windows驱动 - 进程回调

0x00 函数

ObRegisterCallbacks()  //为线程、进程和桌面句柄操作注册回调例程列表

ObUnRegisterCallbacks()  //卸载回调的注册

0x01 代码

//打印哪些进程在操作cmd进程的句柄

#include <wdm.h>

// Undocumented kernel export: returns a pointer to the process's image file
// name as stored in the EPROCESS (NUL-terminated ANSI; presumably a short,
// truncated name — verify the length against the target build before relying
// on it for anything stronger than logging).
PCHAR PsGetProcessImageFileName(PEPROCESS Process);

// Substring that the target process image name is matched against (strstr),
// so "cmd" also matches any other image whose name contains "cmd".
#define ProcessName "cmd"

// Partial, hand-declared copy of the kernel loader's module entry
// (DRIVER_OBJECT->DriverSection points at one). This layout is undocumented
// and version-dependent; only Flags is touched here (DriverEntry ORs 0x20
// into it), so the fields after Flags are omitted.
typedef struct _LDR_DATA_TABLE_ENTRY
{
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    PVOID      DllBase;
    PVOID      EntryPoint;
    // NOTE(review): this field is believed to be a 32-bit ULONG in the real
    // structure. Declaring it UINT64 keeps Flags at the expected offset on
    // x64 only because of alignment padding before FullDllName; on x86 it
    // would shift FullDllName/BaseDllName/Flags by 4 bytes — confirm before
    // building 32-bit.
    UINT64    SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    INT Flags;    // loader flags; bit 0x20 is the one DriverEntry sets
}LDR_DATA_TABLE_ENTRY, * PLDR_DATA_TABLE_ENTRY;

//https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nc-wdm-pob_pre_operation_callback
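// Pre-operation callback for process handle create / duplicate requests.
//
// When the target process image name contains ProcessName ("cmd"), logs via
// DbgPrint which process is requesting the handle, which kind of operation it
// is, whether it is a kernel handle, and the requested access mask.  The
// request itself is never modified and OB_PREOP_SUCCESS is always returned,
// so nothing is blocked; the disabled lines below show where DesiredAccess
// could be masked to deny access.
//
// RegistrationContext: the value given in OB_CALLBACK_REGISTRATION (0 here, unused).
// OperationInformation: the pending handle operation; Object is an EPROCESS
//   because only PsProcessType is registered.
// Returns: OB_PREOP_SUCCESS.
OB_PREOP_CALLBACK_STATUS PobPreOperationCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_pre_operation_information
    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_pre_operation_parameters
    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_pre_create_handle_information

    PCHAR TargetProcessName = NULL;    // image name of the process being opened
    PCHAR SourceProcessName = NULL;    // image name of the process issuing the request
    const char *OperationName = NULL;  // "create" or "duplicate", for the log line
    ACCESS_MASK DesiredAccess = 0;     // access requested for the new handle

    (void)RegistrationContext;

    TargetProcessName = PsGetProcessImageFileName(OperationInformation->Object);
    if (TargetProcessName == NULL)
    {
        return OB_PREOP_SUCCESS;
    }

    // Substring filter: "cmd" matches "cmd.exe" but also any other image whose
    // name contains "cmd".  Use an exact comparison if that matters.
    if (strstr(TargetProcessName, ProcessName) == NULL)
    {
        return OB_PREOP_SUCCESS;
    }

    // The callback runs on the thread performing the handle operation, so the
    // current process is the requester.
    SourceProcessName = PsGetProcessImageFileName(IoGetCurrentProcess());

    // Parameters is a union of the create and duplicate structures; the original
    // code read both members regardless of Operation and so printed the same
    // value twice.  Select the member that matches the operation instead.
    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        OperationName = "create";
        DesiredAccess = OperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
    }
    else
    {
        OperationName = "duplicate";
        DesiredAccess = OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
    }

    // Deny example (intentionally disabled): clearing DesiredAccess here would
    // make the open/duplicate fail, e.g. to stop Taskmgr.exe from terminating
    // cmd.exe.  NOTE(review): before enabling this, decide how to treat requests
    // with KernelHandle set and the target process opening itself, and prefer
    // masking only the rights of interest (e.g. PROCESS_TERMINATE) over zeroing
    // the whole mask — confirm against the ObRegisterCallbacks guidance.
    //    OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
    //    OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;

    //https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
    DbgPrint("PobPreOperationCallback <%s> %s handle to <%s> | KernelHandle=%u DesiredAccess=<%x>",
        SourceProcessName, OperationName, TargetProcessName,
        (unsigned)OperationInformation->KernelHandle, DesiredAccess);

    return OB_PREOP_SUCCESS;
}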

//https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nc-wdm-pob_post_operation_callback
// Post-operation callback placeholder.  DriverEntry does not register it
// (PostOperation is left NULL), and it deliberately does nothing.
//
// RegistrationContext: the value given in OB_CALLBACK_REGISTRATION (unused).
// OperationInformation: the completed handle operation (unused).
void PobPostOperationCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation)
{
    (void)RegistrationContext;
    (void)OperationInformation;
}

PVOID RegistrationHandle = NULL;    // returned by ObRegisterCallbacks in DriverEntry; released in DriverUnload

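// Driver unload routine: removes the object callback registered in DriverEntry.
//
// DriverObjec: this driver's object (unused).
void DriverUnload(PDRIVER_OBJECT DriverObjec)
{
    (void)DriverObjec;

    DbgPrint("DriverUnload");

    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obunregistercallbacks
    // Only a handle returned by a successful ObRegisterCallbacks may be passed
    // to ObUnRegisterCallbacks.  Guard against a NULL handle and clear it after
    // use so a repeated unregister is a no-op rather than a double free.
    if (RegistrationHandle != NULL)
    {
        ObUnRegisterCallbacks(RegistrationHandle);
        RegistrationHandle = NULL;
    }

    return;
}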

/*

Related APIs and structures used or referenced here:

OB_CALLBACK_REGISTRATION
OB_OPERATION_REGISTRATION
ObGetFilterVersion
ObRegisterCallbacks
ObUnRegisterCallbacks
PsGetProcessImageFileName

*/

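// Driver entry point: registers a pre-operation callback for process handle
// create and duplicate operations.
//
// DriverObject: this driver's object; DriverUnload is installed on it.
// ReigtryPath: the driver's registry service key (unused).
// Returns: the status of ObRegisterCallbacks.  On failure the loader unloads
//   the driver without calling DriverUnload, and RegistrationHandle stays NULL.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING ReigtryPath)
{
    NTSTATUS status = STATUS_SUCCESS;
    PLDR_DATA_TABLE_ENTRY ldr = NULL;

    (void)ReigtryPath;

    DriverObject->DriverUnload = DriverUnload;

    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_operation_registration
    OB_OPERATION_REGISTRATION OperationRegistration = { 0 };
    OperationRegistration.ObjectType = PsProcessType;    // process objects only
    OperationRegistration.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE; // fire on handle open and duplicate
    OperationRegistration.PreOperation = PobPreOperationCallback;    // runs before the handle is created/duplicated
    OperationRegistration.PostOperation = NULL;    // PobPostOperationCallback exists but is intentionally not registered

    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/ns-wdm-_ob_callback_registration
    OB_CALLBACK_REGISTRATION CallbackRegistration = { 0 };
    CallbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;    // registration structure version
    CallbackRegistration.OperationRegistrationCount = 1;    // one entry in the array below
    CallbackRegistration.RegistrationContext = 0;    // handed to the callback as RegistrationContext; unused
    CallbackRegistration.OperationRegistration = &OperationRegistration;    // array of OB_OPERATION_REGISTRATION
    // NOTE(review): Altitude is left zeroed.  The documented registration
    // supplies a numeric altitude string (e.g. via RtlInitUnicodeString);
    // confirm the target build accepts an empty altitude, and set one if
    // ObRegisterCallbacks fails with an altitude-related status.

    // ObRegisterCallbacks rejects callbacks from images that were not linked
    // with /INTEGRITYCHECK (and signed accordingly).  Setting bit 0x20 on this
    // driver's loader entry by hand is a widely used workaround that makes the
    // check pass without linking correctly.  It is not a supported interface:
    // the LDR_DATA_TABLE_ENTRY layout above is undocumented and partial, so
    // this can silently corrupt the loader entry on a different OS build or
    // architecture.  Prefer building with /INTEGRITYCHECK.  (The original
    // comment called this bit "ProcessStaticImport"; that name is unconfirmed.)
    ldr = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
    if (ldr != NULL)
    {
        ldr->Flags |= 0x20;
    }

    //https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/wdm/nf-wdm-obregistercallbacks
    status = ObRegisterCallbacks(&CallbackRegistration, &RegistrationHandle);

    DbgPrint("DriverEntry End status:%x ", status);

    return status;
}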
