
資源簡介

經過多次嘗試和持續驗證,終於實現了在驅動程序中同時保護進程和文件(經長時間測試後,未再出現導致系統藍屏的情況)。重點如下:
1)拒絕通過任務管理器等進程管理工具關閉被保護進程,同時仍允許特定進程(如被保護進程的父進程)對其進行管理;
2)在 ObRegisterCallbacks 註冊的文件對象回調中,把文件名轉為大寫後做字符串比較,以截獲針對被保護文件的句柄操作。需要注意:這種方式只攔截回調註冊之後的句柄獲取(創建/複製),並且僅按文件名字符串匹配,不會處理短文件名、符號鏈接等指向同一文件的其他路徑。


代碼片段和文件信息

#ifndef?CXX_PROTECTPROCESSX64_H
#????include?“ProtectProcessx64.h“
#endif

#include?
#include?

#include?

#define?TRACE?ATLTRACE

/* --- Process protection --- */

/*
 * Registration handle for the process-object callback: receives the value
 * ObRegisterCallbacks writes through its second (RegistrationHandle)
 * argument. Presumably handed back to ObUnRegisterCallbacks in
 * DriverUnload, which is not visible in this fragment.
 */
PVOID processCallBackHandle = NULL;

/*
 * Parent process of the protected process. Per the original comment,
 * operations originating from this process are exempted from the
 * protection (the check itself lives in code not shown here).
 */
PEPROCESS parentsProtectedProcess = NULL;

/* --- File protection --- */

/* Registration handle for the file-object callback (same role as above). */
PVOID fileCallBackHandle = NULL;

//驅動入口
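/*
 * Driver entry point: installs the unload routine, then registers the
 * process-object and file-object callbacks.
 *
 * pDriverObj      - driver object supplied by the I/O manager
 * pRegistryString - registry path of the driver's service key (unused here)
 *
 * Returns STATUS_SUCCESS unconditionally. ProtectProcess() and
 * ProtectFileByObRegisterCallbacks() are defined elsewhere in this file and
 * their results are not checked here (their return types are not visible in
 * this fragment) - a failed registration therefore still reports success.
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    PLDR_DATA_TABLE_ENTRY64 ldr;

    UNREFERENCED_PARAMETER(pRegistryString);

    DbgPrint("begin to load driver...\n");
    KdPrint(("begin to load driver...\n"));

    pDriverObj->DriverUnload = DriverUnload;

    /*
     * SECURITY NOTE (review): setting bit 0x20 in the loader entry's Flags is
     * the well-known trick to get past MmVerifyCallbackFunction, which is how
     * ObRegisterCallbacks enforces its documented requirement that the
     * calling image be linked with /INTEGRITYCHECK. It writes an undocumented
     * kernel structure whose layout is not guaranteed across Windows
     * versions, and it defeats a check that exists specifically to keep
     * unverified code out of the object-manager callback path. The supported
     * route is to link with /INTEGRITYCHECK and sign the driver; keep this
     * only for lab use.
     */
    ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
    if (ldr != NULL) {
        ldr->Flags |= 0x20;
    }

    DbgPrint("begin to ProtectProcess...\n");
    /* Register the process-object callback (the original comment says "thread"). */
    ProtectProcess(TRUE);

    /* Register the file-object callback. */
    ProtectFileByObRegisterCallbacks();

    return STATUS_SUCCESS;
}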

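#define MY_MAX_PATH 256

/*
 * Convert a UNICODE_STRING to an upper-cased, NUL-terminated ANSI string.
 *
 * DestinationString - caller-supplied buffer; assumed to hold at least
 *                     MY_MAX_PATH bytes. The function has no length
 *                     parameter, so this is the only bound it can enforce -
 *                     TODO confirm every caller allocates MY_MAX_PATH.
 * SourceString      - source string (e.g. a FILE_OBJECT.FileName, which is
 *                     not necessarily NUL-terminated).
 *
 * Returns TRUE on success. Returns FALSE, leaving DestinationString
 * untouched, when either pointer is NULL, when the conversion fails, when
 * the converted text would not fit in MY_MAX_PATH bytes including the
 * terminator, or when an exception is raised while touching the buffers.
 *
 * The result is used for file-name comparison, so upper-casing here gives a
 * case-insensitive match; nothing else is normalized (8.3 short names,
 * symbolic links and "\??\" prefixes still compare as different strings).
 */
BOOLEAN UnicodeStringToChar(char* DestinationString, PUNICODE_STRING SourceString)
{
    ANSI_STRING ansi;
    NTSTATUS    status;
    BOOLEAN     ok = FALSE;

    if (DestinationString == NULL || SourceString == NULL) {
        return FALSE;
    }

    __try
    {
        /*
         * Allocating conversion: ansi is only initialised on success, so it
         * must not be read or freed when the call fails.
         */
        status = RtlUnicodeStringToAnsiString(&ansi, SourceString, TRUE);
        if (NT_SUCCESS(status)) {
            /* Length excludes the terminator; reserve one byte for it. */
            if (ansi.Buffer != NULL && ansi.Length < MY_MAX_PATH) {
                RtlCopyMemory(DestinationString, ansi.Buffer, ansi.Length);
                DestinationString[ansi.Length] = '\0';
                _strupr(DestinationString);
                ok = TRUE;
            }
            RtlFreeAnsiString(&ansi);
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return FALSE;
    }
    return ok;
}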

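/*
 * Upper-case the ASCII letters 'a'..'z' of a NUL-terminated string in place.
 *
 * s - string to modify; NULL is accepted and ignored. Only the 26 ASCII
 *     lower-case letters are changed; every other byte (digits, punctuation,
 *     non-ASCII bytes) is left untouched, so this is neither locale-aware
 *     nor Unicode-aware.
 */
void MyUpper(char *s)
{
    if (s == NULL) {
        return;
    }
    for (; *s != '\0'; s++) {
        if (*s >= 'a' && *s <= 'z') {
            *s = (char)(*s - 'a' + 'A');
        }
    }
}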

OB_PREOP_CALLBACK_STATUS?FilePreCallBack(PVOID?RegistrationContext?POB_PRE_OPERATION_INFORMATION?OperationInformation)
{
????UNICODE_STRING?uniDosName;
uniDosName.Length?=?0;

ACCESS_MASK?oldCreateDesiredAccess?=?0;
ACCESS_MASK?oldDuplicateDesiredAccess?=?0;

//參數檢查
if(NULL?==?OperationInformation)
return?OB_PREOP_SUCCESS;

????PFILE_object?Fileobject?=?(PFILE_object)OperationInformation->object;
????HANDLE?CurrentProcessId?=?PsGetCurrentProcessId();

UNREFERENCED_PARAMETER(RegistrationContext);

//有效性檢查
if(NULL?==?Fileobject)
return?OB_PREOP_SUCCESS;

//(1)屏蔽非IoFileobjectType類型的處理
????if(?OperationInformation->objectType!=*IoFileobjectType)
????{
????????return?OB_PREOP_SUCCESS;
????}

????//(2)過濾無效指針
????if(????Fileobject->FileName.Buffer==NULL??????????????||?
????????!MmIsAddressValid(Fileobject->FileName.Buffer)????||
????????Fileobject->Deviceobject==NULL????????????????????||
????????!MmIsAddressValid(Fileobject->Deviceobject)????????)
????{
????????return?OB_PREOP_SUCCESS;
????}

//(3)過濾無效路徑?否則使用RtlVolumeDeviceToDosName獲取盤符會藍屏
/**/
if(?!_wcsicmp(Fileobject->FileName.BufferL“\\Endpoint“) ||
!_wcsicmp(Fileobject->FileName.BufferL“?“) ||
!_wcsicmp(Fileobject->FileName.BufferL“\\.\\.“) ||
!_wcsicmp(Fileobject->Fi

 屬性          大小   日期        時間   名稱
----------- --------- ---------- ----- ----

     文件      13414  2020-02-11 08:47  ProtectProcessx64.cpp

     文件       4348  2020-02-11 08:45  ProtectProcessx64.h

----------- --------- ---------- ----- ----

                17762                    2

