Publish

Publish

.gitattributes

@@ -0,0 +1,22 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs     diff=csharp
+*.sln    merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
+
+# Standard to msysgit
+*.doc	 diff=astextplain
+*.DOC	 diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot  diff=astextplain
+*.DOT  diff=astextplain
+*.pdf  diff=astextplain
+*.PDF	 diff=astextplain
+*.rtf	 diff=astextplain
+*.RTF	 diff=astextplain

.gitignore

@@ -0,0 +1,215 @@
+#################
+## Eclipse
+#################
+
+*.pydevproject
+.project
+.metadata
+bin/
+tmp/
+*.tmp
+*.bak
+*.swp
+*~.nib
+local.properties
+.classpath
+.settings/
+.loadpath
+
+# External tool builders
+.externalToolBuilders/
+
+# Locally stored "Eclipse launch configurations"
+*.launch
+
+# CDT-specific
+.cproject
+
+# PDT-specific
+.buildpath
+
+
+#################
+## Visual Studio
+#################
+
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+#############
+## Windows detritus
+#############
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store
+
+
+#############
+## Python
+#############
+
+*.py[co]
+
+# Packages
+*.egg
+*.egg-info
+dist/
+build/
+eggs/
+parts/
+var/
+sdist/
+develop-eggs/
+.installed.cfg
+
+# Installer logs
+pip-log.txt
+
+# Unit test / coverage reports
+.coverage
+.tox
+
+#Translations
+*.mo
+
+#Mr Developer
+.mr.developer.cfg

Process Protect/Source Code/DriverMain.c

@@ -0,0 +1,33 @@
+#include "drvdef.h"
+#include "nthook.h"
+
+//init code seg. Deleted after using.
+#pragma INITCODE
+
+//Driver Entry-like main
+NTSTATUS DriverEntry(PDRIVER_OBJECT pDrv,PUNICODE_STRING pCode)
+{
+	NTSTATUS status;
+	//Unload function
+	pDrv->DriverUnload=Driver_Unload;
+	//Create Device
+	status=CreateDevice(pDrv);
+	//Dispatch functions - for communication
+	pDrv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchRoutine_Device_Control;
+	pDrv->MajorFunction[IRP_MJ_CLOSE] = DispatchRoutine_Close;
+	pDrv->MajorFunction[IRP_MJ_WRITE] = DispatchRoutine_Write;
+	pDrv->MajorFunction[IRP_MJ_READ] = DispatchRoutine_Read;
+	pDrv->MajorFunction[IRP_MJ_CREATE] = DispatchRoutine_Create;
+	//print 
+	DbgPrint("Driver Successfully Loaded\n");
+	//store initial address of NtTerminateProcess
+	InitialNtTerminateProcessAddress = (PNtTerminateProcess)GetNtCurrentAddress(NtTerminateProcessIndex);
+	//Hook NtTerminateProcess 
+	status = Nt_SSDT_Hook(NtTerminateProcessIndex,(ULONG)HookedNtTerminateProcess);
+	//Hook NtTerminateProcess 
+	InitialNtOpenProcessAddress = (PNtOpenProcess)GetNtCurrentAddress(NtOpenProcessIndex);
+	//Hook NtTerminateProcess 
+	status = Nt_SSDT_Hook(NtOpenProcessIndex,(ULONG)HookedNtOpenProcess);
+	//return 
+	return status;
+}

Process Protect/Source Code/controlcode.h

@@ -0,0 +1,14 @@
+#ifndef _controlcode_H_
+#define _controlcode_H_
+
+#define NtGetPhysicalAddressCode CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+#define NtProcessProtectCode CTL_CODE(FILE_DEVICE_UNKNOWN,0x802,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+#define NtOpenProcessIndex 0x7A
+
+#define NtTerminateProcessIndex 0x101
+
+#define NtQuerySystemInformationIndex 0xAD
+
+#endif

Process Protect/Source Code/drvdef.h

@@ -0,0 +1,83 @@
+
+#ifndef _drvdef_H_
+#define _drvdef_H_
+#include <ntddk.h>
+
+#include <windef.h>
+
+#define INITCODE code_seg("INIT") 
+
+#define PAGECODE code_seg("PAGE")
+
+//For controlcodes
+#include "controlcode.h"
+
+
+//function declaration
+typedef NTSTATUS (* PNtTerminateProcess)(
+	IN HANDLE               ProcessHandle OPTIONAL,
+	IN NTSTATUS             ExitStatus);
+PNtTerminateProcess InitialNtTerminateProcessAddress;
+
+typedef NTSTATUS (* PNtOpenProcess) (
+	__out PHANDLE ProcessHandle,
+	__in ACCESS_MASK DesiredAccess,
+	__in POBJECT_ATTRIBUTES ObjectAttributes,
+	__in_opt PCLIENT_ID ClientId
+	);
+
+PNtOpenProcess InitialNtOpenProcessAddress;
+
+void Driver_Unload(PDRIVER_OBJECT pDrv);
+
+NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject);
+
+NTSTATUS HookedNtTerminateProcess(
+	IN HANDLE               ProcessHandle OPTIONAL,
+	IN NTSTATUS             ExitStatus);
+
+NTSTATUS HookedNtOpenProcess(
+	__out PHANDLE ProcessHandle,
+	__in ACCESS_MASK DesiredAccess,
+	__in POBJECT_ATTRIBUTES ObjectAttributes,
+	__in_opt PCLIENT_ID ClientId
+	);
+
+void GetNtGDT();
+
+NTSTATUS DispatchRoutine_Close(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Create(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Read(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Device_Control(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+NTSTATUS DispatchRoutine_Write(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp);
+
+void SSDT_UNHOOK_ALL();
+
+//KeServiceDescriptorTable
+typedef struct _ServiceDescriptorTable {
+	PVOID ServiceTableBase; 
+	PVOID ServiceCounterTable;
+	unsigned int NumberOfServices;
+	PVOID ParamTableBase;
+} *PServiceDescriptorTable;
+
+extern PServiceDescriptorTable KeServiceDescriptorTable;
+
+typedef struct _Hook_Entry {
+	ULONG NtIndex;
+	ULONG InitialAddress;
+	ULONG HookedAddress;
+} HookEntry, *PHookEntry;
+
+int SSDT_HOOK_NUMBER = 0;
+
+int Protect_PID_Number = 0;
+
+HookEntry Global_Hook_Entry[255];
+
+DWORD Global_Protect_PID_Table[255];
+#endif

Process Protect/Source Code/nthook.h

@@ -0,0 +1,353 @@
+#ifndef _nthook_H_
+#define _nthook_H_
+#include "drvdef.h"
+
+#include "controlcode.h"
+
+//Function Declaration
+ULONG GetNtInitialAddress(UNICODE_STRING FuncName);
+
+ULONG GetNtCurrentAddress(ULONG NtIndex);
+
+BOOL IsProcessProtected(DWORD PID);
+
+NTSTATUS Nt_SSDT_Hook(ULONG NtIndex,ULONG HookedAddress);
+
+NTSTATUS Nt_SSDT_UnHook(ULONG NtIndex,ULONG InitialAddress);
+
+void ClosePageProtection();
+
+void OpenPageProtection();
+
+void Write_SSDT_Hook_Table(HookEntry* Hook_Entry,ULONG NtIndex,ULONG InitialAddress,ULONG HookedAddress);
+
+//PAGE
+#pragma PAGECODE
+
+//Used for getting the address of Nt functions
+ULONG GetNtInitialAddress(UNICODE_STRING FuncName)
+{
+	return (ULONG)MmGetSystemRoutineAddress(&FuncName);
+}
+
+#pragma PAGECODE
+
+ULONG GetNtCurrentAddress(ULONG NtIndex)
+{
+	ULONG RTN;
+	ULONG _index = NtIndex * 4;
+
+	__asm
+	{
+		push ecx
+		
+			mov ecx,KeServiceDescriptorTable
+			//get the first term
+			mov ecx,[ecx]
+		//nth term = base+4n
+		add ecx,_index
+
+			mov ecx,[ecx]
+
+		mov RTN,ecx
+			pop ecx
+	}
+	return RTN;
+}
+
+#pragma PAGECODE
+//the function to hook ssdt table
+NTSTATUS Nt_SSDT_Hook(ULONG NtIndex,ULONG HookedAddress)
+{
+	ULONG _InitialAddress,_HookedAddress;
+	ULONG _index = NtIndex * 4;
+	_InitialAddress = GetNtCurrentAddress(NtIndex);
+	_HookedAddress = HookedAddress;
+	//close page protection to write the SSDT
+	ClosePageProtection();
+		__asm{
+			push ecx
+				push edx
+				mov ecx,KeServiceDescriptorTable
+				mov ecx,[ecx]
+			add ecx,_index
+				mov edx,_HookedAddress
+				mov [ecx],edx
+				pop edx
+				pop ecx
+	}
+	//don't be a dick to your OS. now reopen the page protection.
+	OpenPageProtection();
+
+	Write_SSDT_Hook_Table(&Global_Hook_Entry[0],NtIndex,_InitialAddress,_HookedAddress);
+	//Print "hi bro, hook finished!"
+	DbgPrint("Hooked:Initial Address:%X. Hooked Address:%X. NtIndex:%X.",_InitialAddress,_HookedAddress,NtIndex);
+	return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+//When the driver unloads, unhook the ssdt
+NTSTATUS Nt_SSDT_UnHook(ULONG index,ULONG InitialAddress)
+{
+	ULONG _index = index * 4;
+	ClosePageProtection();
+	__asm {
+		push ecx
+			push edx
+			mov ecx,KeServiceDescriptorTable
+			mov ecx,[ecx]
+		add ecx,_index
+			mov edx,InitialAddress
+			mov [ecx],edx
+			pop edx
+			pop ecx
+	}
+	OpenPageProtection();
+	return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+//used for closing page protection
+void ClosePageProtection()
+{
+	__asm
+	{
+		cli
+			mov eax,cr0
+			and eax,not 10000h
+			mov cr0,eax
+	}
+}
+
+#pragma PAGECODE
+void OpenPageProtection()
+{
+	__asm 
+	{ 
+		mov eax, cr0 
+			or eax, 10000h 
+			mov cr0, eax 
+			sti 
+	}   
+}
+
+#pragma PAGECODE
+//Write Hook Table
+void Write_SSDT_Hook_Table(HookEntry* Hook_Entry,ULONG NtIndex,ULONG InitialAddress,ULONG HookedAddress)
+{
+	//index in the SSDT
+	Hook_Entry[SSDT_HOOK_NUMBER].NtIndex = NtIndex;
+	//Initial Address
+	Hook_Entry[SSDT_HOOK_NUMBER].InitialAddress = InitialAddress;
+	//store hooked address
+	Hook_Entry[SSDT_HOOK_NUMBER].HookedAddress = HookedAddress;
+	SSDT_HOOK_NUMBER++;
+}
+
+#pragma PAGECODE
+
+//used for determining whether PID is in the table
+BOOL IsProcessProtected(DWORD PID)
+{
+	int i = 0;
+	for(i=0;i<Protect_PID_Number;i++)
+	{
+		if(Global_Protect_PID_Table[i]==PID)
+			return TRUE;
+	}
+	return FALSE;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Write(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+	return STATUS_SUCCESS;
+} 
+
+NTSTATUS DispatchRoutine_Close(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+	return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Create(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+	return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Read(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+	return STATUS_SUCCESS;
+}
+
+#pragma PAGECODE
+NTSTATUS DispatchRoutine_Device_Control(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp)
+{
+	NTSTATUS status=STATUS_UNSUCCESSFUL;
+	ULONG ControlCode,info;
+	//get ctrlcode
+	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(pIrp);
+	ControlCode = stack->Parameters.DeviceIoControl.IoControlCode;
+	//What is the ctrlcode?
+	switch(ControlCode)
+	{
+		//if NtGetPhysicalAddressCode, return physical address(failed)
+	case NtGetPhysicalAddressCode:
+		{
+			PVOID In_Physical_Address_Buffer = (PVOID)pIrp->AssociatedIrp.SystemBuffer;
+			PPHYSICAL_ADDRESS Out_Physical_Address_Buffer = (PPHYSICAL_ADDRESS)pIrp->AssociatedIrp.SystemBuffer;
+			DbgPrint("NtGetPhysicalAddressCode Received.\n");
+			DbgPrint("The Virtual Address Received is %X\n",In_Physical_Address_Buffer);
+			*(Out_Physical_Address_Buffer) = MmGetPhysicalAddress(In_Physical_Address_Buffer);
+			DbgPrint("The Physical Address is %X.\n",(*(Out_Physical_Address_Buffer)));
+			info = sizeof(PHYSICAL_ADDRESS);
+			status = STATUS_SUCCESS;
+			break;
+		}
+		//Very Important£º 
+	case NtProcessProtectCode:
+		{
+			PDWORD uPID = (PDWORD)pIrp->AssociatedIrp.SystemBuffer;
+			DbgPrint("NtProcessProtectCode Received.\n");
+			//write the HookTable
+			Global_Protect_PID_Table[Protect_PID_Number] = *uPID;
+			DbgPrint("Protected Process PID Number:%d\n",*uPID);
+			//protected process number + 1
+			Protect_PID_Number++;
+			info = 4;
+			status = STATUS_SUCCESS;
+			break;
+		}
+		//ignore other types
+	default:
+		{
+			DbgPrint("Unknown Type NtControlCode Received.\n");
+			status = STATUS_SUCCESS;
+			info = 0;
+			break;
+		}
+	}
+	//bytes returned to the user
+	pIrp->IoStatus.Information=info;
+	//set status
+	pIrp->IoStatus.Status=STATUS_SUCCESS;
+	//complete request
+	IoCompleteRequest(pIrp,IO_NO_INCREMENT);
+	DbgPrint("DeviceIoControl Completed.\n");
+	return status;
+}
+
+//create device 
+#pragma INITCODE
+NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject)
+{
+	PDEVICE_OBJECT pDevObj;
+	UNICODE_STRING pDevName;
+	UNICODE_STRING pDevSymLinkName;
+	NTSTATUS status;
+	RtlInitUnicodeString(&pDevName,L"\\Device\\Hyper_Assembler");
+	status = IoCreateDevice( pDriverObject,0,&pDevName,FILE_DEVICE_UNKNOWN,0, TRUE,&pDevObj);
+	if(!NT_SUCCESS(status))
+	{
+		DbgPrint("Error creating device\n");
+		return status;
+	}
+	DbgPrint("Device Create Succeeded\n");
+	pDevObj->Flags |= DO_BUFFERED_IO;
+	RtlInitUnicodeString(&pDevSymLinkName,L"\\??\\Hyper_ASM");
+	status = IoCreateSymbolicLink( &pDevSymLinkName,&pDevName);
+	if (!NT_SUCCESS(status))
+	{
+		DbgPrint("Error Linking Name\n");
+		IoDeleteDevice(pDevObj);
+		return status;
+	}
+	DbgPrint("Linking Name Succeeded\n");
+	return STATUS_SUCCESS;
+} 
+
+#pragma PAGECODE
+//Hooked NtTerminateProcess
+NTSTATUS HookedNtTerminateProcess(
+	IN HANDLE               ProcessHandle OPTIONAL,
+	IN NTSTATUS             ExitStatus)
+{
+	DWORD PID;
+	NTSTATUS status;
+	PEPROCESS eProcess;
+	//Get process object
+	status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,NULL,KernelMode,&eProcess,NULL); 
+	if(!NT_SUCCESS(status))
+	{
+		return status;
+	}
+	//Get PID
+	PID = (DWORD)PsGetProcessId(eProcess); 
+	if(IsProcessProtected(PID))
+	{
+		//if pid = protected
+		DbgPrint("Protected Process Termination Detected. Access has been denied. PID:%d\n",PID);
+		//return Access Denied!
+		return STATUS_ACCESS_DENIED;
+	}
+	DbgPrint("Normal Process Termination Detected. Call NtTerminateProcess to terminate. PID:%d\n",PID);
+	//or invoke the original NtOpenProcess to handle the request
+	status = InitialNtTerminateProcessAddress(ProcessHandle,ExitStatus);
+	return status;
+}
+
+//The hooked NtOpenProcess
+NTSTATUS HookedNtOpenProcess(
+	__out PHANDLE ProcessHandle,
+	__in ACCESS_MASK DesiredAccess,
+	__in POBJECT_ATTRIBUTES ObjectAttributes,
+	__in_opt PCLIENT_ID ClientId
+	)
+{
+	DWORD PID;
+	NTSTATUS status;
+	PEPROCESS eProcess;
+	status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,NULL,KernelMode,&eProcess,NULL);
+	if(!NT_SUCCESS(status))
+	{
+		return status;
+	}
+
+	PID = (DWORD)PsGetProcessId(eProcess);
+	if(IsProcessProtected(PID))
+	{
+		DbgPrint("Protected Process Open Detected. Access has been denied. PID:%d\n",PID);
+		ProcessHandle = NULL;
+		return STATUS_ACCESS_DENIED;
+	}
+	DbgPrint("Normal Process Open Detected. Call NtOpenProcess to proceed.\n");
+	status = InitialNtOpenProcessAddress(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId);
+	return status;
+}
+
+void Driver_Unload(PDRIVER_OBJECT pDrv)
+{
+	PDEVICE_OBJECT pDevObj;
+	UNICODE_STRING SymLink;
+	//Create Symbol Link Name
+	RtlInitUnicodeString(&SymLink,L"\\??\\Hyper_ASM");
+	pDevObj = pDrv->DeviceObject;
+	//DeleteDevice
+	IoDeleteDevice(pDevObj);
+	IoDeleteSymbolicLink(&SymLink);
+	SSDT_UNHOOK_ALL();
+	DbgPrint("Driver Successfully Unloaded\n");
+}
+
+//used for restoring system ssdt
+void SSDT_UNHOOK_ALL()
+{
+	int i;
+	for (i=SSDT_HOOK_NUMBER-1;i>=0;i--)
+	{
+		Nt_SSDT_UnHook(Global_Hook_Entry[i].NtIndex,Global_Hook_Entry[i].InitialAddress);
+		DbgPrint("UnHooked:Initial Address:%X. Hooked Address:%X. NtIndex:%X.",Global_Hook_Entry[i].InitialAddress,Global_Hook_Entry[i].HookedAddress,Global_Hook_Entry[i].NtIndex);
+	}
+}    
+#endif