#include <ntddk.h>
/* Absolute address of NtTerminateProcess in the running kernel image.
   This is a hard-coded value for one specific 32-bit kernel build; nothing in
   this file resolves or validates it at runtime, so on any other build the
   5-byte patch below lands on unrelated code (NOTE(review): resolve the address
   dynamically, or at least verify the bytes at it, before patching). */
ULONG g_NtTerminateProcess = 0x8058f695;
/* Saved copy of the 5 original bytes at g_NtTerminateProcess, restored by StopHook. */
UCHAR g_OrigCode[5];
/* 5-byte "jmp rel32" patch: opcode E9 followed by a 32-bit displacement that
   StartHook fills in (remaining 4 bytes are zero-initialised here). */
UCHAR g_JmpHookCode[5] = {0xe9};
/* Re-enable kernel write protection: set CR0.WP (bit 16) and then re-enable
   interrupts with sti. Counterpart of WpOff(); call only from the same CPU
   that ran WpOff(). Note the sti is unconditional, so this assumes interrupts
   were enabled before the WpOff()/WpOn() pair. */
VOID WpOn()
{
    __asm
    {
        mov eax, cr0
        bts eax, 16        ; CR0.WP = 1 (same as or eax,10000h)
        mov cr0, eax
        sti
    }
}
/* Disable kernel write protection so read-only code pages can be patched:
   mask interrupts with cli (CR0 is per-CPU, so the caller must not migrate
   until WpOn()), then clear CR0.WP (bit 16). Always pair with WpOn(). */
VOID WpOff()
{
    __asm
    {
        cli
        mov eax, cr0
        btr eax, 16        ; CR0.WP = 0 (same as and eax,not 10000h)
        mov cr0, eax
    }
}
/* Filter consulted by HOOK_NtTerminateProcess for every NtTerminateProcess call.
   Returns 1 to tell the detour to alter the call (it then zeroes the caller's
   ProcessHandle argument), anything else to pass the call through unchanged.
   This implementation always returns 1, i.e. every call is altered; both
   parameters are ignored. */
int NTAPI MyNtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
    UNREFERENCED_PARAMETER(ProcessHandle);
    UNREFERENCED_PARAMETER(ExitStatus);
    return 1;
}
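/* Detour that the "jmp rel32" written by StartHook lands on.
   It replays the 5 prologue bytes that the jmp overwrote (mov edi,edi; push ebp;
   mov ebp,esp -- so the stack frame the original expects is in place), asks
   MyNtTerminateProcess whether the call should be altered, optionally overwrites
   the caller's ProcessHandle argument with 0, and then resumes the original
   function at g_NtTerminateProcess + 5.
   Naked: no compiler prologue/epilogue; stack layout is exactly the caller's
   ([ebp+8] = ProcessHandle, [ebp+0xc] = ExitStatus after the replayed prologue).
   Changes vs. the previous version: explicit dword ptr sizes on the memory
   operands, the two identical tail paths merged, and the label no longer named
   "end" (a MASM keyword). */
__declspec(naked) NTSTATUS NTAPI HOOK_NtTerminateProcess(IN HANDLE ProcessHandle, IN NTSTATUS ExitStatus)
{
    __asm
    {
        ; replay the patched-over prologue of NtTerminateProcess
        mov edi, edi
        push ebp
        mov ebp, esp

        ; MyNtTerminateProcess(ProcessHandle, ExitStatus) -- stdcall, callee pops both args
        push dword ptr [ebp+0xc]
        push dword ptr [ebp+0x8]
        call MyNtTerminateProcess
        cmp eax, 1
        jne resume_original

        ; filter returned 1: replace the caller's ProcessHandle with 0 before the real call runs
        mov dword ptr [ebp+0x8], 0

    resume_original:
        ; continue in the original function just past the 5 patched bytes
        mov eax, g_NtTerminateProcess
        add eax, 5
        jmp eax
    }
}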
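/* Install the inline hook: save the first 5 bytes of NtTerminateProcess, verify
   they are the prologue the detour replays, and overwrite them with a
   "jmp HOOK_NtTerminateProcess".
   The verification is what makes the patch safe: HOOK_NtTerminateProcess replays
   exactly "mov edi,edi; push ebp; mov ebp,esp" (8B FF 55 8B EC) and then jumps to
   +5, so if the hard-coded g_NtTerminateProcess points at anything else (other
   kernel build, already-patched function) installing would resume execution in
   the middle of an unknown instruction. In that case nothing is written;
   g_OrigCode still holds whatever was there, so a later StopHook is a no-op copy.
   The write itself is done at DISPATCH_LEVEL with CR0.WP cleared and interrupts
   masked, keeping the unprotected window to just the 5-byte copy. The copy is
   still not atomic with respect to other CPUs executing that prologue
   concurrently; this code does not address that. */
VOID StartHook()
{
    KIRQL OldIrql;
    static const UCHAR ExpectedPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

    RtlCopyMemory((PUCHAR)g_OrigCode, (PUCHAR)g_NtTerminateProcess, 5);
    if (RtlCompareMemory(g_OrigCode, ExpectedPrologue, 5) != 5)
    {
        /* Not the hot-patchable prologue the detour assumes: refuse to install. */
        return;
    }

    /* rel32 displacement for E9: target - (address of the patch + 5). */
    *(PULONG)((PUCHAR)g_JmpHookCode + 1) = (ULONG)HOOK_NtTerminateProcess - (ULONG)g_NtTerminateProcess - 5;

    OldIrql = KeRaiseIrqlToDpcLevel();
    WpOff();
    RtlCopyMemory((PUCHAR)g_NtTerminateProcess, g_JmpHookCode, 5);
    WpOn();
    KeLowerIrql(OldIrql);
}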
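/* Remove the inline hook by writing the 5 bytes saved in g_OrigCode back over
   the jmp at g_NtTerminateProcess.
   The IRQL is raised before write protection is disabled and lowered after it
   is restored, so the cli/CR0.WP-clear window contains only the 5-byte copy and
   the IRQL transitions run with interrupts enabled (the previous version did the
   KeRaiseIrql/KeLowerIrql calls inside the masked window). As in StartHook, the
   copy is not atomic with respect to other CPUs running NtTerminateProcess, and
   the detour itself may still be executing on another CPU when this returns. */
VOID StopHook()
{
    KIRQL OldIrql;

    OldIrql = KeRaiseIrqlToDpcLevel();
    WpOff();
    RtlCopyMemory((PUCHAR)g_NtTerminateProcess, (PUCHAR)g_OrigCode, 5);
    WpOn();
    KeLowerIrql(OldIrql);
}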
/* Driver unload routine: restore the original NtTerminateProcess bytes so the
   kernel is not left jumping into an unloaded image. DriverObject is unused. */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    StopHook();
}
/* Driver entry point: register the unload routine, install the
   NtTerminateProcess hook and report success. RegistryPath is unused.
   StartHook returns VOID, so no failure to install is reported here. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    DriverObject->DriverUnload = DriverUnload;
    StartHook();

    return STATUS_SUCCESS;
}