win7 x64 改进程名的驱动。调试的心态崩了
/*
 * Driver entry point.
 *
 * Registers DriverUnLoad as the unload routine, looks up a process by image
 * name through EnumProcess() (defined elsewhere, not on this page) and hands
 * the result straight to ChangeProcessName().
 *
 * NOTE(review): the value returned by EnumProcess() is not validated before
 * use, and STATUS_SUCCESS is returned unconditionally, so a lookup failure is
 * never reported back to the loader.  What EnumProcess() returns when no such
 * process exists cannot be determined from this page.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath){
DriverObject->DriverUnload = DriverUnLoad;
PEPROCESS pProcess = EnumProcess("chrome.exe");
ChangeProcessName(pProcess);
return STATUS_SUCCESS;
}
/*
 * Overwrites a pointer-sized field at a hard-coded offset (0x390) inside the
 * EPROCESS passed in, with write protection lowered around the write, so that
 * it points at a UNICODE_STRING naming csrss.exe.  The commented-out code in
 * the body records earlier attempts against the field at 0x2e0 and against
 * the PEB / ProcessParameters / Ldr fields.
 *
 * Review notes (defender's view):
 *  - 0x2e0 and 0x390 are raw offsets tied to one specific kernel build;
 *    nothing here verifies the running build or the field type before the
 *    write, which is why such patches tend to corrupt unrelated state and
 *    crash on any other build.
 *  - WPOFFx64() / WPONx64() are not shown on this page; by name they appear
 *    to toggle the CPU write-protect bit around the write -- confirm.
 *  - `*pName2 = &Name;` stores a pointer into a ULONG64 slot without a cast
 *    (implicit pointer-to-integer conversion; a conforming compiler at least
 *    warns about this).
 *  - Hand-patching EPROCESS fields with write protection off is the kind of
 *    kernel-object tampering that kernel integrity protections and kernel
 *    callback telemetry exist to surface; the post-change crash reported on
 *    this page is consistent with the kernel later reading inconsistent data
 *    from the modified field.
 */
void ChangeProcessName(PEPROCESS pProcess)
{
KIRQL irql = WPOFFx64();
//ImageFileName
//PUCHAR pName1 = (PUCHAR)((ULONG64)pProcess + 0x2e0);
//UCHAR* str1 = "csrss.exe";
//RtlCopyMemory(pName1, str1, 14);
//SE_AUDIT_PROCESS_CREATION_INFO
//After changing this, the ExpGetProcessInformation function runs into trouble and causes a blue screen
// Name is an automatic (stack) variable of this function.
UNICODE_STRING Name = { 0 };
Name.Length = 0x7e;
Name.MaximumLength = 0x80;
Name.Buffer = L"\\Device\\HarddiskVolume1\\Windows\\System32\\Application\\csrss.exe";
//WCHAR* p = L"\\Device\\HarddiskVolume1\\Windows\\System32\\Application\\csrss.exe";
//SE_AUDIT_PROCESS_CREATION_INFO info1;
//OBJECT_NAME_INFORMATION info2;
//(&info2)->Name = Name;
//info1.ImageFileName = &info2;
// Raw write to EPROCESS+0x390; the field type at that offset is assumed, not checked.
PULONG64 pName2 = (PULONG64)((ULONG64)pProcess + 0x390);
*pName2 = &Name;
//PEB-->ProcessParameters-->ImagePathName
//PEB-->ProcessParameters-->CommandLine
//PEB->ProcessParameters-->WindowTitle
/*
PPEB pPeb = (PPEB)((ULONG64)pProcess + PebOffset);
PRTL_USER_PROCESS_PARAMETERS pProcessParameters = (PRTL_USER_PROCESS_PARAMETERS)((ULONG64)pPeb + 0x20);
UNICODE_STRING ImagePathName;
UNICODE_STRING CommandLine;
UNICODE_STRING WindowTitle;
RtlInitUnicodeString(&ImagePathName, L"csrss.exe");
RtlInitUnicodeString(&CommandLine, L"csrss.exe");
RtlInitUnicodeString(&WindowTitle, L"csrss.exe");
pProcessParameters->CommandLine = CommandLine;
pProcessParameters->ImagePathName = ImagePathName;
pProcessParameters->WindowTitle = WindowTitle;
//PEB-->LDR-->InLoadOrderModuleList->first entry->FullDllName
//PEB-->LDR-->InLoadOrderModuleList->first entry->BaseDllName
//PEB-->LDR-->InMemoryOrderModuleList->first entry->FullDllName
PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)((ULONG64)pPeb + 0x18);
*/
WPONx64(irql);
}
函数的参数是一个进程的PEPROCESS结构。
目的是把目标进程改名为csrss.exe。
红色标注的是崩溃的地方,大致是内核中_EPROCESS结构中通过SE_AUDIT_PROCESS_CREATION_INFO 获取进程名,并修改。任务管理器是靠这个获取的,所以可以看进程管理器,但是修改后每次都乱码,然后1分钟左右崩溃。反汇编后大概是ExpGetProcessInformation出了问题,百度谷歌都没有资料。说的可能不太清楚,需要一点内核经验。 改 _EPROCESS 结构就行了 JuncoJet 发表于 2020-2-2 00:24
改 _EPROCESS 结构就行了
struct EPROCESS
/*
 * Layout of the kernel's _EPROCESS as pasted into the thread (posted with the
 * reply "just change the _EPROCESS structure").  KPROCESS, EX_PUSH_LOCK,
 * EX_RUNDOWN_REF, PHANDLE_TABLE, EX_FAST_REF, PMM_AVL_TABLE, PEJOB,
 * HARDWARE_PTE, SE_AUDIT_PROCESS_CREATION_INFO, MMSUPPORT, MM_AVL_TABLE and
 * ALPC_PROCESS_CONTEXT are not defined on this page.
 *
 * NOTE(review):
 *  - The 4-byte ULONG counters (QuotaUsage, VirtualSize, ...) and the
 *    PVOID-sized pointers suggest a 32-bit dump, not the x64 layout that the
 *    driver above patches at 0x2e0 / 0x390 -- confirm against the target build
 *    before trusting any offset derived from this text.
 *  - `_EPROCESS_QUOTA_BLOCK *` and `_PAGEFAULT_HISTORY *` use bare tags
 *    without `struct`, so this does not compile as plain C as written.
 *  - The bit-fields that follow `Flags2` and `Flags` are separate members
 *    here, not overlays of those two words.
 *  - `ImageFileName` is declared as a single UCHAR rather than an array, so
 *    this dump does not describe the size of the name field.
 */
typedef struct _EPROCESS
{
KPROCESS Pcb;
EX_PUSH_LOCK ProcessLock;
LARGE_INTEGER CreateTime;
LARGE_INTEGER ExitTime;
EX_RUNDOWN_REF RundownProtect;
PVOID UniqueProcessId;
LIST_ENTRY ActiveProcessLinks;
ULONG QuotaUsage;
ULONG QuotaPeak;
ULONG CommitCharge;
ULONG PeakVirtualSize;
ULONG VirtualSize;
LIST_ENTRY SessionProcessLinks;
PVOID DebugPort;
union
{
PVOID ExceptionPortData;
ULONG ExceptionPortValue;
ULONG ExceptionPortState: 3;
};
PHANDLE_TABLE ObjectTable;
EX_FAST_REF Token;
ULONG WorkingSetPage;
EX_PUSH_LOCK AddressCreationLock;
PETHREAD RotateInProgress;
PETHREAD ForkInProgress;
ULONG HardwareTrigger;
PMM_AVL_TABLE PhysicalVadRoot;
PVOID CloneRoot;
ULONG NumberOfPrivatePages;
ULONG NumberOfLockedPages;
PVOID Win32Process;
PEJOB Job;
PVOID SectionObject;
PVOID SectionBaseAddress;
_EPROCESS_QUOTA_BLOCK * QuotaBlock;
_PAGEFAULT_HISTORY * WorkingSetWatch;
PVOID Win32WindowStation;
PVOID InheritedFromUniqueProcessId;
PVOID LdtInformation;
PVOID VadFreeHint;
PVOID VdmObjects;
PVOID DeviceMap;
PVOID EtwDataSource;
PVOID FreeTebHint;
union
{
HARDWARE_PTE PageDirectoryPte;
UINT64 Filler;
};
PVOID Session;
/* Declared as one byte here; see the header note. */
UCHAR ImageFileName;
LIST_ENTRY JobLinks;
PVOID LockedPagesList;
LIST_ENTRY ThreadListHead;
PVOID SecurityPort;
PVOID PaeTop;
ULONG ActiveThreads;
ULONG ImagePathHash;
ULONG DefaultHardErrorProcessing;
LONG LastThreadExitStatus;
PPEB Peb;
EX_FAST_REF PrefetchTrace;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
ULONG CommitChargeLimit;
ULONG CommitChargePeak;
PVOID AweInfo;
/* The field the thread is discussing; its type is not defined on this page. */
SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
MMSUPPORT Vm;
LIST_ENTRY MmProcessLinks;
ULONG ModifiedPageCount;
/* As pasted, the bit-fields below are separate members, not a view of Flags2. */
ULONG Flags2;
ULONG JobNotReallyActive: 1;
ULONG AccountingFolded: 1;
ULONG NewProcessReported: 1;
ULONG ExitProcessReported: 1;
ULONG ReportCommitChanges: 1;
ULONG LastReportMemory: 1;
ULONG ReportPhysicalPageChanges: 1;
ULONG HandleTableRundown: 1;
ULONG NeedsHandleRundown: 1;
ULONG RefTraceEnabled: 1;
ULONG NumaAware: 1;
ULONG ProtectedProcess: 1;
ULONG DefaultPagePriority: 3;
ULONG PrimaryTokenFrozen: 1;
ULONG ProcessVerifierTarget: 1;
ULONG StackRandomizationDisabled: 1;
/* Same remark for the bit-fields that follow Flags. */
ULONG Flags;
ULONG CreateReported: 1;
ULONG NoDebugInherit: 1;
ULONG ProcessExiting: 1;
ULONG ProcessDelete: 1;
ULONG Wow64SplitPages: 1;
ULONG VmDeleted: 1;
ULONG OutswapEnabled: 1;
ULONG Outswapped: 1;
ULONG ForkFailed: 1;
ULONG Wow64VaSpace4Gb: 1;
ULONG AddressSpaceInitialized: 2;
ULONG SetTimerResolution: 1;
ULONG BreakOnTermination: 1;
ULONG DeprioritizeViews: 1;
ULONG WriteWatch: 1;
ULONG ProcessInSession: 1;
ULONG OverrideAddressSpace: 1;
ULONG HasAddressSpace: 1;
ULONG LaunchPrefetched: 1;
ULONG InjectInpageErrors: 1;
ULONG VmTopDown: 1;
ULONG ImageNotifyDone: 1;
ULONG PdeUpdateNeeded: 1;
ULONG VdmAllowed: 1;
ULONG SmapAllowed: 1;
ULONG ProcessInserted: 1;
ULONG DefaultIoPriority: 3;
ULONG SparePsFlags1: 2;
LONG ExitStatus;
WORD Spare7;
union
{
struct
{
UCHAR SubSystemMinorVersion;
UCHAR SubSystemMajorVersion;
};
WORD SubSystemVersion;
};
UCHAR PriorityClass;
MM_AVL_TABLE VadRoot;
ULONG Cookie;
ALPC_PROCESS_CONTEXT AlpcContext;
} EPROCESS, *PEPROCESS;
我改的是红色那个,那个其实是一个unicode指针,但是一改,我在windbg里看是正常的,任务管理器看的是乱码。 不知道 坐等大神回答...... 遇到问题不要慌~掏出手机发个朋友圈~ 改 _EPROCESS 结构就行了
(我不懂 .......参考JuncoJet就行) 帮顶上去,会有大神指点你的 你修改它的目的是为啥??? 谢谢楼主分享 liphily 发表于 2020-2-2 09:24
win7的64位驱动是强制要求数字签名的吧。。。
是不是因为这个问题,导致你的操作被系统本身拦截了
不是这个,内核已经破解了,驱动可以随便打了