在EPORCESS结构体中,偏移0x26c的地方是一个标志位

在标志位中第12位为进程保护位,当该位为1时,调试器无法附加该进程
没设置保护位:


PCHUNTER没显示拒绝且OD可以附加该进程
设置保护位:

现在我们PCHUNTER显示拒绝访问,OD也找不到该进程,无法进行附加.
原理
我们遍历进程,取出该进程的偏移0x26c的标志位,或上0x800,置第12位2保护位为1,然后再放回去
代码实现
include<ntifs.h>
VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
DbgPrint("Unload Driver Success! ");
}
NTSTATUS ProtectedProcess(ULONG ulPid) {
DWORD_PTR pEprocess = NULL;
ULONG ulProcessID = 0;
ULONG ulProtectedFlag = 0;
pEprocess = (DWORD_PTR)PsGetCurrentProcess();
PLIST_ENTRY pActiveProcessLinks = (PLIST_ENTRY)(pEprocess + 0xb8);
PLIST_ENTRY pNextLinks = pActiveProcessLinks->Flink;
while (pNextLinks->Flink!= pActiveProcessLinks->Flink)
{
pEprocess = (DWORD_PTR)pNextLinks - 0xb8;
ulProcessID = ((ULONG)(pEprocess + 0xb4));
if (ulProcessID == ulPid)
{
//主要操作代码
ulProtectedFlag = ((ULONG)(pEprocess + 0x26c));
DbgPrint("OLD FLAGS: 0x%X", ulProtectedFlag);
((ULONG)(pEprocess + 0x26c))= 0x800| ulProtectedFlag;
ulProtectedFlag= ((ULONG*)(pEprocess + 0x26c));
DbgPrint("NEW FLAGS: 0x%X", ulProtectedFlag);
return STATUS_SUCCESS;
}
pNextLinks = pNextLinks->Flink;
}
DbgPrint("Failed!");
return STATUS_SUCCESS;
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {
DbgPrint("Load Driver Success!");
pDriverObject->DriverUnload = DriverUnload;
ProtectedProcess(836);
return STATUS_SUCCESS;
} |