
Thursday, August 11, 2011

Hooking ZwOpenProcess To Protect Processes

This kernel-mode snippet hooks ZwOpenProcess in the System Service Dispatch Table (SSDT) and protects a chosen process by returning STATUS_ACCESS_DENIED to any caller that tries to open it by PID.



#include "ntddk.h"

// Hooking ZwOpenProcess to protect a process by returning STATUS_ACCESS_DENIED

// The PID of my process
int PID = 1234; // I want to get the PID from the process "SERVER.EXE"

NTSYSAPI
NTSTATUS
NTAPI ZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);

// Function-pointer type for the original entry. NTAPI (stdcall on x86) must be part of the type,
// otherwise the hook and the SSDT entry disagree on the calling convention and the stack is corrupted.
typedef NTSTATUS (NTAPI *ZWOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);

// OldZwOpenProcess points to the original function (saved before the SSDT entry is replaced)
ZWOPENPROCESS OldZwOpenProcess;

// This is my hook function that will replace the kernel function ZwOpenProcess in the System Service Dispatch Table (SSDT)
NTSTATUS NTAPI NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
{
    HANDLE ProcessId = NULL;

    // ClientId is OPTIONAL: an open by object name carries no CLIENT_ID, so never dereference a NULL pointer here
    if (ClientId == NULL)
    {
        return OldZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    // At this point ClientId is still an unvalidated user-mode pointer, so guard the read
    __try
    {
        ProcessId = ClientId->UniqueProcess;
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        return STATUS_INVALID_PARAMETER;
    }

    if (ProcessId == (HANDLE)(ULONG_PTR)PID) // Check if the PID matches my protected process
    {
        return STATUS_ACCESS_DENIED; // Return Access Denied
    }
    else
    {
        return OldZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId); // Call the original ZwOpenProcess
    }
}
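The hook above denies every open of the protected PID, which also blocks harmless callers: the process opening itself, a parent waiting on it, or a task list querying its name. A finer policy, added here as an example that is not part of the original post, denies only the rights that could be used to kill or tamper with the process and lets the protected process itself through. It is written as a portable C model of the decision so it can be compiled and tested outside the kernel: the HANDLE, ACCESS_MASK and CLIENT_ID stand-ins are defined locally (an assumption, not the DDK headers), the PROCESS_* and GENERIC_* values are the documented winnt.h constants, and decide_open / decide_open_pids are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
/* Local stand-ins for the DDK types the hook uses, so the policy builds and
 * runs on any host (assumption: these are not the real ntddk.h definitions). */
typedef void *HANDLE;
typedef uint32_t ACCESS_MASK;
typedef struct { HANDLE UniqueProcess; HANDLE UniqueThread; } CLIENT_ID;

/* Documented process access rights and generic bits (winnt.h values). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_SUSPEND_RESUME            0x0800u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define MAXIMUM_ALLOWED                   0x02000000u
#define GENERIC_ALL                       0x10000000u
#define GENERIC_WRITE                     0x40000000u

/* Rights that let a caller kill, inject into or tamper with the target. Generic and
 * MAXIMUM_ALLOWED bits are included: they expand to specific rights only later, so a check on the specific bits alone would miss them. */
#define TAMPER_RIGHTS (PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                       PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME | MAXIMUM_ALLOWED |      \
                       GENERIC_ALL | GENERIC_WRITE)

enum open_decision { PASS_THROUGH = 0, DENY_ACCESS = 1 };
/* Decision for one ZwOpenProcess call. In the driver, caller_pid would come from PsGetCurrentProcessId() and DENY_ACCESS would become STATUS_ACCESS_DENIED. */
enum open_decision decide_open(HANDLE caller_pid, HANDLE protected_pid,
                               ACCESS_MASK desired, const CLIENT_ID *client_id)
{
    if (client_id == NULL)                          /* OPTIONAL: open by name, nothing to filter */
        return PASS_THROUGH;
    if (client_id->UniqueProcess != protected_pid)  /* not our process: leave it alone */
        return PASS_THROUGH;
    if (caller_pid == protected_pid)                /* a process may always open itself */
        return PASS_THROUGH;
    if (desired & TAMPER_RIGHTS)
        return DENY_ACCESS;
    return PASS_THROUGH;                            /* query-only opens (process lists) keep working */
}

/* Wrapper on plain PIDs for tests and callers; target_pid 0 models a NULL ClientId. */
enum open_decision decide_open_pids(uintptr_t caller_pid, uintptr_t protected_pid,
                                    ACCESS_MASK desired, uintptr_t target_pid)
{
    CLIENT_ID cid = { (HANDLE)target_pid, NULL };
    return decide_open((HANDLE)caller_pid, (HANDLE)protected_pid, desired, target_pid ? &cid : NULL);
}
```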
