1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
| Structure ObjectAttributes Align #PB_Structure_AlignC
Length.l
RootDirectory.i
ObjectName.i
Attributes.l
SecurityDescriptor.i
SecurityQualityOfService.i
EndStructure
Declare DriverEntry(*DriverObject, *RegistryPath)
; Объявляем прототип True функции для перехватываемой функции.
Prototype pNtOpenProcess(*ProcessHandle, DesiredAccess,
*ObjectAttributes, *ClientId)
Prototype.i pNtTerminateProcess(ProcessHandle.i, ExitStatus.i)
Prototype pNtCreateFile(FileHandle,DesiredAccess,*naga.ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength)
Prototype pNtOpenFile(FileHandle, DesiredAccess,*zaga.ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions)
Global TrueNtOpenProcess.pNtOpenProcess=0 ; Оригинальная функция из ядра.
Global TrueNtTerminateProcess.pNtTerminateProcess=0 ; Оригинальная функция из ядра.
Global TrueNtCreateFile.pNtCreateFile=0 ; Оригинальная функция из ядра.
Global TrueNtOpenFile.pNtOpenFile=0 ; Оригинальная функция из ядра.
Global gOpenProcId=0, gTerminateProcId=0, gCreateFileId, gOpenFileId, gMyPID.l=0, stat=0,stap=0,load=1,loadstat=1
Global namefile.s, opennamefile.s
Global scanAnalis=0,scanAnalis2=0
*A=@DriverEntry()
!jmp [p_A]
#Debug = #False ; #True
IncludePath #PB_Compiler_Home+"DDK\"
XIncludeFile "ntddk.pbi"
XIncludeFile "ntstatus.pbi"
XIncludeFile "ntfunct.pbi"
Import "ntoskrnl.lib"
*KeServiceDescriptorTable.SERVICE_DESCRIPTOR_TABLE As "__imp__KeServiceDescriptorTable"
*NtBuildNumber.Unicode As "__imp__NtBuildNumber"
*MmUserProbeAddress As "__imp__MmUserProbeAddress"
EndImport
#IOCTL_NewPid = $200
#IOCTL_ScanType = $600
#IOCTL_ScanAn = $800
#IOCTL_Stop = $1000
Macro NTCALL(_function)
*KeServiceDescriptorTable\ntoskrnl\ServiceTable\ar[_function]
EndMacro
Macro CernelDebug(String)
CompilerIf #Debug = #True
DbgPrint(@String)
CompilerEndIf
EndMacro
EnableExplicit
Procedure NewNtOpenProcess(*ProcessHandle, DesiredAccess,
*ObjectAttributes, *ClientId.CLIENT_ID)
Protected ProcessId
If gMyPID<>0
If *ClientId > *MmUserProbeAddress
CernelDebug("*ClientId > *MmUserProbeAddress")
ProcedureReturn #STATUS_INVALID_PARAMETER
EndIf
; MOV ebx, *ClientId
; CMP ebx, *MmUserProbeAddress
; JBE l_newntopenprocess_m1
; CernelDebug("*ClientId > *MmUserProbeAddress")
; ProcedureReturn #STATUS_INVALID_PARAMETER
m1:
If *ClientId
ProcessId = *ClientId\UniqueProcess
Else
CernelDebug("*ClientId = 0")
ProcedureReturn #STATUS_INVALID_PARAMETER
EndIf
If gMyPID = ProcessId
CernelDebug("My Process")
ProcedureReturn #STATUS_ACCESS_DENIED
Else
Goto m2
EndIf
Else
m2:
If TrueNtOpenProcess
ProcedureReturn TrueNtOpenProcess(*ProcessHandle, DesiredAccess,
*ObjectAttributes, *ClientId)
Else
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
EndIf
EndProcedure
Procedure GetPID(ProcessHandle)
Protected *obj, ProcessId
ProcessId = $FFFFFFFF
If ObReferenceObjectByHandle(ProcessHandle, 0 ,0, #KernelMode,
@*obj,#Null) = #STATUS_SUCCESS
ProcessId = PsGetProcessId(*obj)
ObDereferenceObject(*obj)
EndIf
ProcedureReturn ProcessId
EndProcedure
Procedure.i NewNtTerminateProcess(ProcessHandle.i, ExitStatus.i)
If gMyPID <> 0 And GetPID(ProcessHandle) = gMyPID
CernelDebug("Terminate my process")
ProcedureReturn #STATUS_ACCESS_DENIED
Else
If TrueNtTerminateProcess
ProcedureReturn TrueNtTerminateProcess(ProcessHandle, ExitStatus)
Else
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
EndIf
EndProcedure
Procedure NewNtCreateFile(FileHandle,DesiredAccess,*naga.ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength)
Protected *s.UNICODE_STRING=*naga\ObjectName, scn
If *s And *s\Buffer And *s\Length>0
opennamefile = PeekS(*s\Buffer, *s\Length)
Else
opennamefile = "no file"
EndIf
If TrueNtCreateFile
ProcedureReturn TrueNtCreateFile(FileHandle,DesiredAccess,*naga.ObjectAttributes,IoStatusBlock,AllocationSize,FileAttributes,ShareAccess,CreateDisposition,CreateOptions,EaBuffer,EaLength)
Else
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
EndProcedure
Procedure NewNtOpenFile(FileHandle, DesiredAccess,*zaga.ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions)
Protected *g.UNICODE_STRING=*zaga\ObjectName, scn
opennamefile = PeekS(*g\Buffer, *g\Length)
If TrueNtOpenFile
ProcedureReturn TrueNtOpenFile(FileHandle, DesiredAccess,*zaga.ObjectAttributes,IoStatusBlock,ShareAccess,OpenOptions)
Else
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
EndProcedure
Procedure CreateDispatch(*DeviceObject.DEVICE_OBJECT, *pIrp.IRP)
*pIrp\IoStatus\Information = 0
*pIrp\IoStatus\Status = #STATUS_SUCCESS
IoCompleteRequest(*pIrp, #IO_NO_INCREMENT)
ProcedureReturn #STATUS_SUCCESS
EndProcedure
Macro UnInterception()
CLI ; запрещаем прерывания
MOV eax, cr0
MOV CR0Reg,eax
AND eax,$FFFEFFFF ; сбросить WP bit
MOV cr0, eax
If TrueNtOpenProcess
NTCALL(gOpenProcId) = TrueNtOpenProcess
EndIf
If TrueNtTerminateProcess
NTCALL(gTerminateProcId) = TrueNtTerminateProcess
EndIf
If TrueNtCreateFile
NTCALL(gCreateFileId) = TrueNtCreateFile
EndIf
If TrueNtOpenFile
NTCALL(gOpenFileId) = TrueNtOpenFile
EndIf
MOV eax, CR0Reg
MOV cr0, eax ; востановить содержимое CR0
STI ; разрешаем прерывания
EndMacro
Procedure DeviceIoControl(*DeviceObject.DEVICE_OBJECT, *pIrp.IRP)
Protected ntStatus, *Point, *Stack.IO_STACK_LOCATION
Protected inBuffersize, outBuffersize, CtrlBuff.l
Protected Code, Delay.q, Size=0
Protected uniDOSString.UNICODE_STRING
Protected CR0Reg.i
;Protected *namefile.UNICODE_STRING
*Stack = *pIrp\Tail\Overlay\CurrentStackLocation
inBuffersize = *Stack\Parameters\DeviceIoControl\InputBufferLength
outBuffersize = *Stack\Parameters\DeviceIoControl\OutputBufferLength
CtrlBuff = PeekL(*pIrp\SystemBuffer)
Code = *Stack\Parameters\DeviceIoControl\IoControlCode
ntStatus = #STATUS_SUCCESS
Select Code
Case #IOCTL_NewPid
scanAnalis2 = 2
gMyPID = CtrlBuff
Size=15
If Size>0
If outBuffersize>=Size
Size=PokeS(*pIrp\SystemBuffer, "security active", Size)
Else
ntStatus = #STATUS_BUFFER_TOO_SMALL
Size=0
EndIf
EndIf
Case #IOCTL_ScanType
Size=StringByteLength(opennamefile)
If Size>0
If outBuffersize>=Size
Size=PokeS(*pIrp\SystemBuffer,opennamefile,Size)
Else
ntStatus = #STATUS_BUFFER_TOO_SMALL
Size=0
EndIf
EndIf
Case #IOCTL_Stop
UnInterception()
Case #IOCTL_ScanAn
Size=1
If Size>0
If outBuffersize>=Size
If CtrlBuff = 2
scanAnalis = 2
scanAnalis2 = 2
Size=PokeS(*pIrp\SystemBuffer, "enabled", 7)
EndIf
If CtrlBuff = 3
scanAnalis = 3
scanAnalis2 = 3
Size=PokeS(*pIrp\SystemBuffer,"disabled", 8)
EndIf
Else
ntStatus = #STATUS_BUFFER_TOO_SMALL
Size=0
EndIf
EndIf
Default
ntStatus = #STATUS_UNSUCCESSFUL
EndSelect
*pIrp\IoStatus\Information = Size
*pIrp\IoStatus\Status = ntStatus
IoCompleteRequest(*pIrp, #IO_NO_INCREMENT)
ProcedureReturn ntStatus
EndProcedure
Procedure DriverUnload(*DriverObject.DRIVER_OBJECT)
Protected uniDOSString.UNICODE_STRING
Protected CR0Reg.i
load=2
UnInterception()
loadstat=3
RtlInitUnicodeString(@uniDOSString, ?DosDevices)
IoDeleteSymbolicLink (@uniDOSString)
IoDeleteDevice(*DriverObject\DeviceObject)
namefile=""
EndProcedure
Macro Interception()
Select *NtBuildNumber\u
Case 2195 ; Win 2000
gOpenProcId = $06A
gTerminateProcId = 0 ; Не перехватывать, т. к. в ядре отсутствует Native фукнция PsGetProcessId()!
Case 2600 ; Win XP
gOpenProcId = 0
gTerminateProcId = 0
gCreateFileId = $25
gOpenFileId = 0
Case 3790 ; Win 2003.
gOpenProcId = $80
gTerminateProcId = $10A
Case 6000, ; Win Vista RTM.
6001, ; Win Vista SP1 и Win Server 2008 RTM.
6002 ; Win Vista SP2 и Win Server 2008 SP2.
gOpenProcId = $C2
If *NtBuildNumber\u=6000
gTerminateProcId = $152
Else
gTerminateProcId = $14e
EndIf
Case 7600, ; Win 7 RTM и Win Server 2008 R2 RTM.
7601 ; Win 7 SP1 и Win Server 2008 R2 SP1.
gOpenProcId = 0
gTerminateProcId = 0
gCreateFileId = $42
gOpenFileId = 0
Case 9200 ; Win 8.
gOpenProcId = 0 ; Не перехватывать, т. к. BSoD.
gTerminateProcId = $23
Default
ProcedureReturn #STATUS_NOT_IMPLEMENTED
EndSelect
; Устанавливаем перехваты.
If gOpenProcId>0
TrueNtOpenProcess = NTCALL(gOpenProcId)
If TrueNtOpenProcess = 0
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
Else
TrueNtOpenProcess = 0
EndIf
If gCreateFileId>0
TrueNtCreateFile = NTCALL(gCreateFileId)
If TrueNtCreateFile = 0
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
Else
TrueNtCreateFile = 0
EndIf
If gOpenFileId>0
TrueNtOpenFile = NTCALL(gOpenFileId)
If TrueNtOpenFile = 0
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
Else
TrueNtOpenFile = 0
EndIf
If gTerminateProcId>0
TrueNtTerminateProcess = NTCALL(gTerminateProcId)
If TrueNtTerminateProcess = 0
ProcedureReturn #STATUS_INVALID_ADDRESS
EndIf
Else
TrueNtTerminateProcess = 0
EndIf
CLI ; запрещаем прерывания
MOV eax, cr0
MOV CR0Reg,eax
AND eax,$FFFEFFFF ; сбросить WP bit
MOV cr0, eax
If gOpenProcId>0
NTCALL(gOpenProcId) = @NewNtOpenProcess()
EndIf
If gTerminateProcId>0
NTCALL(gTerminateProcId) = @NewNtTerminateProcess()
EndIf
If gCreateFileId>0
NTCALL(gCreateFileId) = @NewNtCreateFile()
EndIf
If gOpenFileId>0
NTCALL(gOpenFileId) = @NewNtOpenFile()
EndIf
MOV eax, CR0Reg
MOV cr0, eax ; востановить содержимое CR0
STI ; разрешаем прерывания
EndMacro
Procedure DriverEntry(*DriverObject.DRIVER_OBJECT, *RegistryPath.UNICODE_STRING)
Protected deviceObject.DEVICE_OBJECT
Protected uniNameString.UNICODE_STRING
Protected uniDOSString.UNICODE_STRING, status
Protected CR0Reg.i
If *KeServiceDescriptorTable And *NtBuildNumber
Interception()
RtlInitUnicodeString(@uniNameString, ?Device)
RtlInitUnicodeString(@uniDOSString, ?DosDevices)
status = IoCreateDevice(*DriverObject, 0, @uniNameString, #FILE_DEVICE_UNKNOWN,
0, #False, @deviceObject)
If status <> #STATUS_SUCCESS
UnInterception()
ProcedureReturn status
EndIf
status = IoCreateSymbolicLink(@uniDOSString, @uniNameString)
If status <> #STATUS_SUCCESS
IoDeleteDevice(@deviceObject) ; Мы должны сами убирать "хвосты" в режиме ядра!
UnInterception()
ProcedureReturn status
EndIf
*DriverObject\DriverUnload = @DriverUnload()
*DriverObject\MajorFunction[#IRP_MJ_CREATE] = @CreateDispatch()
*DriverObject\MajorFunction[#IRP_MJ_CLOSE] = @CreateDispatch()
*DriverObject\MajorFunction[#IRP_MJ_DEVICE_CONTROL] = @DeviceIoControl()
ProcedureReturn #STATUS_SUCCESS
Else
ProcedureReturn #STATUS_INVALID_SYSTEM_SERVICE
EndIf
EndProcedure
DataSection
CompilerSelect #PB_Compiler_Processor
CompilerCase #PB_Processor_x86
Device:
!du '\Device\pbNoKill', 0, 0
DosDevices:
!du '\DosDevices\pbNoKill', 0, 0
CompilerCase #PB_Processor_x64
Device:
!du '\Device\pbNoKill_x64', 0, 0
DosDevices:
!du '\DosDevices\pbNoKill_x64', 0, 0
CompilerEndSelect
EndDataSection |
(
