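#include "type.h"
/* NOTE(review): a second #include directive follows "type.h" in the original
 * listing but its target was lost when the file was extracted; restore it
 * from the source tree before building. */

/* Size of the ANSI path buffer handed to GetFullName and of the per-call
 * buffer in FakedZwCreateProcess.  Kept at the original 256 (an earlier
 * revision apparently used 1024). */
enum { FULLNAME_SIZE = 256 };

/*
 * GetFullName - resolve the DOS-style image path behind a section handle.
 *
 * KeyHandle : handle to a section object.  In this driver it is the
 *             SectionHandle a caller passed to ZwCreateProcess, i.e. untrusted
 *             when the caller is user mode.
 * fullname  : caller-supplied buffer of at least FULLNAME_SIZE bytes.  On
 *             STATUS_SUCCESS it holds "<volume DOS name><file name>" as a
 *             NUL-terminated ANSI string, truncated to FULLNAME_SIZE - 1
 *             characters; on any error it holds "".
 *
 * Returns STATUS_SUCCESS when fullname was filled, otherwise an NTSTATUS
 * error (the original returned STATUS_SUCCESS even from its exception
 * handler, so callers could not tell an empty result from a real one).
 *
 * The walk from the section object to its FILE_OBJECT uses hard-coded,
 * undocumented field offsets (+20, +0, +36).  They look like section ->
 * segment -> control area -> file object, but that is an inference: the
 * offsets are valid for one OS build only and must be re-verified before the
 * driver is used elsewhere.  The __try block exists because that walk can
 * fault; it also hides any other exception raised inside, so a failure here
 * surfaces only as an error status.
 */
NTSTATUS GetFullName(HANDLE KeyHandle, char *fullname)
{
    NTSTATUS ns;
    PVOID pKey = NULL;
    PVOID pFile = NULL;            /* only set once it holds a reference */
    UNICODE_STRING fullUniName;
    UNICODE_STRING dosName;
    ANSI_STRING akeyname;

    fullname[0] = 0x00;
    fullUniName.Buffer = NULL;
    fullUniName.Length = 0;
    fullUniName.MaximumLength = 0;
    dosName.Buffer = NULL;
    akeyname.Buffer = NULL;

    /* Validate the handle against the mode of the calling thread instead of
     * unconditionally as KernelMode, so a user-mode caller cannot present a
     * kernel handle value.  ObjectType is still NULL (as in the original), so
     * no object-type check is done: a handle to something other than a
     * section would be walked with section offsets and is caught only by the
     * __try below. */
    ns = ObReferenceObjectByHandle(KeyHandle, 0, NULL, ExGetPreviousMode(),
                                   &pKey, NULL);
    if (!NT_SUCCESS(ns)) {
        return ns;
    }

    /* Unicode scratch buffer: FULLNAME_SIZE WCHARs.  The original never
     * checked this allocation. */
    fullUniName.Buffer = ExAllocatePool(PagedPool, FULLNAME_SIZE * 2);
    if (fullUniName.Buffer == NULL) {
        ObDereferenceObject(pKey);
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    fullUniName.MaximumLength = FULLNAME_SIZE * 2;

    __try {
        PVOID pSegment;
        PVOID pControlArea;
        PVOID pCandidate;

        /* Undocumented, build-specific offsets -- see the header comment. */
        pSegment = (PVOID)*(ULONG *)((char *)pKey + 20);
        pControlArea = (PVOID)*(ULONG *)((char *)pSegment);
        pCandidate = (PVOID)*(ULONG *)((char *)pControlArea + 36);

        /* Take a reference before touching the object; keep pFile NULL until
         * the reference exists so the cleanup path never releases a pointer
         * it does not own (the original ignored this status). */
        ns = ObReferenceObjectByPointer(pCandidate, 0, NULL, KernelMode);
        if (NT_SUCCESS(ns)) {
            pFile = pCandidate;
            /* On success dosName.Buffer is pool memory owned by us. */
            ns = RtlVolumeDeviceToDosName(((PFILE_OBJECT)pFile)->DeviceObject,
                                          &dosName);
            if (!NT_SUCCESS(ns)) {
                dosName.Buffer = NULL;
            }
        }

        if (NT_SUCCESS(ns)) {
            RtlCopyUnicodeString(&fullUniName, &dosName);
            /* Fails (STATUS_BUFFER_TOO_SMALL) when the file name does not fit
             * in the remaining FULLNAME_SIZE WCHARs; the original ignored that
             * and returned just the volume name.  Reported as an error here so
             * the caller does not act on a partial path. */
            ns = RtlAppendUnicodeStringToString(&fullUniName,
                                                &((PFILE_OBJECT)pFile)->FileName);
        }

        if (NT_SUCCESS(ns)) {
            /* TRUE: akeyname.Buffer is allocated and must be freed below. */
            ns = RtlUnicodeStringToAnsiString(&akeyname, &fullUniName, TRUE);
        }

        if (NT_SUCCESS(ns)) {
            if (akeyname.Length < FULLNAME_SIZE) {
                memcpy(fullname, akeyname.Buffer, akeyname.Length);
                fullname[akeyname.Length] = 0x00;
            } else {
                /* Same result as the original's copy-256-then-terminate. */
                memcpy(fullname, akeyname.Buffer, FULLNAME_SIZE - 1);
                fullname[FULLNAME_SIZE - 1] = 0x00;
            }
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        /* Most likely the pointer walk faulted (wrong OS build or not a
         * section object).  Report failure; leave no partial name behind. */
        ns = STATUS_UNSUCCESSFUL;
        fullname[0] = 0x00;
    }

    /* Single release path for every outcome.  The original released
     * different subsets on the normal and exception paths: it leaked
     * dosName.Buffer, the akeyname allocation and the pFile reference after
     * an exception, and could dereference pKey twice. */
    if (akeyname.Buffer != NULL) {
        RtlFreeAnsiString(&akeyname);
    }
    if (dosName.Buffer != NULL) {
        ExFreePool(dosName.Buffer);
    }
    ExFreePool(fullUniName.Buffer);
    if (pFile != NULL) {
        ObDereferenceObject(pFile);
    }
    ObDereferenceObject(pKey);

    if (!NT_SUCCESS(ns)) {
        fullname[0] = 0x00;
    }
    return ns;
}

/*
 * FakedZwCreateProcess - replacement installed in the system service table in
 * place of ZwCreateProcess.  The parameters are the native ZwCreateProcess
 * parameters and are forwarded unchanged to RealZwCreateProcess.
 *
 * Policy (unchanged from the original): resolve the image path behind
 * SectionHandle; if its last '\' is at index 2, i.e. the image sits directly
 * in a drive root (constructed example: "C:\x.exe"), refuse to create the
 * process.  Anything else -- including paths GetFullName could not resolve --
 * is handed to the real service.
 *
 * Returns the real service's status, or STATUS_ACCESS_DENIED when the policy
 * refuses the request.  ProcessHandle is deliberately not written on the
 * refused path: it is a caller-supplied, possibly user-mode pointer that has
 * not been probed here, and a failure status already tells the caller that no
 * handle was produced.  (The original assigned NULL to its local copy of
 * ProcessHandle -- a no-op for the caller -- and returned STATUS_SUCCESS,
 * leaving the caller with an uninitialised handle.)
 *
 * The original author asked, in a comment, whether resources had to be
 * released before returning: no, everything here is automatic storage, and
 * GetFullName releases what it acquires.
 */
NTSTATUS FakedZwCreateProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN HANDLE InheritFromProcessHandle,
    IN BOOLEAN InheritHandles,
    IN HANDLE SectionHandle OPTIONAL,
    IN HANDLE DebugPort OPTIONAL,
    IN HANDLE ExceptionPort OPTIONAL,
    IN HANDLE Unknown)
{
    char aPathName[FULLNAME_SIZE];

    /* SectionHandle may be NULL (OPTIONAL); GetFullName then fails and the
     * request falls through to the real service, as before. */
    if (GetFullName(SectionHandle, aPathName) == STATUS_SUCCESS) {
        const char *lastSep = strrchr(aPathName, '\\');
        if (lastSep != NULL && (lastSep - aPathName) == 2) {
            return STATUS_ACCESS_DENIED;
        }
    }

    return RealZwCreateProcess(ProcessHandle,
                               DesiredAccess,
                               ObjectAttributes,
                               InheritFromProcessHandle,
                               InheritHandles,
                               SectionHandle,
                               DebugPort,
                               ExceptionPort,
                               Unknown);
}

/*
 * WriteCreateProcessEntry - store target into the ZwCreateProcess slot of the
 * system service table.  Shared by ProcMoniterOn/ProcMoniterOff, which were
 * two verbatim copies of this sequence differing only in the stored value.
 *
 * The WP bit of CR0 is cleared around the store because the table is in
 * read-only kernel memory.  CLI/STI mask interrupts on the executing
 * processor only: nothing here serialises against other CPUs that may be
 * dispatching system calls at the same moment, and the store itself is a
 * plain write.  32-bit x86 MSVC only (inline _asm, 32-bit CR0 handling,
 * pointer-sized table entries assumed).
 */
static VOID WriteCreateProcessEntry(ZWCREATEPROCESS target)
{
    _asm {
        CLI                     // mask interrupts on this CPU
        MOV EAX, CR0            // read CR0
        AND EAX, NOT 10000H     // clear WP
        MOV CR0, EAX            // write CR0 back
    }

    /* Equivalent to the original's MSVC "cast as lvalue" form
     * (ZWCREATEPROCESS)(*(base + pos)) = target, written as a standard
     * pointer-typed store. */
    *(ZWCREATEPROCESS *)(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase
                         + CreateProcessposition) = target;

    _asm {
        MOV EAX, CR0            // read CR0
        OR EAX, 10000H          // set WP again
        MOV CR0, EAX            // write CR0 back
        STI                     // unmask interrupts
    }
}

/* ProcMoniterOn - route ZwCreateProcess through FakedZwCreateProcess. */
VOID ProcMoniterOn(void)
{
    WriteCreateProcessEntry(FakedZwCreateProcess);
}

/* ProcMoniterOff - restore the original ZwCreateProcess entry. */
VOID ProcMoniterOff(void)
{
    WriteCreateProcessEntry(RealZwCreateProcess);
}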