

s37su37 发表于 2008-7-24 17:22

[讨论]监控进程运行

[讨论]监控进程运行
议题作者:sislcb
信息来源:邪恶八进制信息安全团队([url=http://www.eviloctal.com/]www.eviloctal.com[/url])

我想实现在进程启动时进行提示,就是一运行程序就会提示,如果同意运行,则正常运行,否则不允许其运行。

我在 CodeProject 找到的一篇文章,就是通过 hook SSDT 中的 NtCreateSection 函数来实现的。

测试了下他的程序,可以达到监视进程的运行,但是禁止进程运行时,会弹出一个对话框:
“不是有效的win32程序”,我现在不知道怎么把这个对话框去掉?请指教。

他的做法是在不允许运行时,返回一个 STATUS_ACCESS_DENIED 作为 NTSTATUS 返回值给 NtCreateSection 这个函数,所以这个对话框是系统弹出来的。我的想法是:有没有什么 NTSTATUS,既可以不让进程运行,又可以不出现警告对话框。


驱动代码如下:
#include \"ntddk.h\"

// Driver's view of one system service descriptor, read through the exported
// KeServiceDescriptorTable. DrvDispatch/DrvUnload only use ServiceTable
// (the entry patched is at 4*Index + ServiceTable) and, by name, ServiceLimit.
// NOTE(review): this mirrors the kernel's KSERVICE_TABLE_DESCRIPTOR
// (ServiceTableBase, ServiceCounterTableBase, NumberOfServices, ParamTableBase)
// with 32-bit fields, so the layout holds for x86 only.
struct SYS_SERVICE_TABLE {
  void **ServiceTable;          // service routine addresses, one per syscall index
  unsigned long CounterTable;   // per-service counter table; unused here
  unsigned long ServiceLimit;   // number of entries in ServiceTable
  void **ArgumentsTable;        // per-service argument byte counts; unused here
};



// NT device name and the user-visible symbolic link created in DriverEntry
const WCHAR devicename[]=L\"\\Device\\Protector\";
const WCHAR devicelink[]=L\"\\DosDevices\\PROTECTOR\";


// Lock around `output`: check() waits on it before writing a request and
// signals it after the user's answer has been read (initialised signalled
// in DriverEntry).
KEVENT event;



// Index: SSDT slot patched by DrvDispatch. RealCallee: the address that slot
// held before the patch; Proxy jumps to it when check() allows the call.
// Both stay 0 until the IOCTL has run.
ULONG Index,RealCallee;
// Kernel mapping of the 256-byte user-mode response buffer (set by DrvDispatch).
// Layout used by check(): DWORD 0 = request pending (1 until the user clears it),
// DWORD 1 = user's answer, bytes 8.. = NUL-terminated file name.
char*output;
// Exported by the kernel; the dispatch table being patched.
extern struct SYS_SERVICE_TABLE *KeServiceDescriptorTable;


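//this function decides whether we should allow NtCreateSection() call to be successfull
//
// arg points at the 7 stack arguments of NtCreateSection (Proxy passes
// esp+40): arg[4] is SectionPageProtection, arg[5] AllocationAttributes,
// arg[6] FileHandle. Returns 1 when the call may proceed; any other value
// makes Proxy fail the call with STATUS_ACCESS_DENIED. Every internal
// failure (bad handle, conversion failure, no response buffer) returns 1
// so that the real NtCreateSection reports its own error.
ULONG __stdcall check(PULONG arg)
{
    HANDLE hand = 0;
    PFILE_OBJECT file = 0;
    NTSTATUS status;
    ANSI_STRING str;
    ULONG a, len;
    char *buff;
    LARGE_INTEGER li;
    li.QuadPart = -10000; // relative 1 ms poll interval

    //check the flags. If PAGE_EXECUTE access to the section is not requested,
    //it does not make sense to be bothered about it
    // 0xf0 covers PAGE_EXECUTE / _READ / _READWRITE / _WRITECOPY (0x10..0x80);
    // 0x01000000 is SEC_IMAGE, i.e. the section is an image being mapped.
    if ((arg[4] & 0xf0) == 0) return 1;
    if ((arg[5] & 0x01000000) == 0) return 1;

    // without a mapped response buffer there is nobody to ask
    if (!output) return 1;

    //get the file name via the file handle
    // The handle comes from the caller of NtCreateSection, so it is validated
    // for the caller's mode and required to be a file object: without the type
    // check any other object would be read as a FILE_OBJECT below. The last
    // parameter is optional; passing a pointer to anything smaller than an
    // OBJECT_HANDLE_INFORMATION there would corrupt the stack.
    hand = (HANDLE)arg[6];
    status = ObReferenceObjectByHandle(hand, 0, *IoFileObjectType, ExGetPreviousMode(),
                                       (PVOID *)&file, NULL);
    if (!NT_SUCCESS(status) || !file) return 1;

    // NOTE(review): FileName is the name used at open time (relative to the
    // device / related file), not necessarily a full path — confirm this is
    // enough for the user-mode side.
    status = RtlUnicodeStringToAnsiString(&str, &file->FileName, TRUE);
    ObDereferenceObject(file);
    if (!NT_SUCCESS(status)) return 1;

    // locate the last '.'; stop at index 0 instead of running below the
    // buffer when the name has no extension at all
    buff = str.Buffer;
    len = str.Length;
    a = len;
    while (a > 0 && buff[a - 1] != '.') a--;

    //if it is not executable, it does not make sense to be bothered about it
    //return 1
    if (a == 0 || len - a != 3 || _strnicmp(&buff[a], "exe", 3) != 0) {
        RtlFreeAnsiString(&str);
        return 1;
    }

    //now we are going to ask user's opinion. Write file name to the buffer, and wait until
    //the user indicates the response (1 as a first DWORD means we can proceed)

    //synchronize access to the buffer
    KeWaitForSingleObject(&event, Executive, KernelMode, 0, 0);

    // set first 2 DWORD of a buffer to zero, copy the string into the buffer, and loop
    //until the user sets first DWORD to 1. The value of the second DWORD indicates user's
    //response
    // output is a 256-byte mapping; the name goes at offset 8 and is
    // truncated rather than written past the end of the mapping.
    if (len > 256 - 8 - 1) len = 256 - 8 - 1;
    memmove(&output[8], buff, len);
    output[8 + len] = 0;
    RtlFreeAnsiString(&str);

    a = 1;
    memmove(&output[0], &a, 4);
    while (1) {
        KeDelayExecutionThread(KernelMode, 0, &li);
        memmove(&a, &output[0], 4);
        if (!a) break;
    }
    memmove(&a, &output[4], 4);
    KeSetEvent(&event, 0, 0);

    // returned verbatim: Proxy treats anything other than 1 as "deny"
    return a;
}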


//just saves execution contect and calls check()
//
// Installed by DrvDispatch into the SSDT slot selected by Index (check()
// reads the arguments by NtCreateSection's layout, so that is the slot it
// is meant for). Naked: no prologue/epilogue, the stack is exactly as the
// service dispatcher left it — [esp] is the return address, [esp+4] arg[0].
// NOTE(review): implicit int return and empty parameter list are pre-C99
// leftovers; the routine is only ever entered through the patched slot.
_declspec(naked) Proxy()
{

_asm{

//save execution contect and calls check() -the rest depends upon the value check() returns
// if it is 1, proceed to the actual callee. Otherwise,return STATUS_ACCESS_DENIED
pushfd
pushad
mov ebx,esp
add ebx,40      // 4 (eflags) + 32 (pushad) + 4 (return address) -> &arg[0]
push ebx
call check      // __stdcall: check() pops its own argument
cmp eax,1
jne block

//proceed to the actual callee
popad
popfd
jmp RealCallee  // tail jump: the original service returns straight to the dispatcher

//return STATUS_ACCESS_DENIED
block:popad
mov ebx, dword ptr[esp+8]   // arg[0] = SectionHandle (out); eflags + return address are still on the stack
mov dword ptr[ebx],0        // hand back a NULL section handle
mov eax,0xC0000022L         // STATUS_ACCESS_DENIED
popfd
ret 32  // NOTE(review): NtCreateSection takes 7 DWORD arguments (28 bytes); whether popping 32 here is harmless depends on the dispatcher restoring esp itself — confirm

}
}


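// IOCTL handler. Code 1000 (low two bits 00 = METHOD_BUFFERED, so the input
// is in SystemBuffer) carries { ULONG Index; ULONG UserBuffer; }: Index is
// the SSDT slot to patch with Proxy, UserBuffer the caller's virtual address
// of the 256-byte response buffer used by check(). The input length, the
// index (against ServiceLimit), a second hook request and the buffer's page
// placement are all validated before the table is touched; failures complete
// the IRP with an error status instead of leaving a half-installed hook.
// NOTE(review): the user page is reached through its physical address, so it
// must stay resident and at the same physical address for the lifetime of
// the hook; an MDL (MmProbeAndLockPages) would make that guarantee explicit.
NTSTATUS DrvDispatch(IN PDEVICE_OBJECT device, IN PIRP Irp)
{
    UCHAR *buff = 0;
    ULONG a, base, idx;
    PHYSICAL_ADDRESS pa;
    NTSTATUS status = STATUS_SUCCESS;
    PIO_STACK_LOCATION loc = IoGetCurrentIrpStackLocation(Irp);

    if (loc->Parameters.DeviceIoControl.IoControlCode == 1000) {
        buff = (UCHAR *)Irp->AssociatedIrp.SystemBuffer;
        if (!buff || loc->Parameters.DeviceIoControl.InputBufferLength < 8) {
            status = STATUS_INVALID_PARAMETER;
            goto done;
        }

        memmove(&idx, buff, 4);
        // RealCallee != 0 means a hook is already live; hooking again would
        // save Proxy's own address as the "original" and break the unhook.
        if (idx >= KeServiceDescriptorTable->ServiceLimit || RealCallee != 0) {
            status = STATUS_INVALID_PARAMETER;
            goto done;
        }

        // map the response buffer first: check() dereferences output as soon
        // as the hook is live. The 256 bytes must lie within one page and the
        // page must be resident (MmGetPhysicalAddress yields 0 otherwise).
        memmove(&a, &buff[4], 4);
        if ((a & (PAGE_SIZE - 1)) + 256 > PAGE_SIZE) {
            status = STATUS_INVALID_PARAMETER;
            goto done;
        }
        pa = MmGetPhysicalAddress((void *)a);
        if (pa.QuadPart == 0) {
            status = STATUS_INVALID_PARAMETER;
            goto done;
        }
        output = (char *)MmMapIoSpace(pa, 256, 0);
        if (!output) {
            status = STATUS_INSUFFICIENT_RESOURCES;
            goto done;
        }

        // hook service dispatch table (written through a physical alias so
        // the read-only table page can be modified)
        a = 4 * idx + (ULONG)KeServiceDescriptorTable->ServiceTable;
        base = (ULONG)MmMapIoSpace(MmGetPhysicalAddress((void *)a), 4, 0);
        if (!base) {
            MmUnmapIoSpace(output, 256);
            output = 0;
            status = STATUS_INSUFFICIENT_RESOURCES;
            goto done;
        }
        Index = idx;
        a = (ULONG)&Proxy;

        _asm {
            mov eax, base
            mov ebx, dword ptr[eax]
            mov RealCallee, ebx
            mov ebx, a
            mov dword ptr[eax], ebx
        }

        MmUnmapIoSpace((PVOID)base, 4);
    }

done:
    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}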



// nothing special
// Completes IRP_MJ_CREATE and IRP_MJ_CLOSE with STATUS_SUCCESS and no data.
NTSTATUS DrvCreateClose(IN PDEVICE_OBJECT device, IN PIRP Irp)
{
    PIO_STATUS_BLOCK iosb = &Irp->IoStatus;

    iosb->Status = STATUS_SUCCESS;
    iosb->Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}



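// nothing special -just a cleanup
// The SSDT entry is restored only if DrvDispatch actually hooked it
// (RealCallee stays 0 until then; writing it back unconditionally would
// store a NULL into slot 0), and the response buffer is unmapped only if it
// was mapped. Unhook happens before the unmap so no new check() call can
// touch a stale buffer.
// NOTE(review): a thread still inside Proxy/check (e.g. polling for the
// user's answer) is not accounted for; do not unload while a request is
// pending. If the table cannot be re-mapped the hook is left in place and
// the unload still proceeds, as an unload routine cannot fail.
void DrvUnload(IN PDRIVER_OBJECT driver)
{
    UNICODE_STRING devlink;
    ULONG a, base;

    //unhook dispatch table
    if (RealCallee != 0) {
        a = 4 * Index + (ULONG)KeServiceDescriptorTable->ServiceTable;
        base = (ULONG)MmMapIoSpace(MmGetPhysicalAddress((void *)a), 4, 0);
        if (base) {
            _asm {
                mov eax, base
                mov ebx, RealCallee
                mov dword ptr[eax], ebx
            }
            MmUnmapIoSpace((PVOID)base, 4);
            RealCallee = 0;
        }
    }

    if (output) {
        MmUnmapIoSpace(output, 256);
        output = 0;
    }

    RtlInitUnicodeString(&devlink, devicelink);
    IoDeleteSymbolicLink(&devlink);
    IoDeleteDevice(driver->DeviceObject);
}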


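//DriverEntry just creates our device - nothing special here
// Creates \Device\Protector and its \DosDevices\PROTECTOR link, wires up the
// dispatch routines and initialises the buffer event. Each creation is
// checked and undone on failure, and the failing NTSTATUS is returned
// instead of an unconditional 0. The hook itself is installed later by the
// IOCTL in DrvDispatch.
// NOTE(review): IoCreateDevice gives the object default security, so any
// user able to open the link can select an SSDT slot to patch;
// IoCreateDeviceSecure with an administrators-only SDDL string would
// restrict that.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT driver, IN PUNICODE_STRING path)
{
    PDEVICE_OBJECT devobject = 0;
    UNICODE_STRING devlink, devname;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(path);

    // the event is the lock check() takes around the shared buffer; it has
    // to exist before any dispatch routine can run (initially signalled)
    KeInitializeEvent(&event, SynchronizationEvent, 1);

    RtlInitUnicodeString(&devname, devicename);
    RtlInitUnicodeString(&devlink, devicelink);

    status = IoCreateDevice(driver, 256, &devname, FILE_DEVICE_UNKNOWN, 0, TRUE, &devobject);
    if (!NT_SUCCESS(status)) return status;

    status = IoCreateSymbolicLink(&devlink, &devname);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(devobject);
        return status;
    }

    driver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DrvDispatch;
    driver->MajorFunction[IRP_MJ_CREATE] = DrvCreateClose;
    driver->MajorFunction[IRP_MJ_CLOSE] = DrvCreateClose;
    driver->DriverUnload = DrvUnload;

    return STATUS_SUCCESS;
}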
实现得比较简单。就是遇到这个问题,不知道怎么解决,大家讨论下。



30042912 发表于 2008-7-24 17:22

呵呵,kanxue上有人发过了。参考的也是codeproject上的这篇文章。 MS都会弹出个提示框的。
有人说 HOOK MessageBox,你试试是否可行。


VBS 发表于 2008-7-24 17:22

Hook ZwCreateProcessEx 就够了

不会有此问题。。。


枫枫 发表于 2008-7-24 17:22

Hook ZwCreateProcessEx 就够了!!!

所有程序都必须调用这个才能创建吗?


知了 发表于 2008-7-24 17:22

包括在 cmd 里面创建的进程都能监视吗?


M煲 发表于 2008-7-24 17:22

可以.


小斌斌 发表于 2008-7-24 17:22

ZwCreateProcessEx 函数属于系统底层 API 函数,几乎所有创建文件操作都调用到它,重要的就是 HOOK 它的算法,如果不慎会降低系统性能,减慢系统速度的...
还是练习一个HOOK MessAgeBox的挂勾吧.


剑花江南 发表于 2008-7-24 17:22

可 以不呀


