【求助】内核HOOK NtReadVirtualMemory 时获取不到进程名求解

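/*
 * Hook for NtReadVirtualMemory.
 *
 * When the calling process is calc.exe and it tries to read another
 * process named calc.exe or MDL.exe, the read is refused with
 * STATUS_ACCESS_DENIED. Every other call is forwarded unchanged to the
 * original system call through RealNtReadVirtualMemory.
 *
 * Parameters and return value mirror NtReadVirtualMemory; BaseAddress,
 * Buffer, NumberOfBytesToRead and NumberOfBytesReaded are passed through
 * untouched. GetProcessNameFromEProc() and RealNtReadVirtualMemory are
 * defined elsewhere in the driver; this code assumes the former returns a
 * NUL-terminated name or NULL.
 *
 * Fixes relative to the previous version of this hook:
 *  - The caller's name was looked up with GetProcessNameFromEProc(0), i.e. a
 *    NULL EPROCESS, which can never succeed; the caller of a system call is
 *    PsGetCurrentProcess().
 *  - ObDereferenceObject(pEProcess) ran *before* pEProcess was used, so the
 *    object could be freed while we were still reading it. The reference is
 *    now released only after the last use.
 *  - ObReferenceObjectByHandle was called with ObjectType == NULL and
 *    AccessMode == 0 (KernelMode). A user-supplied handle was therefore
 *    resolved without an access check and without confirming it is a
 *    process handle, so a handle to any other object type would have been
 *    treated as an EPROCESS. The call now requires *PsProcessType and uses
 *    the caller's previous mode.
 *  - A NULL or unresolvable handle returned 0 (STATUS_SUCCESS) without
 *    touching Buffer or NumberOfBytesReaded: a fake success with an
 *    uninitialized output buffer. Those cases are now forwarded to the real
 *    syscall, which reports the proper error.
 *  - strcmp() is no longer called on a possibly-NULL name.
 */
NTSTATUS __stdcall MyNtReadVirtualMemory(

IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
OUT PVOID Buffer,
IN ULONG NumberOfBytesToRead,
OUT PULONG NumberOfBytesReaded OPTIONAL
)
{
    NTSTATUS status;
    PEPROCESS pEProcess = NULL;
    char *callerName;
    char *targetName;

    /* The process issuing the system call is the current process. */
    callerName = GetProcessNameFromEProc(PsGetCurrentProcess());

    /* NOTE(review): as in the original, the filter is only applied when the
     * *caller* is calc.exe. If the intent is to protect calc.exe/MDL.exe from
     * other processes, this outer test is inverted -- confirm with the author. */
    if (callerName != NULL && strcmp("calc.exe", callerName) == 0 && ProcessHandle != NULL)
    {
        /* Ask only for the right the real syscall needs (PROCESS_VM_READ),
         * insist on a process object, and honour the caller's mode so a
         * user-mode handle is subject to the normal access check. */
        status = ObReferenceObjectByHandle(ProcessHandle,
                                           PROCESS_VM_READ,
                                           *PsProcessType,
                                           ExGetPreviousMode(),
                                           (PVOID *)&pEProcess,
                                           NULL);
        if (NT_SUCCESS(status))
        {
            BOOLEAN deny = FALSE;

            /* A process reading its own memory is always allowed. */
            if (PsGetCurrentProcessId() != PsGetProcessId(pEProcess))
            {
                targetName = GetProcessNameFromEProc(pEProcess);
                if (targetName != NULL &&
                    (strcmp("calc.exe", targetName) == 0 || strcmp("MDL.exe", targetName) == 0))
                {
                    deny = TRUE;
                }
            }

            /* Release the reference only after the last use of pEProcess. */
            ObDereferenceObject(pEProcess);

            if (deny)
            {
                return STATUS_ACCESS_DENIED;
            }
        }
        /* Reference failure (bad handle, wrong object type, insufficient
         * access): fall through and let the real syscall report the error. */
    }

    return (NTSTATUS)RealNtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer,
                                             NumberOfBytesToRead, NumberOfBytesReaded);
}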
