vc 實現核心級程序保護

2021-09-05 23:51:00 字數 4514 閱讀 1621

保護核心**

#include "ntddk.h"

#define nt_device_name      l"\\device\\protectprocess"

#define dos_device_name     l"\\dosdevices\\protectprocess"

#define ioctl_protect_control ctl_code(file_device_unknown, 0x800, method_buffered, file_any_access)

ntstatus dispatchdevicecontrol(in pdevice_object  deviceobject,in pirp  irp);

void onunload(in pdriver_object driverobject);

#pragma pack(1) //ssdt表的結構

typedef struct servicedescriptorentry servicedescriptortableentry_t, *pservicedescriptortableentry_t;

#pragma pack()

__declspec(dllimport) servicedescriptortableentry_t keservicedescriptortable; //變數名是不能變的,因為是從外部匯入

//這個是查詢某個函式的位址的乙個巨集

#define systemservice(_function)  keservicedescriptortable.servicetablebase[*(pulong)((puchar)_function+1)]

ntsysapi ntstatus ntapi zwopenprocess(out phandle processhandle,in access_mask desiredaccess,in pobject_attributes objectattributes,in pclient_id clientid optional);

typedef ntstatus (*zwopenprocess)(out phandle processhandle,in access_mask desiredaccess,in pobject_attributes objectattributes,in pclient_id clientid optional);

zwopenprocess oldzwopenprocess;

long pid = -1;

ntstatus newzwopenprocess(out phandle processhandle,in access_mask desiredaccess,in pobject_attributes objectattributes,in pclient_id clientid optional)

//剩下的交給我們的原函式

nstatus = oldzwopenprocess(processhandle,desiredaccess,objectattributes,clientid);

return status_success; }

void onunload(in pdriver_object driverobject)

}  

dbgprint("裝置已經解除安裝\n");

dbgprint("修復ssdt表\n");

(zwopenprocess)(systemservice(zwopenprocess)) = oldzwopenprocess;

dbgprint("驅動解除安裝完畢.\n"); }

ntstatus dispatchdevicecontrol(in pdevice_object  deviceobject,in pirp  irp)

break;

default:

dbgprint("未知請求包被呼叫\n");

break; }

nstatus = irp->iostatus.status;

iocompleterequest(irp,io_no_increment);

return nstatus; }

ntstatus driverentry(in pdriver_object driverobject,in punicode_string theregistrypath)

rtlinitunicodestring(&devicelinkstring,dos_device_name);

ntstatus=iocreatesymboliclink(&devicelinkstring,&ntdevicename);

if(!nt_success(ntstatus))

driverobject->majorfunction[irp_mj_create] = dispatchdevicecontrol;

driverobject->majorfunction[irp_mj_close] = dispatchdevicecontrol;

driverobject->majorfunction[irp_mj_device_control] = dispatchdevicecontrol;

driverobject->driverunload = onunload;

dbgprint("驅動程式已經啟動\n");

dbgprint("修改ssdt表...\n");

//修改 zwopenprocess 函式位址

oldzwopenprocess =(zwopenprocess)(systemservice(zwopenprocess));

(zwopenprocess)(systemservice(zwopenprocess)) = newzwopenprocess;

dbgprint("驅動程式載入完畢.\n");

return status_success; }

#include

#include

#include

#include

#define buf_size 4096

int main(int argc,char* argv)

::getmodulefilename(0,base,buf_size);

int p = strlen(base);

while(base[p] != '\\')

strncpy(path,base,p+1);

memset(base,0,buf_size);

sprintf(base,"%sinstall.ini",path);

memset(path,0,buf_size);

::getprivateprofilestring("config","path","",path,buf_size,base);

::getprivateprofilestring("config","servicename","",sername,buf_size,base);

::getprivateprofilestring("config","displayname","",disname,buf_size,base);

printf("[*]service name:%s\n",sername);

printf("[*]display name:%s\n",disname);

printf("[*]driver  path:%s\n",path);

sh = openscmanager(null,null,sc_manager_all_access);

if (!sh)

if (argc == 2 && !strcmp(argv[1],"install"))

rh = createservice(sh,sername,disname,

service_all_access,

service_kernel_driver, //

service_error_normal,

path,

null,null,null,null,null);

if (!rh)

printf("[-]install service complete...\n");

}else if (argc == 2 && !strcmp(argv[1],"start"))

startservice(rh,null,null);

printf("[-]start service complete...\n");

}else if (argc == 2 && !strcmp(argv[1],"uninstall"))

service_status ss;

controlservice(rh,service_control_stop,&ss);

printf("[-]stop service complete...\n");

deleteservice(rh);

printf("[-]delete service complete...\n");  }

closeservicehandle(rh);

closeservicehandle(sh);

return 1; }

vc 實現核心級程序保護

保護核心 include ntddk.h define nt device name l device protectprocess define dos device name l dosdevices protectprocess define ioctl protect control ctl...

SSDT HOOK實現程序保護

灰狐 ssdt hook已經是很老的技術了,但對新手來說還是有一些嚼頭的。根據常規的做法,我們應該掛鉤 zwterminateprocess函式,不過這個函式僅有兩個引數,其中乙個是程序控制代碼,它指定了需要被結束的程序。由於我們不能直接從程序控制代碼獲取有關程序的一些資訊,這就使得一些 懶惰 的傢...

驅動實現程序保護

基於ssdt hook hook zwterminateprocess對傳入的程序進行檢查,如果匹配,則返回拒絕訪問 include include include ssdthook.h typedef enum system information class system information...