├── LICENSE
├── README.md
├── bin
│   ├── driver_loader.exe
│   ├── protection.cer
│   └── protection.sys
├── driver_loader
│   ├── driver_loader.c
│   ├── driver_loader.filters
│   ├── driver_loader.h
│   ├── driver_loader.user
│   ├── driver_loader.vcxproj
│   └── driver_operation.c
├── kernel_mode_process_protection.sln
└── protection
    ├── device.c
    ├── driver.c
    ├── driver.h
    ├── major_functions.c
    ├── message_handler.c
    ├── protection.c
    ├── protection.inf
    ├── protection.vcxproj
    ├── protection.vcxproj.filters
    └── protection.vcxproj.user
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2020 Hanson

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# kernel_mode_process_protection
My first kernel-mode process protection driver!

# [bin](bin) folder
This folder contains the executable binaries, including the driver loader (.exe file) and the driver (.sys file).

!! IT IS RECOMMENDED TO TEST THIS PROGRAM IN A VIRTUAL MACHINE !!

How to use these files:
1. Put driver_loader.exe and protection.sys in the same folder.
2. Run driver_loader.exe as Administrator.
3. Press 1, Enter. The driver loader will load the driver. This step may fail because I don't have an appropriate digital signature. You may want to [disable driver signature enforcement](https://windowsreport.com/driver-signature-enforcement-windows-10/).
4. Press 2, Enter. Input the PID of the process you want to protect. The driver loader will communicate with the driver and the driver will start the protection.
5. Try to terminate the target process with Task Manager or taskkill.
6. Press 3, Enter. The driver loader will communicate with the driver and the driver will stop the protection.
7. Press 4, Enter. The driver loader will unload the driver.

# [driver_loader](driver_loader) folder
The source code of the driver loader executable (driver_loader.exe).

Most of the code is copied from [my first kernel-mode driver](https://github.com/SweetIceLolly/My_First_Driver).

This program does the driver-related operations: loading the driver (creating and starting a kernel service for it), communicating with it (writing commands to its device), and unloading it (stopping and deleting the service).

# [protection](protection) folder
The source code of the driver executable (protection.sys).

Part of the code is copied from [my first kernel-mode driver](https://github.com/SweetIceLolly/My_First_Driver).

[driver.c](protection/driver.c): This file defines `DriverEntry`, the entry point of the driver, which registers the `IRP_MJ_*` handlers and creates the I/O device. It also defines `on_driver_unload`: when the driver is being unloaded, this procedure is called and the protection is stopped.

[device.c](protection/device.c): This file defines the device-related functions. `SetupIoDevice` creates an I/O device (`\Device\MyProtectionDriver`, reachable through the symbolic link `\DosDevices\MyProtectionDriver`) to communicate with the user-mode driver loader.

[major_functions.c](protection/major_functions.c): This file defines the handlers for the `IRP_MJ_*` major functions. Specifically, `IRP_MJ_CREATE`, `IRP_MJ_CLOSE` and `IRP_MJ_WRITE` are handled; every other major function code goes to `Io_Unsupported`. The `IRP_MJ_WRITE` handler passes the received message to `handle_buffer_message`.

[message_handler.c](protection/message_handler.c): This file defines `handle_buffer_message`, which processes the message received from `IRP_MJ_WRITE`. A message is one command byte followed by its argument: `'e'` plus the 4 raw bytes of the PID enables protection (the driver calls `enable_protection`), and `'d'` on its own disables it (the driver calls `disable_protection`).
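
The loader and the driver share the one-byte-opcode message format just described, but the kernel side reads the PID out of a buffer whose length is chosen by the user-mode caller, so the handler must check the length it received before touching those bytes. The following is an added example, not code from this repository: a portable C encoder/decoder for that format with those checks, using `memcpy` instead of the `*(int*)&buf[1]` cast; the `proto_msg`/`msg_status` names are my own, and the sample messages are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_ENABLE  'e'                      /* 'e' + 4-byte PID: enable protection  */
#define CMD_DISABLE 'd'                      /* 'd' alone:        disable protection */
#define ENABLE_MSG_LEN (1 + sizeof(int32_t)) /* 5 bytes, exactly what driver_loader.c writes */

typedef enum {
    MSG_OK = 0,
    MSG_TOO_SHORT,   /* buffer shorter than the opcode requires */
    MSG_BAD_LENGTH,  /* buffer longer than the opcode allows (trailing bytes) */
    MSG_BAD_OPCODE,  /* first byte is neither 'e' nor 'd' */
    MSG_BAD_PID      /* 'e' carried a PID <= 0 */
} msg_status;

typedef struct {
    char    opcode;
    int32_t pid;     /* only meaningful when opcode == CMD_ENABLE */
} proto_msg;

/* User-mode side: build the enable message. Returns the byte count, or -1. */
int encode_enable(int32_t pid, unsigned char *out, size_t cap) {
    if (pid <= 0 || cap < ENABLE_MSG_LEN) return -1;
    out[0] = CMD_ENABLE;
    memcpy(out + 1, &pid, sizeof pid);   /* bytewise copy: no unaligned int store */
    return (int)ENABLE_MSG_LEN;
}

int encode_disable(unsigned char *out, size_t cap) {
    if (cap < 1) return -1;
    out[0] = CMD_DISABLE;
    return 1;
}

/* Driver side: parse what IRP_MJ_WRITE delivered. In the driver, buf would be
   Irp->AssociatedIrp.SystemBuffer (buffered I/O) and len the write length from
   the current stack location; here both are plain arguments so it runs anywhere. */
msg_status decode_message(const unsigned char *buf, size_t len, proto_msg *out) {
    memset(out, 0, sizeof *out);
    if (len < 1) return MSG_TOO_SHORT;               /* never read buf[0] of an empty write */
    out->opcode = (char)buf[0];
    switch (buf[0]) {
    case CMD_DISABLE:
        return len == 1 ? MSG_OK : MSG_BAD_LENGTH;
    case CMD_ENABLE:
        if (len < ENABLE_MSG_LEN) return MSG_TOO_SHORT;  /* would read past the buffer */
        if (len > ENABLE_MSG_LEN) return MSG_BAD_LENGTH;
        memcpy(&out->pid, buf + 1, sizeof out->pid);
        return out->pid > 0 ? MSG_OK : MSG_BAD_PID;
    default:
        return MSG_BAD_OPCODE;
    }
}

const char *status_name(msg_status s) {
    static const char *names[] = { "OK", "TOO_SHORT", "BAD_LENGTH", "BAD_OPCODE", "BAD_PID" };
    return names[s];
}

int main(void) {
    /* Constructed samples: a valid enable message for PID 1234, the same bytes
       delivered with a wrong length, and an unknown opcode. */
    unsigned char buf[8];
    proto_msg msg;
    msg_status st;
    int n = encode_enable(1234, buf, sizeof buf);

    st = decode_message(buf, (size_t)n, &msg);
    printf("enable(1234), %d bytes -> %s (pid=%d)\n", n, status_name(st), msg.pid);
    printf("same buffer, 3 bytes   -> %s\n", status_name(decode_message(buf, 3, &msg)));
    printf("same buffer, 8 bytes   -> %s\n", status_name(decode_message(buf, 8, &msg)));
    buf[0] = 'x';
    printf("unknown opcode, 1 byte -> %s\n", status_name(decode_message(buf, 1, &msg)));
    return 0;
}
```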
37 |
[protection.c](protection/protection.c): This file does everything related to process protection. In the `enable_protection` function, the program uses `ObRegisterCallbacks` to register handle-creation callbacks for process objects. The callback functions are `PreOperationCallback` and `PostOperationCallback`. `PreOperationCallback` is called when a handle to a process is being created; when the handle being opened targets the process we want to protect, the callback removes the access rights from the requested handle, so nobody gets a handle that allows terminating or otherwise accessing the protected process. In the `disable_protection` function, the program uses `ObUnRegisterCallbacks` to unregister the callbacks, so the target process is no longer protected. Note that `ObRegisterCallbacks` refuses (with `STATUS_ACCESS_DENIED`) drivers that are not linked with `/INTEGRITYCHECK`, so that linker flag is needed in addition to a signature the system accepts.

# Acknowledgment/Credits
I found [this helpful tutorial](https://www.evilsocket.net/2014/02/05/termination-and-injection-self-defense-on-windows/), which helped me to implement the protection. Thank you for the valuable and detailed tutorial! ❤

This is my first kernel-mode process protection driver. I hope you can find what you need in this repo :)

--------------------------------------------------------------------------------
/bin/driver_loader.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SweetIceLolly/Kernel_Mode_Process_Protection/f3fe46823ca9a06a3ead602b7a400b8d3bee3f88/bin/driver_loader.exe
--------------------------------------------------------------------------------
/bin/protection.cer:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SweetIceLolly/Kernel_Mode_Process_Protection/f3fe46823ca9a06a3ead602b7a400b8d3bee3f88/bin/protection.cer
--------------------------------------------------------------------------------
/bin/protection.sys:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/SweetIceLolly/Kernel_Mode_Process_Protection/f3fe46823ca9a06a3ead602b7a400b8d3bee3f88/bin/protection.sys
--------------------------------------------------------------------------------
/driver_loader/driver_loader.c:
--------------------------------------------------------------------------------
#include "driver_loader.h"
#include <string.h> //memcpy(), strlen(), strcat()

#define SERVICE_NAME "MyProtectionDriver"
#define DEVICE_NAME "\\\\.\\MyProtectionDriver"
#define DRIVER_FILE_NAME "\\protection.sys"

#ifndef __GNUC__ //Use scanf_s for Visual Studio, but not for gcc
#define scanf scanf_s
#endif

HANDLE hIoHandle = INVALID_HANDLE_VALUE;

/*
Purpose: Load the driver
Args: driver_file: Path to the driver file
Return: 0: Failed; 1: Succeed
*/
int load_driver(const char *driver_file) {
    //Create service
    if (Create_Service(SERVICE_NAME, driver_file) == 1) {
        printf("Create_Service() succeed!\n");
    }
    else {
        printf("Create_Service() failed!\n");
        return 0;
    }

    //Start service
    if (Start_Service(SERVICE_NAME) == 1) {
        printf("Start_Service() succeed!\n");
    }
    else {
        printf("Start_Service() failed!\n");
        return 0;
    }

    //Get IO handle
    hIoHandle = Get_IO_Handle(DEVICE_NAME);
    if (hIoHandle != INVALID_HANDLE_VALUE) {
        printf("Get_IO_Handle() succeed!\n");
    }
    else {
        printf("Get_IO_Handle() failed: %lu\n", GetLastError()); //GetLastError() returns a DWORD, so %lu rather than %i
        return 0;
    }

    return 1;
}

/*
Purpose: Send message to the device to start the protection
Args: pid: The process ID to protect
Return: 0: Failed; 1: Succeed
Note: Message format: 'e' followed by the 4 raw bytes of the PID (5 bytes total)
*/
int protect_process(int pid) {
    char command[1 + sizeof(int)] = { 0 };

    if (hIoHandle == INVALID_HANDLE_VALUE) {
        printf("Load the driver first!\n");
        return 0;
    }
    if (pid <= 0) {
        printf("Invalid PID!\n");
        return 0;
    }

    command[0] = 'e'; //'e' for enable protection
    memcpy(&command[1], &pid, sizeof(pid)); //Bytewise copy instead of *(int*)&command[1]: no unaligned store

    if (Write_IO_Handle(hIoHandle, command, (int)sizeof(command)) == 1) {
        printf("Write_IO_Handle() succeed!\n");
    }
    else {
        printf("Write_IO_Handle() failed!\n");
        return 0;
    }

    return 1;
}

/*
Purpose: Send message to the device to stop the protection
Return: 0: Failed; 1: Succeed
*/
int stop_protection(void) {
    char command[1] = { 'd' }; //'d' for disable protection

    if (hIoHandle == INVALID_HANDLE_VALUE) {
        printf("Load the driver first!\n");
        return 0;
    }

    if (Write_IO_Handle(hIoHandle, command, 1) == 1) {
        printf("Write_IO_Handle() succeed!\n");
    }
    else {
        printf("Write_IO_Handle() failed!\n");
        return 0;
    }

    return 1;
}

/*
Purpose: Close the device handle, then stop and delete the driver service
*/
void unload_driver(void) {
    Close_IO_Handle(hIoHandle);
    hIoHandle = INVALID_HANDLE_VALUE; //Don't keep a closed handle around
    printf("Close_IO_Handle() called!\n");

    if (Stop_Service(SERVICE_NAME) == 1) {
        printf("Stop_Service() succeed!\n");
    }
    else {
        printf("Stop_Service() failed!\n");
    }

    if (Delete_Service(SERVICE_NAME) == 1) {
        printf("Delete_Service() succeed!\n");
    }
    else {
        printf("Delete_Service() failed!\n");
    }
}

int main(void) {
    int selection;
    int pid;
    char driver_file[MAX_PATH];
    DWORD dir_len;

    printf(
        "1: Load Driver\n"
        "2: Protect Process\n"
        "3: Stop Protection\n"
        "4: Unload Driver\n"
        "5: Bye!\n"
        "\n"
    );

    //Build "<current directory>\protection.sys"; refuse a path that would not fit in the buffer
    dir_len = GetCurrentDirectory(MAX_PATH, driver_file);
    if (dir_len == 0 || dir_len + strlen(DRIVER_FILE_NAME) >= MAX_PATH) {
        printf("GetCurrentDirectory() failed or path too long: %lu\n", GetLastError());
        return 1;
    }
#ifndef __GNUC__ //Use strcat_s for Visual Studio, but not for gcc
    strcat_s(driver_file, MAX_PATH, DRIVER_FILE_NAME);
#else
    strcat(driver_file, DRIVER_FILE_NAME);
#endif

    for (;;) {
        if (scanf("%i", &selection) != 1) { //EOF or non-numeric input: clean up and leave instead of spinning forever
            printf("Invalid input, cleaning up.\n");
            stop_protection();
            unload_driver();
            return 1;
        }

        switch (selection) {
        case 1: //Load driver
            load_driver(driver_file);
            break;

        case 2: //Protect process
            printf("PID: ");
            if (scanf("%i", &pid) != 1) {
                printf("Invalid PID!\n");
                break;
            }
            protect_process(pid);
            break;

        case 3: //Stop protection
            stop_protection();
            break;

        case 4: //Unload driver
            unload_driver();
            break;

        case 5: //Exit
            stop_protection();
            unload_driver();
            return 0;

        default:
            printf("What?\n");
        }
    }
}

--------------------------------------------------------------------------------
/driver_loader/driver_loader.filters:
--------------------------------------------------------------------------------
(Visual Studio filters file; the XML tags did not survive extraction. Recoverable content: one filter named "Source Files" with UniqueIdentifier {4FC737F1-C7A5-4376-A066-2A32D752A2FF} and extensions cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx, and three items assigned to "Source Files".)
--------------------------------------------------------------------------------
/driver_loader/driver_loader.h:
--------------------------------------------------------------------------------
#include <windows.h> //SC_HANDLE, service control API, CreateFile(), WriteFile()
#include <stdio.h>   //printf()
//The two header names above are restored from what driver_loader.c and driver_operation.c use; the originals did not survive extraction

int Create_Service(const char *ServiceName, const char *ExecutablePath);
int Start_Service(const char *ServiceName);
int Stop_Service(const char *ServiceName);
int Delete_Service(const char *ServiceName);
HANDLE Get_IO_Handle(char *DeviceName);
void Close_IO_Handle(HANDLE hIO);
int Write_IO_Handle(HANDLE hDevice, const char *Buffer, const int WriteSize);

--------------------------------------------------------------------------------
/driver_loader/driver_loader.user:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/driver_loader/driver_loader.vcxproj:
--------------------------------------------------------------------------------
(Visual Studio C project file; the XML tags did not survive extraction. Recoverable settings: ProjectGuid {CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}, keyword Win32Proj, project name driver_loader; Debug|Win32 and Release|Win32 configurations of type Application, PlatformToolset v120_xp, CharacterSet MultiByte, warning level Level3, subsystem Console; Debug defines WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) with optimization Disabled, Release defines WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions) with MaxSpeed optimization and whole-program optimization enabled.)
--------------------------------------------------------------------------------
/driver_loader/driver_operation.c:
--------------------------------------------------------------------------------
#include "driver_loader.h"

/*
Purpose: Create the driver service
Args: ServiceName: The name of the service
      ExecutablePath: File path of the driver file
Return: 0: Failed; 1: Succeed
*/
int Create_Service(const char *ServiceName, const char *ExecutablePath) {
    printf("Creating service: %s\n", ServiceName);

    SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); //Open a handle to Service Manager
    if (sh == NULL) { //OpenSCManager() returns NULL on failure, not INVALID_HANDLE_VALUE
        printf("OpenSCManager() failed: %lu\n", GetLastError());
        return 0;
    }

    SC_HANDLE hService = CreateService(sh, ServiceName, ServiceName, //Create the driver service
        SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
        ExecutablePath, NULL, NULL, NULL, NULL, NULL);
    if (hService == NULL) {
        printf("CreateService() failed: %lu\n", GetLastError());
        CloseServiceHandle(sh); //Use this instead of CloseHandle()
        return 0;
    }

    CloseServiceHandle(hService);
    CloseServiceHandle(sh);
    return 1;
}

/*
Purpose: Start the specified service
Args: ServiceName: Name of the service
Return: 0: Failed; 1: Succeed
*/
int Start_Service(const char *ServiceName) {
    SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); //Open a handle to Service Manager
    if (sh == NULL) {
        printf("OpenSCManager() failed: %lu\n", GetLastError());
        return 0;
    }

    SC_HANDLE hService = OpenService(sh, ServiceName, SERVICE_ALL_ACCESS); //Get a handle to the driver service
    if (hService == NULL) {
        printf("OpenService() failed: %lu\n", GetLastError());
        CloseServiceHandle(sh);
        return 0;
    }
    CloseServiceHandle(sh);

    if (StartService(hService, 0, NULL) == 0) {
        DWORD err_code = GetLastError();
        printf("StartService() failed: %lu\n", err_code);
        CloseServiceHandle(hService); //This handle used to be leaked on the failure path
        return 0;
    }

    CloseServiceHandle(hService);
    return 1;
}

/*
Purpose: Stop the specified service
Args: ServiceName: Name of the service
Return: 0: Failed; 1: Succeed
*/
int Stop_Service(const char *ServiceName) {
    SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); //Open a handle to Service Manager
    if (sh == NULL) {
        printf("OpenSCManager() failed: %lu\n", GetLastError());
        return 0;
    }

    SC_HANDLE hService = OpenService(sh, ServiceName, SERVICE_ALL_ACCESS); //Get a handle to the driver service
    if (hService == NULL) {
        printf("OpenService() failed: %lu\n", GetLastError());
        CloseServiceHandle(sh);
        return 0;
    }
    CloseServiceHandle(sh);

    SERVICE_STATUS ss;
    if (ControlService(hService, SERVICE_CONTROL_STOP, &ss) == 0) {
        printf("ControlService(SERVICE_CONTROL_STOP) failed: %lu\n", GetLastError());
        CloseServiceHandle(hService);
        return 0;
    }

    CloseServiceHandle(hService);
    return 1;
}

/*
Purpose: Delete the specified service
Args: ServiceName: Name of the service
Return: 0: Failed; 1: Succeed
*/
int Delete_Service(const char *ServiceName) {
    SC_HANDLE sh = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); //Open a handle to Service Manager
    if (sh == NULL) {
        printf("OpenSCManager() failed: %lu\n", GetLastError());
        return 0;
    }

    SC_HANDLE hService = OpenService(sh, ServiceName, SERVICE_ALL_ACCESS); //Get a handle to the driver service
    if (hService == NULL) {
        printf("OpenService() failed: %lu\n", GetLastError());
        CloseServiceHandle(sh);
        return 0;
    }
    CloseServiceHandle(sh);

    if (DeleteService(hService) == 0) {
        printf("DeleteService() failed: %lu\n", GetLastError());
        CloseServiceHandle(hService);
        return 0;
    }

    CloseServiceHandle(hService);
    return 1;
}

/*
Purpose: Get an IO handle
Args: DeviceName: Device name
Return: The IO handle. INVALID_HANDLE_VALUE if failed
Note: Remember to close the handle with Close_IO_Handle()
*/
HANDLE Get_IO_Handle(char *DeviceName) {
    printf("Opening: %s\n", DeviceName);
    return CreateFile(DeviceName, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
}

/*
Purpose: Close an IO handle
Args: hIO: The IO handle
*/
void Close_IO_Handle(HANDLE hIO) {
    if (hIO != INVALID_HANDLE_VALUE) {
        CloseHandle(hIO);
    }
}

/*
Purpose: Write data to an IO handle
Args: hDevice: The IO handle
      Buffer: Data to write
      WriteSize: The length of data to write
Return: 0: failed; 1: succeed
*/
int Write_IO_Handle(HANDLE hDevice, const char *Buffer, const int WriteSize) {
    DWORD written = 0;

    if (WriteSize < 0) {
        return 0;
    }
    //lpNumberOfBytesWritten may only be NULL for overlapped I/O, so a real DWORD has to be passed here
    if (WriteFile(hDevice, Buffer, (DWORD)WriteSize, &written, NULL) == 0) {
        printf("WriteFile() failed: %lu\n", GetLastError());
        return 0;
    }
    if (written != (DWORD)WriteSize) {
        printf("WriteFile() wrote %lu of %i bytes!\n", written, WriteSize);
        return 0;
    }
    return 1;
}

--------------------------------------------------------------------------------
/kernel_mode_process_protection.sln:
--------------------------------------------------------------------------------

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio 2013
VisualStudioVersion = 12.0.21005.1
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "protection", "protection\protection.vcxproj", "{FA7EC13B-E085-4691-82E8-F74B3E05A68F}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "driver_loader", "driver_loader\driver_loader.vcxproj", "{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}"
EndProject
Global
	GlobalSection(SolutionConfigurationPlatforms) = preSolution
		Debug|Mixed Platforms = Debug|Mixed Platforms
		Debug|Win32 = Debug|Win32
		Debug|x64 = Debug|x64
		Release|Mixed Platforms = Release|Mixed Platforms
		Release|Win32 = Release|Win32
		Release|x64 = Release|x64
		Win7 Debug|Mixed Platforms = Win7 Debug|Mixed Platforms
		Win7 Debug|Win32 = Win7 Debug|Win32
		Win7 Debug|x64 = Win7 Debug|x64
		Win7 Release|Mixed Platforms = Win7 Release|Mixed Platforms
		Win7 Release|Win32 = Win7 Release|Win32
		Win7 Release|x64 = Win7 Release|x64
		Win8 Debug|Mixed Platforms = Win8 Debug|Mixed Platforms
		Win8 Debug|Win32 = Win8 Debug|Win32
		Win8 Debug|x64 = Win8 Debug|x64
		Win8 Release|Mixed Platforms = Win8 Release|Mixed Platforms
		Win8 Release|Win32 = Win8 Release|Win32
		Win8 Release|x64 = Win8 Release|x64
		Win8.1 Debug|Mixed Platforms = Win8.1 Debug|Mixed Platforms
		Win8.1 Debug|Win32 = Win8.1 Debug|Win32
		Win8.1 Debug|x64 = Win8.1 Debug|x64
		Win8.1 Release|Mixed Platforms = Win8.1 Release|Mixed Platforms
		Win8.1 Release|Win32 = Win8.1 Release|Win32
		Win8.1 Release|x64 = Win8.1 Release|x64
	EndGlobalSection
	GlobalSection(ProjectConfigurationPlatforms) = postSolution
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|Mixed Platforms.ActiveCfg = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|Mixed Platforms.Build.0 = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|Mixed Platforms.Deploy.0 = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|Win32.ActiveCfg = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|Win32.Build.0 = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|x64.ActiveCfg = Win8.1 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|x64.Build.0 = Win8.1 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Debug|x64.Deploy.0 = Win8.1 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|Mixed Platforms.ActiveCfg = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|Mixed Platforms.Build.0 = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|Mixed Platforms.Deploy.0 = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|Win32.ActiveCfg = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|Win32.Build.0 = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|x64.ActiveCfg = Win7 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|x64.Build.0 = Win7 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Release|x64.Deploy.0 = Win7 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|Mixed Platforms.ActiveCfg = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|Mixed Platforms.Build.0 = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|Mixed Platforms.Deploy.0 = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|Win32.ActiveCfg = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|Win32.Build.0 = Win7 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|x64.ActiveCfg = Win7 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|x64.Build.0 = Win7 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Debug|x64.Deploy.0 = Win7 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|Mixed Platforms.ActiveCfg = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|Mixed Platforms.Build.0 = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|Mixed Platforms.Deploy.0 = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|Win32.ActiveCfg = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|Win32.Build.0 = Win7 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|x64.ActiveCfg = Win7 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|x64.Build.0 = Win7 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win7 Release|x64.Deploy.0 = Win7 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|Mixed Platforms.ActiveCfg = Win8 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|Mixed Platforms.Build.0 = Win8 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|Mixed Platforms.Deploy.0 = Win8 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|Win32.ActiveCfg = Win8 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|Win32.Build.0 = Win8 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|x64.ActiveCfg = Win8 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|x64.Build.0 = Win8 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Debug|x64.Deploy.0 = Win8 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|Mixed Platforms.ActiveCfg = Win8 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|Mixed Platforms.Build.0 = Win8 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|Mixed Platforms.Deploy.0 = Win8 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|Win32.ActiveCfg = Win8 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|Win32.Build.0 = Win8 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|x64.ActiveCfg = Win8 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|x64.Build.0 = Win8 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8 Release|x64.Deploy.0 = Win8 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|Mixed Platforms.ActiveCfg = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|Mixed Platforms.Build.0 = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|Mixed Platforms.Deploy.0 = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|Win32.ActiveCfg = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|Win32.Build.0 = Win8.1 Debug|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|x64.ActiveCfg = Win8.1 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|x64.Build.0 = Win8.1 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Debug|x64.Deploy.0 = Win8.1 Debug|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|Mixed Platforms.ActiveCfg = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|Mixed Platforms.Build.0 = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|Mixed Platforms.Deploy.0 = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|Win32.ActiveCfg = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|Win32.Build.0 = Win8.1 Release|Win32
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|x64.ActiveCfg = Win8.1 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|x64.Build.0 = Win8.1 Release|x64
		{FA7EC13B-E085-4691-82E8-F74B3E05A68F}.Win8.1 Release|x64.Deploy.0 = Win8.1 Release|x64
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Debug|Mixed Platforms.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Debug|Win32.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Debug|Win32.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Debug|x64.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Release|Mixed Platforms.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Release|Mixed Platforms.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Release|Win32.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Release|Win32.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Release|x64.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Debug|Mixed Platforms.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Debug|Mixed Platforms.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Debug|Win32.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Debug|Win32.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Debug|x64.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Release|Mixed Platforms.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Release|Mixed Platforms.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Release|Win32.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Release|Win32.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win7 Release|x64.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Debug|Mixed Platforms.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Debug|Mixed Platforms.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Debug|Win32.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Debug|Win32.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Debug|x64.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Release|Mixed Platforms.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Release|Mixed Platforms.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Release|Win32.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Release|Win32.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8 Release|x64.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Debug|Mixed Platforms.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Debug|Mixed Platforms.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Debug|Win32.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Debug|Win32.Build.0 = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Debug|x64.ActiveCfg = Debug|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Release|Mixed Platforms.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Release|Mixed Platforms.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Release|Win32.ActiveCfg = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Release|Win32.Build.0 = Release|Win32
		{CB7F8236-DFD9-4D73-85F6-C4C6C658ACCD}.Win8.1 Release|x64.ActiveCfg = Release|Win32
	EndGlobalSection
	GlobalSection(SolutionProperties) = preSolution
		HideSolutionNode = FALSE
	EndGlobalSection
EndGlobal

--------------------------------------------------------------------------------
/protection/device.c:
--------------------------------------------------------------------------------
1 | #include "driver.h"
2 |
3 | //Global variables -----------------------------------------------
4 | const wchar_t *DeviceName = L"\\Device\\MyProtectionDriver";
5 | const wchar_t *SymbolicLink = L"\\DosDevices\\MyProtectionDriver";
6 |
7 | UNICODE_STRING ustrDeviceName;
8 | UNICODE_STRING ustrSymbolicLink;
9 |
10 | PDEVICE_OBJECT CreatedDeviceObject = NULL;
11 | //----------------------------------------------------------------
12 |
13 | void init_unicode_strings() {
14 | RtlInitUnicodeString(&ustrDeviceName, DeviceName);
15 | RtlInitUnicodeString(&ustrSymbolicLink, SymbolicLink);
16 | }
17 |
18 | /*
19 | Purpose: Create I/O device
20 | Args: DriverObject: Driver Object
21 | Return: 0: Failed; 1: Succeed
22 | */
23 | int SetupIoDevice(PDRIVER_OBJECT DriverObject) {
24 | DbgPrint("Creating I/O device! name: %ws", ustrDeviceName.Buffer);
25 |
26 | int ret = IoCreateDevice(DriverObject, 0, &ustrDeviceName, FILE_DEVICE_UNKNOWN,
27 | FILE_DEVICE_SECURE_OPEN, FALSE, &CreatedDeviceObject);
28 | if (ret != STATUS_SUCCESS) {
29 | DbgPrint("IoCreateDevice() failed!");
30 | return 0;
31 | }
32 |
33 | CreatedDeviceObject->Flags |= DO_BUFFERED_IO;
34 | CreatedDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
35 | DbgPrint("Device created!");
36 |
37 | ret = IoCreateSymbolicLink(&ustrSymbolicLink, &ustrDeviceName);
38 | if (ret != STATUS_SUCCESS) {
39 | DbgPrint("IoCreateSymbolicLink() failed!");
40 | return 0;
41 | }
42 | DbgPrint("Symbolic link created!: %ws -> %ws", ustrSymbolicLink.Buffer, ustrDeviceName.Buffer);
43 | return 1;
44 | }
45 |
--------------------------------------------------------------------------------
/protection/driver.c:
--------------------------------------------------------------------------------
1 | #include "driver.h"
2 |
3 | //Function prototypes --------------------------------------------
4 | void on_driver_unload(PDRIVER_OBJECT DriverObject);
5 | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath);
6 | //----------------------------------------------------------------
7 |
8 | NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath) {
9 | UNREFERENCED_PARAMETER(RegistryPath);
10 |
11 | DriverObject->DriverUnload = on_driver_unload;
12 |
13 | unsigned int i;
14 | for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) { //IRP_MJ_MAXIMUM_FUNCTION is the last valid index, so the loop is inclusive
15 | DriverObject->MajorFunction[i] = Io_Unsupported;
16 | }
17 | DriverObject->MajorFunction[IRP_MJ_CREATE] = Create_DeviceIo;
18 | DriverObject->MajorFunction[IRP_MJ_CLOSE] = Close_DeviceIo;
19 | DriverObject->MajorFunction[IRP_MJ_WRITE] = Buffered_Write;
20 |
21 | init_unicode_strings();
22 | if (SetupIoDevice(DriverObject) != 1) {
23 | //Without a device there is nothing for user mode to talk to: fail the load instead of staying half-initialised
24 | DbgPrint("SetupIoDevice() failed!");
25 | return STATUS_UNSUCCESSFUL;
26 | }
27 | DbgPrint("SetupIoDevice() succeeded!");
28 |
29 | DbgPrint("Driver loaded!");
30 |
31 | return STATUS_SUCCESS;
32 | }
33 |
34 | void on_driver_unload(PDRIVER_OBJECT DriverObject) {
35 | extern UNICODE_STRING ustrSymbolicLink; //Defined in device.c (assumed to be a non-static global there)
36 |
37 | disable_protection(); //Unregister the object callback before the code backing it is unmapped
38 |
39 | //Undo SetupIoDevice(): remove the symbolic link first, then the device object it pointed to
40 | IoDeleteSymbolicLink(&ustrSymbolicLink);
41 | if (DriverObject->DeviceObject != NULL) {
42 | IoDeleteDevice(DriverObject->DeviceObject);
43 | }
44 |
45 | DbgPrint("Driver unloaded.");
46 | }
47 |
--------------------------------------------------------------------------------
/protection/driver.h:
--------------------------------------------------------------------------------
1 | #include <ntddk.h> //Kernel-mode DDK header: declares the DbgPrint, Io*, Ob*, Ps* and Rtl* routines used below
2 | #include
3 |
4 | //Define major functions
5 | NTSTATUS Io_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp); //IRP_MJ_*
6 | NTSTATUS Create_DeviceIo(PDEVICE_OBJECT DeviceObject, PIRP Irp); //IRP_MJ_CREATE
7 | NTSTATUS Close_DeviceIo(PDEVICE_OBJECT DeviceObject, PIRP Irp); //IRP_MJ_CLOSE
8 | NTSTATUS Buffered_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp); //IRP_MJ_WRITE
9 |
10 | //Define buffer message handler function (for Buffered_Write)
11 | void handle_buffer_message(char *buffer, int len);
12 |
13 | //Define device-related functions
14 | void init_unicode_strings();
15 | int SetupIoDevice(PDRIVER_OBJECT DriverObject);
16 |
17 | //Define protection functions
18 | void disable_protection();
19 | int enable_protection(int pid);
20 |
--------------------------------------------------------------------------------
/protection/major_functions.c:
--------------------------------------------------------------------------------
1 | #include "driver.h"
2 |
3 | //Every dispatch routine must complete the IRP it was handed: returning without IoCompleteRequest() leaks the IRP and leaves the caller's I/O unfinished
4 | static NTSTATUS complete_irp(PIRP Irp, NTSTATUS status, ULONG_PTR information) {
5 | Irp->IoStatus.Status = status;
6 | Irp->IoStatus.Information = information; //Bytes transferred, reported back to WriteFile()/ReadFile()
7 | IoCompleteRequest(Irp, IO_NO_INCREMENT);
8 | return status;
9 | }
10 |
11 | NTSTATUS Io_Unsupported(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
12 | UNREFERENCED_PARAMETER(DeviceObject);
13 |
14 | DbgPrint("Io_Unsupported() called!");
15 | return complete_irp(Irp, STATUS_NOT_SUPPORTED, 0); //Report the request as unsupported instead of claiming success
16 | }
17 |
18 | NTSTATUS Create_DeviceIo(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
19 | UNREFERENCED_PARAMETER(DeviceObject);
20 |
21 | DbgPrint("Create_DeviceIo() called!");
22 | return complete_irp(Irp, STATUS_SUCCESS, 0);
23 | }
24 |
25 | NTSTATUS Close_DeviceIo(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
26 | UNREFERENCED_PARAMETER(DeviceObject);
27 |
28 | DbgPrint("Close_DeviceIo() called!");
29 | return complete_irp(Irp, STATUS_SUCCESS, 0);
30 | }
31 |
32 | NTSTATUS Buffered_Write(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
33 | UNREFERENCED_PARAMETER(DeviceObject);
34 | PIO_STACK_LOCATION pIoStack = NULL;
35 | char *Buffer = NULL;
36 | ULONG Length = 0;
37 |
38 | DbgPrint("Buffered_Write() called!");
39 |
40 | pIoStack = IoGetCurrentIrpStackLocation(Irp);
41 | if (pIoStack) { //Check for NULL pointer
42 | Length = pIoStack->Parameters.Write.Length;
43 | Buffer = (char*)(Irp->AssociatedIrp.SystemBuffer); //DO_BUFFERED_IO: the I/O manager's copy of the user buffer
44 |
45 | if (Buffer) { //Check for NULL pointer (SystemBuffer is NULL for a zero-length write)
46 | handle_buffer_message(Buffer, (int)Length);
47 | //The buffer is not NUL-terminated: bound the %s by the write length instead of reading past the copy
48 | DbgPrint("Message received: size: %u, msg: %.*s", Length, (int)Length, Buffer);
49 | }
50 | else {
51 | DbgPrint("Buffer is a NULL pointer!");
52 | }
53 | }
54 | else {
55 | DbgPrint("Invalid IRP stack pointer!");
56 | }
57 |
58 | return complete_irp(Irp, STATUS_SUCCESS, Length); //Report the bytes consumed so WriteFile() sees a full write
59 | }
60 |
--------------------------------------------------------------------------------
/protection/message_handler.c:
--------------------------------------------------------------------------------
1 | #include "driver.h"
2 |
3 | //Wire format expected from the user-mode loader: "d" (1 byte) disables protection; "e" followed by the 4-byte native-endian PID (5 bytes) enables it. Anything else is ignored.
4 | void handle_buffer_message(char *buffer, int len) {
5 | if (len == 1) {
6 | if (buffer[0] == 'd') { //'d' for disable protection
7 | disable_protection();
8 | }
9 | }
10 | else if (len == 5) {
11 | if (buffer[0] == 'e') { //'e' for enable protection
12 | int pid;
13 |
14 | memcpy(&pid, &buffer[1], 4); //Copy instead of casting: buffer[1] is not aligned for an int
15 | DbgPrint("Got it! Target pid: %i", pid);
16 | if (enable_protection(pid)) {
17 | DbgPrint("enable_protection() succeeded!");
18 | }
19 | else {
20 | DbgPrint("enable_protection() failed!");
21 | }
22 | }
23 | }
24 | else {
25 | DbgPrint("Unknown message (len %i) ignored", len);
26 | }
27 | }
--------------------------------------------------------------------------------
/protection/protection.c:
--------------------------------------------------------------------------------
1 | #include "driver.h"
2 |
3 | /*
4 | Referenced from https://www.evilsocket.net/2014/02/05/termination-and-injection-self-defense-on-windows/
5 | Thank you!
6 | */
7 |
8 | //Function prototypes --------------------------------------------
9 | void PostOperationCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation);
10 | OB_PREOP_CALLBACK_STATUS PreOperationCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation);
11 | //----------------------------------------------------------------
12 |
13 | //Global variables -----------------------------------------------
14 | void *CallbackRegistrationHandle = NULL;
15 | int ProtectedPid = 0;
16 | //----------------------------------------------------------------
17 |
18 | void disable_protection() {
19 | if (CallbackRegistrationHandle != NULL) {
20 | ObUnRegisterCallbacks(CallbackRegistrationHandle);
21 | CallbackRegistrationHandle = NULL;
22 | }
23 | ProtectedPid = 0;
24 | DbgPrint("disable_protection() called!");
25 | }
26 |
27 | /*
28 | Purpose: Register a handle creation callback function to enable process protection
29 | Args: pid: The process ID to protect
30 | Return: 0: Failed; 1: Succeed
31 | Notes: ObRegisterCallbacks() refuses drivers that are not linked with /INTEGRITYCHECK (set in protection.vcxproj).
32 | Only OB_OPERATION_HANDLE_CREATE is registered, so handles obtained through duplication are not filtered.
33 | */
34 | int enable_protection(int pid) {
35 | OB_OPERATION_REGISTRATION OperationRegistrations[1] = { { 0 } };
36 | OB_CALLBACK_REGISTRATION CallbackRegistration = { 0 };
37 | UNICODE_STRING ustrAltitude = { 0 };
38 | NTSTATUS status = STATUS_SUCCESS;
39 |
40 | if (pid <= 0) {
41 | DbgPrint("enable_protection() rejected invalid pid: %i", pid);
42 | return 0;
43 | }
44 | disable_protection(); //A second 'e' message must replace, not leak, the previous registration handle
45 | ProtectedPid = pid;
46 |
47 | OperationRegistrations[0].ObjectType = PsProcessType; //Set type to process
48 | OperationRegistrations[0].Operations = OB_OPERATION_HANDLE_CREATE; //Intercept all handle creation
49 | OperationRegistrations[0].PreOperation = PreOperationCallback;
50 | OperationRegistrations[0].PostOperation = PostOperationCallback;
51 |
52 | RtlInitUnicodeString(&ustrAltitude, L"1000"); //Load-order altitude; must be unique among registered callbacks
53 | CallbackRegistration.Version = OB_FLT_REGISTRATION_VERSION;
54 | CallbackRegistration.OperationRegistrationCount = 1;
55 | CallbackRegistration.Altitude = ustrAltitude;
56 | CallbackRegistration.RegistrationContext = (PVOID)&ProtectedPid; //Handed back to the callbacks as RegistrationContext
57 | CallbackRegistration.OperationRegistration = OperationRegistrations;
58 |
59 | status = ObRegisterCallbacks(&CallbackRegistration, &CallbackRegistrationHandle);
60 | if (NT_SUCCESS(status)) {
61 | DbgPrint("ObRegisterCallbacks() succeeded!");
62 | return 1;
63 | }
64 | else {
65 | DbgPrint("ObRegisterCallbacks() failed! status: 0x%08X", status);
66 | return 0;
67 | }
68 | }
69 |
70 | /*
71 | Purpose: Post-operation callback, called after a process handle has been created. Nothing to do here; all filtering happens in PreOperationCallback
72 | Args: RegistrationContext: Unused. Points to ProtectedPid
73 | OperationInformation: Unused. Information about the completed operation
74 | */
75 | void PostOperationCallback(PVOID RegistrationContext, POB_POST_OPERATION_INFORMATION OperationInformation) {
76 | //Do nothing here
77 | UNREFERENCED_PARAMETER(RegistrationContext);
78 | UNREFERENCED_PARAMETER(OperationInformation);
79 | }
80 |
81 | /*
82 | Purpose: Pre-operation callback, called before a process handle is created, while the requested access mask can still be changed
83 | Args: RegistrationContext: Pointer to ProtectedPid (set in enable_protection)
84 | OperationInformation: Describes the operation; Parameters->CreateHandleInformation.DesiredAccess is the mask being filtered
85 | Return: Must be OB_PREOP_SUCCESS
86 | */
87 | OB_PREOP_CALLBACK_STATUS PreOperationCallback(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION OperationInformation) {
88 | PEPROCESS TargetProcess = (PEPROCESS)OperationInformation->Object;
89 | PEPROCESS CurrentProcess = PsGetCurrentProcess(); //The process requesting the handle
90 | HANDLE TargetPid = PsGetProcessId(TargetProcess);
91 | HANDLE ProtectedPidHandle = (HANDLE)(ULONG_PTR)(*(int*)RegistrationContext); //PIDs are HANDLE-typed in kernel mode
92 |
93 | //Allow operations from the process itself
94 | if (CurrentProcess == TargetProcess) {
95 | return OB_PREOP_SUCCESS;
96 | }
97 |
98 | //Allow operations from the kernel
99 | if (OperationInformation->KernelHandle) {
100 | return OB_PREOP_SUCCESS;
101 | }
102 |
103 | //Ignore other processes
104 | if (TargetPid != ProtectedPidHandle) {
105 | return OB_PREOP_SUCCESS;
106 | }
107 | else {
108 | //Someone is trying to obtain a handle to the protected process
109 | //Zero the requested access: this strips every right from the handle being created (query rights included, not only terminate/inject), so any terminate or inject attempt through it is denied
110 | OperationInformation->Parameters->CreateHandleInformation.DesiredAccess = 0;
111 | DbgPrint("Hahahaha! Operation blocked! Don't even try to kill me!");
112 | }
113 |
114 | return OB_PREOP_SUCCESS;
115 | }
116 |
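PreOperationCallback above zeroes DesiredAccess, which also removes harmless query rights. As an added example that is not part of this repository, here is a default-deny filter in plain C that keeps only read-only rights and also covers the duplicate-handle path; the wiring into the callback described in its comments and the local copies of the Windows constants are assumptions:

```c
/*
 * Added example, not part of the repository: a default-deny version of the
 * filtering done in PreOperationCallback. It keeps a small read-only set
 * instead of zeroing DesiredAccess, so the protected process stays visible to
 * Task Manager-style tools, and it also covers the duplicate-handle path the
 * driver never registers. Constants come from winnt.h / ntddk.h (no WDK needed).
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_QUERY_INFORMATION         0x0400u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define READ_CONTROL                      0x00020000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS                0x001FFFFFu /* STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF */

#define OB_OPERATION_HANDLE_CREATE    0x00000001u
#define OB_OPERATION_HANDLE_DUPLICATE 0x00000002u

/* Rights a third party may keep on the protected process: enough to list it
 * and wait on it, not enough to stop, read, write or inject into it. */
static const ACCESS_MASK ALLOWED_THIRD_PARTY_RIGHTS =
    PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION |
    READ_CONTROL | SYNCHRONIZE;

/* Same decision order as the driver's PreOperationCallback: the target
 * process itself and kernel-mode callers are left alone, everyone else is
 * reduced to the allow-list. GENERIC_* and MAXIMUM_ALLOWED bits are outside
 * the list, so a request for them is cut down as well (fail closed). */
ACCESS_MASK filter_process_access(ACCESS_MASK desired, uint32_t operation,
                                  int requester_is_target, int kernel_handle)
{
    if (requester_is_target || kernel_handle)
        return desired;
    if (operation != OB_OPERATION_HANDLE_CREATE &&
        operation != OB_OPERATION_HANDLE_DUPLICATE)
        return desired;                      /* not an operation we filter */
    return desired & ALLOWED_THIRD_PARTY_RIGHTS;
}

/* Assumed wiring in the driver: replace "DesiredAccess = 0" with this result in
 * CreateHandleInformation (HANDLE_CREATE) or DuplicateHandleInformation
 * (HANDLE_DUPLICATE, which would also have to be OR-ed into .Operations). */
int main(void)
{
    ACCESS_MASK asked = PROCESS_ALL_ACCESS; /* what OpenProcess(PROCESS_ALL_ACCESS, ...) asks for */
    ACCESS_MASK kept = filter_process_access(asked, OB_OPERATION_HANDLE_CREATE, 0, 0);
    printf("requested 0x%08X, granted 0x%08X, PROCESS_TERMINATE %s\n", (unsigned)asked,
           (unsigned)kept, (kept & PROCESS_TERMINATE) ? "kept" : "stripped");
    return 0;
}
```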
--------------------------------------------------------------------------------
/protection/protection.inf:
--------------------------------------------------------------------------------
1 | ;
2 | ; protection.inf
3 | ;
4 |
5 | [Version]
6 | Signature="$WINDOWS NT$"
7 | Class=Sample ; TODO: edit Class
8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
9 | Provider=%ManufacturerName%
10 | CatalogFile=protection.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 |
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 |
16 | ; ================= Class section =====================
17 |
18 | [ClassInstall32]
19 | Addreg=SampleClassReg
20 |
21 | [SampleClassReg]
22 | HKR,,,0,%ClassName%
23 | HKR,,Icon,,-5
24 |
25 | [SourceDisksNames]
26 | 1 = %DiskName%,,,""
27 |
28 | [SourceDisksFiles]
29 | protection.sys = 1,,
30 |
31 | ;*****************************************
32 | ; Install Section
33 | ;*****************************************
34 |
35 | [Manufacturer]
36 | %ManufacturerName%=Standard,NT$ARCH$
37 |
38 | [Standard.NT$ARCH$]
39 | %protection.DeviceDesc%=protection_Device, Root\protection ; TODO: edit hw-id
40 |
41 | [protection_Device.NT]
42 | CopyFiles=Drivers_Dir
43 |
44 | [Drivers_Dir]
45 | protection.sys
46 |
47 | ;-------------- Service installation
48 | [protection_Device.NT.Services]
49 | AddService = protection,%SPSVCINST_ASSOCSERVICE%, protection_Service_Inst
50 |
51 | ; -------------- protection driver install sections
52 | [protection_Service_Inst]
53 | DisplayName = %protection.SVCDESC%
54 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER
55 | StartType = 3 ; SERVICE_DEMAND_START
56 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL
57 | ServiceBinary = %12%\protection.sys
58 | LoadOrderGroup = Extended Base
59 |
60 | ;
61 | ;--- protection_Device Coinstaller installation ------
62 | ;
63 |
64 | [DestinationDirs]
65 | protection_Device_CoInstaller_CopyFiles = 11
66 |
67 | [protection_Device.NT.CoInstallers]
68 | AddReg=protection_Device_CoInstaller_AddReg
69 | CopyFiles=protection_Device_CoInstaller_CopyFiles
70 |
71 | [protection_Device_CoInstaller_AddReg]
72 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
73 |
74 | [protection_Device_CoInstaller_CopyFiles]
75 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
76 |
77 | [SourceDisksFiles]
78 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
79 |
80 | [protection_Device.NT.Wdf]
81 | KmdfService = protection, protection_wdfsect
82 | [protection_wdfsect]
83 | KmdfLibraryVersion = $KMDFVERSION$
84 |
85 | [Strings]
86 | SPSVCINST_ASSOCSERVICE= 0x00000002
87 | ManufacturerName="" ; TODO: add ManufacturerName
88 | ClassName="Samples" ; TODO: edit ClassName
89 | DiskName = "protection Installation Disk"
90 | protection.DeviceDesc = "protection Device"
91 | protection.SVCDESC = "protection Service"
92 |
--------------------------------------------------------------------------------
/protection/protection.vcxproj:
--------------------------------------------------------------------------------
[XML markup lost in extraction. Recoverable settings: Visual Studio driver project named protection, GUIDs {FA7EC13B-E085-4691-82E8-F74B3E05A68F} and {497e31cb-056b-4f31-abb8-447fd55ee5a5}, target framework v4.5, minimum Visual Studio version 11.0; configurations Win7, Win8 and Win8.1 in Debug and Release for Win32 and x64, each with platform toolset WindowsKernelModeDriver8.1, configuration type Driver, driver type KMDF and DbgengKernelDebugger; WPP tracing settings referencing trace.h; linker AdditionalOptions "/INTEGRITYCHECK %(AdditionalOptions)", which ObRegisterCallbacks() requires of the calling driver.]
--------------------------------------------------------------------------------
/protection/protection.vcxproj.filters:
--------------------------------------------------------------------------------
[XML markup lost in extraction. Recoverable content: the standard Visual Studio filter groups Source Files {4FC737F1-C7A5-4376-A066-2A32D752A2FF} (cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx), Header Files {93995380-89BD-4b04-88EB-625FBE52EBFB} (h;hpp;hxx;hm;inl;inc;xsd), Resource Files {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} (rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms) and Driver Files {8E41214B-6785-4CFE-B992-037D68949A14} (inf;inv;inx;mof;mc), with one file under Driver Files, one under Header Files and five under Source Files.]
--------------------------------------------------------------------------------
/protection/protection.vcxproj.user:
--------------------------------------------------------------------------------
[XML markup lost in extraction. Recoverable content: driver signing mode TestSign with test certificate CN="WDKTestCert 12574,132236232621169406" | 1F2B11D6CF700663EC1B0F8FB6D8594D4111F227.]
--------------------------------------------------------------------------------