├── README.md ├── clean ├── makefile ├── objfre_win7_ia64 │ └── ia64 │ │ └── _objects.mac └── sources ├── dirs ├── inc ├── anarchy.h └── ioctls.h ├── main.c └── sources.inc /README.md: -------------------------------------------------------------------------------- 1 | # protect-process 2 | Protect process fsfilter driver. Windows x64 3 | 4 | 5 | Uses an fsfilter (minifilter) driver to intercept the IRPs aimed at your process and deny access. 6 | 7 | # os 8 | 9 | windows 7, 8.1, 10 x64 10 | 11 | # compile 12 | 13 | use winddk 7.1.0 14 | and type 'build' 15 | 16 | compatible with WDK 8.1/10 17 | 18 | 19 | # example 20 | 21 | 22 | ``` 23 | 24 | if (wcsstr(nameInfo->Name.Buffer, L"your_file.exe") != NULL) 25 | { 26 | Data->IoStatus.Status = STATUS_NO_SUCH_FILE; 27 | Data->IoStatus.Information = 0; 28 | return FLT_PREOP_COMPLETE; 29 | } 30 | 31 | ``` 32 | 33 | # contact 34 | 0xdr@protonmail.ch 35 | > Dr. R 36 | 37 | -------------------------------------------------------------------------------- /clean/makefile: -------------------------------------------------------------------------------- 1 | !INCLUDE $(NTMAKEENV)\makefile.def -------------------------------------------------------------------------------- /clean/objfre_win7_ia64/ia64/_objects.mac: -------------------------------------------------------------------------------- 1 | 2 | 3 | IA64_OBJECTS=\ 4 | $(OBJ_PATH)\$O\main.obj \ 5 | 6 | 7 | 8 | 9 | 10 | # lowercased 11 | BASEDIR=c:\winddk\7600.16385.1 12 | OBJECT_ROOT=c:\winddk\7600.16385.1 13 | MAKEDIR_LOWERCASE=c:\project\protect_process\clean 14 | OBJ_PATH=c:\project\protect_process\clean 15 | CONCURRENT_MIDL=0 16 | CONCURRENT_MANIFEST_BUILD=0 17 | -------------------------------------------------------------------------------- /clean/sources: -------------------------------------------------------------------------------- 1 | !IF 0 2 | 3 | This builds a clean version of KProcessHacker suitable for driver signing. 
4 | 5 | !ENDIF 6 | 7 | !include ..\sources.inc -------------------------------------------------------------------------------- /dirs: -------------------------------------------------------------------------------- 1 | DIRS=clean -------------------------------------------------------------------------------- /inc/anarchy.h: -------------------------------------------------------------------------------- 1 | #ifndef __ANARCHY__ 2 | #define __ANARCHY__ 3 | 4 | NTSTATUS InstanceSetup(PCFLT_RELATED_OBJECTS FltObjects, FLT_INSTANCE_SETUP_FLAGS Flags, DEVICE_TYPE VolumeDeviceType, FLT_FILESYSTEM_TYPE VolumeFilesystemType); 5 | 6 | NTSTATUS FltUnload(FLT_FILTER_UNLOAD_FLAGS Flags); 7 | 8 | NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath); 9 | VOID DrvUnload(IN PDRIVER_OBJECT DriverObject); 10 | NTSTATUS DeviceControlFunction(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); 11 | NTSTATUS CreateFunction(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); 12 | NTSTATUS CloseFunction(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp); 13 | 14 | FLT_PREOP_CALLBACK_STATUS PRE_MJ_CREATE(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext); 15 | FLT_PREOP_CALLBACK_STATUS PRE_MJ_DEVICE_CONTROL(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext); 16 | FLT_PREOP_CALLBACK_STATUS PRE_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext); 17 | 18 | 19 | #endif -------------------------------------------------------------------------------- /inc/ioctls.h: -------------------------------------------------------------------------------- 1 | #ifndef __IOCTLS__ 2 | #define __IOCTLS__ 3 | 4 | #define SIOCTL_TYPE 40000 5 | #define IOCTL_HELLO\ 6 | CTL_CODE( SIOCTL_TYPE, 0x800, METHOD_BUFFERED, FILE_READ_DATA|FILE_WRITE_DATA) 7 | 8 | #define KR_CTL_CODE(x) CTL_CODE(SIOCTL_TYPE, 0x800 + x, METHOD_BUFFERED, FILE_READ_DATA|FILE_WRITE_DATA) 9 | 10 
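typedef enum _IO_CONTROL{
    SAY_HELLO,
    CRASH_SYSTEM,
    KILL_PROCESS,
    CRASH_PROCESS,
    MAKE_ME_ADMIN,
    HIDE_ME,
    TROLL_TIME // SOME FUN
}IO_CONTROL;

#endif
--------------------------------------------------------------------------------
/main.c:
--------------------------------------------------------------------------------
/*
 * main.c - file-system minifilter that denies IRP_MJ_CREATE requests whose
 * normalized path contains a configured executable name.
 *
 * NOTE(review): the original include list was lost in extraction (five bare
 * `#include` lines). fltKernel.h supplies the Flt*/IRP_MJ_* declarations used
 * below; the two project headers are found via the INCLUDES path in sources.inc.
 */
#include <fltKernel.h>
#include "anarchy.h"
#include "ioctls.h"

#define NT_DEVICE_NAME  L"\\Device\\ProtectProcess"
#define DOS_DEVICE_NAME L"\\DosDevices\\ProtectProcess"

/*
 * Name that must not be openable. Matched as a case-insensitive substring of
 * the normalized path (the original wcsstr match was case-sensitive while the
 * file system's own name lookup is not, so a differently-cased path for the
 * same file was let through).
 */
#define PROTECTED_IMAGE_NAME L"your_file.exe"

/* Handle returned by FltRegisterFilter; released in FltUnload. */
PFLT_FILTER FilterHandle = NULL;

/*
 * Pre-operation callbacks. Only IRP_MJ_CREATE does any work; the other two
 * pre-callbacks pass the request through unchanged (see below), and IRP_MJ_CLOSE
 * registers no callback at all.
 */
FLT_OPERATION_REGISTRATION Callbacks[] =
{
    { IRP_MJ_CREATE,
      0,
      PRE_MJ_CREATE,
      NULL },
    { IRP_MJ_CLOSE,
      0,
      NULL,
      NULL },
    { IRP_MJ_DEVICE_CONTROL,
      0,
      PRE_MJ_DEVICE_CONTROL,
      NULL },
    {
      IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION,
      0,
      PRE_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION,
      NULL
    },
    { IRP_MJ_OPERATION_END }
};

FLT_REGISTRATION FilterRegistration =
{
    sizeof(FLT_REGISTRATION),   /* Size */
    FLT_REGISTRATION_VERSION,   /* Version */
    0,                          /* Flags */
    NULL,                       /* ContextRegistration */
    Callbacks,                  /* OperationRegistration */
    FltUnload,                  /* FilterUnloadCallback */
    InstanceSetup,              /* InstanceSetupCallback */
    NULL,                       /* InstanceQueryTeardownCallback - NOTE(review):
                                   with this NULL, instances presumably cannot be
                                   detached manually; confirm that is intended */
    NULL,                       /* InstanceTeardownStartCallback */
    NULL,                       /* InstanceTeardownCompleteCallback */
    NULL,                       /* GenerateFileNameCallback */
    NULL,                       /* NormalizeNameComponentCallback */
    NULL                        /* NormalizeContextCleanupCallback */
};

/*
 * Attach to every volume the filter manager offers; no per-volume filtering
 * of device or file-system type is performed.
 */
NTSTATUS InstanceSetup(__in PCFLT_RELATED_OBJECTS FltObjects, __in FLT_INSTANCE_SETUP_FLAGS Flags, __in DEVICE_TYPE VolumeDeviceType, __in FLT_FILESYSTEM_TYPE VolumeFilesystemType)
{
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(Flags);
    UNREFERENCED_PARAMETER(VolumeDeviceType);
    UNREFERENCED_PARAMETER(VolumeFilesystemType);

    return STATUS_SUCCESS;
}

/*
 * Filter-manager unload callback: always accepts the unload and releases the
 * filter registration.
 */
NTSTATUS FltUnload(FLT_FILTER_UNLOAD_FLAGS Flags)
{
    UNREFERENCED_PARAMETER(Flags);

    FltUnregisterFilter(FilterHandle);
    FilterHandle = NULL;

    return STATUS_SUCCESS;
}

/*
 * Case-insensitive, length-bounded substring search over a UNICODE_STRING.
 *
 * Replaces wcsstr() on Name.Buffer: a UNICODE_STRING is not guaranteed to be
 * NUL-terminated, so wcsstr could read past Name.Length. Only the first
 * Name->Length bytes are examined here. An empty Needle never matches.
 */
static BOOLEAN NameContainsNoCase(PCUNICODE_STRING Name, PCUNICODE_STRING Needle)
{
    UNICODE_STRING window;
    USHORT offset;

    if (Needle->Length == 0 || Name->Length < Needle->Length)
    {
        return FALSE;
    }

    window.Length = Needle->Length;
    window.MaximumLength = Needle->Length;

    /* Lengths are in bytes; step one WCHAR at a time. */
    for (offset = 0; offset + Needle->Length <= Name->Length; offset += sizeof(WCHAR))
    {
        window.Buffer = (PWCH)((PUCHAR)Name->Buffer + offset);

        if (RtlCompareUnicodeString(&window, Needle, TRUE) == 0)
        {
            return TRUE;
        }
    }

    return FALSE;
}

/*
 * Pre-create callback. Resolves the normalized name of the file being opened
 * and fails the open with STATUS_NO_SUCH_FILE when it contains
 * PROTECTED_IMAGE_NAME; every other request passes through.
 *
 * The name-information reference is released on every path (the original
 * returned FLT_PREOP_COMPLETE without releasing it, leaking one reference per
 * denied open).
 */
FLT_PREOP_CALLBACK_STATUS PRE_MJ_CREATE(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    static const UNICODE_STRING protectedName = RTL_CONSTANT_STRING(PROTECTED_IMAGE_NAME);
    NTSTATUS status;
    PFLT_FILE_NAME_INFORMATION nameInfo = NULL;
    FLT_PREOP_CALLBACK_STATUS result = FLT_PREOP_SUCCESS_NO_CALLBACK;

    UNREFERENCED_PARAMETER(CompletionContext);

    status = FltGetFileNameInformation(Data, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);

    if (!NT_SUCCESS(status))
    {
        /* NOTE(review): in pre-create the file object has not been opened yet;
         * confirm this "Unsafe" fallback is valid at this point. If both
         * lookups fail the open is simply allowed through (fail-open). */
        status = FltGetFileNameInformationUnsafe(FltObjects->FileObject, FltObjects->Instance, FLT_FILE_NAME_NORMALIZED | FLT_FILE_NAME_QUERY_DEFAULT, &nameInfo);
    }

    if (!NT_SUCCESS(status) || nameInfo == NULL)
    {
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    }

    if (NameContainsNoCase(&nameInfo->Name, &protectedName))
    {
        /* Deny: complete the create here so the file system never sees it. */
        Data->IoStatus.Status = STATUS_NO_SUCH_FILE;
        Data->IoStatus.Information = 0;
        result = FLT_PREOP_COMPLETE;
    }

    FltReleaseFileNameInformation(nameInfo);

    return result;
}

/*
 * Pre-device-control callback: pass-through. The IO_CONTROL codes declared in
 * ioctls.h are not dispatched anywhere in this file.
 */
FLT_PREOP_CALLBACK_STATUS PRE_MJ_DEVICE_CONTROL(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/* Pre-callback for section synchronization: pass-through. */
FLT_PREOP_CALLBACK_STATUS PRE_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION(PFLT_CALLBACK_DATA Data, PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    UNREFERENCED_PARAMETER(Data);
    UNREFERENCED_PARAMETER(FltObjects);
    UNREFERENCED_PARAMETER(CompletionContext);

    return FLT_PREOP_SUCCESS_NO_CALLBACK;
}

/*
 * Driver entry point: registers the minifilter and starts filtering.
 *
 * Returns the status of FltRegisterFilter / FltStartFiltering. On a
 * FltStartFiltering failure the registration is undone and FilterHandle is
 * cleared so no later unload path unregisters it a second time.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    NTSTATUS ntStatus;

    UNREFERENCED_PARAMETER(RegistryPath);

    ntStatus = FltRegisterFilter(DriverObject, &FilterRegistration, &FilterHandle);

    /* Checked-build aid only; the failure is still handled below. */
    ASSERT(NT_SUCCESS(ntStatus));

    if (NT_SUCCESS(ntStatus))
    {
        ntStatus = FltStartFiltering(FilterHandle);

        if (!NT_SUCCESS(ntStatus))
        {
            FltUnregisterFilter(FilterHandle);
            FilterHandle = NULL;
        }
    }

    return ntStatus;
}

/*
 * Legacy-style unload routine. It is declared in anarchy.h but nothing in this
 * file installs it as DriverObject->DriverUnload; minifilter unload goes through
 * FltUnload above. Kept for interface compatibility.
 */
VOID DrvUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    FltUnregisterFilter(FilterHandle);
    FilterHandle = NULL;
}
--------------------------------------------------------------------------------
/sources.inc:
--------------------------------------------------------------------------------
TARGETTYPE=DRIVER
DRIVERTYPE=FS

!IF !DEFINED(TARGETNAME)
TARGETNAME=protect_process
!ENDIF

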
!IF !DEFINED(TARGETPATH) 10 | TARGETPATH=..\bin 11 | !ENDIF 12 | 13 | TARGETLIBS = $(TARGETLIBS) \ 14 | $(IFSKIT_LIB_PATH)\fltMgr.lib 15 | 16 | INCLUDES=$(DDK_INC_PATH);..\inc 17 | 18 | SOURCES= \ 19 | ..\main.c 20 | 21 | --------------------------------------------------------------------------------