PLIST_ENTRY
GetProcCallList()
{
NTSTATUS status;
OB_CALLBACK_REGISTRATION obReg;
OB_OPERATION_REGISTRATION opReg;
PCALLBACK_NODE obHandle;
memset(&obReg, 0, sizeof(obReg));
obReg.Version = ObGetFilterVersion();
obReg.OperationRegistrationCount = 1;
obReg.RegistrationContext = NULL;
RtlInitUnicodeString(&obReg.Altitude, L"CallBack");
memset(&opReg, 0, sizeof(opReg));//Init Struct
opReg.ObjectType = PsProcessType;
opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCall;
//opReg.PostOperation=(POB_POST_OPERATION_CALLBACK)&PostCall;
obReg.OperationRegistration = &opReg;
status = ObRegisterCallbacks(&obReg, &obHandle);
if(NT_SUCCESS(status)){
PLIST_ENTRY self = &(obHandle->Entries[0].CallbackList);
ObUnRegisterCallbacks((PVOID)obHandle);
return self->Blink;
}
else {
DbgPrint("RegisterCallback failed! errcode:%x", status);
}
return NULL;
}
/// <summary>
/// Starts filtering process and thread access rights.
/// </summary>
NTSTATUS HsRegisterProtector()
{
NTSTATUS status;
OB_CALLBACK_REGISTRATION callbackRegistration;
OB_OPERATION_REGISTRATION operationRegistration[2];
operationRegistration[0].ObjectType = PsProcessType;
operationRegistration[0].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
operationRegistration[0].PreOperation = HspObPreCallback;
operationRegistration[0].PostOperation = NULL;
operationRegistration[1].ObjectType = PsThreadType;
operationRegistration[1].Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
operationRegistration[1].PreOperation = HspObPreCallback;
operationRegistration[1].PostOperation = NULL;
callbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
callbackRegistration.RegistrationContext = NULL;
callbackRegistration.OperationRegistrationCount = ARRAYSIZE(operationRegistration);
callbackRegistration.OperationRegistration = operationRegistration;
RtlInitUnicodeString(&callbackRegistration.Altitude, L"40100.7");
FltInitializePushLock(&ObCallbackInstance.ProtectedProcessLock);
RtlInitializeGenericTableAvl(
&ObCallbackInstance.ProtectedProcesses,
HspCompareProtectedProcess,
HsAvlAllocate,
HsAvlFree,
NULL);
status = ObRegisterCallbacks(&callbackRegistration, &ObCallbackInstance.RegistrationHandle);
if (!NT_SUCCESS(status))
FltDeletePushLock(&ObCallbackInstance.ProtectedProcessLock);
return status;
}
/**
* 装载过滤处理模块
*/
bool loadFilter()
{
NTSTATUS status;
UNICODE_STRING ustrAltitude;
RtlInitUnicodeString(&ustrAltitude, L"326666");
OB_OPERATION_REGISTRATION oor = {PsProcessType, OB_OPERATION_HANDLE_CREATE, ObjectPreCallbackFilter, NULL};
OB_CALLBACK_REGISTRATION ocr = {OB_FLT_REGISTRATION_VERSION, 1, ustrAltitude, NULL, &oor };
status = ObRegisterCallbacks(&ocr, &g_registerHandle);
if (!NT_SUCCESS(status))
{
switch(status)
{
case STATUS_FLT_INSTANCE_ALTITUDE_COLLISION :
WriteSysLog(LOG_TYPE_DEBUG,L" altitude is already exist!\n");
break;
case STATUS_INVALID_PARAMETER:
WriteSysLog(LOG_TYPE_DEBUG,L" parameter is error!\n");
break;
}
return false;
}
kdP(("obRegisterCallbacks is sucessful!\n"));
return true;
}
NTSTATUS
DriverEntry (
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS status = STATUS_UNSUCCESSFUL;
OB_OPERATION_REGISTRATION ObOperations[] = {
{PsProcessType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreProcess, ObCallbackPostProcess},
{PsThreadType, OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE, ObCallbackPreThread, ObCallbackPostThread}
};
OB_CALLBACK_REGISTRATION ObRegistration = {
OB_FLT_REGISTRATION_VERSION,
sizeof(ObOperations) / sizeof(OB_OPERATION_REGISTRATION),
{sizeof(L"320400") - sizeof(WCHAR), sizeof(L"320400"), L"320400"},
&Globals,
ObOperations
};
PVOID RegistrationHandle = NULL;
UNREFERENCED_PARAMETER( RegistryPath );
RtlZeroMemory( &Globals, sizeof(Globals) );
Globals.m_FilterDriverObject = DriverObject;
status = ObRegisterCallbacks( &ObRegistration, &RegistrationHandle );
if (NT_SUCCESS( status ))
{
status = PsSetCreateProcessNotifyRoutineEx( cbCreateNotifyEx, FALSE );
if (NT_SUCCESS( status ))
Globals.m_RegistrationHandle = RegistrationHandle;
else
{
ObUnRegisterCallbacks( RegistrationHandle );
DbgBreakPoint();
}
}
else
{
DbgBreakPoint();
}
return status;
}
NTSTATUS RegisterHandlesOperationsNotifier(IN PHANDLES_NOTIFY_STRUCT HandlesNotifyStruct, OUT PVOID *RegistrationHandle) {
// Определяем тип операции и задаём сами каллбэки:
OB_OPERATION_REGISTRATION OperationRegistration;
OperationRegistration.ObjectType = HandlesNotifyStruct->ObjectType; // PsProcessType / PsThreadType / ExDesktopObjectType
OperationRegistration.Operations = HandlesNotifyStruct->Operations; // OB_OPERATION_HANDLE_CREATE || OB_OPERATION_HANDLE_DUPLICATE
OperationRegistration.PostOperation = HandlesNotifyStruct->PostOperation;
OperationRegistration.PreOperation = HandlesNotifyStruct->PreOperation;
// Определяем "высоту" фильтра в стеке фильтров:
UNICODE_STRING Altitude;
RtlInitUnicodeString(&Altitude, L"389020"); // It's a magic!
// Заполняем структуру регистрации каллбэка:
OB_CALLBACK_REGISTRATION CallbackRegistration;
CallbackRegistration.Altitude = Altitude;
CallbackRegistration.OperationRegistration = &OperationRegistration;
CallbackRegistration.OperationRegistrationCount = 1;
CallbackRegistration.RegistrationContext = HandlesNotifyStruct->RegistrationContext; // Параметр, который будет передан в каллбэк
CallbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
// Регистрируем каллбэк:
return ObRegisterCallbacks(&CallbackRegistration, RegistrationHandle);
}
NTSTATUS TdProtectNameCallback (
_In_ PTD_PROTECTNAME_INPUT pProtectName
)
{
NTSTATUS Status = STATUS_SUCCESS;
if (!pProtectName) {
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
"ObCallbackTest: TdProtectNameCallback: name to protect/filter NULL pointer\n"
);
}
else {
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
"ObCallbackTest: TdProtectNameCallback: entering name to protect/filter %ls\n", pProtectName->Name
);
}
KeAcquireGuardedMutex (&TdCallbacksMutex);
// Need to copy out the name and then set the flag to filter
// This will allow process creation to watch for the process to be created and get the PID
// and then prevent any other process from opening up that PID to terminate
memcpy(TdwProtectName, pProtectName->Name, sizeof(TdwProtectName));
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
"ObCallbackTest: name copied %ls\n", TdwProtectName
);
// Need to enable the OB callbacks
// once the process is matched to a newly created process, the callbacks will protect the process
if (bCallbacksInstalled == FALSE) {
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
"ObCallbackTest: TdProtectNameCallback: installing callbacks\n"
);
// Setup the Ob Registration calls
CBOperationRegistrations[0].ObjectType = PsProcessType;
CBOperationRegistrations[0].Operations |= OB_OPERATION_HANDLE_CREATE;
CBOperationRegistrations[0].Operations |= OB_OPERATION_HANDLE_DUPLICATE;
CBOperationRegistrations[0].PreOperation = CBTdPreOperationCallback;
CBOperationRegistrations[0].PostOperation = CBTdPostOperationCallback;
CBOperationRegistrations[1].ObjectType = PsThreadType;
CBOperationRegistrations[1].Operations |= OB_OPERATION_HANDLE_CREATE;
CBOperationRegistrations[1].Operations |= OB_OPERATION_HANDLE_DUPLICATE;
CBOperationRegistrations[1].PreOperation = CBTdPreOperationCallback;
CBOperationRegistrations[1].PostOperation = CBTdPostOperationCallback;
RtlInitUnicodeString (&CBAltitude, L"1000");
CBObRegistration.Version = OB_FLT_REGISTRATION_VERSION;
CBObRegistration.OperationRegistrationCount = 2;
CBObRegistration.Altitude = CBAltitude;
CBObRegistration.RegistrationContext = &CBCallbackRegistration;
CBObRegistration.OperationRegistration = CBOperationRegistrations;
Status = ObRegisterCallbacks (
&CBObRegistration,
&pCBRegistrationHandle // save the registration handle to remove callbacks later
);
if (!NT_SUCCESS (Status)) {
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
"ObCallbackTest: installing OB callbacks failed status 0x%x\n", Status
);
KeReleaseGuardedMutex (&TdCallbacksMutex); // Release the lock before exit
goto Exit;
}
bCallbacksInstalled = TRUE;
}
KeReleaseGuardedMutex (&TdCallbacksMutex);
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
"ObCallbackTest: TdProtectNameCallback: name to protect/filter %ls\n", TdwProtectName
);
Exit:
DbgPrintEx (
DPFLTR_IHVDRIVER_ID, DPFLTR_TRACE_LEVEL,
"ObCallbackTest: TdProtectNameCallback: exiting status 0x%x\n", Status
);
return Status;
}
