x64 process protection via an object callback HOOK

Process-protection callbacks on x64 (and 32-bit).

1. Process and thread protection

1.1 Introduction and principles

Earlier we talked about the SSDT. Hooking the SSDT lets you do many things, such as preventing a process from being terminated, but that was on x86.
On x64 you can still hook the SSDT, but you first have to get past PatchGuard. In case you cannot get past PG, the operating system itself provides callbacks you can use for protection;
this is also called an object callback hook (Ob).

The function at the centre of this is ObRegisterCallbacks().
It really is just one callback-registration function; look it up on MSDN. I covered it in an earlier post, but
now want to write it up again.

MSDN: https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-obregistercallbacks

In practice you fill in a chain of structures, following the MSDN description.

The function itself is very simple: parameter 1 is a structure you fill in, parameter 2 receives a handle that you use later when unregistering.

The outer structure points at an inner structure (it can be an array) so that you can register several callbacks at once.
Each inner structure only specifies the object type you want to monitor and the address of the callback function.

The one catch: if your driver is not signed, the operating system will not let you use the callbacks it provides (ObRegisterCallbacks, PsSetCreateProcessNotifyRoutineEx and so on) on x64.
That is fine though, because this check was reverse-engineered long ago; all we need to do is set one flag.

Just add the following code at the driver entry point:

PLDR_DATA_TABLE_ENTRY ldr;
    ldr = (PLDR_DATA_TABLE_ENTRY)DriverObject->DriverSection;
    ldr->Flags |= 0x20; // Checked when the driver loads: a special signature is normally required; OR in 0x20 and the registration call succeeds, otherwise it fails

Structure is defined as follows:

typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY64    InLoadOrderLinks;
    LIST_ENTRY64    InMemoryOrderLinks;
    LIST_ENTRY64    InInitializationOrderLinks;
    PVOID            DllBase;
    PVOID            EntryPoint;
    ULONG            SizeOfImage;
    UNICODE_STRING    FullDllName;
    UNICODE_STRING     BaseDllName;
    ULONG            Flags;
    USHORT            LoadCount;
    USHORT            TlsIndex;
    PVOID            SectionPointer;
    ULONG            CheckSum;
    PVOID            LoadedImports;
    PVOID            EntryPointActivationContext;
    PVOID            PatchInformation;
    LIST_ENTRY64    ForwarderLinks;
    LIST_ENTRY64    ServiceTagLinks;
    LIST_ENTRY64    StaticLinks;
    PVOID            ContextInformation;
    ULONG            OriginalBase;
    LARGE_INTEGER    LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

Note the sizes here: on 32-bit the list fields are LIST_ENTRY32. Fill in the structure for your target accordingly, then install the driver.
As for how to write the callback itself, read the MSDN page; any callback function you write yourself will do.

As follows (the function declarations live in a Driver.h of my own; its contents do not matter here):

1.2 Code


#include "Driver.h"     // only carries the declarations below; its contents are not shown in the post
#include <ntstrsafe.h>  // RtlUnicodeStringInit

// Forward declarations (the post keeps these in Driver.h)
NTSTATUS InitHook(VOID);
VOID UnHook(VOID);
VOID DriverUnLoad(PDRIVER_OBJECT pDriverObj);
OB_PREOP_CALLBACK_STATUS MyObjectCallBack(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation);

PVOID g_ObjHandle = NULL;   // registration handle returned by ObRegisterCallbacks; needed to unregister

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegPath)
{
    NTSTATUS ntStatus;
    PLDR_DATA_TABLE_ENTRY ldr;
    UNREFERENCED_PARAMETER(pRegPath);

    ldr = (PLDR_DATA_TABLE_ENTRY)pDriverObj->DriverSection;
    ldr->Flags |= 0x20;   // the load-time flag described in 1.1

    pDriverObj->DriverUnload = DriverUnLoad;
    /* Device, symbolic link and dispatch setup are not needed for this demo:
    ntStatus = InitDeviceAnSybolicLinkName(pDriverObj);
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;
    }

    ntStatus = InitDisPatchFunction(pDriverObj);
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;
    }*/
    ntStatus = InitHook();
    if (!NT_SUCCESS(ntStatus))
    {
        return ntStatus;   // nothing registered, so there is nothing for DriverUnLoad to undo
    }
    return STATUS_SUCCESS;
}

// Our callback function: for now it only reports that it fired
OB_PREOP_CALLBACK_STATUS MyObjectCallBack(
    PVOID RegistrationContext,
    POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
    UNREFERENCED_PARAMETER(RegistrationContext);
    UNREFERENCED_PARAMETER(OperationInformation);
    DbgPrint("1111\r\n");

    return OB_PREOP_SUCCESS;   // a pre-operation callback must return OB_PREOP_SUCCESS, not an NTSTATUS
}

NTSTATUS InitHook(VOID)
{
    // HOOK: how the callback hook is written
    OB_OPERATION_REGISTRATION oper;                // your callback and the type it watches; may be an array of these
    OB_CALLBACK_REGISTRATION CallbackRegistration;
    NTSTATUS status;

    RtlZeroMemory(&oper, sizeof(oper));                                   // every field, PostOperation included, starts as NULL (see 1.3)
    RtlZeroMemory(&CallbackRegistration, sizeof(CallbackRegistration));

    CallbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;          // version number
    CallbackRegistration.OperationRegistrationCount = 1;                 // how many hooks, i.e. the number of array elements
    RtlUnicodeStringInit(&CallbackRegistration.Altitude, L"600000");     // altitude string: tells the system where your callback sits in the order
    CallbackRegistration.RegistrationContext = NULL;                     // handed to your callback as RegistrationContext
    CallbackRegistration.OperationRegistration = &oper;                  // the hook structure (array)

    // Fill in the hook structure
    oper.ObjectType = PsProcessType;              // process handle operations; PsThreadType would watch thread handles instead
    oper.Operations = OB_OPERATION_HANDLE_CREATE; // handle creation (OR in OB_OPERATION_HANDLE_DUPLICATE to also catch duplication)
    oper.PreOperation = MyObjectCallBack;         // two pointers: pre = notified before the handle is granted, post = after
    oper.PostOperation = NULL;                    // must be NULL when unused, never left uninitialised

    status = ObRegisterCallbacks(&CallbackRegistration, &g_ObjHandle);
    if (!NT_SUCCESS(status))
    {
        g_ObjHandle = NULL;
        KdPrint(("ObRegisterCallbacks failed: 0x%08X\r\n", status));
    }
    return status;
}

VOID UnHook(VOID)
{
    if (g_ObjHandle != NULL)   // only unregister what was actually registered
    {
        ObUnRegisterCallbacks(g_ObjHandle);
        g_ObjHandle = NULL;
    }
}

VOID DriverUnLoad(PDRIVER_OBJECT pDriverObj)
{
    UNREFERENCED_PARAMETER(pDriverObj);
    UnHook();
}

1.3 A pitfall to note

While writing this code a blue screen occurred. The reason: after you set the pre-operation pointer, the post-operation pointer must be set to NULL.
When process protection is in place, the kernel walks the array of operation registrations whenever a process handle is created and calls the pointers in turn:
first your pre-operation pointer, then the post-operation pointer. If that one was never set to NULL it holds a garbage stack value, and calling it bluescreens the machine.
Keep this in mind.

2. Writing the callback

2.1 Problems encountered

About the callback function: we have to look at the access rights being requested, but I could not find them documented.
MSDN only tells you what each field is; we want to know how to use it.
First, the list of process access rights:

#define PROCESS_TERMINATE         (0x0001)  // winnt
#define PROCESS_CREATE_THREAD     (0x0002)  // winnt
#define PROCESS_SET_SESSIONID     (0x0004)  // winnt
#define PROCESS_VM_OPERATION      (0x0008)  // winnt
#define PROCESS_VM_READ           (0x0010)  // winnt
#define PROCESS_VM_WRITE          (0x0020)  // winnt
// begin_ntddk begin_wdm begin_ntifs
#define PROCESS_DUP_HANDLE        (0x0040)  // winnt
// end_ntddk end_wdm end_ntifs
#define PROCESS_CREATE_PROCESS    (0x0080)  // winnt
#define PROCESS_SET_QUOTA         (0x0100)  // winnt
#define PROCESS_SET_INFORMATION   (0x0200)  // winnt
#define PROCESS_QUERY_INFORMATION (0x0400)  // winnt
#define PROCESS_SET_PORT          (0x0800)
#define PROCESS_SUSPEND_RESUME    (0x0800)  // winnt

They can also be seen in the WRK source.

With those we can write the callback code on its own.

2.2 Callback code


NTKERNELAPI
UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);   // exported by ntoskrnl but absent from the public headers, hence the manual declaration


OB_PREOP_CALLBACK_STATUS MyObjectCallBack(
    PVOID RegistrationContext,
    POB_PRE_OPERATION_INFORMATION OperationInformation
)
{
    PEPROCESS pProcess = NULL;
    UCHAR *pszName = NULL;

    UNREFERENCED_PARAMETER(RegistrationContext);

    // Leave the kernel's own handles alone; only handles opened from user mode are filtered
    if (OperationInformation->KernelHandle)
    {
        return OB_PREOP_SUCCESS;
    }

    pProcess = (PEPROCESS)OperationInformation->Object;
    pszName = PsGetProcessImageFileName(pProcess);

    // Check whether the operation is a handle open
    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
    {
        // Match on the image name
        if (strstr((const char *)pszName, "calc"))
        {
            KdPrint(("%s \r\n", pszName));
            // Is the caller asking for the right to terminate?
            if (OperationInformation->Parameters->CreateHandleInformation.OriginalDesiredAccess
                & PROCESS_TERMINATE)
            {
                // It is our process: clear only the terminate right in DesiredAccess.
                // (Plain "= ~PROCESS_TERMINATE" would replace the whole mask and grant every
                //  right except terminate, far more than the caller asked for.)
                OperationInformation->Parameters->CreateHandleInformation.DesiredAccess
                    &= ~PROCESS_TERMINATE;
            }
        }
    }

    // A pre-operation callback always returns OB_PREOP_SUCCESS; the reduced DesiredAccess is what denies termination
    return OB_PREOP_SUCCESS;
}
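The decision the callback makes on the access mask is worth seeing on its own, outside the kernel. The following is an added example, not the post's driver code: a user-mode C model of that decision that puts the original "DesiredAccess = ~PROCESS_TERMINATE" form beside the corrected "&=" form, so the difference in what each one grants can be checked. The PROCESS_* values are the ones listed in 2.1; pre_op_info, OP_HANDLE_CREATE, OP_HANDLE_DUPLICATE, DENIED_RIGHTS, buggy_filter, hardened_filter and rights_stripped are stand-ins invented for the example (the real OB_PRE_OPERATION_INFORMATION keeps the two masks inside a Parameters union). It goes slightly beyond the post in two ways: the hardened version also covers duplicated handles and leaves the kernel's own handles untouched.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process access rights, values as listed in section 2.1 (winnt / WRK). */
#define PROCESS_TERMINATE         (0x0001)
#define PROCESS_CREATE_THREAD     (0x0002)
#define PROCESS_VM_OPERATION      (0x0008)
#define PROCESS_VM_READ           (0x0010)
#define PROCESS_VM_WRITE          (0x0020)
#define PROCESS_QUERY_INFORMATION (0x0400)

/* Stand-ins (assumed for this model) for OB_OPERATION_HANDLE_CREATE / OB_OPERATION_HANDLE_DUPLICATE. */
#define OP_HANDLE_CREATE    1
#define OP_HANDLE_DUPLICATE 2

/* Flattened stand-in for OB_PRE_OPERATION_INFORMATION. In the real struct the two masks live in
   Parameters->CreateHandleInformation or Parameters->DuplicateHandleInformation depending on
   Operation; here they are a single pair of fields. */
typedef struct {
    int         operation;        /* OP_HANDLE_CREATE or OP_HANDLE_DUPLICATE */
    int         kernel_handle;    /* nonzero when the kernel itself is opening the handle */
    const char *image_name;       /* what PsGetProcessImageFileName(Object) returns in the driver */
    ACCESS_MASK original_desired; /* what the caller asked for; read-only in the real struct */
    ACCESS_MASK desired;          /* what will be granted; the callback may only shrink it */
} pre_op_info;

/* Rights a protected process should not hand out to other processes (a policy chosen for this example). */
#define DENIED_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE)

/* The same substring match the post applies to the image name. */
static int is_protected(const char *image_name)
{
    return image_name != NULL && strstr(image_name, "calc") != NULL;
}

/* Decision as written in the original 2.2 code: create-only, and "DesiredAccess = ~PROCESS_TERMINATE".
   Returns the resulting DesiredAccess so the effect can be inspected. */
ACCESS_MASK buggy_filter(pre_op_info *info)
{
    if (info->operation == OP_HANDLE_CREATE && is_protected(info->image_name) &&
        (info->original_desired & PROCESS_TERMINATE) != 0)
    {
        info->desired = (ACCESS_MASK)~PROCESS_TERMINATE;   /* replaces the mask: every right except terminate */
    }
    return info->desired;
}

/* Corrected decision: clear only the denied bits, never touch kernel handles,
   and apply the same rule when a handle is duplicated. */
ACCESS_MASK hardened_filter(pre_op_info *info)
{
    if (info->kernel_handle)
        return info->desired;
    if (info->operation != OP_HANDLE_CREATE && info->operation != OP_HANDLE_DUPLICATE)
        return info->desired;
    if (!is_protected(info->image_name))
        return info->desired;

    info->desired &= ~DENIED_RIGHTS;
    return info->desired;
}

/* Which requested rights a decision removed; the value to put in a KdPrint-style audit line. */
ACCESS_MASK rights_stripped(ACCESS_MASK original, ACCESS_MASK granted)
{
    return original & ~granted;
}

int main(void)
{
    /* Constructed request: a user-mode caller asks to terminate and query calc.exe. */
    ACCESS_MASK asked = PROCESS_TERMINATE | PROCESS_QUERY_INFORMATION;
    pre_op_info bug = { OP_HANDLE_CREATE, 0, "calc.exe", asked, asked };
    pre_op_info fix = bug;

    printf("buggy    grants 0x%08x\n", buggy_filter(&bug));
    printf("hardened grants 0x%08x (stripped 0x%04x)\n",
           hardened_filter(&fix), rights_stripped(fix.original_desired, fix.desired));
    return 0;
}
```

Running it shows the buggy form granting 0xfffffffe (PROCESS_VM_WRITE and everything else the caller never asked for) while the hardened form grants only PROCESS_QUERY_INFORMATION; the buggy form also lets a duplicated handle through with PROCESS_TERMINATE intact, which is why the real driver should register OB_OPERATION_HANDLE_DUPLICATE as well.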


Source: www.cnblogs.com/iBinary/p/11235827.html