[半原创]稳定的禁止进程创建 - TaForbidCreateProcess
本帖最后由 HoviDelphic 于 2010-7-9 17:29 编辑Hook RtlImageNtHeader,不能与KV2010共存。
在Windows XP和Windows 7下测试成功。
======
放假了,给朋友们的一些提醒:
1.不要沉迷于网络,牢记网络只是工具而不是目的,网络上的人和事都是虚幻甚至是虚假的。
2.要准备中考的同学就别玩电脑了,比如SYF大牛,否则你会后悔的。
3.用电脑一个小时,要休息15分钟,保护眼睛。
======
NTKERNELAPI PIMAGE_NT_HEADERS RtlImageNtHeader(PVOID ModuleAddress);
NTKERNELAPI PEPROCESS PsGetThreadProcess(PETHREAD Thread);
NTKERNELAPI PUCHAR PsGetProcessImageFileName(PEPROCESS Process);
typedef PIMAGE_NT_HEADERS (NTAPI *MYRTLIMAGENTHEADER)(PVOID ModuleAddres);
MYRTLIMAGENTHEADER MyRtlImageNtHeader = NULL;
BYTE OldCode = {0};
BYTE HookCode = {0xe9, 0, 0, 0, 0};
BYTE JmpCode = {0xe9, 0, 0, 0, 0};
BYTE ProxyFun = {0, 0, 0, 0, 0, 0xe9, 0, 0, 0, 0};
ULONG ToHookFuncAddr = 0;
KIRQL oldIrql,oldirql;
long lng = 0;
KSPIN_LOCK spinlock;
PIMAGE_NT_HEADERS RtlImageNtHeaderCallBack(PVOID Base)
{
PEPROCESS A,B;
InterlockedIncrement(&lng);
MyRtlImageNtHeader=(MYRTLIMAGENTHEADER)((PVOID)ProxyFun);
A=PsGetThreadProcess(PsGetCurrentThread());
B=PsGetCurrentProcess();
if (A==B)
{
InterlockedDecrement(&lng);
return MyRtlImageNtHeader(Base);
}
else
{
InterlockedDecrement(&lng);
return NULL;
}
}
BOOL StartHook_RINH()
{
PMDL pMdl = NULL;
PUCHAR Addr = NULL;
PUCHAR MapAddr = NULL;
ToHookFuncAddr = (ULONG)RtlImageNtHeader;
memcpy(OldCode, (PBYTE)RtlImageNtHeader, 5);
*((PULONG)(HookCode + 1)) = (ULONG)RtlImageNtHeaderCallBack - ToHookFuncAddr -5;
*((PULONG)(JmpCode + 1)) = (ToHookFuncAddr + 5) - (ULONG)(ProxyFun + 5) - 5;
memcpy(ProxyFun, OldCode, 5);
memcpy((PVOID)(ProxyFun + 5), JmpCode, 5);
pMdl = IoAllocateMdl((PBYTE)RtlImageNtHeader, 5, FALSE, FALSE, NULL);
if (pMdl)
{
__try
{MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess);}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(pMdl);
return FALSE;
}
MapAddr = (PUCHAR)MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
if (!MapAddr)
{
IoFreeMdl(pMdl);
return FALSE;
}
KeInitializeSpinLock(&spinlock);
KeAcquireSpinLock(&spinlock,&oldirql);
oldIrql = KeRaiseIrqlToDpcLevel();
*(PUSHORT)MapAddr = 0xfeeb;
memcpy(MapAddr + 2, (PCHAR)HookCode + 2, 3);
memcpy(MapAddr, HookCode, 5);
KeLowerIrql(oldIrql);
KeReleaseSpinLock(&spinlock, oldirql);
MmUnlockPages(pMdl);
IoFreeMdl(pMdl);
}
return TRUE;
}
void StopHook_RINH()
{
PMDL pMdl = NULL;
PUCHAR MapAddr = NULL;
pMdl = IoAllocateMdl((PBYTE)RtlImageNtHeader, 5, FALSE, FALSE, NULL);
if (pMdl)
{
__try
{
MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl(pMdl);
}
MapAddr = (PUCHAR)MmGetSystemAddressForMdlSafe(pMdl, NormalPagePriority);
if (!MapAddr) IoFreeMdl(pMdl);
KeInitializeSpinLock(&spinlock);
KeAcquireSpinLock(&spinlock,&oldirql);
oldIrql = KeRaiseIrqlToDpcLevel();
*(PUSHORT)MapAddr = 0xfeeb;
memcpy(MapAddr + 2, (PCHAR)OldCode + 2, 3);
memcpy(MapAddr, OldCode, 5);
KeLowerIrql(oldIrql);
KeReleaseSpinLock(&spinlock, oldirql);
MmUnlockPages(pMdl);
IoFreeMdl(pMdl);
}
}
页:
[1]