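/*
 * Rights a caller may keep on a handle to the protected process or to one of
 * its threads.
 *
 * The terminate right is bit 0x1 for both object types (PROCESS_TERMINATE and
 * THREAD_TERMINATE), so a single mask test covers process and thread handles.
 * Only that bit is cleared; the caller's other rights (SYNCHRONIZE, query, ...)
 * stay intact, which is enough to make TerminateProcess/TerminateThread fail
 * with access denied while leaving ordinary tooling working.  This replaces
 * the exact-value comparisons against PROCESS_TERMINATE_0 / PROCESS_TERMINATE_1 /
 * PROCESS_KILL_F (0x0001, 0x1001 and 0x1401 per the original comment), which
 * let through any other access mask that also contained the terminate bit.
 *
 * The PROCESS_TERMINATE_2 case keeps the behaviour of the original code
 * (DesiredAccess replaced by STANDARD_RIGHTS_ALL); the meaning of that
 * constant is not visible in this file — TODO confirm it is still wanted.
 *
 * @param originalDesired  Access mask the caller asked for (read-only copy).
 * @param desired          Access mask currently about to be granted.
 * @return The access mask that should actually be granted.
 */
static ACCESS_MASK FilterProtectedAccess(ACCESS_MASK originalDesired, ACCESS_MASK desired)
{
    if (originalDesired == PROCESS_TERMINATE_2) {
        return STANDARD_RIGHTS_ALL;
    }
    if (originalDesired & PROCESS_TERMINATE) {
        return desired & ~(ACCESS_MASK)PROCESS_TERMINATE;
    }
    return desired;
}

/**
 * Pre-operation callback invoked by the Object Manager before a process or
 * thread handle is created or duplicated.
 *
 * When the target object belongs to the protected process (image name equal
 * to PROTECT_NAME, compared case-insensitively) the terminate right is removed
 * from the requested access mask.  Both OB_OPERATION_HANDLE_CREATE and
 * OB_OPERATION_HANDLE_DUPLICATE are filtered; previously the duplicate case
 * was a no-op, so a terminate-capable handle could be obtained by duplicating
 * an existing one even though the operation was registered for.
 *
 * Kernel handles and handles the protected process opens to itself (or to
 * its own threads) are never filtered.
 *
 * @param RegistrationContext   Unused; NULL is passed at registration.
 * @param OperationInformation  Describes the pending handle operation.  The
 *                              DesiredAccess field of the parameter block that
 *                              matches Operation may be reduced in place.
 * @return Always OB_PREOP_SUCCESS; the callback never fails the operation,
 *         it only narrows the rights that will be granted.
 */
OB_PREOP_CALLBACK_STATUS PreProcessHandle(
    _In_ PVOID RegistrationContext,
    _Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    PEPROCESS eProcess;
    PUCHAR pProcessName;
    PACCESS_MASK pDesiredAccess;
    ACCESS_MASK originalDesiredAccess;
    ACCESS_MASK filteredAccess;

    UNREFERENCED_PARAMETER(RegistrationContext);

    // ObRegisterCallbacks doesn't allow changing access of kernel handles.
    if (OperationInformation->KernelHandle) {
        return OB_PREOP_SUCCESS;
    }

    // Resolve the owning process for both object types we registered for.
    if (OperationInformation->ObjectType == *PsProcessType) {
        eProcess = OperationInformation->Object;
    } else if (OperationInformation->ObjectType == *PsThreadType) {
        eProcess = IoThreadToProcess(OperationInformation->Object);
    } else {
        return OB_PREOP_SUCCESS; // Not a type we registered for; shouldn't happen.
    }

    // Allow the process to open itself (and its own threads).
    if (eProcess == IoGetCurrentProcess()) {
        return OB_PREOP_SUCCESS;
    }

    // Image file name of the target process.  PsGetProcessImageFileName yields
    // only the first 15 characters of the image name, so PROTECT_NAME must fit
    // in that length for the comparison to ever match.
    pProcessName = PsGetProcessImageFileName(eProcess);
    if (NULL == pProcessName || 0 != _stricmp((char*)pProcessName, PROTECT_NAME)) {
        return OB_PREOP_SUCCESS;
    }

    // Locate the access-mask pair that belongs to this operation type.
    switch (OperationInformation->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        pDesiredAccess = &OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
        originalDesiredAccess = OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        // A duplicated handle carries rights just like a freshly opened one,
        // so it is filtered by the same rule.
        pDesiredAccess = &OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
        originalDesiredAccess = OperationInformation->Parameters->DuplicateHandleInformation.OriginalDesiredAccess;
        break;
    default:
        return OB_PREOP_SUCCESS;
    }

    KdPrint(("qsirR0: Operation=%X OriginalDesiredAccess = %X\n",
             OperationInformation->Operation, originalDesiredAccess));

    filteredAccess = FilterProtectedAccess(originalDesiredAccess, *pDesiredAccess);
    if (filteredAccess != *pDesiredAccess) {
        // Only a reduction is possible here; the Object Manager ignores any
        // attempt to add rights that were not in OriginalDesiredAccess.
        *pDesiredAccess = filteredAccess;
        KdPrint(("qsirR0: 拒绝操作 OriginalDesiredAccess = %X\n", originalDesiredAccess));
    }

    return OB_PREOP_SUCCESS;
}

/**
 * Registers PreProcessHandle for handle create/duplicate operations on
 * process and thread objects so that access rights to the protected process
 * can be filtered.
 *
 * ObRegisterCallbacks fails with STATUS_ACCESS_DENIED unless the driver image
 * is linked with /INTEGRITYCHECK; check the build settings if registration
 * fails on an otherwise healthy system.
 *
 * @return Status returned by ObRegisterCallbacks.  On failure
 *         ObCallbackInstance.RegistrationHandle is left NULL so that
 *         UnRegisterProtectorCallbacks becomes a safe no-op.
 */
NTSTATUS RegisterProtectorCallbacks(VOID)
{
    NTSTATUS status;
    OB_CALLBACK_REGISTRATION callbackRegistration = { 0 };
    OB_OPERATION_REGISTRATION operationRegistration[2] = { 0 };

    // Object type and operations to watch for process objects; the pre-operation
    // callback runs before the handle is created, no post-operation callback.
    operationRegistration[0].ObjectType = PsProcessType;
    operationRegistration[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    operationRegistration[0].PreOperation = PreProcessHandle;
    operationRegistration[0].PostOperation = NULL;

    // Same filtering for thread objects, so a thread handle cannot be used to
    // bypass the process-level check.
    operationRegistration[1].ObjectType = PsThreadType;
    operationRegistration[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    operationRegistration[1].PreOperation = PreProcessHandle;
    operationRegistration[1].PostOperation = NULL;

    // Version must be OB_FLT_REGISTRATION_VERSION.
    callbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
    // Caller-defined context passed to the callbacks; unused here.
    callbackRegistration.RegistrationContext = NULL;
    // Number of entries in operationRegistration.
    callbackRegistration.OperationRegistrationCount = ARRAYSIZE(operationRegistration);
    // Array describing the callbacks to install.
    callbackRegistration.OperationRegistration = operationRegistration;
    // Altitude controls the order among object callbacks.
    RtlInitUnicodeString(&callbackRegistration.Altitude, L"40100.7");

    // Keep the handle NULL until registration succeeds so that a failed
    // registration can never be passed to ObUnRegisterCallbacks.
    ObCallbackInstance.RegistrationHandle = NULL;
    status = ObRegisterCallbacks(&callbackRegistration, &ObCallbackInstance.RegistrationHandle);
    if (!NT_SUCCESS(status)) {
        ObCallbackInstance.RegistrationHandle = NULL;
        DbgPrint("ObRegisterCallbacks注册失败\n");
    } else {
        DbgPrint("ObRegisterCallbacks注册成功\n");
    }

    return status;
}

/// <summary>
/// Stops process and thread access rights filtering.
/// Safe to call when registration never succeeded or was already undone:
/// the handle is NULL in that case and ObUnRegisterCallbacks is skipped,
/// which avoids passing an invalid handle to it during driver unload.
/// </summary>
VOID UnRegisterProtectorCallbacks(VOID)
{
    if (ObCallbackInstance.RegistrationHandle == NULL) {
        return;
    }

    // ObUnRegisterCallbacks waits for in-flight callbacks to finish, so no
    // further synchronization is needed here.
    ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle);
    ObCallbackInstance.RegistrationHandle = NULL;
    DbgPrint("ObRegisterCallbacks注销成功\n");
}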