#include <ntddk.h>
/* Target of the inline hook: a hard-coded virtual address assumed to be the
 * kernel's NtTerminateProcess. The literal is specific to one ntoskrnl build;
 * on any other build it points at unrelated code and StartHook's patch
 * corrupts it. Held as a ULONG, which (with the casts in StartHook/StopHook)
 * makes this file x86-32 only. */
ULONG g_NtTerminateProcess = 0x8058f695;
/* Copy of the first 5 bytes at g_NtTerminateProcess, filled by StartHook and
 * written back by StopHook. Zero until StartHook has run (static storage). */
UCHAR g_OrigCode[5];
/* 5-byte patch written over the function entry: 0xE9 (jmp rel32) followed by
 * a 32-bit displacement that StartHook stores at offset 1. */
UCHAR g_JmpHookCode[5] = {0xe9};
/*
 * WpOn - restore CR0.WP (supervisor write protection of read-only pages) and
 * re-enable maskable interrupts on the current processor. Pairs with WpOff.
 * x86-32 MSVC inline asm; clobbers eax and EFLAGS.
 * NOTE(review): `sti` is unconditional, so the interrupt state that existed
 * before WpOff's `cli` is not restored, only forced on. CR0 is per-processor;
 * this affects only the CPU the call runs on.
 */
VOID WpOn()
{
__asm
{
mov eax,cr0
or eax,10000h          ; set bit 16 = CR0.WP
mov cr0,eax
sti                    ; interrupts back on (unconditionally)
}
}
/*
 * WpOff - mask interrupts on the current processor and clear CR0.WP so that
 * subsequent kernel-mode stores to read-only (code) pages succeed.
 * Pairs with WpOn. x86-32 MSVC inline asm; clobbers eax and EFLAGS.
 * NOTE(review): interrupts stay masked until WpOn's `sti`; the kernel
 * routines called in between (KeRaiseIrqlToDpcLevel / KeLowerIrql in
 * StartHook and StopHook) therefore run with interrupts off rather than at a
 * managed IRQL — verify that is intended. Only this CPU is affected.
 */
VOID WpOff()
{
__asm
{
cli                    ; interrupts off on this CPU
mov eax,cr0
and eax,not 10000h     ; clear bit 16 = CR0.WP
mov cr0,eax
}
}
/*
 * MyNtTerminateProcess - decision callback invoked by the detour stub with the
 * original (ProcessHandle, ExitStatus) arguments. Returns 1 unconditionally,
 * which the stub treats as "zero the handle and continue into the original";
 * both arguments are ignored. Declared NTAPI (stdcall) because the stub relies
 * on the callee removing its two pushed arguments.
 */
int NTAPI MyNtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
(void)ProcessHandle;   /* unused */
(void)ExitStatus;      /* unused */
return 1;
}
/*
 * HOOK_NtTerminateProcess - detour stub that the 5-byte jmp written by
 * StartHook lands on. It is naked because it must re-create the 5 prologue
 * bytes the jmp overwrote (assumed to be mov edi,edi / push ebp / mov ebp,esp,
 * the standard hot-patchable prologue; nothing in this file verifies that)
 * and then resume the original at g_NtTerminateProcess+5 with esp/ebp exactly
 * as the original expects. After the re-created prologue, ProcessHandle is at
 * [ebp+8] and ExitStatus at [ebp+0xc].
 *
 * Flow: call MyNtTerminateProcess(ProcessHandle, ExitStatus). NTAPI is
 * stdcall, so the callee removes the two pushed arguments and esp is back at
 * ebp afterwards. MyNtTerminateProcess always returns 1, so `jz end` is
 * always taken: the stub stores 0 over the caller's ProcessHandle slot and
 * continues into the original. The pass-through path at the first
 * `mov eax,g_NtTerminateProcess` is unreachable as written.
 *
 * NOTE(review): NtTerminateProcess treats a NULL process handle as the
 * calling process, so with this hook every caller system-wide would
 * terminate itself instead of its target — confirm against the target kernel.
 * NOTE(review): `mov [ebp+8],0` carries no operand size; MSVC's inline
 * assembler may reject it as ambiguous — `mov dword ptr [ebp+8],0` is the
 * explicit form.
 * Clobbers eax before entering the original at +5 (presumably harmless at a
 * function entry — assumption).
 * Detection note: in memory this appears as a jmp at the entry of an exported
 * kernel routine whose target lies outside the kernel image; comparing the
 * in-memory prologue against the on-disk image exposes it.
 */
__declspec(naked) NTSTATUS NTAPI HOOK_NtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
__asm
{
mov edi,edi            ; re-created prologue (2-byte no-op)
push ebp               ; re-created prologue
mov ebp,esp            ; re-created prologue; args at [ebp+8], [ebp+0xc]
push [ebp+0xc]         ; ExitStatus
push [ebp+0x8]         ; ProcessHandle
call MyNtTerminateProcess   ; stdcall: callee pops both arguments
cmp eax,1
jz end                 ; always taken: MyNtTerminateProcess returns 1
mov eax,g_NtTerminateProcess   ; (unreachable) resume original past the patch
add eax,5
jmp eax
end:
mov [ebp+8],0          ; ProcessHandle := 0 in the caller's argument slot
mov eax,g_NtTerminateProcess   ; value of the global, not its address
add eax,5              ; skip the 5 patched bytes
jmp eax                ; continue in the original NtTerminateProcess
}
}
/*
 * StartHook - install the inline hook: save the first 5 bytes at the
 * hard-coded g_NtTerminateProcess, then overwrite them with
 * jmp HOOK_NtTerminateProcess.
 * Sequence: WpOff (cli + clear CR0.WP) -> raise IRQL to DPC -> 5-byte copy
 * -> lower IRQL -> WpOn (set CR0.WP + sti). The rel32 displacement is
 * computed relative to the end of the 5-byte jmp, hence the "- 5".
 * NOTE(review): nothing checks that the address is valid for the running
 * kernel build or that it holds the prologue the stub re-creates; on any
 * other build this silently corrupts unrelated kernel code.
 * NOTE(review): the 5-byte store is an ordinary RtlCopyMemory, not atomic,
 * and only the current processor has interrupts masked and WP cleared; a
 * processor executing NtTerminateProcess at the same moment can observe a
 * torn instruction (system instability). The pointer<->ULONG casts make this
 * x86-32 only.
 */
VOID StartHook()
{
KIRQL OldIrql;
RtlCopyMemory((PUCHAR)g_OrigCode, (PUCHAR)g_NtTerminateProcess, 5);   /* keep original bytes for StopHook */
*(PULONG)((PUCHAR)g_JmpHookCode + 1) = (ULONG)HOOK_NtTerminateProcess - (ULONG)g_NtTerminateProcess - 5;   /* rel32 after the 0xE9 opcode */
WpOff();
OldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory((PUCHAR)g_NtTerminateProcess, g_JmpHookCode, 5);   /* write the jmp over the function entry */
KeLowerIrql(OldIrql);
WpOn();
}
/*
 * StopHook - write the 5 saved bytes back over g_NtTerminateProcess using the
 * same WpOff / raise-IRQL / copy / lower-IRQL / WpOn sequence as StartHook.
 * NOTE(review): assumes StartHook ran first; otherwise g_OrigCode is still
 * zero and five zero bytes are written over the function entry.
 * NOTE(review): no synchronization with threads that may currently be
 * executing inside HOOK_NtTerminateProcess, and the same non-atomic,
 * single-processor caveats as StartHook apply.
 */
VOID StopHook()
{
KIRQL OldIrql;
WpOff();
OldIrql = KeRaiseIrqlToDpcLevel();
RtlCopyMemory((PUCHAR)g_NtTerminateProcess, (PUCHAR)g_OrigCode, 5);   /* restore original entry bytes */
KeLowerIrql(OldIrql);
WpOn();
}
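/*
 * DriverUnload - driver unload callback; removes the inline hook.
 * DriverObject is not used.
 * NOTE(review): the driver image is released right after this returns, while
 * a thread could still be executing in the HOOK_NtTerminateProcess stub
 * (StopHook does not wait for that); confirm unload is safe on the target.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
(void)DriverObject;    /* unused; avoids an unreferenced-parameter warning */
StopHook();
}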
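/*
 * DriverEntry - creates no device object and no dispatch routines; the
 * driver's sole effect is installing the NtTerminateProcess inline hook at
 * load time and removing it on unload. RegistryPath is not used.
 * Returns STATUS_SUCCESS unconditionally: StartHook returns VOID and cannot
 * report that the hard-coded address was wrong or that the patch failed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
(void)RegistryPath;    /* unused; avoids an unreferenced-parameter warning */
DriverObject->DriverUnload = DriverUnload;
StartHook();
return STATUS_SUCCESS;
}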