define PROCESS_DUP_HANDLE (0x0040) #define PROCESS_CREATE_PROCESS (0x0080) #define PROCESS_SET_QUOTA (0x0100) #define PROCESS_SET_INFORMATION (0x0200) #define PROCESS_QUERY_INFORMATION (0x0400) #define PROCESS_SUSPEND_RESUME (0x0800) #define PROCESS_QUERY_LIMITED_INFORMATION (0x1000) #define PROCESS_SET_LIMITED_INFORMATION (0x2000) void 安装进程保护(); void 卸载进程保护(); void 签名绕过(PDRIVER_OBJECT pDriverObj);
2、源文件
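#include <ntifs.h>
#include "驱动保护.h"

/*
 * Pre-operation callback for process handle creation and duplication.
 *
 * For handles requested from user mode it removes PROCESS_TERMINATE from
 * the access being granted, so the resulting handle cannot be used to end
 * the process. Handles created by the kernel itself are left untouched.
 *
 * Note: no target filtering is done here — the mask is applied to every
 * process object, not just a protected one.
 *
 * RegistrationContext: unused (registered as NULL in 安装内存保护).
 * OperationInformation: the pending handle operation supplied by the object manager.
 * Returns OB_PREOP_SUCCESS (the callback never blocks the operation, it only narrows access).
 */
OB_PREOP_CALLBACK_STATUS 回调函数(
    PVOID RegistrationContext,
    POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
    UNREFERENCED_PARAMETER(RegistrationContext);

    DbgPrint("nxyn:sys pEPROCESS=%p ", OperationInformation->Object);

    if (OperationInformation->KernelHandle) {
        // 内核创建 — kernel-mode handles are not filtered
        return OB_PREOP_SUCCESS;
    }

    // 用户层. Pick the DesiredAccess slot that belongs to this operation
    // (create vs. duplicate; both are registered in 安装内存保护).
    PACCESS_MASK pDesiredAccess;
    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) {
        pDesiredAccess = &OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
    } else {
        pDesiredAccess = &OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
    }

    // Modify DesiredAccess in place rather than rebuilding it from
    // OriginalDesiredAccess: rewriting the mask from the original value would
    // re-grant rights that another registered callback had already removed.
    ACCESS_MASK 获取权限 = *pDesiredAccess;                      // access as it stands on entry
    ACCESS_MASK 获取新权限 = 获取权限 & ~PROCESS_TERMINATE;         // 让结束进程的功能失效
    *pDesiredAccess = 获取新权限;                                  // 返回我们修改过的权限 (OpenProcess / DuplicateHandle)

    DbgPrint("nxyn:获取权限=%X 获取新权限=%X", 获取权限, 获取新权限);
    return OB_PREOP_SUCCESS;
}

// Registration handle returned by ObRegisterCallbacks; NULL when nothing is
// registered. Kept so 卸载内存保护 can undo the registration.
HANDLE 返回句柄 = NULL;

/*
 * Registers 回调函数 for process handle create and duplicate operations.
 * On failure the status is logged and 返回句柄 stays NULL, so a later
 * 卸载内存保护 is a no-op. Calling this twice is ignored; a second
 * registration would orphan the first handle.
 */
void 安装内存保护(void)
{
    if (返回句柄 != NULL) {
        DbgPrint("nxyn:安装内存保护 already registered");
        return;
    }

    OB_CALLBACK_REGISTRATION 回调例程信息 = { 0 };
    OB_OPERATION_REGISTRATION 接收已注册回调例程 = { 0 };

    接收已注册回调例程.ObjectType = PsProcessType;   // 拦截的是进程还是线程 PsThreadType
    // Filter duplicates as well as creates; with create-only registration a
    // caller could still obtain a terminate-capable handle via DuplicateHandle.
    接收已注册回调例程.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    接收已注册回调例程.PreOperation = 回调函数;
    接收已注册回调例程.PostOperation = NULL;

    RtlInitUnicodeString(&回调例程信息.Altitude, L"321000"); // 指定驱动程序Altitude的Unicode字符串及长度
    回调例程信息.Version = OB_FLT_REGISTRATION_VERSION;      // 请求对象回调注册版本
    回调例程信息.RegistrationContext = NULL;                 // 可以传递给回调例程, 这里用不到
    回调例程信息.OperationRegistrationCount = 1;             // 注册数组的数目
    回调例程信息.OperationRegistration = &接收已注册回调例程;

    NTSTATUS status = ObRegisterCallbacks(&回调例程信息, &返回句柄);
    if (!NT_SUCCESS(status)) {
        返回句柄 = NULL;
        DbgPrint("nxyn:ObRegisterCallbacks failed status=0x%08lX", status);
        return;
    }
    KdPrint(("nxyn:安装内存保护 返回句柄=%p", 返回句柄));
}

/*
 * Unregisters the callback if one is registered and clears 返回句柄 so a
 * repeated call cannot unregister the same handle twice.
 */
void 卸载内存保护(void)
{
    if (返回句柄 != NULL) {
        ObUnRegisterCallbacks(返回句柄);
        返回句柄 = NULL;
    }
    DbgPrint("nxyn:卸载内存保护");
}

/*
 * Sets bit 0x20 in the Flags field of this driver's loader entry
 * (pDriverObj->DriverSection), using a hard-coded private layout.
 *
 * Caveats: the structure below is undocumented, its field offsets and the
 * meaning of 0x20 are not guaranteed across kernel builds, and
 * DriverSection is not checked for NULL before it is dereferenced.
 * The supported way for a driver to use ObRegisterCallbacks is to be
 * signed and linked with /INTEGRITYCHECK, which makes this unnecessary.
 */
void 签名绕过(PDRIVER_OBJECT pDriverObj)
{
    typedef struct _LDR_DATA {
        struct _LIST_ENTRY InLoadOrderLinks;
        struct _LIST_ENTRY InMemoryOrderLinks;
        struct _LIST_ENTRY InInitializationOrderLinks;
        VOID* DllBase;
        VOID* EntryPoint;
        ULONG32 SizeOfImage;
        UINT8 _PADDING0_[0x4];
        struct _UNICODE_STRING FullDllName;
        struct _UNICODE_STRING BaseDllName;
        ULONG32 Flags;
    } LDR_DATA, *PLDR_DATA;

    PLDR_DATA ldr = (PLDR_DATA)(pDriverObj->DriverSection);
    ldr->Flags |= 0x20;
}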
3、入口函数调用
// Called from the driver entry routine (per the surrounding text).
// Order matters: 签名绕过 adjusts this driver's loader entry first;
// presumably ObRegisterCallbacks inside 安装内存保护 would otherwise
// refuse the registration for this driver — confirm on the target build.
签名绕过(驱动对象);
安装内存保护();
4、卸载驱动的时候卸载内存保护
/*
 * Driver unload routine.
 * The object callback is unregistered first so it cannot run after the
 * driver image is gone; only then is the device torn down.
 * 删除设备 is defined elsewhere (not on this page).
 */
void 卸载驱动回调函数(PDRIVER_OBJECT 驱动对象)
{
    卸载内存保护();
    删除设备(驱动对象);
    KdPrint(("nxyn:我被卸载了,驱动编号=%p", 驱动对象));
}
5、运行效果