
Process Operations

Ido Veltzman edited this page Jan 14, 2024 · 7 revisions

Process Protection

Protecting processes from being killed or dumped using a PsProcessType ObCallback that runs every time a handle to a process is requested. This feature is not enabled when the driver is loaded reflectively.

Function Signature

OB_PREOP_CALLBACK_STATUS OnPreOpenProcess(PVOID RegistrationContext, POB_PRE_OPERATION_INFORMATION Info)

RegistrationContext [PVOID]                         -- Unused.
Info                [POB_PRE_OPERATION_INFORMATION] -- Contains important information such as the process name, a handle to the process, the process type, etc.

Usage Example

# Protect process
NidhoggClient.exe process add <PID>

# Unprotect process
NidhoggClient.exe process remove <PID>

How It Works

The function begins by checking if the operation is a kernel handle operation. If it is, it returns OB_PREOP_SUCCESS.

Next, it checks if there are any protected processes. If there are none, it returns OB_PREOP_SUCCESS.

The function then gets the process ID of the process object in the Info structure.

It checks if the process ID is in the list of protected processes. If it is, it removes the following permissions from the process:

  • PROCESS_VM_OPERATION: The ability to perform virtual memory operations.
  • PROCESS_VM_READ: The ability to read from the process's virtual memory.
  • PROCESS_CREATE_THREAD: The ability to create a new thread in the process.
  • PROCESS_DUP_HANDLE: The ability to duplicate the process's handles.
  • PROCESS_TERMINATE: The ability to terminate the process.

Finally, it returns OB_PREOP_SUCCESS.
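The flow above is the same pattern anti-malware drivers use to protect their own user-mode components, so it is worth seeing exactly what a caller is left with. The following is an added, user-mode model of the callback's decision logic, not Nidhogg's driver code: the access-right and callback constants are the documented Windows SDK values, while PreOpInfo, ProtectedPids, on_pre_open_process and effective_access are simplified stand-ins (assumptions) for OB_PRE_OPERATION_INFORMATION, the driver's protected-PID list and the real callback. It handles both the handle-create and handle-duplicate paths, since the real structure carries the desired access in a different member for each.

```c
/* User-mode model of an OB_PRE_OPERATION_CALLBACK that narrows process rights.
 * Added example; constants are the documented Windows values, the structures
 * are simplified stand-ins for the kernel ones (assumption). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Process access rights (values from the Windows SDK). */
#define PROCESS_TERMINATE     0x0001u
#define PROCESS_CREATE_THREAD 0x0002u
#define PROCESS_VM_OPERATION  0x0008u
#define PROCESS_VM_READ       0x0010u
#define PROCESS_DUP_HANDLE    0x0040u
#define PROCESS_ALL_ACCESS    0x1FFFFFu   /* Vista and later */

/* Object-callback constants (values from ntddk.h). */
#define OB_OPERATION_HANDLE_CREATE    0x1u
#define OB_OPERATION_HANDLE_DUPLICATE 0x2u
#define OB_PREOP_SUCCESS              0

/* The rights the page says the callback removes for a protected process. */
#define PROTECTED_STRIP_MASK (PROCESS_VM_OPERATION | PROCESS_VM_READ | \
                              PROCESS_CREATE_THREAD | PROCESS_DUP_HANDLE | \
                              PROCESS_TERMINATE)

/* Stand-in for OB_PRE_OPERATION_INFORMATION (assumption). The real structure
 * carries an Object pointer; here we carry the PID it would resolve to. */
typedef struct {
    uint32_t operation;                 /* OB_OPERATION_HANDLE_CREATE / _DUPLICATE */
    bool     kernel_handle;             /* KernelHandle flag: request from kernel mode */
    uint32_t object_pid;                /* PID of the process the handle targets */
    uint32_t create_desired_access;     /* Parameters->CreateHandleInformation */
    uint32_t duplicate_desired_access;  /* Parameters->DuplicateHandleInformation */
} PreOpInfo;

/* Stand-in for the driver's protected-PID list (assumption). */
typedef struct {
    uint32_t pids[16];
    size_t   count;
} ProtectedPids;

static bool is_protected(const ProtectedPids *list, uint32_t pid) {
    for (size_t i = 0; i < list->count; i++)
        if (list->pids[i] == pid) return true;
    return false;
}

/* Mirrors the flow described on the page: kernel handles pass untouched, an
 * empty list passes, a protected PID gets its access mask narrowed in place.
 * The callback never fails the request; it only changes what is granted. */
int on_pre_open_process(const ProtectedPids *list, PreOpInfo *info) {
    if (info->kernel_handle) return OB_PREOP_SUCCESS;
    if (list->count == 0)    return OB_PREOP_SUCCESS;
    if (!is_protected(list, info->object_pid)) return OB_PREOP_SUCCESS;

    uint32_t *access = (info->operation == OB_OPERATION_HANDLE_DUPLICATE)
                         ? &info->duplicate_desired_access
                         : &info->create_desired_access;
    *access &= ~PROTECTED_STRIP_MASK;
    return OB_PREOP_SUCCESS;
}

/* Helper: the rights a handle-create request for `pid` would end up with. */
uint32_t effective_access(const ProtectedPids *list, uint32_t pid,
                          uint32_t requested, bool from_kernel) {
    PreOpInfo info = {OB_OPERATION_HANDLE_CREATE, from_kernel, pid, requested, 0};
    on_pre_open_process(list, &info);
    return info.create_desired_access;
}

int main(void) {
    ProtectedPids list = {{4242}, 1};   /* constructed sample: one protected PID */
    printf("protected PID, user-mode request for PROCESS_ALL_ACCESS -> 0x%06X\n",
           effective_access(&list, 4242, PROCESS_ALL_ACCESS, false));
    printf("unprotected PID                                     -> 0x%06X\n",
           effective_access(&list, 1, PROCESS_ALL_ACCESS, false));
    printf("protected PID, kernel handle                        -> 0x%06X\n",
           effective_access(&list, 4242, PROCESS_ALL_ACCESS, true));
    return 0;
}
```

Two points the model makes visible: a user-mode PROCESS_ALL_ACCESS request against a protected PID comes back as 0x1FFFA4, which still includes PROCESS_QUERY_INFORMATION and SYNCHRONIZE, so the process remains enumerable and observable even though it cannot be terminated, read or injected into; and the kernel-handle bypass means kernel-mode components are unaffected. Registration itself goes through ObRegisterCallbacks, which only accepts callback addresses inside a properly loaded driver image, which is why the page notes the feature is unavailable when the driver is loaded reflectively.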

Process Hiding

Hiding processes by removing the entry from the process links list. This operation is not PatchGuard safe.

Function Signature

NTSTATUS ProcessUtils::HideProcess(ULONG pid)

pid [ULONG] -- PID to hide.

Usage Example

# Hiding process
NidhoggClient.exe process hide <PID>

# Unhiding process
NidhoggClient.exe process unhide <PID>

How It Works

The function begins by getting the offsets of the ActiveProcessLinks and ProcessLock fields in the EPROCESS structure. If either of these operations fails, it returns STATUS_UNSUCCESSFUL.

Next, it looks up the process by the provided PID. If this operation fails, it returns the status of the operation.

The function then gets the list entry of the process in the process list and the lock of the process list.

It acquires the process list lock to avoid concurrent access problems.

The function then adds the process to the list of hidden processes. If this operation fails, it releases the process list lock, dereferences the process object, and returns STATUS_UNSUCCESSFUL.

The function then removes the process from the process list, releases the process list lock, and dereferences the process object.

Finally, it returns the status of the operation: STATUS_SUCCESS means the process was hidden, and STATUS_UNSUCCESSFUL means it was not.


Process Elevation

Elevating process by changing the token to SYSTEM token.

Function Signature

NTSTATUS ProcessUtils::ElevateProcess(ULONG pid)

pid [ULONG] -- PID to elevate.

Usage Example

NidhoggClient.exe process elevate <PID>

How It Works

The function begins by looking up the target process by the provided PID and looking up the SYSTEM process. It also gets the offset of the token field in the EPROCESS structure.

If any of these operations fails, it returns the status of the operation.

The function then replaces the token of the target process with the token of the SYSTEM process. This effectively gives the target process the same privileges as the SYSTEM process.

Finally, it dereferences the SYSTEM process and the target process and returns the status of the operation: STATUS_SUCCESS means the process was elevated, and any other status means it was not.
