  • 进程自我保护 适用于WIN7 X64

// Process self-protection. NOTE: only usable on x64 Windows 7 — the EPROCESS
// offset and the loader-entry flag written below are specific to that build
// and nothing here validates the running kernel against them.
#include <ntddk.h>
// Access right that the callback strips from handle create/duplicate
// requests aimed at the protected process (value 1 == the standard
// PROCESS_TERMINATE; the WDK header may already define it identically).
#define PROCESS_TERMINATE 1
// Prefix of the kernel's loader entry for a driver (DriverEntry casts
// DRIVER_OBJECT.DriverSection to this). The trailing comment describes the
// full structure as 24 elements / 0xE0 bytes, but only the members up to
// Flags are declared, so this type must never be allocated, copied or
// sizeof'd as if it were the whole entry — it is only used to reach Flags.
// Field order and padding are taken as the x64 Win7 layout (see file header);
// the offsets are not checked at runtime, so another build silently breaks
// DriverEntry's write to Flags.
typedef struct _LDR_DATA                                     // 24 elements, 0xE0 bytes (sizeof)
{
    struct _LIST_ENTRY InLoadOrderLinks;                     // 2 elements, 0x10 bytes (sizeof)
    struct _LIST_ENTRY InMemoryOrderLinks;                   // 2 elements, 0x10 bytes (sizeof)
    struct _LIST_ENTRY InInitializationOrderLinks;           // 2 elements, 0x10 bytes (sizeof)
    VOID*        DllBase;
    VOID*        EntryPoint;
    ULONG32      SizeOfImage;
    UINT8        _PADDING0_[0x4];                            // explicit pad so FullDllName starts 8-aligned (name is a reserved identifier; kept for layout compatibility)
    struct _UNICODE_STRING FullDllName;                      // 3 elements, 0x10 bytes (sizeof)
    struct _UNICODE_STRING BaseDllName;                      // 3 elements, 0x10 bytes (sizeof)
    ULONG32      Flags;                                      // the only field this driver touches (DriverEntry ORs in 0x20)
}LDR_DATA, *PLDR_DATA;
    17 
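// Byte offset of the image-file-name field inside EPROCESS for the single
// kernel build this driver targets (x64 Win7, per the file header). EPROCESS
// is opaque and its layout changes between builds, so on any other build this
// reads unrelated memory — TODO confirm against that build's symbols first.
#define EPROCESS_IMAGEFILENAME_OFFSET 0x16c

// Returns a pointer to the process's image file name as stored in EPROCESS.
// Process: a live process object (the callback passes the request's Object).
// Returns: pointer into the EPROCESS, valid only while Process is referenced.
// NOTE(review): the kernel field is a small fixed-size array; longer names are
// truncated and NUL termination is not verified here — confirm before relying
// on it for anything beyond a short-name comparison.
char* GetProcessImageFileName(PEPROCESS Process)
{
    // Process is opaque; the only thing known about it here is the offset.
    return (char *)Process + EPROCESS_IMAGEFILENAME_OFFSET;
}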
    24 
    25 
// Image name (as found in EPROCESS) of the process this driver protects.
// Compared case-insensitively, so "VB.EXE" matches as well.
static const char kProtectedImageName[] = "vb.exe";

// TRUE when eprocess's image file name is the protected one, FALSE otherwise.
// The name is the raw EPROCESS field returned by GetProcessImageFileName,
// not a verified full path, so any process whose short name is "vb.exe"
// qualifies.
BOOLEAN IsProtectedProcessName(PEPROCESS eprocess)
{
    const char *imageName = GetProcessImageFileName(eprocess);
    return (_stricmp(kProtectedImageName, imageName) == 0) ? TRUE : FALSE;
}
    34 
    35     
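// Pre-operation callback for process handle create/duplicate requests.
// When the request targets the protected process (matched by image name) it
// clears PROCESS_TERMINATE from the access that will be granted; every other
// right, and every handle that is already open, is left untouched. The
// request itself is never failed.
//
// RegContext: the RegistrationContext given to ObRegisterCallbacks (NULL
//   in SelfProtection); unused.
// pOperationInformation: the request being filtered. Object is a PEPROCESS
//   whenever ObjectType is *PsProcessType.
// Returns: always OB_PREOP_SUCCESS.
OB_PREOP_CALLBACK_STATUS ProccessProtectCallBack(PVOID RegContext,
    POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    ACCESS_MASK *desiredAccess = NULL;

    UNREFERENCED_PARAMETER(RegContext);

    // Only process objects are filtered. The registration lists just
    // PsProcessType, but the guard stays in case that is ever widened.
    if (pOperationInformation->ObjectType != *PsProcessType)
    {
        return OB_PREOP_SUCCESS;
    }
    if (!IsProtectedProcessName((PEPROCESS)pOperationInformation->Object))
    {
        return OB_PREOP_SUCCESS;
    }

    // Parameters is a union keyed by Operation. The original read
    // CreateHandleInformation for a duplicate as well, which only worked
    // because the two members happen to share a prefix; use the right one.
    switch (pOperationInformation->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        desiredAccess = &pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        desiredAccess = &pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
        break;
    default:
        return OB_PREOP_SUCCESS;
    }

    // Clearing a bit that is not set is a no-op, so the original
    // "(OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE"
    // pre-check added nothing; the result is identical.
    *desiredAccess &= ~PROCESS_TERMINATE;
    return OB_PREOP_SUCCESS;
}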
    65 
    66 
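// Handle returned by ObRegisterCallbacks. It is the only way to undo the
// registration (ObUnRegisterCallbacks); the original discarded it, which
// made the filter impossible to remove for the lifetime of the system.
static PVOID g_ObCallbackHandle = NULL;

// Registers the pre-operation callback that strips PROCESS_TERMINATE from
// handle create/duplicate requests aimed at the protected process.
// Returns: the NTSTATUS from ObRegisterCallbacks (the original returned 0
//   unconditionally, so a failed registration looked like success).
// Side effects: sets g_ObCallbackHandle on success, leaves it NULL on failure.
NTSTATUS SelfProtection(void)
{
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg;
    NTSTATUS status;

    // sizeof(opReg), not sizeof(&opReg): the original zeroed only a
    // pointer's worth of opReg and left the remaining fields uninitialized.
    RtlZeroMemory(&obReg, sizeof(obReg));
    RtlZeroMemory(&opReg, sizeof(opReg));

    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&ProccessProtectCallBack;
    // PostOperation stays NULL (zeroed above): only the pre-operation hook is used.

    obReg.Version = ObGetFilterVersion();
    obReg.OperationRegistrationCount = 1;
    obReg.RegistrationContext = NULL;
    RtlInitUnicodeString(&obReg.Altitude, L"321124");
    obReg.OperationRegistration = &opReg;

    // Keep the protected process object from being opened with terminate access.
    status = ObRegisterCallbacks(&obReg, &g_ObCallbackHandle);
    if (!NT_SUCCESS(status))
    {
        g_ObCallbackHandle = NULL;
    }
    return status;
}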
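// Driver entry point. Sets bit 0x20 in this driver's loader entry (an
// undocumented flag the page does not explain; together with the EPROCESS
// offset it is what limits this code to x64 Win7), then installs the
// handle-access filter. A failed SelfProtection is now reported to the
// loader instead of being masked as success, so the driver does not stay
// resident believing it is protected. No DriverUnload is set, so the driver
// cannot be unloaded — unchanged from the original.
//
// MyDriver: this driver's DRIVER_OBJECT; DriverSection is read, never written.
// reg_path: registry path; unused.
// Returns: STATUS_SUCCESS, STATUS_UNSUCCESSFUL when DriverSection is NULL,
//   or the status SelfProtection reports.
NTSTATUS DriverEntry(PDRIVER_OBJECT MyDriver, PUNICODE_STRING reg_path)
{
    PLDR_DATA ldr;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(reg_path);

    // Guard the cast: the original dereferenced DriverSection unchecked.
    ldr = (PLDR_DATA)MyDriver->DriverSection;
    if (ldr == NULL)
    {
        return STATUS_UNSUCCESSFUL;
    }
    ldr->Flags |= 0x20;

    status = SelfProtection();
    if (!NT_SUCCESS(status))
    {
        return status;
    }
    return STATUS_SUCCESS;
}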
  • 原文地址:https://www.cnblogs.com/Ox9A82/p/5290118.html