驱动开发-ObRegisterCallbacks-剥离句柄权限

参考链接

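/**
 * Pre-operation callback invoked by the Object Manager before a process or
 * thread handle is created or duplicated (registered for PsProcessType and
 * PsThreadType by RegisterProtectorCallbacks).
 *
 * When the handle targets the protected process (image name PROTECT_NAME),
 * the terminate right is stripped from the requested access so the resulting
 * handle cannot be used to kill it. All other requested rights are left as is.
 *
 * Behavior change versus the earlier version of this routine: the terminate
 * bit is tested with a mask instead of comparing the whole access mask against
 * a few known values (0x1001 / 0x0001 / 0x1401), so a request that combines
 * terminate with other rights is also covered; duplicate operations are now
 * filtered too; the branch that raised DesiredAccess to STANDARD_RIGHTS_ALL
 * is dropped, since granting more access has no protective effect.
 *
 * @param RegistrationContext  Unused; the value passed at registration.
 * @param OperationInformation Describes the pending handle operation. The
 *                             DesiredAccess field of the matching Parameters
 *                             member may be modified in place.
 * @return Always OB_PREOP_SUCCESS; this callback never fails the operation,
 *         it only reduces the access that will be granted.
 */
OB_PREOP_CALLBACK_STATUS PreProcessHandle(
	_In_ PVOID RegistrationContext,
	_Inout_ POB_PRE_OPERATION_INFORMATION OperationInformation)
{
	UNREFERENCED_PARAMETER(RegistrationContext);

	// ObRegisterCallbacks does not allow changing the access of kernel handles.
	if (OperationInformation->KernelHandle)
		return OB_PREOP_SUCCESS;

	// Resolve the target process; a thread handle maps to its owning process.
	PEPROCESS eProcess;
	if (OperationInformation->ObjectType == *PsProcessType)
		eProcess = OperationInformation->Object;
	else if (OperationInformation->ObjectType == *PsThreadType)
		eProcess = IoThreadToProcess(OperationInformation->Object);
	else
		return OB_PREOP_SUCCESS; // Only the two registered object types are expected.

	// A process may always open itself.
	if (eProcess == IoGetCurrentProcess())
		return OB_PREOP_SUCCESS;

	// Match on the image file name. NOTE(review): PsGetProcessImageFileName
	// returns the short EPROCESS image name (at most 15 characters), which is
	// not unique per process - every process with that name is treated as
	// protected. Confirm this matching rule is acceptable for the deployment.
	PUCHAR pProcessName = PsGetProcessImageFileName(eProcess);
	if (pProcessName == NULL || _stricmp((char*)pProcessName, PROTECT_NAME) != 0)
		return OB_PREOP_SUCCESS;

	// Strip the terminate right from whichever access mask belongs to this
	// operation. PROCESS_TERMINATE and THREAD_TERMINATE both have the value
	// 0x0001 in the Windows headers, so one mask serves both object types.
	switch (OperationInformation->Operation)
	{
	case OB_OPERATION_HANDLE_CREATE:
	{
		ACCESS_MASK original = OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess;
		KdPrint(("qsirR0: Operation=%X OriginalDesiredAccess = %X\n",OperationInformation->Operation,original));
		if (original & PROCESS_TERMINATE)
		{
			OperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
			KdPrint(("qsirR0: 拒绝操作 OriginalDesiredAccess = %X\n",original));
		}
		break;
	}

	case OB_OPERATION_HANDLE_DUPLICATE:
	{
		// A duplicated handle carries its own requested access; filtering it
		// here keeps the protection consistent with the create path.
		ACCESS_MASK original = OperationInformation->Parameters->DuplicateHandleInformation.OriginalDesiredAccess;
		if (original & PROCESS_TERMINATE)
		{
			OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
		}
		break;
	}

	default:
		break;
	}

	return OB_PREOP_SUCCESS;
}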

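/**
 * Registers PreProcessHandle as the pre-operation callback for handle create
 * and duplicate operations on process and thread objects, so access rights on
 * those handles can be filtered.
 *
 * The registration handle is stored in ObCallbackInstance.RegistrationHandle
 * for UnRegisterProtectorCallbacks to release. When registration fails the
 * handle is reset to NULL so that the unregister path never passes a value
 * that was not obtained from a successful ObRegisterCallbacks call.
 *
 * @return The NTSTATUS returned by ObRegisterCallbacks.
 */
NTSTATUS RegisterProtectorCallbacks(void)
{
	// One entry per object type; both use the same pre-operation callback and
	// no post-operation callback.
	OB_OPERATION_REGISTRATION operationRegistration[2] = {
		{
			.ObjectType = PsProcessType,
			.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE,
			.PreOperation = PreProcessHandle,
			.PostOperation = NULL,
		},
		{
			.ObjectType = PsThreadType,
			.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE,
			.PreOperation = PreProcessHandle,
			.PostOperation = NULL,
		},
	};

	// Version must be OB_FLT_REGISTRATION_VERSION; the context pointer is not
	// used by PreProcessHandle and may be NULL.
	OB_CALLBACK_REGISTRATION callbackRegistration = {
		.Version = OB_FLT_REGISTRATION_VERSION,
		.OperationRegistrationCount = ARRAYSIZE(operationRegistration),
		.RegistrationContext = NULL,
		.OperationRegistration = operationRegistration,
	};

	// Altitude orders this callback relative to other registered callbacks.
	RtlInitUnicodeString(&callbackRegistration.Altitude, L"40100.7");

	NTSTATUS status = ObRegisterCallbacks(&callbackRegistration, &ObCallbackInstance.RegistrationHandle);

	if (!NT_SUCCESS(status)) {
		// Do not leave a stale or indeterminate handle behind on failure.
		ObCallbackInstance.RegistrationHandle = NULL;
		DbgPrint("ObRegisterCallbacks注册失败\n");
	}
	else {
		DbgPrint("ObRegisterCallbacks注册成功\n");
	}

	return status;
}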

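/// <summary>
/// Stops process and thread access rights filtering by releasing the
/// registration made in RegisterProtectorCallbacks.
///
/// Safe to call when registration failed or never happened: a NULL handle is
/// skipped, and the handle is cleared after unregistering so a repeated call
/// is a no-op. This relies on ObCallbackInstance.RegistrationHandle being
/// NULL whenever no registration is outstanding (zero-initialized storage or
/// reset on failure) - verify against the definition of ObCallbackInstance.
/// </summary>
VOID UnRegisterProtectorCallbacks(void)
{
	if (ObCallbackInstance.RegistrationHandle == NULL)
		return;

	ObUnRegisterCallbacks(ObCallbackInstance.RegistrationHandle);
	ObCallbackInstance.RegistrationHandle = NULL;
	DbgPrint("ObRegisterCallbacks注销成功\n");

	// If ObUnRegisterCallbacks waits for in-flight callbacks to finish,
	// no additional locking is needed here (the original push-lock code
	// was left disabled for that reason).
}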
