hook 物件型別的回撥函式（OpenProcedure）以攔截開啟程序 — 保護記事本不被開啟 (hooks the Process object type's open callback to intercept process opens, so that notepad cannot be opened)
#include"ntifs.h"
/* Saved original OpenProcedure of the Process object type, captured by
 * setprocesscallback() and written back by resprocesscallback(). Static storage,
 * so it is 0 until the hook is installed; it may also legitimately stay 0 if the
 * type had no OpenProcedure. Held as ULONG because this driver is 32-bit only and
 * casts every pointer through ULONG. */
ULONG yuanshi_OpenProcedure;
/*
 * Why the object manager is invoking an OpenProcedure. Mirrors the kernel's
 * private OB_OPEN_REASON; the kernel passes these positionally, so the values
 * are spelled out to make the required ordering explicit.
 */
typedef enum _OB_OPEN_REASON {
    ObCreateHandle    = 0,
    ObOpenHandle      = 1,
    ObDuplicateHandle = 2,
    ObInheritHandle   = 3,
    ObMaxOpenReason   = 4
} OB_OPEN_REASON;
/*
 * Prototype of OBJECT_TYPE.TypeInfo.OpenProcedure as this driver expects it.
 *
 * NOTE(review): this is a private kernel signature and it differs between
 * kernel builds. The leading ULONG "Unknown" slot is not explained here; if
 * the target build does not have it, every later argument is shifted and the
 * hook reads garbage. Confirm the layout against the exact build before use.
 */
typedef NTSTATUS(*OB_OPEN_METHOD)(
IN ULONG Unknown,               /* undocumented leading argument — see note above */
IN OB_OPEN_REASON OpenReason,   /* why the handle is being created */
IN PEPROCESS Process OPTIONAL,  /* opening process; OPTIONAL, so may be NULL */
IN PVOID Object,                /* the object body being opened (an EPROCESS here) */
IN ACCESS_MASK GrantedAccess,
IN ULONG HandleCount
);
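/* Offset of EPROCESS.ImageFileName on the 32-bit kernel build this driver
 * targets. Build-specific: on any other build this reads an unrelated field. */
#define EPROCESS_IMAGEFILENAME_OFFSET 0x16c

/* Image file name stored in an EPROCESS at the fixed offset above.
 * Assumes the field is NUL-terminated inside the EPROCESS — TODO confirm for
 * the target build, since strstr() below reads until a NUL. */
static const char *process_image_name(PVOID process)
{
    return (const char *)process + EPROCESS_IMAGEFILENAME_OFFSET;
}

/* Non-zero when image_name names a process this driver shields.
 * Same test as the original: case-sensitive substring match, so "notepad.exe"
 * also matches e.g. "xnotepad.exe", while a renamed copy of the binary is not
 * matched at all. The protection is name-based and therefore easily bypassed. */
static int is_protected_image(const char *image_name)
{
    return strstr(image_name, "VistaLKD.exe") != NULL ||
           strstr(image_name, "notepad.exe") != NULL;
}

/*
 * Replacement OpenProcedure for the Process object type, installed into
 * OBJECT_TYPE by setprocesscallback().
 *
 * Logs the opener and the target, vetoes the open with STATUS_UNSUCCESSFUL when
 * the target's image name matches a protected name, and otherwise chains to the
 * saved original procedure in yuanshi_OpenProcedure.
 *
 * Fixes relative to the first version:
 *  - Process is OPTIONAL; the old code formed Process + 0x16c unconditionally and
 *    dereferenced a near-NULL address when no opener was supplied.
 *  - yuanshi_OpenProcedure may be 0 (type had no OpenProcedure); the old code
 *    called through it unconditionally.
 *  - The first argument is forwarded as received instead of being replaced by 0.
 *
 * NOTE(review): every OpenReason is vetoed, including ObCreateHandle and
 * ObInheritHandle, not only ObOpenHandle — confirm that is intended.
 * STATUS_ACCESS_DENIED would describe the veto better than STATUS_UNSUCCESSFUL;
 * the value is kept to preserve what callers currently observe.
 */
NTSTATUS openprocesscallback(
IN ULONG Unknown,
IN OB_OPEN_REASON OpenReason,
IN PEPROCESS Process OPTIONAL,
IN PVOID Object,
IN ACCESS_MASK GrantedAccess,
IN ULONG HandleCount
)
{
    const char *target_name = process_image_name(Object);

    if (Process != NULL) {
        KdPrint(("源程序%s", process_image_name(Process)));
    }
    KdPrint(("目標程序%s", target_name));

    if (is_protected_image(target_name)) {
        return STATUS_UNSUCCESSFUL;
    }

    /* An empty saved slot means the type had no OpenProcedure; the object manager
     * is expected to skip a NULL procedure, i.e. "no veto", so succeed rather than
     * call through a NULL pointer. */
    if (yuanshi_OpenProcedure == 0) {
        return STATUS_SUCCESS;
    }
    return ((OB_OPEN_METHOD)yuanshi_OpenProcedure)(Unknown, OpenReason, Process, Object, GrantedAccess, HandleCount);
}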
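/* Offset of TypeInfo.OpenProcedure inside OBJECT_TYPE on the 32-bit kernel build
 * this driver targets. Build-specific, like the EPROCESS offset used by the hook. */
#define OBJECT_TYPE_OPENPROCEDURE_OFFSET 0x5c

/*
 * Install openprocesscallback as the OpenProcedure of the Process object type.
 *
 * Saves the current slot contents in yuanshi_OpenProcedure (which may be 0 if
 * the type had no OpenProcedure) and overwrites the slot with our hook.
 *
 * Idempotent: if the slot already holds our hook, nothing is done. The first
 * version would have saved the hook itself as the "original" on a second call,
 * making the callback chain into itself.
 *
 * NOTE(review): overwriting a field of OBJECT_TYPE is an unsupported
 * kernel-structure patch tied to one build and one architecture (every pointer
 * is cast through ULONG). ObRegisterCallbacks (Vista SP1+) is the supported way
 * to veto process handle opens.
 */
void setprocesscallback()
{
    ULONG *slot = (ULONG *)((ULONG)(*(POBJECT_TYPE *)PsProcessType) + OBJECT_TYPE_OPENPROCEDURE_OFFSET);

    if (*slot == (ULONG)openprocesscallback) {
        return;
    }
    yuanshi_OpenProcedure = *slot;
    *slot = (ULONG)openprocesscallback;
}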
/*
 * Write the saved OpenProcedure (captured by setprocesscallback, possibly 0)
 * back into the Process object type, removing our hook.
 *
 * NOTE(review): the slot is restored blindly and nothing waits for callbacks
 * already executing; a thread still inside openprocesscallback when the driver
 * image is unmapped will fault. Nothing checks whether another component hooked
 * the same slot after us either. 0x5c is the OBJECT_TYPE OpenProcedure offset
 * for the targeted 32-bit build only.
 */
void resprocesscallback()
{
    ULONG *slot = (ULONG *)((ULONG)(*(POBJECT_TYPE *)PsProcessType) + 0x5c);

    *slot = yuanshi_OpenProcedure;
}
/*
 * DriverUnload routine: remove the OpenProcedure hook, then log the unload.
 * The driver object is not needed for the unhook. No quiesce of in-flight
 * callbacks happens here — see resprocesscallback.
 */
VOID xiezai1(PDRIVER_OBJECT qudongduixiang)
{
    UNREFERENCED_PARAMETER(qudongduixiang);

    resprocesscallback();
    KdPrint(("驅動解除安裝"));
}
/*
 * Driver entry point: register the unload routine and install the Process type
 * OpenProcedure hook. The registry path is unused. Always succeeds; the hook
 * install reports no failure.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT qudongduixiang, PUNICODE_STRING zhucebiao)
{
    UNREFERENCED_PARAMETER(zhucebiao);

    KdPrint(("驅動開始"));
    qudongduixiang->DriverUnload = xiezai1;
    setprocesscallback();
    return STATUS_SUCCESS;
}