#include "global.h"
#include "obcallback.h"
// Registration handle filled in by ObRegisterCallbacks (see ObRegiserCllabck);
// stays NULL until a registration has succeeded.
PVOID g_obHandle = NULL;
// Defined elsewhere. ObPreopCallback reads at least pfn_PsGetProcessId and
// ProtectPid through it; the full layout is in the project's headers.
extern
PSYSTEM_ROUTINE_ADDRESS g_pSysRotineAddr;
//
//bypass objecthook签名
//
// Sets bit 0x20 in the Flags field of this driver's own loader data-table
// entry (pDriverObj->DriverSection). The file-level comment says the purpose
// is to get past the signing check applied to object-callback registration.
// Both the struct layout below and the flag value are undocumented Windows
// internals and are version-dependent -- confirm against each target build.
// Defender's note: a loaded driver whose loader entry carries this flag while
// failing the normal check is a useful integrity-monitoring signal.
//
// pDriverObj: the driver's own DRIVER_OBJECT; DriverSection is dereferenced
// without a NULL check.
void BypassCheckSign(
_In_ PDRIVER_OBJECT pDriverObj)
{
//STRUCT FOR WIN64
// Only the leading members of the real entry are declared (the comment says
// 24 elements; 9 are listed). That is enough because only Flags is touched.
typedef struct _LDR_DATA // 24 elements, 0xE0 bytes (sizeof)
{
LIST_ENTRY64 InLoadOrderLinks;
LIST_ENTRY64 InMemoryOrderLinks;
LIST_ENTRY64 InInitializationOrderLinks;
ULONG64 DllBase;
ULONG64 EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
}LDR_DATA, *PLDR_DATA;
PLDR_DATA ldr;
ldr = (PLDR_DATA)(pDriverObj->DriverSection);
// Read-modify-write of a single flag bit; other Flags bits are preserved.
ldr->Flags |= 0x20;
}
//
//保护进程
//
// Registers ObjectCllbackAddr as a pre-operation object callback for process
// handle creation and duplication. The registration handle is stored in the
// global g_obHandle.
//
// ObjectCllbackAddr: address of the POB_PRE_OPERATION_CALLBACK to install.
// Returns the NTSTATUS from ObRegisterCallbacks.
NTSTATUS ObRegiserCllabck(
    _In_ PVOID ObjectCllbackAddr)
{
    OB_OPERATION_REGISTRATION opReg = { 0 };
    OB_CALLBACK_REGISTRATION obReg = { 0 };

    // Single operation entry: pre-operation only, no post-operation callback.
    opReg.ObjectType = PsProcessType;
    opReg.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    opReg.PreOperation = (POB_PRE_OPERATION_CALLBACK)ObjectCllbackAddr;

    obReg.Version = ObGetFilterVersion();
    obReg.OperationRegistrationCount = 1;
    obReg.RegistrationContext = NULL;
    obReg.OperationRegistration = &opReg;
    // Hard-coded altitude; registration presumably fails if another callback
    // already occupies it -- confirm against the target system.
    RtlInitUnicodeString(&obReg.Altitude, L"354156");

    return ObRegisterCallbacks(&obReg, &g_obHandle);
}
//
//进程保护callback
//
// Pre-operation callback: when a handle is being created to or duplicated for
// the process whose PID is ProtectPid, strips the terminate, VM and
// suspend/resume rights from the requested access. All other operations and
// all other processes are passed through untouched.
//
// RegistrationContext: unused.
// pOperationInformation: operation descriptor supplied by the object manager.
// Always returns OB_PREOP_SUCCESS.
OB_PREOP_CALLBACK_STATUS ObPreopCallback(
    _In_ PVOID RegistrationContext,
    _In_ POB_PRE_OPERATION_INFORMATION pOperationInformation)
{
    // Rights removed from handles to the protected process. Clearing a bit
    // that is not set is a no-op, so a single mask is equivalent to the
    // per-right test-and-clear sequence.
    const ACCESS_MASK strippedRights =
        PROCESS_TERMINATE | PROCESS_VM_OPERATION | PROCESS_VM_READ |
        PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME;
    ACCESS_MASK *desiredAccess = NULL;

    UNREFERENCED_PARAMETER(RegistrationContext);

    if (pOperationInformation == NULL || pOperationInformation->Object == NULL) {
        return OB_PREOP_SUCCESS;
    }

#if DBG
    volatile PSYSTEM_ROUTINE_ADDRESS sra = (PSYSTEM_ROUTINE_ADDRESS)g_pSysRotineAddr;
#else
    // Release builds dereference a fixed literal address; presumably the built
    // image is rewritten before this runs -- if it is not, this dereference
    // faults in kernel mode. Confirm against the loader.
    volatile PSYSTEM_ROUTINE_ADDRESS sra = (PSYSTEM_ROUTINE_ADDRESS)0x9090909090909090;
#endif

    HANDLE pid = sra->pfn_PsGetProcessId((PEPROCESS)pOperationInformation->Object);
    if (sra->ProtectPid != pid) {
        return OB_PREOP_SUCCESS;
    }

    // Pick the DesiredAccess field that matches the operation; other
    // operation codes leave desiredAccess NULL and nothing is modified.
    switch (pOperationInformation->Operation) {
    case OB_OPERATION_HANDLE_CREATE:
        desiredAccess = &pOperationInformation->Parameters->CreateHandleInformation.DesiredAccess;
        break;
    case OB_OPERATION_HANDLE_DUPLICATE:
        desiredAccess = &pOperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess;
        break;
    default:
        break;
    }

    if (desiredAccess != NULL) {
        *desiredAccess &= ~strippedRights;
    }

    return OB_PREOP_SUCCESS;
}