Hooking ZwOpenProcess To Protect Processes

Protects a process by hooking ZwOpenProcess in the System Service Dispatch Table (SSDT) and returning STATUS_ACCESS_DENIED for any attempt to open the protected PID. Note that SSDT patching is unsupported and is detected by Kernel Patch Protection on 64-bit Windows; ObRegisterCallbacks is the supported mechanism for filtering process handle access.



#include "ntddk.h"
// Hooking ZwOpenProcess to protect a process by returning a STATUS_ACCESS_DENIED 

// PID of the process to protect. Hard-coded placeholder: it is meant to be resolved from the
// running "SERVER.EXE" instance when the hook is installed.
int PID = 1234;

// Prototype of the real system service (normally also provided by the DDK headers);
// kept here so the hook's typedef below can be checked against it.
NTSYSAPI NTSTATUS NTAPI
ZwOpenProcess(
    OUT PHANDLE ProcessHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes,
    IN PCLIENT_ID ClientId OPTIONAL
    );

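// Signature of ZwOpenProcess, used to call the original through the saved SSDT entry.
// NTAPI (stdcall on x86) is required: the SSDT entries are stdcall, and calling one through a
// cdecl function pointer leaves the stack unbalanced after every call. On x64 NTAPI is a no-op.
typedef NTSTATUS (NTAPI *ZWOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);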

// Saved original SSDT entry for ZwOpenProcess. Filled in by the (not shown) hook installer;
// NULL until then, so the hook must not be installed before this is set.
ZWOPENPROCESS OldZwOpenProcess = NULL;

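// Hook function that replaces ZwOpenProcess in the System Service Dispatch Table (SSDT).
//
// Denies every open of the protected process (PID) with STATUS_ACCESS_DENIED and forwards all
// other calls unchanged to the original ZwOpenProcess.
//
// NTAPI matters: on x86 the SSDT entries are stdcall, so a cdecl hook would leave the
// caller's stack unbalanced on every system call.
//
// NOTE(review): this filters one syscall; it is not a security boundary. A caller can still
// reach the process through an existing handle (NtDuplicateObject), through its threads
// (NtOpenThread), or from kernel mode, and denying *all* access rights also breaks tools that
// only need PROCESS_QUERY_LIMITED_INFORMATION. ObRegisterCallbacks is the supported way to
// strip access rights from process handles.
NTSTATUS NTAPI NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
{
    HANDLE ProcessId = NULL;

    // ClientId is OPTIONAL: a caller may identify the target through ObjectAttributes instead.
    // There is no PID to filter on in that case, so let the real syscall handle (and validate)
    // it rather than failing the call with STATUS_INVALID_PARAMETER.
    if (ClientId == NULL)
    {
        return OldZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
    }

    // ClientId is normally a user-mode pointer supplied by the caller. Probe it before
    // dereferencing it so that a bad or kernel-address pointer raises an exception that the
    // handler turns into a failure status instead of a bugcheck. The probe is skipped for
    // kernel-mode callers, whose pointers legitimately live above the user address space.
    __try
    {
        if (ExGetPreviousMode() != KernelMode)
        {
            ProbeForRead(ClientId, sizeof(CLIENT_ID), sizeof(ULONG));
        }
        ProcessId = ClientId->UniqueProcess;
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        // Report the fault the same way the real NtOpenProcess does for an unreadable parameter.
        return GetExceptionCode();
    }

    // Block every access right to the protected process; everything else passes through.
    // ULONG_PTR intermediate avoids the int-to-pointer width/sign warning on 64-bit builds.
    if (ProcessId == (HANDLE)(ULONG_PTR)PID)
    {
        return STATUS_ACCESS_DENIED;
    }

    return OldZwOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId);
}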