[开源]WS的“禁止进线程创建” - TaForbidCreateThreadProcess
通过Hook ObReferenceObjectByHandle达到目的。之所以说WS,是因为估计有副作用,但是目前还不知道副作用在何处。
在XP/WIN7下测试通过。
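/*
 * Detour for ObReferenceObjectByHandle.
 *
 * References to any object type other than process or thread go straight to
 * the original routine. Process/thread references also pass through unless
 * the calling process is CSRSS (its PID is kept in the global processID).
 * For CSRSS the original call is made first and its result is kept only when
 * the referenced object resolves to CSRSS itself: a process handle to the
 * current process, or a thread handle whose owning process is the current
 * process. Every other process/thread reference taken by CSRSS is released
 * again and refused with STATUS_UNSUCCESSFUL.
 *
 * NOTE(review): this refuses CSRSS every process/thread reference that does
 * not resolve to itself, which is broader than thread creation alone; the
 * side effects the author mentions presumably come from that.
 *
 * Parameters mirror ObReferenceObjectByHandle. On success *Object holds a
 * referenced object that the caller releases with ObDereferenceObject; on
 * failure *Object is NULL.
 */
NTSTATUS DetourMyObReferenceObjectByHandle(
    IN HANDLE Handle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_TYPE ObjectType OPTIONAL,
    IN KPROCESSOR_MODE AccessMode,
    OUT PVOID *Object,
    OUT POBJECT_HANDLE_INFORMATION HandleInformation OPTIONAL)
{
    NTSTATUS status;
    PVOID currentProcess;
    PVOID targetProcess;

    /* Not a process or thread handle (a NULL ObjectType lands here too): the
     * original routine handles it untouched. */
    if ((ObjectType != *PsProcessType) && (ObjectType != *PsThreadType))
    {
        return OriginalObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,
                                                 AccessMode, Object, HandleInformation);
    }

    /* Process/thread handle, but the caller is not CSRSS: pass through. */
    if (PsGetCurrentProcessId() != (HANDLE)processID)
    {
        return OriginalObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,
                                                 AccessMode, Object, HandleInformation);
    }

    /* Caller is CSRSS: resolve the handle first so the target can be inspected. */
    status = OriginalObReferenceObjectByHandle(Handle, DesiredAccess, ObjectType,
                                               AccessMode, Object, HandleInformation);
    if (!NT_SUCCESS(status))
    {
        return status;
    }

    /* Work out which process the referenced object belongs to. The branch on
     * ObjectType matters: IoThreadToProcess must only be applied to a thread
     * object, applying it to a process object reads an unrelated field.
     * The comparison is done on full pointers rather than values truncated
     * to ULONG, so it also holds on 64-bit builds. */
    currentProcess = (PVOID)PsGetCurrentProcess();
    if (ObjectType == *PsProcessType)
    {
        targetProcess = *Object;
    }
    else
    {
        targetProcess = (PVOID)IoThreadToProcess((PETHREAD)*Object);
    }

    /* CSRSS referencing itself or one of its own threads is allowed. */
    if (targetProcess == currentProcess)
    {
        return status;
    }

    /* Anything else: drop the reference just taken, clear the out pointer so a
     * caller that ignores the status cannot use the released object, and refuse. */
    ObfDereferenceObject(*Object);
    *Object = NULL;
    status = STATUS_UNSUCCESSFUL;
    return status;
}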
看不明白……