发表于 2010-4-25 10:55:20
一些修改:
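/*
 * Hook for NtUserBuildHwndList: hides the windows of ProtectedProcess from
 * every other process.
 *
 * Callers inside the protected process (or when no process is protected yet)
 * are passed straight through to the original. For everyone else:
 *   - a child-window enumeration rooted at a window owned by the protected
 *     process is refused with STATUS_UNSUCCESSFUL;
 *   - after a successful top-level enumeration, every handle in the returned
 *     list that belongs to the protected process is overwritten with 0.
 *
 * Returns the status of the original call, or STATUS_UNSUCCESSFUL for the
 * refused child enumeration.
 *
 * NOTE(review): phwndFirst and pcHwndNeeded are caller-supplied (user-mode)
 * pointers. The original syscall probes them; this hook dereferences them
 * afterwards without ProbeForWrite/__try, so a caller that unmaps the buffer
 * between the two accesses takes the system down — TODO: guard the post-call
 * walk the same way the original does.
 */
NTSTATUS fake_NtUserBuildHwndList(
    IN HDESK hdesk,
    IN HWND hwndNext,
    IN ULONG fEnumChildren,
    IN DWORD idThread,
    IN UINT cHwndMax,
    OUT HWND *phwndFirst,
    OUT ULONG *pcHwndNeeded)
{
    NTSTATUS ntStatus;
    ULONG protectedPid;
    ULONG count;
    ULONG i;

    /* Nothing to hide yet, or the protected process is looking at its own
     * windows: do not filter. (PsGetProcessId(NULL) below would bugcheck.) */
    if (ProtectedProcess == NULL || PsGetCurrentProcess() == ProtectedProcess) {
        return Old_NtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread,
                                       cHwndMax, phwndFirst, pcHwndNeeded);
    }

    /* Resolved once; the original re-queried it on every list entry. */
    protectedPid = (ULONG)PsGetProcessId(ProtectedProcess);

    /* Child-window enumeration rooted at one of our windows: refuse outright.
     * Index 0 to Old_NtUserQueryWindow is used throughout this file as the
     * "owning process id" query — kept as the original wrote it. */
    if (fEnumChildren == 1 &&
        Old_NtUserQueryWindow((ULONG)hwndNext, 0) == protectedPid) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Top-level enumeration: let the real call fill the list first. */
    ntStatus = Old_NtUserBuildHwndList(hdesk, hwndNext, fEnumChildren, idThread,
                                       cHwndMax, phwndFirst, pcHwndNeeded);
    if (!NT_SUCCESS(ntStatus) || phwndFirst == NULL || pcHwndNeeded == NULL) {
        return ntStatus;
    }

    /* Never walk past the caller's buffer, even if the reported "needed"
     * count is larger than the space that was handed in. */
    count = *pcHwndNeeded;
    if (count > cHwndMax) {
        count = cHwndMax;
    }

    /* Blank out our own handles in place. This leaves holes (0 entries) in
     * the list rather than compacting it, exactly as the original did. */
    for (i = 0; i < count; i++) {
        if (Old_NtUserQueryWindow((ULONG)phwndFirst[i], 0) == protectedPid) {
            phwndFirst[i] = 0;
        }
    }

    return ntStatus;
}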
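/*
 * Returns TRUE when TargetProcessHandle refers to the calling process — i.e.
 * when a handle NtDuplicateObject writes to *TargetHandle lives in *this*
 * process's handle table and can therefore be inspected and closed from the
 * current context.
 */
static BOOLEAN target_is_current_process(IN HANDLE TargetProcessHandle)
{
    PROCESS_BASIC_INFORMATION pbi;
    NTSTATUS st;

    st = ZwQueryInformationProcess(TargetProcessHandle, ProcessBasicInformation,
                                   &pbi, sizeof(pbi), NULL);
    if (!NT_SUCCESS(st)) {
        return FALSE;
    }
    return (BOOLEAN)(pbi.UniqueProcessId == (ULONG_PTR)PsGetCurrentProcessId());
}

/*
 * Hook for NtDuplicateObject: if the freshly duplicated handle turns out to
 * refer to the protected process, or to one of its threads, the handle is
 * closed again, *TargetHandle is cleared and STATUS_UNSUCCESSFUL is returned.
 * Otherwise the original status is returned untouched.
 *
 * Fixes over the earlier version:
 *   - TargetHandle is OPTIONAL and may be NULL; it is no longer dereferenced
 *     unconditionally.
 *   - The new handle is only looked up when it lives in the current process.
 *     For a foreign TargetProcessHandle the value in *TargetHandle names some
 *     unrelated handle in this process, so the old code could have closed the
 *     wrong handle.
 *   - After the handle has been closed it is not queried a second time.
 *
 * NOTE(review): the lookups succeed only when the duplicate carries the
 * query access right; resolving the object from the kernel side instead
 * (the original author's own suggestion) would not depend on the access
 * granted. *TargetHandle is also a caller-supplied pointer that is read and
 * written here without a probe — TODO.
 */
NTSTATUS fake_NtDuplicateObject(
    IN HANDLE SourceProcessHandle,
    IN HANDLE SourceHandle,
    IN HANDLE TargetProcessHandle,
    OUT PHANDLE TargetHandle OPTIONAL,
    IN ACCESS_MASK DesiredAccess,
    IN ULONG Attributes,
    IN ULONG Options)
{
    NTSTATUS ntStatus;
    NTSTATUS qs;
    THREAD_BASIC_INFORMATION TBI;
    PROCESS_BASIC_INFORMATION PBI;
    HANDLE newHandle;
    BOOLEAN isProtected = FALSE;

    ntStatus = Old_NtDuplicateObject(SourceProcessHandle, SourceHandle,
                                     TargetProcessHandle, TargetHandle,
                                     DesiredAccess, Attributes, Options);

    /* Nothing to inspect: the call failed, the caller did not ask for the
     * handle back, or no process is protected (PsGetProcessId(NULL) would
     * bugcheck). */
    if (!NT_SUCCESS(ntStatus) || TargetHandle == NULL || ProtectedProcess == NULL) {
        return ntStatus;
    }

    /* The handle value is only meaningful in the target's handle table.
     * TODO(review): a duplicate placed into another process is currently not
     * inspected at all. */
    if (!target_is_current_process(TargetProcessHandle)) {
        return ntStatus;
    }

    newHandle = *TargetHandle;

    /* Process handle to us? */
    qs = ZwQueryInformationProcess(newHandle, ProcessBasicInformation,
                                   &PBI, sizeof(PBI), NULL);
    if (NT_SUCCESS(qs)) {
        isProtected = (BOOLEAN)(PBI.UniqueProcessId ==
                                (ULONG_PTR)PsGetProcessId(ProtectedProcess));
    } else {
        /* Not a process handle; thread handle to one of our threads?
         * Information class 0 is ThreadBasicInformation, as in the original.
         * NOTE(review): this compares against the global inpid while the
         * process check uses PsGetProcessId(ProtectedProcess); presumably
         * both hold the same pid — confirm where inpid is set. */
        qs = ZwQueryInformationThread(newHandle, 0, &TBI, sizeof(TBI), NULL);
        if (NT_SUCCESS(qs)) {
            isProtected = (BOOLEAN)(TBI.ClientId.UniqueProcess == (HANDLE)inpid);
        }
    }

    if (isProtected) {
        /* Take the handle away again and report the duplication as failed. */
        ZwClose(newHandle);
        *TargetHandle = 0;
        ntStatus = STATUS_UNSUCCESSFUL;
    }

    return ntStatus;
}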
/*
 * Hook for KeInsertQueueApc: filters APCs aimed at threads of ProtectedProcess.
 *
 * An APC whose Thread pointer is not mapped is rejected (FALSE) without being
 * touched. APCs for threads of any other process go straight to the original.
 * For the protected process's own threads, an APC queued with PriorityBoost
 * 0 or 2 is refused; every other boost value is forwarded unchanged.
 *
 * Returns the original function's result, or FALSE when refused.
 *
 * NOTE(review): why exactly boost values 0 and 2 are treated as harmful is not
 * explained here — confirm the intent before changing the set. MmIsAddressValid
 * only reports that the page is currently resident; it is not a validity proof
 * for the pointer.
 */
BOOLEAN fake_KeInsertQueueApc(IN PKAPC Apc, IN PVOID SystemArgument1, IN PVOID SystemArgument2, IN KPRIORITY PriorityBoost)
{
    PETHREAD targetThread;
    PEPROCESS owningProcess;

    /* Unmapped thread pointer: refuse rather than dereference it. */
    if (!MmIsAddressValid((PVOID)(Apc->Thread))) {
        return FALSE;
    }

    targetThread = (PETHREAD)(Apc->Thread);
    owningProcess = IoThreadToProcess(targetThread);

    /* Only our own threads are filtered, and only for the two boost values. */
    if (owningProcess == ProtectedProcess && (PriorityBoost == 0 || PriorityBoost == 2)) {
        return FALSE;
    }

    return Old_KeInsertQueueApc(Apc, SystemArgument1, SystemArgument2, PriorityBoost);
}