Windows driver development 24. Converting between processes and handles in the kernel
Converting between processes and handles in the kernel
#include <ntifs.h>
#define Log(X) DbgPrint("qi:" X)
...
Windows driver development 23. Getting a PID from a process name
Getting a PID from a process name, e.g. explorer.exe
...
Windows driver development 22. Getting the driver's own module base address and size
Getting the driver's own module base address and size
//https://blog.csdn.net/i735740559/article/details/121010037
#include <ntifs.h>
#include ...
Windows driver development 21. Opening a process handle in a driver
Opening a handle with the system API ZwOpenProcess
HANDLE PidToHandle(ULONG PID)
{
    if (!PID) return NULL;
    HANDLE hProcessHandle;
    OBJECT_ATTRIBUTES obj;
    CLIENT_ID clientid;
    clientid.UniqueProcess = (HANDLE)(ULONG_PTR)PID;
    clientid.UniqueThread = 0;
    // initialize the object attributes
    InitializeObjectAttributes(&obj, 0, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, 0, 0);
    NTSTATUS status = ZwOpenProcess(&hProcessHandle, PROCESS_ALL_ACCESS, &obj, &clientid);
    if (status == STATUS_SUCCESS)
    {
        DbgPrint("[*] 已 ...
Windows driver development 20. Enumerating process modules from a driver and printing process names
Enumerating the system's processes from a driver and printing each process name
#include <ntddk.h>
//https://bbs.kanxue.com/thread-263982.htm
//[original] enumerating system processes from a driver
#define pid_offset 0x180
#define list_offset 0x188
#define name_offset 0x2e0
NTSTATUS Get_Name();
VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrintEx(0, 0, "[%ws] Unload Successful \n", __FUNCTIONW__);
}
NTSTATUS DriverEntry(PDRI ...
Windows driver development 19. Hiding the driver's own module by unlinking it from the module list
Hiding the driver's own module by unlinking it, method one
//https://developer.aliyun.com/article/1061479
//Driver development: hiding the driver itself by unlinking it
#include <ntifs.h>
HANDLE hThread;
VOID ThreadRun(PVOID StartContext);
VOID UnDriver(PDRIVER_OBJECT driver)
{
    DbgPrint(("Uninstall Driver Is OK \n"));
}
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver, PUNICODE_STRING RegistryPath)
{
    DbgPrint(("hello lyshark \n"));
    PLIST_ENTRY pModuleList;
    ...
Windows driver development 18. Hiding a process by unlinking it from the process list
Hiding a process by unlinking it, approach one
#include <ntifs.h>
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
// given a process name, walk the process IDs to find the matching PEPROCESS
PEPROCESS GetProcessObjectByName(char* name)
{
    if (!name) return NULL;
    SIZE_T temp;
    for (temp = 100; temp < 10000; temp += 4)
    {
        NTSTATUS status;
        PEPROCESS ep;
        status = PsLookupProcessByProcessId((HANDLE)temp, &ep);
        if (NT_SUCCESS(sta ...
Windows driver development 17. Changing process access rights in a callback, and restoring read/write rights with an altitude-based intercept
Ways to restore handle access rights. 1. Use altitude-based interception to restore the handle's rights inside a callback. Callbacks run in order from the highest altitude to the lowest; look up the altitude of the callback that lowers the rights and register a callback with a lower altitude, so the rights are lowered first and then raised again.
#include <ntifs.h>
PVOID RegistrationHandle = NULL;
BOOLEAN is_callback = FALSE;
HANDLE g_pid;
VOID uninstall_callback()
{
    if (RegistrationHandle != NULL && is_callback)
        ObUnRegisterCallbacks(RegistrationHandle);
}
// callback that raises process rights ...
Windows driver development 16. Using a callback to protect a process from being read or written
Writing C code that uses a callback to protect a process from being read or written. 1. Register a callback in the driver and print a message when the driver is registered.
#include <ntifs.h>
#define Log(X) DbgPrint("qi:" X)
VOID processcreate_callback(_In_ HANDLE ParentId, _In_ HANDLE ProcessId, _In_ BOOLEAN Create);
VOID TestCallback();
NTSTATUS DriverUnload(PDRIVER_OBJECT pdriver)
{
    PsSetCreateProcessNotifyRoutine(processcreate_callback, TRUE);
    DbgPrint("unload...\n");
    return STATUS_SUCCESS;
}
NTSTA ...
Windows driver development 15. Reading and writing memory in a driver
Several ways to read and write memory data in a driver. 1. Reading and writing data at system virtual addresses
Read and write directly through a pointer.
Read and write with a C memory-copy function, e.g. memcpy().
Use a Windows driver function, e.g. RtlCopyMemory.
Write to a system virtual address through an MDL mapping.
2. Reading and writing physical addresses. The operating system and drivers run in the upper part of the system virtual address space, so to read or write a physical address it must first be mapped into the system virtual address space; only then can the driver read or write the data.
Ways to map a physical address into the system virtual address space
Method one: use the function
Method two: use an MDL, with the function
3. Reading and writing an application's virtual memory. The upper system virtual address range runs kernel and driver code, while the lower range runs application code. Each application process's address space is mapped into the system virtual address space through four-level page tables.
Ways to read and write application memory data
Method one: use the Windows driver function MmCopyVirtualMemory.
Method two: obtain the EPROCESS from the application's PID, attach to that process, and then read or write through a pointer or a memory-copy function.
Method three: find the physical address that corresponds to the virtual address in the application process, then map the physical address ...
