[C] 纯文本查看 复制代码 /*将系统服务表中的某个函数改成自己的函数,是任务管理器无法关闭它,只有点击自己的关闭按钮才可以额正
常关闭*/
#include <ntddk.h>
#include <ntstatus.h>
/*函数声明PsGetProcessImageFileName就可以使用了*/
NTKERNELAPI
UCHAR *
PsGetProcessImageFileName(
__in PEPROCESS Process
);
//定义一个宏,这个代表是NtTerminateProcess的服务号
#define NTTERMINATEPROCESS 0x101;
ULONG OldNtTerminateProcess;
typedef (*NTTERMINATE)(HANDLE ProcessHandle, NTSTATUS ExitStatus);
/*****************************************
***声明函数
*****************************************/
VOID PageProtectOn(VOID);
VOID PageProtectOff(VOID);
VOID HOOKNtTerminateProcess(VOID);
VOID UNHOOKNtTerminateProcess(VOID);
NTSTATUS NewNtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);//保护记事本不被任务管理器关闭
/*****************************************
***SSDT表
*****************************************/
typedef struct _KSYSTEM_SERVICE_TABLE
{
PULONG ServiceTableBase;
PULONG ServiceCounterTableBase;
ULONG NumberOfService;
PULONG ParamTableBase;
}KSYSTEM_SERVICE_TABLE, *PKSYSTEM_SERVICE_TABLE;
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
KSYSTEM_SERVICE_TABLE ntoskrnl;
KSYSTEM_SERVICE_TABLE win32k;
KSYSTEM_SERVICE_TABLE notUsed1;
KSYSTEM_SERVICE_TABLE notUsed2;
}KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
extern PKSERVICE_TABLE_DESCRIPTOR KeServiceDescriptorTable;
VOID DriverLoad(PDRIVER_OBJECT pDriver)
{
UNHOOKNtTerminateProcess();
DbgPrint("驱动已经被卸载了!\n");
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver,PUNICODE_STRING pReg)
{
HOOKNtTerminateProcess();
pDriver->DriverUnload = DriverLoad;
return STATUS_SUCCESS;
}
VOID PageProtectOn(VOID)
{
__asm
{
mov eax, cr0;
or eax, 0x10000;
mov cr0, eax;
sti;
}
}
VOID PageProtectOff(VOID)
{
__asm
{
cli;
mov eax, cr0;
and eax, not 0x10000;
mov cr0, eax;
}
}
VOID HOOKNtTerminateProcess(VOID)
{
PageProtectOff();
OldNtTerminateProcess = KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0x101];
KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0x101] = NewNtTerminateProcess;
PageProtectOn();
}
VOID UNHOOKNtTerminateProcess(VOID)
{
PageProtectOff();
KeServiceDescriptorTable->ntoskrnl.ServiceTableBase[0x101] = OldNtTerminateProcess;
PageProtectOn();
}
NTSTATUS NewNtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus)
{
PEPROCESS pEprocess;
NTSTATUS status;
PCHAR ImageFileName;
// 此API用法请看文档
/*setokenobjecttype*/
status = ObReferenceObjectByHandle(ProcessHandle, FILE_ANY_ACCESS, NULL, KernelMode, &pEprocess, NULL);
if (!NT_SUCCESS(status))
{
return status;//失败了
}
// 根据镜像文件名判断是不是要保护的进程,字符串最大长度是16,超过就会截断,所以不用担心越界
ImageFileName = (CHAR*)PsGetProcessImageFileName(pEprocess);//PsGetProcessImageFileName通过进程结构体获取进程的名字
if (!strcmp(ImageFileName, "notepad.exe"))
{
if (pEprocess != PsGetCurrentProcess())
{
DbgPrint("关闭已经被拒绝!\n");
return STATUS_ACCESS_DENIED;
}
}
return ((NTTERMINATE)OldNtTerminateProcess)(ProcessHandle, ExitStatus);
} |