谁有这样的代码?保护进程的
就是一部分是VB的一部分是驱动的
在VB里输入要保护进程的pid
通过调用驱动,也就是sys
就能保护这个进程
我想知道驱动的代码
谢谢大家
#include "ntddk.h"
/* PID of the process to protect.  Written from user mode through IOCTL_TEST1
   (see MyIOCTL) and read by the Zw* replacement routines below.  A plain
   global with no synchronisation around its reads and writes. */
ULONG pid;
/* IOCTL_TEST2 (function 0x801): the driver fills the caller's output buffer.
   FILE_ANY_ACCESS means the request needs no particular handle access right. */
#define IOCTL_TEST2 CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x801, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
/* IOCTL_TEST1 (function 0x800): the caller passes the ULONG PID to protect.
   METHOD_BUFFERED: input and output share pIrp->AssociatedIrp.SystemBuffer. */
#define IOCTL_TEST1 CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x800, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
/* Unload - empty unload routine.  It is never installed: DriverEntry
   registers OnUnload instead and the assignment of this one is commented
   out there, so this function is dead code. */
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
}
/*
 * MyDispatch - handler for IRP_MJ_CREATE and IRP_MJ_CLOSE on the device.
 *
 * Every request is completed right away with STATUS_SUCCESS and zero bytes
 * transferred; the only per-major-function behaviour is a debug trace.
 * The device parameter is not used.
 */
NTSTATUS MyDispatch(IN PDEVICE_OBJECT device,IN PIRP irp)
{
    PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation(irp);

    switch (irpSp->MajorFunction)
    {
    case IRP_MJ_CREATE:
        KdPrint(("IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_CLOSE:
        KdPrint(("IRP_MJ_CLOSE\n"));
        break;
    default:
        /* Anything else is silently completed as a success. */
        break;
    }

    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/*
 * CreateDevice - create \Device\ok100fen and the user-visible link
 * \??\ok100fen through which the VB client talks to the driver.
 *
 * The device is exclusive (one open handle at a time) and uses buffered I/O.
 * Note: IoCreateDevice attaches no security descriptor here and the IOCTLs
 * are defined with FILE_ANY_ACCESS, so any local user able to open the link
 * can send requests; the IOCTL handler must therefore validate its input.
 *
 * Returns STATUS_SUCCESS, or the failing status with nothing left behind.
 */
NTSTATUS CreateDevice (
IN PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING deviceName;
    UNICODE_STRING linkName;
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;

    RtlInitUnicodeString(&deviceName, L"\\Device\\ok100fen");
    RtlInitUnicodeString(&linkName, L"\\??\\ok100fen");

    status = IoCreateDevice(DriverObject,
                            0,
                            &deviceName,
                            FILE_DEVICE_UNKNOWN,
                            0,
                            TRUE,
                            &deviceObject);
    if (!NT_SUCCESS(status))
        return status;

    deviceObject->Flags |= DO_BUFFERED_IO;

    status = IoCreateSymbolicLink(&linkName, &deviceName);
    if (NT_SUCCESS(status))
        return STATUS_SUCCESS;

    /* A failed link must not leave a half-initialised device behind. */
    IoDeleteDevice(deviceObject);
    return status;
}
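/*
 * MyIOCTL - IRP_MJ_DEVICE_CONTROL handler for \Device\ok100fen.
 *
 * Both control codes are METHOD_BUFFERED, so input and output share
 * pIrp->AssociatedIrp.SystemBuffer, which the I/O manager leaves NULL when
 * both lengths are zero.  The device is created without a security
 * descriptor and the IOCTLs use FILE_ANY_ACCESS, so every request is
 * untrusted user input: lengths are checked before the buffer is touched.
 * (The original read a ULONG from SystemBuffer unconditionally, before the
 * switch, so an empty buffer dereferenced NULL and IOCTL_TEST2 overwrote
 * the protected PID with whatever its output buffer contained.)
 *
 *   IOCTL_TEST1 - input: one ULONG, the PID to protect; stored in the
 *                 global `pid` only when at least sizeof(ULONG) bytes arrive.
 *   IOCTL_TEST2 - output: the caller's buffer is filled with 0x08 bytes.
 *
 * Returns STATUS_SUCCESS, STATUS_BUFFER_TOO_SMALL for a short IOCTL_TEST1
 * input, or STATUS_INVALID_DEVICE_REQUEST for an unknown control code.
 * pDevObj is unused.
 */
NTSTATUS MyIOCTL(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
    NTSTATUS status = STATUS_SUCCESS;
    ULONG info = 0;
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
    PVOID buffer = pIrp->AssociatedIrp.SystemBuffer;

    UNREFERENCED_PARAMETER(pDevObj);

    switch (code)
    {
    case IOCTL_TEST2:
    {
        KdPrint(("IOCTL_TEST2\n"));
        /* A zero-length output request is legal: nothing to fill, nothing
           to report back. */
        if (cbout != 0 && buffer != NULL)
        {
            memset(buffer, 0x8, cbout);
            info = cbout;
        }
        break;
    }
    case IOCTL_TEST1:
    {
        /* Validate before dereferencing; reject anything shorter than the
           ULONG we are about to read. */
        if (cbin < sizeof(ULONG) || buffer == NULL)
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        pid = *(PULONG)buffer;
        DbgPrint("IOCTL_TEST1\n");
        DbgPrint("输入缓冲数据内容:%u 输入缓冲数据长度:%u",pid,cbin);
        break;
    }
    default:
        /* Conventional status for an unrecognised control code. */
        status = STATUS_INVALID_DEVICE_REQUEST;
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = info; /* bytes transferred */
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}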
/* Layout assumed for an entry of the kernel's service descriptor table
   (the SSDT), packed so it matches the in-memory structure.
   NOTE(review): this layout and the KeServiceDescriptorTable import below
   are 32-bit specific — confirm the target platform. */
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
/* The kernel's exported table; DriverEntry builds an MDL over
   ServiceTableBase using NumberOfServices. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
/* Both macros read the 32-bit value at byte offset 1 of a Zw* stub and use
   it as a service index — presumably relying on the x86 stub layout where
   the stub starts with a "mov eax, imm32"; not valid elsewhere. */
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
/* NOTE(review): as written, the exchange target is &m_Mapped, i.e. the
   pointer variable itself, not an entry of the table it points to.  _Orig
   receives m_Mapped's previous value, and after the first use m_Mapped no
   longer holds what MmMapLockedPages returned — OnUnload still passes it to
   MmUnmapLockedPages, which is a likely cause of the unload trouble reported
   in the post.  _Function is unused by the macro. */
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) _Orig = (PVOID) InterlockedExchange( (PLONG) &m_Mapped, (LONG) _Hook)
/* MDL over the service table and its mapping: created in DriverEntry,
   released in OnUnload. */
PMDL m_MDL;
PVOID *m_Mapped;
/* Prototypes of the native routines being intercepted and of the
   replacements defined below. */
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
typedef NTSTATUS (*ZWTERMINATEPROCESS)(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
NTSTATUS NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
/* NOTE(review): the documented PsLookupProcessByProcessId takes a HANDLE
   ProcessId; this local prototype declares ULONG — confirm against ntddk.h
   to avoid a conflicting declaration. */
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS *pEProcess);
/* Saved "original" pointers, filled by HOOK_SYSCALL in DriverEntry and
   called by the replacement routines. */
ZWOPENPROCESS OldZwOpenProcess = NULL;
ZWTERMINATEPROCESS OldZwTerminateProcess = NULL;
/*
 * OnUnload - DriverUnload routine.  Removes the symbolic link and device,
 * runs HOOK_SYSCALL with the saved pointers, then unmaps and frees the MDL.
 *
 * NOTE(review): hazards a practitioner would check before trusting this
 * unload path (the post says a reboot is needed before the driver can be
 * loaded again):
 *  - nothing waits for, or counts, threads that may still be executing
 *    inside NewZwOpenProcess / NewZwTerminateProcess when the image is
 *    unloaded;
 *  - HOOK_SYSCALL reassigns m_Mapped, so the pointer handed to
 *    MmUnmapLockedPages below is not the one MmMapLockedPages returned;
 *  - m_MDL is not set to NULL after IoFreeMdl;
 *  - the device is torn down before the interception is undone, so a
 *    request arriving in between finds no device but still-active hooks.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    PVOID Oldfun = NULL; /* receives the value displaced by HOOK_SYSCALL; discarded */
    UNICODE_STRING symLinkName;
    RtlInitUnicodeString(&symLinkName,L"\\??\\ok100fen");
    IoDeleteSymbolicLink(&symLinkName);
    IoDeleteDevice(DriverObject->DeviceObject);
    KdPrint(("Device Delete Success\n"));
    HOOK_SYSCALL(ZwOpenProcess,OldZwOpenProcess,Oldfun);
    HOOK_SYSCALL(ZwTerminateProcess,OldZwTerminateProcess,Oldfun);
    /* Release the mapping made in DriverEntry (only if the MDL was created). */
    if(m_MDL){
        MmUnmapLockedPages(m_Mapped,m_MDL);
        IoFreeMdl(m_MDL);
    }
    KdPrint(("驱动卸载完毕.\n"));
}
/*
 * NewZwOpenProcess - replacement for ZwOpenProcess.
 *
 * Any attempt to open the protected PID fails with STATUS_ACCESS_DENIED,
 * whatever DesiredAccess was requested (so even a read-only query of that
 * process is refused); every other request is forwarded unchanged to the
 * saved original.
 *
 * NOTE(review): ClientId is OPTIONAL in the native contract but is
 * dereferenced here unconditionally — a NULL ClientId would fault.
 */
NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL)
{
    long requestedPid = (long)ClientId->UniqueProcess;

    if (requestedPid != pid)
        return OldZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);

    KdPrint(("保护进程,打开操作 PID:%ld\n",pid));
    return STATUS_ACCESS_DENIED;
}
/*
 * NewZwTerminateProcess - replacement for ZwTerminateProcess.
 *
 * Refuses with STATUS_ACCESS_DENIED when ProcessHandle resolves to the
 * same EPROCESS as the protected PID; otherwise forwards the call to the
 * saved original and returns its result.
 *
 * NOTE(review): both object references taken below (PsLookupProcessByProcessId
 * and ObReferenceObjectByHandle) are never released with ObDereferenceObject,
 * so every call through this path leaks a reference.
 */
NTSTATUS NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus)
{
    NTSTATUS nStatus = STATUS_SUCCESS;
    PEPROCESS EPROCESSPROTECT = NULL;
    PEPROCESS EPROCESSKILL = NULL;
    /* Resolve the protected PID.  The status is not checked, so on failure
       EPROCESSPROTECT simply stays NULL. */
    PsLookupProcessByProcessId((ULONG)pid,&EPROCESSPROTECT);
    /* Resolve the caller's handle.  ObjectType is NULL, so a handle to any
       object type is accepted; a NULL ProcessHandle (allowed by OPTIONAL)
       presumably fails here and is then just forwarded. */
    if (ObReferenceObjectByHandle(ProcessHandle,GENERIC_READ,NULL,KernelMode,&EPROCESSKILL,0) == STATUS_SUCCESS)
    {
        if (EPROCESSPROTECT== EPROCESSKILL)
        {
            /* The trace is printed only for a foreign caller, but access is
               denied either way: as written, the protected process is also
               refused when it terminates itself through its own handle —
               TODO confirm that is intended. */
            if (EPROCESSPROTECT != PsGetCurrentProcess())
                KdPrint(("[-]进程保护,外部程序试图关闭保护进程\n"));
            nStatus = STATUS_ACCESS_DENIED;
        }else{
            /* Target is some other process.  (The trace text below speaks of
               a "self exit request", which does not match this branch.) */
            KdPrint(("[-]进程保护,程序自身退出请求!\n"));
        }
    }
    if (nStatus != STATUS_SUCCESS)
        return nStatus;
    else
        return OldZwTerminateProcess(ProcessHandle,ExitStatus);
}
/*
 * DriverEntry - driver initialisation.
 *
 * Registers OnUnload and the dispatch routines, creates the device, builds
 * an MDL over the service table and maps it, then runs HOOK_SYSCALL for the
 * two Zw* routines.
 *
 * NOTE(review):
 *  - the three `DriverObject->MajorFunction = ...` lines assign to an array
 *    and cannot compile as shown; the index (e.g. [IRP_MJ_CREATE]) was
 *    presumably lost when the post was formatted — confirm against the
 *    original source;
 *  - CreateDevice's return status is ignored, so initialisation continues
 *    even when no device exists;
 *  - MmCreateMdl is documented as obsolete, and MDL_MAPPED_TO_SYSTEM_VA is
 *    set by hand instead of by the memory manager;
 *  - the size passed to MmCreateMdl hard-codes 4-byte table entries;
 *  - deviceObject and theRegistryPath are unused.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    PDEVICE_OBJECT deviceObject = NULL;
    DriverObject->DriverUnload = OnUnload;
    //DriverObject->DriverUnload = Unload;
    DriverObject->MajorFunction = MyDispatch;
    DriverObject->MajorFunction = MyDispatch;
    DriverObject->MajorFunction = MyIOCTL;
    CreateDevice(DriverObject);
    /* Describe the service table with an MDL so it can be mapped below. */
    m_MDL = MmCreateMdl(NULL,KeServiceDescriptorTable.ServiceTableBase,KeServiceDescriptorTable.NumberOfServices*4);
    if(!m_MDL)
    {
        return STATUS_UNSUCCESSFUL;
    }
    MmBuildMdlForNonPagedPool(m_MDL);
    m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
    m_Mapped = MmMapLockedPages(m_MDL, KernelMode);
    HOOK_SYSCALL(ZwOpenProcess,NewZwOpenProcess,OldZwOpenProcess);
    HOOK_SYSCALL(ZwTerminateProcess,NewZwTerminateProcess,OldZwTerminateProcess);
    return STATUS_SUCCESS;
}
VB的,不过有点问题
好像卸载驱动有点问题
需要重启,才能重新加载
' Wrapper object used to install, start, open and talk to the kernel driver;
' the cls_Driver class itself is not shown in this post.
Dim c_drv As New cls_Driver
' Send the PID typed into Text1 to the driver as a 4-byte input buffer
' (control code &H800 = IOCTL_TEST1); no output buffer is requested.
Private Sub Command1_Click()
    Dim targetPid As Long
    targetPid = Val(Text1.Text)
    c_drv.IoControl c_drv.CTL_CODE_GEN(&H800), VarPtr(targetPid), 4, 0, 0
End Sub
' Ask the driver for 4 bytes of output (control code &H801 = IOCTL_TEST2)
' and display the resulting Long in Text2.
Private Sub Command2_Click()
    Dim reply As Long
    c_drv.IoControl c_drv.CTL_CODE_GEN(&H801), 0, 0, VarPtr(reply), 4
    Text2.Text = reply
End Sub
' Install, start and open the driver found as ok100fen.sys next to the
' executable; the link/service/display names all use "ok100fen".
Private Sub Form_Load()
    Dim sysPath As String
    sysPath = App.Path & "\ok100fen.sys"

    c_drv.szDrvFilePath = sysPath
    c_drv.szDrvLinkName = "ok100fen"
    c_drv.szDrvSvcName = "ok100fen"
    c_drv.szDrvDisplayName = "ok100fen"

    c_drv.InstDrv
    c_drv.StartDrv
    c_drv.OpenDrv
End Sub
' Stop and delete the driver service when the form closes.  The handle
' obtained by OpenDrv in Form_Load is not explicitly closed here — confirm
' whether cls_Driver does that inside StopDrv.
Private Sub Form_Unload(Cancel As Integer)
    c_drv.StopDrv
    c_drv.DelDrv
End Sub
本帖最后由 ok100fen 于 2010-8-16 23:01 编辑
尽管代码东拼西凑
但是基本上明白了其中的道理
俺也很高兴~~
呃.....拦截了ZwOpenProcess与ZwTerminateProcess呀.....
普通的结束法就确实无效了.
支持一下!