怎么实现保护其它进程不被关闭的功能?

imhealthyandwelthy 2009-01-13 02:39:25
不是关闭又重启那种
Cpp权哥 2009-01-14
可以试试把进程标记为系统关键进程（RtlSetProcessIsCritical），或者用 SetSecurityDescriptorOwner / SetKernelObjectSecurity 收紧进程对象的安全描述符（DACL）。不过要清楚这两种办法的边界：关键进程被结束时系统会直接蓝屏，这只是"结束的代价很大"，并不是"结束不了"；而进程 DACL 只能挡住普通用户，拥有 SeDebugPrivilege 的管理员（任务管理器、taskkill /f）打开进程时会绕过 DACL 检查。
zlshum 2009-01-14
没有办法完全不被结束掉，理由如下：
如果要永远不被结束掉，那么该程序必须控制运行过程中所有能结束该程序的路径。要做到这一点，不仅要保证该程序自己的地址空间中没有结束此进程的指令（简单的 Hook API 是不行的），还必须防止任意 DLL 的加载、控制系统的调度信息。
更根本的原因是：结束进程是内核代表其它进程完成的（NtTerminateProcess 作用在一个已打开的进程句柄上），目标进程自己的地址空间里有没有"结束指令"其实并不重要；只要对方拿到了带 PROCESS_TERMINATE 权限的句柄，或者本身运行在内核态，用户态里做的任何保护都拦不住。
挺困难的……
顶一个先


GkfSyser 2009-01-14

下面这个驱动在 SSDT 里 Hook 了 NtOpenProcess，并加了一个内核 DPC 每 5 秒检查一次钩子是否还在（被摘掉就重新挂上）。但这仍然有办法结束掉：只拦 NtOpenProcess 挡不住在 Hook 之前就已经拿到的句柄、从别的进程 DuplicateHandle 过来的句柄，以及内核态代码（它们可以直接把 SSDT 改回去，或者根本不走 SSDT）。另外这种关 CR0.WP 直接写 SSDT 的做法只适用于 32 位内核，x64 上 KeServiceDescriptorTable 不导出，而且会被 PatchGuard 蓝屏。所以这还不够底层，没有办法保证永远不被结束掉。

include <ntddk.h>

/* Forward declarations: the driver's unload routine and the SSDT hook helpers. */
NTSTATUS OnUnload(IN PDRIVER_OBJECT theObject);
void BeginHook();
void StopHook();

/* ULONG / PULONG duplicate the typedefs ntddk.h already provides (they must be
 * identical for MSVC to accept the redefinition).  LPVOID is a user-mode name
 * that kernel headers do not define; it is only used for the pool buffer in GetPid(). */
typedef unsigned long ULONG;
typedef unsigned long* PULONG;
typedef VOID* LPVOID;

/* PID of the process being protected; 0 means "not found yet".  Written by
 * GetPid() and read by myNtOpenProcess() — both run in the hook, on whatever
 * thread issued NtOpenProcess, with no synchronisation between concurrent callers. */
static ULONG myPid;

/* Refreshes myPid by enumerating the process list (see GetPid below). */
void GetPid();

/* Native API routines re-declared locally, presumably because the DDK headers in
 * use did not expose them.  ZwOpenProcess is never called: BeginHook() only reads
 * the NtOpenProcess service index out of its stub bytes.  ZwQuerySystemInformation
 * is the (undocumented) process enumerator behind GetPid(). */
NTSYSAPI
NTSTATUS
NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId);


NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);

/* Per-thread record that follows each SYSTEM_PROCESS_INFORMATION entry in the
 * SystemProcessInformation buffer.  Only its size matters to this driver (the
 * walk in GetPid() steps by NextEntryDelta and never looks inside a thread). */
typedef struct _SYSTEM_THREAD_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;

/* One entry of the SystemProcessInformation (class 5) list.
 *
 * This is the classic 32-bit layout: ProcessId and InheritedFromProcessId are
 * ULONG rather than HANDLE, and the Reserved1[6] block stands in for the fields
 * between the thread count and CreateTime.  Correct for 32-bit kernels of the
 * period only — the offsets do not hold on x64.  GetPid() relies on
 * NextEntryDelta (0 terminates the list), ProcessName and ProcessId. */
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;


/* Layout of one System Service Descriptor Table entry (x86).
 * ServiceTableBase is indexed by system-call number and holds the address of
 * each Nt* service routine; that is the slot BeginHook()/StopHook() overwrite.
 * The remaining fields (call counters, service count, argument-size table) are
 * declared for completeness only and are never read here. */
typedef struct SYSTEM_SERVICE_TABLE
{
unsigned int * ServiceTableBase;
unsigned int * ServiceCounterTableBase;
unsigned int NumberOfservice;
unsigned int * ParmterTableBase;

}SystemServiceDescriptorTable,*PSystemServiceDescriptorTable;

/* The kernel's SSDT pointer.  ntoskrnl exports this symbol on x86 only, which is
 * one reason this whole technique does not carry over to x64. */
extern PSystemServiceDescriptorTable KeServiceDescriptorTable;

/* Signature of the NtOpenProcess service routine (same as the hook replacing it). */
typedef NTSTATUS (*NTOPENPROCESS)(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId );

/* Whatever BeginHook() found in the NtOpenProcess slot before installing the
 * hook.  Zero-initialised, i.e. NULL until BeginHook() has run at least once —
 * callers that write it back to the SSDT must check for that. */
NTOPENPROCESS OldNtOpenProcess;


/* Periodic timer and its DPC: every 5 seconds (t, in 100 ns relative units)
 * MyXssdtDpc re-installs the hook if something removed it.  See BeginXssdt(). */
KTIMER mytime;
KDPC dpc;
LARGE_INTEGER t;

void BeginXssdt();
void StopXssdt();
void MyXssdtDpc(PKDPC dpc,PVOID context,PVOID junk1,PVOID junk2);


//ULONG realAddress;
/*------------------------------------------------------------------------------------------*/
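/*
 * SSDT replacement for NtOpenProcess.
 *
 * Refuses to open the protected process (myPid, refreshed through GetPid() on
 * every call, as in the original) and forwards everything else to the real
 * service routine saved in OldNtOpenProcess.  Same signature as NtOpenProcess;
 * returns its status, or STATUS_ACCESS_DENIED for the protected PID.
 *
 * Fixes relative to the first version:
 *  - The deny decision is made BEFORE the original routine runs.  The old code
 *    opened the handle first and only then changed the status, so the caller
 *    got STATUS_ACCESS_DENIED while a fully valid handle sat in its handle
 *    table and in its *ProcessHandle variable — the "protection" was cosmetic.
 *  - `ProcessHandle = NULL` only overwrote the local pointer parameter and
 *    never touched the caller's variable; it is gone.
 *  - ClientId is a user-mode pointer whenever the caller is user mode.  The old
 *    code dereferenced it unconditionally, so any unprivileged process could
 *    bugcheck the machine by passing a bad pointer.  It is now probed inside
 *    __try/__except, and a fault maps to the exception code exactly as the real
 *    NtOpenProcess would report it.
 *  - myPid == 0 (protected process not running) no longer blocks PID 0.
 *
 * What this still does not cover: handles obtained before the hook was
 * installed, handles duplicated in from another process, and kernel-mode
 * callers (which can also simply restore the SSDT slot).
 */
NTSTATUS myNtOpenProcess(OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId )
{
    ULONG pid = 0;
    BOOLEAN haveClientId = FALSE;

    if (ClientId != NULL)
    {
        __try
        {
            /* Only user-mode callers need probing; kernel callers pass kernel pointers. */
            if (ExGetPreviousMode() != KernelMode)
            {
                ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
            }
            pid = (ULONG)ClientId->UniqueProcess;
            haveClientId = TRUE;
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            return GetExceptionCode();
        }
    }

    if (haveClientId)
    {
        GetPid();
        if (myPid != 0 && pid == myPid)
        {
            /* Deny without ever creating the handle. */
            return STATUS_ACCESS_DENIED;
        }
    }

    return OldNtOpenProcess(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
}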


/* Driver entry point: registers the unload routine and starts the 5-second
 * re-hook timer.  thePath (the registry path) is unused.  BeginXssdt() returns
 * void, so there is no failure to report; the hook itself is only installed
 * when the timer's DPC first fires, not here. */
NTSTATUS DriverEntry(PDRIVER_OBJECT theObject,PUNICODE_STRING thePath) //入口例程
{
theObject->DriverUnload = OnUnload;
DbgPrint("I am load");
BeginXssdt();
return STATUS_SUCCESS;
}

/* Unload routine: stops the timer and restores the SSDT slot.
 * NOTE(review): nothing here waits for threads that may still be executing
 * inside myNtOpenProcess on another CPU, so an unload while the hook is in
 * use can crash once the image is gone; there is no reference counting on the
 * hook with this technique. */
NTSTATUS OnUnload(IN PDRIVER_OBJECT theObject)
{
DbgPrint("I am Unload");
StopXssdt();
return STATUS_SUCCESS;
}

/* Install (or re-install) myNtOpenProcess in the SSDT.
 *
 * The service index is read from the second byte of the ZwOpenProcess stub,
 * which assumes the x86 `mov eax, imm32` stub layout of the period.  If the
 * slot already points at our hook nothing is done; otherwise whatever is there
 * (the real routine, or someone else's hook that displaced ours) is saved as
 * OldNtOpenProcess and overwritten.
 *
 * CR0.WP is cleared around the store so the read-only SSDT page can be
 * written.  cli/sti and the WP change only affect the CPU this runs on; they
 * do not stop other processors from executing NtOpenProcess, nor another
 * writer from racing the same slot, so this is not SMP-safe.  Called from a
 * DPC (DISPATCH_LEVEL) by MyXssdtDpc(). */
void BeginHook()
{


NTOPENPROCESS address;
address = (NTOPENPROCESS)KeServiceDescriptorTable->ServiceTableBase[*((PUCHAR)ZwOpenProcess+1)];
if ((ULONG)address==(ULONG)myNtOpenProcess)
{
DbgPrint("is Hooked \n");
return;
}
/* May capture a third-party hook rather than the real routine; see comment above. */
OldNtOpenProcess = address;
__asm
{
cli
mov eax, cr0
and eax, not 10000h   ; clear CR0.WP on this CPU
mov cr0, eax
}

KeServiceDescriptorTable->ServiceTableBase[*((PUCHAR)ZwOpenProcess+1)] = (ULONG)myNtOpenProcess;
__asm
{
mov eax, cr0
or eax, 10000h        ; restore CR0.WP
mov cr0, eax
sti
}
}
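/*
 * Restore the original NtOpenProcess entry in the SSDT.
 *
 * Guarded so it is safe to call even if BeginHook() never ran.  The first
 * version wrote OldNtOpenProcess back unconditionally; that global is
 * zero-initialised, so unloading the driver before the 5-second timer had
 * fired once planted a NULL service pointer in the table and every later
 * NtOpenProcess bugchecked.  It also checks that the slot still holds our hook
 * before touching it: if another driver has hooked on top of us, overwriting
 * its entry would silently unlink it (the flip side — that driver's saved
 * pointer still refers to our image — is not solvable here and is logged).
 * OldNtOpenProcess is cleared after a successful restore so a second call is
 * a no-op.
 *
 * Same caveats as BeginHook(): the CR0.WP/cli dance only covers this CPU, the
 * stub-byte service index is x86-specific, and none of this applies on x64.
 */
void StopHook()
{
    ULONG index = *((PUCHAR)ZwOpenProcess + 1);

    if (OldNtOpenProcess == NULL)
    {
        DbgPrint("StopHook: hook was never installed, nothing to restore\n");
        return;
    }
    if ((ULONG)KeServiceDescriptorTable->ServiceTableBase[index] != (ULONG)myNtOpenProcess)
    {
        DbgPrint("StopHook: SSDT entry is not ours any more, leaving it alone\n");
        return;
    }

    __asm
    {
        cli
        mov eax, cr0
        and eax, not 10000h   ; clear CR0.WP on this CPU
        mov cr0, eax
    }

    KeServiceDescriptorTable->ServiceTableBase[index] = (ULONG)OldNtOpenProcess;

    __asm
    {
        mov eax, cr0
        or eax, 10000h        ; restore CR0.WP
        mov cr0, eax
        sti
    }

    OldNtOpenProcess = NULL;
}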

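/*
 * Resolve the PID of the process to protect (image name hard-coded as
 * "wow.exe") by walking the SystemProcessInformation (class 5) list, and store
 * it in myPid.  myPid is reset to 0 first and stays 0 when the buffer cannot be
 * allocated, the query fails, or no matching process exists.
 *
 * Runs in the NtOpenProcess hook, i.e. at PASSIVE_LEVEL on an arbitrary
 * thread; it must not be called at DISPATCH_LEVEL (pool allocation, Zw call).
 *
 * Fixes relative to the first version:
 *  - RtlUnicodeStringToAnsiString(..., TRUE) allocates pool and the old loop
 *    never freed it: one leak per process entry per NtOpenProcess call.
 *  - The old comparison read myName.Length bytes from OutName no matter how
 *    short OutName was (out-of-bounds read for short or empty names such as
 *    the Idle process) and matched anything that merely STARTS with "wow.exe".
 *    Names now have to be equal in full, compared case-insensitively as image
 *    names are.  The first match wins (the old loop kept the last one).
 *  - STATUS_INFO_LENGTH_MISMATCH is handled by retrying with a larger buffer
 *    instead of giving up on a fixed 64 KiB.
 *  - Pool is tagged so a leak is attributable in the debugger.
 *
 * Known gap: the SYSTEM_PROCESS_INFORMATION layout used here is the 32-bit one.
 */
void GetPid()
{
    LPVOID buffer = NULL;
    ULONG Lbuffer = 0x10000;
    ULONG needed = 0;
    ANSI_STRING myName;
    ANSI_STRING OutName;
    NTSTATUS status;
    PSYSTEM_PROCESS_INFORMATION pInfo;

    myPid = 0;
    RtlInitAnsiString(&myName, "wow.exe");

    /* Grow the buffer until the snapshot fits. */
    for (;;)
    {
        buffer = ExAllocatePoolWithTag(NonPagedPool, Lbuffer, 'diPw');
        if (buffer == NULL)
        {
            DbgPrint("B NULL");
            return;
        }
        status = ZwQuerySystemInformation(5, buffer, Lbuffer, &needed);
        if (status != STATUS_INFO_LENGTH_MISMATCH)
        {
            break;
        }
        ExFreePoolWithTag(buffer, 'diPw');
        buffer = NULL;
        /* ReturnLength is only a hint; processes can appear between calls, so add headroom. */
        Lbuffer = (needed > Lbuffer ? needed : Lbuffer) + 0x1000;
    }

    if (!NT_SUCCESS(status))
    {
        DbgPrint("ZwQuerySystemInformation faild");
        ExFreePoolWithTag(buffer, 'diPw');
        return;
    }

    pInfo = (PSYSTEM_PROCESS_INFORMATION)buffer;
    while (pInfo)
    {
        /* Entries with no name (Idle) cannot match; skip the conversion entirely. */
        if (pInfo->ProcessName.Buffer != NULL && pInfo->ProcessName.Length != 0 &&
            NT_SUCCESS(RtlUnicodeStringToAnsiString(&OutName, &pInfo->ProcessName, TRUE)))
        {
            BOOLEAN match = RtlEqualString(&myName, &OutName, TRUE);
            RtlFreeAnsiString(&OutName);
            if (match)
            {
                myPid = pInfo->ProcessId;
                break;
            }
        }
        if (pInfo->NextEntryDelta == 0)
        {
            break;
        }
        pInfo = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pInfo + pInfo->NextEntryDelta);
    }
    ExFreePoolWithTag(buffer, 'diPw');
}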



/* Start the periodic re-hook timer.  t is a relative due time in 100 ns units:
 * -50000000 is 5 seconds.  The ASSERT is only compiled into checked builds.
 * The hook is not installed here; MyXssdtDpc() does that on the first expiry. */
void
BeginXssdt()
{
t.QuadPart=-50000000;
ASSERT(KeGetCurrentIrql()<=DISPATCH_LEVEL);
KeInitializeTimer(&mytime);
KeInitializeDpc(&dpc,MyXssdtDpc,NULL);
KeSetTimer(&mytime,t,&dpc);
}

/* Timer DPC: runs at DISPATCH_LEVEL every 5 seconds, re-installs the hook if
 * it was removed (BeginHook() is a no-op when the slot is already ours) and
 * re-arms the timer.  The `dpc` parameter shadows the global of the same name;
 * it is the same object, handed back by the timer.  The other arguments are
 * unused.  Once StopXssdt() cancels the timer this stops re-arming itself. */
void
MyXssdtDpc(PKDPC dpc,PVOID context,PVOID junk1,PVOID junk2)
{
DbgPrint("Xssdt \n");
BeginHook();
KeSetTimer(&mytime,t,dpc);
}


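/*
 * Stop the periodic re-hook timer, then unhook NtOpenProcess.
 *
 * KeCancelTimer() returns FALSE when the timer has already expired and its DPC
 * is queued or running on another CPU.  In that window the first version let
 * MyXssdtDpc() re-arm the timer — and call BeginHook() — after StopHook() had
 * run and while the driver was being unloaded.  KeFlushQueuedDpcs() waits for
 * every queued DPC to drain, and a second KeCancelTimer() then removes any
 * re-arm that raced the first cancel.  Must be called at PASSIVE_LEVEL (it is,
 * from OnUnload).
 *
 * This does not wait for threads currently inside myNtOpenProcess; the SSDT
 * technique offers no safe way to do that.
 */
void
StopXssdt()
{
    KeCancelTimer(&mytime);
    KeFlushQueuedDpcs();
    /* Catch a re-arm performed by a DPC that was already running above. */
    KeCancelTimer(&mytime);
    StopHook();
}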
GkfSyser 2009-01-14
在 SSDT 里 Hook NtOpenProcess、NtTerminateProcess 等一系列 Nt* 函数。注意只 Hook NtOpenProcess 拦不住在 Hook 之前就已经拿到句柄的调用方，所以至少要把 NtTerminateProcess 也拦下来。
