
利用HOOK保护记事本进程

#include <ntifs.h>
#include <ntddk.h>
#include <ntstrsafe.h>
#include "NtCommon.h"

/* Signature of the NtOpenProcess/ZwOpenProcess system service. The hook
   below has this shape and the saved original entry is called through it. */
typedef NTSTATUS (*MyNtOpenProcess)(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
);

/* Service-table entry saved by StartHook() and written back by StopHook().
   NULL until the hook has been installed. */
MyNtOpenProcess g_OldNtOpenProcess = NULL;

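/* Exported by ntoskrnl.exe but absent from the public headers: returns the
   short image name kept in the EPROCESS (at most 15 characters plus NUL).
   It is not a documented contract, but it is far more stable than the
   hard-coded EPROCESS offset (0x16c) the original code relied on, which is
   only valid for one kernel build and silently misreads on any other. */
NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(IN PEPROCESS Process);

/* Decide, by image name, whether the process named by ClientId is protected.
 * Test-only policy: protection keyed on a file name is weak, since any
 * process whose image happens to carry that name is treated as protected
 * and only the first 15 characters of the name are ever compared.
 *
 * ClientId  Caller-supplied CLIENT_ID from NtOpenProcess; may be NULL and,
 *           for a user-mode caller, may point at invalid memory.
 * pName     NUL-terminated image name to match, compared case-insensitively
 *           (the original passed a third argument TRUE to strcmp, which
 *           takes two; the intent was evidently a case-insensitive match).
 * Returns TRUE only when the target process exists and its image name
 * matches; FALSE on NULL arguments, an unreadable ClientId, or lookup failure.
 */
BOOLEAN ProtectProcess(PCLIENT_ID ClientId, PUCHAR pName)
{
    NTSTATUS status = STATUS_SUCCESS;
    BOOLEAN bRet = FALSE;
    PEPROCESS pEprocess = NULL;
    HANDLE pid = NULL;
    PCHAR imageName = NULL;

    if (ClientId == NULL || pName == NULL)
    {
        return FALSE;
    }

    /* ClientId comes straight from the NtOpenProcess caller. When that caller
       is user mode the pointer must be probed and the read done under SEH;
       the original dereferenced it unguarded (a __finally block does not
       catch the access violation). A bad pointer is simply "not protected"
       so the real service can fail the call with its own status. */
    __try
    {
        if (ExGetPreviousMode() == UserMode)
        {
            ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
        }
        pid = ClientId->UniqueProcess;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        return FALSE;
    }

    status = PsLookupProcessByProcessId(pid, &pEprocess);
    if (!NT_SUCCESS(status))
    {
        return FALSE;
    }

    __try
    {
        imageName = PsGetProcessImageFileName(pEprocess);
        if (imageName != NULL && _stricmp(imageName, (const char *)pName) == 0)
        {
            bRet = TRUE;
        }
    }
    __finally
    {
        /* PsLookupProcessByProcessId took a reference; drop it on every path. */
        ObDereferenceObject(pEprocess);
    }
    return bRet;
}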

/* Replacement for the ZwOpenProcess service-table entry.
 * Every NtOpenProcess call on the system passes through here once the hook
 * is installed. Calls whose ClientId names the protected image are refused
 * with STATUS_UNSUCCESSFUL; everything else is forwarded untouched to the
 * original service saved in g_OldNtOpenProcess. Only handle opens by
 * client id are policed here; other routes to a handle are not covered.
 */
NTSTATUS HookNtOpenProcess(
PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId
)
{
    BOOLEAN targetIsProtected = ProtectProcess(ClientId, "notepad.exe");

    if (!targetIsProtected)
    {
        return g_OldNtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    return STATUS_UNSUCCESSFUL;
}

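/* Install the hook: exchange the ZwOpenProcess service-table entry for
 * HookNtOpenProcess and remember the previous entry in g_OldNtOpenProcess.
 *
 * PageProtectOff()/PageProtectOn() and NTFUN() come from NtCommon.h;
 * presumably they clear and restore the write-protect bit around the
 * table write -- confirm that, because WP is a per-processor state and the
 * exchange must not run while another processor can observe a half-done
 * state. The original stored the pointer through InterlockedExchange on a
 * ULONG, which truncates function pointers on 64-bit builds;
 * InterlockedExchangePointer moves a full pointer on both widths. Note that
 * 64-bit kernels patch-protect the service table, so this approach is in
 * practice limited to 32-bit targets regardless.
 */
void StartHook(void)
{
    PageProtectOff();
    g_OldNtOpenProcess = (MyNtOpenProcess)InterlockedExchangePointer(
        (PVOID volatile *)&NTFUN(ZwOpenProcess),
        (PVOID)HookNtOpenProcess);
    PageProtectOn();
}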
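/* Remove the hook: write the entry saved by StartHook() back into the
 * service table.
 *
 * A no-op when the hook was never installed: the original unconditionally
 * wrote g_OldNtOpenProcess, i.e. NULL, into the table in that case, so the
 * next ZwOpenProcess call would have jumped to NULL. The saved pointer is
 * deliberately left set afterwards, because a thread that entered
 * HookNtOpenProcess just before the swap still reads it; calling StopHook()
 * twice merely rewrites the same original entry.
 */
void StopHook(void)
{
    MyNtOpenProcess original = g_OldNtOpenProcess;

    if (original == NULL)
    {
        return;
    }

    PageProtectOff();
    InterlockedExchangePointer((PVOID volatile *)&NTFUN(ZwOpenProcess), (PVOID)original);
    PageProtectOn();
}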

/* Driver unload callback: restore the original service entry before the
 * driver image disappears. Nothing here waits for threads that are still
 * executing inside HookNtOpenProcess at the moment the entry is restored,
 * so unloading while NtOpenProcess is busy is a race the caller must accept.
 */
VOID DriverUnload(
IN PDRIVER_OBJECT   pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);

    StopHook();
    KdPrint(("Drive Unload\n"));
}
/* Driver entry point: register the unload routine and install the hook.
 * pRegistryPath is not used. Always reports STATUS_SUCCESS, since StartHook()
 * returns no status of its own.
 */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath)
{
    UNREFERENCED_PARAMETER(pRegistryPath);

    pDriverObject->DriverUnload = DriverUnload;
    StartHook();
    KdPrint(("Drive load\n"));
    return STATUS_SUCCESS;
}