#pragma once
#include <ntifs.h>
#include "ProcessProtect.h"
#include "Public.h"
/* Opaque handle returned by ObRegisterCallbacks in DriverEntry. NULL before
 * the callback is registered and again after DriverUnload has torn it down. */
PVOID g_RegistrationHandle = NULL;
/*
 * DriverUnload: unload routine installed by DriverEntry.
 *
 * If an object-manager callback registration is outstanding it is removed
 * with ObUnRegisterCallbacks and g_RegistrationHandle is cleared so that a
 * second call is a no-op.  The "driver unloaded" trace is always printed.
 * pDriver is only present to satisfy the PDRIVER_UNLOAD signature.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    (void)pDriver;

    PVOID registration = g_RegistrationHandle;
    if (registration != NULL)
    {
        ObUnRegisterCallbacks(registration);
        g_RegistrationHandle = NULL;
    }

    DbgPrint("驱动卸载\n");
}
/*
 * PreOperationCallback: ObRegisterCallbacks pre-operation hook for process
 * handle CREATE and DUPLICATE requests (the two operations DriverEntry
 * registers).
 *
 * Every request that reaches this routine has its access mask overwritten
 * with PROCESS_ALL_ACCESS.  There is no filter on the requesting process, on
 * the target process, or on kernel-mode vs. user-mode handles, so this is a
 * system-wide handle-elevation primitive: anyone who can open a process at
 * all receives full access.  The page title frames this as the counterpart
 * of AV/EDR "handle downgrade" self-protection; whether it actually overrides
 * the mask another registered callback stripped depends on the relative
 * callback altitudes and is not established by this code.
 *
 * Both DesiredAccess and OriginalDesiredAccess are overwritten.  Only
 * DesiredAccess is the field the callback is meant to modify;
 * OriginalDesiredAccess records what the caller asked for, and rewriting it
 * is presumably intended to make the elevation invisible to later callbacks
 * -- TODO confirm that the kernel honours this.
 *
 * RegistrationContext is unused (DriverEntry passes NULL).
 * Returns OB_PREOP_SUCCESS in every case; a request is never denied here.
 *
 * Retired "process protection" variant (kept for reference, not compiled):
 * it looked up PsGetProcessImageFileName() on PreInfo->Object, returned early
 * unless the image name compared equal to "Notepad.exe" with _stricmp, and
 * then set DesiredAccess to 0 (an earlier revision cleared only
 * PROCESS_TERMINATE) for both CREATE and DUPLICATE -- i.e. the exact
 * opposite of what the live code below does.
 */
OB_PREOP_CALLBACK_STATUS
PreOperationCallback(_In_ PVOID RegistrationContext,
                     _Inout_ POB_PRE_OPERATION_INFORMATION PreInfo)
{
    (void)RegistrationContext;

    switch (PreInfo->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        PreInfo->Parameters->CreateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
        PreInfo->Parameters->CreateHandleInformation.OriginalDesiredAccess = PROCESS_ALL_ACCESS;
        break;

    default:
        /* Only CREATE and DUPLICATE are registered, so anything that is not a
         * create is handled as a duplicate, exactly as the original if/else did. */
        PreInfo->Parameters->DuplicateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS;
        PreInfo->Parameters->DuplicateHandleInformation.OriginalDesiredAccess = PROCESS_ALL_ACCESS;
        break;
    }

    return OB_PREOP_SUCCESS;
}
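/*
 * DriverEntry: driver entry point.  Installs DriverUnload and registers
 * PreOperationCallback for process handle CREATE and DUPLICATE operations via
 * ObRegisterCallbacks.
 *
 * Fixes relative to the original:
 *  - obOperationRegistrations was declared without an initialiser and then
 *    built up with `Operations |= ...`, OR-ing the flags into indeterminate
 *    stack contents (undefined behaviour).  The struct is now zero-initialised
 *    and Operations is assigned directly.
 *  - the NTSTATUS from ObRegisterCallbacks was discarded and STATUS_SUCCESS
 *    returned regardless, which leaves a loaded driver that silently does
 *    nothing (and a NULL g_RegistrationHandle).  The status is now propagated,
 *    so a failed registration fails the load and is visible in the debugger.
 *  - DriverSection is checked for NULL before its flags are touched.
 *
 * Security notes for the reader:
 *  - `ldr->Flags |= 0x20` writes an undocumented field of the loader's
 *    KLDR_DATA_TABLE_ENTRY.  The original comment calls it "remove
 *    verification"; it is presumably there so that the callback registration
 *    is accepted from a driver that does not carry the signing the kernel
 *    checks for Ob callbacks -- TODO confirm against the target build.  The
 *    layout of that structure is version-specific and nothing here validates
 *    it.
 *  - The altitude "1000" is an arbitrary value.  Altitudes are meant to be
 *    unique; a collision with another registered callback makes
 *    ObRegisterCallbacks fail, which this version now reports.
 *  - Once registered, PreOperationCallback grants PROCESS_ALL_ACCESS on every
 *    process handle system-wide; see its header comment.
 *
 * Returns the status of ObRegisterCallbacks (STATUS_SUCCESS on success).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    (void)pReg; /* registry path is not used */

    DbgPrint("驱动加载\n");
    pDriver->DriverUnload = DriverUnload;

    /* "去除校验" in the original: set bit 0x20 in the loader-entry flags
     * before registering the callback.  See the header comment. */
    PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)pDriver->DriverSection;
    if (ldr != NULL)
    {
        ldr->Flags |= 0x20;
    }

    /* Zero-initialise so no stale bits leak into Operations. */
    OB_OPERATION_REGISTRATION obOperationRegistrations = { 0 };
    obOperationRegistrations.ObjectType = PsProcessType;
    obOperationRegistrations.Operations =
        OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    obOperationRegistrations.PreOperation = PreOperationCallback;
    obOperationRegistrations.PostOperation = NULL;

    UNICODE_STRING altitude = { 0 };
    RtlInitUnicodeString(&altitude, L"1000");

    OB_CALLBACK_REGISTRATION obCallbackRegistration = { 0 };
    obCallbackRegistration.Version = ObGetFilterVersion();
    obCallbackRegistration.OperationRegistrationCount = 1;
    obCallbackRegistration.RegistrationContext = NULL;
    obCallbackRegistration.Altitude = altitude;
    obCallbackRegistration.OperationRegistration = &obOperationRegistrations;

    NTSTATUS status = ObRegisterCallbacks(&obCallbackRegistration, &g_RegistrationHandle);
    if (!NT_SUCCESS(status))
    {
        /* Nothing was registered; make sure DriverUnload has nothing to undo. */
        g_RegistrationHandle = NULL;
        DbgPrint("ObRegisterCallbacks failed: 0x%08X\n", status);
    }
    return status;
}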
驱动保护进程 句柄降权 杀软自保 游戏破图标技术实现代码