;HOOK NtOpenProcess 保护指定进程
;Code:zzage
;From:[url]http://hi.baidu.com/zzage[/url]
.386
.model flat,stdcall
option casemap:none
include D:\RadASM\masm32\include\w2k\ntstatus.inc
include D:\RadASM\masm32\include\w2k\ntddk.inc
include D:\RadASM\masm32\include\w2k\ntoskrnl.inc
includelib D:\RadASM\masm32\lib\w2k\ntoskrnl.lib
include D:\RadASM\masm32\Macros\Strings.mac
; Prototype of the hooked service: four stdcall DWORD arguments, matching
; NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId).
_NTOPENPROCESS typedef proto :DWORD,:DWORD,:DWORD,:DWORD
NTOPENPROCESS typedef ptr _NTOPENPROCESS
.data
OldNtOpenProcess NTOPENPROCESS ? ; original service-table entry, saved by DriverEntry and written back by DriverUnload
dwNtOpenProcess_Addr dd ? ; address of the service-table slot that DriverEntry overwrites
dwImageFileNameOffset dd ? ; byte offset of ImageFileName inside EPROCESS, discovered at load time by GetImageFileNameOffset
.code
;-----------------------------------------------------------------------
; DWORD GetImageFileNameOffset(void)
; Finds the byte offset of EPROCESS.ImageFileName by scanning the current
; process's EPROCESS for the string "system" (case-insensitive, 6 bytes)
; within its first 1000h bytes.
; ABI:   stdcall, no arguments
; Out:   eax = offset of the match, or 0 if nothing matched
; Uses:  esi = EPROCESS base, ebx = candidate offset (both preserved via `uses`)
; NOTE(review): assumes the process current at call time (DriverEntry) is
; the System process, so that its image name reads "System" — TODO confirm.
; A 0 result is ambiguous (0 is also a legal offset) and DriverEntry stores
; it without checking.
;-----------------------------------------------------------------------
GetImageFileNameOffset proc uses esi ebx ; find the ImageFileName offset inside the EPROCESS structure
invoke IoGetCurrentProcess
mov esi, eax ; esi = current EPROCESS
xor ebx, ebx ; ebx = candidate offset, starting at 0
.while ebx < 1000h
lea eax, [esi+ebx]
invoke _strnicmp, eax, $CTA0("system"), 6 ; eax = 0 on a match; near 1000h this compares a few bytes past the scanned window
.break .if eax == 0
inc ebx
.endw
; eax still holds the last _strnicmp result: it is 0 only if the loop broke on a match.
.if eax == 0
mov eax, ebx
.else
xor eax, eax ; not found
.endif
ret
GetImageFileNameOffset endp
;-----------------------------------------------------------------------
; NTSTATUS MyNtOpenProcess(hProcess, DesiredAccess, pObjectAttributes, pClientId)
; Replacement installed in the NtOpenProcess service-table slot by DriverEntry.
; Looks up the target EPROCESS from pClientId->UniqueProcess and, if its
; ImageFileName starts with "notepad" (case-insensitive), fails the call with
; STATUS_ACCESS_DENIED; otherwise forwards every argument to the saved
; original (OldNtOpenProcess) and returns its status.
; ABI:   stdcall, four arguments (untyped MASM params default to DWORD)
; Out:   eax = NTSTATUS
; Defects visible here (left as-is, documented for the reader):
;  - esi is modified but not listed in `uses`; under stdcall esi is
;    callee-saved, so the caller's esi is clobbered.
;  - PsLookupProcessByProcessId returns a referenced EPROCESS and its
;    documented contract requires ObDereferenceObject; no dereference is
;    done here, so every successful lookup leaks a process reference.
;  - pClientId is dereferenced without a NULL/validity check while running
;    in kernel mode on a caller-supplied pointer.
;  - only 7 bytes are compared, so any image name beginning with "notepad"
;    matches, not just "notepad.exe".
;-----------------------------------------------------------------------
MyNtOpenProcess proc hProcess,DesiredAccess,pObjectAttributes,pClientId
local lpEPROCESS:PVOID ; receives the EPROCESS pointer of the process being opened
mov ecx,pClientId
assume ecx:ptr CLIENT_ID
invoke PsLookupProcessByProcessId,[ecx].UniqueProcess,addr lpEPROCESS ; look up the EPROCESS of the process being opened
assume ecx:nothing
.if eax == STATUS_SUCCESS
mov esi,lpEPROCESS
add esi,dwImageFileNameOffset ; esi -> EPROCESS.ImageFileName (offset discovered at load time)
invoke _strnicmp, esi, $CTA0("notepad.exe"),7 ; is the target the protected process? (only the first 7 bytes are compared)
.if eax==0
mov eax,STATUS_ACCESS_DENIED ; target is the protected process: refuse the open
ret
.endif
.endif
invoke OldNtOpenProcess,hProcess,DesiredAccess,pObjectAttributes,pClientId ; not the protected process: forward to the original NtOpenProcess
ret
MyNtOpenProcess endp
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Writes OldNtOpenProcess back into the service-table slot recorded in
; dwNtOpenProcess_Addr, undoing the hook installed by DriverEntry.
; Write protection is lifted by toggling CR0 bit 16 (WP) around the store.
; NOTE(review): `xor` toggles rather than clears WP, so this relies on WP
; being set on entry; cli/sti only mask interrupts on the current
; processor, so on a multiprocessor system other CPUs are unaffected and
; nothing here serialises against concurrent users of the slot. The saved
; value is written back unconditionally, so any other hook installed in the
; same slot after this driver loaded would be silently discarded.
; pDriverObject is not used.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
pushad ; preserve all general registers (esi is modified below)
invoke DbgPrint,$CTA0("卸载成功\n") ; "unload succeeded"
cli
mov eax,cr0
xor eax,10000h ; toggle CR0.WP (bit 16) so the read-only service table can be written
mov cr0,eax
mov esi,dwNtOpenProcess_Addr
mov eax,OldNtOpenProcess
mov dword ptr[esi],eax ; restore the original NtOpenProcess entry
mov eax, cr0
xor eax,10000h ; toggle CR0.WP back
mov cr0, eax
sti
popad
ret
DriverUnload endp
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
; Locates the NtOpenProcess entry in the system service table and replaces
; it with MyNtOpenProcess, saving the original in OldNtOpenProcess and the
; slot address in dwNtOpenProcess_Addr; then registers DriverUnload.
; Out:   eax = STATUS_SUCCESS (always; there is no failure path)
; Steps: 1. discover EPROCESS.ImageFileName offset (stored unchecked, a 0
;           result is treated like any other offset);
;        2. read KeServiceDescriptorTable -> ServiceTableBase;
;        3. take the service index from the ZwOpenProcess stub;
;        4. swap the slot with CR0.WP toggled.
; NOTE(review): step 3 reads the byte after the stub's first opcode, which
; presumes the stub begins with `mov eax, imm32` and that the index fits in
; one byte — confirm for the targeted build. MmGetSystemRoutineAddress may
; return 0 and is not checked. The CR0/cli caveats noted on DriverUnload
; apply here too. pRegistryPath is not used.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT,pRegistryPath:PUNICODE_STRING
pushad ; preserve all general registers; eax is set after popad so the return value survives
invoke DbgPrint,$CTA0("安装成功\n") ; "install succeeded"
invoke GetImageFileNameOffset
mov dwImageFileNameOffset,eax ; store the EPROCESS.ImageFileName offset (0 = not found, not checked)
mov eax,KeServiceDescriptorTable ; per the original comment: eax = address of KeServiceDescriptorTable (depends on how ntoskrnl.inc declares the symbol)
mov esi,[eax]
mov esi,[esi] ; esi = KeServiceDescriptorTable->ServiceTableBase
invoke MmGetSystemRoutineAddress,$CCOUNTED_UNICODE_STRING("ZwOpenProcess") ; eax = address of the ZwOpenProcess stub (unchecked; may be 0)
inc eax
movzx ecx,byte ptr[eax] ; ecx = NtOpenProcess service index, read as a single byte from the stub's immediate
sal ecx,2 ; index * 4 = byte offset of the dword slot
add esi,ecx
mov dwNtOpenProcess_Addr,esi ; remember the slot address for DriverUnload
mov edi,dword ptr[esi]
mov OldNtOpenProcess,edi ; save the original NtOpenProcess entry
invoke DbgPrint,$CTA0("OldNtOpenProcess: %X \n"),OldNtOpenProcess
mov edi,offset MyNtOpenProcess
cli
mov eax,cr0
xor eax,10000h ; toggle CR0.WP (bit 16) so the service table can be written
mov cr0,eax
mov dword ptr[esi],edi ; replace the entry with MyNtOpenProcess
mov eax, cr0
xor eax,10000h ; toggle CR0.WP back
mov cr0, eax
sti
invoke DbgPrint,$CTA0("MyNtOpenProcess: %X \n"),offset MyNtOpenProcess
mov esi,pDriverObject
mov [esi+34h],offset DriverUnload ; set the unload routine; the hard-coded 34h is presumably DRIVER_OBJECT.DriverUnload — a named field would be safer
popad
mov eax,STATUS_SUCCESS
ret
DriverEntry endp
end DriverEntry