Detecting and blocking Read/WriteProcessMemory calls from a driver

Hi, I'm relatively new to kernel programming (though I have a lot of C++ development experience), and I have a goal I want to achieve:

Detect and conditionally block attempts by userland programs to write to or read from specific memory addresses located in my own userland process. This has to be done by a driver.

I have set up a development environment (a VM running the latest Windows 10 + VirtualKD + WinDbg) and have successfully deployed a small KMDF test driver through the Visual Studio integration (over LAN).

So my question now is: how do I detect/intercept Read/WriteProcessMemory calls on my ring3 application? Just stripping handles isn't enough here.

It would be great if someone could point me in the right direction by linking a (non-outdated) example or telling me how to do this.

Update: I've read a lot about filter drivers and hooking Windows APIs from kernel mode, but I really don't want to mess with PatchGuard, and I don't know how to filter RPM calls coming from userland. Protecting my program from drivers isn't important, only from ring3 applications.

Thanks :)

The code here should do the job.

#include <ntddk.h>

// PIDs filled in by the driver (for example via an IOCTL from a user-mode
// helper) before the callback is registered with ObRegisterCallbacks.
HANDLE ProtectedProcess = NULL; // PID of the process to protect
HANDLE Lsass = NULL;            // PID of lsass.exe
HANDLE Csrss1 = NULL;           // PID of the first csrss.exe
HANDLE Csrss2 = NULL;           // PID of the second csrss.exe (one per session)

// TRUE if Pid resolves to Process. PsLookupProcessByProcessId takes a
// reference on success, which must be dropped or the EPROCESS leaks.
static BOOLEAN PidIsProcess(HANDLE Pid, PEPROCESS Process)
{
    PEPROCESS Found = NULL;
    BOOLEAN Match;
    if (Pid == NULL || !NT_SUCCESS(PsLookupProcessByProcessId(Pid, &Found)))
        return FALSE;
    Match = (Found == Process);
    ObDereferenceObject(Found);
    return Match;
}

OB_PREOP_CALLBACK_STATUS PreCallback(PVOID RegistrationContext,
                                     POB_PRE_OPERATION_INFORMATION OperationInformation)
{
    PEPROCESS OpenedProcess = (PEPROCESS)OperationInformation->Object; // target of the handle
    PEPROCESS CurrentProcess = PsGetCurrentProcess();                  // process requesting it
    UNREFERENCED_PARAMETER(RegistrationContext);

    // Only handles whose target is the protected process are of interest
    if (!PidIsProcess(ProtectedProcess, OpenedProcess))
        return OB_PREOP_SUCCESS;
    if (OperationInformation->KernelHandle) // allow drivers to get a handle
        return OB_PREOP_SUCCESS;
    if (CurrentProcess == OpenedProcess) // the game may open a handle to itself
        return OB_PREOP_SUCCESS;
    // Never strip csrss's or lsass's handles: denying them will BSOD
    if (PidIsProcess(Csrss1, CurrentProcess) || PidIsProcess(Csrss2, CurrentProcess) ||
        PidIsProcess(Lsass, CurrentProcess))
        return OB_PREOP_SUCCESS;

    // Strip the handle down to SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION;
    // without PROCESS_VM_READ / PROCESS_VM_WRITE, Read/WriteProcessMemory fail
    if (OperationInformation->Operation == OB_OPERATION_HANDLE_CREATE)
        OperationInformation->Parameters->CreateHandleInformation.DesiredAccess =
            (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);
    else // OB_OPERATION_HANDLE_DUPLICATE
        OperationInformation->Parameters->DuplicateHandleInformation.DesiredAccess =
            (SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION);

    return OB_PREOP_SUCCESS;
}

Once registered with ObRegisterCallbacks, this code detects when a new handle to the protected process is created and, if the handle is not from Lsass, Csrss or the process itself, strips it. This is to prevent critical processes from blue-screening when they are denied a handle to your application.
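The decision the callback above makes can be unit-tested on any machine before the driver goes into the VM, since it only depends on the requester PID, the target PID, the KernelHandle flag and the requested access mask. The following is an added example, not code from the answer above: it models that policy as a pure function with the process access-right values from winnt.h defined locally, and instead of replacing DesiredAccess wholesale it subtracts only the rights that allow reading, writing or controlling the protected process, so a caller that asked for nothing dangerous keeps exactly what it requested. The PIDs (4242, 600, 612, 700, 9999) and the names FilterDesiredAccess, SampleDecide and SampleStripped are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process access rights, with the values defined in winnt.h. */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_SET_INFORMATION           0x0200u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS (0x000F0000u /* STANDARD_RIGHTS_REQUIRED */ | SYNCHRONIZE | 0xFFFFu)

/* Rights through which a foreign handle can read, write or take control of the
 * protected address space; query rights and SYNCHRONIZE stay so benign tools work. */
#define PROCESS_DANGEROUS_RIGHTS \
    (PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD | \
     PROCESS_DUP_HANDLE | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME | PROCESS_TERMINATE)

/* The fields of OB_PRE_OPERATION_INFORMATION the decision depends on. */
typedef struct {
    uint32_t    requester_pid; /* PsGetCurrentProcessId() inside the callback */
    uint32_t    target_pid;    /* PsGetProcessId((PEPROCESS)OperationInformation->Object) */
    bool        kernel_handle; /* OperationInformation->KernelHandle */
    ACCESS_MASK desired;       /* DesiredAccess of the Create/Duplicate parameters */
} HandleRequest;

typedef struct {
    uint32_t        protected_pid;
    const uint32_t *trusted_pids;  /* csrss/lsass instances that must keep full access */
    size_t          trusted_count;
} Policy;

static bool IsTrusted(const Policy *p, uint32_t pid)
{
    for (size_t i = 0; i < p->trusted_count; i++)
        if (p->trusted_pids[i] == pid)
            return true;
    return false;
}

/* Returns the DesiredAccess the callback should write back. *stripped (may be NULL)
 * is set only when rights were actually removed, i.e. when a foreign process asked
 * for memory access; that is the event worth logging, because the callback never
 * sees the individual Read/WriteProcessMemory calls made later on the handle. */
ACCESS_MASK FilterDesiredAccess(const Policy *p, const HandleRequest *r, bool *stripped)
{
    ACCESS_MASK granted = r->desired;

    if (r->target_pid == p->protected_pid       /* handle is to our process ...      */
        && !r->kernel_handle                    /* ... not requested by a driver ... */
        && r->requester_pid != p->protected_pid /* ... not the process itself ...    */
        && !IsTrusted(p, r->requester_pid))     /* ... and not csrss/lsass           */
        granted &= ~PROCESS_DANGEROUS_RIGHTS;

    if (stripped)
        *stripped = (granted != r->desired);
    return granted;
}

/* ReadProcessMemory needs PROCESS_VM_READ; WriteProcessMemory needs both
 * PROCESS_VM_WRITE and PROCESS_VM_OPERATION on the handle. */
bool CanReadMemory(ACCESS_MASK granted) { return (granted & PROCESS_VM_READ) != 0; }
bool CanWriteMemory(ACCESS_MASK granted)
{
    const ACCESS_MASK needed = PROCESS_VM_WRITE | PROCESS_VM_OPERATION;
    return (granted & needed) == needed;
}

/* Constructed sample configuration: 4242 is the protected process, 600 and 612
 * stand in for the two csrss instances and 700 for lsass. */
static const uint32_t SampleTrusted[] = { 600, 612, 700 };
static const Policy SamplePolicy = { 4242, SampleTrusted, 3 };

ACCESS_MASK SampleDecide(uint32_t requester, uint32_t target, bool kernel, ACCESS_MASK desired)
{
    HandleRequest r = { requester, target, kernel, desired };
    return FilterDesiredAccess(&SamplePolicy, &r, NULL);
}

bool SampleStripped(uint32_t requester, uint32_t target, bool kernel, ACCESS_MASK desired)
{
    HandleRequest r = { requester, target, kernel, desired };
    bool stripped = false;
    FilterDesiredAccess(&SamplePolicy, &r, &stripped);
    return stripped;
}

int main(void)
{
    /* An untrusted PID 9999 opening the protected process with PROCESS_ALL_ACCESS. */
    ACCESS_MASK granted = SampleDecide(9999, 4242, false, PROCESS_ALL_ACCESS);
    printf("asked 0x%x, granted 0x%x, stripped=%d, RPM=%d, WPM=%d\n",
           (unsigned)PROCESS_ALL_ACCESS, (unsigned)granted,
           SampleStripped(9999, 4242, false, PROCESS_ALL_ACCESS),
           CanReadMemory(granted), CanWriteMemory(granted));
    return 0;
}
```

In the driver itself the callback is registered with ObRegisterCallbacks using an OB_CALLBACK_REGISTRATION (Version = OB_FLT_REGISTRATION_VERSION, an Altitude string, and one OB_OPERATION_REGISTRATION with ObjectType = PsProcessType, Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE and PreOperation pointing at the callback), unregistered with ObUnRegisterCallbacks in the unload routine, and the driver image must be linked with /INTEGRITYCHECK or the registration fails with STATUS_ACCESS_DENIED. Two caveats matter for the question as asked: ObRegisterCallbacks fires only when a handle is created or duplicated, not on each NtReadVirtualMemory/NtWriteVirtualMemory call, so "detecting RPM" from a supported ring-0 position means logging the stripped handle request and letting the later read fail with ERROR_ACCESS_DENIED; and handles opened before the driver loaded are not revisited, so the protected process should be started after the callback is in place.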

Latest update