/*******************************************************************************
 *
 * Function    : DetoursNtOpenProcess
 * Description : Detour for NtOpenProcess.
 * Parameters  : same as NtOpenProcess (ProcessHandle, AccessMask,
 *               ObjectAttributes, ClientId).
 * Notes       : When the caller identifies the target by ClientId and
 *               isProtectProcess() matches it, the open is refused with
 *               STATUS_ACCESS_DENIED; every other request is forwarded to
 *               the saved original (g_pNtOpenProcess). Requests that name
 *               the target only through ObjectAttributes (ClientId NULL or
 *               UniqueProcess zero) are not inspected here.
 * Returns     : STATUS_UNSUCCESSFUL if no original pointer is saved,
 *               STATUS_ACCESS_DENIED for a protected target, otherwise the
 *               status returned by the original function.
 *
 *******************************************************************************/
NTSTATUS DetoursNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK AccessMask,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId)
{
    BOOLEAN targetsProtected;

    /* Nothing to forward to: the hook was installed without a saved original. */
    if (NULL == g_pNtOpenProcess) {
        return STATUS_UNSUCCESSFUL;
    }

    /* Only a request carrying an explicit PID can be matched against the
     * protected set. NOTE(review): isProtectProcess() receives a PCLIENT_ID
     * here but a UINT32 pid in the other hooks of this listing -- confirm
     * which signature is the real one. */
    targetsProtected = (NULL != ClientId)
                    && (0 != ClientId->UniqueProcess)
                    && isProtectProcess(ClientId);
    if (targetsProtected) {
        return STATUS_ACCESS_DENIED;
    }

    return g_pNtOpenProcess(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
}
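/*
 * MyNtOpenProcess - SSDT replacement for NtOpenProcess.
 *
 * Opens that request any of PROCESS_CREATE_THREAD / VMOPERATION / VMWRITE /
 * VMREAD against a process that isProtectProcess() matches are refused with
 * STATUS_ACCESS_DENIED unless isPassProcess() exempts the caller; everything
 * else is forwarded to the saved original (pOriNtOpenProcess). A request whose
 * DesiredAccess is exactly KILLKERNEL is never filtered (presumably the
 * driver's own pass-through value; since any caller can supply it, it is not
 * a strong gate -- confirm the intent).
 *
 * Parameters mirror NtOpenProcess. ClientId is OPTIONAL: callers that name
 * the target through ObjectAttributes pass NULL, and such requests are
 * forwarded unfiltered.
 *
 * Returns STATUS_ACCESS_DENIED for a refused open, otherwise the original's
 * status.
 *
 * g_HookCounter is incremented on entry and decremented on exit, including
 * around the call into the original, so it counts threads still executing
 * hook code (NOTE(review): assumed to gate driver unload -- confirm).
 */
NTSTATUS NTAPI MyNtOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL)
{
    NTSTATUS status;
    bool bLeave = true;

    VMProtectBegin("MHVMP");
    VMProtectBeginVirtualization("MHVMP");
    InterlockedIncrement(&g_HookCounter);

    if (KILLKERNEL != DesiredAccess)
    {
        // Only the rights that allow tampering with the target are filtered.
        if (DesiredAccess & (PROCESS_CREATE_THREAD | VMOPERATION | VMWRITE | VMREAD))
        {
            // FIX: ClientId is OPTIONAL and was dereferenced unconditionally,
            // which bugchecks when a caller opens by name instead of by PID.
            if (NULL != ClientId && NULL != ClientId->UniqueProcess)
            {
                // NOTE(review): the (UINT32) cast truncates the handle on
                // 64-bit builds, as in the rest of this listing.
                if (isProtectProcess((UINT32)ClientId->UniqueProcess) && !isPassProcess())
                {
                    bLeave = false;
                }
            }
        }
    }

    if (!bLeave)
    {
        PEPROCESS caller = PsGetCurrentProcess();
        ULONG callerPid = (ULONG)PsGetCurrentProcessId();
        ANSI_STRING asImageName;
        UNICODE_STRING uniImageName;

        // The image file name is read from EPROCESS at g_processNameOffset.
        RtlInitAnsiString(&asImageName, (char *)caller + g_processNameOffset);

        // FIX: the conversion allocates; the original ignored its status and
        // then freed an uninitialised UNICODE_STRING on failure.
        if (NT_SUCCESS(RtlAnsiStringToUnicodeString(&uniImageName, &asImageName, TRUE)))
        {
            // Log only when the caller differs from the last one logged (g_tmp).
            // The PID is passed as ULONG to match %d; HANDLE is wider than int on x64.
            if (g_tmp != callerPid)
            {
                WriteSysLog(LOG_TYPE_DEBUG, L"filter process Name: %s PID : %d", uniImageName.Buffer, callerPid);
            }
            RtlFreeUnicodeString(&uniImageName);
        }
        g_tmp = callerPid;

        status = STATUS_ACCESS_DENIED;
    }
    else
    {
        status = ((pNtOpenProcess)pOriNtOpenProcess)(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    // FIX: single exit so VMProtectEnd() is actually reached (both return
    // statements in the original preceded it) and the counter drops only
    // after the original call has returned into hook code.
    InterlockedDecrement(&g_HookCounter);
    VMProtectEnd();
    return status;
}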
/*
 * ObjectPreCallbackFilter - ObRegisterCallbacks pre-operation callback.
 *
 * For a handle-creation operation whose target object is a process that
 * isProtectProcess() matches, and whose caller is not exempted by
 * isPassProcess(), every requested access right is stripped
 * (DesiredAccess = 0). Duplications and all other operations pass through
 * untouched. The callback always returns OB_PREOP_SUCCESS.
 *
 * NOTE(review): Object is cast to PEPROCESS without checking ObjectType, so
 * this assumes the callback is registered for the process type only.
 */
OB_PREOP_CALLBACK_STATUS ObjectPreCallbackFilter(
    __in PVOID RegistrationContext,
    __in POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    (void)RegistrationContext;

    if (OB_OPERATION_HANDLE_CREATE != OperationInformation->Operation)
    {
        return OB_PREOP_SUCCESS;
    }

    {
        UINT targetPid = (UINT)PsGetProcessId((PEPROCESS)OperationInformation->Object);

        if (isProtectProcess(targetPid) && !isPassProcess())
        {
            PEPROCESS caller = PsGetCurrentProcess();

            /* Image file name is read from EPROCESS at g_processNameOffset. */
            kdP(("operation process is %s PID is: %d\n", (char*)caller + g_processNameOffset, (UINT32)PsGetCurrentProcessId()));

            /* Grant nothing: the handle is created with no access rights. */
            OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
        }
    }

    return OB_PREOP_SUCCESS;
}
/*******************************************************************************
 *
 * Function    : DetoursNtQuerySystemInformation
 * Description : Detour for NtQuerySystemInformation. The original is always
 *               called first; when the request is information class 5
 *               (SystemProcessInformation) and the caller's buffer is larger
 *               than 200 bytes, the returned SYSTEM_PROCESS_INFORMATION chain
 *               is rewritten in place: every entry whose GetProcessUID()
 *               value differs from the calling process's, or that
 *               isProtectProcess() matches, is unlinked (the previous
 *               entry's NextEntryOffset skips it), its UniqueProcessId is
 *               cleared and its ImageName buffer is zeroed. The first entry
 *               of the chain is never examined.
 * Parameters  : same as NtQuerySystemInformation.
 * Returns     : STATUS_UNSUCCESSFUL if no original pointer is saved,
 *               otherwise the original's status (filtering never alters it).
 * Review notes: - the pointer arithmetic casts through (DWORD), which
 *                 truncates pointers on 64-bit builds;
 *               - KdBreakPoint() runs on every qualifying call;
 *               - the walk trusts each NextEntryOffset and never checks that
 *                 the next entry still lies within SystemInformationLength;
 *               - isProtectProcess() receives a PCLIENT_ID here but a UINT32
 *                 pid in the other hooks of this listing -- confirm which
 *                 signature is real;
 *               - the __finally block is empty, so the __try adds nothing.
 *
 *******************************************************************************/
NTSTATUS DetoursNtQuerySystemInformation (
    IN ULONG SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL )
{
    //dprintf("DetoursNtQuerySystemInformation\r\n") ;
    NTSTATUS ntStatus = STATUS_UNSUCCESSFUL ;

    // No saved original to forward to.
    if (NULL == g_pNtQuerySystemInformation)
    {
        return ntStatus ;
    }

    __try
    {
        // Call the original first; the filtering below only edits its output.
        ntStatus = g_pNtQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength) ;
        if(! NT_SUCCESS(ntStatus))
        {
            __leave ;
        }

        // A switch could be placed here (left over from an earlier version).
        //if (g_pde->bIsFiltrateProcess)
        //{
        //    __leave ;
        //}

        // Process enumeration: entries that should be filtered are unlinked so they are not shown.
        if(5 == SystemInformationClass && SystemInformationLength > 200)
        {
            // spi is the entry whose NextEntryOffset gets rewritten; fspi is the entry under inspection.
            PSYSTEM_PROCESS_INFORMATION spi = (PSYSTEM_PROCESS_INFORMATION)SystemInformation ;
            if (0 == spi->NextEntryOffset)
            {
                __leave ;
            }
            // NOTE(review): (DWORD) truncates the pointer on 64-bit builds (same in the three casts below).
            PSYSTEM_PROCESS_INFORMATION fspi = (PSYSTEM_PROCESS_INFORMATION)( (DWORD)spi + spi->NextEntryOffset) ;

            // NOTE(review): unconditional breakpoint on every qualifying call.
            KdBreakPoint() ;

            // UID of the calling process (GetProcessUID's exact semantics are not visible here).
            ULONG uCurrentUid = GetProcessUID((ULONG)PsGetCurrentProcessId()) ;

            while ( spi->NextEntryOffset != 0 )
            {
                // UID of the process described by the entry under inspection, looked up by pid.
                ULONG uUid = GetProcessUID((ULONG)(fspi->UniqueProcessId)) ;
                CLIENT_ID ClientId = {0} ;
                ClientId.UniqueProcess = fspi->UniqueProcessId ;

                // Different owner, or a protected process: scrub the entry and make spi skip over it.
                if (uUid != uCurrentUid || isProtectProcess((PCLIENT_ID)&ClientId))
                {
                    fspi->UniqueProcessId = NULL;
                    if (NULL != fspi->ImageName.Buffer)
                    {
                        RtlFillMemory(fspi->ImageName.Buffer, fspi->ImageName.Length, 0) ;
                    }

                    // Splice: spi now points past fspi, or terminates the chain if fspi was last.
                    if (0 != fspi->NextEntryOffset)
                    {
                        spi->NextEntryOffset = (spi->NextEntryOffset + fspi->NextEntryOffset) ;
                    }
                    else
                    {
                        spi->NextEntryOffset = 0 ;
                    }
                }

                // Advance: if fspi was just unlinked, spi stays and fspi moves to spi's new successor;
                // otherwise both step forward one entry.
                if(fspi != (PSYSTEM_PROCESS_INFORMATION)( (DWORD)spi + spi->NextEntryOffset))
                {
                    fspi = (PSYSTEM_PROCESS_INFORMATION)( (DWORD)spi + spi->NextEntryOffset) ;
                }
                else
                {
                    spi = fspi ;
                    fspi = (PSYSTEM_PROCESS_INFORMATION)( (DWORD)fspi + fspi->NextEntryOffset) ;
                }
            }
        }
    }
    __finally
    {
        // Empty: nothing is released here.
    }

    return ntStatus ;
}