跳过签名-回调

admin

#pragma once
#include<ntddk.h>
#include<wdm.h>
//#include<ntifs.h>
#include<windef.h>
#define PROCESS_TERMINATE                  (0x0001)  
#define PROCESS_CREATE_THREAD              (0x0002)  
#define PROCESS_SET_SESSIONID              (0x0004)  
#define PROCESS_VM_OPERATION               (0x0008)  
#define PROCESS_VM_READ                    (0x0010)  
#define PROCESS_VM_WRITE                   (0x0020)  
#define PROCESS_DUP_HANDLE                 (0x0040)  
#define PROCESS_CREATE_PROCESS             (0x0080)  
#define PROCESS_SET_QUOTA                  (0x0100)  
#define PROCESS_SET_INFORMATION            (0x0200)  
#define PROCESS_QUERY_INFORMATION          (0x0400)  
#define PROCESS_SUSPEND_RESUME             (0x0800)  
#define PROCESS_QUERY_LIMITED_INFORMATION  (0x1000)  

#define THREAD_TERMINATE                 (0x0001)  
#define THREAD_SUSPEND_RESUME            (0x0002)  
#define THREAD_GET_CONTEXT               (0x0008)  
#define THREAD_SET_CONTEXT               (0x0010)  
#define THREAD_QUERY_INFORMATION         (0x0040)  
#define THREAD_SET_INFORMATION           (0x0020)  
#define THREAD_SET_THREAD_TOKEN          (0x0080)
#define THREAD_IMPERSONATE               (0x0100)
#define THREAD_DIRECT_IMPERSONATION      (0x0200)
// begin_wdm
#define THREAD_SET_LIMITED_INFORMATION   (0x0400)  // winnt
#define THREAD_QUERY_LIMITED_INFORMATION (0x0800)  // winnt
#define THREAD_RESUME                    (0x1000)  // winnt

typedef struct _LDR_DATA_TABLE_ENTRY
{
LIST_ENTRY InLoadOrderLinks;
LIST_ENTRY InMemoryOrderLinks;
LIST_ENTRY InInitializationOrderLinks;
LPVOID DllBase;//==========对应 ptr64
LPVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
union 
{
UCHAR FlagGroup[4];
ULONG Flags;
UCHAR PackagedBinary : 1;// PackagedBinary   : Pos 0, 1 Bit
UCHAR MarkedForRemoval : 1;
UCHAR ImageDll : 1;
UCHAR LoadNotificationsSent : 1;
UCHAR TelemetryEntryProcessed : 1;
UCHAR ProcessStaticImport : 1;
UCHAR InLegacyLists : 1;
UCHAR InIndexes : 1;
UCHAR ShimDll : 1;
UCHAR InExceptionTable : 1;
UCHAR ReservedFlags1 : 2;
UCHAR LoadInProgress : 1;
UCHAR LoadConfigProcessed : 1;
UCHAR EntryProcessed : 1;
UCHAR ProtectDelayLoad : 1;
UCHAR ReservedFlags3 : 2;
UCHAR DontCallForThreads : 1;
UCHAR ProcessAttachCalled : 1;
UCHAR ProcessAttachFailed : 1;
UCHAR CorDeferredValidate : 1;
UCHAR CorImage : 1;
UCHAR DontRelocate : 1;
UCHAR CorILOnly : 1;
UCHAR ChpeImage : 1;
UCHAR ReservedFlags5 : 2;
UCHAR Redirected : 1;
UCHAR ReservedFlags6 : 2;
UCHAR CompatDatabaseProcessed : 1;
};
USHORT ObsoleteLoadCount;//=Uint 2B
USHORT TlsIndex;
LIST_ENTRY HashLinks;
ULONG TimeDateStamp;
LPVOID EntryPointActivationContext;
LPVOID Lock;
LPVOID DdagNode;
LIST_ENTRY NodeModuleLink;
LPVOID LoadContext;
LPVOID ParentDllBase;
LPVOID SwitchBackContext;
RTL_BALANCED_NODE BaseAddressIndexNode;
RTL_BALANCED_NODE MappingInfoIndexNode;
ULONG64 OriginalBase;//==Uint8B
LARGE_INTEGER LoadTime;
ULONG BaseNameHashValue;//==Uint4B
LPVOID LoadReason;
ULONG ImplicitPathOptions;
ULONG ReferenceCount;
ULONG DependentLoadFlags;
UCHAR SigningLevel;
}LDR_DATA_TABLE_ENTRY,*PLDR_DATA_TABLE_ENTRY;


OB_CALLBACK_REGISTRATION CBoRegistertion = { 0 };
OB_OPERATION_REGISTRATION CBOpertionRegostertons[2] = { {0},{0} };
PVOID pCBRegisertionHandle = NULL;
UNICODE_STRING  CBAltitude;
OB_PREOP_CALLBACK_STATUS CBTdPreOpertionCallback_1(PVOID RegistertionCountext, POB_PRE_OPERATION_INFORMATION PreInfo)
{
PACCESS_MASK DesiredAccess = NULL;
ACCESS_MASK OriginalDesireAccess = 0;
HANDLE Pid = PsGetProcessId((PEPROCESS)PreInfo->Object);
if (PreInfo->ObjectType == *PsThreadType)
{
HANDLE ProcessOfTargeTherad = PsGetThreadProcessId((PETHREAD)PreInfo->Object);
if (7260!= ProcessOfTargeTherad)
{
goto Exit;
}
if (ProcessOfTargeTherad == PsGetCurrentProcessId())
{
KdPrint(("Current Thread"));
goto Exit;
}
}
switch (PreInfo->Operation)
{
case OB_OPERATION_HANDLE_CREATE:
DesiredAccess = &PreInfo->Parameters->CreateHandleInformation.DesiredAccess;
OriginalDesireAccess = PreInfo->Parameters->DuplicateHandleInformation.OriginalDesiredAccess;
break;
case OB_OPERATION_HANDLE_DUPLICATE:
DesiredAccess = &PreInfo->Parameters->CreateHandleInformation.DesiredAccess;
OriginalDesireAccess = PreInfo->Parameters->CreateHandleInformation.OriginalDesiredAccess;
break;
default:
break;
}
if (PreInfo->KernelHandle != 1)
{
__try//尝试干掉所有进程得读取操作和终止权限
{
if ((*DesiredAccess & THREAD_TERMINATE) == THREAD_TERMINATE)
*DesiredAccess &= ~THREAD_TERMINATE;
if ((*DesiredAccess &= THREAD_SUSPEND_RESUME) == THREAD_SUSPEND_RESUME)
*DesiredAccess &= ~THREAD_SUSPEND_RESUME;
if ((*DesiredAccess &= THREAD_SET_THREAD_TOKEN) == THREAD_SET_THREAD_TOKEN)
*DesiredAccess &= ~THREAD_SET_THREAD_TOKEN;
}
__except (1)
{
goto Exit;
}
}
Exit:
return OB_PREOP_SUCCESS;
}
OB_PREOP_CALLBACK_STATUS CBTdPreOpertionCallback(PVOID RegistertionCountext, POB_PRE_OPERATION_INFORMATION PreInfo)
{
PACCESS_MASK DesiredAccess = NULL;
ACCESS_MASK OriginalDesireAccess = 0;
HANDLE Pid = PsGetProcessId((PEPROCESS)PreInfo->Object);
if (PreInfo->ObjectType == *PsProcessType)
{
if (Pid != 7260)
{
goto Exit;
}
if (PreInfo->Object == PsGetCurrentProcess())
{
KdPrint(("Current Process"));
goto Exit;
}
}
switch (PreInfo->Operation)
{
case OB_OPERATION_HANDLE_CREATE:
DesiredAccess = &PreInfo->Parameters->CreateHandleInformation.DesiredAccess;
OriginalDesireAccess = PreInfo->Parameters->DuplicateHandleInformation.OriginalDesiredAccess;
break;
case OB_OPERATION_HANDLE_DUPLICATE:
DesiredAccess = &PreInfo->Parameters->CreateHandleInformation.DesiredAccess;
OriginalDesireAccess = PreInfo->Parameters->CreateHandleInformation.OriginalDesiredAccess;
break;
default:
break;
}
if (PreInfo->KernelHandle != 1)
{
__try//尝试干掉所有进程得读取操作和终止权限
{
if ((*DesiredAccess & PROCESS_TERMINATE) == PROCESS_TERMINATE)
*DesiredAccess &= ~PROCESS_TERMINATE;
if ((*DesiredAccess &= PROCESS_CREATE_THREAD) == PROCESS_CREATE_THREAD)
*DesiredAccess &= ~PROCESS_CREATE_THREAD;
if ((*DesiredAccess &= PROCESS_VM_OPERATION) == PROCESS_VM_OPERATION)
*DesiredAccess &= ~PROCESS_VM_OPERATION;
if ((*DesiredAccess & PROCESS_VM_READ) == PROCESS_VM_READ)
*DesiredAccess &= ~PROCESS_VM_READ;
if ((*DesiredAccess & PROCESS_VM_WRITE) == PROCESS_VM_WRITE)
*DesiredAccess &= ~PROCESS_VM_WRITE;
}
__except (1)
{
goto Exit;
}
}
Exit:
return OB_PREOP_SUCCESS;
}
NTSTATUS SetProtectCallBack()
{
NTSTATUS status = STATUS_SUCCESS;
CBOpertionRegostertons[0].ObjectType = PsProcessType;//回调类型
CBOpertionRegostertons[0].Operations |= OB_OPERATION_HANDLE_CREATE;
CBOpertionRegostertons[0].Operations |= OB_OPERATION_HANDLE_DUPLICATE;
CBOpertionRegostertons[0].PreOperation = CBTdPreOpertionCallback;//进程回调
CBOpertionRegostertons[1].ObjectType = PsThreadType;//回调类型
CBOpertionRegostertons[1].Operations |= OB_OPERATION_HANDLE_CREATE;
CBOpertionRegostertons[1].Operations|= OB_OPERATION_HANDLE_DUPLICATE;
CBOpertionRegostertons[1].PreOperation = CBTdPreOpertionCallback_1;//线程回调
RtlInitUnicodeString(&CBAltitude, L"2000");
CBoRegistertion.Version = OB_FLT_REGISTRATION_VERSION;//版本
CBoRegistertion.OperationRegistrationCount = 2;//回调数量
CBoRegistertion.Altitude = CBAltitude;//指向unicode 字符串
CBoRegistertion.RegistrationContext = NULL;//附加参数
CBoRegistertion.OperationRegistration = CBOpertionRegostertons;
status = ObRegisterCallbacks(&CBoRegistertion, &pCBRegisertionHandle);
if (!NT_SUCCESS(status))
{
KdPrint(("ObRegistert CallBack Error Code:0x%X", status));
}
return status;
}


void HelloDDKUnload(PDRIVER_OBJECT pDriverObject)
{
KdPrint(("DriverUn"));
if (pCBRegisertionHandle != NULL)
ObUnRegisterCallbacks(pCBRegisertionHandle);
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,IN PUNICODE_STRING pRegistryPath)
{
NTSTATUS ntStatus=STATUS_SUCCESS;;
KdPrint(("Driver Star\n"));
KdPrint(("Driver =%p", pDriverObject));
PLDR_DATA_TABLE_ENTRY ldr = (PLDR_DATA_TABLE_ENTRY)pDriverObject->DriverSection;
ldr->Flags |= 0x20;
//注册其他驱动调用函数入口
pDriverObject->DriverUnload = HelloDDKUnload;
// 设置进程和线程回调
SetProtectCallBack();
return ntStatus;
}
复制代码

云淡风轻舞飞扬

学习一下，感谢分享资料

明媚阳光

thanks for share.

李粤

可以看看，学习一下

流光溢彩

这个超级喜欢，我要学习学习

程序小魔灵

非常感谢，谢谢分享

血染的风采

楼主威武，抱走包走！！！！！！！！！

用心追求质量

看看学习一下

莫待花开空自怜

感谢，正要找呢..

你不懂我伤悲

学习学习，保存一下