win10 内核中读取中文进程文件名-软件逆向-看雪-安全社区|安全招聘|kanxue.com

win10 内核中读取中文进程文件名

2023-11-20 22:19 4806

win10 内核中读取中文进程文件名

foxkinglxq 活跃值

2023-11-20 22:19

4806

//新人贴子不要只供自己学习

#include <ntifs.h>
#include "Header.h"
 
 
void mFindProcess(const wchar_t* ModeName)
{   
    //内核中查找中文进程
    ULONG64 ulProcessName ;
    ULONG64 ulProcessID ;
    int i = 1;
    mPEPROCESS pEprocess = NULL;    
    mPEPROCESS pFirstEprocess = NULL;   
    pEprocess = (mPEPROCESS)PsGetCurrentProcess();  //取得eprocess结构体
    pFirstEprocess = pEprocess; 
    if (pEprocess == NULL)
    {
        DbgPrintEx(0,77,"PsGetCurrentProcess Failed!\n");
        return;
    }
    do  /*win10 19043.1237 版本 如果不是这个版本请需构造EPROCESS结构体*/
    {       
        ulProcessID = (DWORD_PTR)pEprocess->UniqueProcessId;
        if (pEprocess->ImageFilePointer != NULL)
        {
            ulProcessName =(ULONG64) wcsstr(pEprocess->ImageFilePointer->FileName.Buffer, ModeName);
            if (ulProcessName)
            {
                DbgPrintEx(0, 77, "pEprocess = %p Process ID = %08d | DebugPort:%d Process Name=%ws Count:%d\n", pEprocess, ulProcessID,pEprocess->DebugPort, ulProcessName, i);
                break;
            }           
        }       
        pEprocess = (mPEPROCESS)(*(ULONG64*)(pEprocess->ActiveProcessLinks.Flink) - ((ULONG64)&pEprocess->ActiveProcessLinks - (ULONG64)pEprocess));      
        i++;
    } while (pEprocess != pFirstEprocess && pEprocess->UniqueProcessId != NULL); 
}
NTSTATUS mHideProcess/*隐藏进程*/(const wchar_t* ModulName)
{
    //内核中断链进程     注：当退出时会蓝屏
    mPEPROCESS pEprocess;
    DWORD_PTR ulProcessName;
    pEprocess = (mPEPROCESS)PsGetCurrentProcess();
    PLIST_ENTRY pActiveProcessLinks = (LIST_ENTRY*)(pEprocess->ActiveProcessLinks.Flink);  //指向下一个结构
    PLIST_ENTRY pNextLinks = pActiveProcessLinks;
     
    do{ 
pEprocess =(mPEPROCESS)((DWORD_PTR)pNextLinks- ((ULONG64)&pEprocess->ActiveProcessLinks - (ULONG64)pEprocess));  // +2e8  ActiveProcessLinks 
        if (pEprocess->ImageFilePointer != NULL)
        {   
            ulProcessName = (DWORD_PTR)wcsstr((wchar_t*)((mPEPROCESS)pEprocess->ImageFilePointer->FileName.Buffer), ModulName);
            if (ulProcessName)
            {
                pNextLinks->Blink->Flink = pNextLinks->Flink;
                pNextLinks->Flink->Blink = pNextLinks->Blink;
                DbgPrintEx(0, 77, "Hide Success\n");
                break;
            }
        }
        pNextLinks = pNextLinks->Flink;
    } while (pNextLinks->Flink != pActiveProcessLinks->Flink);
    return STATUS_SUCCESS;
}
 
void DriverUnLoad(PDRIVER_OBJECT pDriverObjct)
{
    DbgPrint("%ws UnLoad success!\n", pDriverObjct->DriverName.Buffer);
}
 
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObjct, PUNICODE_STRING pRegPath)
{
    DbgBreakPoint();    
    DbgPrintEx(0, 77, "Load Success %ws\n", pRegPath->Buffer);
    mFindProcess(L"中文名.exe");   //如果用PsGetProcessImageFileName  取名字为乱码
    mHideProcess(L"中文名.exe");
    pDriverObjct->DriverUnload = DriverUnLoad;
     
    return STATUS_SUCCESS;
}

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

最后于 2023-11-20 22:43 被foxkinglxq编辑，原因：

#系统底层

收藏・1

点赞・3

打赏

最新回复 (2)
秋狝雪币： 19461 活跃值： (29125) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1584 粉丝 31 关注私信	秋狝 2023-11-21 09:34 2 楼 1 感谢分享
caolinkai 雪币： 3676 活跃值： (3864) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 814 粉丝 1 关注私信	caolinkai 2023-11-21 10:19 3 楼 0 感谢分享
	游客登录 \| 注册方可回帖　回帖　表情雪币赚取及消费高级回复