vc++实现内核级进程保护

最新推荐文章于 2023-12-04 11:27:25 发布

wind0513

最新推荐文章于 2023-12-04 11:27:25 发布

阅读量2k

点赞数

CC 4.0 BY-SA版权

文章标签： vc++ service null attributes access path

本文链接：https://blog.youkuaiyun.com/wind0513/article/details/5340990

这篇博客介绍了一个使用VC++实现的内核级进程保护机制。通过修改SSDT表，替换`ZwOpenProcess`函数，阻止对特定进程的访问，以此达到保护核心代码的目的。在驱动卸载时，会恢复SSDT表的原始状态。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

保护核心代码

#include "ntddk.h"

#define NT_DEVICE_NAME L"//Device//ProtectProcess"
#define DOS_DEVICE_NAME L"//DosDevices//ProtectProcess"

#define IOCTL_PROTECT_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

NTSTATUS DispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);

#pragma pack(1) //SSDT表的结构
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase; //Used only in checked build
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable; //变量名是不能变的,因为是从外部导入
//这个是查询某个函数的地址的一个宏
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]

NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);

ZWOPENPROCESS OldZwOpenProcess;
long pid = -1;

NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL)
{
//用来替换的新函数
NTSTATUS nStatus = STATUS_SUCCESS;
if((long)ClientId->UniqueProcess == pid)
{
DbgPrint("保护进程 PID:%ld/n",pid);
return STATUS_ACCESS_DENIED;
}

//剩下的交给我们的原函数
nStatus = OldZwOpenProcess(ProcessHandle,