#include "ntddk.h"
#include <windef.h>
#include <stdlib.h>
#include "dbghelp.h"
#include "Win7x64Drv.h"
/* EPROCESS field offsets, hard-coded for one specific kernel build (the header
 * name suggests Windows 7 x64). Nothing in this file validates them at run time,
 * so on any other build the reads/writes below land on unrelated EPROCESS memory. */
#define PROCESS_FLAGS_OFFSET 0x440                 /* not referenced anywhere in this file */
#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x188  /* LIST_ENTRY unlinked by HideProcess */
#define PROCESS_RUNDOWN_PROTECT_OFFSET 0x178       /* 64-bit word overwritten by IOCTL_ProtectProcess */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp);
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
VOID DriverUnload(PDRIVER_OBJECT pDriverObj);
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
/* NOTE(review): the kernel export (declared in ntifs.h) takes a HANDLE ProcessId,
 * not ULONG. This local redeclaration presumably only works because x64 passes the
 * argument in a register either way; it is not the documented prototype. The
 * returned PEPROCESS is referenced and must be released with ObDereferenceObject,
 * which nothing in this file does. */
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId (IN ULONG ProcessId,OUT PEPROCESS *Process);
/* Driver-wide mutable state shared by all IOCTL handlers; no synchronisation
 * guards concurrent requests from several callers. */
ULONG32 dwInputPid=0;   /* last PID copied out of an IOCTL input buffer */
PEPROCESS eProcess=NULL; /* EPROCESS from the last successful lookup (hide or protect); reused by unprotect */
ULONG64 OldVal;          /* value saved by IOCTL_ProtectProcess; uninitialized until that request runs */
ULONG64 RdpVal=1;        /* value written over the RundownProtect field by IOCTL_ProtectProcess */
/* Reads one 64-bit word at p, or returns 0 when MmIsAddressValid rejects the address.
 * NOTE(review): MmIsAddressValid is a point-in-time check, not a guarantee that the
 * page stays mapped for the dereference, and 0 is also a legitimate stored value, so
 * callers cannot distinguish "invalid address" from "field holds 0". */
ULONG64 Get64bitValue(PVOID p)
{
    PULONG64 slot = (PULONG64)p;
    if (!MmIsAddressValid(slot)) {
        return 0;
    }
    return *slot;
}
/* Writes the 64-bit word v at p; silently does nothing when MmIsAddressValid rejects p.
 * Raising to DISPATCH_LEVEL only blocks preemption on the current CPU -- it is not a
 * lock against other processors reading or writing the same field concurrently. */
VOID Set64bitValue(PVOID p, ULONG64 v)
{
    PULONG64 slot = (PULONG64)p;
    KIRQL savedIrql;

    if (!MmIsAddressValid(slot)) {
        return;
    }
    savedIrql = KeRaiseIrqlToDpcLevel();
    *slot = v;
    KeLowerIrql(savedIrql);
}
/* Unlinks ListEntry from its doubly linked list and makes it point at itself.
 * The entry is only touched when both neighbours agree it is linked; an entry that
 * already links to itself is left alone. Only the current CPU's preemption is
 * suppressed while the pointers are rewritten -- the list's real owner lock is not
 * taken, so another processor walking the same list at that moment sees a torn
 * update (risk: bugcheck). */
VOID RemoveListEntry(PLIST_ENTRY ListEntry)
{
    KIRQL savedIrql = KeRaiseIrqlToDpcLevel();
    PLIST_ENTRY next = ListEntry->Flink;
    PLIST_ENTRY prev = ListEntry->Blink;
    /* Evaluation order matters: prev/next are only dereferenced once the self-link
     * checks have passed. */
    BOOLEAN linked = (next != ListEntry) && (prev != ListEntry) &&
                     (prev->Flink == ListEntry) && (next->Blink == ListEntry);

    if (linked) {
        next->Blink = prev;
        prev->Flink = next;
        ListEntry->Flink = ListEntry;
        ListEntry->Blink = ListEntry;
    }
    KeLowerIrql(savedIrql);
}
/* Unlinks Process's ActiveProcessLinks entry (located by a hard-coded offset) from the
 * kernel's process list. This is direct kernel object manipulation: the process keeps
 * running, and the offset is only correct for the kernel build it was taken from. Any
 * enumeration that does not walk this particular list is unaffected by it. */
VOID HideProcess(PEPROCESS Process)
{
    ULONG64 base = (ULONG64)Process;
    PLIST_ENTRY links = (PLIST_ENTRY)(base + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET);

    RemoveListEntry(links);
}
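/* Driver entry point: registers the dispatch routines and creates the control device
 * plus its user-visible symbolic link (DEVICE_NAME / LINK_NAME come from Win7x64Drv.h).
 *
 * Security note: the device is created with IoCreateDevice and no security descriptor,
 * so the default DACL applies and any local user able to open LINK_NAME can submit the
 * IOCTLs handled in DispatchIoctl. A hardened driver would use IoCreateDeviceSecure
 * with an SDDL string that restricts the device to administrators (needs wdmsec.h,
 * which this file does not include).
 *
 * @param pDriverObj      driver object supplied by the I/O manager
 * @param pRegistryString registry path of the service; only logged
 * @return STATUS_SUCCESS, or the failure code from IoCreateDevice / IoCreateSymbolicLink;
 *         on a failed symbolic link the device object is deleted again before returning.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status = STATUS_SUCCESS;
    UNICODE_STRING ustrLinkName;
    UNICODE_STRING ustrDevName;
    PDEVICE_OBJECT pDevObj = NULL;

    /* %wZ prints a UNICODE_STRING by its Length. The previous "%S" on ->Buffer assumed
     * a NUL terminator, which UNICODE_STRING does not guarantee, so it could read past
     * the registry path. (Assumes dprintf hands its format string to DbgPrint; the
     * macro is defined in Win7x64Drv.h, not visible here.) */
    dprintf("[x64Drv] DriverEntry: %wZ\n", pRegistryString);

    /* Create dispatch points for device control, create, close. */
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = DispatchClose;
    pDriverObj->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DispatchIoctl;
    pDriverObj->DriverUnload = DriverUnload;

    RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
    status = IoCreateDevice(pDriverObj, 0, &ustrDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
    dprintf("[x64Drv] Device Name %wZ", &ustrDevName);
    if (!NT_SUCCESS(status))
    {
        dprintf("[x64Drv] IoCreateDevice = 0x%x\n", status);
        return status;
    }

    RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
    status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
    if (!NT_SUCCESS(status))
    {
        dprintf("[x64Drv] IoCreateSymbolicLink = 0x%x\n", status);
        /* Undo the device creation so a failed load leaves nothing behind. */
        IoDeleteDevice(pDevObj);
        return status;
    }
    dprintf("[x64Drv] SymbolicLink:%wZ", &ustrLinkName);
    return STATUS_SUCCESS;
}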
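/* Unload routine: removes the symbolic link and device object created in DriverEntry.
 *
 * Also releases the EPROCESS reference that may still be held in the global eProcess
 * (the original leaked it across unload). The kernel modifications made by the IOCTLs
 * are NOT reverted here: the unlinked ActiveProcessLinks entry cannot be re-inserted
 * from this code, and OldVal is only meaningful if IOCTL_ProtectProcess ran.
 *
 * @param pDriverObj driver object whose single device is deleted
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING strLink;

    if (eProcess != NULL) {
        ObDereferenceObject(eProcess);
        eProcess = NULL;
    }

    RtlInitUnicodeString(&strLink, LINK_NAME);
    IoDeleteSymbolicLink(&strLink);
    IoDeleteDevice(pDriverObj->DeviceObject);
    dprintf("[x64Drv] Unloaded\n");
}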
/* IRP_MJ_CREATE: every open of the control device is accepted. No access check is
 * made here, so who may reach the IOCTL handler is decided solely by the device
 * object's DACL. */
NTSTATUS DispatchCreate(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STATUS_BLOCK ios = &pIrp->IoStatus;

    dprintf("[x64Drv] IRP_MJ_CREATE\n");
    ios->Information = 0;
    ios->Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
/* IRP_MJ_CLOSE: completes the request successfully with no data; there is no
 * per-handle state to tear down. */
NTSTATUS DispatchClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    PIO_STATUS_BLOCK ios = &pIrp->IoStatus;

    dprintf("[x64Drv] IRP_MJ_CLOSE\n");
    ios->Information = 0;
    ios->Status = STATUS_SUCCESS;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
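/* IRP_MJ_DEVICE_CONTROL handler. The code reads input from
 * pIrp->AssociatedIrp.SystemBuffer, i.e. it assumes METHOD_BUFFERED IOCTL codes.
 *
 * Request codes (defined in Win7x64Drv.h):
 *   IOCTL_HideProcess      input: ULONG32 PID -> unlinks the process from the active-process list
 *   IOCTL_ProtectProcess   input: ULONG32 PID -> saves, then overwrites, the RundownProtect field
 *   IOCTL_UnprotectProcess no input           -> restores the value saved by the last protect
 * No request produces output.
 *
 * Security notes: every caller allowed to open the device gets these kernel-memory
 * writes performed on its behalf. The EPROCESS offsets are hard-coded and unchecked,
 * so on a kernel build other than the one they were taken from the writes hit
 * unrelated fields. The __try/__except blocks only catch access faults; they do not
 * make the direct kernel object manipulation safe. OldVal is overwritten on every
 * protect request, so a repeated protect of the same process loses the original value.
 *
 * Fixes relative to the original:
 *   - input length and buffer pointer are checked before the PID is copied out;
 *   - IoStatus.Information is always 0 -- it used to report OutputBufferLength although
 *     nothing was written, which makes the I/O manager copy that many bytes of
 *     SystemBuffer (input plus possibly uninitialised pool) back to the caller;
 *   - the RundownProtect read-back uses Get64bitValue instead of a raw dereference;
 *   - ULONG64 values are printed with a 64-bit specifier (was %ld);
 *   - the hide path keeps the looked-up EPROCESS in a local and releases it, so it no
 *     longer clobbers the global used by unprotect; protect releases the reference of
 *     a previous protect before replacing it, and unprotect releases it after restoring;
 *   - unprotect reports its result instead of leaving STATUS_INVALID_DEVICE_REQUEST;
 *   - a caught exception is reported through status instead of being swallowed.
 *
 * @param pDevObj device object (unused)
 * @param pIrp    the request; completed here with IO_NO_INCREMENT
 * @return the status stored in pIrp->IoStatus.Status
 */
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
    NTSTATUS status = STATUS_INVALID_DEVICE_REQUEST;
    PIO_STACK_LOCATION pIrpStack;
    ULONG uIoControlCode;
    PVOID pIoBuffer;
    ULONG uInSize;

    UNREFERENCED_PARAMETER(pDevObj);

    pIrpStack = IoGetCurrentIrpStackLocation(pIrp);
    uIoControlCode = pIrpStack->Parameters.DeviceIoControl.IoControlCode;
    pIoBuffer = pIrp->AssociatedIrp.SystemBuffer;
    uInSize = pIrpStack->Parameters.DeviceIoControl.InputBufferLength;

    switch (uIoControlCode)
    {
    case IOCTL_HideProcess:
    {
        PEPROCESS target = NULL;   /* local: must not clobber the global kept for unprotect */

        if (pIoBuffer == NULL || uInSize < sizeof(dwInputPid)) {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        __try
        {
            memcpy(&dwInputPid, pIoBuffer, sizeof(dwInputPid));
            dprintf("[x64Drv] dwInputPid=%lu", dwInputPid);
            status = PsLookupProcessByProcessId(dwInputPid, &target);
            if (NT_SUCCESS(status))
            {
                HideProcess(target);
                dprintf("[x64Drv] Hide Process finished");
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            status = GetExceptionCode();
        }
        if (target != NULL) {
            ObDereferenceObject(target);   /* PsLookupProcessByProcessId returned it referenced */
        }
        break;
    }
    case IOCTL_ProtectProcess:
    {
        PEPROCESS target = NULL;
        PULONG64 rundownField;

        if (pIoBuffer == NULL || uInSize < sizeof(dwInputPid)) {
            status = STATUS_BUFFER_TOO_SMALL;
            break;
        }
        __try
        {
            memcpy(&dwInputPid, pIoBuffer, sizeof(dwInputPid));
            dprintf("[x64Drv] dwInputPid=%lu", dwInputPid);
            status = PsLookupProcessByProcessId(dwInputPid, &target);
            if (NT_SUCCESS(status))
            {
                /* Release the reference held from a previous protect request before
                 * the global is replaced; the original leaked one reference per call. */
                if (eProcess != NULL) {
                    ObDereferenceObject(eProcess);
                }
                eProcess = target;
                target = NULL;   /* ownership moved to the global; unprotect releases it */

                rundownField = (PULONG64)((ULONG64)eProcess + PROCESS_RUNDOWN_PROTECT_OFFSET);
                OldVal = Get64bitValue(rundownField);
                dprintf("[x64Drv] RundownProtect Old Value=%I64u", OldVal);
                Set64bitValue(rundownField, RdpVal);
                /* Read back through the guarded helper rather than a raw dereference. */
                dprintf("[x64Drv] RundownProtect New Value=%I64u", Get64bitValue(rundownField));
                dprintf("[x64Drv] Protect Process finished");
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            status = GetExceptionCode();
        }
        if (target != NULL) {
            ObDereferenceObject(target);
        }
        break;
    }
    case IOCTL_UnprotectProcess:
    {
        __try
        {
            if (eProcess == NULL) {
                /* Nothing is protected (or it was already restored). */
                status = STATUS_INVALID_DEVICE_STATE;
            } else {
                Set64bitValue((PULONG64)((ULONG64)eProcess + PROCESS_RUNDOWN_PROTECT_OFFSET), OldVal);
                dprintf("[x64Drv] Unprotect process finished");
                ObDereferenceObject(eProcess);
                eProcess = NULL;
                status = STATUS_SUCCESS;
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            status = GetExceptionCode();
        }
        break;
    }
    default:
        /* Unknown control code: status stays STATUS_INVALID_DEVICE_REQUEST. */
        break;
    }

    /* No request writes output, so no bytes are reported as transferred. */
    pIrp->IoStatus.Information = 0;
    pIrp->IoStatus.Status = status;
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return status;
}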