驅動實現程序保護


//基於ssdt hook

//hook zwterminateprocess對傳入的程序進行檢查,如果匹配,則返回拒絕訪問

#include

#include

#include

"ssdthook.h"

/*
 * Declarations for the SSDT hook driver.
 *
 * Identifiers appear lower-cased in this rendering (NTSTATUS, PEPROCESS,
 * PUNICODE_STRING, ZwQuerySystemInformation, PsGetProcessImageFileName, ...).
 *
 * The three typedefs below only name the enum/struct tags; the tag bodies
 * (the SYSTEM_INFORMATION_CLASS values and the thread/process information
 * layouts) are not on this page.
 */
typedef

enum _system_information_class system_information_class,

*psystem_information_class;

typedef

struct _system_thread system_thread,

*psystem_thread;

typedef

struct _system_process_information system_process_information,

*psystem_process_information;

/*
 * PsGetProcessImageFileName is exported by the kernel but not declared in
 * ntddk.h, so it is prototyped here by hand (see the comment inside the
 * terminate hook).  The hook casts the result to pchar.
 * NOTE(review): the kernel keeps only a short, truncated image file name in
 * the field this returns -- confirm the length for the target build before
 * relying on it for matching.
 */
uchar *

psgetprocessimagefilename

(__in peprocess process)

/* Native prototype of ZwQuerySystemInformation, declared locally. */
;ntsysapi ntstatus ntapi zwquerysysteminformation

( __in system_information_class systeminformationclass

,__out_bcount_opt

(systeminformationlength) pvoid systeminformation,

__in ulong systeminformationlength,

__out_opt pulong returnlength );

/*
 * Replacement for the NtQuerySystemInformation service.
 * NOTE(review): only this prototype is on the page -- no definition and no
 * installation of this hook is visible; verify against the full source
 * whether it is actually used.
 */
ntstatus hookntquerysysteminformation

( __in system_information_class systeminformationclass

,__out_bcount_opt

(systeminformationlength) pvoid systeminformation,

__in ulong systeminformationlength,

__out_opt pulong returnlength );

/* Function-pointer type matching NtQuerySystemInformation. */
typedef

ntstatus

(*ntquerysysteminformation)

( __in system_information_class systeminformationclass

,__out_bcount_opt

(systeminformationlength) pvoid systeminformation,

__in ulong systeminformationlength,

__out_opt pulong returnlength );

/* Function-pointer type matching NtTerminateProcess(processhandle, exitstatus). */
typedef

ntstatus

(*ntterminateprocess)

( __in_opt handle processhandle,

__in ntstatus exitstatus );

/* Replacement for the NtTerminateProcess service; defined further down. */
ntstatus hookntterminateprocess

( __in_opt handle processhandle,

__in ntstatus exitstatus );

/*
 * File-scope pointer to the original NtTerminateProcess entry.  Starts as
 * null; in the visible code it is (re)assigned inside hookntterminateprocess
 * on every call rather than once at install time.
 * NOTE(review): if this driver is ever unloaded, callers that read this
 * pointer after unload would dereference freed code -- confirm the unload
 * path restores the SSDT entry first (unload's body is not on this page).
 */
ntterminateprocess poldntterminateprocess=

null

/*
 * npunicodestringtochar: by its name and parameters, converts a UNICODE_STRING
 * (uniname) into a char buffer (name).  Only a fragment survives on this page:
 * the function body up to the rtlfreeansistring call, and the __except
 * handler, are missing their __try block and their braces.
 * NOTE(review): `char name` is presumably `char *name` in the original (the
 * asterisk looks lost in extraction); a single char cannot receive the
 * converted string -- confirm against the full source.
 * NOTE(review): the only return visible is `return true`, which sits with the
 * exception handler; if that is the failure path, a conversion failure would
 * be reported to the caller as success.
 */
;boolean npunicodestringtochar

(punicode_string uniname,

char name)

/* Release the temporary ANSI string produced by the (missing) conversion. */
rtlfreeansistring

(&ansiname);}

__except (exception_execute_handler)

return true;

}ntstatus unload

(pdriver_object driver)

/*
 * Replacement for the SSDT entry of ZwTerminateProcess.
 *
 * Parameters follow the native service: processhandle is the process to be
 * terminated (optional, per __in_opt) and exitstatus its exit code.  For a
 * process that is not protected, the original service is called and its
 * status returned.
 *
 * As rendered on this page the function is incomplete: the opening brace, the
 * local declarations (peprocess, upid, pstrprocname, strprocname, rtstatus)
 * and the step that resolves processhandle into peprocess (and releases that
 * reference afterwards) are not visible, and the protected-process branch
 * below has no body.
 *
 * NOTE(review): on 64-bit Windows, Kernel Patch Protection treats SSDT
 * modification as a kernel integrity violation; this technique only applies
 * to legacy 32-bit targets and is itself a well-known detection signal.
 */
ntstatus hookntterminateprocess

( __in_opt handle processhandle,

__in ntstatus exitstatus

)// Fetch the original NtTerminateProcess address from the saved SSDT copy
  // (oldsysserviceaddr / syscall_index presumably come from ssdthook.h, not on this page).
  // This is done on every call rather than once at install time.

poldntterminateprocess =

(ntterminateprocess)oldsysserviceaddr[

syscall_index

(zwterminateprocess)];

// These two calls give the process name and process id.  They are really exported by the kernel (visible in the WRK),

// but ntddk.h does not declare them, so they have to be declared by hand before use.

// NOTE(review): upid is assigned here but not used by any visible line.
upid =

(ulong)

psgetprocessid

(peprocess)

; pstrprocname =

(pchar)

psgetprocessimagefilename

(peprocess)

// Diagnostic trace of every termination request (constant format string, name passed as %s).
;dbgprint

("terimateprocess:%s\n"

, pstrprocname)

;// Initialise an ANSI string from the process name.
// NOTE(review): strprocname is not used by any visible line after this call.

rtlinitansistring

// Substring match on the kernel-side image name: any name containing "notepad.exe" matches,
// and the check is only as strong as that name.
(&strprocname, pstrprocname);if

(strstr

(pstrprocname,

"notepad.exe"))

// Protect the notepad.exe process.
// NOTE(review): the branch taken when the name matches has no body in this rendering;
// as written, a match falls through to the original call below and the process is NOT
// protected.  The file header states a match should return an access-denied status.

// For non-protected processes, call the original NtTerminateProcess from the SSDT directly to end the process.

rtstatus =

poldntterminateprocess

(processhandle, exitstatus)

;return rtstatus;

}ntstatus driverentry

(pdriver_object driver, punicode_string reg_path)
