win10 内核中读取中文进程文件名-软件逆向-看雪-安全社区|安全招聘|kanxue.com

win10 内核中读取中文进程文件名

发表于: 2023-11-20 22:19 6563

win10 内核中读取中文进程文件名

foxkinglxq 活跃值

2023-11-20 22:19

6563

//新人贴子不要  只供自己学习
#include <ntifs.h>
#include "Header.h"
 
void mFindProcess(const wchar_t* ModeName)
{   

    //内核中查找中文进程

    ULONG64 ulProcessName ;

    ULONG64 ulProcessID ;

    int i = 1;

    mPEPROCESS pEprocess = NULL;    

    mPEPROCESS pFirstEprocess = NULL;   

    pEprocess = (mPEPROCESS)PsGetCurrentProcess();  //取得eprocess结构体

    pFirstEprocess = pEprocess; 

    if (pEprocess == NULL)

    {

        DbgPrintEx(0,77,"PsGetCurrentProcess Failed!\n");

        return;

    }

    do  /*win10 19043.1237 版本 如果不是这个版本请需构造EPROCESS结构体*/

    {       

        ulProcessID = (DWORD_PTR)pEprocess->UniqueProcessId;

        if (pEprocess->ImageFilePointer != NULL)

        {

            ulProcessName =(ULONG64) wcsstr(pEprocess->ImageFilePointer->FileName.Buffer, ModeName);

            if (ulProcessName)

            {

                DbgPrintEx(0, 77, "pEprocess = %p Process ID = %08d | DebugPort:%d Process Name=%ws Count:%d\n", pEprocess, ulProcessID,pEprocess->DebugPort, ulProcessName, i);

                break;

            }           

        }       

        pEprocess = (mPEPROCESS)(*(ULONG64*)(pEprocess->ActiveProcessLinks.Flink) - ((ULONG64)&pEprocess->ActiveProcessLinks - (ULONG64)pEprocess));      

        i++;

    } while (pEprocess != pFirstEprocess && pEprocess->UniqueProcessId != NULL); 
}

NTSTATUS mHideProcess/*隐藏进程*/(const wchar_t* ModulName)
{

    //内核中断链进程     注：当退出时会蓝屏

    mPEPROCESS pEprocess;

    DWORD_PTR ulProcessName;

    pEprocess = (mPEPROCESS)PsGetCurrentProcess();

    PLIST_ENTRY pActiveProcessLinks = (LIST_ENTRY*)(pEprocess->ActiveProcessLinks.Flink);  //指向下一个结构

    PLIST_ENTRY pNextLinks = pActiveProcessLinks;

    do{ 

pEprocess =(mPEPROCESS)((DWORD_PTR)pNextLinks- ((ULONG64)&pEprocess->ActiveProcessLinks - (ULONG64)pEprocess));  // +2e8  ActiveProcessLinks 

        if (pEprocess->ImageFilePointer != NULL)

        {   

            ulProcessName = (DWORD_PTR)wcsstr((wchar_t*)((mPEPROCESS)pEprocess->ImageFilePointer->FileName.Buffer), ModulName);

            if (ulProcessName)

            {

                pNextLinks->Blink->Flink = pNextLinks->Flink;

                pNextLinks->Flink->Blink = pNextLinks->Blink;

                DbgPrintEx(0, 77, "Hide Success\n");

                break;

            }

        }

        pNextLinks = pNextLinks->Flink;

    } while (pNextLinks->Flink != pActiveProcessLinks->Flink);

    return STATUS_SUCCESS;
}
 
void DriverUnLoad(PDRIVER_OBJECT pDriverObjct)
{

    DbgPrint("%ws UnLoad success!\n", pDriverObjct->DriverName.Buffer);
}
 
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObjct, PUNICODE_STRING pRegPath)
{

    DbgBreakPoint();    

    DbgPrintEx(0, 77, "Load Success %ws\n", pRegPath->Buffer);

    mFindProcess(L"中文名.exe");   //如果用PsGetProcessImageFileName  取名字为乱码

    mHideProcess(L"中文名.exe");

    pDriverObjct->DriverUnload = DriverUnLoad;

    return STATUS_SUCCESS;
}
#include <ntifs.h>
#include "Header.h"
 
void mFindProcess(const wchar_t* ModeName)
{   

    //内核中查找中文进程

    ULONG64 ulProcessName ;

    ULONG64 ulProcessID ;

    int i = 1;

    mPEPROCESS pEprocess = NULL;    

    mPEPROCESS pFirstEprocess = NULL;   

    pEprocess = (mPEPROCESS)PsGetCurrentProcess();  //取得eprocess结构体

    pFirstEprocess = pEprocess; 

    if (pEprocess == NULL)

    {

        DbgPrintEx(0,77,"PsGetCurrentProcess Failed!\n");

        return;

    }

    do  /*win10 19043.1237 版本 如果不是这个版本请需构造EPROCESS结构体*/

    {       

        ulProcessID = (DWORD_PTR)pEprocess->UniqueProcessId;

        if (pEprocess->ImageFilePointer != NULL)

        {

            ulProcessName =(ULONG64) wcsstr(pEprocess->ImageFilePointer->FileName.Buffer, ModeName);

            if (ulProcessName)

            {

                DbgPrintEx(0, 77, "pEprocess = %p Process ID = %08d | DebugPort:%d Process Name=%ws Count:%d\n", pEprocess, ulProcessID,pEprocess->DebugPort, ulProcessName, i);

                break;

            }           

        }       

        pEprocess = (mPEPROCESS)(*(ULONG64*)(pEprocess->ActiveProcessLinks.Flink) - ((ULONG64)&pEprocess->ActiveProcessLinks - (ULONG64)pEprocess));      

        i++;

    } while (pEprocess != pFirstEprocess && pEprocess->UniqueProcessId != NULL); 
}

NTSTATUS mHideProcess/*隐藏进程*/(const wchar_t* ModulName)
{

    //内核中断链进程     注：当退出时会蓝屏

				登录后可查看完整内容
			
[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

		最后于  2023-11-20 22:43		
				被foxkinglxq编辑
				
		，原因： 		
	
		#系统底层

收藏・1

免费・3

支持

最新回复 (2)
秋狝雪币： 3059 活跃值： (30876) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1568 粉丝 38 关注私信	秋狝 2 楼感谢分享 2023-11-21 09:34 1
caolinkai 雪币： 3836 活跃值： (4142) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 812 粉丝 1 关注私信	caolinkai 3 楼感谢分享 2023-11-21 10:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

foxkinglxq

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (2)
秋狝雪币： 3059 活跃值： (30876) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1568 粉丝 38 关注私信	秋狝 2 楼感谢分享 2023-11-21 09:34 1
caolinkai 雪币： 3836 活跃值： (4142) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 812 粉丝 1 关注私信	caolinkai 3 楼感谢分享 2023-11-21 10:19 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复