Dxt-Code[V]
10-13-2010, 02:18 AM
Big thanks to Dxt-Superman and OSR Online - The Home Page for Windows Driver Developers (http://www.osronline.com/) for helping me with writing drivers.
MSDN
ZwOpenProcess (Windows Driver Kit) (http://msdn.microsoft.com/en-us/library/ff567022(VS.85).aspx)
Introduction
This will show you how to hook ZwOpenProcess, not cover the basics of writing a driver.
This is not for beginners. This is for beginners who have written a driver before and want to tackle an SSDT hook.
What is this used for?
ZwOpenProcess can be hooked to change the status of a process. Have you ever had a process that said you can't do anything to it? You can't close it with Task Manager, or attach OllyDbg? This will solve your problem. ZwOpenProcess can lock a process and also open it.
Status that I will be using.
STATUS_ACCESS_DENIED //This will lock the process
ZwOpenProcess
NTSTATUS ZwOpenProcess( PHANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
PCLIENT_ID ClientId );
Hooking it
// Pointer to the original SSDT entry, saved before the hook is installed so it can be called and later restored
typedef NTSTATUS (*ZwOpenProcess_t)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES, PCLIENT_ID);
ZwOpenProcess_t Old_ZwOpenProcess;
NTSTATUS New_ZwOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
    // Pass-through: forward every call to the original implementation unchanged
    return Old_ZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}
How to lock a process
Add
HANDLE PID = NULL; // ID of the process being opened
if (ClientId != NULL) // ClientId may be NULL when the process is opened by name; dereferencing it then would BSOD
    PID = ClientId->UniqueProcess;
Then
if (PID == (HANDLE)3168) // ID of the process you will be locking / unlocking
{
    //NEXT THING
}
Thing to add to lock and unlock
return STATUS_ACCESS_DENIED; //Adding that will lock the process.
This is not perfect and could possibly cause a BSOD. Be careful. I am still a bit of a beginner in this, so bear with me if I use the wrong terms.
If you do this and do it incorrectly and lock or unlock something important, you can always restore these hooks using Kernel Detective.
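To go with the note above about restoring hooks with a tool such as Kernel Detective, here is an added example (not from the post, and not Kernel Detective's code) in portable C of the check such tools perform: walk the service table, flag entries whose handler lies outside the kernel image, and put flagged entries back from a trusted copy. The table layout is a simplified model of the x86 SSDT (an array of absolute handler addresses); locating the real table and the kernel image bounds is not covered, and every address below is constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Simplified x86-style service table: each entry holds the absolute address
 * of the handler for that service index (constructed model, not ntddk.h). */
typedef struct {
    uintptr_t *service_table; /* ServiceTableBase */
    uintptr_t  count;         /* NumberOfServices */
} ssdt_t;

/* A handler is suspect when it lies outside the kernel image that owns the
 * table: a hook such as New_ZwOpenProcess lives in a third-party driver. */
static int entry_hooked(const ssdt_t *t, size_t idx,
                        uintptr_t kernel_base, uintptr_t kernel_size)
{
    uintptr_t addr = t->service_table[idx];
    return addr < kernel_base || addr >= kernel_base + kernel_size;
}

/* Scan the table and record the indices that point outside the kernel image.
 * Returns the number of suspect entries; writes at most max_out indices. */
size_t ssdt_scan(const ssdt_t *t, uintptr_t kernel_base, uintptr_t kernel_size,
                 size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < t->count; i++) {
        if (entry_hooked(t, i, kernel_base, kernel_size)) {
            if (n < max_out) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Put one entry back from a trusted copy of the original table, which is what
 * "restoring" a hook amounts to. Returns 1 if the entry was changed. */
int ssdt_restore(ssdt_t *t, size_t idx, const uintptr_t *original)
{
    if (idx >= t->count || t->service_table[idx] == original[idx]) return 0;
    t->service_table[idx] = original[idx];
    return 1;
}

/* Constructed demo data: a four-entry table whose third entry has been
 * redirected to an address outside the 2 MiB kernel image range. */
#define DEMO_KERNEL_BASE 0x80400000u
#define DEMO_KERNEL_SIZE 0x00200000u
uintptr_t demo_original[4] = {0x80410000u, 0x80420000u, 0x80430000u, 0x80440000u};
uintptr_t demo_live[4]     = {0x80410000u, 0x80420000u, 0xF8A01000u, 0x80440000u};
ssdt_t demo_table = { demo_live, 4 };
```

Running the scan on demo_table reports index 2 as hooked; after ssdt_restore the scan reports nothing.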