2022驱动学习-03解密过驱动保护原理
运行环境:WIN10
涉及工具:
windbg,vs2019,VMware Workstation Pro
教程类型:
驱动学习笔记
视频是否带有论坛水印:
是
是否讲解思路和原理:
是
百度云盘
提取码:496u
1.启动运行环境
2.启动vs编写代码
3.调试打印结果
4.具体代码
#include <Ntddk.h>
// Undocumented kernel export (no WDK header declares it), hence the local prototype.
// NOTE(review): it hands back the short image name kept in EPROCESS, not a full path;
// that field is commonly 15 bytes plus NUL, so long names arrive truncated — confirm
// on the target build before comparing against it.
UCHAR* PsGetProcessImageFileName(__in PEPROCESS Process);
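/*
 * Process-creation / process-exit notification callback, registered with
 * PsSetCreateProcessNotifyRoutineEx in DriverEntry and removed in Unload.
 *
 * Process    - EPROCESS of the process being created or exiting.
 * ProcessId  - its PID, delivered as a HANDLE (pointer-sized).
 * CreateInfo - non-NULL for a creation event; the allow/deny decision is
 *              written to CreateInfo->CreationStatus. NULL for an exit event.
 *
 * Policy: a process whose short image name contains "calc" is denied
 * creation with STATUS_UNSUCCESSFUL; every other event is only logged.
 */
VOID CreateProcessNotifyEx(
    _Inout_ PEPROCESS Process,
    _In_ HANDLE ProcessId,
    _In_opt_ PPS_CREATE_NOTIFY_INFO CreateInfo
)
{
    // Short image name from EPROCESS (undocumented export declared above);
    // the full NT path is available separately in CreateInfo->ImageFileName.
    UCHAR* ImageFileName = PsGetProcessImageFileName(Process);
    // HANDLE is pointer-sized: narrow the PID explicitly rather than passing a
    // pointer to "%d", which is a format/argument mismatch on x64.
    ULONG Pid = (ULONG)(ULONG_PTR)ProcessId;

    // Prints the pointer only; the name itself appears on the lines below.
    DbgPrint("ImageFileName:%p\n", ImageFileName);

    if (ImageFileName == NULL) {
        // Defensive: never feed NULL to strstr() or "%s".
        return;
    }

    if (CreateInfo != NULL) {
        // Substring match: this also catches any other image whose short name
        // contains "calc". The name is chosen by whoever launches the process,
        // so treat this as a demonstration policy, not a security boundary.
        if (strstr((const char*)ImageFileName, "calc") != NULL) {
            DbgPrint("%s pid:%u path:%wZ Create\n", ImageFileName, Pid, CreateInfo->ImageFileName);
            // Vetoes the creation: the creation operation returns this status.
            CreateInfo->CreationStatus = STATUS_UNSUCCESSFUL;
        }
    }
    else {
        DbgPrint("Exit %s pid:%u %p\n", ImageFileName, Pid, Process);
    }
}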
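/*
 * DriverUnload routine: deregister the process-notify callback so the kernel
 * never calls into this image after it has been unloaded.
 *
 * DriverObject - unused; present because the DriverUnload contract requires it.
 */
VOID Unload(
    _In_ struct _DRIVER_OBJECT* DriverObject) {
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Unload!");
    // Remove = TRUE unregisters the routine installed in DriverEntry. The call
    // returns NTSTATUS; keep it so a failed removal is at least visible in the
    // log (an unload cannot be vetoed from this routine).
    NTSTATUS Status = PsSetCreateProcessNotifyRoutineEx(&CreateProcessNotifyEx, TRUE);
    DbgPrint("Unregister Status:%d\n", Status);
}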
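/*
 * Driver entry point: installs CreateProcessNotifyEx as a process-notify
 * callback and publishes Unload as the DriverUnload routine.
 *
 * DriverObject - the driver object; its DriverUnload field is set here.
 * RegistryPath - unused.
 *
 * Returns STATUS_SUCCESS, or the failure status of
 * PsSetCreateProcessNotifyRoutineEx (commonly STATUS_ACCESS_DENIED when the
 * image is not linked with /INTEGRITYCHECK). Returning the failure, instead
 * of STATUS_SUCCESS unconditionally, stops the driver from staying loaded
 * with no callback installed.
 */
NTSTATUS DriverEntry(
    _In_ struct _DRIVER_OBJECT* DriverObject,
    _In_ PUNICODE_STRING RegistryPath
)
{
    // Tell the compiler this parameter is intentionally unused.
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("DriverEntry! DriverObject:%p\n", DriverObject);

    // Install the callback (Remove = FALSE).
    NTSTATUS Status = PsSetCreateProcessNotifyRoutineEx(&CreateProcessNotifyEx, FALSE);
    DbgPrint("Status:%d CreateProcessNotifyEx:%p\n", Status, &CreateProcessNotifyEx);
    if (!NT_SUCCESS(Status)) {
        // Nothing was registered, so there is nothing to undo; failing
        // DriverEntry makes the I/O manager discard the image (DriverUnload
        // is not invoked on a failed DriverEntry).
        return Status;
    }

    // Register the unload routine so the callback is removed on unload.
    DriverObject->DriverUnload = Unload;
    return STATUS_SUCCESS;
}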