
进程防火墙驱动开发的再次挖掘(2)


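/*
 * Decide whether a newly created process should be intercepted.
 *
 * StartProcessPath: writable, NUL-terminated image path of the new process.
 *                   It is lowercased IN PLACE by _strlwr (the caller's buffer
 *                   is modified).
 * Returns TRUE  when the first matching rule carries the marker '0'
 *         ("intercept"), FALSE when it carries '1' ("leave alone"), when no
 *         rule matches, or when the path is NULL.
 *
 * Matching is a plain substring search (strstr) against pRule->ProcessName,
 * and the first rule that matches wins. Two consequences a deployer should
 * know: (1) a rule name that appears anywhere in the path - e.g. as a
 * directory name chosen by the attacker - satisfies the match, so rule order
 * decides the outcome; (2) rule names presumably have to be stored lowercase
 * or they can never match the lowercased path - TODO confirm where rules are
 * loaded.
 */
BOOLEAN IsNotProtect(IN PCHAR StartProcessPath)
{
    PCHAR LowProcessFullPath;
    KIRQL oldirql;
    PPROCESS_RULE pRule;
    BOOLEAN result = FALSE;

    /* strstr on NULL would crash the kernel; treat "no path" as "not intercepted". */
    if (StartProcessPath == NULL)
        return result;

    /* Lowercase before taking the spin lock so no CRT string call runs while
     * the IRQL is raised. */
    LowProcessFullPath = _strlwr(StartProcessPath);

    /* The list head is read only while holding the lock: the original read
     * g_policyRule before acquiring it, racing any concurrent rule update. */
    oldirql = KfAcquireSpinLock(&MySpinLock);
    for (pRule = g_policyRule; pRule != NULL; pRule = pRule->Next)
    {
        if (strstr(LowProcessFullPath, &pRule->ProcessName[0]) == NULL)
            continue;

        /* First match wins. The marker is an ASCII digit: '0' (0x30) means
         * intercept, '1' (0x31) means allow; any other value leaves result
         * FALSE, exactly as the original did. */
        if (pRule->IsNotProtected == '0')
            result = TRUE;
        else if (pRule->IsNotProtected == '1')
            result = FALSE;
        break;
    }
    KfReleaseSpinLock(&MySpinLock, oldirql);

    return result;
}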
//修改 PE 的 OEP 入口地址来拦截进程
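/*
 * Neutralise a process by overwriting the first bytes of its PE entry point
 * (OEP) with the stub in pacthcode.
 *
 * PId: process id of the target (already created, not yet running its OEP).
 * Returns STATUS_SUCCESS only when the patch was actually written; any
 *         lookup, open, query or header-validation failure returns a failure
 *         status so the caller falls back to terminating the process
 *         (fail closed).
 *
 * Changes versus the original listing:
 *  - garbled identifiers repaired and the missing `status =` on the
 *    ZwQueryInformationProcess call restored;
 *  - every error path now releases the EPROCESS reference and the handle
 *    (the original leaked both when the open or query failed);
 *  - a NULL PEB no longer returns the query's success status without
 *    patching anything (the caller would have logged "PATCH OK");
 *  - MZ/PE signatures, e_lfanew and the entry RVA are validated before they
 *    are used as offsets, since all of them come from memory the target
 *    process controls;
 *  - the handle is opened with PROCESS_QUERY_INFORMATION only, which is all
 *    ZwQueryInformationProcess needs (the protect/write happens through the
 *    current-process pseudo-handle while attached);
 *  - the protection restore passes a real out-pointer instead of NULL.
 *
 * NOTE(review): ProbeForRead only checks that a range lies in user space;
 * it does not guarantee the pages are mapped. A crafted PEB or image header
 * can therefore still fault and bugcheck the machine. The whole attached
 * section must be wrapped in __try/__except (STATUS_ACCESS_VIOLATION ->
 * cleanup with a failure status) in the shipping driver.
 *
 * NOTE(review): the PEB offset 0x08 for ImageBaseAddress and the PULONG
 * pointer arithmetic are the 32-bit (x86) layout only.
 *
 * NOTE(review): patching the OEP only stops execution that starts at the
 * image entry point; TLS callbacks and DllMain of statically imported
 * modules still run before it, so this is containment, not isolation.
 */
NTSTATUS PatchProcessEntry(IN HANDLE PId)
{
    NTSTATUS status;
    PEPROCESS EProcess = NULL;
    HANDLE ProcessHandle = NULL;
    PROCESS_BASIC_INFORMATION ProcessInformation;
    PULONG Peb;
    PULONG ImageBaseAddress;
    ULONG e_lfanew;
    PULONG PeHeader;
    ULONG AddressOfEntryPointer_RVA;
    PULONG OEP_VA;
    PULONG tempaddress;
    ULONG MemSize;
    ULONG OldProtect;
    ULONG RestoredProtect;
    ULONG Attached = 0;

    /* PsLookupProcessByProcessId takes the HANDLE itself; the original cast
     * it to ULONG, which truncates on 64-bit builds. */
    status = PsLookupProcessByProcessId(PId, &EProcess);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("PsLookupProcessByProcessId  Failed!\n");
        return status;
    }

    /* Least privilege: the handle is only used for ZwQueryInformationProcess. */
    status = ObOpenObjectByPointer((PVOID)EProcess, OBJ_KERNEL_HANDLE, NULL,
                                   PROCESS_QUERY_INFORMATION, NULL, KernelMode,
                                   &ProcessHandle);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ObOpenObjectByPointer  Failed!\n");
        goto cleanup;
    }

    status = ZwQueryInformationProcess(ProcessHandle, ProcessBasicInformation,
                                       &ProcessInformation,
                                       sizeof(PROCESS_BASIC_INFORMATION), NULL);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("ZwQueryInformationProcess Failed!\n");
        goto cleanup;
    }

    /* No PEB means nothing can be patched: report failure so the caller
     * terminates instead of believing the process was neutralised. */
    if (ProcessInformation.PebBaseAddress == NULL)
    {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }
    Peb = ProcessInformation.PebBaseAddress;

    /* Switch address space so user-mode pointers of the target resolve. */
    KeAttachProcess(EProcess);
    Attached = 1;

    /* --- everything below reads memory the target process controls --- */

    ProbeForRead(Peb, 0x10, 1);
    ImageBaseAddress = *(PULONG)((PBYTE)Peb + 0x08);   /* PEB->ImageBaseAddress (x86) */
    if (ImageBaseAddress == NULL)
    {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    /* Covers e_magic (0x00) and e_lfanew (0x3C..0x3F). */
    ProbeForRead(ImageBaseAddress, 0x60, 1);
    if (((PBYTE)ImageBaseAddress)[0] != 'M' || ((PBYTE)ImageBaseAddress)[1] != 'Z')
    {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    /* e_lfanew is attacker-controlled: bound it so PeHeader stays inside the
     * first page of the mapped image, where the loader itself requires the
     * NT headers to be. 0x1000 is the x86 page size, 0x40 the bytes read below. */
    e_lfanew = *(PULONG)((PBYTE)ImageBaseAddress + 0x3C);
    if (e_lfanew > 0x1000u - 0x40u)
    {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    PeHeader = (ULONG *)((PBYTE)ImageBaseAddress + e_lfanew);
    ProbeForRead(PeHeader, 0x40, 1);
    if (*PeHeader != 0x00004550u)                      /* "PE\0\0" */
    {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    /* OptionalHeader.AddressOfEntryPoint sits at NT header + 0x28. An RVA of
     * 0 means "no entry point"; patching base+0 would trash the MZ header. */
    AddressOfEntryPointer_RVA = *(PULONG)((PBYTE)PeHeader + 0x28);
    if (AddressOfEntryPointer_RVA == 0)
    {
        status = STATUS_UNSUCCESSFUL;
        goto cleanup;
    }

    OEP_VA = (ULONG *)((PBYTE)ImageBaseAddress + AddressOfEntryPointer_RVA);
    ProbeForRead(OEP_VA, 0x20, 1);

    /* Make the entry page writable. 0xFFFFFFFF is the current-process
     * pseudo-handle, valid only because we are attached to the target.
     * tempaddress/MemSize are rounded to page bounds by the call and reused
     * for the restore below. */
    MemSize = 0x20;
    tempaddress = OEP_VA;
    status = g_ZwProtectVirtualMemory(0xFFFFFFFF, &tempaddress, &MemSize,
                                      PAGE_READWRITE, &OldProtect);
    if (!NT_SUCCESS(status))
        goto cleanup;

    /* Write the stub. pacthcode is defined elsewhere; the original copied 5
     * bytes, but a `mov eax,0 ; ret` stub is 6 bytes (B8 00 00 00 00 C3) -
     * TODO confirm the length against pacthcode's definition. */
    memcpy((PCHAR)OEP_VA, (PCHAR)&pacthcode[0], 5);

    /* Restore the original protection. The original passed NULL for the
     * OldProtect out-parameter, which the call writes through. */
    g_ZwProtectVirtualMemory(0xFFFFFFFF, &tempaddress, &MemSize, OldProtect,
                             &RestoredProtect);
    status = STATUS_SUCCESS;

cleanup:
    if (Attached)
        KeDetachProcess();
    if (ProcessHandle != NULL)
        ZwClose(ProcessHandle);
    if (EProcess != NULL)
        ObfDereferenceObject(EProcess);
    return status;
}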
//进程监控回调函数
VOID ProcessCreateMon(IN HANDLE hParentId,IN HANDLE PId,IN BOOLEAN bCreate)
{
ULONG  ulCurrentProcessId; NTSTATUS  status;
HANDLE hProcess=NULL;
ANSI_STRING pImageName; PCHAR outbuf;
ULONG outlen;
PEPROCESS  EProcess=NULL; HANDLE handle=0;
if ( bCreate )
{
if ( PId != 4 && PId != 8)
{
RtlInitAnsiString(&pImageName,"test"); GetProcPath(PId,&pImageName); outbuf=(PCHAR)pImageName.Buffer; outlen=pImageName.Length+1; PsLookupProcessByProcessId((ULONG)PId, &EProcess);
DbgPrint("CREATE PROCESS = PROCESS Path: %s , PROCESS PARENTID: %d, PROCESS ID: %d, PROCESS ADDRESS %x:\n",
outbuf,
hParentId, PId, EProcess);
if ( IsNotProtect(outbuf) )
{
if (NT_SUCCESS(PatchProcessEntry(PId)))
{
DbgPrint( "PATCH Process == PROCESS ID: %d OK\n", PId);
}
else
{
Status
=
ObOpenObjectByPointer((PVOID)EProcess,OBJ_KERNEL_HANDLE,NULL,PROCESS_ALL_AC CESS,NULL,KernelMode,&handle);
if (NT_SUCCESS(status))
status = ZwTerminateProcess(handle,STATUS_SUCCESS);
if (NT_SUCCESS(status))
DbgPrint( "ARREST == PROCESS ID: %d OK\n", PId);
}
}
}
}
else
 
