谁有这样的代码？保护进程的

ok100fen

就是一部分是VB的
一部分是驱动的
在VB里输入要保护进程的pid
通过调用驱动，也就是sys
就能保护这个进程
我想知道驱动的代码
谢谢大家

ok100fen

1. #include "ntddk.h"
   
2. 
   
3. 
   
4. ULONG pid;
   
5. 
   
6. #define IOCTL_TEST2 CTL_CODE(\
   
7. FILE_DEVICE_UNKNOWN, \
   
8. 0x801, \
   
9. METHOD_BUFFERED, \
   
10. FILE_ANY_ACCESS)
    
11. 
    
12. #define IOCTL_TEST1 CTL_CODE(\
    
13. FILE_DEVICE_UNKNOWN, \
    
14. 0x800, \
    
15. METHOD_BUFFERED, \
    
16. FILE_ANY_ACCESS)
    
17. 
    
18. VOID Unload(IN PDRIVER_OBJECT DriverObject)
    
19. {
    
20. 
    
21. }
    
22. 
    
23. NTSTATUS MyDispatch(IN PDEVICE_OBJECT device,IN PIRP irp)
    
24. {
    
25. PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(irp);
    
26. 
    
27. irp->IoStatus.Status = STATUS_SUCCESS;
    
28. irp->IoStatus.Information = 0;
    
29. 
    
30. if (stack->MajorFunction==IRP_MJ_CREATE)
    
31. {
    
32. KdPrint(("IRP_MJ_CREATE\n"));
    
33. }
    
34. if (stack->MajorFunction==IRP_MJ_CLOSE)
    
35. {
    
36. KdPrint(("IRP_MJ_CLOSE\n"));
    
37. }
    
38. 
    
39. IoCompleteRequest( irp, IO_NO_INCREMENT );
    
40. 
    
41. return STATUS_SUCCESS;
    
42. }
    
43. NTSTATUS CreateDevice (
    
44. IN PDRIVER_OBJECT DriverObject)
    
45. {
    
46. NTSTATUS status;
    
47. PDEVICE_OBJECT pDevObj;
    
48. 
    
49. UNICODE_STRING devName;
    
50. UNICODE_STRING symLinkName;
    
51. 
    
52. RtlInitUnicodeString(&devName,L"\\Device\\ok100fen");
    
53. RtlInitUnicodeString(&symLinkName,L"\\??\\ok100fen");
    
54. 
    
55. status = IoCreateDevice( DriverObject,
    
56. 0,
    
57. &devName,
    
58. FILE_DEVICE_UNKNOWN,
    
59. 0, TRUE,
    
60. &pDevObj );
    
61. if (!NT_SUCCESS(status))
    
62. {
    
63. return status;
    
64. }
    
65. pDevObj->Flags |= DO_BUFFERED_IO;
    
66. 
    
67. status = IoCreateSymbolicLink( &symLinkName,&devName );
    
68. if (!NT_SUCCESS(status))
    
69. {
    
70. IoDeleteDevice( pDevObj );
    
71. return status;
    
72. }
    
73. return STATUS_SUCCESS;
    
74. }
    
75. 
    
76. NTSTATUS MyIOCTL(IN PDEVICE_OBJECT pDevObj,
    
77. IN PIRP pIrp)
    
78. {
    
79. NTSTATUS status = STATUS_SUCCESS;
    
80. UCHAR* OutputBuffer=NULL;
    
81. ULONG info = 0;
    
82. 
    
83. PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
    
84. ULONG cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
    
85. ULONG cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
    
86. ULONG code = stack->Parameters.DeviceIoControl.IoControlCode;
    
87. pid=*(PULONG)pIrp->AssociatedIrp.SystemBuffer;
    
88. switch (code)
    
89. { // process request
    
90. case IOCTL_TEST2:
    
91. {
    
92. KdPrint(("IOCTL_TEST1\n"));
    
93. OutputBuffer = (UCHAR*)pIrp->AssociatedIrp.SystemBuffer;
    
94. memset(OutputBuffer,0x8,cbout);
    
95. info = cbout;
    
96. break;
    
97. }
    
98. 
    
99. 
    
100. case IOCTL_TEST1:
     
101. {
     
102. DbgPrint(("IOCTL_TEST1\n"));
     
103. DbgPrint("输入缓冲数据内容:%u 输入缓冲数据长度:%u",pid,cbin);
     
104. break;
     
105. }
     
106. default:
     
107. status = STATUS_INVALID_VARIANT;
     
108. }
     
109. 
     
110. pIrp->IoStatus.Status = status;
     
111. pIrp->IoStatus.Information = info; // bytes xfered
     
112. IoCompleteRequest( pIrp, IO_NO_INCREMENT );
     
113. 
     
114. return status;
     
115. }
     
116. 
     
117. 
     
118. 
     
119. 
     
120. #pragma pack(1)
     
121. typedef struct ServiceDescriptorEntry {
     
122. unsigned int *ServiceTableBase;
     
123. unsigned int *ServiceCounterTableBase; //Used only in checked build
     
124. unsigned int NumberOfServices;
     
125. unsigned char *ParamTableBase;
     
126. } ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
     
127. #pragma pack()
     
128. 
     
129. 
     
130. __declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
     
131. #define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
     
132. #define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
     
133. #define HOOK_SYSCALL(_Function, _Hook, _Orig ) _Orig = (PVOID) InterlockedExchange( (PLONG) &m_Mapped[SYSCALL_INDEX(_Function)], (LONG) _Hook)
     
134. PMDL m_MDL;
     
135. PVOID *m_Mapped;
     
136. 
     
137. 
     
138. NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
     
139. NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
     
140. 
     
141. typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
     
142. typedef NTSTATUS (*ZWTERMINATEPROCESS)(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
     
143. 
     
144. NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
     
145. NTSTATUS NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
     
146. 
     
147. NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId, OUT PEPROCESS *pEProcess);
     
148. 
     
149. ZWOPENPROCESS OldZwOpenProcess = NULL;
     
150. ZWTERMINATEPROCESS OldZwTerminateProcess = NULL;
     
151. 
     
152. VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
     
153. {
     
154. PVOID Oldfun = NULL;
     
155. 
     
156. UNICODE_STRING symLinkName;
     
157. RtlInitUnicodeString(&symLinkName,L"\\??\\ok100fen");
     
158. IoDeleteSymbolicLink(&symLinkName);
     
159. IoDeleteDevice(DriverObject->DeviceObject);
     
160. KdPrint(("Device Delete Success\n"));
     
161. 
     
162. HOOK_SYSCALL(ZwOpenProcess,OldZwOpenProcess,Oldfun);
     
163. HOOK_SYSCALL(ZwTerminateProcess,OldZwTerminateProcess,Oldfun);
     
164. 
     
165. if(m_MDL){
     
166. MmUnmapLockedPages(m_Mapped,m_MDL);
     
167. IoFreeMdl(m_MDL);
     
168. }
     
169. 
     
170. KdPrint(("驱动卸载完毕.\n"));
     
171. }
     
172. 
     
173. NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL)
     
174. {
     
175. if((long)ClientId->UniqueProcess == pid)
     
176. {
     
177. KdPrint(("保护进程,打开操作 PID:%ld\n",pid));
     
178. return STATUS_ACCESS_DENIED;
     
179. }
     
180. return OldZwOpenProcess(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
     
181. }
     
182. 
     
183. NTSTATUS NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus)
     
184. {
     
185. NTSTATUS nStatus = STATUS_SUCCESS;
     
186. PEPROCESS EPROCESSPROTECT = NULL;
     
187. PEPROCESS EPROCESSKILL = NULL;
     
188. 
     
189. PsLookupProcessByProcessId((ULONG)pid,&EPROCESSPROTECT);
     
190. 
     
191. 
     
192. if (ObReferenceObjectByHandle(ProcessHandle,GENERIC_READ,NULL,KernelMode,&EPROCESSKILL,0) == STATUS_SUCCESS)
     
193. {
     
194. if (EPROCESSPROTECT== EPROCESSKILL)
     
195. {
     
196. if (EPROCESSPROTECT != PsGetCurrentProcess())
     
197. KdPrint(("[-]进程保护,外部程序试图关闭保护进程\n"));
     
198. nStatus = STATUS_ACCESS_DENIED;
     
199. }else{
     
200. 
     
201. KdPrint(("[-]进程保护,程序自身退出请求!\n"));
     
202. }
     
203. 
     
204. }
     
205. }
     
206. 
     
207. if (nStatus != STATUS_SUCCESS)
     
208. return nStatus;
     
209. else
     
210. return OldZwTerminateProcess(ProcessHandle,ExitStatus);
     
211. }
     
212. 
     
213. NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING theRegistryPath)
     
214. {
     
215. NTSTATUS ntStatus = STATUS_SUCCESS;
     
216. PDEVICE_OBJECT deviceObject = NULL;
     
217. 
     
218. DriverObject->DriverUnload = OnUnload;
     
219. //DriverObject->DriverUnload = Unload;
     
220. 
     
221. DriverObject->MajorFunction[IRP_MJ_CREATE] = MyDispatch;
     
222. DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyDispatch;
     
223. DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyIOCTL;
     
224. 
     
225. CreateDevice(DriverObject);
     
226. 
     
227. 
     
228. m_MDL = MmCreateMdl(NULL,KeServiceDescriptorTable.ServiceTableBase,KeServiceDescriptorTable.NumberOfServices*4);
     
229. if(!m_MDL)
     
230. {
     
231. return STATUS_UNSUCCESSFUL;
     
232. }
     
233. 
     
234. 
     
235. MmBuildMdlForNonPagedPool(m_MDL);
     
236. 
     
237. m_MDL->MdlFlags = m_MDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
     
238. 
     
239. 
     
240. m_Mapped = MmMapLockedPages(m_MDL, KernelMode);
     
241. 
     
242. HOOK_SYSCALL(ZwOpenProcess,NewZwOpenProcess,OldZwOpenProcess);
     
243. HOOK_SYSCALL(ZwTerminateProcess,NewZwTerminateProcess,OldZwTerminateProcess);
     
244. 
     
245. return STATUS_SUCCESS;
     
246. }
     

复制代码

ok100fen

VB的，不过有点问题
好像卸载驱动有点问题
需要重启，才能重新加载


Dim c_drv As New cls_Driver

Private Sub Command1_Click()
    Dim Canshu As Long
    Canshu = Val(Text1.Text)
   
    With c_drv

     .IoControl .CTL_CODE_GEN(&H800), VarPtr(Canshu), 4, 0, 0

    End With

End Sub

Private Sub Command2_Click()
Dim Canshu As Long
   
   
    With c_drv

     .IoControl .CTL_CODE_GEN(&H801), 0, 0, VarPtr(Canshu), 4

    End With
    Text2.Text = Canshu
End Sub

Private Sub Form_Load()
    With c_drv
        .szDrvFilePath = App.Path & "\ok100fen.sys"
        .szDrvLinkName = "ok100fen"
        .szDrvSvcName = "ok100fen"
        .szDrvDisplayName = "ok100fen"
        .InstDrv
        .StartDrv
        .OpenDrv
    End With
End Sub

Private Sub Form_Unload(Cancel As Integer)
    With c_drv
        .StopDrv
        .DelDrv
    End With
End Sub

ok100fen

尽管代码东拼西凑
但是基本上明白了其中的代理
俺也很高兴~~

马大哈

呃.....拦截了ZwOpenProcess与ZwTerminateProcess呀.....

普通的结束法就确实无效了.

支持一下!