
进程自我保护 适用于WIN7 X64



 1 //进程自我保护,注意只有X64 WIN7可用
 2 #include <ntddk.h>
 3 #define PROCESS_TERMINATE 1
/*
 * Hand-copied prefix of the kernel's driver loader data table entry, reached
 * through DRIVER_OBJECT.DriverSection in DriverEntry. The only member this
 * file touches is Flags.
 *
 * The trailing comment below claims 24 elements / 0xE0 bytes, but only 10
 * members are declared here, so this is a truncated prefix: never use
 * sizeof(LDR_DATA) to allocate or copy a real entry. The layout is private
 * to the kernel build this file targets (Win7 x64 per the file header);
 * confirm the Flags offset against that build's symbols before relying on it.
 */
typedef struct _LDR_DATA                                     // 24 elements, 0xE0 bytes (sizeof)
{
    struct _LIST_ENTRY InLoadOrderLinks;                     // 2 elements, 0x10 bytes (sizeof)
    struct _LIST_ENTRY InMemoryOrderLinks;                   // 2 elements, 0x10 bytes (sizeof)
    struct _LIST_ENTRY InInitializationOrderLinks;           // 2 elements, 0x10 bytes (sizeof)
    VOID*        DllBase;
    VOID*        EntryPoint;
    ULONG32      SizeOfImage;
    UINT8        _PADDING0_[0x4];                            // explicit pad so FullDllName stays 8-byte aligned on x64
    struct _UNICODE_STRING FullDllName;                      // 3 elements, 0x10 bytes (sizeof)
    struct _UNICODE_STRING BaseDllName;                      // 3 elements, 0x10 bytes (sizeof)
    ULONG32      Flags;                                      // written by DriverEntry (|= 0x20); meaning of the bit is undocumented
}LDR_DATA, *PLDR_DATA;
17 
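/*
 * PsGetProcessImageFileName is exported by ntoskrnl but not declared in the
 * public WDK headers; declare it here so the build resolves it.
 */
NTKERNELAPI PUCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

/*
 * Returns the short image file name stored in the process object.
 *
 * The original computed (char *)Process + 0x16c. That offset is specific to
 * one kernel build and architecture and silently reads the wrong bytes on
 * any other, so the kernel's own exported accessor is used instead.
 *
 * Process - process object; NULL yields NULL.
 *
 * Returns a pointer into the process object (not owned by the caller, valid
 * only while the object is referenced). The field is a short fixed-size
 * buffer holding only the base image name, so callers must compare with a
 * bounded routine rather than assume NUL termination.
 */
char* GetProcessImageFileName(PEPROCESS Process)
{
    if (Process == NULL) {
        return NULL;
    }
    return (char *)PsGetProcessImageFileName(Process);
}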
24 
25 
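/* Base image name this driver protects; compared case-insensitively. */
static const char PROTECTED_IMAGE_NAME[] = "vb.exe";

/*
 * Upper bound for the compare. The kernel's ImageFileName field is a short
 * fixed-size buffer (15 bytes in the publicly documented layouts -- confirm
 * for the targeted build); it is not guaranteed NUL-terminated for long
 * names, so the original unbounded _stricmp could read past it.
 */
#define IMAGE_FILE_NAME_MAX 15

/*
 * Reports whether eprocess is the process this driver protects.
 *
 * eprocess - process object whose image name is examined.
 *
 * Returns TRUE when the image name matches PROTECTED_IMAGE_NAME ignoring
 * case, FALSE otherwise (including when no name can be read).
 */
BOOLEAN IsProtectedProcessName(PEPROCESS eprocess)
{
    const char *Name = GetProcessImageFileName(eprocess);

    if (Name == NULL) {
        return FALSE;
    }
    /* Bounded, case-insensitive compare; a NUL-terminated name shorter than
       the bound behaves exactly as the original _stricmp did. */
    return (_strnicmp(Name, PROTECTED_IMAGE_NAME, IMAGE_FILE_NAME_MAX) == 0) ? TRUE : FALSE;
}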
34 
35     
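/*
 * Pre-operation callback for process handle create/duplicate.
 *
 * For a protected process (see IsProtectedProcessName) it clears
 * PROCESS_TERMINATE from the access the caller will receive. Every other
 * requested right passes through unchanged: only termination is filtered.
 *
 * RegContext            - registration context (NULL in SelfProtection);
 *                         unused.
 * pOperationInformation - describes the handle operation being filtered.
 *
 * Returns OB_PREOP_SUCCESS in every case; a pre-operation callback adjusts
 * DesiredAccess rather than failing the operation.
 */
OB_PREOP_CALLBACK_STATUS ProccessProtectCallBack(PVOID RegContext,
    POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    UNREFERENCED_PARAMETER(RegContext);

    if (pOperationInformation->ObjectType != *PsProcessType) {
        return OB_PREOP_SUCCESS;
    }
    if (!IsProtectedProcessName((PEPROCESS)pOperationInformation->Object)) {
        return OB_PREOP_SUCCESS;
    }

    /* Clearing a bit that is not set is a no-op, so the original's
       "if OriginalDesiredAccess has the bit" test is unnecessary. */
    switch (pOperationInformation->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* The original read CreateHandleInformation for duplicates as well;
           the union member that belongs to this operation is
           DuplicateHandleInformation. */
        pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~PROCESS_TERMINATE;
        break;
    default:
        break;
    }
    return OB_PREOP_SUCCESS;
}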
65 
66 
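/*
 * Handle returned by ObRegisterCallbacks(). Retained so an unload path can
 * pass it to ObUnRegisterCallbacks(); the original discarded it, which left
 * the registration impossible to undo.
 */
static PVOID g_ProtectionCallbackHandle = NULL;

/*
 * Registers ProccessProtectCallBack as a pre-operation callback for process
 * handle create and duplicate operations.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks(). The original always
 * returned 0, so a failed registration left the driver running unprotected
 * without any signal to DriverEntry.
 */
NTSTATUS SelfProtection(void)
{
    NTSTATUS status;
    OB_CALLBACK_REGISTRATION obReg;
    OB_OPERATION_REGISTRATION opReg;

    /* sizeof(opReg), not sizeof(&opReg): the original zeroed only a
       pointer's worth of the structure and left the rest uninitialised. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    /* Signature already matches POB_PRE_OPERATION_CALLBACK; no cast needed. */
    opReg.PreOperation = ProccessProtectCallBack;
    opReg.PostOperation = NULL;

    memset(&obReg, 0, sizeof(obReg));
    obReg.Version = ObGetFilterVersion();
    obReg.OperationRegistrationCount = 1;
    obReg.RegistrationContext = NULL;
    RtlInitUnicodeString(&obReg.Altitude, L"321124");
    obReg.OperationRegistration = &opReg;

    /* Keep our own process object from being opened with terminate rights. */
    status = ObRegisterCallbacks(&obReg, &g_ProtectionCallbackHandle);
    if (!NT_SUCCESS(status)) {
        g_ProtectionCallbackHandle = NULL;
    }
    return status;
}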
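/*
 * Driver entry point: marks the driver's loader entry and installs the
 * process-handle callback.
 *
 * MyDriver - driver object from the I/O manager; its DriverSection is
 *            reinterpreted as the partial LDR_DATA layout declared above.
 * reg_path - service registry path; unused.
 *
 * Returns STATUS_SUCCESS, or the status from SelfProtection() so a driver
 * that could not install its callback does not load silently without it.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT MyDriver, PUNICODE_STRING reg_path)
{
    PLDR_DATA ldr;

    UNREFERENCED_PARAMETER(reg_path);

    ldr = (PLDR_DATA)MyDriver->DriverSection;
    if (ldr == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    /*
     * Writes an undocumented bit into the driver's own loader entry. The
     * file gives no rationale for 0x20; both the bit's meaning and the
     * Flags offset depend on the private loader-entry layout of the
     * targeted build (Win7 x64 per the file header), and modifying kernel
     * loader state is a code-integrity-sensitive action that should be
     * expected to be unsupported elsewhere. Confirm against symbols.
     */
    ldr->Flags |= 0x20;

    return SelfProtection();
}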

 



原文地址:http://www.cnblogs.com/Ox9A82/p/5290118.html
