实现隐藏进程和保护进程的手段依然是 DKOM(Direct Kernel Object Manipulation,直接修改内核对象),只不过修改的 EPROCESS/ETHREAD 字段位置不同而已。
至于怎么在64位操作系统上加载驱动,我已经说过了,请参考这里。
驱动使用WDK7的x64 Free Build Environment编译。
核心源码:
更新内容:
/*
 * Raw byte offsets into EPROCESS / ETHREAD used by the DKOM code below.
 * The kernel does not export these and they change between Windows builds
 * (the post targets Windows 7 x64). Before loading the driver on any other
 * build, re-derive them with `dt nt!_EPROCESS` / `dt nt!_ETHREAD` in WinDbg;
 * a wrong offset means the driver reads and writes unrelated kernel memory.
 */
#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x188   /* presumably EPROCESS.ActiveProcessLinks; not referenced by Test() below */
#define PROCESS_FLAG2_OFFSET 0x43C                  /* presumably EPROCESS.Flags2 (patched by IOCTL_ProtectProcess) */
#define CROSS_THREAD_FLAGS_OFFSET 0x448             /* presumably ETHREAD.CrossThreadFlags (patched by IOCTL_ProtectThread) */
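/*
 * Test - IOCTL dispatcher for the DKOM process/thread "protection" demo.
 *
 * uIoControlCode selects the action; everything else is file-scope state
 * shared with the driver's dispatch routine:
 *   pIoBuffer          IOCTL input buffer (user-supplied PID or TID)
 *   eProcess/eThread   referenced EPROCESS/ETHREAD from the last Protect*
 *   dwPOV/dwTOV        original flag values saved before patching
 *   dwPNV/dwTNV        replacement flag values (defined elsewhere)
 *   status             status of the last PsLookup*ById() call
 *
 * Review notes:
 *  - pIoBuffer is user-controlled and its length is not visible here, so the
 *    dispatch routine must already have checked that the input buffer holds
 *    at least sizeof(dwInPid) / sizeof(dwInTid) bytes — TODO confirm there.
 *  - Kernel-mode __try/__except only catches faults on user-mode addresses;
 *    touching an invalid kernel address (e.g. a NULL eProcess) bug-checks the
 *    machine. The restore/pause/resume paths therefore test the pointers
 *    explicitly instead of relying on the exception filter, which the
 *    original code did not do.
 *  - PsLookupProcessByProcessId / PsLookupThreadByThreadId return a
 *    referenced object. The reference is held while the flags are patched
 *    (so the object cannot be freed and reused underneath the later restore)
 *    and released in IOCTL_UnprotectProcess; a repeated Protect* drops the
 *    previous reference instead of leaking it.
 *  - NOTE(review): Flags2 is accessed with the 64-bit helpers while the
 *    thread flags use the 32-bit ones. If Flags2 is a 32-bit field on the
 *    target build, Get/Set64bitValue also read/clobber the 4 bytes that
 *    follow it; confirm with `dt nt!_EPROCESS` before relying on this.
 */
VOID Test(ULONG uIoControlCode)
{
    switch (uIoControlCode)
    {
    case IOCTL_ProtectProcess:
    {
        __try
        {
            memcpy(&dwInPid, pIoBuffer, sizeof(dwInPid));
            dprintf("[x64Drv] dwInPid=%ld", dwInPid);

            /* Release the reference taken by an earlier Protect call. */
            if (eProcess)
            {
                ObDereferenceObject(eProcess);
                eProcess = NULL;
            }

            status = PsLookupProcessByProcessId(dwInPid, &eProcess);
            if (NT_SUCCESS(status))
            {
                /* Save the original value so Unprotect can put it back. */
                dwPOV = Get64bitValue((PULONG64)((ULONG64)eProcess + PROCESS_FLAG2_OFFSET));
                Set64bitValue((PULONG64)((ULONG64)eProcess + PROCESS_FLAG2_OFFSET), dwPNV);
                dprintf("[x64Drv] Protect Process finished");
            }
            else
            {
                /* Never keep a stale pointer around after a failed lookup. */
                eProcess = NULL;
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            /* Only a fault while reading pIoBuffer (user memory) lands here. */
            ;
        }
        break;
    }
    case IOCTL_ProtectThread:
    {
        __try
        {
            memcpy(&dwInTid, pIoBuffer, sizeof(dwInTid));
            dprintf("[x64Drv] dwInTid=%ld", dwInTid);

            /* Release the reference taken by an earlier Protect call. */
            if (eThread)
            {
                ObDereferenceObject(eThread);
                eThread = NULL;
            }

            status = PsLookupThreadByThreadId(dwInTid, &eThread);
            if (NT_SUCCESS(status))
            {
                /* Save the original value so Unprotect/Pause can put it back. */
                dwTOV = Get32bitValue((PULONG64)((ULONG64)eThread + CROSS_THREAD_FLAGS_OFFSET));
                Set32bitValue((PULONG64)((ULONG64)eThread + CROSS_THREAD_FLAGS_OFFSET), dwTNV);
                dprintf("[x64Drv] Protect Thread finished");
            }
            else
            {
                /* Never keep a stale pointer around after a failed lookup. */
                eThread = NULL;
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            /* Only a fault while reading pIoBuffer (user memory) lands here. */
            ;
        }
        break;
    }
    case IOCTL_UnprotectProcess:
    {
        /*
         * Restore each object only if a Protect* actually succeeded for it;
         * dereferencing NULL here would bug-check, __except or not.
         */
        if (eProcess)
        {
            Set64bitValue((PULONG64)((ULONG64)eProcess + PROCESS_FLAG2_OFFSET), dwPOV);
            ObDereferenceObject(eProcess);
            eProcess = NULL;
        }
        if (eThread)
        {
            Set32bitValue((PULONG64)((ULONG64)eThread + CROSS_THREAD_FLAGS_OFFSET), dwTOV);
            ObDereferenceObject(eThread);
            eThread = NULL;
        }
        dprintf("[x64Drv] Unprotect Process and Thread finished");
        break;
    }
    case IOCTL_PauseThrdProtect:
    {
        /* Temporarily put the original thread flags back; reference is kept. */
        if (eThread)
        {
            Set32bitValue((PULONG64)((ULONG64)eThread + CROSS_THREAD_FLAGS_OFFSET), dwTOV);
            dprintf("[x64Drv] Thread Protect Suspended!");
        }
        break;
    }
    case IOCTL_ResumeThrdProtect:
    {
        /* Re-apply the replacement thread flags saved by IOCTL_ProtectThread. */
        if (eThread)
        {
            Set32bitValue((PULONG64)((ULONG64)eThread + CROSS_THREAD_FLAGS_OFFSET), dwTNV);
            dprintf("[x64Drv] Thread Protect Resumed!");
        }
        break;
    }
    default:
        /* Unknown control code: nothing to do (same as the original). */
        break;
    }
}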
警告:在内核未被"破解"(PatchGuard 仍然生效)的 Win7 x64 上运行此代码会触发 PatchGuard 并导致蓝屏;此外上面的偏移量只针对该版本内核,换到其他 Windows 版本会读写到无关的内核内存。
Warning: on Windows 7 x64 with an unmodified kernel (PatchGuard / Kernel Patch Protection still active), this code will trip PatchGuard and bug-check the machine (BSOD). The hard-coded offsets above are also specific to that build; on any other Windows version they may point at unrelated kernel memory.