/*******************************************************************************
*
*  Function    : DetoursNtOpenProcess
*  Purpose     : Proxy for NtOpenProcess.
*  Parameters  : Same as NtOpenProcess (ProcessHandle, AccessMask,
*                ObjectAttributes, ClientId).
*  Description : If the target named by ClientId is a protected process the
*                open is refused with STATUS_ACCESS_DENIED, regardless of the
*                requested AccessMask; otherwise the call is forwarded to the
*                saved original (g_pNtOpenProcess).
*  Returns     : STATUS_UNSUCCESSFUL if the original pointer was never captured,
*                STATUS_ACCESS_DENIED for a protected target, else the original
*                function's status.
*
*  NOTE(review): ClientId is dereferenced directly.  The real NtOpenProcess
*  probes this pointer under SEH when the caller is user mode; whether this
*  proxy runs before or after that probe is not visible here -- confirm a bad
*  user-mode ClientId cannot fault in kernel mode.  Opens that name the target
*  through ObjectAttributes instead of ClientId are not filtered by this check.
*
*******************************************************************************/
NTSTATUS  DetoursNtOpenProcess(
                               OUT PHANDLE             ProcessHandle,
                               IN ACCESS_MASK          AccessMask,
                               IN POBJECT_ATTRIBUTES   ObjectAttributes,
                               IN PCLIENT_ID           ClientId) 
{
        //dprintf("DetoursNtOpenProcess\r\n") ;
        //KdBreakPoint() ;
        // Without the captured original there is nothing to forward to.
        if (NULL == g_pNtOpenProcess)
        {
                return STATUS_UNSUCCESSFUL ;
        }

        // Only requests that identify the target by PID are examined.
        if (NULL != ClientId 
                && 0 != ClientId->UniqueProcess)
        {
                // Blanket deny: no whitelist (isPassProcess) and no access-mask
                // distinction in this variant of the hook.
                if(isProtectProcess(ClientId))
                {
                        return STATUS_ACCESS_DENIED ;
                }
        }

        return g_pNtOpenProcess(ProcessHandle,
								AccessMask,
								ObjectAttributes,
								ClientId) ; 
}
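/*
 * MyNtOpenProcess - NtOpenProcess hook (the variant with the VMProtect markers).
 *
 * The open is refused with STATUS_ACCESS_DENIED when all of the following hold:
 *   - DesiredAccess is not the exact KILLKERNEL mask,
 *   - DesiredAccess carries PROCESS_CREATE_THREAD, VMOPERATION, VMWRITE or VMREAD,
 *   - ClientId names a protected process (isProtectProcess) and the calling
 *     process is not whitelisted (isPassProcess).
 * Everything else is forwarded to the original NtOpenProcess (pOriNtOpenProcess).
 * g_HookCounter is incremented for the duration of the call.
 *
 * Fixes vs. the previous version:
 *   - ClientId is OPTIONAL (a caller may name the process via ObjectAttributes
 *     instead) but was dereferenced unconditionally; it is now NULL-checked.
 *   - The RtlAnsiStringToUnicodeString status is checked before uni.Buffer is
 *     logged and freed; on failure the UNICODE_STRING is never touched.
 *   - Single exit, so VMProtectEnd() is actually reached (it followed two
 *     unconditional returns and was dead code).
 *
 * NOTE(review): only the four access bits above are examined.  A request for
 * PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME or PROCESS_DUP_HANDLE alone does not
 * contain them and passes through; a GENERIC_* or MAXIMUM_ALLOWED mask does not
 * contain them either at this point (presumably mapped to specific rights later
 * -- verify).  KILLKERNEL is an exact-match bypass value: any caller that knows
 * it skips the filter entirely.  ClientId is read without probing; confirm a
 * bad user-mode pointer cannot fault here -- TODO confirm.
 */
NTSTATUS NTAPI MyNtOpenProcess(
							   OUT PHANDLE ProcessHandle,
							   IN ACCESS_MASK DesiredAccess,
							   IN POBJECT_ATTRIBUTES ObjectAttributes,
							   IN PCLIENT_ID ClientId OPTIONAL
							   )
{
	NTSTATUS status;
	bool bDeny = false;

	VMProtectBegin("MHVMP");
	VMProtectBeginVirtualization("MHVMP");
	InterlockedIncrement(&g_HookCounter);

	// (x & A) || (x & B) ... is the same test as x & (A | B | ...).
	if (KILLKERNEL != DesiredAccess
		&& (DesiredAccess & (PROCESS_CREATE_THREAD | VMOPERATION | VMWRITE | VMREAD))
		&& NULL != ClientId
		&& ClientId->UniqueProcess > 0)
	{
		bDeny = isProtectProcess((UINT32)ClientId->UniqueProcess) && !isPassProcess();
	}

	if (bDeny)
	{
		PEPROCESS p = PsGetCurrentProcess();
		ANSI_STRING ascallCode;
		UNICODE_STRING uni;

		// Log the denied caller once per PID (g_tmp remembers the last PID logged).
		RtlInitAnsiString(&ascallCode, (char *)p + g_processNameOffset);
		if (NT_SUCCESS(RtlAnsiStringToUnicodeString(&uni, &ascallCode, true)))
		{
			if (g_tmp != (ULONG)PsGetCurrentProcessId())
				WriteSysLog(LOG_TYPE_DEBUG, L"filter process Name: %s    PID : %d", uni.Buffer, PsGetCurrentProcessId());
			RtlFreeUnicodeString(&uni);
		}
		g_tmp = (ULONG)PsGetCurrentProcessId();

		status = STATUS_ACCESS_DENIED;
	}
	else
	{
		status = ((pNtOpenProcess) pOriNtOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
	}

	InterlockedDecrement(&g_HookCounter);
	VMProtectEnd();
	return status;
}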
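/*
 * ObjectPreCallbackFilter - ObRegisterCallbacks pre-operation callback for
 * process objects.
 *
 * When a handle to a protected process (isProtectProcess) is about to be
 * created or duplicated by a process that is not whitelisted (isPassProcess),
 * the requested access is forced to 0 so the resulting handle is useless.
 * The operation itself always proceeds (OB_PREOP_SUCCESS); a pre-op callback
 * can only trim the access, not fail the request.
 *
 * Changes vs. the previous version:
 *   - OB_OPERATION_HANDLE_DUPLICATE is filtered too.  Previously a handle
 *     already held by another process (a parent, a debugger, ...) could be
 *     duplicated with full access, bypassing the filter entirely.
 *   - Kernel-mode handle requests (OperationInformation->KernelHandle) are
 *     left alone: stripping access from kernel components' own opens breaks
 *     them and offers no protection against user-mode callers.
 *
 * NOTE(review): the cast of Object to PEPROCESS assumes this callback was
 * registered only for PsProcessType -- confirm at the ObRegisterCallbacks site.
 */
OB_PREOP_CALLBACK_STATUS  ObjectPreCallbackFilter( 
	__in PVOID  RegistrationContext,
	__in POB_PRE_OPERATION_INFORMATION  OperationInformation
	)
{
	PACCESS_MASK pDesiredAccess;

	// Only user-mode handle requests are filtered.
	if (OperationInformation->KernelHandle)
		return OB_PREOP_SUCCESS;

	switch (OperationInformation->Operation)
	{
	case OB_OPERATION_HANDLE_CREATE:
		pDesiredAccess = &OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
		break;
	case OB_OPERATION_HANDLE_DUPLICATE:
		pDesiredAccess = &OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
		break;
	default:
		return OB_PREOP_SUCCESS;
	}

	if (isProtectProcess((UINT)PsGetProcessId((PEPROCESS)OperationInformation->Object)) && !isPassProcess())
	{
		PEPROCESS p = PsGetCurrentProcess();
		kdP(("operation process is %s    PID is: %d\n", (char*)p + g_processNameOffset, (UINT32)PsGetCurrentProcessId()));
		// Zero access: the handle is granted but can do nothing with the process.
		*pDesiredAccess = 0;
	}

	return OB_PREOP_SUCCESS;
}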
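/*******************************************************************************
*
*  Function    : DetoursNtQuerySystemInformation
*  Purpose     : Proxy for NtQuerySystemInformation.
*  Parameters  : Same as NtQuerySystemInformation.
*  Description : Lets the original call complete and then, for
*                SystemProcessInformation (class 5), unlinks the entries the
*                caller must not see: every process whose UID (GetProcessUID)
*                differs from the caller's, and every protected process
*                (isProtectProcess).  The first entry is never examined, as in
*                the previous version.
*  Returns     : The status of the original call.
*
*  Fixes vs. the previous version:
*    - SystemInformation is a caller-supplied buffer, normally in user mode.
*      Another user-mode thread can rewrite it between the original call
*      returning and this walk, so NextEntryOffset and ImageName.Buffer are
*      untrusted.  Previously they were followed blindly, which let a user-mode
*      caller steer a kernel-mode read (the walk) and a kernel-mode write
*      (RtlFillMemory on ImageName.Buffer) outside the buffer.  Every entry and
*      every name buffer is now verified to lie inside
*      [SystemInformation, SystemInformation + SystemInformationLength) first.
*    - The walk now runs under __except; the old __try/__finally with an empty
*      __finally handled nothing, so a fault in the buffer would have bugchecked.
*    - Pointer arithmetic through (DWORD) truncated addresses on 64-bit; it is
*      done in ULONG_PTR now.
*    - The leftover KdBreakPoint() and the magic size 200 are gone
*      (sizeof(SYSTEM_PROCESS_INFORMATION) is the real minimum).
*
*******************************************************************************/
NTSTATUS DetoursNtQuerySystemInformation (
                                 IN ULONG SystemInformationClass,
                                 OUT PVOID SystemInformation,
                                 IN ULONG SystemInformationLength,
                                 OUT PULONG ReturnLength OPTIONAL
                                 )
{
        NTSTATUS ntStatus = STATUS_UNSUCCESSFUL ;

        // Without the captured original there is nothing to forward to.
        if (NULL == g_pNtQuerySystemInformation)
        {
                return ntStatus ;
        }

        // The original fills the buffer; we only post-process its result.
        ntStatus = g_pNtQuerySystemInformation(SystemInformationClass,
                                               SystemInformation,
                                               SystemInformationLength,
                                               ReturnLength) ;
        if (!NT_SUCCESS(ntStatus))
        {
                return ntStatus ;
        }

        // Only SystemProcessInformation with room for at least one entry is filtered.
        if (5 != SystemInformationClass
                || NULL == SystemInformation
                || SystemInformationLength < sizeof(SYSTEM_PROCESS_INFORMATION))
        {
                return ntStatus ;
        }

        __try
        {
                const ULONG_PTR bufStart = (ULONG_PTR)SystemInformation ;
                const ULONG_PTR bufEnd   = bufStart + SystemInformationLength ;
                // prev is always a visible entry already verified to be inside the
                // buffer; cur is the candidate after it.
                PSYSTEM_PROCESS_INFORMATION prev = (PSYSTEM_PROCESS_INFORMATION)SystemInformation ;

                // UID of the caller: entries belonging to other UIDs are hidden.
                ULONG uCurrentUid = GetProcessUID((ULONG)PsGetCurrentProcessId()) ;

                // Offsets only move forward and must stay inside the buffer, so the
                // walk terminates even on a corrupted or raced chain.
                while (0 != prev->NextEntryOffset)
                {
                        ULONG_PTR curAddr = (ULONG_PTR)prev + prev->NextEntryOffset ;
                        PSYSTEM_PROCESS_INFORMATION cur ;
                        CLIENT_ID ClientId = {0} ;

                        if (curAddr < (ULONG_PTR)prev
                                || curAddr > bufEnd - sizeof(SYSTEM_PROCESS_INFORMATION))
                        {
                                // Chain leaves the buffer (or wrapped): truncate the list
                                // here rather than read or write outside it.
                                prev->NextEntryOffset = 0 ;
                                break ;
                        }
                        cur = (PSYSTEM_PROCESS_INFORMATION)curAddr ;
                        ClientId.UniqueProcess = cur->UniqueProcessId ;

                        if (GetProcessUID((ULONG)(cur->UniqueProcessId)) != uCurrentUid
                                || isProtectProcess((PCLIENT_ID)&ClientId))
                        {
                                // Hide this entry: wipe identifying fields and splice it out.
                                ULONG_PTR nameStart = (ULONG_PTR)cur->ImageName.Buffer ;
                                ULONG_PTR nameEnd   = nameStart + cur->ImageName.Length ;

                                cur->UniqueProcessId = NULL ;

                                // ImageName.Buffer came from the same untrusted buffer; only
                                // wipe it when it lies entirely inside that buffer.
                                if (NULL != cur->ImageName.Buffer
                                        && nameStart >= bufStart
                                        && nameEnd >= nameStart
                                        && nameEnd <= bufEnd)
                                {
                                        RtlFillMemory(cur->ImageName.Buffer, cur->ImageName.Length, 0) ;
                                }

                                if (0 != cur->NextEntryOffset)
                                {
                                        prev->NextEntryOffset = prev->NextEntryOffset + cur->NextEntryOffset ;
                                }
                                else
                                {
                                        prev->NextEntryOffset = 0 ;
                                }
                                // prev stays put; the next iteration examines the new successor.
                        }
                        else
                        {
                                prev = cur ;
                        }
                }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
                // The buffer went away underneath us (user-mode caller).  The original
                // call already succeeded, so report that rather than bugcheck.
        }

        return ntStatus ;
}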