commit 6938616da4570ac1f67e02f9b1d5693dc9dd2760
Author: hyperassembler
Date: Mon Jan 20 17:59:49 2014 -0500
Publish Publish
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..412eeda
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,22 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Custom for Visual Studio
+*.cs diff=csharp
+*.sln merge=union
+*.csproj merge=union
+*.vbproj merge=union
+*.fsproj merge=union
+*.dbproj merge=union
+
+# Standard to msysgit
+*.doc diff=astextplain
+*.DOC diff=astextplain
+*.docx diff=astextplain
+*.DOCX diff=astextplain
+*.dot diff=astextplain
+*.DOT diff=astextplain
+*.pdf diff=astextplain
+*.PDF diff=astextplain
+*.rtf diff=astextplain
+*.RTF diff=astextplain
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b9d6bd9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,215 @@ +################# +## Eclipse +################# + +*.pydevproject +.project +.metadata +bin/ +tmp/ +*.tmp +*.bak +*.swp +*~.nib +local.properties +.classpath +.settings/ +.loadpath + +# External tool builders +.externalToolBuilders/ + +# Locally stored "Eclipse launch configurations" +*.launch + +# CDT-specific +.cproject + +# PDT-specific +.buildpath + + +################# +## Visual Studio +################# + +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. + +# User-specific files +*.suo +*.user +*.sln.docstates + +# Build results + +[Dd]ebug/ +[Rr]elease/ +x64/ +build/ +[Bb]in/ +[Oo]bj/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +*_i.c +*_p.c +*.ilk +*.meta +*.obj +*.pch +*.pdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*.log +*.vspscc +*.vssscc +.builds +*.pidb +*.log +*.scc + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opensdf +*.sdf +*.cachefile + +# Visual Studio profiler +*.psess +*.vsp +*.vspx + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# NCrunch +*.ncrunch* +.*crunch*.local.xml + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.Publish.xml +*.pubxml + +# NuGet Packages Directory +## TODO: If you have NuGet Package Restore enabled, uncomment the next line +#packages/ + +# Windows Azure Build Output +csx +*.build.csdef + +# Windows Store app package directory +AppPackages/ + +# Others +sql/ +*.Cache +ClientBin/ +[Ss]tyle[Cc]op.* +~$* +*~ +*.dbmdl +*.[Pp]ublish.xml 
+*.pfx +*.publishsettings + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file to a newer +# Visual Studio version. Backup files are not needed, because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm + +# SQL Server files +App_Data/*.mdf +App_Data/*.ldf + +############# +## Windows detritus +############# + +# Windows image file caches +Thumbs.db +ehthumbs.db + +# Folder config file +Desktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Mac crap +.DS_Store + + +############# +## Python +############# + +*.py[co] + +# Packages +*.egg +*.egg-info +dist/ +build/ +eggs/ +parts/ +var/ +sdist/ +develop-eggs/ +.installed.cfg + +# Installer logs +pip-log.txt + +# Unit test / coverage reports +.coverage +.tox + +#Translations +*.mo + +#Mr Developer +.mr.developer.cfg diff --git a/Process Protect/DeviceControl.exe b/Process Protect/DeviceControl.exe new file mode 100644 index 0000000..f7da586 Binary files /dev/null and b/Process Protect/DeviceControl.exe differ diff --git a/Process Protect/DriverLoader.exe b/Process Protect/DriverLoader.exe new file mode 100644 index 0000000..10ef4aa Binary files /dev/null and b/Process Protect/DriverLoader.exe differ diff --git a/Process Protect/ReadMe.doc b/Process Protect/ReadMe.doc new file mode 100644 index 0000000..90d9b06 Binary files /dev/null and b/Process Protect/ReadMe.doc differ diff --git a/Process Protect/Source Code/DriverMain.c b/Process Protect/Source Code/DriverMain.c new file mode 100644 index 0000000..490564d --- /dev/null +++ b/Process Protect/Source Code/DriverMain.c 
@@ -0,0 +1,33 @@
+#include "drvdef.h"
+#include "nthook.h"
+
+//init code seg. Deleted after using.
+#pragma INITCODE
+
+//Driver Entry-like main
+NTSTATUS DriverEntry(PDRIVER_OBJECT pDrv,PUNICODE_STRING pCode)
+{
+ NTSTATUS status;
+ //Unload function
+ pDrv->DriverUnload=Driver_Unload;
+ //Create Device
+ status=CreateDevice(pDrv);
+ //Dispatch functions - for communication
+ pDrv->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchRoutine_Device_Control;
+ pDrv->MajorFunction[IRP_MJ_CLOSE] = DispatchRoutine_Close;
+ pDrv->MajorFunction[IRP_MJ_WRITE] = DispatchRoutine_Write;
+ pDrv->MajorFunction[IRP_MJ_READ] = DispatchRoutine_Read;
+ pDrv->MajorFunction[IRP_MJ_CREATE] = DispatchRoutine_Create;
+ //print
+ DbgPrint("Driver Successfully Loaded\n");
+ //store initial address of NtTerminateProcess
+ InitialNtTerminateProcessAddress = (PNtTerminateProcess)GetNtCurrentAddress(NtTerminateProcessIndex);
+ //Hook NtTerminateProcess
+ status = Nt_SSDT_Hook(NtTerminateProcessIndex,(ULONG)HookedNtTerminateProcess);
+ //Hook NtTerminateProcess
+ InitialNtOpenProcessAddress = (PNtOpenProcess)GetNtCurrentAddress(NtOpenProcessIndex);
+ //Hook NtTerminateProcess
+ status = Nt_SSDT_Hook(NtOpenProcessIndex,(ULONG)HookedNtOpenProcess);
+ //return
+ return status;
+}
\ No newline at end of file
diff --git a/Process Protect/Source Code/controlcode.h b/Process Protect/Source Code/controlcode.h
new file mode 100644
index 0000000..5cb06c7
--- /dev/null
+++ b/Process Protect/Source Code/controlcode.h
@@ -0,0 +1,14 @@
+#ifndef _controlcode_H_
+#define _controlcode_H_
+
+#define NtGetPhysicalAddressCode CTL_CODE(FILE_DEVICE_UNKNOWN,0x801,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+#define NtProcessProtectCode CTL_CODE(FILE_DEVICE_UNKNOWN,0x802,METHOD_BUFFERED,FILE_ANY_ACCESS)
+
+#define NtOpenProcessIndex 0x7A
+
+#define NtTerminateProcessIndex 0x101
+
+#define NtQuerySystemInformationIndex 0xAD
+
+#endif
\ No newline at end of file
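Review bot: The result of `status=CreateDevice(pDrv);` in DriverEntry is never checked, so when device creation fails the driver still patches both SSDT slots, returns whatever the last Nt_SSDT_Hook call produced, and Driver_Unload (in nthook.h) will later call IoDeleteDevice on a NULL pDrv->DeviceObject; add `if (!NT_SUCCESS(status)) return status;` directly after the call, and return early if the first Nt_SSDT_Hook fails instead of letting the second call overwrite `status`. The three `//Hook NtTerminateProcess` comments above the NtOpenProcess lines are copy-paste leftovers; the last two should read `//store initial address of NtOpenProcess` and `//Hook NtOpenProcess`. The unused `pCode` parameter is the driver's registry path, so naming it `pRegistryPath` would make the signature self-explanatory.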
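Review bot: `NtOpenProcessIndex 0x7A`, `NtTerminateProcessIndex 0x101` and `NtQuerySystemInformationIndex 0xAD` are raw SSDT slot numbers with no comment recording which Windows build and architecture they were taken from, and those indices differ between Windows versions, so on any other build DriverEntry will overwrite an unrelated system service with a handler that expects a different argument layout — a system-wide crash rather than a failed hook. Document the target next to each index, e.g. `// SSDT index on the x86 build this was tested on; indices differ per Windows version, verify before loading elsewhere`, and have the hook code refuse to patch when the index is outside `KeServiceDescriptorTable->NumberOfServices` or the current slot does not look like a kernel address (nthook.h declares a `GetNtInitialAddress` wrapper around MmGetSystemRoutineAddress that is never used and could anchor such a check). Both IOCTLs are also defined with `FILE_ANY_ACCESS`, so whether an unprivileged user can invoke them rests entirely on the device's security descriptor, which the `IoCreateDevice` call in nthook.h does not set.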
diff --git a/Process Protect/Source Code/drvdef.h b/Process Protect/Source Code/drvdef.h new file mode 100644 index 0000000..cf8efba --- /dev/null +++ b/Process Protect/Source Code/drvdef.h 
@@ -0,0 +1,83 @@ + +#ifndef _drvdef_H_ +#define _drvdef_H_ +#include + +#include + +#define INITCODE code_seg("INIT") + +#define PAGECODE code_seg("PAGE") + +//For controlcodes +#include "controlcode.h" + + +//function declaration +typedef NTSTATUS (* PNtTerminateProcess)( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus); +PNtTerminateProcess InitialNtTerminateProcessAddress; + +typedef NTSTATUS (* PNtOpenProcess) ( + __out PHANDLE ProcessHandle, + __in ACCESS_MASK DesiredAccess, + __in POBJECT_ATTRIBUTES ObjectAttributes, + __in_opt PCLIENT_ID ClientId + ); + +PNtOpenProcess InitialNtOpenProcessAddress; + +void Driver_Unload(PDRIVER_OBJECT pDrv); + +NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject); + +NTSTATUS HookedNtTerminateProcess( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +NTSTATUS HookedNtOpenProcess( + __out PHANDLE ProcessHandle, + __in ACCESS_MASK DesiredAccess, + __in POBJECT_ATTRIBUTES ObjectAttributes, + __in_opt PCLIENT_ID ClientId + ); + +void GetNtGDT(); + +NTSTATUS DispatchRoutine_Close(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp); + +NTSTATUS DispatchRoutine_Create(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp); + +NTSTATUS DispatchRoutine_Read(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp); + +NTSTATUS DispatchRoutine_Device_Control(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp); + +NTSTATUS DispatchRoutine_Write(IN PDEVICE_OBJECT pDevobj,IN PIRP pIrp); + +void SSDT_UNHOOK_ALL(); + +//KeServiceDescriptorTable +typedef struct _ServiceDescriptorTable { + PVOID ServiceTableBase; + PVOID ServiceCounterTable; + unsigned int NumberOfServices; + PVOID ParamTableBase; +} *PServiceDescriptorTable; + +extern PServiceDescriptorTable KeServiceDescriptorTable; + +typedef struct _Hook_Entry { + ULONG NtIndex; + ULONG InitialAddress; + ULONG HookedAddress; +} HookEntry, *PHookEntry; + +int SSDT_HOOK_NUMBER = 0; + +int Protect_PID_Number = 0; + +HookEntry Global_Hook_Entry[255]; + +DWORD Global_Protect_PID_Table[255]; +#endif \ No newline at end 
of file diff --git a/Process Protect/Source Code/nthook.h b/Process Protect/Source Code/nthook.h new file mode 100644 index 0000000..f68fd92 --- /dev/null +++ b/Process Protect/Source Code/nthook.h 
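Review bot: drvdef.h defines rather than declares global state — `PNtTerminateProcess InitialNtTerminateProcessAddress;`, `int SSDT_HOOK_NUMBER = 0;`, `HookEntry Global_Hook_Entry[255];`, `DWORD Global_Protect_PID_Table[255];` — so any second translation unit that includes it will produce duplicate symbols at link time, and the `255` capacity is a bare number that the code writing into these tables has no named constant to compare against. Move the definitions into a .c file, keep `extern` declarations here, and add `#define MAX_HOOK_ENTRIES 255` and `#define MAX_PROTECTED_PIDS 255` so the bound exists in one place. The two `#include` lines at the top appear with their targets missing in this rendering, presumably angle-bracket includes lost during extraction; worth confirming against the repository. The `ULONG`-sized addresses in `HookEntry`, the inline `__asm` in nthook.h and the `KeServiceDescriptorTable` export all assume the 32-bit kernel, which a one-line comment on the `_ServiceDescriptorTable` struct should state.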
@@ -0,0 +1,353 @@ +#ifndef _nthook_H_ +#define _nthook_H_ +#include "drvdef.h" + +#include "controlcode.h" + +//Function Declaration +ULONG GetNtInitialAddress(UNICODE_STRING FuncName); + +ULONG GetNtCurrentAddress(ULONG NtIndex); + +BOOL IsProcessProtected(DWORD PID); + +NTSTATUS Nt_SSDT_Hook(ULONG NtIndex,ULONG HookedAddress); + +NTSTATUS Nt_SSDT_UnHook(ULONG NtIndex,ULONG InitialAddress); + +void ClosePageProtection(); + +void OpenPageProtection(); + +void Write_SSDT_Hook_Table(HookEntry* Hook_Entry,ULONG NtIndex,ULONG InitialAddress,ULONG HookedAddress); + +//PAGE +#pragma PAGECODE + +//Used for getting the address of Nt functions +ULONG GetNtInitialAddress(UNICODE_STRING FuncName) +{ + return (ULONG)MmGetSystemRoutineAddress(&FuncName); +} + +#pragma PAGECODE + +ULONG GetNtCurrentAddress(ULONG NtIndex) +{ + ULONG RTN; + ULONG _index = NtIndex * 4; + + __asm + { + push ecx + + mov ecx,KeServiceDescriptorTable + //get the first term + mov ecx,[ecx] + //nth term = base+4n + add ecx,_index + + mov ecx,[ecx] + + mov RTN,ecx + pop ecx + } + return RTN; +} + +#pragma PAGECODE +//the function to hook ssdt table +NTSTATUS Nt_SSDT_Hook(ULONG NtIndex,ULONG HookedAddress) +{ + ULONG _InitialAddress,_HookedAddress; + ULONG _index = NtIndex * 4; + _InitialAddress = GetNtCurrentAddress(NtIndex); + _HookedAddress = HookedAddress; + //close page protection to write the SSDT + ClosePageProtection(); + __asm{ + push ecx + push edx + mov ecx,KeServiceDescriptorTable + mov ecx,[ecx] + add ecx,_index + mov edx,_HookedAddress + mov [ecx],edx + pop edx + pop ecx + } + //don't be a dick to your OS. now reopen the page protection. + OpenPageProtection(); + + Write_SSDT_Hook_Table(&Global_Hook_Entry[0],NtIndex,_InitialAddress,_HookedAddress); + //Print "hi bro, hook finished!" + DbgPrint("Hooked:Initial Address:%X. Hooked Address:%X. 
NtIndex:%X.",_InitialAddress,_HookedAddress,NtIndex); + return STATUS_SUCCESS; +} + +#pragma PAGECODE +//When the driver unloads, unhook the ssdt +NTSTATUS Nt_SSDT_UnHook(ULONG index,ULONG InitialAddress) +{ + ULONG _index = index * 4; + ClosePageProtection(); + __asm { + push ecx + push edx + mov ecx,KeServiceDescriptorTable + mov ecx,[ecx] + add ecx,_index + mov edx,InitialAddress + mov [ecx],edx + pop edx + pop ecx + } + OpenPageProtection(); + return STATUS_SUCCESS; +} + +#pragma PAGECODE +//used for closing page protection +void ClosePageProtection() +{ + __asm + { + cli + mov eax,cr0 + and eax,not 10000h + mov cr0,eax + } +} + +#pragma PAGECODE +void OpenPageProtection() +{ + __asm + { + mov eax, cr0 + or eax, 10000h + mov cr0, eax + sti + } +} + +#pragma PAGECODE +//Write Hook Table +void Write_SSDT_Hook_Table(HookEntry* Hook_Entry,ULONG NtIndex,ULONG InitialAddress,ULONG HookedAddress) +{ + //index in the SSDT + Hook_Entry[SSDT_HOOK_NUMBER].NtIndex = NtIndex; + //Initial Address + Hook_Entry[SSDT_HOOK_NUMBER].InitialAddress = InitialAddress; + //store hooked address + Hook_Entry[SSDT_HOOK_NUMBER].HookedAddress = HookedAddress; + SSDT_HOOK_NUMBER++; +} + +#pragma PAGECODE + +//used for determining whether PID is in the table +BOOL IsProcessProtected(DWORD PID) +{ + int i = 0; + for(i=0;iParameters.DeviceIoControl.IoControlCode; + //What is the ctrlcode? 
+ switch(ControlCode) + { + //if NtGetPhysicalAddressCode, return physical address(failed) + case NtGetPhysicalAddressCode: + { + PVOID In_Physical_Address_Buffer = (PVOID)pIrp->AssociatedIrp.SystemBuffer; + PPHYSICAL_ADDRESS Out_Physical_Address_Buffer = (PPHYSICAL_ADDRESS)pIrp->AssociatedIrp.SystemBuffer; + DbgPrint("NtGetPhysicalAddressCode Received.\n"); + DbgPrint("The Virtual Address Received is %X\n",In_Physical_Address_Buffer); + *(Out_Physical_Address_Buffer) = MmGetPhysicalAddress(In_Physical_Address_Buffer); + DbgPrint("The Physical Address is %X.\n",(*(Out_Physical_Address_Buffer))); + info = sizeof(PHYSICAL_ADDRESS); + status = STATUS_SUCCESS; + break; + } + //Very Important£º + case NtProcessProtectCode: + { + PDWORD uPID = (PDWORD)pIrp->AssociatedIrp.SystemBuffer; + DbgPrint("NtProcessProtectCode Received.\n"); + //write the HookTable + Global_Protect_PID_Table[Protect_PID_Number] = *uPID; + DbgPrint("Protected Process PID Number:%d\n",*uPID); + //protected process number + 1 + Protect_PID_Number++; + info = 4; + status = STATUS_SUCCESS; + break; + } + //ignore other types + default: + { + DbgPrint("Unknown Type NtControlCode Received.\n"); + status = STATUS_SUCCESS; + info = 0; + break; + } + } + //bytes returned to the user + pIrp->IoStatus.Information=info; + //set status + pIrp->IoStatus.Status=STATUS_SUCCESS; + //complete request + IoCompleteRequest(pIrp,IO_NO_INCREMENT); + DbgPrint("DeviceIoControl Completed.\n"); + return status; +} + +//create device +#pragma INITCODE +NTSTATUS CreateDevice(IN PDRIVER_OBJECT pDriverObject) +{ + PDEVICE_OBJECT pDevObj; + UNICODE_STRING pDevName; + UNICODE_STRING pDevSymLinkName; + NTSTATUS status; + RtlInitUnicodeString(&pDevName,L"\\Device\\Hyper_Assembler"); + status = IoCreateDevice( pDriverObject,0,&pDevName,FILE_DEVICE_UNKNOWN,0, TRUE,&pDevObj); + if(!NT_SUCCESS(status)) + { + DbgPrint("Error creating device\n"); + return status; + } + DbgPrint("Device Create Succeeded\n"); + pDevObj->Flags |= 
DO_BUFFERED_IO; + RtlInitUnicodeString(&pDevSymLinkName,L"\\??\\Hyper_ASM"); + status = IoCreateSymbolicLink( &pDevSymLinkName,&pDevName); + if (!NT_SUCCESS(status)) + { + DbgPrint("Error Linking Name\n"); + IoDeleteDevice(pDevObj); + return status; + } + DbgPrint("Linking Name Succeeded\n"); + return STATUS_SUCCESS; +} + +#pragma PAGECODE +//Hooked NtTerminateProcess +NTSTATUS HookedNtTerminateProcess( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus) +{ + DWORD PID; + NTSTATUS status; + PEPROCESS eProcess; + //Get process object + status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,NULL,KernelMode,&eProcess,NULL); + if(!NT_SUCCESS(status)) + { + return status; + } + //Get PID + PID = (DWORD)PsGetProcessId(eProcess); + if(IsProcessProtected(PID)) + { + //if pid = protected + DbgPrint("Protected Process Termination Detected. Access has been denied. PID:%d\n",PID); + //return Access Denied! + return STATUS_ACCESS_DENIED; + } + DbgPrint("Normal Process Termination Detected. Call NtTerminateProcess to terminate. PID:%d\n",PID); + //or invoke the original NtOpenProcess to handle the request + status = InitialNtTerminateProcessAddress(ProcessHandle,ExitStatus); + return status; +} + +//The hooked NtOpenProcess +NTSTATUS HookedNtOpenProcess( + __out PHANDLE ProcessHandle, + __in ACCESS_MASK DesiredAccess, + __in POBJECT_ATTRIBUTES ObjectAttributes, + __in_opt PCLIENT_ID ClientId + ) +{ + DWORD PID; + NTSTATUS status; + PEPROCESS eProcess; + status = ObReferenceObjectByHandle(ProcessHandle,FILE_READ_DATA,NULL,KernelMode,&eProcess,NULL); + if(!NT_SUCCESS(status)) + { + return status; + } + + PID = (DWORD)PsGetProcessId(eProcess); + if(IsProcessProtected(PID)) + { + DbgPrint("Protected Process Open Detected. Access has been denied. PID:%d\n",PID); + ProcessHandle = NULL; + return STATUS_ACCESS_DENIED; + } + DbgPrint("Normal Process Open Detected. 
Call NtOpenProcess to proceed.\n"); + status = InitialNtOpenProcessAddress(ProcessHandle,DesiredAccess,ObjectAttributes,ClientId); + return status; +} + +void Driver_Unload(PDRIVER_OBJECT pDrv) +{ + PDEVICE_OBJECT pDevObj; + UNICODE_STRING SymLink; + //Create Symbol Link Name + RtlInitUnicodeString(&SymLink,L"\\??\\Hyper_ASM"); + pDevObj = pDrv->DeviceObject; + //DeleteDevice + IoDeleteDevice(pDevObj); + IoDeleteSymbolicLink(&SymLink); + SSDT_UNHOOK_ALL(); + DbgPrint("Driver Successfully Unloaded\n"); +} + +//used for restoring system ssdt +void SSDT_UNHOOK_ALL() +{ + int i; + for (i=SSDT_HOOK_NUMBER-1;i>=0;i--) + { + Nt_SSDT_UnHook(Global_Hook_Entry[i].NtIndex,Global_Hook_Entry[i].InitialAddress); + DbgPrint("UnHooked:Initial Address:%X. Hooked Address:%X. NtIndex:%X.",Global_Hook_Entry[i].InitialAddress,Global_Hook_Entry[i].HookedAddress,Global_Hook_Entry[i].NtIndex); + } +} +#endif \ No newline at end of file diff --git a/Process Protect/ddk.sys b/Process Protect/ddk.sys new file mode 100644 index 0000000..59f4187 Binary files /dev/null and b/Process Protect/ddk.sys differ
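Review bot: In `DispatchRoutine_Device_Control`, the `NtProcessProtectCode` case stores `*uPID` at `Global_Protect_PID_Table[Protect_PID_Number]` and increments the index without checking `Parameters.DeviceIoControl.InputBufferLength` or the table's 255-entry capacity, so a caller can make the driver read past the system buffer and, after 255 requests, write caller-chosen DWORDs past the end of a kernel global; because the IOCTL is `FILE_ANY_ACCESS` and `CreateDevice` uses `IoCreateDevice` with no security descriptor plus a global `\\??\\Hyper_ASM` link, this is reachable by any local user. The same handler should fail unknown codes with `STATUS_INVALID_DEVICE_REQUEST` instead of STATUS_SUCCESS, and the completion code should set `pIrp->IoStatus.Status = status;` rather than hard-coding STATUS_SUCCESS. Separately, `HookedNtOpenProcess` passes its `ProcessHandle` out-parameter (a caller pointer, not a handle) to `ObReferenceObjectByHandle`, so the protection check never inspects the target process — the PID should come from `ClientId->UniqueProcess`, probed when the caller is user mode — and both hooks take an object reference they never release with `ObDereferenceObject`. The `NtGetPhysicalAddressCode` case likewise calls `MmGetPhysicalAddress` on the system buffer's own address rather than on the value the caller placed in it, which is presumably why the comment says `(failed)`. The CR0.WP toggling in ClosePageProtection/OpenPageProtection runs from a `PAGE` section with interrupts disabled, which is its own bugcheck risk, but the unchecked IOCTL input is the part an unprivileged caller controls.
```c
// … unchanged: NtGetPhysicalAddressCode case …
case NtProcessProtectCode:
{
    PDWORD uPID = (PDWORD)pIrp->AssociatedIrp.SystemBuffer;
    ULONG inLen = IoGetCurrentIrpStackLocation(pIrp)->Parameters.DeviceIoControl.InputBufferLength;
    DbgPrint("NtProcessProtectCode Received.\n");
    // Reject short input before touching the buffer.
    if (inLen < sizeof(DWORD))
    {
        status = STATUS_BUFFER_TOO_SMALL;
        info = 0;
        break;
    }
    // Refuse to overrun the fixed-size PID table.
    if (Protect_PID_Number >= (int)(sizeof(Global_Protect_PID_Table) / sizeof(Global_Protect_PID_Table[0])))
    {
        status = STATUS_INSUFFICIENT_RESOURCES;
        info = 0;
        break;
    }
    Global_Protect_PID_Table[Protect_PID_Number] = *uPID;
    DbgPrint("Protected Process PID Number:%d\n",*uPID);
    Protect_PID_Number++;
    info = sizeof(DWORD);
    status = STATUS_SUCCESS;
    break;
}
// … unchanged: default branch and IRP completion …
```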