
資源簡介

經過N多輾轉和持續驗證,終于搞定了在驅動程序中同時保護進程和文件(經持久測試后,避免了導致系統藍屏的情況),重點
1)拒絕通過進程管理器關閉進程,同時又允許某些進程可以管理
2)通過比較文件名,截獲被保護的文件操作

資源截圖

代碼片段和文件信息

#ifndef?CXX_PROTECTPROCESSX64_H
#????include?“ProtectProcessx64.h“
#endif

// NOTE(review): the header names of the three includes below were lost in extraction.
#include?
#include?

#include?

#define?TRACE?ATLTRACE

// Process protection: registration handle for the object callback.
PVOID?processCallBackHandle?=?NULL; // void* that receives the handle returned through ObRegisterCallbacks' second argument.
PEPROCESS?parentsProtectedProcess; // Parent process of the protected process; operations originating from it are exempted.

// File protection: registration handle for the object callback.
PVOID??fileCallBackHandle?=?NULL;

//驅(qū)動入口
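/*
 * Driver entry point: installs the unload routine, then sets up the
 * process- and file-protection callbacks.
 *
 * pDriverObj:      driver object supplied by the I/O manager.
 * pRegistryString: registry path of the driver's service key (unused here).
 *
 * Returns STATUS_SUCCESS unconditionally. The return values (if any) of
 * ProtectProcess() and ProtectFileByObRegisterCallbacks() are ignored, so a
 * failed callback registration still leaves the driver loaded.
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    UNREFERENCED_PARAMETER(pRegistryString);

    DbgPrint("begin to load driver...\n");
    KdPrint(("begin to load driver...\n"));

    pDriverObj->DriverUnload = DriverUnload;

    /*
     * ObRegisterCallbacks runs MmVerifyCallbackFunction, which rejects a
     * callback from an image that was not linked with /INTEGRITYCHECK unless
     * this bit is set on the driver's loader entry. Writing the bit here is
     * the well-known workaround for unsigned/test builds; a production driver
     * should instead be signed with forced integrity. This write to the
     * loader entry is itself a tampering indicator that security tooling
     * flags. Guarded against a missing DriverSection so a broken loader entry
     * cannot crash the machine here.
     */
    PLDR_DATA_TABLE_ENTRY64 ldr = (PLDR_DATA_TABLE_ENTRY64)pDriverObj->DriverSection;
    if (ldr != NULL)
    {
        ldr->Flags |= 0x20;
    }

    DbgPrint("begin to ProtectProcess...\n");
    /* Process protection -- presumably registers the callback tracked by processCallBackHandle. */
    ProtectProcess(TRUE);

    /* File protection -- presumably registers the callback tracked by fileCallBackHandle. */
    ProtectFileByObRegisterCallbacks();

    return STATUS_SUCCESS;
}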

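#define MY_MAX_PATH 256

/*
 * Converts a UNICODE_STRING to an upper-cased, NUL-terminated ANSI string.
 *
 * DestinationString: caller-provided buffer of at least MY_MAX_PATH bytes.
 * SourceString:      the string to convert.
 *
 * Returns TRUE when DestinationString has been filled. Returns FALSE when the
 * conversion failed, when the converted text (plus terminator) would not fit
 * in MY_MAX_PATH bytes, or when an exception was raised while converting; in
 * all FALSE cases DestinationString is left untouched.
 *
 * NOTE(review): if the copy itself faults, the buffer allocated by
 * RtlUnicodeStringToAnsiString is not released (unchanged from the original).
 */
BOOLEAN UnicodeStringToChar(char* DestinationString, PUNICODE_STRING SourceString)
{
    ANSI_STRING ansi;
    NTSTATUS    status;
    BOOLEAN     copied = FALSE;

    __try
    {
        /* TRUE: let the runtime allocate ansi.Buffer (NUL-terminated). */
        status = RtlUnicodeStringToAnsiString(&ansi, SourceString, TRUE);
        if (!NT_SUCCESS(status))
        {
            /* ansi is not initialised on failure, so there is nothing to free. */
            return FALSE;
        }

        /*
         * Bound the copy by the caller's buffer. The original bound was
         * garbled in extraction; MY_MAX_PATH is assumed from the define above.
         * Length excludes the terminator, hence the strict comparison.
         */
        if (ansi.Length < MY_MAX_PATH)
        {
            memcpy(DestinationString, ansi.Buffer, ansi.Length);
            DestinationString[ansi.Length] = '\0';
            _strupr(DestinationString);
            copied = TRUE;
        }
        RtlFreeAnsiString(&ansi);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return FALSE;
    }
    return copied;
}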

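/*
 * Upper-cases the ASCII letters of a NUL-terminated string in place.
 *
 * s: the string to modify; a NULL pointer is ignored.
 *
 * Only 'a'..'z' are changed; digits, punctuation and bytes outside ASCII are
 * left as they are, so the routine is not locale-aware.
 */
void MyUpper(char *s)
{
    if (s == NULL)
    {
        return;
    }
    for (; *s != '\0'; s++)
    {
        if (*s >= 'a' && *s <= 'z')
        {
            *s += ('A' - 'a');
        }
    }
}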

OB_PREOP_CALLBACK_STATUS?FilePreCallBack(PVOID?RegistrationContext?POB_PRE_OPERATION_INFORMATION?OperationInformation)
{
????UNICODE_STRING?uniDosName;
uniDosName.Length?=?0;

ACCESS_MASK?oldCreateDesiredAccess?=?0;
ACCESS_MASK?oldDuplicateDesiredAccess?=?0;

//參數(shù)檢查
if(NULL?==?OperationInformation)
return?OB_PREOP_SUCCESS;

????PFILE_object?Fileobject?=?(PFILE_object)OperationInformation->object;
????HANDLE?CurrentProcessId?=?PsGetCurrentProcessId();

UNREFERENCED_PARAMETER(RegistrationContext);

//有效性檢查
if(NULL?==?Fileobject)
return?OB_PREOP_SUCCESS;

//(1)屏蔽非IoFileobjectType類型的處理
????if(?OperationInformation->objectType!=*IoFileobjectType)
????{
????????return?OB_PREOP_SUCCESS;
????}

????//(2)過濾無效指針
????if(????Fileobject->FileName.Buffer==NULL??????????????||?
????????!MmIsAddressValid(Fileobject->FileName.Buffer)????||
????????Fileobject->Deviceobject==NULL????????????????????||
????????!MmIsAddressValid(Fileobject->Deviceobject)????????)
????{
????????return?OB_PREOP_SUCCESS;
????}

//(3)過濾無效路徑?否則使用RtlVolumeDeviceToDosName獲取盤符會藍(lán)屏
/**/
if(?!_wcsicmp(Fileobject->FileName.BufferL“\\Endpoint“) ||
!_wcsicmp(Fileobject->FileName.BufferL“?“) ||
!_wcsicmp(Fileobject->FileName.BufferL“\\.\\.“) ||
!_wcsicmp(Fileobject->Fi

?屬性????????????大小?????日期????時間???名稱
-----------?---------??----------?-----??----

?????文件??????13414??2020-02-11?08:47??ProtectProcessx64.cpp

?????文件???????4348??2020-02-11?08:45??ProtectProcessx64.h

-----------?---------??----------?-----??----

????????????????17762????????????????????2

