
HOOK SwapContext 枚举隐藏进程(学习笔记4)(3)

2012-07-26 22:42 441 查看



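/*
 * Driver unload routine (installed as DriverObject->DriverUnload in DriverEntry).
 * Signals WorkThread to stop (BeTerminate = 1), waits until the thread reports
 * that it is leaving (BeTerminate == 3), then removes the SwapContext hook.
 *
 * BeTerminate protocol (shared with WorkThread):
 *   0 = run, 1 = stop requested, 3 = thread is terminating.
 * Unloading while the thread is still pending in driver code bluescreens,
 * which is why the wait for 3 is required before returning.
 */
void klisterUnload(IN PDRIVER_OBJECT pDriverObject)
{
    /* KeDelayExecutionThread takes 100 ns units, negative = relative: 50 ms between polls. */
    LARGE_INTEGER pollInterval = RtlConvertLongToLargeInteger(-10 * 50000);

    (void)pDriverObject;  /* not needed: the hook state lives in the globals GoBackAddr / BeTerminate */

    BeTerminate = 1;

    /*
     * Poll with a sleep instead of an empty busy loop. The original spun on a
     * plain (non-volatile) global, which the compiler is free to read once and
     * hoist, and it burned the CPU for up to one full WorkThread sleep.
     * The call boundary forces BeTerminate to be re-read each iteration.
     *
     * NOTE(review): this still waits for the flag only, not for the thread to
     * have actually left driver code. Waiting on the thread object itself
     * (DriverEntry would have to keep a reference to it) would close that
     * window; as written, no such reference is available here.
     */
    while (BeTerminate != 3) {
        KeDelayExecutionThread(KernelMode, FALSE, &pollInterval);
    }

    /* GoBackAddr is set by GetSwapAddr() in DriverEntry; non-NULL means the hook was installed. */
    if (GoBackAddr) {
        HookSwapFunction(FALSE);
    }
}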
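/*
 * Print every process recorded by the SwapContext hook.
 * Walks the wLastItem list, prints each EPROCESS address with its image file
 * name via DbgPrint, and finally the total number of entries.
 */
void showProcess()
{
    /*
     * Offset of the image file name inside EPROCESS as used by this note
     * (0x174). It is build-specific and must match the kernel the driver runs
     * on. The field is a short fixed-size byte array (16 bytes on the layout
     * this offset belongs to -- confirm against the target build), so the %s
     * read below is bounded rather than trusting a NUL terminator.
     */
    enum {
        EPROCESS_IMAGE_FILE_NAME_OFFSET = 0x174,
        EPROCESS_IMAGE_FILE_NAME_LEN = 16
    };

    PProcessList node = wLastItem;
    DWORD count = 0;

    while (node) {   /* walk the list */
        if (node->pEPROCESS) {
            /*
             * Byte-pointer arithmetic instead of casting the pointer to
             * unsigned int: the int cast truncates addresses on 64-bit builds,
             * and %p prints the full pointer for the same reason.
             */
            PUCHAR imageName = (PUCHAR)(node->pEPROCESS) + EPROCESS_IMAGE_FILE_NAME_OFFSET;
            count++;
            DbgPrint("0x%p %.16s \n", node->pEPROCESS, imageName);
        }
        node = PProcessList(node->NextItem);
    }

    DbgPrint("共有%d个进程", count);
}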
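/*
 * System thread started from DriverEntry.
 * Every two seconds, while BeTerminate == 0, prints the processes collected so
 * far (showProcess). Once klisterUnload sets BeTerminate to 1 the loop ends,
 * the thread reports 3 and terminates itself.
 *
 * BeTerminate protocol (shared with klisterUnload):
 *   0 = run, 1 = stop requested, 3 = thread is terminating.
 */
void WorkThread(IN PVOID pContext)
{
    /* KeDelayExecutionThread takes 100 ns units; -10 * N is N microseconds, relative. */
    enum { POLL_INTERVAL_US = 2000000 };   /* 2 s */
    LARGE_INTEGER timeout = RtlConvertLongToLargeInteger(-10 * POLL_INTERVAL_US);

    (void)pContext;   /* unused: DriverEntry passes NULL */

    /*
     * The original also checked MmIsAddressValid(&BeTerminate) because the flag
     * is set from the unload routine. It is kept as a loop guard, but it cannot
     * really protect this code: if the image were already gone, this function
     * would be gone too. Unload must wait for this thread instead (klisterUnload).
     */
    while (MmIsAddressValid(&BeTerminate) && BeTerminate == 0) {
        KeDelayExecutionThread(KernelMode, FALSE, &timeout);
        DbgPrint("搜集到的进程是");
        showProcess();
    }

    /*
     * Hand-shake with klisterUnload, then exit. PsTerminateSystemThread does
     * not return, so nothing may follow it; the original's goto/label after
     * the call was unreachable (and "__end" is a reserved identifier).
     */
    BeTerminate = 3;
    PsTerminateSystemThread(STATUS_SUCCESS);
}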
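/*
 * DriverEntry: called when the driver is loaded.
 * Installs the unload routine, starts WorkThread, then locates SwapContext
 * (GetSwapAddr sets GoBackAddr) and installs the hook when it was found.
 *
 * Returns the PsCreateSystemThread status when thread creation fails (the
 * driver is then not loaded and nothing is hooked), STATUS_SUCCESS otherwise.
 */
NTSTATUS DriverEntry(
    IN PDRIVER_OBJECT pDriverObject,
    IN PUNICODE_STRING pRegistryPath
    )
{
    NTSTATUS status;
    HANDLE hThread;

    (void)pRegistryPath;   /* unused */

    pDriverObject->DriverUnload = klisterUnload;

    status = PsCreateSystemThread(&hThread,
                                  (ACCESS_MASK)0,
                                  NULL,
                                  (HANDLE)0,
                                  NULL,
                                  WorkThread,
                                  NULL);
    /*
     * NTSTATUS failure codes have the sign bit set (this is what NT_SUCCESS
     * tests). The original ignored this status: if the thread was never
     * created, klisterUnload would wait forever for BeTerminate to become 3.
     */
    if (status < 0) {
        return status;
    }
    /*
     * The handle is only needed to create the thread; the thread runs on
     * without it. The original never closed it (handle leak).
     */
    ZwClose(hThread);

    GetSwapAddr();
    if (GoBackAddr) {
        HookSwapFunction(TRUE);
    }
    return STATUS_SUCCESS;
}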
