ObRegisterCallbacks文件保护

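/*
 * Header.h — shared declarations for the ObRegisterCallbacks file-protection sample.
 *
 * The three structures below are hand-written copies of UNDOCUMENTED kernel
 * layouts. They appear to target one 64-bit build (LIST_ENTRY64 links, 8-byte
 * padding members); on any other build the offsets may be wrong, and the writes
 * the driver makes through them would land in unrelated kernel memory.
 */
#pragma once

#include <ntifs.h>
#include <devioctl.h>
#include <Ntstrsafe.h>

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath);
VOID UnloadDriver(PDRIVER_OBJECT DriverObject);

/*
 * Loader data table entry as this sample assumes it is laid out.
 * DriverEntry casts DriverObject->DriverSection to this type and ORs a bit into Flags.
 */
typedef struct _LDR_DATA_TABLE_ENTRY64 {
    LIST_ENTRY64   InLoadOrderLinks;
    LIST_ENTRY64   InMemoryOrderLinks;
    LIST_ENTRY64   InInitializationOrderLinks;
    PVOID          DllBase;
    PVOID          EntryPoint;
    ULONG          SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG          Flags;
    USHORT         LoadCount;
    USHORT         TlsIndex;
    PVOID          SectionPointer;
    ULONG          CheckSum;
    PVOID          LoadedImports;
    PVOID          EntryPointActivationContext;
    PVOID          PatchInformation;
    LIST_ENTRY64   ForwarderLinks;
    LIST_ENTRY64   ServiceTagLinks;
    LIST_ENTRY64   StaticLinks;
    PVOID          ContextInformation;
    ULONG64        OriginalBase;
    LARGE_INTEGER  LoadTime;
} LDR_DATA_TABLE_ENTRY64, *PLDR_DATA_TABLE_ENTRY64;

/*
 * Per-type initializer block embedded in OBJECT_TYPE (undocumented layout).
 * Only SupportsObjectCallbacks is touched by this driver; ObRegisterCallbacks
 * rejects object types that do not have it set.
 */
typedef struct _OBJECT_TYPE_INITIALIZER {
    UINT16 Length;
    union {
        UINT8 ObjectTypeFlags;
        struct {
            UINT8 CaseInsensitive : 1;
            UINT8 UnnamedObjectsOnly : 1;
            UINT8 UseDefaultObject : 1;
            UINT8 SecurityRequired : 1;
            UINT8 MaintainHandleCount : 1;
            UINT8 MaintainTypeList : 1;
            UINT8 SupportsObjectCallbacks : 1;   /* set by EnableObType() */
        };
    };
    ULONG32 ObjectTypeCode;
    ULONG32 InvalidAttributes;
    struct _GENERIC_MAPPING GenericMapping;
    ULONG32 ValidAccessMask;
    ULONG32 RetainAccess;
    enum _POOL_TYPE PoolType;
    ULONG32 DefaultPagedPoolCharge;
    ULONG32 DefaultNonPagedPoolCharge;
    PVOID DumpProcedure;
    PVOID OpenProcedure;
    PVOID CloseProcedure;
    PVOID DeleteProcedure;
    PVOID ParseProcedure;
    PVOID SecurityProcedure;
    PVOID QueryNameProcedure;
    PVOID OkayToCloseProcedure;
} OBJECT_TYPE_INITIALIZER, *POBJECT_TYPE_INITIALIZER;

/*
 * Private view of OBJECT_TYPE (the real definition is opaque). EnableObType()
 * casts a POBJECT_TYPE to this and writes TypeInfo.SupportsObjectCallbacks.
 * The _PADDING*_ members exist only to reproduce the assumed offsets.
 */
typedef struct _OBJECT_TYPE_TEMP {
    struct _LIST_ENTRY TypeList;
    struct _UNICODE_STRING Name;
    VOID *DefaultObject;
    UINT8 Index;
    UINT8 _PADDING0_[0x3];
    ULONG32 TotalNumberOfObjects;
    ULONG32 TotalNumberOfHandles;
    ULONG32 HighWaterNumberOfObjects;
    ULONG32 HighWaterNumberOfHandles;
    UINT8 _PADDING1_[0x4];
    struct _OBJECT_TYPE_INITIALIZER TypeInfo;
    ULONG64 TypeLock;
    ULONG32 Key;
    UINT8 _PADDING2_[0x4];
    struct _LIST_ENTRY CallbackList;
} OBJECT_TYPE_TEMP, *POBJECT_TYPE_TEMP;

/* Forces SupportsObjectCallbacks on ObjectType through the layout above. */
VOID EnableObType(POBJECT_TYPE ObjectType);

/*
 * Resolves a PFILE_OBJECT to its DOS path. The returned Buffer is a pool
 * allocation the caller must free; an empty string means "unresolved".
 */
UNICODE_STRING GetFilePathByFileObject(PVOID FileObject);

/* Pre-operation callback for handle create/duplicate on IoFileObjectType. */
OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext,
                                     POB_PRE_OPERATION_INFORMATION OperationInformation);

/* Registers the callback; returns the NTSTATUS from ObRegisterCallbacks. */
NTSTATUS ProtectFileByObRegisterCallbacks(void);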
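/*
 * Driver implementation: denies write/delete handle access to one fixed file
 * (gStrProFile) via an ObRegisterCallbacks pre-operation callback on
 * IoFileObjectType.
 *
 * Limitation worth knowing before relying on this: the callback only edits the
 * access rights of the handle being created or duplicated. It does not see
 * I/O that never goes through a new handle, and a create that already
 * succeeded with FILE_DELETE_ON_CLOSE is likely not undone by stripping rights
 * here — a file system minifilter is the supported place for that.
 */
#include "Header.h"

/* Registration handle from ObRegisterCallbacks; NULL until registration succeeds. */
PVOID CallBackHandle = NULL;

/* DOS path of the protected file; compared case-insensitively in PreCallBack. */
UNICODE_STRING gStrProFile;

/* Pool tag for path copies returned by GetFilePathByFileObject() (sample value). */
#define FILE_PATH_POOL_TAG 'htaP'

/*
 * Driver entry point. Installs the unload routine, initializes the protected
 * path and registers the object callback. Returns the registration status so
 * that a driver whose protection failed to install does not load silently.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
    PLDR_DATA_TABLE_ENTRY64 ldr;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegisterPath);

    DriverObject->DriverUnload = UnloadDriver;

    /*
     * NOTE(review): ORs an undocumented bit into the driver's loader-entry
     * Flags through the hand-copied layout in Header.h. The supported way to
     * meet ObRegisterCallbacks' requirements is to link the driver with
     * /INTEGRITYCHECK; this write is build-dependent and kept only because
     * the sample relies on it.
     */
    ldr = (PLDR_DATA_TABLE_ENTRY64)DriverObject->DriverSection;
    ldr->Flags |= 0x20;

    RtlInitUnicodeString(&gStrProFile, L"c:\\helloworld.exe");

    status = ProtectFileByObRegisterCallbacks();
    if (!NT_SUCCESS(status)) {
        KdPrint(("ObRegisterCallbacks failed: 0x%08X\n", status));
    }
    return status;
}

/*
 * Registers PreCallBack for handle create and duplicate operations on file
 * objects. Returns the NTSTATUS from ObRegisterCallbacks unchanged (the
 * original collapsed every failure to STATUS_UNSUCCESSFUL, hiding the cause).
 */
NTSTATUS ProtectFileByObRegisterCallbacks(void)
{
    OB_CALLBACK_REGISTRATION  callbackReg;
    OB_OPERATION_REGISTRATION operationReg;

    /*
     * IoFileObjectType does not advertise SupportsObjectCallbacks, so the
     * registration below would otherwise fail; this flips the bit through an
     * undocumented layout (see Header.h).
     */
    EnableObType(*IoFileObjectType);

    RtlZeroMemory(&operationReg, sizeof(operationReg));
    operationReg.ObjectType   = IoFileObjectType;
    operationReg.Operations   = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    operationReg.PreOperation = PreCallBack;   /* signature already matches POB_PRE_OPERATION_CALLBACK */

    RtlZeroMemory(&callbackReg, sizeof(callbackReg));
    callbackReg.Version                    = ObGetFilterVersion();
    callbackReg.OperationRegistrationCount = 1;
    callbackReg.RegistrationContext        = NULL;
    callbackReg.OperationRegistration      = &operationReg;
    /* Sample altitude; it must be unique among registered Ob callbacks. */
    RtlInitUnicodeString(&callbackReg.Altitude, L"321000");

    return ObRegisterCallbacks(&callbackReg, &CallBackHandle);
}

/*
 * Pre-operation callback. For user-mode opens/duplicates of the protected
 * file that carry write or delete access, clears DesiredAccess so the
 * resulting handle grants nothing. Always returns OB_PREOP_SUCCESS (the only
 * value the object manager accepts from a pre-op callback).
 */
OB_PREOP_CALLBACK_STATUS PreCallBack(PVOID RegistrationContext,
                                     POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    PFILE_OBJECT fileObject;
    UNICODE_STRING filePath;

    UNREFERENCED_PARAMETER(RegistrationContext);

    if (OperationInformation->ObjectType != *IoFileObjectType) {
        return OB_PREOP_SUCCESS;
    }

    /*
     * Kernel-mode handles are the system's own opens (file systems, image
     * loading, ...); revoking their access is not what this driver is for and
     * can break components unrelated to the protected file.
     */
    if (OperationInformation->KernelHandle) {
        return OB_PREOP_SUCCESS;
    }

    fileObject = (PFILE_OBJECT)OperationInformation->Object;

    /*
     * Unnamed file objects cannot be resolved to a path. NOTE(review):
     * MmIsAddressValid is documented as unreliable and is not a substitute
     * for holding a reference; the NULL checks are the meaningful part and
     * the probes are kept only because the sample had them.
     */
    if (fileObject->FileName.Buffer == NULL || !MmIsAddressValid(fileObject->FileName.Buffer) ||
        fileObject->DeviceObject == NULL || !MmIsAddressValid(fileObject->DeviceObject)) {
        return OB_PREOP_SUCCESS;
    }

    /* Cheap test first: only opens holding write or delete access are filtered. */
    if (!fileObject->DeleteAccess && !fileObject->WriteAccess) {
        return OB_PREOP_SUCCESS;
    }

    filePath = GetFilePathByFileObject(fileObject);
    if (filePath.Buffer == NULL || filePath.Length == 0) {
        return OB_PREOP_SUCCESS;
    }

    KdPrint(("%wZ\n", &filePath));

    if (RtlEqualUnicodeString(&filePath, &gStrProFile, TRUE)) {
        if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE) {
            OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
        } else if (OperationInformation->Operation == OB_OPERATION_HANDLE_DUPLICATE) {
            OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess = 0;
        }
    }

    /* Buffer was allocated for us by GetFilePathByFileObject(). */
    ExFreePoolWithTag(filePath.Buffer, FILE_PATH_POOL_TAG);
    return OB_PREOP_SUCCESS;
}

/*
 * Resolve a file object to its DOS device path.
 *
 * Returns a UNICODE_STRING whose Buffer is a fresh paged-pool allocation
 * (tag FILE_PATH_POOL_TAG) that the caller releases with ExFreePoolWithTag,
 * or an empty string (Buffer == NULL, Length == 0) when the name cannot be
 * resolved or the copy cannot be allocated. The OBJECT_NAME_INFORMATION block
 * from IoQueryFileDosDeviceName is freed here; the original returned a view
 * into it and leaked it on every call, and fell off the end without a return
 * value on failure. Requires PASSIVE_LEVEL (IoQueryFileDosDeviceName).
 */
UNICODE_STRING GetFilePathByFileObject(PVOID FileObject)
{
    UNICODE_STRING result;
    POBJECT_NAME_INFORMATION nameInfo = NULL;

    RtlInitUnicodeString(&result, NULL);   /* Length 0, Buffer NULL on every failure path */

    if (!NT_SUCCESS(IoQueryFileDosDeviceName((PFILE_OBJECT)FileObject, &nameInfo))) {
        return result;
    }

    if (nameInfo->Name.Length != 0) {
        result.MaximumLength = nameInfo->Name.Length;
        result.Buffer = (PWCH)ExAllocatePoolWithTag(PagedPool, result.MaximumLength, FILE_PATH_POOL_TAG);
        if (result.Buffer != NULL) {
            RtlCopyUnicodeString(&result, &nameInfo->Name);
        } else {
            result.MaximumLength = 0;
        }
    }

    ExFreePool(nameInfo);
    return result;
}

/*
 * Set SupportsObjectCallbacks on an object type so ObRegisterCallbacks
 * accepts it. NOTE(review): this stores through the hand-copied OBJECT_TYPE
 * layout in Header.h, which is undocumented and build-specific; on a build
 * with a different layout the store hits some other field of the type object.
 */
VOID EnableObType(POBJECT_TYPE ObjectType)
{
    POBJECT_TYPE_TEMP typeView = (POBJECT_TYPE_TEMP)ObjectType;

    typeView->TypeInfo.SupportsObjectCallbacks = 1;
}

/*
 * Unload routine: removes the callback registration if it was installed.
 * CallBackHandle is cleared afterwards so a stale value is never reused.
 */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    if (CallBackHandle != NULL) {
        ObUnRegisterCallbacks(CallBackHandle);
        CallBackHandle = NULL;
    }
    DbgPrint("UnloadDriver\r\n");
}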


