win7 x64 改进程名的驱动。调试的心态崩了

b917893200

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
        DriverObject->DriverUnload = DriverUnLoad;
        PEPROCESS pProcess = EnumProcess("chrome.exe");
        ChangeProcessName(pProcess);
        return STATUS_SUCCESS;
}

void ChangeProcessName(PEPROCESS pProcess)
{
        KIRQL irql = WPOFFx64();

        //ImageFileName
        //PUCHAR pName1 = (PUCHAR)((ULONG64)pProcess + 0x2e0);
        //UCHAR* str1 = "csrss.exe";
        //RtlCopyMemory(pName1, str1, 14);

        //SE_AUDIT_PROCESS_CREATION_INFO
        //改了之后这个ExpGetProcessInformation函数会出现问题导致蓝屏
        UNICODE_STRING Name = { 0 };
        Name.Length = 0x7e;
        Name.MaximumLength = 0x80;
        Name.Buffer = L"\\Device\\HarddiskVolume1\\Windows\\System32\\Application\\csrss.exe";
        //WCHAR* p = L"\\Device\\HarddiskVolume1\\Windows\\System32\\Application\\csrss.exe";
        //SE_AUDIT_PROCESS_CREATION_INFO info1;
        //OBJECT_NAME_INFORMATION info2;
        //(&info2)->Name = Name;
        //info1.ImageFileName = &info2;
        PULONG64 pName2 = (PULONG64)((ULONG64)pProcess + 0x390);
        *pName2 = &Name;
       

        //PEB-->ProcessParameters-->ImagePathName
        //PEB-->ProcessParameters-->CommandLine
        //PEB->ProcessParameters-->WindowTitle
        /*
        PPEB pPeb = (PPEB)((ULONG64)pProcess + PebOffset);
        PRTL_USER_PROCESS_PARAMETERS pProcessParameters = (PRTL_USER_PROCESS_PARAMETERS)((ULONG64)pPeb + 0x20);
        UNICODE_STRING ImagePathName;
        UNICODE_STRING CommandLine;
        UNICODE_STRING WindowTitle;
        RtlInitUnicodeString(&ImagePathName, L"csrss.exe");
        RtlInitUnicodeString(&CommandLine, L"csrss.exe");
        RtlInitUnicodeString(&WindowTitle, L"csrss.exe");
        pProcessParameters->CommandLine = CommandLine;
        pProcessParameters->ImagePathName = ImagePathName;
        pProcessParameters->WindowTitle = WindowTitle;

        //PEB-->LDR-->InLoadOrderModuleList->第一个结构->FullDllName
        //PEB-->LDR-->InLoadOrderModuleList->第一个结构->BaseDllName
        //PEB-->LDR-->InMemoryOrderModuleList->第一个结构->FullDllName
        PPEB_LDR_DATA pLdr = (PPEB_LDR_DATA)((ULONG64)pPeb + 0x18);

        */


       
        WPONx64(irql);
}

函数的参数是一个进程的PPROCESS结构。
目的是把目标进程改名为csrss.exe
红色标注的是崩溃的地方，大致是内核中_eproecess结构中SE_AUDIT_PROCESS_CREATION_INFO 获取进程名，并修改。任务管理器是靠这个获取的，所以可以看进程管理器，但是修改后每次都乱码，然后1分钟左右崩溃。反汇编后大概是ExpGetProcessInformation出了问题，百度谷歌都没的资料。说的可能不太清楚，需要一点内核经验。

JuncoJet

改 _EPROCESS 结构就行了

b917893200

JuncoJet 发表于 2020-2-2 00:24
改 _EPROCESS 结构就行了

       
struct EPROCESS
typedef struct _EPROCESS
{
     KPROCESS Pcb;
     EX_PUSH_LOCK ProcessLock;
     LARGE_INTEGER CreateTime;
     LARGE_INTEGER ExitTime;
     EX_RUNDOWN_REF RundownProtect;
     PVOID UniqueProcessId;
     LIST_ENTRY ActiveProcessLinks;
     ULONG QuotaUsage[3];
     ULONG QuotaPeak[3];
     ULONG CommitCharge;
     ULONG PeakVirtualSize;
     ULONG VirtualSize;
     LIST_ENTRY SessionProcessLinks;
     PVOID DebugPort;
     union
     {
          PVOID ExceptionPortData;
          ULONG ExceptionPortValue;
          ULONG ExceptionPortState: 3;
     };
     PHANDLE_TABLE ObjectTable;
     EX_FAST_REF Token;
     ULONG WorkingSetPage;
     EX_PUSH_LOCK AddressCreationLock;
     PETHREAD RotateInProgress;
     PETHREAD ForkInProgress;
     ULONG HardwareTrigger;
     PMM_AVL_TABLE PhysicalVadRoot;
     PVOID CloneRoot;
     ULONG NumberOfPrivatePages;
     ULONG NumberOfLockedPages;
     PVOID Win32Process;
     PEJOB Job;
     PVOID SectionObject;
     PVOID SectionBaseAddress;
     _EPROCESS_QUOTA_BLOCK * QuotaBlock;
     _PAGEFAULT_HISTORY * WorkingSetWatch;
     PVOID Win32WindowStation;
     PVOID InheritedFromUniqueProcessId;
     PVOID LdtInformation;
     PVOID VadFreeHint;
     PVOID VdmObjects;
     PVOID DeviceMap;
     PVOID EtwDataSource;
     PVOID FreeTebHint;
     union
     {
          HARDWARE_PTE PageDirectoryPte;
          UINT64 Filler;
     };
     PVOID Session;
     UCHAR ImageFileName[16];
     LIST_ENTRY JobLinks;
     PVOID LockedPagesList;
     LIST_ENTRY ThreadListHead;
     PVOID SecurityPort;
     PVOID PaeTop;
     ULONG ActiveThreads;
     ULONG ImagePathHash;
     ULONG DefaultHardErrorProcessing;
     LONG LastThreadExitStatus;
     PPEB Peb;
     EX_FAST_REF PrefetchTrace;
     LARGE_INTEGER ReadOperationCount;
     LARGE_INTEGER WriteOperationCount;
     LARGE_INTEGER OtherOperationCount;
     LARGE_INTEGER ReadTransferCount;
     LARGE_INTEGER WriteTransferCount;
     LARGE_INTEGER OtherTransferCount;
     ULONG CommitChargeLimit;
     ULONG CommitChargePeak;
     PVOID AweInfo;
     SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;
     MMSUPPORT Vm;
     LIST_ENTRY MmProcessLinks;
     ULONG ModifiedPageCount;
     ULONG Flags2;
     ULONG JobNotReallyActive: 1;
     ULONG AccountingFolded: 1;
     ULONG NewProcessReported: 1;
     ULONG ExitProcessReported: 1;
     ULONG ReportCommitChanges: 1;
     ULONG LastReportMemory: 1;
     ULONG ReportPhysicalPageChanges: 1;
     ULONG HandleTableRundown: 1;
     ULONG NeedsHandleRundown: 1;
     ULONG RefTraceEnabled: 1;
     ULONG NumaAware: 1;
     ULONG ProtectedProcess: 1;
     ULONG DefaultPagePriority: 3;
     ULONG PrimaryTokenFrozen: 1;
     ULONG ProcessVerifierTarget: 1;
     ULONG StackRandomizationDisabled: 1;
     ULONG Flags;
     ULONG CreateReported: 1;
     ULONG NoDebugInherit: 1;
     ULONG ProcessExiting: 1;
     ULONG ProcessDelete: 1;
     ULONG Wow64SplitPages: 1;
     ULONG VmDeleted: 1;
     ULONG OutswapEnabled: 1;
     ULONG Outswapped: 1;
     ULONG ForkFailed: 1;
     ULONG Wow64VaSpace4Gb: 1;
     ULONG AddressSpaceInitialized: 2;
     ULONG SetTimerResolution: 1;
     ULONG BreakOnTermination: 1;
     ULONG DeprioritizeViews: 1;
     ULONG WriteWatch: 1;
     ULONG ProcessInSession: 1;
     ULONG OverrideAddressSpace: 1;
     ULONG HasAddressSpace: 1;
     ULONG LaunchPrefetched: 1;
     ULONG InjectInpageErrors: 1;
     ULONG VmTopDown: 1;
     ULONG ImageNotifyDone: 1;
     ULONG PdeUpdateNeeded: 1;
     ULONG VdmAllowed: 1;
     ULONG SmapAllowed: 1;
     ULONG ProcessInserted: 1;
     ULONG DefaultIoPriority: 3;
     ULONG SparePsFlags1: 2;
     LONG ExitStatus;
     WORD Spare7;
     union
     {
          struct
          {
               UCHAR SubSystemMinorVersion;
               UCHAR SubSystemMajorVersion;
          };
          WORD SubSystemVersion;
     };
     UCHAR PriorityClass;
     MM_AVL_TABLE VadRoot;
     ULONG Cookie;
     ALPC_PROCESS_CONTEXT AlpcContext;
} EPROCESS, *PEPROCESS;
我该的是红色那个，那个其实是一个unicode指针，但是一改我windbg里看是正常的，任务管理器看的是乱码

netspirit

不知道 坐等大神回答......

废物点心

遇到问题不要慌~掏出手机发个朋友圈~

RS水果

改 _EPROCESS 结构就行了
(我不懂 .......参考JuncoJet就行)

arthas75101

帮顶上去，会有大神指点你的

zp820710

你修改它的目的是为啥？？？

xxjj999

谢谢楼主分享

b917893200

liphily 发表于 2020-2-2 09:24
win7的64位驱动是强制要求数字签名的吧。。。
是不是应为这个问题，导致你的操作被系统本身拦截了

不是这个，内核已经破解了，驱动可以随便打了