绕过PG 实现进程保护

发表于 2018-6-6 14:44:53 | 显示全部楼层 |阅读模式
鑫郁飞技术 www.feiyuol.com
微信公众号 任鸟飞逆向
郁金香灬老师 QQ 150330575
环境:win7 64  win8 win 10

SSDT HOOK NtOpenProcess //这一路径上的代码点 in line hook
ObRegisterCallbacks     //注册回调函数 过滤

/*
 * Prototype of the object-manager registration routine used below.
 * CallbackRegistration: caller-filled OB_CALLBACK_REGISTRATION (altitude,
 *   filter version, operation registration array).
 * RegistrationHandle: receives the opaque handle for this registration; it is
 *   what ObUnRegisterCallbacks must be given at unload.
 * Returns an NTSTATUS; test with NT_SUCCESS().
 */
NTSTATUS  
ObRegisterCallbacks (  
    _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,  
    _Outptr_ PVOID *RegistrationHandle  
    );

上边这是函数定义。
第一个参数是注册回调的一些信息。
第二个参数返回此回调的指针:
创建一个进程会返回一个进程句柄,类似的创建一个回调会返回一个跟此回调相关的指针。

核心代码:

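/*
 * Pre-operation callback registered for PsProcessType.
 *
 * For handle-create and handle-duplicate requests whose target process image
 * name contains "yjx150.exe", the access rights that allow killing the process
 * or touching its address space (PROCESS_TERMINATE, PROCESS_VM_OPERATION,
 * PROCESS_VM_READ, PROCESS_VM_WRITE) are removed from the granted mask.
 *
 * RegistrationContext: unused (NULL is passed at registration).
 * pOperationInformation: the pending handle operation; Object is a PEPROCESS
 *   because the registration targets PsProcessType.
 * Returns OB_PREOP_SUCCESS in every case - the callback never fails the
 *   operation, it only narrows the access mask.
 *
 * Fixes relative to the first version: the image name is no longer strcpy'd
 * into a fixed 128-byte buffer (a long path would overflow it, and a NULL
 * return would crash), and OB_OPERATION_HANDLE_DUPLICATE is now handled
 * (the registration asks for it, but the old code silently let duplicated
 * handles keep full access).
 */
OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
        /* Rights the protected process must never hand out. Clearing all four
         * at once is equivalent to the per-bit tests of the old version, since
         * &= ~bit is a no-op for bits that were not requested. */
        const ACCESS_MASK deniedAccess = PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
        HANDLE pid;
        const char *szProcName;
        UNREFERENCED_PARAMETER(RegistrationContext);

        /* Kernel-mode handle requests are left untouched: stripping rights
         * from the kernel itself can break legitimate system activity. */
        if (pOperationInformation->KernelHandle)
        {
                return OB_PREOP_SUCCESS;
        }

        /* A process opening itself keeps full access. */
        if ((PEPROCESS)pOperationInformation->Object == PsGetCurrentProcess())
        {
                return OB_PREOP_SUCCESS;
        }

        pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
        /* GetProcessImageNameByProcessID is a project helper. Its result is
         * used in place instead of being copied. NOTE(review): assumed to
         * return NULL (not a dangling pointer) when no name is available -
         * confirm against its definition. */
        szProcName = GetProcessImageNameByProcessID((ULONG)pid);
        if (szProcName == NULL || strstr(szProcName, "yjx150.exe") == NULL)
        {
                return OB_PREOP_SUCCESS;
        }

        DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);

        /* NOTE(review): generic rights (GENERIC_*/MAXIMUM_ALLOWED) are not
         * mapped here; this assumes the object manager has already translated
         * them into specific PROCESS_* bits - confirm. */
        switch (pOperationInformation->Operation)
        {
        case OB_OPERATION_HANDLE_CREATE:
                pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~deniedAccess;
                break;
        case OB_OPERATION_HANDLE_DUPLICATE:
                /* Registration requests duplicate notifications too; without
                 * this branch a duplicated handle would retain the rights. */
                pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~deniedAccess;
                break;
        default:
                break;
        }

        return OB_PREOP_SUCCESS;
}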

/* Registration handles returned by ObRegisterCallbacks; each one is what
 * ObUnRegisterCallbacks must be given at unload. NULL: nothing registered. */
HANDLE g_obHandle_callback = NULL;
HANDLE g_obHandle_callback2 = NULL;
//注册保护回调
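/*
 * Registers RegProtectProcess_Callback as a PsProcessType pre-operation
 * callback (handle create + duplicate) and stores the registration handle in
 * g_obHandle_callback.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks (STATUS_SUCCESS when already
 * registered). On failure g_obHandle_callback is reset to NULL so that a later
 * ObUnRegisterCallbacks call on unload is safe to skip.
 *
 * Fix: the DbgPrint used %llx for a 32-bit NTSTATUS (and for the handle on
 * 32-bit builds), which is a format/argument mismatch; %p and %lx are used
 * now. Re-entering with a live registration no longer overwrites the handle,
 * which would have leaked the earlier registration.
 */
NTSTATUS RegProtectProcess_callback()
{
        NTSTATUS ret = STATUS_SUCCESS;
        OB_CALLBACK_REGISTRATION obregCallBack;
        OB_OPERATION_REGISTRATION opReg;

        /* Already registered: do not lose the handle we would need to unregister. */
        if (g_obHandle_callback != NULL)
        {
                return ret;
        }

        memset(&obregCallBack, 0, sizeof(obregCallBack));
        /* Altitude: a unique string ordering this filter among other
         * ObRegisterCallbacks clients. Proper values are obtained from
         * Microsoft; "321000" is what most sample code uses. */
        RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575");
        obregCallBack.Version = ObGetFilterVersion(); // OB_FLT_REGISTRATION_VERSION
        obregCallBack.OperationRegistrationCount = 1;
        obregCallBack.RegistrationContext = NULL;
        obregCallBack.OperationRegistration = &opReg;

        memset(&opReg, 0, sizeof(opReg));
        opReg.ObjectType = PsProcessType; // PsThreadType would filter NtOpenThread instead
        /* Both creation and duplication of handles are reported, so the callback
         * must handle both OB_OPERATION_HANDLE_CREATE and _DUPLICATE. */
        opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
        opReg.PreOperation = RegProtectProcess_Callback;

        /* NtOpenProcess (and handle duplication) now pass through the callback.
         * Unload with ObUnRegisterCallbacks(g_obHandle_callback). */
        ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback);
        if (!NT_SUCCESS(ret))
        {
                g_obHandle_callback = NULL;
        }
        DbgPrint("yjx:---1111-----obHandle=%p ret=%lx ------RegProtectProcess_callback\n", g_obHandle_callback, ret);
        return ret;
}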

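/*
 * Second registration of the same RegProtectProcess_Callback, under a
 * different altitude, with the handle kept in g_obHandle_callback2.
 * Functionally this duplicates RegProtectProcess_callback; a driver needs only
 * one of them.
 *
 * Returns the NTSTATUS from ObRegisterCallbacks (STATUS_SUCCESS when already
 * registered). On failure g_obHandle_callback2 is reset to NULL.
 *
 * Fix: DbgPrint used %llx for a 32-bit NTSTATUS (and for the handle on 32-bit
 * builds) - a format/argument mismatch; %p and %lx are used now. Re-entering
 * with a live registration no longer overwrites the handle.
 */
NTSTATUS RegProtectProcess2()
{
        NTSTATUS ret = STATUS_SUCCESS;
        OB_CALLBACK_REGISTRATION obregCallBack;
        OB_OPERATION_REGISTRATION opReg;

        /* Already registered: keep the handle needed for ObUnRegisterCallbacks. */
        if (g_obHandle_callback2 != NULL)
        {
                return ret;
        }

        memset(&obregCallBack, 0, sizeof(obregCallBack));
        /* Altitude string; samples commonly use "321000". */
        RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");
        obregCallBack.Version = ObGetFilterVersion();
        obregCallBack.OperationRegistrationCount = 1;
        obregCallBack.RegistrationContext = NULL;
        obregCallBack.OperationRegistration = &opReg; // points at the array below

        memset(&opReg, 0, sizeof(opReg));
        opReg.ObjectType = PsProcessType;
        opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
        opReg.PreOperation = RegProtectProcess_Callback; // pre-operation filter

        ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2);
        if (!NT_SUCCESS(ret))
        {
                g_obHandle_callback2 = NULL;
        }
        DbgPrint("yjx:---L156-----obHandle=%p ret=%lx ------RegProtectProcess2\n", g_obHandle_callback2, ret);
        return ret;
}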
