驱动保护进程 句柄降权 杀软自保 游戏破图标技术实现代码

#pragma once #include <ntifs.h> #include "ProcessProtect.h" #include "Public.h" PVOID g_RegistrationHandle = NULL; VOID DriverUnload(PDRIVER_OBJECT pDriver) { if (g_RegistrationHandle) { ObUnRegisterCallbacks(g_RegistrationHandle); g_RegistrationHandle = NULL; } DbgPrint("驱动卸载\n"); } OB_PREOP_CALLBACK_STATUS PreOperationCallback(_In_ PVOID RegistrationContext, _Inout_ POB_PRE_OPERATION_INFORMATION PreInfo) { /* 进程保护 ACCESS_MASK AccessBitsToClear = PROCESS_TERMINATE; //获取操作的进程对象 PEPROCESS process = (PEPROCESS)PreInfo->Object; //获取进程名 PUCHAR processName = PsGetProcessImageFileName(process); if (_stricmp((char*)processName, "Notepad.exe") != 0) { //不是我们关心的进程，直接return return OB_PREOP_SUCCESS; } if (PreInfo->Operation == OB_OPERATION_HANDLE_CREATE) { //PreInfo->Parameters->CreateHandleInformation.DesiredAccess &= ~AccessBitsToClear; PreInfo->Parameters->CreateHandleInformation.DesiredAccess =0; } if (PreInfo->Operation == OB_OPERATION_HANDLE_DUPLICATE) { PreInfo->Parameters->DuplicateHandleInformation.DesiredAccess =0; } */ if (PreInfo->Operation == OB_OPERATION_HANDLE_CREATE) { PreInfo->Parameters->CreateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS; PreInfo->Parameters->CreateHandleInformation.OriginalDesiredAccess = PROCESS_ALL_ACCESS; } else { PreInfo->Parameters->DuplicateHandleInformation.DesiredAccess = PROCESS_ALL_ACCESS; PreInfo->Parameters->DuplicateHandleInformation.OriginalDesiredAccess = PROCESS_ALL_ACCESS; } return OB_PREOP_SUCCESS; } NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg) { DbgPrint("驱动加载\n"); pDriver->DriverUnload = DriverUnload; //去除校验 PKLDR_DATA_TABLE_ENTRY ldr = (PKLDR_DATA_TABLE_ENTRY)pDriver->DriverSection; ldr->Flags |= 0x20; OB_OPERATION_REGISTRATION obOperationRegistrations; obOperationRegistrations.ObjectType = PsProcessType; obOperationRegistrations.Operations |= OB_OPERATION_HANDLE_CREATE; obOperationRegistrations.Operations |= OB_OPERATION_HANDLE_DUPLICATE; obOperationRegistrations.PreOperation = PreOperationCallback; obOperationRegistrations.PostOperation = NULL; OB_CALLBACK_REGISTRATION obCallbackRegistration = { 0 }; UNICODE_STRING altitude = { 0 }; RtlInitUnicodeString(&altitude, L"1000"); obCallbackRegistration.Version = ObGetFilterVersion(); obCallbackRegistration.OperationRegistrationCount = 1; obCallbackRegistration.RegistrationContext = NULL; obCallbackRegistration.Altitude = altitude; obCallbackRegistration.OperationRegistration = &obOperationRegistrations; //注册回调函数 ObRegisterCallbacks(&obCallbackRegistration, &g_RegistrationHandle); return STATUS_SUCCESS; }