parent
aea9bf0f57
commit
8080e9d7d3
|
@ -5,38 +5,26 @@
|
|||
#endif
|
||||
PVOID CallBackHandle = NULL;
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
NTSTATUS
|
||||
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
||||
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
|
||||
{
|
||||
|
||||
PLDR_DATA_TABLE_ENTRY64 ldr;
|
||||
|
||||
DriverObject->DriverUnload = UnloadDriver;
|
||||
ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection;
|
||||
ldr->Flags |= 0x20;
|
||||
|
||||
|
||||
ProtectFileByObRegisterCallbacks();
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
}
|
||||
|
||||
NTSTATUS ProtectFileByObRegisterCallbacks()
|
||||
{
|
||||
OB_CALLBACK_REGISTRATION CallBackReg;
|
||||
OB_OPERATION_REGISTRATION OperationReg;
|
||||
|
||||
NTSTATUS Status;
|
||||
|
||||
|
||||
EnableObType(*IoFileObjectType); //开启文件对象回调
|
||||
|
||||
|
||||
memset(&CallBackReg, 0, sizeof(OB_CALLBACK_REGISTRATION));
|
||||
CallBackReg.Version = ObGetFilterVersion();
|
||||
CallBackReg.OperationRegistrationCount = 1;
|
||||
|
@ -45,19 +33,14 @@ NTSTATUS ProtectFileByObRegisterCallbacks()
|
|||
|
||||
memset(&OperationReg, 0, sizeof(OB_OPERATION_REGISTRATION)); //初始化结构体变量
|
||||
|
||||
|
||||
OperationReg.ObjectType = IoFileObjectType;
|
||||
OperationReg.Operations = OB_OPERATION_HANDLE_CREATE|OB_OPERATION_HANDLE_DUPLICATE;
|
||||
|
||||
OperationReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&PreCallBack; //在这里注册一个回调函数指针
|
||||
|
||||
CallBackReg.OperationRegistration = &OperationReg; //注意这一条语句 将结构体信息放入大结构体
|
||||
|
||||
|
||||
Status = ObRegisterCallbacks(&CallBackReg, &CallBackHandle);
|
||||
if (!NT_SUCCESS(Status))
|
||||
{
|
||||
|
||||
Status = STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
else
|
||||
|
@ -65,12 +48,8 @@ NTSTATUS ProtectFileByObRegisterCallbacks()
|
|||
Status = STATUS_SUCCESS;
|
||||
}
|
||||
return Status;
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
|
||||
{
|
||||
UNICODE_STRING uniDosName;
|
||||
|
@ -91,8 +70,6 @@ OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATIO
|
|||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
|
||||
uniFilePath = GetFilePathByFileObject(FileObject);
|
||||
|
||||
if (uniFilePath.Buffer==NULL||uniFilePath.Length==0)
|
||||
|
@ -100,10 +77,8 @@ OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATIO
|
|||
return OB_PREOP_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
if(wcsstr(uniFilePath.Buffer,L"D:\\Alif.txt"))
|
||||
{
|
||||
|
||||
if (FileObject->DeleteAccess==TRUE||FileObject->WriteAccess==TRUE)
|
||||
{
|
||||
if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
|
||||
|
@ -115,7 +90,6 @@ OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext, POB_PRE_OPERATIO
|
|||
OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess=0;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName);
|
||||
DbgPrint("PID : %ld File : %wZ %wZ\r\n", (ULONG64)CurrentProcessId, &uniDosName, &uniFilePath);
|
||||
|
@ -135,14 +109,13 @@ UNICODE_STRING GetFilePathByFileObject(PVOID FileObject)
|
|||
|
||||
VOID EnableObType(POBJECT_TYPE ObjectType)
|
||||
{
|
||||
POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType;
|
||||
POBJECT_TYPE_TEMP ObjectTypeTemp = (POBJECT_TYPE_TEMP)ObjectType;
|
||||
ObjectTypeTemp->TypeInfo.SupportsObjectCallbacks = 1;
|
||||
}
|
||||
|
||||
|
||||
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
|
||||
{
|
||||
|
||||
if (CallBackHandle!=NULL)
|
||||
{
|
||||
ObUnRegisterCallbacks(CallBackHandle);
|
||||
|
|
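Review bot: DriverEntry discards the NTSTATUS of `ProtectFileByObRegisterCallbacks();` and then returns STATUS_SUCCESS unconditionally, so when ObRegisterCallbacks fails the driver stays loaded with no callback registered and nothing reports it; `return ProtectFileByObRegisterCallbacks();` would propagate the failure and let the loader unload the driver. The failure branch in ProtectFileByObRegisterCallbacks makes such a failure harder to diagnose by overwriting the real code with `Status = STATUS_UNSUCCESSFUL;` — the status ObRegisterCallbacks returns already says why it failed, so the whole if/else can collapse to `return ObRegisterCallbacks(&CallBackReg, &CallBackHandle);`. In PreCallBack the return value of `RtlVolumeDeviceToDosName(FileObject->DeviceObject, &uniDosName);` is not checked before uniDosName is handed to DbgPrint, and the buffer that call allocates has to be released by the caller; whether it is released lies outside the hunk, so I cannot confirm either way. EnableObType sets SupportsObjectCallbacks through the locally defined POBJECT_TYPE_TEMP overlay of an undocumented kernel structure whose layout is build-specific, so a comment on that line recording which OS builds the layout was verified against would help the next maintainer judge the risk of a misplaced write.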