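用到的结构体 http://www.irohane.top/index.php/archives/613/
用到的函数 http://www.irohane.top/index.php/archives/527/ http://www.irohane.top/index.php/archives/636/
![image.png](http://www.irohane.top/usr/uploads/2021/03/3858226024.png)
---
1. 使用 PsLookupProcessByProcessId 函数获取EPROCESS 来判断进程是否有效,返回值成功返回0
2. EPROCESS 0xb4为进程ID`UniqueProcessId; `,PsGetProcessImageFileName获取进程名
3. EPROCESS 0xb8 为活动进程双向链表,可以对链表切断来达到进程隐藏
```c
/*
 * Kernel-mode demo: enumerate processes by PID probing, terminate a process,
 * and hide a process by unlinking its ActiveProcessLinks entry (DKOM).
 *
 * Review notes (security):
 *  - Hard-coded EPROCESS offsets (the post cites 0xb4 for UniqueProcessId and
 *    0xb8 for ActiveProcessLinks) are specific to one Windows build and
 *    bitness. Exported accessors (PsGetProcessId, ...) are used below wherever
 *    one exists; the ActiveProcessLinks offset has no exported accessor.
 *  - Unlinking ActiveProcessLinks only hides the process from code that walks
 *    that list. Lookups by PID (PsLookupProcessByProcessId goes through the
 *    handle table) still find it, and kernel integrity checks treat an
 *    unlinked entry as tampering.
 *  - PROCESS_ACTIVE_PROCESS_LINKS_OFFSET is not defined in this listing; it is
 *    assumed to come from the post's linked header.
 */

/* Upper bound of the PID probe loop in EnumProcess (value kept from the original). */
#define MAX_PROBE_PID 0x25600

/*
 * Look up the EPROCESS for a PID.
 *
 * Returns a referenced PEPROCESS, or NULL if no process with that PID exists.
 * The caller owns one reference and must release it with ObDereferenceObject.
 */
PEPROCESS D_LookupProcess(HANDLE hPid)
{
    PEPROCESS pEProcess = NULL;

    if (!NT_SUCCESS(PsLookupProcessByProcessId(hPid, &pEProcess))) {
        return NULL;
    }
    return pEProcess;
}

/*
 * Enumerate processes by probing PIDs 4, 8, ..., MAX_PROBE_PID and printing
 * the EPROCESS address, PID and image name of each one that resolves.
 *
 * Fix vs. original: the original looked every PID up twice (D_LookupProcess,
 * then PsLookupProcessByProcessId again) but called ObDereferenceObject once,
 * leaking one reference per process on every run. Only the reference taken by
 * D_LookupProcess is held now, and it is released.
 *
 * The PID is read through PsGetProcessId instead of a hard-coded offset.
 * NOTE(review): PIDs above MAX_PROBE_PID are never probed; the bound is kept
 * from the original and may be too small on systems with high PID values.
 */
VOID EnumProcess(VOID)
{
    ULONG id;

    for (id = 4; id < MAX_PROBE_PID; id += 4) {
        PEPROCESS pEProc = D_LookupProcess(ULongToHandle(id));
        if (pEProc == NULL) {
            continue;
        }

        /* PsGetProcessImageFileName is assumed declared by the post's linked header. */
        KdPrint(("EPROCESS = [%p] - PID = [%u] - Name =[%s]\n",
                 pEProc,
                 HandleToULong(PsGetProcessId(pEProc)),
                 PsGetProcessImageFileName(pEProc)));

        ObDereferenceObject(pEProc);
    }
}

/*
 * Terminate the process with the given PID.
 *
 * Fixes vs. original:
 *  - The original opened the process with access mask 1 (PROCESS_TERMINATE)
 *    and returned: no termination was issued, the status was ignored and the
 *    handle leaked. The handle is now used for ZwTerminateProcess and closed.
 *  - OBJECT_ATTRIBUTES is initialized with OBJ_KERNEL_HANDLE so the handle is
 *    created in the kernel handle table instead of the handle table of
 *    whatever user process the driver happens to be attached to, where user
 *    mode could reach it.
 *
 * Failures are reported via KdPrint only; the VOID interface is kept.
 */
VOID KillProcess(UINT32 PID)
{
    HANDLE hProcess = NULL;
    CLIENT_ID clientId = { 0 };
    OBJECT_ATTRIBUTES objAttr;
    NTSTATUS status;

    clientId.UniqueProcess = ULongToHandle(PID);
    clientId.UniqueThread = NULL;

    InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &objAttr, &clientId);
    if (!NT_SUCCESS(status)) {
        KdPrint(("ZwOpenProcess(%u) failed: 0x%08X\n", PID, status));
        return;
    }

    status = ZwTerminateProcess(hProcess, STATUS_SUCCESS);
    if (!NT_SUCCESS(status)) {
        KdPrint(("ZwTerminateProcess(%u) failed: 0x%08X\n", PID, status));
    }

    ZwClose(hProcess);
}

/*
 * Unlink one LIST_ENTRY from its doubly-linked list.
 *
 * Fix vs. original: after unlinking, the entry's own Flink/Blink still pointed
 * at its former neighbours. When the hidden process later exits, the kernel
 * removes the entry again and would write through those stale pointers,
 * corrupting the list. The entry now points at itself so a later removal is
 * a no-op.
 *
 * NOTE(review): raising to DISPATCH_LEVEL only blocks preemption on this CPU;
 * it does not exclude other CPUs walking the same list, and the lock the
 * kernel uses for the active-process list is not exported to drivers. Kept
 * from the original; treat it as best-effort, not as synchronization.
 */
VOID RemoveListEntry(PLIST_ENTRY ListEntry)
{
    KIRQL oldIrql = KeRaiseIrqlToDpcLevel();

    ListEntry->Flink->Blink = ListEntry->Blink;
    ListEntry->Blink->Flink = ListEntry->Flink;

    /* Make a later RemoveEntryList() on this entry harmless. */
    ListEntry->Flink = ListEntry;
    ListEntry->Blink = ListEntry;

    KeLowerIrql(oldIrql);
}

/*
 * Hide a process from list-walking enumerators by unlinking its
 * ActiveProcessLinks entry.
 *
 * Fixes vs. original:
 *  - The debug line printed the parent PID
 *    (PsGetProcessInheritedFromUniqueProcessId) under the label "PID"; it is
 *    now labelled PPID and the real PID is printed alongside.
 *  - (ULONG32)pEProc truncates the pointer on a 64-bit build; PUCHAR
 *    arithmetic is used instead. PROCESS_ACTIVE_PROCESS_LINKS_OFFSET is
 *    build-specific (the post's notes give 0xb8) and is assumed defined elsewhere.
 *
 * NOTE(review): only code that walks ActiveProcessLinks is affected; PID-based
 * lookups through the handle table still see the process.
 */
VOID HideProcess(int PID)
{
    PEPROCESS pEProc = NULL;

    if (!NT_SUCCESS(PsLookupProcessByProcessId(ULongToHandle(PID), &pEProc))) {
        return;
    }

    KdPrint(("EPROCESS = [%p] - PID = [%u] - PPID = [%u] - Name =[%s]\n",
             pEProc,
             HandleToULong(PsGetProcessId(pEProc)),
             HandleToULong(PsGetProcessInheritedFromUniqueProcessId(pEProc)),
             PsGetProcessImageFileName(pEProc)));

    RemoveListEntry((PLIST_ENTRY)((PUCHAR)pEProc + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET));

    ObDereferenceObject(pEProc);
}
```
最后修改:2021 年 03 月 23 日 © 允许规范转载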