
【游戏漏洞】绕过PG 实现进程保护

发布于:2018-7-5 10:58   |    155280次阅读 作者: 外部投稿    |   原作者: 通化程序员

环境:win7 64  win8 win 10

 

SSDT HOOK NtOpenProcess //在这条路径上的代码点做 inline hook。x64 下修改 SSDT 或内核代码会触发 PatchGuard(PG),因此不可取

ObRegisterCallbacks     //通过微软公开的对象回调接口注册过滤回调,不修改任何内核代码,因此不会触发 PG(这就是标题所说的"绕过 PG")

 

/*
 * Prototype as published in the WDK (ntddk.h), not a definition.
 *
 * CallbackRegistration: describes the filter (Version, Altitude, one or more
 *                       OB_OPERATION_REGISTRATION entries, RegistrationContext).
 * RegistrationHandle:   out-parameter; on success receives the opaque value
 *                       that must later be passed to ObUnRegisterCallbacks.
 * Returns an NTSTATUS (negative on failure).
 */
NTSTATUS  

ObRegisterCallbacks (  

    _In_ POB_CALLBACK_REGISTRATION CallbackRegistration,  

    _Outptr_ PVOID *RegistrationHandle  

    );

 

上边这是函数原型(声明),定义在内核中。

第一个参数是注册回调的一些信息。

第二个参数是输出参数,返回本次注册对应的句柄(卸载驱动时要把它传给 ObUnRegisterCallbacks):

创建一个进程会返回一个进程句柄,类似的创建一个回调会返回一个跟此回调相关的指针。

 

核心代码:

 

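/*
 * Pre-operation callback registered via ObRegisterCallbacks for PsProcessType.
 *
 * For every handle-create or handle-duplicate request on a process whose image
 * name contains "yjx150.exe", the access rights PROCESS_TERMINATE,
 * PROCESS_VM_OPERATION, PROCESS_VM_READ and PROCESS_VM_WRITE are removed from
 * the requested DesiredAccess, so the caller gets a handle that cannot kill the
 * process or touch its memory.
 *
 * RegistrationContext: unused (registered as NULL).
 * pOperationInformation: the object-manager request being filtered.
 * Returns OB_PREOP_SUCCESS always; pre-operation callbacks cannot fail the
 * request, they can only trim the rights.
 *
 * Fixes relative to the original:
 *  - the image name was copied with strcpy() into a 128-byte stack buffer
 *    (overflow on a long path, crash on a NULL return) -> bounded copy + NULL check;
 *  - only OB_OPERATION_HANDLE_CREATE was handled although the registration also
 *    asks for OB_OPERATION_HANDLE_DUPLICATE, so DuplicateHandle() re-acquired the
 *    stripped rights -> the duplicate path is now filtered too;
 *  - kernel-mode handle requests and the protected process opening itself are
 *    left untouched, which is the usual practice for this kind of filter.
 */
OB_PREOP_CALLBACK_STATUS RegProtectProcess_Callback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    /* Rights another process must never obtain on the protected process. */
    const ULONG denied = PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
    char szProcName[128] = { 0 };
    const char *imageName;
    HANDLE pid;
    size_t len;

    UNREFERENCED_PARAMETER(RegistrationContext);

    /* Kernel handles are not user-mode callers; trimming them can break the OS. */
    if (pOperationInformation->KernelHandle)
        return OB_PREOP_SUCCESS;

    /* The protected process must still be able to open itself. */
    if ((PEPROCESS)pOperationInformation->Object == PsGetCurrentProcess())
        return OB_PREOP_SUCCESS;

    pid = PsGetProcessId((PEPROCESS)pOperationInformation->Object);
    imageName = GetProcessImageNameByProcessID((ULONG)pid);
    if (imageName == NULL)
        return OB_PREOP_SUCCESS;

    /* Bounded copy with guaranteed NUL termination (replaces strcpy). */
    len = strlen(imageName);
    if (len >= sizeof szProcName)
        len = sizeof szProcName - 1;
    memcpy(szProcName, imageName, len);
    szProcName[len] = '\0';

    /* Substring match, as in the original: "xyjx150.exe" would match too, and the
       helper may return a full path rather than a bare file name — confirm its output
       if an exact match is required. */
    if (strstr(szProcName, "yjx150.exe") == NULL)
        return OB_PREOP_SUCCESS;

    DbgPrint("yjx:进入RegProtectProcess_Callback--------------1111111111111111111111111111--------szProcName=%s -", szProcName);

    switch (pOperationInformation->Operation)
    {
    case OB_OPERATION_HANDLE_CREATE:
        /* Covers NtOpenProcess / OpenProcess and the like. */
        pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess &= ~denied;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        /* Covers NtDuplicateObject / DuplicateHandle: the same rights must be
           stripped here or the create-path filtering is trivially bypassed. */
        pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess &= ~denied;
        break;
    default:
        break;
    }

    return OB_PREOP_SUCCESS;
}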

 

/*
 * Registration handles returned by ObRegisterCallbacks(). Each one must be
 * passed to ObUnRegisterCallbacks() in the driver's unload routine, otherwise
 * the callback stays installed and the driver image cannot be safely unloaded.
 * HANDLE is a void pointer in the WDK, so &g_obHandle_callback is accepted for
 * the PVOID *RegistrationHandle out-parameter.
 */
HANDLE g_obHandle_callback=0;   /* set by RegProtectProcess_callback() */

HANDLE g_obHandle_callback2= 0; /* set by RegProtectProcess2() */

//注册保护回调

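/*
 * Registers RegProtectProcess_Callback as a pre-operation filter for process
 * handle create/duplicate requests (object type PsProcessType) and stores the
 * registration handle in g_obHandle_callback for ObUnRegisterCallbacks() at
 * unload time.
 *
 * Returns the NTSTATUS of ObRegisterCallbacks (negative on failure).
 *
 * Fix relative to the original: the DbgPrint used %llx for a 32-bit NTSTATUS
 * (format/argument mismatch, prints garbage high bits on x64); %p / 0x%08X are
 * the matching specifiers. On failure the global handle is reset to NULL so the
 * unload path has nothing to unregister.
 */
NTSTATUS RegProtectProcess_callback(void)
{
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;
    NTSTATUS ret;

    /* Which object type / operations to filter. PsThreadType would route
       NtOpenThread through the callback instead; PsProcessType catches NtOpenProcess. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback;
    /* No PostOperation: the filter only trims DesiredAccess before the handle exists. */

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    obregCallBack.Version = ObGetFilterVersion(); /* OB_FLT_REGISTRATION_VERSION of the running kernel */
    /* NOTE(review): Microsoft documents Altitude as a decimal string such as "321000",
       used only to order callbacks; a value already in use fails with
       STATUS_FLT_INSTANCE_ALTITUDE_COLLISION. "QQ150330575" is kept as written —
       confirm a non-numeric altitude is accepted by the target kernels. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"QQ150330575");
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.OperationRegistration = &opReg; /* the kernel copies this; a local is fine */
    obregCallBack.RegistrationContext = NULL;

    /* ObRegisterCallbacks returns STATUS_ACCESS_DENIED unless the driver image is
       linked with /INTEGRITYCHECK and is properly signed. */
    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback);
    if (ret < 0)                     /* NTSTATUS: negative means failure (NT_SUCCESS is >= 0) */
        g_obHandle_callback = NULL;  /* nothing to pass to ObUnRegisterCallbacks later */

    DbgPrint("yjx:---1111-----obHandle=%p ret=0x%08X ------RegProtectProcess_callback\n", g_obHandle_callback, ret);
    return ret;
}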

 

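/*
 * Second registration of the same RegProtectProcess_Callback filter, under a
 * different altitude, with the handle stored in g_obHandle_callback2.
 *
 * NOTE(review): both registrations install the identical callback on the same
 * object type and operations, so every process-handle request runs the filter
 * twice; the result is the same as a single registration. Keep one of the two
 * unless the duplicate is intentional (e.g. as a fallback if the first
 * altitude collides).
 *
 * Returns the NTSTATUS of ObRegisterCallbacks (negative on failure).
 *
 * Fix relative to the original: %llx was used for a 32-bit NTSTATUS
 * (format/argument mismatch on x64); %p / 0x%08X match the arguments. On
 * failure the global handle is reset so unload has nothing to unregister.
 */
NTSTATUS RegProtectProcess2(void)
{
    OB_CALLBACK_REGISTRATION obregCallBack;
    OB_OPERATION_REGISTRATION opReg;
    NTSTATUS ret;

    /* Filter process handle creation and duplication with the shared callback. */
    memset(&opReg, 0, sizeof(opReg));
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = RegProtectProcess_Callback;

    memset(&obregCallBack, 0, sizeof(obregCallBack));
    obregCallBack.Version = ObGetFilterVersion();
    /* NOTE(review): Altitude is documented as a decimal ordering string (e.g. "321000");
       "Q150330575" is kept as written — confirm it is accepted. It must differ from the
       altitude used by RegProtectProcess_callback() or registration fails with
       STATUS_FLT_INSTANCE_ALTITUDE_COLLISION. */
    RtlInitUnicodeString(&obregCallBack.Altitude, L"Q150330575");
    obregCallBack.OperationRegistrationCount = 1;
    obregCallBack.OperationRegistration = &opReg; /* copied by the kernel during registration */
    obregCallBack.RegistrationContext = NULL;

    /* Requires an /INTEGRITYCHECK-linked, signed driver image. */
    ret = ObRegisterCallbacks(&obregCallBack, &g_obHandle_callback2);
    if (ret < 0)                      /* NTSTATUS: negative means failure */
        g_obHandle_callback2 = NULL;

    DbgPrint("yjx:---L156-----obHandle=%p ret=0x%08X ------RegProtectProcess2\n", g_obHandle_callback2, ret);
    return ret;
}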



来源:通化程序员-公众号投稿

GSLAB网站投稿文章仅代表作者本人的观点,与本网站立场无关。

*转载请注明来自游戏安全实验室(GSLAB.QQ.COM)
