Windows 10 x64 thread hiding
Note: I have recently been studying Windows drivers.
Introduction
Since Windows 10 the driver layer can no longer be hooked back and forth the way it used to be: PatchGuard (PG) and the page-isolation mechanism get in the way of patching kernel code and critical tables. The approach below therefore does not patch any code at all; it only unlinks a thread from the per-process thread lists (DKOM).
I. Environment
1. Windows 10 19044.2130, the latest build at the time of writing
2. VS2019
3. VMware 15.1 virtual machine
II. Code and data
The code is as follows (example):
    #include <ntifs.h>
    #include <wdm.h>

    // Notes from the author's WinDbg session on Windows 10 19044 x64:
    //   _KTHREAD  +0x220 Process        : Ptr64 _KPROCESS  (0xffffbf0f`64bde340 in that run)
    //   _EPROCESS +0x5a8 ImageFileName  : [15] UChar
    //   _KPROCESS +0x030 ThreadListHead : _LIST_ENTRY
    //   _EPROCESS +0x5e0 ThreadListHead : _LIST_ENTRY
    //   symbol path: srv*C:\Symbols;F:\xiangmu\MyDriver2\x64\Debug
    // The offsets are build-specific. Re-check them before loading on any other build:
    //   dt nt!_KPROCESS ThreadListHead
    //   dt nt!_EPROCESS ThreadListHead
    #define OFFSET_KPROCESS_THREADLISTHEAD 0x030
    #define OFFSET_EPROCESS_THREADLISTHEAD 0x5e0

    // Exported by ntoskrnl but absent from the public headers; returns a pointer to
    // EPROCESS.ImageFileName (the image name truncated to 15 characters).
    NTKERNELAPI PCHAR NTAPI PsGetProcessImageFileName(PEPROCESS Process);

    // Unlink Entry from its list and make it point at itself. If the entry kept its
    // stale neighbour pointers, the consistency check inside the kernel's own
    // RemoveEntryList would fire (FAST_FAIL_CORRUPTED_LIST_ENTRY, bugcheck 0x139)
    // when the thread exits and the kernel unlinks it again.
    static VOID UnlinkAndSelfLink(PLIST_ENTRY Entry)
    {
        RemoveEntryList(Entry);
        Entry->Flink = Entry;
        Entry->Blink = Entry;
    }

    // Hide the first thread of the process whose image name equals szTargetName
    // by unlinking it from both the KPROCESS and the EPROCESS thread list.
    // Note: nothing here synchronises with thread creation/exit in the target;
    // this is acceptable for a lab but not for production code.
    VOID HideThread(PCSTR szTargetName)
    {
        NTSTATUS ntstatus;
        PEPROCESS pEprocess = NULL;
        BOOLEAN bFound = FALSE;
        PLIST_ENTRY pHead, pFirst;

        // 1. Locate the process. PIDs are multiples of 4, so probe every candidate.
        for (ULONG_PTR i = 4; i < 0x100000; i += 4)
        {
            ntstatus = PsLookupProcessByProcessId((HANDLE)i, &pEprocess);
            if (!NT_SUCCESS(ntstatus))
                continue;

            if (strcmp(szTargetName, PsGetProcessImageFileName(pEprocess)) == 0)
            {
                DbgPrint("Found %s, EPROCESS = %p\n", szTargetName, pEprocess);
                bFound = TRUE;
                break;                       // keep the reference while we touch the process
            }
            ObDereferenceObject(pEprocess);  // release the lookup's reference
        }
        if (!bFound)
            return;

        // 2. Unlink the head thread from both per-process thread lists.
        //    ThreadListHead.Flink points at the first thread's ThreadListEntry
        //    (KTHREAD.ThreadListEntry and ETHREAD.ThreadListEntry respectively).
        pHead  = (PLIST_ENTRY)((PUCHAR)pEprocess + OFFSET_KPROCESS_THREADLISTHEAD);
        pFirst = pHead->Flink;
        if (pFirst != pHead)                 // empty list: nothing to unlink
            UnlinkAndSelfLink(pFirst);

        pHead  = (PLIST_ENTRY)((PUCHAR)pEprocess + OFFSET_EPROCESS_THREADLISTHEAD);
        pFirst = pHead->Flink;
        if (pFirst != pHead)
            UnlinkAndSelfLink(pFirst);

        ObDereferenceObject(pEprocess);
    }

    // DriverUnload must return VOID (PDRIVER_UNLOAD), not NTSTATUS.
    VOID DriverUnload(PDRIVER_OBJECT DriverObject)
    {
        UNREFERENCED_PARAMETER(DriverObject);
        DbgPrint("Driver Exit\r\n");
    }

    NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
    {
        UNREFERENCED_PARAMETER(RegistryPath);
        DbgPrint("Driver Load\r\n");
        DriverObject->DriverUnload = DriverUnload;
        HideThread("Project3.exe");
        return STATUS_SUCCESS;
    }

To check the result, compare the target's thread list before and after loading the driver: Process Explorer's Threads tab (which enumerates through EPROCESS.ThreadListHead) and !process in WinDbg should both lose the first thread, while the thread itself keeps running.
The next update will hide a specified thread ID; if you have questions, message me privately.
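The unlink above always takes whichever thread is first in the list. As an added example (not the author's driver code), the same operation generalised to a chosen thread ID, modelled in user-mode C so it compiles and runs anywhere: LIST_ENTRY, InsertTailList and RemoveEntryList are copied here to mirror the wdm.h definitions including the Flink/Blink consistency check, THREAD and PROCESS are stand-ins for ETHREAD and EPROCESS, and the TIDs are constructed. In a real driver the list head would come from EPROCESS.ThreadListHead at the build-specific offset and the TID from PsGetThreadId on the containing ETHREAD; those are assumptions about the real layout and are not shown here. The example also shows why the unlinked entry must be made to point at itself.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* User-mode model of LIST_ENTRY and of the wdm.h RemoveEntryList, including the
 * Flink/Blink consistency check Windows 10 performs (in the kernel a failure
 * raises FAST_FAIL_CORRUPTED_LIST_ENTRY, bugcheck 0x139). */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(PLIST_ENTRY h) { h->Flink = h->Blink = h; }

static void InsertTailList(PLIST_ENTRY h, PLIST_ENTRY e)
{
    e->Flink = h;
    e->Blink = h->Blink;
    h->Blink->Flink = e;
    h->Blink = e;
}

/* Returns false where the kernel would bug-check. */
static bool RemoveEntryList(PLIST_ENTRY e)
{
    PLIST_ENTRY next = e->Flink, prev = e->Blink;
    if (next->Blink != e || prev->Flink != e)
        return false;
    prev->Flink = next;
    next->Blink = prev;
    return true;
}

/* Stand-ins (constructed for this example) for the fields the driver touches:
 * ETHREAD.ThreadListEntry hangs off EPROCESS.ThreadListHead, and Tid stands in
 * for the thread ID the driver would obtain with PsGetThreadId. */
typedef struct _THREAD {
    unsigned long Tid;
    LIST_ENTRY ThreadListEntry;
} THREAD;

typedef struct _PROCESS {
    LIST_ENTRY ThreadListHead;
} PROCESS;

/* Enumerate the way list-walking consumers do: follow Flink until it wraps. */
static size_t EnumerateThreads(PROCESS *p, unsigned long *tids, size_t max)
{
    size_t n = 0;
    for (PLIST_ENTRY e = p->ThreadListHead.Flink; e != &p->ThreadListHead; e = e->Flink) {
        THREAD *t = CONTAINING_RECORD(e, THREAD, ThreadListEntry);
        if (tids && n < max)
            tids[n] = t->Tid;
        n++;
    }
    return n;
}

/* Hide the thread with the given TID. With selfLink the unlinked entry is made to
 * point at itself, so the kernel's own RemoveEntryList at thread exit still passes
 * its consistency check; without it the entry keeps stale neighbour pointers. */
static THREAD *HideThreadByTid(PROCESS *p, unsigned long tid, bool selfLink)
{
    for (PLIST_ENTRY e = p->ThreadListHead.Flink; e != &p->ThreadListHead; e = e->Flink) {
        THREAD *t = CONTAINING_RECORD(e, THREAD, ThreadListEntry);
        if (t->Tid != tid)
            continue;
        RemoveEntryList(e);
        if (selfLink)
            e->Flink = e->Blink = e;
        return t;
    }
    return NULL;
}

/* Build a process with four constructed threads (TIDs 100, 104, 108, 112) and hide one. */
static THREAD *BuildAndHide(PROCESS *proc, THREAD threads[4], unsigned long tid, bool selfLink)
{
    InitializeListHead(&proc->ThreadListHead);
    for (size_t i = 0; i < 4; i++) {
        threads[i].Tid = 100 + 4 * (unsigned long)i;
        InsertTailList(&proc->ThreadListHead, &threads[i].ThreadListEntry);
    }
    return HideThreadByTid(proc, tid, selfLink);
}

/* Threads still visible after hiding tid, or -1 if tid does not exist. */
static int VisibleAfterHide(unsigned long tid, bool selfLink)
{
    THREAD threads[4];
    PROCESS proc;
    if (!BuildAndHide(&proc, threads, tid, selfLink))
        return -1;
    return (int)EnumerateThreads(&proc, NULL, 0);
}

/* Would the hidden thread's later exit (the kernel's own RemoveEntryList on its
 * ThreadListEntry) pass the consistency check? */
static bool ExitUnlinkOk(unsigned long tid, bool selfLink)
{
    THREAD threads[4];
    PROCESS proc;
    THREAD *hidden = BuildAndHide(&proc, threads, tid, selfLink);
    return hidden && RemoveEntryList(&hidden->ThreadListEntry);
}

int main(void)
{
    printf("self-linked: %d visible, exit unlink %s\n", VisibleAfterHide(108, true),
           ExitUnlinkOk(108, true) ? "ok" : "would bugcheck");
    printf("stale entry: %d visible, exit unlink %s\n", VisibleAfterHide(108, false),
           ExitUnlinkOk(108, false) ? "ok" : "would bugcheck");
    return 0;
}
```

Both variants hide the thread from enumeration equally well; the difference only shows when the thread exits. The same self-link is what the driver's UnlinkAndSelfLink does, and it has to be applied to both the KPROCESS and the EPROCESS entry.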
Summary
Note: driver signature enforcement must be disabled in the virtual machine, since the driver is unsigned.
Steps: Start menu > Settings > Update & Security > Recovery > Advanced startup (Restart now).
After the reboot choose Troubleshoot > Advanced options > Startup Settings > Restart, then press F7 (Disable driver signature enforcement).
This setting lasts only for that boot. For a persistent lab setup, enable test signing with `bcdedit /set testsigning on` and test-sign the driver instead.