如未特殊说明均在以下机器测试
Windows 7 Professional with Service Pack 1 (x86) - DVD (Chinese-Simplified)
Windows 10 (business edition), version 1903 (updated June 2019) (x64) - DVD (Chinese-Simplified)
_object_Head.flag用户态进程保护 对于32位内核,一般的内核结构(如eprocess)会有一个_object_Head 在内核结构-0x18处 置_object_Head.flag为KernelOnlyAccess会导致用户态打不开进程句柄
64位内核同样只是偏移不同
#include "drivercommon.h" PEPROCESS g_eprocess = NULL ; NTKERNELAPI UCHAR* PsGetProcessImageFileName (__in PEPROCESS Process) ; PEPROCESS FindProcessByName (UCHAR* targetName) { PEPROCESS pEprocess = NULL ; NTSTATUS status; for (int i = 4 ; i < 100000 ; i += 4 ) { PEPROCESS ptmpEprocess = NULL ; status = PsLookupProcessByProcessId((HANDLE)i, &ptmpEprocess); if (NT_SUCCESS(status) && ptmpEprocess) { UCHAR* name = PsGetProcessImageFileName(ptmpEprocess); ObReferenceObject(ptmpEprocess); if (!_stricmp(targetName, name)) { return ptmpEprocess; } } } return pEprocess; } VOID SetProcessProtect (PEPROCESS eprocess) { PUCHAR ObjHead = NULL ; #ifdef _WIN64 ObjHead = (PUCHAR)eprocess - 0x30 ; *(ObjHead + 0x1b ) |= 4 ; #else ObjHead = (PUCHAR)eprocess - 0x18 ; *(ObjHead + 0xf ) |= 4 ; #endif LOG("protect" ); } VOID CloseProcessProtect (PEPROCESS eprocess) { PUCHAR ObjHead = NULL ; #ifdef _WIN64 ObjHead = (PUCHAR)eprocess - 0x30 ; *(ObjHead + 0x1b ) &= ~4 ; #else ObjHead = (PUCHAR)eprocess - 0x18 ; *(ObjHead + 0xf ) &= ~4 ; #endif LOG("close protect" ); } VOID DriverUnload (_In_ struct _DRIVER_OBJECT* DriverObject) { UNREFERENCED_PARAMETER(DriverObject); LOG("%s" , __FUNCTION__); CloseProcessProtect(g_eprocess); g_eprocess = NULL ; } NTSTATUS DriverEntry ( __in struct _DRIVER_OBJECT* DriverObject, __in PUNICODE_STRING RegistryPath ) { UNREFERENCED_PARAMETER(RegistryPath); DriverObject->DriverUnload = DriverUnload; LOG("%s" , __FUNCTION__); g_eprocess = FindProcessByName("dbgview.exe" ); if (g_eprocess) { SetProcessProtect(g_eprocess); } return STATUS_SUCCESS; }
EPROCESS.ActiveProcessLinks进程断链进程隐藏
断链后要再InitializeListHead被断链的list_entry
RemoveEntryList后 ActiveProcessLinks的flink和blink依旧指向之前的,这样该进程在销毁时,会重新操作flibk和blink可能导致蓝屏
#include "drivercommon.h" PEPROCESS FindProcessByName (PWCH targetName) { NTSTATUS status; for (int i = 4 ; i < 0x100000 ; i += 4 ) { PEPROCESS process = NULL ; status = PsLookupProcessByProcessId((HANDLE)i, &process); if (NT_SUCCESS(status) && process) { ObDereferenceObject(process); PUNICODE_STRING curName = NULL ; status = SeLocateProcessImageName(process, &curName); if (NT_SUCCESS(status) && curName) { if (curName->Length) { _wcsupr(curName->Buffer); if (wcsstr(curName->Buffer, targetName)) { LOG("%S" , targetName); return process; } } ExFreePoolWithTag(curName, 0 ); } } } LOG("not found" ); return NULL ; } ULONG GetActiveProcessLinksOffset () { UNICODE_STRING funcName = { 0 }; RtlInitUnicodeString(&funcName, L"PsGetProcessId" ); PUCHAR funcAddr = (PUCHAR)MmGetSystemRoutineAddress(&funcName); if (!funcAddr) { return -1 ; } for (int i = 0 ; i < 0x100 ; i++) { #ifdef _WIN64 if (funcAddr[i] == 0x8b && funcAddr[i + 1 ] == 0x81 ) { #else if (funcAddr[i] == 0x8b && funcAddr[i + 1 ] == 0x80 ) { #endif return (*(PULONG)(funcAddr + i + 2 )) + sizeof (SIZE_T); } } } VOID DriverUnload (_In_ struct _DRIVER_OBJECT* DriverObject) { UNREFERENCED_PARAMETER(DriverObject); LOG("%s" , __FUNCTION__); } NTSTATUS DriverEntry ( __in struct _DRIVER_OBJECT* DriverObject, __in PUNICODE_STRING RegistryPath ) { UNREFERENCED_PARAMETER(RegistryPath); DriverObject->DriverUnload = DriverUnload; LOG("%s" , __FUNCTION__); PEPROCESS process = FindProcessByName(L"DBGVIEW.EXE" ); if (NULL == process) { return STATUS_UNSUCCESSFUL; } DbgBreakPoint(); ULONG offset = GetActiveProcessLinksOffset(); PLIST_ENTRY ActiveProcessLinks = (PLIST_ENTRY)((PUCHAR)process + offset); RemoveEntryList(ActiveProcessLinks); InitializeListHead(ActiveProcessLinks); return STATUS_SUCCESS; }
BreakOnTermination EPROCESS.BreakOnTermination : 0y0 为1时标识临界进程杀死会导致蓝屏
以下代码仅仅win7下测试
#include "drivercommon.h" PEPROCESS FindProcessByName (PWCH targetName) { NTSTATUS status; for (int i = 4 ; i < 0x100000 ; i += 4 ) { PEPROCESS process = NULL ; status = PsLookupProcessByProcessId((HANDLE)i, &process); if (NT_SUCCESS(status) && process) { ObDereferenceObject(process); PUNICODE_STRING curName = NULL ; status = SeLocateProcessImageName(process, &curName); if (NT_SUCCESS(status) && curName) { if (curName->Length) { _wcsupr(curName->Buffer); if (wcsstr(curName->Buffer, targetName)) { LOG("%S" , targetName); return process; } } ExFreePoolWithTag(curName, 0 ); } } } LOG("not found" ); return NULL ; } VOID DriverUnload (_In_ struct _DRIVER_OBJECT* DriverObject) { UNREFERENCED_PARAMETER(DriverObject); LOG("%s" , __FUNCTION__); } NTSTATUS DriverEntry ( __in struct _DRIVER_OBJECT* DriverObject, __in PUNICODE_STRING RegistryPath ) { UNREFERENCED_PARAMETER(RegistryPath); DriverObject->DriverUnload = DriverUnload; LOG("%s" , __FUNCTION__); PEPROCESS process = FindProcessByName(L"DBGVIEW.EXE" ); if (NULL == process) { return STATUS_UNSUCCESSFUL; } PUCHAR targetAd = (PUCHAR)process + 0x270 ; ULONG32 origin = *(PULONG32)(targetAd); origin |= 0x2000 ; *(PULONG32)(targetAd) = origin; return STATUS_SUCCESS; }
线程进程回调 PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine
