标题:关于内核及进程保护的程序的问题
mxbwuma
关于内核及进程保护的程序的问题
请教高手啊!编译老是通不过,而且很多错误。这是一段关于内核及进程保护的程序,其通过HOOK函数NtTerminateProcess来防止自身进程被外来程序结束。编译的错误太多了,也不好贴出来,麻烦高手耐心解决一下啊,真的是搞不懂了,感激不尽!!!!!

#include "windows.h"
#include "ntddk.h"
// Kernel-mode SSDT hook that replaces the ZwOpenProcess / ZwTerminateProcess
// service-table entries so a chosen process (global `pid`) cannot be killed by
// another process.
//
// NOTE(review): the two includes above mix the user-mode SDK ("windows.h") and
// the kernel DDK ("ntddk.h"); both headers define many of the same names, and
// that clash is the most plausible source of the flood of compile errors the
// post describes.  A driver translation unit normally includes only ntddk.h.
//
// NOTE(review): ServiceDescriptorTableEntry_t is not a type that ntddk.h
// provides.  Nothing in this listing declares it, so this line and every later
// use of KeServiceDescriptorTable (ServiceTableBase, NumberOfServices) fails to
// compile until a matching struct typedef is added above it.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
// Unused in this listing.
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[*(PULONG)((PUCHAR)_function+1)]
// Reads the 32-bit immediate that follows the first opcode byte of a Zw* stub
// and uses it as the service-table index.  That layout assumption is x86-only.
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
// Atomically swaps the table slot for _Function with _Hook and stores the old
// entry in _Orig.  `m_Mapped` is not a global: the macro expands correctly only
// where a local of that name is in scope (main below).
#define HOOK_SYSCALL(_Function,_Hook,_Orig) _Orig=(PVOID)InterlockedExchange((PLONG)&m_Mapped[SYSCALL_INDEX(_Function)],(LONG)_Hook)
// Prototypes of the two native routines whose table entries are replaced.
NTSYSAPI NTSTATUS NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
    NTSYSAPI NTSTATUS NTAPI ZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
// Function-pointer types used to hold the original (pre-hook) entries.
typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
    typedef NTSTATUS (*ZWTERMINATEPROCESS)(IN HANDLE ProcessHandle OPTIONAL, IN NTSTATUS ExitStatus);
// Replacement routines.  NOTE(review): NewZwOpenProcess is declared here and
// installed in main, but it is not defined anywhere in this listing -- if this
// is the whole file, that is an unresolved external at link time.
NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,IN PCLIENT_ID ClientId OPTIONAL);
    NTSTATUS NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus);
// NOTE(review): the DDK prototype of PsLookupProcessByProcessId takes a HANDLE
// as its first parameter; this redeclaration with ULONG conflicts with the one
// in ntddk.h and is itself a compile error.  The call site in
// NewZwTerminateProcess casts `pid` to match this declaration.
NTSTATUS PsLookupProcessByProcessId(IN ULONG ulProcId,OUT PEPROCESS *pEProcess);
// Saved original table entries, written by HOOK_SYSCALL in main and called
// through by the replacement routines.
    ZWOPENPROCESS OldZwOpenProcess=NULL;
    ZWTERMINATEPROCESS OldZwTerminateProcess=NULL;
    long pid=3256;// The PID here is an arbitrary placeholder.
// Installs the two SSDT hooks.
//
// NOTE(review): a kernel driver has no `main`; its entry point is
// `NTSTATUS DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING)`, which is another
// reason this unit does not build as a driver.  Returning STATUS_UNSUCCESSFUL
// from a function declared `int` also mixes the two conventions.
//
// NOTE(review): nothing in this listing ever restores the original table
// entries, frees the MDL or unmaps the pages.  Without an unload routine that
// undoes the swap, unloading the driver leaves the service table pointing into
// a freed image.
int main()
{   
    PMDL m_MDL;
    PVOID *m_Mapped;
    // Describes the service table so it can be remapped writable.
    // `NumberOfServices*4` hard-codes 4-byte entries (32-bit only);
    // `sizeof(PVOID)` would state the intent.
    m_MDL=MmCreateMdl(NULL,KeServiceDescriptorTable.ServiceTableBase,KeServiceDescriptorTable.NumberOfServices*4);
    if(!m_MDL)
        return STATUS_UNSUCCESSFUL;
    MmBuildMdlForNonPagedPool(m_MDL);
    // Forces the "already mapped to system VA" flag before mapping.
    m_MDL->MdlFlags=m_MDL->MdlFlags|MDL_MAPPED_TO_SYSTEM_VA;
    // NOTE(review): the mapping result is never checked before HOOK_SYSCALL
    // indexes through it.
    m_Mapped=MmMapLockedPages(m_MDL,KernelMode);
    // Swap in the replacements; the old entries land in the OldZw* globals.
    HOOK_SYSCALL(ZwOpenProcess,NewZwOpenProcess,OldZwOpenProcess);
    HOOK_SYSCALL(ZwTerminateProcess,NewZwTerminateProcess,OldZwTerminateProcess);   
    return 0;
}
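// Replacement for ZwTerminateProcess.
//
// Refuses the request with STATUS_ACCESS_DENIED when a process *other than*
// the protected one (global `pid`) asks to terminate it; every other request,
// including the protected process exiting on its own, is forwarded unchanged
// to the saved original entry.  ExitStatus is only passed through.
//
// Fixes relative to the original: PsLookupProcessByProcessId and
// ObReferenceObjectByHandle both hand back a referenced object on success, and
// the original released neither (one leaked reference per terminate call); the
// lookup status was also ignored, so a stale `pid` compared a NULL pointer.
NTSTATUS NewZwTerminateProcess(IN HANDLE ProcessHandle OPTIONAL,IN NTSTATUS ExitStatus)
{
    NTSTATUS nStatus=STATUS_SUCCESS;
    PEPROCESS EPROCESSPROTECT=NULL;
    PEPROCESS EPROCESSKILL=NULL;
    // The (ULONG) cast matches the prototype declared earlier in this file.
    if(NT_SUCCESS(PsLookupProcessByProcessId((ULONG)pid,&EPROCESSPROTECT)))
    {
        // A NULL ProcessHandle (the "terminate myself" form) fails here and
        // simply falls through to the original routine.
        // NOTE(review): no object type is given, so a handle to some other
        // object type is accepted and merely fails the pointer comparison;
        // passing *PsProcessType would reject it up front.  KernelMode as the
        // access mode also skips the caller's handle access check -- harmless
        // for a pointer comparison, but worth knowing.
        if(NT_SUCCESS(ObReferenceObjectByHandle(ProcessHandle,GENERIC_READ,NULL,KernelMode,&EPROCESSKILL,NULL)))
        {
            if(EPROCESSPROTECT==EPROCESSKILL)
            {
                if(EPROCESSPROTECT!=PsGetCurrentProcess())
                {
                    KdPrint(("[-]进程保护,外部程序试图关闭进程\n"));
                    nStatus=STATUS_ACCESS_DENIED;
                }
                else
                {
                    KdPrint(("[-]进程保护,程序自身退出请求!\n"));
                }
            }
            // Release the reference taken by ObReferenceObjectByHandle.
            ObDereferenceObject(EPROCESSKILL);
        }
        // Release the reference taken by PsLookupProcessByProcessId.
        ObDereferenceObject(EPROCESSPROTECT);
    }
    if(nStatus!=STATUS_SUCCESS)
        return nStatus;
    return OldZwTerminateProcess(ProcessHandle,ExitStatus);
}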
2008-09-30 23:48



参与讨论请移步原网站贴子:https://bbs.bccn.net/thread-235969-1-1.html



