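#include <ntddk.h>

// Image name of the process whose handles get their dangerous access rights
// stripped. Compared against EPROCESS.ImageFileName, which is a 15-byte,
// case-sensitive array: the match is name-only, so anything that shares (or
// is renamed to) this name is treated the same way.
#define BLOCK_PROCESS "notepad.exe"

// Process access rights (same values as the user-mode SDK headers), redefined
// here so the driver only needs ntddk.h. PreOperationCallback currently strips
// PROCESS_TERMINATE and the PROCESS_VM_* rights; CREATE_THREAD,
// CREATE_PROCESS and SUSPEND_RESUME are defined but not used anywhere.
#define PROCESS_CREATE_THREAD (0x0002)
#define PROCESS_CREATE_PROCESS (0x0080)
#define PROCESS_TERMINATE (0x0001)
#define PROCESS_VM_WRITE (0x0020)
#define PROCESS_VM_READ (0x0010)
#define PROCESS_VM_OPERATION (0x0008)
#define PROCESS_SUSPEND_RESUME (0x0800)

// Opaque registration handle returned by ObRegisterCallbacks in DriverEntry
// and released by ObUnRegisterCallbacks in drv_unload. NULL while not
// registered.
static PVOID registry = NULL;

// Callback altitude; must be unique among the object callbacks loaded on the
// machine or ObRegisterCallbacks fails.
static UNICODE_STRING altitude = RTL_CONSTANT_STRING(L"300000");

//1: kd > dt nt!_EPROCESS ImageFileName
//+ 0x5a8 ImageFileName : [15] UChar
// NOTE(review): this offset was read from one specific kernel build with the
// debugger. The EPROCESS layout changes between Windows versions, so on any
// other build this reads unrelated memory and the name check silently stops
// working (or misfires). Confirm it against the target build, or use the
// exported (undocumented) PsGetProcessImageFileName() accessor instead of
// poking into EPROCESS directly.
static const unsigned int imagefilename_offset = 0x5a8;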
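// Driver unload routine: tears down the object callback registration made in
// DriverEntry. Guarded so a NULL (never registered / already released)
// handle is not passed to ObUnRegisterCallbacks.
auto drv_unload(PDRIVER_OBJECT DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    if (registry != NULL) {
        ObUnRegisterCallbacks(registry);
        registry = NULL;
    }
}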
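// Pre-operation callback for process handle creation. When the target process
// (PreInfo->Object) is named BLOCK_PROCESS, the rights that allow terminating
// it or touching its memory are removed from the access mask the caller will
// receive. Always returns OB_PREOP_SUCCESS (the only value the callback may
// return); access is limited by editing DesiredAccess, not by failing the open.
//
// Limitations worth knowing: only the 15-character image name is checked (not
// the full path or any signature), only user-mode opens are filtered, and only
// OB_OPERATION_HANDLE_CREATE is registered in DriverEntry, so handles obtained
// by duplication are not filtered here.
OB_PREOP_CALLBACK_STATUS
PreOperationCallback(
    _In_ PVOID RegistrationContext,
    _Inout_ POB_PRE_OPERATION_INFORMATION PreInfo
) {
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Kernel components open processes for their own bookkeeping; stripping
    // their rights can break the system, so only user-mode requests are
    // filtered.
    if (PreInfo->KernelHandle) {
        return OB_PREOP_SUCCESS;
    }

    // DriverEntry registers only HANDLE_CREATE, but the Parameters union
    // differs per operation, so check before reading CreateHandleInformation.
    if (PreInfo->Operation != OB_OPERATION_HANDLE_CREATE) {
        return OB_PREOP_SUCCESS;
    }

    // EPROCESS.ImageFileName is a 15-byte array that is not NUL-terminated
    // when the image name is 15 characters or longer, so an unbounded strcmp
    // could read past the field; bound the compare to the field size.
    const size_t imagefilename_length = 15;
    const char* image_name = (const char*)PreInfo->Object + imagefilename_offset;
    if (strncmp(BLOCK_PROCESS, image_name, imagefilename_length) != 0) {
        return OB_PREOP_SUCCESS;
    }

    // DesiredAccess can only ever be reduced relative to OriginalDesiredAccess,
    // so clearing the bits unconditionally is equivalent to testing each one
    // in OriginalDesiredAccess first.
    // NOTE(review): this masks specific bits only; whether generic rights
    // (GENERIC_ALL, MAXIMUM_ALLOWED) have already been mapped to specific
    // rights at this point should be confirmed against the ObRegisterCallbacks
    // documentation before relying on this for protection.
    const ACCESS_MASK blocked_rights =
        PROCESS_TERMINATE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_VM_WRITE;
    PreInfo->Parameters->CreateHandleInformation.DesiredAccess &= ~blocked_rights;

    return OB_PREOP_SUCCESS;
}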
// Post-operation callback registered alongside PreOperationCallback. There is
// nothing to do once the handle has been created, so both arguments are
// deliberately ignored; the routine exists only to fill the registration.
VOID
PostOperationCallback(
    _In_ PVOID RegistrationContext,
    _In_ POB_POST_OPERATION_INFORMATION PostInfo
)
{
    UNREFERENCED_PARAMETER(PostInfo);
    UNREFERENCED_PARAMETER(RegistrationContext);
}
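// Driver entry point: installs the unload routine and registers the process
// handle-creation callbacks. Returns the status of ObRegisterCallbacks; on
// failure the driver is not loaded and drv_unload is not invoked.
//
// Note: ObRegisterCallbacks only accepts drivers whose image was linked with
// /INTEGRITYCHECK; without that flag registration fails (typically with
// STATUS_ACCESS_DENIED) and the DbgPrint below is the only hint.
extern "C" auto DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) -> NTSTATUS {
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = drv_unload;

    // Kept static, as in the original, so the records outlive this routine.
    static OB_OPERATION_REGISTRATION oboperation_registration = {};
    // Only handle creation is filtered; OB_OPERATION_HANDLE_DUPLICATE is not
    // registered, so duplicated handles keep whatever rights they had.
    oboperation_registration.Operations = OB_OPERATION_HANDLE_CREATE;
    oboperation_registration.ObjectType = PsProcessType;
    oboperation_registration.PreOperation = PreOperationCallback;
    oboperation_registration.PostOperation = PostOperationCallback;

    static OB_CALLBACK_REGISTRATION ob_callback_register = {};
    ob_callback_register.Version = OB_FLT_REGISTRATION_VERSION;
    ob_callback_register.OperationRegistrationCount = 1;
    ob_callback_register.Altitude = altitude;
    ob_callback_register.RegistrationContext = NULL;
    ob_callback_register.OperationRegistration = &oboperation_registration;

    // `registry` receives the opaque handle that drv_unload passes back to
    // ObUnRegisterCallbacks.
    const NTSTATUS status = ObRegisterCallbacks(&ob_callback_register, &registry);
    if (!NT_SUCCESS(status)) {
        DbgPrint("failed to register callback: %x \r\n", status);
    }
    return status;
}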