Blocking Access to Physical Memory
#include <ntddk.h>
#include <stdio.h>
NTSYSAPI NTSTATUS NTAPI ZwOpenSection(PHANDLE pHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes); /* kernel export; DriverEntry reads the service number out of the start of this stub */
/*
 * Layout of the kernel's service descriptor table as used by this driver.
 * Only ServiceTableBase is touched here: DriverEntry saves and replaces the
 * entry for ZwOpenSection and DriverUnload writes the saved value back.
 * Entries are unsigned int, i.e. 32-bit function addresses — this matches
 * the (unsigned int) casts below and is a 32-bit-only assumption.
 */
typedef struct
{
unsigned int *ServiceTableBase;          /* one entry per system service, indexed by service number */
unsigned int *ServiceCounterTableBase;   /* not used in this file */
unsigned int NumberOfServices;           /* not used in this file */
unsigned char *ParamTableBase;           /* not used in this file */
} sdt;
__declspec(dllimport) sdt KeServiceDescriptorTable;   /* exported by the kernel; its ServiceTableBase is patched by DriverEntry/DriverUnload */
typedef NTSTATUS (NTAPI *qtype)(PHANDLE,ACCESS_MASK,POBJECT_ATTRIBUTES);   /* pointer to a ZwOpenSection-shaped service routine */
qtype OldZwOpenSection;   /* original entry saved by DriverEntry; called by NewZwOpenSection, restored by DriverUnload */
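NTSTATUS NTAPI NewZwOpenSection(PHANDLE pHandle,ACCESS_MASK DesiredAccess,POBJECT_ATTRIBUTES ObjectAttributes)
{
/*
 * Replacement service routine for ZwOpenSection: refuses to open the
 * \Device\PhysicalMemory section and forwards every other request to the
 * original routine saved in OldZwOpenSection.
 *
 * NTAPI is stated explicitly so the definition matches the qtype typedef
 * and the entry it replaces in the service table.
 *
 * Returns STATUS_ACCESS_DENIED for the blocked name, otherwise whatever
 * the original ZwOpenSection returns.
 *
 * Attribute pointers are null-checked before use, and the name is compared
 * by its Length (in bytes) because a UNICODE_STRING Buffer is not required
 * to be NUL-terminated, so a plain _wcsicmp can read past the string.
 * NOTE(review): reached through the service table, ObjectAttributes may
 * originate from user mode and is not probed here — confirm whether the
 * original routine's own validation is sufficient before this check.
 */
static const wchar_t blocked[] = L"\\Device\\PhysicalMemory";
size_t want = (sizeof blocked / sizeof blocked[0]) - 1;   /* characters, without the terminator */
size_t have;
if (ObjectAttributes != NULL && ObjectAttributes->ObjectName != NULL && ObjectAttributes->ObjectName->Buffer != NULL)
{
have = ObjectAttributes->ObjectName->Length / sizeof(ObjectAttributes->ObjectName->Buffer[0]);
/* exact length first, then a case-insensitive compare bounded to that length */
if (have == want && _wcsnicmp(ObjectAttributes->ObjectName->Buffer, blocked, want) == 0)
{
DbgPrint("Blocking device/PhysicalMemory access");
return STATUS_ACCESS_DENIED;
}
}
return (OldZwOpenSection)(pHandle, DesiredAccess, ObjectAttributes);
}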
long no;   /* service number of ZwOpenSection; set by DriverEntry, reused by DriverUnload to restore the entry */
/*
 * Unload routine: writes the original ZwOpenSection entry saved by
 * DriverEntry back into the service table at index "no".
 *
 * The entry is restored unconditionally; there is no check that the slot
 * still holds NewZwOpenSection, so a hook installed later by another
 * component would be overwritten here.
 * NOTE(review): cli/sti only masks interrupts on the executing processor;
 * on a multiprocessor system other CPUs may be using the entry while it is
 * rewritten — confirm this is acceptable for the intended target.
 * DriverObject is not used.
 */
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
DbgPrint("Driver Unloading");
_asm cli
KeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)OldZwOpenSection;   /* 32-bit only: function address stored as unsigned int */
_asm sti
}
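NTSTATUS DriverEntry(PDRIVER_OBJECT driverObject, PUNICODE_STRING RegistryPath)
{
/*
 * Installs NewZwOpenSection in the system service table in place of
 * ZwOpenSection.
 *
 * The service number is read from the kernel's ZwOpenSection stub, whose
 * first instruction on 32-bit builds is "mov eax, <service number>"
 * (opcode 0xB8 followed by a 32-bit immediate), so the number sits at
 * offset 1. Both the opcode and the resulting index are validated before
 * the table is written: an unexpected layout would otherwise yield a
 * garbage index and an out-of-bounds write into the service table.
 *
 * Returns STATUS_SUCCESS once the hook is installed, STATUS_UNSUCCESSFUL
 * if the stub layout or the index is not as expected (nothing is changed
 * in that case). RegistryPath is not used.
 *
 * 32-bit only: service entries are unsigned int and a function pointer is
 * cast to that width.
 */
unsigned char *p;
DbgPrint("Vijay Driver");
p = (unsigned char *) ZwOpenSection;
if (p[0] != 0xB8)
{
DbgPrint("ZwOpenSection stub has unexpected layout, not hooking");
return STATUS_UNSUCCESSFUL;
}
no = *(long *)(p + 1);
if (no < 0 || (unsigned int)no >= KeServiceDescriptorTable.NumberOfServices)
{
DbgPrint("ZwOpenSection service number out of range, not hooking");
return STATUS_UNSUCCESSFUL;
}
OldZwOpenSection = (qtype)KeServiceDescriptorTable.ServiceTableBase[no];
/* DriverUnload restores the entry, so register it only once there is
   something to restore; it is not called when DriverEntry fails. */
driverObject->DriverUnload = DriverUnload;
_asm cli
KeServiceDescriptorTable.ServiceTableBase[no]=(unsigned int)NewZwOpenSection;
_asm sti
return(STATUS_SUCCESS);
}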
Whenever we want to access the device \Device\PhysicalMemory, we first open a handle to it using NtOpenSection (ZwOpenSection in the driver above). The third parameter, ObjectAttributes, contains a Unicode string holding the name of the device we want to open. We compare the Buffer member of that string with \Device\PhysicalMemory and, if it matches, return an error. The same approach can be used to block access to any named device.