#include <ntddk.h>
#define PROCESS_TERMINATE 1
#define PROCESS_VM_OPERATION 0x0008
#define PROCESS_VM_READ 0x0010
#define PROCESS_VM_WRITE 0x0020
typedef struct _LDR_DATA // 24 elements, 0xE0 bytes (sizeof)
{
struct _LIST_ENTRY InLoadOrderLinks; // 2 elements, 0x10 bytes (sizeof)
struct _LIST_ENTRY InMemoryOrderLinks; // 2 elements, 0x10 bytes (sizeof)
struct _LIST_ENTRY InInitializationOrderLinks; // 2 elements, 0x10 bytes (sizeof)
VOID* DllBase;
VOID* EntryPoint;
ULONG32 SizeOfImage;
UINT8 _PADDING0_[0x4];
struct _UNICODE_STRING FullDllName; // 3 elements, 0x10 bytes (sizeof)
struct _UNICODE_STRING BaseDllName; // 3 elements, 0x10 bytes (sizeof)
ULONG32 Flags;
}LDR_DATA, *PLDR_DATA;
NTSTATUS PsLookupProcessByProcessId(
HANDLE ProcessId,
PEPROCESS *Process
);
extern
UCHAR *PsGetProcessImageFileName(__in PEPROCESS Process);
char* GetProcessImageNameByProcessID(ULONG ulProcessID);
PVOID obCallbackHandle = NULL; // void* variable, the second perameter of ObRegisterCallbacks
NTSTATUS Unload(PDRIVER_OBJECT driver)
{
DbgPrint("unload driver");
if (obCallbackHandle)
ObUnRegisterCallbacks(obCallbackHandle);
return STATUS_SUCCESS;
}
OB_PREOP_CALLBACK_STATUS ProccessProtectCallBack(PVOID RegContext,
POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
HANDLE pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
char szProcName[260] = { 0 };
UNREFERENCED_PARAMETER(RegContext);
strcpy(szProcName, GetProcessImageNameByProcessID((ULONG)pid));
DbgPrint("HitProcess:%s", szProcName);
if (strstr(szProcName, "notepad.exe")) //改成你想保护的进程名
{
if (pOperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
{
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_OPERATION;
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_READ;
if ((pOperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_VM_WRITE;
}
}
return OB_PREOP_SUCCESS;
}
NTSTATUS Protect()
{
OB_CALLBACK_REGISTRATION obReg;
OB_OPERATION_REGISTRATION opReg;
memset(&obReg, 0, sizeof(obReg));
obReg.Version = ObGetFilterVersion();
obReg.OperationRegistrationCount = 1;
obReg.RegistrationContext = NULL;
RtlInitUnicodeString(&obReg.Altitude, L"321000");
memset(&opReg, 0, sizeof(opReg)); // init structure viriable
opReg.ObjectType = PsProcessType;
opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)&ProccessProtectCallBack; //set the callback routine pointer
obReg.OperationRegistration = &opReg; // bind
return ObRegisterCallbacks(&obReg, &obCallbackHandle); // register the callback routine
}
NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING RegPath)
{
DbgPrint("Driver Entry");
driver->DriverUnload = Unload;
PLDR_DATA ldr;
ldr = (PLDR_DATA)driver->DriverSection;
ldr->Flags |= 0x20;
Protect();
return STATUS_SUCCESS;
}
char*
GetProcessImageNameByProcessID(ULONG ulProcessID)
{
NTSTATUS Status;
PEPROCESS EProcess = NULL;
Status = PsLookupProcessByProcessId((HANDLE)ulProcessID, &EProcess); //EPROCESS
//通过句柄获取EProcess
if (!NT_SUCCESS(Status))
{
return FALSE;
}
ObDereferenceObject(EProcess);
//通过EProcess获得进程名称
return (char*)PsGetProcessImageFileName(EProcess);
}
任务管理器不能结束,记事本自己可以结束自己。