目录
ActiveProcessLinks?
全局句柄表
ActiveProcessLinks?
EPROCESS进程结构中成员ActiveProcessLinks双向链表指向了当前所有活动进程(断链后在任务管理器以及部分API中查询不到).
只需定位到ActiveProcessLinks成员即可实现遍历进程.
代码实现:
#include "ntifs.h"
PUCHAR PsGetProcessImageFileName(__in PEPROCESS Process);
//遍历进程
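/*
 * Offsets into EPROCESS used by the ActiveProcessLinks walk below.
 * EPROCESS layout is build-specific (it differs between Windows versions
 * and between x86 and x64), so these must be confirmed against the target
 * kernel's symbols (dt nt!_EPROCESS) before the driver is loaded there.
 * They look like Windows 7 x86 values -- verify. The 4-byte PID read below
 * also assumes a 32-bit kernel, as the original listing did.
 */
enum
{
    EPROCESS_UNIQUE_PROCESS_ID_OFFSET    = 0xb4,
    EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET = 0xb8,
    /* Sanity cap on nodes visited (constructed bound, far above any real
     * process count): stops the walk on a list that never returns to its
     * starting node instead of spinning forever. */
    MAX_ACTIVE_PROCESS_NODES = 0x10000
};

/*
 * Walk the kernel's active-process list and print PID + image name for
 * every node reached.
 *
 * Starts at the current process (PsGetCurrentProcess) and follows
 * ActiveProcessLinks.Flink until the walk returns to the starting node.
 * EPROCESS fields are read through raw offsets rather than a struct, so
 * the output is only meaningful on a kernel whose layout matches the
 * offsets above. The list is walked without any lock, so a concurrent
 * process create/exit can change it underneath us; a NULL link or a walk
 * that does not come back to the start ends the loop with a message
 * rather than faulting or hanging.
 *
 * No parameters, no return value; output goes to DbgPrint.
 */
VOID TraverseProcess(VOID)
{
    PEPROCESS start = NULL;
    PEPROCESS cur = NULL;
    ULONG visited = 0;

    // Ways the original author listed for locating an EPROCESS:
    //  1. FS:[0x124] -> _KTHREAD -> _KPROCESS via inline asm (x86 only)
    //  2. the exported PsInitialSystemProcess (the System process)
    //  3. PsGetCurrentProcess(), which is what is used here.
    start = PsGetCurrentProcess();
    cur = start;
    DbgPrint("pEprocess -> [%p] \r\n", start);

    do
    {
        // UniqueProcessId is a HANDLE; reading 4 bytes assumes x86.
        ULONG pid = *(PULONG)((PUCHAR)cur + EPROCESS_UNIQUE_PROCESS_ID_OFFSET);
        PUCHAR name = PsGetProcessImageFileName(cur);
        // ActiveProcessLinks is a LIST_ENTRY; its first field is Flink,
        // read here at pointer width rather than as a fixed 4-byte ULONG.
        PUCHAR link = (PUCHAR)cur + EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET;
        PUCHAR next_link = *(PUCHAR *)link;

        DbgPrint("PID ->[%08lu] ProcessName ->[%s] \r\n", pid, name);

        if (next_link == NULL)
        {
            DbgPrint("ActiveProcessLinks.Flink is NULL, stopping walk \r\n");
            break;
        }

        // Flink points at the next node's ActiveProcessLinks field, so
        // subtract the field offset to get back to that node's EPROCESS
        // (CONTAINING_RECORD done by hand, since no struct is declared).
        cur = (PEPROCESS)(next_link - EPROCESS_ACTIVE_PROCESS_LINKS_OFFSET);
    } while (cur != start && ++visited < MAX_ACTIVE_PROCESS_NODES);

    // A walk that does not return to its start means the list was changed
    // under us or is not a well-formed circular list -- worth reporting.
    if (cur != start)
    {
        DbgPrint("ActiveProcessLinks walk terminated early after %lu nodes \r\n", visited);
    }
}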
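/*
 * Driver unload callback.
 *
 * The I/O manager invokes this through pDriver->DriverUnload, whose
 * PDRIVER_UNLOAD type returns VOID; the original declared NTSTATUS and
 * then fell off the end without returning a value.
 *
 * @param pDriver  driver object being unloaded (nothing to tear down here).
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    (void)pDriver; // no per-driver state was allocated, so nothing to free

    DbgPrint("Driver Exit \r\n");
}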
/*
 * Driver entry point: logs the load, walks the process list once and
 * registers the unload routine.
 *
 * @param pDriver  driver object supplied by the I/O manager.
 * @param pReg     registry path of the driver's service key; not used.
 * @return STATUS_SUCCESS in all cases.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    NTSTATUS status = STATUS_SUCCESS;

    (void)pReg;

    DbgPrint("Driver Load \r\n");

    // Enumeration runs synchronously during load; results go to DbgPrint.
    TraverseProcess();

    pDriver->DriverUnload = DriverUnload;

    return status;
}
全局句柄表
所有进程和线程都会存储在全局句柄表中(后续章节讲解). 通过暴力枚举 PID 获取当前活动进程. 此方式可以发现通过断链 ActiveProcessLinks 来隐藏的进程.
代码如下:
#include "ntifs.h"
PUCHAR PsGetProcessImageFileName(__in PEPROCESS Process);
//遍历进程
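/* PIDs are handle-table indexes: always multiples of 4, with 0 reserved
 * for the Idle process. The upper bound is the original listing's search
 * range, not a kernel limit. */
enum
{
    PID_STEP = 4,
    PID_SCAN_LIMIT = 0x100000
};

/*
 * Enumerate processes by probing every candidate PID with
 * PsLookupProcessByProcessId, printing PID + image name for each hit.
 *
 * This never reads ActiveProcessLinks, so a process whose EPROCESS was
 * unlinked from that list is still found as long as its handle-table entry
 * exists. PsLookupProcessByProcessId returns a *referenced* EPROCESS; the
 * reference must be held until the object is no longer used, so the
 * ObDereferenceObject call comes after PsGetProcessImageFileName here.
 * The original released the reference first and then read the image name,
 * which can touch a freed object if that was the last reference.
 *
 * No parameters, no return value; output goes to DbgPrint.
 */
VOID TraverseProcess(VOID)
{
    size_t pid = 0;

    for (pid = PID_STEP; pid < PID_SCAN_LIMIT; pid += PID_STEP)
    {
        PEPROCESS process = NULL;
        NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &process);

        if (!NT_SUCCESS(status))
        {
            continue; // no live process with this id; nothing to release
        }

        // size_t is not an int, so pass the PID as ULONG with a matching
        // specifier; every value in range prints the same digits as before.
        DbgPrint("PID ->[%08lu] ProcessName ->[%s] \r\n", (ULONG)pid,
                 PsGetProcessImageFileName(process));

        // Drop the reference taken by PsLookupProcessByProcessId, only
        // after the last use of 'process'.
        ObDereferenceObject(process);
    }
}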
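/*
 * Driver unload callback, invoked through pDriver->DriverUnload.
 *
 * PDRIVER_UNLOAD returns VOID; the original declared NTSTATUS and reached
 * the end of the function without a return statement.
 *
 * @param pDriver  driver object being unloaded (unused: no state to free).
 */
VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
    (void)pDriver;

    DbgPrint("Driver Exit \r\n");
}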
/*
 * Driver entry point: logs the load, runs the PID scan once and installs
 * the unload routine.
 *
 * @param pDriver  driver object supplied by the I/O manager.
 * @param pReg     registry path of the driver's service key; not used.
 * @return STATUS_SUCCESS in all cases.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
    (void)pReg;

    DbgPrint("Driver Load \r\n");

    // The scan is synchronous; its output appears in the kernel debugger.
    TraverseProcess();

    pDriver->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}