From b68c55b38348cb0acf25228227aef1cc51f5ad9e Mon Sep 17 00:00:00 2001 From: 1114135188 <1114135188@QQ.com> Date: Thu, 7 Jul 2022 17:25:12 +0800 Subject: [PATCH 01/10] =?UTF-8?q?=E6=B5=8B=E8=AF=95=E9=9A=90=E8=97=8F?= =?UTF-8?q?=E6=A3=80=E6=B5=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/DriverMaim.c | 50 +++------ SuperKernelHacking/EnumeProcess.c | 140 +++++++++++++++--------- SuperKernelHacking/EnumeProcess.h | 4 - SuperKernelHacking/ProcessAllocMemory.c | 15 ++- SuperKernelHacking/ProcessAllocMemory.h | 4 +- 5 files changed, 121 insertions(+), 92 deletions(-) diff --git a/SuperKernelHacking/DriverMaim.c b/SuperKernelHacking/DriverMaim.c index b38064f..75bd621 100644 --- a/SuperKernelHacking/DriverMaim.c +++ b/SuperKernelHacking/DriverMaim.c @@ -20,40 +20,8 @@ NTSTATUS SkExtraDispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp) NTSTATUS SkDispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp) { - NTSTATUS Status = STATUS_SUCCESS; - PIO_STACK_LOCATION psl = IoGetCurrentIrpStackLocation(pIrp); - ULONG Code = psl->Parameters.DeviceIoControl.IoControlCode; - PVOID Buffer = pIrp->AssociatedIrp.SystemBuffer; - switch (Code) - { - case GET_PROCESS_LIST: - { - if (*(ULONG64 *)Buffer == 0) - { - break; - } - - __try - { - *(ULONG64 *)(*(ULONG64 *)Buffer) = (ULONG64)SkEnumeProcess(); - } - __except (1) - { - Status = STATUS_UNSUCCESSFUL; - goto $EXIT; - } - break; - } - - - default: - break; - } - -$EXIT: - pIrp->IoStatus.Information = psl->Parameters.DeviceIoControl.OutputBufferLength; - pIrp->IoStatus.Status = Status; + pIrp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest(pIrp, IO_NO_INCREMENT); return STATUS_SUCCESS; } 
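Review bot: The rewritten SkDispatch completes every IRP with STATUS_SUCCESS without looking at the control code, and `pIrp->IoStatus.Information` is no longer set before IoCompleteRequest, so any caller issuing any IOCTL gets a success status with an unspecified transfer length. Even as a stub, write `pIrp->IoStatus.Information = 0;` and complete unrecognised codes with `STATUS_INVALID_DEVICE_REQUEST` so user mode cannot mistake a no-op for a served request. If the process list is to be returned through an IOCTL again later, the output should go through the METHOD_BUFFERED system buffer with its length checked against OutputBufferLength rather than through a pointer read out of the input buffer as the removed code did.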
@@ -79,6 +47,22 @@ NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING Regi + //测试参数专用括号 + { + /* + PROCESS ffff9e09a337c080 + SessionId: 1 Cid: 03b0 Peb: 12e95bc000 ParentCid: 0224 + DirBase: 309a0000 ObjectTable: ffffb3838fc0b5c0 HandleCount: 701. + Image: dwm.exe + 此信息为1803虚拟机的 + */ + + KeAttachProcess((PEPROCESS)0Xffff9e09a337c080); + SkEnumeProcess(); + KeDetachProcess(); + } + + DriverObject->DriverUnload = UnLoadDriver; OUTDEBUGINFO("执行完成.驱动加载成功"); diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index ab2e735..21cc610 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -6,6 +6,21 @@ #define FAKER_PROCESS_NAME 4 + +/* + SkAllocProcessImageStringMemory:申请用于存放进程路径,进程名等内存 +*/ +PVOID SkAllocProcessImageStringMemory() +{ + return SkUserAllocExecuteMemory(PATH_MAX); +} + +NTSTATUS SkFreeProcessImageStringMemory(PVOID Address) +{ + RtlZeroMemory(Address, PATH_MAX); + return SkFreeUserMemory(Address,PATH_MAX,(HANDLE)-1); +} + /* SkAddProcessChain:添加进程链表 参数1:链表头 
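Review bot: The new test block in DriverEntry attaches to a hard-coded EPROCESS address (`0Xffff9e09a337c080`, which the comment says came from one 1803 VM session) and enumerates from there; on any other boot that literal points at arbitrary kernel memory, so loading the driver bugchecks. The chain returned by `SkEnumeProcess()` is also discarded, leaking every node, and KeAttachProcess/KeDetachProcess is the legacy pair (KeStackAttachProcess/KeUnstackDetachProcess is the documented form). If a smoke test must live in DriverEntry, resolve the process at run time with PsLookupProcessByProcessId, dereference it afterwards, and keep the block under a debug-only `#if`; otherwise remove it before this lands.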
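Review bot: SkAllocProcessImageStringMemory hands out PAGE_EXECUTE_READWRITE pages (via SkUserAllocExecuteMemory) to hold path strings, giving the process writable-and-executable memory it never needs; allocate the string buffers with `return SkUserVirtualAlloc(NULL, PATH_MAX, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);` instead. SkFreeProcessImageStringMemory calls RtlZeroMemory before any NULL check, so a node whose allocation failed crashes here, while SkFreeUserMemory (added in this same commit) already NULL-checks and zeroes the block — drop the extra RtlZeroMemory. Both definitions use an empty parameter list; in C write `(void)` so a stray argument is a compile error rather than silently ignored.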
@@ -51,20 +66,70 @@ void SKFreeProcessChainNode(PSkProcessChain ProcessChainNode) { if (ProcessChainNode->ImageFileName) { + SkFreeProcessImageStringMemory(ProcessChainNode->ImageFileName); + } + if (ProcessChainNode->ImageFilePath) + { + SkFreeProcessImageStringMemory(ProcessChainNode->ImageFilePath); } + + + SkFreeUserMemory(ProcessChainNode, sizeof(SkProcessChain), (HANDLE)-1); + ProcessChainNode = NULL; } return; } + /* - SkAllocProcessImageStringMemory:申请用于存放进程路径,进程名等内存 + SkCheckProcessHide_0:通过ZwQuerySystemInformation来查找进程 */ -PVOID SkAllocProcessImageStringMemory() +ULONG64 SkCheckProcessHide_0(HANDLE ProcessId) { - return SkUserAllocExecuteMemory(PATH_MAX); + UNICODE_STRING TagName = { 0 }; + + PVOID pBuffer = NULL; + + ULONG buffer_size = 0; + + + NTSTATUS Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, 0, &buffer_size); + + while (Status == STATUS_INFO_LENGTH_MISMATCH) + { + if (pBuffer) + { + ExFreePoolWithTag(pBuffer, 0); + } + + pBuffer = ExAllocatePool(NonPagedPool, buffer_size); + + Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, buffer_size, &buffer_size); + } + + PSYSTEM_PROCESS_INFORMATION ProcessInformation = (PSYSTEM_PROCESS_INFORMATION)pBuffer; + + for (;;) + { + if (ProcessInformation->ProcessId == ProcessId) + { + return 0; + } + + if (ProcessInformation->NextEntryOffset == 0) + break; + + ProcessInformation = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)ProcessInformation) + ProcessInformation->NextEntryOffset); + } + + return 1; } + + + + /* ProcessChainDataInput:给ProcessChain结构成员写入数据 参数1:ProcessChain指针 
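Review bot: SkCheckProcessHide_0 never frees pBuffer on either return path, so every call leaks the whole SystemProcessInformation snapshot from nonpaged pool — and SkProcessChainDataInput calls it once per enumerated process. ExAllocatePool's result is not checked before it is passed back to ZwQuerySystemInformation and then dereferenced as ProcessInformation, and a query that fails with any status other than STATUS_INFO_LENGTH_MISMATCH also falls through to the walk with pBuffer possibly NULL. ExAllocatePool paired with `ExFreePoolWithTag(pBuffer, 0)` mixes tags as well; use ExAllocatePoolWithTag with a real tag (`SK_POOL_TAG` below is a placeholder for one), and drop the unused `UNICODE_STRING TagName`. Separately, `ProcessChainNode = NULL;` after SkFreeUserMemory only clears the local parameter, not the caller's pointer.
```c
ULONG64 SkCheckProcessHide_0(HANDLE ProcessId)
{
    PVOID pBuffer = NULL;
    ULONG buffer_size = 0;
    ULONG64 Hidden = 0;   // an inconclusive query is not reported as "hidden"

    NTSTATUS Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, 0, &buffer_size);

    while (Status == STATUS_INFO_LENGTH_MISMATCH)
    {
        if (pBuffer)
        {
            ExFreePoolWithTag(pBuffer, SK_POOL_TAG);
        }
        pBuffer = ExAllocatePoolWithTag(NonPagedPool, buffer_size, SK_POOL_TAG);
        if (pBuffer == NULL)
        {
            return Hidden;
        }
        Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, buffer_size, &buffer_size);
    }

    if (NT_SUCCESS(Status) && pBuffer != NULL)
    {
        Hidden = 1;
        for (PSYSTEM_PROCESS_INFORMATION Entry = (PSYSTEM_PROCESS_INFORMATION)pBuffer; ; )
        {
            if (Entry->ProcessId == ProcessId)
            {
                Hidden = 0;
                break;
            }
            if (Entry->NextEntryOffset == 0)
            {
                break;
            }
            Entry = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)Entry + Entry->NextEntryOffset);
        }
    }

    if (pBuffer)
    {
        ExFreePoolWithTag(pBuffer, SK_POOL_TAG);
    }
    return Hidden;
}
```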
@@ -82,9 +147,10 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES } ProcessChain->Eprocess = (ULONG64)Eprocess; - ProcessChain->IsHideProcess = FALSE; ProcessChain->InheritedFromUniqueProcessId = (ULONG64)PsGetProcessInheritedFromUniqueProcessId(Eprocess); ProcessChain->UniqueProcessId = (ULONG64)PsGetProcessId(Eprocess); + ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId); + { POBJECT_NAME_INFORMATION Info = SkGetProcessImagePathNameByPNI(Eprocess); @@ -118,8 +184,7 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES if (!SkGetProcessImageNameByAPI_0(Eprocess, ProcessChain->ImageFilePath)) { - ProcessChain->IsHideProcess = FAKER_PROCESS_NAME; - ProcessChain->Type = FAKER_PROCESS_NAME; + //继续获取 } } } @@ -133,19 +198,23 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES { if (!SkGetProcessImageNameByAPI_0(Eprocess, ProcessChain->ImageFileName)) { - ProcessChain->IsHideProcess = 1; - ProcessChain->Type = FAKER_PROCESS_NAME; + //继续获取 + } } } } + if (ProcessChain->IsHideProcess == 1) + { + OUTDEBUGINFO("隐藏进程.%d %ws\n", ProcessChain->UniqueProcessId, ProcessChain->ImageFileName); + } return nRet; } - + PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() { NTSTATUS Status = STATUS_SUCCESS; @@ -164,11 +233,13 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() for (ULONG64 Index = 0; Index < MAX_PROCESS_ID; Index = Index + 4) { + Status = PsLookupProcessByProcessId((HANDLE)Index, &Eprocess); if (NT_SUCCESS(Status)) { if (PsGetProcessExitStatus(Eprocess) == STATUS_PENDING) { + if (First == NULL) { First = ProcessChain; @@ -184,7 +255,9 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() { /* 多此一举的判断 后面里面可以加判断 判断是不是奇奇怪怪的东西嘿嘿 + 先释放把 */ + SKFreeProcessChainNode(Node); ObDereferenceObject(Eprocess); continue; 
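Review bot: The failure branch for SkGetProcessImageNameByAPI_0 now holds only `//继续获取` and nRet stays TRUE, so a node whose name lookup failed twice is returned as an ordinary entry with whatever the fresh buffer holds, and nothing records that the lookup failed; the hunk at -133 does the same for the ImageFileName lookup. Either keep a distinguishable outcome (the file still defines FAKER_PROCESS_NAME, which could be stored in IsHideProcess as before) or document the contract, e.g. `/* An empty ImageFilePath/ImageFileName means both lookups failed; the node is still returned. */` above SkProcessChainDataInput. The function starts before this hunk.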
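Review bot: The new OUTDEBUGINFO in the hunk at -133 formats UniqueProcessId with `%d`, but the field is assigned from a ULONG64 cast a few lines earlier, so the vararg read is mismatched; use `%llu`. ImageFileName is guarded with `if (ProcessChain->ImageFileName)` elsewhere in this function, so it can be NULL here and `%ws` would then format a null pointer. `OUTDEBUGINFO("隐藏进程.%llu %ws\n", ProcessChain->UniqueProcessId, ProcessChain->ImageFileName ? ProcessChain->ImageFileName : L"");` covers both (cast to PCWSTR if the field is declared PVOID).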
@@ -215,56 +288,17 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() } -PSkProcessChain SKEnumeProcessByAPI_0() -{ - PVOID Buffer = NULL; - - ULONG BufferSize = 0; - - PSYSTEM_PROCESS_INFORMATION ProcessInformation = NULL; - NTSTATUS Status = ZwQuerySystemInformation(SystemProcessInformation, Buffer, 0, &BufferSize); - - PSkProcessChain ProcessChain = SkCreatProcessChain(); - Buffer = ExAllocatePool(NonPagedPool, BufferSize); - if (!Buffer) - { - RtlZeroMemory(Buffer, BufferSize); - } - - while (Status == STATUS_INFO_LENGTH_MISMATCH) - { - if (Buffer) - { - ExFreePool(Buffer); - } - - Buffer = ExAllocatePool(NonPagedPool, BufferSize); - - Status = ZwQuerySystemInformation(SystemProcessInformation, Buffer, BufferSize, &BufferSize); - - } - - ProcessInformation = (PSYSTEM_PROCESS_INFORMATION)Buffer; - - for (;;) - { - if (ProcessInformation->NextEntryOffset == 0) - break; - - } +PSkProcessChain SkEnumeProcess() +{ - return ProcessChain; -} + PSkProcessChain ProcessChain = NULL; + PSkProcessChain ProcessChainAPI = NULL; + ProcessChain = SKEnumeProcessByPsLookupProcessByProcessId(); -PSkProcessChain SkEnumeProcess() -{ - PSkProcessChain ProcessChain = NULL; - - ProcessChain = SKEnumeProcessByPsLookupProcessByProcessId(); return ProcessChain; } diff --git a/SuperKernelHacking/EnumeProcess.h b/SuperKernelHacking/EnumeProcess.h index 608b024..90b1bc6 100644 --- a/SuperKernelHacking/EnumeProcess.h +++ b/SuperKernelHacking/EnumeProcess.h @@ -37,9 +37,6 @@ typedef struct _SkProcessChain /*隐藏进程*/ ULONG64 IsHideProcess; - /*隐藏方式 1为句柄表断链 2为EPROCESS断链 3为线程篡改所属 4为修改进程名*/ - ULONG64 Type; - struct _SkProcessChain *Next; }SkProcessChain, *PSkProcessChain; @@ -58,7 +55,6 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId(); 返回值:返回所有已找到的进程,存放在SkPProcessChain链表里 备注:PSkProcessChain需要自行释放 在不使用时 */ -PSkProcessChain SKEnumeProcessByAPI_0(); diff --git a/SuperKernelHacking/ProcessAllocMemory.c b/SuperKernelHacking/ProcessAllocMemory.c index d7ab94f..e26284b 100644 
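Review bot: The rewritten SkEnumeProcess declares `ProcessChainAPI` and never uses it; drop the line. The sibling comments in EnumeProcess.h say the returned chain is freed by the caller, but the only release routine visible is SKFreeProcessChainNode, which frees a single node, so callers have no documented way to release the whole list; a `SkFreeProcessChain(PSkProcessChain Head)` that walks Next and calls SKFreeProcessChainNode on each node would close that gap.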
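Review bot: Removing the SKEnumeProcessByAPI_0 prototype leaves its doc comment (the `SKEnumeProcessByAPI_0:通过ZwQuerySystemInformation...` block directly above the deleted line) orphaned in the header, and the struct hunk at -37 drops `Type` while `/*隐藏进程*/` still says nothing about what IsHideProcess holds. Delete the stale comment block and document the field from SkCheckProcessHide_0's contract: `/* 0 = listed by ZwQuerySystemInformation, 1 = not listed (see SkCheckProcessHide_0) */`. With `Type` gone, `#define FAKER_PROCESS_NAME 4` in EnumeProcess.c has no remaining reader in the hunks shown.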
--- a/SuperKernelHacking/ProcessAllocMemory.c +++ b/SuperKernelHacking/ProcessAllocMemory.c @@ -40,4 +40,17 @@ PVOID SkUserAllocExecuteMemory(SIZE_T Size) { return SkUserVirtualAlloc(NULL, Size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); -} \ No newline at end of file +} + +NTSTATUS SkFreeUserMemory(PVOID BaseAddress, SIZE_T Size, HANDLE ProcessHandle) +{ + NTSTATUS Status = STATUS_MEMORY_NOT_ALLOCATED; + + if (BaseAddress != NULL) + { + RtlZeroMemory(BaseAddress, Size); + Status = NtFreeVirtualMemory(ProcessHandle, &BaseAddress, &Size, MEM_DECOMMIT | MEM_RELEASE); + } + + return Status; +} diff --git a/SuperKernelHacking/ProcessAllocMemory.h b/SuperKernelHacking/ProcessAllocMemory.h index 1cdb20e..42a8bcb 100644 --- a/SuperKernelHacking/ProcessAllocMemory.h +++ b/SuperKernelHacking/ProcessAllocMemory.h @@ -5,4 +5,6 @@ PVOID SkUserVirtualAllocEx(_In_ HANDLE hProcess, _In_ PVOID lpAddress, _In_ PVOID SkUserVirtualAlloc(_In_ PVOID lpAddress, _In_ SIZE_T dwSize, _In_ DWORD flAllocationType, _In_ DWORD flProtect); -PVOID SkUserAllocExecuteMemory(_In_ SIZE_T Size); \ No newline at end of file +PVOID SkUserAllocExecuteMemory(_In_ SIZE_T Size); + +NTSTATUS SkFreeUserMemory(PVOID BaseAddress, SIZE_T Size, HANDLE ProcessHandle); \ No newline at end of file -- Gitee From 278551f933512d7a1b7718f443246f8ea72ae22a Mon Sep 17 00:00:00 2001 From: 1114135188 <1114135188@QQ.com> Date: Fri, 8 Jul 2022 16:30:39 +0800 Subject: [PATCH 02/10] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E4=B8=80=E7=A7=8D?= =?UTF-8?q?=E6=89=AB=E6=8F=8F=E8=BF=9B=E7=A8=8B=E7=9A=84=E6=96=B9=E6=B3=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/DriverMaim.c | 37 ++++++++++++++++++++ SuperKernelHacking/EnumeProcess.c | 56 ++++++++++++++++++++++++------- SuperKernelHacking/EnumeProcess.h | 9 ----- SuperKernelHacking/Log.h | 8 +++++ SuperKernelHacking/ProcessFile.h | 4 ++- 5 files changed, 91 insertions(+), 23 deletions(-) 
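Review bot: `NtFreeVirtualMemory(ProcessHandle, &BaseAddress, &Size, MEM_DECOMMIT | MEM_RELEASE)` cannot succeed: the two flags are mutually exclusive, and MEM_RELEASE additionally requires a zero region size and the allocation base, so every call fails and the user-mode buffers are never released — the callers in EnumeProcess.c do not check the status, so the failure is invisible. Use `SIZE_T RegionSize = 0;` and `Status = ZwFreeVirtualMemory(ProcessHandle, &BaseAddress, &RegionSize, MEM_RELEASE);` (Zw is the documented kernel-mode entry; the Nt form from a driver inherits the caller's previous mode). RtlZeroMemory on a user-mode address is only valid in the process the buffer belongs to, which the `(HANDLE)-1` callers implicitly rely on; say so in the ProcessAllocMemory.h comment for SkFreeUserMemory.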
diff --git a/SuperKernelHacking/DriverMaim.c b/SuperKernelHacking/DriverMaim.c index 75bd621..878930c 100644 --- a/SuperKernelHacking/DriverMaim.c +++ b/SuperKernelHacking/DriverMaim.c @@ -2,6 +2,7 @@ #include "EnumeProcess.h" #include "Log.h" +KernelOffset g_OffsetData; @@ -26,13 +27,49 @@ NTSTATUS SkDispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp) return STATUS_SUCCESS; } +NTSTATUS SkInitializationData(PKernelOffset Data) +{ + RTL_OSVERSIONINFOW Version = { 0 }; + Version.dwOSVersionInfoSize = sizeof(Version); + RtlGetVersion(&Version); + + if (Version.dwBuildNumber < 17134) + { + return STATUS_NOT_FOUND; + } + + + //KiProcessList + { + switch (Version.dwBuildNumber) + { + + case 17134: Data->KiProcessList = 0x0240; break; + case 17763: Data->KiProcessList = 0x0240; break; + case 18362:Data->KiProcessList = 0x0248; break; + case 18363:Data->KiProcessList = 0x0248; break; + default:Data->KiProcessList = 0x350; break; + + } + } + + + return STATUS_SUCCESS; + +} + NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegisterPath) { PDEVICE_OBJECT DeviceObject = NULL; NTSTATUS Status = STATUS_SUCCESS; + Status = SkInitializationData(&g_OffsetData); + if (!NT_SUCCESS(Status)) { + return Status; + } + SkInitDispatch(DriverObject, SkDispatch, SkExtraDispatch); Status = SKIoCreateDevice(DriverObject, &DeviceObject); diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index 21cc610..84a7596 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -94,7 +94,6 @@ ULONG64 SkCheckProcessHide_0(HANDLE ProcessId) ULONG buffer_size = 0; - NTSTATUS Status = ZwQuerySystemInformation(SystemProcessInformation, pBuffer, 0, &buffer_size); while (Status == STATUS_INFO_LENGTH_MISMATCH) @@ -115,6 +114,7 @@ ULONG64 SkCheckProcessHide_0(HANDLE ProcessId) { if (ProcessInformation->ProcessId == ProcessId) { + ExFreePoolWithTag(pBuffer, 0); return 0; } 
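Review bot: The `default:` arm of SkInitializationData assigns `KiProcessList = 0x350` for every build newer than 18363, and SkCheckProcessHide_1 in this same commit adds that offset to EPROCESS pointers and follows the result, so on an unrecognised build the driver walks an arbitrary field as a LIST_ENTRY. Make unknown builds fail the load instead: `default: return STATUS_NOT_SUPPORTED;`. RtlGetVersion's return value is also discarded; check it before reading dwBuildNumber. SkInitializationData is not referenced outside DriverMaim.c in the hunks shown, so it can be `static`.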
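Review bot: The ExFreePoolWithTag added in the hunk at -115 only runs on the match path; the not-found path (`return 1` after the loop, outside this hunk) still leaks the SystemProcessInformation snapshot on every call. Record the result in a local and free once after the walk instead of returning from inside it, and pair the free with ExAllocatePoolWithTag using the same non-zero tag — Driver Verifier flags a free whose tag differs from the allocation's.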
@@ -128,7 +128,43 @@ ULONG64 SkCheckProcessHide_0(HANDLE ProcessId) } +/* + 遍历KiProcessList取EPROCESS + Eprocess->Kprcess->KiProcessList 这个是PG保存的进程链表 直接遍历这里 当然一般情况断链 人家这里也断了 + 为了凑代码 家上去 + 参数1:待查找的EPROCESS +*/ +ULONG64 SkCheckProcessHide_1(PEPROCESS Eprocess) +{ + PEPROCESS GurrentProcess = PsGetCurrentProcess(); + + PEPROCESS TagEprocess = NULL; + + PLIST_ENTRY KiProcessList = (PLIST_ENTRY)(((ULONG64)GurrentProcess + g_OffsetData.KiProcessList)); + + PLIST_ENTRY pNextLinks = KiProcessList; + do + { + if (MmIsAddressValid(pNextLinks) == FALSE || pNextLinks == NULL) + { + break; + } + + TagEprocess = (PEPROCESS)((ULONG64)pNextLinks - g_OffsetData.KiProcessList); + if (TagEprocess == Eprocess) + { + return 0; + } + + + pNextLinks = pNextLinks->Flink; + + } while (pNextLinks->Flink != KiProcessList->Flink); + + + return 1; +} /* ProcessChainDataInput:给ProcessChain结构成员写入数据 @@ -149,8 +185,12 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES ProcessChain->Eprocess = (ULONG64)Eprocess; ProcessChain->InheritedFromUniqueProcessId = (ULONG64)PsGetProcessInheritedFromUniqueProcessId(Eprocess); ProcessChain->UniqueProcessId = (ULONG64)PsGetProcessId(Eprocess); - ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId); - + + { + ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId); + ProcessChain->IsHideProcess = SkCheckProcessHide_1(Eprocess); + } + { POBJECT_NAME_INFORMATION Info = SkGetProcessImagePathNameByPNI(Eprocess); @@ -199,17 +239,12 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES if (!SkGetProcessImageNameByAPI_0(Eprocess, ProcessChain->ImageFileName)) { //继续获取 - } } } } - if (ProcessChain->IsHideProcess == 1) - { - OUTDEBUGINFO("隐藏进程.%d %ws\n", ProcessChain->UniqueProcessId, ProcessChain->ImageFileName); - } return nRet; } 
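Review bot: SkCheckProcessHide_1 walks the kernel's process list through a fixed offset with no synchronization, and the `while (pNextLinks->Flink != KiProcessList->Flink)` condition dereferences pNextLinks before the MmIsAddressValid test at the top of the next iteration reaches it, so a process exiting mid-walk can hand the loop a freed LIST_ENTRY. The validity test also calls MmIsAddressValid before testing for NULL; reorder it to `if (pNextLinks == NULL || !MmIsAddressValid(pNextLinks)) break;` and use `while (pNextLinks != KiProcessList)` as the loop condition so the head is the only pointer compared without validation. MmIsAddressValid only says a page is mapped, not that it still belongs to a live EPROCESS, so document this check as best-effort and racy rather than authoritative. `GurrentProcess` also reads like a typo for `CurrentProcess`.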
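Review bot: In the hunk at -149, IsHideProcess is assigned twice in a row inside the new braces, so SkCheckProcessHide_0's result is overwritten before anyone reads it and only the KiProcessList walk decides the flag. If both checks are meant to contribute, combine them — `ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId) | SkCheckProcessHide_1(Eprocess);` — or keep one bit per check so the consumer can tell which view the process is missing from. The enclosing function starts before this hunk.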
@@ -253,12 +288,7 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() { if (!SkProcessChainDataInput(Node, Eprocess)) { - /* - 多此一举的判断 后面里面可以加判断 判断是不是奇奇怪怪的东西嘿嘿 - 先释放把 - */ SKFreeProcessChainNode(Node); - ObDereferenceObject(Eprocess); continue; } diff --git a/SuperKernelHacking/EnumeProcess.h b/SuperKernelHacking/EnumeProcess.h index 90b1bc6..d9b7a2f 100644 --- a/SuperKernelHacking/EnumeProcess.h +++ b/SuperKernelHacking/EnumeProcess.h @@ -49,15 +49,6 @@ typedef struct _SkProcessChain PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId(); - -/* - SKEnumeProcessByAPI_0:通过ZwQuerySystemInformation来获取进程 注:任务管理器使用的就是这个 - 返回值:返回所有已找到的进程,存放在SkPProcessChain链表里 - 备注:PSkProcessChain需要自行释放 在不使用时 -*/ - - - /* SkEnumeProcess:枚举系统所有进程 返回值:返回所有已找到的进程,存放在SkPProcessChain链表里 diff --git a/SuperKernelHacking/Log.h b/SuperKernelHacking/Log.h index edf7c21..af33a12 100644 --- a/SuperKernelHacking/Log.h +++ b/SuperKernelHacking/Log.h @@ -228,3 +228,11 @@ typedef struct _SYSTEM_PROCESS_INFORMATION { IO_COUNTERS IoCounters; SYSTEM_THREADS Threads; } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; + + +typedef struct _KernelOffset +{ + ULONG64 KiProcessList; +}KernelOffset,*PKernelOffset; + +extern KernelOffset g_OffsetData; \ No newline at end of file diff --git a/SuperKernelHacking/ProcessFile.h b/SuperKernelHacking/ProcessFile.h index 50e99e2..e1f72ee 100644 --- a/SuperKernelHacking/ProcessFile.h +++ b/SuperKernelHacking/ProcessFile.h @@ -141,4 +141,6 @@ POBJECT_NAME_INFORMATION SkGetProcessImagePathNameByPNI(_In_ PEPROCESS Eprocess 参数1:进程EPROCESS 参数2:用于接收进程名的指针 */ -NTSTATUS SkGetProcessImageNameByPEB(_In_ PEPROCESS Eprocess,_Inout_ PVOID ImageName); \ No newline at end of file +NTSTATUS SkGetProcessImageNameByPEB(_In_ PEPROCESS Eprocess,_Inout_ PVOID ImageName); + + \ No newline at end of file -- Gitee From 6aceaea2d7ee6a502dc0b9c53cc453664c3b05ea Mon Sep 17 00:00:00 2001 
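Review bot: This hunk deletes `ObDereferenceObject(Eprocess);` on the path where SkProcessChainDataInput fails, but the `continue` that follows still skips the rest of the loop body, so the reference taken by PsLookupProcessByProcessId is not released for that process unless a release I cannot see in this hunk happens elsewhere. If the goal was only to drop the comment, restore the dereference before the `continue`; if a double release was the problem, say so in the commit message. The enclosing loop starts before this hunk.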
From: 1114135188 <1114135188@QQ.com> Date: Fri, 8 Jul 2022 17:47:54 +0800 Subject: [PATCH 03/10] =?UTF-8?q?=E6=9C=80=E5=90=8E=E4=B8=80=E6=AC=A1?= =?UTF-8?q?=E6=8F=90=E4=BA=A4=E4=B8=8B=E7=8F=AD=E5=89=8D=E7=9A=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/EnumeProcess.c | 36 ++++++++++++++++++++++++++++++- 1 file changed, 35 insertions(+), 1 deletion(-) diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index 84a7596..2ed1305 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -159,13 +159,15 @@ ULONG64 SkCheckProcessHide_1(PEPROCESS Eprocess) pNextLinks = pNextLinks->Flink; - } while (pNextLinks->Flink != KiProcessList->Flink); return 1; } + + + /* ProcessChainDataInput:给ProcessChain结构成员写入数据 参数1:ProcessChain指针 @@ -319,6 +321,38 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() +/* + SkFindEProcess:查找进程链表的EPROCESS是否存在 +*/ +BOOLEAN SkFindEProcess(PEPROCESS Eprocess, PSkProcessChain ListHead) +{ + +} + +/* + SKFindHideProcessByThread 通过线程查找隐藏进程,然后更新进程链表,线程一般情况无法造假,因为CPU调度的是线程, + 如果改THREAD->Process 线程所属进程 一般进程可以 但是 你无法修改APC_STATE->Process 这里是线程运行环境,你改了100%炸 + 除了你牛逼 重写切换逻辑 所以在加一个判断 if(ETHREAD->Process != ETHREAD->Kehtread->APC_STATE->Process)如果不等于 + 你他妈的就是不正常 锻炼了 闸总 + 参数1:现存在的进程链表 + 返回:更新后的链表 +*/ +PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) +{ + PETHREAD TempThread = NULL; + for (ULONG64 Index = 0; Index < MAX_PROCESS_ID; Index = Index + 4) + { + if (NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)Index, &TempThread))) + { + if (!PsIsThreadTerminating(TempThread)) + { + + } + + ObDereferenceObject(TempThread); + } + } +} PSkProcessChain SkEnumeProcess() { -- Gitee From 9c1683955d58bebdb8f076c9a2981569e8d15c4a Mon Sep 17 00:00:00 2001 
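Review bot: Both new functions are non-void but contain no return statement — SkFindEProcess has an empty body and SKFindHideProcessByThread only loops — so using either result is undefined behaviour (MSVC reports C4716 for this). If they are meant to land as work-in-progress stubs, make them honest stubs with `return FALSE;` and `return ProcessChain;` and say in the comment that the body is still to be written. MAX_PROCESS_ID is also reused as the thread-id bound; if the two limits differ, introduce a separate named constant for threads.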
From: 1114135188 <1114135188@QQ.com> Date: Thu, 14 Jul 2022 13:52:18 +0800 Subject: [PATCH 04/10] =?UTF-8?q?=E9=93=BE=E8=A1=A8=E6=9C=89=E7=82=B9?= =?UTF-8?q?=E5=B0=8F=E9=97=AE=E9=A2=98=E7=AD=89=E7=AD=89=E4=BF=AE=E9=81=8D?= =?UTF-8?q?=E5=8E=86=E7=BA=BF=E7=A8=8B=E4=BC=9A=E5=87=BA=E7=8E=B0=E9=87=8D?= =?UTF-8?q?=E5=A4=8D=E5=8A=A0=E5=85=A5=E8=BF=9B=E7=A8=8B=E9=93=BE=E8=A1=A8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/DriverMaim.c | 3 +- SuperKernelHacking/EnumeProcess.c | 57 +++++++++++++++++++++++++------ SuperKernelHacking/Log.h | 3 +- 3 files changed, 51 insertions(+), 12 deletions(-) diff --git a/SuperKernelHacking/DriverMaim.c b/SuperKernelHacking/DriverMaim.c index 878930c..87d484e 100644 --- a/SuperKernelHacking/DriverMaim.c +++ b/SuperKernelHacking/DriverMaim.c @@ -38,7 +38,7 @@ NTSTATUS SkInitializationData(PKernelOffset Data) return STATUS_NOT_FOUND; } - + Data->SystemEprocess = IoGetCurrentProcess(); //KiProcessList { switch (Version.dwBuildNumber) @@ -72,6 +72,7 @@ NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING Regi SkInitDispatch(DriverObject, SkDispatch, SkExtraDispatch); + Status = SKIoCreateDevice(DriverObject, &DeviceObject); if (!NT_SUCCESS(Status)){ return Status; diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index 2ed1305..b509660 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -136,7 +136,7 @@ ULONG64 SkCheckProcessHide_0(HANDLE ProcessId) */ ULONG64 SkCheckProcessHide_1(PEPROCESS Eprocess) { - PEPROCESS GurrentProcess = PsGetCurrentProcess(); + PEPROCESS GurrentProcess = g_OffsetData.SystemEprocess; PEPROCESS TagEprocess = NULL; @@ -144,6 +144,7 @@ ULONG64 SkCheckProcessHide_1(PEPROCESS Eprocess) PLIST_ENTRY pNextLinks = KiProcessList; + do { if (MmIsAddressValid(pNextLinks) == FALSE || pNextLinks == NULL) 
@@ -160,7 +161,7 @@ ULONG64 SkCheckProcessHide_1(PEPROCESS Eprocess) pNextLinks = pNextLinks->Flink; } while (pNextLinks->Flink != KiProcessList->Flink); - + return 1; } @@ -171,9 +172,10 @@ ULONG64 SkCheckProcessHide_1(PEPROCESS Eprocess) /* ProcessChainDataInput:给ProcessChain结构成员写入数据 参数1:ProcessChain指针 - 参数2:进程的_EPROCESS + 参数2:进程的 + _EPROCESS */ -BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCESS Eprocess) +BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCESS Eprocess,_In_ BOOLEAN IsHide) { BOOLEAN nRet = TRUE; @@ -189,8 +191,15 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES ProcessChain->UniqueProcessId = (ULONG64)PsGetProcessId(Eprocess); { - ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId); - ProcessChain->IsHideProcess = SkCheckProcessHide_1(Eprocess); + if (IsHide == FALSE) + { + ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId); + ProcessChain->IsHideProcess = SkCheckProcessHide_1(Eprocess); + } + else + { + ProcessChain->IsHideProcess = TRUE; + } } @@ -280,7 +289,7 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() if (First == NULL) { First = ProcessChain; - SkProcessChainDataInput(First, Eprocess); + SkProcessChainDataInput(First, Eprocess,FALSE); ObDereferenceObject(Eprocess); continue; } @@ -288,7 +297,7 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() PSkProcessChain Node = SkCreatProcessChain(); if (Node != NULL) { - if (!SkProcessChainDataInput(Node, Eprocess)) + if (!SkProcessChainDataInput(Node, Eprocess,FALSE)) { SKFreeProcessChainNode(Node); ObDereferenceObject(Eprocess); 
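Review bot: The edited comment in the hunk at -171 now splits `进程的_EPROCESS` across two lines, and the new `IsHide` parameter added to SkProcessChainDataInput's signature in the same hunk is not documented at all. Rejoin the line and add a third entry, e.g. `Arg 3: IsHide — when TRUE the node is marked hidden without running the SkCheckProcessHide_* checks.` The function body continues past this hunk.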
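Review bot: In the hunk at -189 the `IsHide == FALSE` branch still assigns IsHideProcess twice in succession, so this rewrite keeps discarding SkCheckProcessHide_0's result; since these lines are being touched anyway, fold both checks into one value, `ProcessChain->IsHideProcess = SkCheckProcessHide_0((HANDLE)ProcessChain->UniqueProcessId) | SkCheckProcessHide_1(Eprocess);`, or store them in separate fields. The `else` path writes TRUE into the same ULONG64 field, which only lines up with the checks' 0/1 encoding as long as they stay boolean-valued.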
@@ -326,7 +335,18 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() */ BOOLEAN SkFindEProcess(PEPROCESS Eprocess, PSkProcessChain ListHead) { + PSkProcessChain Entry = ListHead; + while (Entry->Next != NULL) + { + if (Entry->Eprocess == (ULONG64)Eprocess) + { + return TRUE; + } + + Entry = Entry->Next; + } + return FALSE; } /* @@ -339,19 +359,35 @@ BOOLEAN SkFindEProcess(PEPROCESS Eprocess, PSkProcessChain ListHead) */ PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) { - PETHREAD TempThread = NULL; + PETHREAD TempThread = NULL; + PSkProcessChain Temp = ProcessChain; + while (Temp->Next != NULL) + { + Temp = Temp->Next; + } + for (ULONG64 Index = 0; Index < MAX_PROCESS_ID; Index = Index + 4) { if (NT_SUCCESS(PsLookupThreadByThreadId((HANDLE)Index, &TempThread))) { if (!PsIsThreadTerminating(TempThread)) { - + if (!SkFindEProcess(PsGetThreadProcess(TempThread), ProcessChain)) + { + //隐藏进程 + DbgBreakPoint(); + PSkProcessChain Entry = SkCreatProcessChain(); + SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); + Temp->Next = Entry; + Temp = Entry; + OUTDEBUGINFO("隐藏进程 %ws %p", Temp->ImageFileName, PsGetThreadProcess(TempThread)); + } } ObDereferenceObject(TempThread); } } + return ProcessChain; } PSkProcessChain SkEnumeProcess() @@ -363,6 +399,7 @@ PSkProcessChain SkEnumeProcess() ProcessChain = SKEnumeProcessByPsLookupProcessByProcessId(); + ProcessChain = SKFindHideProcessByThread(ProcessChain); return ProcessChain; } diff --git a/SuperKernelHacking/Log.h b/SuperKernelHacking/Log.h index af33a12..66b7e26 100644 --- a/SuperKernelHacking/Log.h +++ b/SuperKernelHacking/Log.h @@ -232,7 +232,8 @@ typedef struct _SYSTEM_PROCESS_INFORMATION { typedef struct _KernelOffset { - ULONG64 KiProcessList; + ULONG64 KiProcessList; + PEPROCESS SystemEprocess; }KernelOffset,*PKernelOffset; extern KernelOffset g_OffsetData; \ No newline at end of file -- Gitee 
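Review bot: SkFindEProcess loops `while (Entry->Next != NULL)`, so the last node is never compared and a NULL ListHead dereferences immediately; the tail process is therefore reported absent on every call, which is likely the repeated insertion the commit title mentions. Replace the loop with `for (PSkProcessChain Entry = ListHead; Entry != NULL; Entry = Entry->Next) { if (Entry->Eprocess == (ULONG64)Eprocess) { return TRUE; } }` followed by `return FALSE;`.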
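Review bot: The hidden-process branch in the hunk at -339 calls `DbgBreakPoint()` unconditionally; without a kernel debugger attached that is in practice a fatal exception, so a release build bugchecks on the first hit. `SkCreatProcessChain()` is also used without a NULL check before `SkProcessChainDataInput(Entry, ...)` and `Temp->Next = Entry`, the BOOLEAN from SkProcessChainDataInput is ignored, and the initial walk to the tail (`while (Temp->Next != NULL)`) dereferences a NULL ProcessChain. Remove the breakpoint and guard the allocation: `if (Entry == NULL) { ObDereferenceObject(TempThread); break; }`. The EPROCESS from PsGetThreadProcess is read while only the thread is referenced; reference it around the data-input call.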
From 1db4516996d0d8cd27bf18eec8640090a00c5e64 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BC=82=E7=95=8C=E6=9D=A5=E5=AE=A2?= <2281160+UnCodeJob@user.noreply.gitee.com> Date: Thu, 14 Jul 2022 05:54:43 +0000 Subject: [PATCH 05/10] =?UTF-8?q?add=20README.md.=20=E6=8B=89=E9=97=B8?= =?UTF-8?q?=E4=BA=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..41a6985 --- /dev/null +++ b/README.md @@ -0,0 +1 @@ +骞插暐鍟ヤ笉琛 鎽搁奔绗竴鍚 涓婄彮鏃犺亰鍐欒繖鐜 \ No newline at end of file -- Gitee From c9ea44d78f0b0cf6f021ecbee5039e06acd410a9 Mon Sep 17 00:00:00 2001 From: 1114135188 <1114135188@QQ.com> Date: Thu, 14 Jul 2022 14:02:17 +0800 Subject: [PATCH 06/10] =?UTF-8?q?=E6=8B=89=E9=97=B8=20=E9=93=BE=E8=A1=A8?= =?UTF-8?q?=E6=B7=BB=E5=8A=A0BUG=E5=AF=BC=E8=87=B4=E5=81=B6=E5=B0=94?= =?UTF-8?q?=E8=93=9D=E5=B1=8F=20=E5=B7=B2=E7=BB=8F=E6=B3=A8=E9=87=8A?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/EnumeProcess.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index b509660..875dea3 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -335,18 +335,20 @@ PSkProcessChain SKEnumeProcessByPsLookupProcessByProcessId() */ BOOLEAN SkFindEProcess(PEPROCESS Eprocess, PSkProcessChain ListHead) { + BOOLEAN IsFind = FALSE; PSkProcessChain Entry = ListHead; while (Entry->Next != NULL) { if (Entry->Eprocess == (ULONG64)Eprocess) { - return TRUE; + IsFind = TRUE; + return IsFind; } Entry = Entry->Next; } - return FALSE; + return IsFind; } /* 
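Review bot: The IsFind local adds nothing — it is set and returned in the same breath — while the actual defect is untouched: `while (Entry->Next != NULL)` still skips the tail node, so the last process in the chain is always reported absent. Iterate `while (Entry != NULL)` and keep the direct `return TRUE;` / `return FALSE;`.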
@@ -375,12 +377,12 @@ PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) if (!SkFindEProcess(PsGetThreadProcess(TempThread), ProcessChain)) { //隐藏进程 - DbgBreakPoint(); - PSkProcessChain Entry = SkCreatProcessChain(); - SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); - Temp->Next = Entry; - Temp = Entry; - OUTDEBUGINFO("隐藏进程 %ws %p", Temp->ImageFileName, PsGetThreadProcess(TempThread)); + // DbgBreakPoint(); + // PSkProcessChain Entry = SkCreatProcessChain(); + // SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); + // Temp->Next = Entry; + // Temp = Entry; + // OUTDEBUGINFO("隐藏进程 %ws %p", Temp->ImageFileName, PsGetThreadProcess(TempThread)); } } -- Gitee From 5361563f5a625c569eafd00bed3033d1828f74de Mon Sep 17 00:00:00 2001 From: 1114135188 <1114135188@QQ.com> Date: Thu, 14 Jul 2022 14:53:17 +0800 Subject: [PATCH 07/10] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=9F=90=E4=BA=9B?= =?UTF-8?q?=E8=BF=9B=E7=A8=8B=E7=89=B9=E6=AE=8A=E6=83=85=E5=86=B5=E4=B8=8B?= =?UTF-8?q?=E6=97=A0LDR=E7=9A=84=E9=97=AE=E9=A2=98=E5=AF=BC=E8=87=B4?= =?UTF-8?q?=E8=93=9D=E5=B1=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/EnumeProcess.c | 17 +++++++++++------ SuperKernelHacking/ProcessFile.c | 20 ++++++++++++++++++-- 2 files changed, 29 insertions(+), 8 deletions(-) diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index 875dea3..62f1f6e 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -236,12 +236,17 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES if (!SkGetProcessImageNameByAPI_0(Eprocess, ProcessChain->ImageFilePath)) { //继续获取 + }else + { + nRet = TRUE; + return nRet; } } } { + ProcessChain->ImageFileName = SkAllocProcessImageStringMemory(PATH_MAX); if (ProcessChain->ImageFileName) { 
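Review bot: The six lines are commented out rather than removed, leaving an `if` whose body is only comments under the stale `//隐藏进程` label; version control already keeps the old text. If the insertion has to stay disabled while the bugcheck is investigated, delete it or wrap it in `#if 0` with a one-line reason. The tail-skip in SkFindEProcess and the unchecked `SkCreatProcessChain()` result in this same function are likelier causes of the crash than the insertion itself.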
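Review bot: The new `else { nRet = TRUE; return nRet; }` in the hunk at -236 returns as soon as SkGetProcessImageNameByAPI_0 fills ImageFilePath, before the block below allocates ImageFileName, so every node that takes this path leaves ImageFileName NULL — and SKFindHideProcessByThread in this same commit formats that field with `%ws`. nRet is already TRUE here, so simply dropping the early return restores the name lookup. `SkAllocProcessImageStringMemory(PATH_MAX)` also passes an argument to a function defined with an empty parameter list, so the value is silently ignored; either declare it `(void)` or add a real `SIZE_T Size` parameter that is forwarded to SkUserAllocExecuteMemory.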
@@ -377,12 +382,12 @@ PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) if (!SkFindEProcess(PsGetThreadProcess(TempThread), ProcessChain)) { //隐藏进程 - // DbgBreakPoint(); - // PSkProcessChain Entry = SkCreatProcessChain(); - // SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); - // Temp->Next = Entry; - // Temp = Entry; - // OUTDEBUGINFO("隐藏进程 %ws %p", Temp->ImageFileName, PsGetThreadProcess(TempThread)); + + PSkProcessChain Entry = SkCreatProcessChain(); + SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); + Temp->Next = Entry; + Temp = Entry; + OUTDEBUGINFO("隐藏进程 %ws %p", Temp->ImageFileName, PsGetThreadProcess(TempThread)); } } diff --git a/SuperKernelHacking/ProcessFile.c b/SuperKernelHacking/ProcessFile.c index 27c0f2a..744a9eb 100644 --- a/SuperKernelHacking/ProcessFile.c +++ b/SuperKernelHacking/ProcessFile.c @@ -89,14 +89,16 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) ERRORLOG(0xc0000005, L"缓冲区错误指针"); return Status; } - - if (Eprocess != PsGetCurrentProcess()) + + if (Eprocess != PsGetThreadProcess(PsGetCurrentThread())) { + KeStackAttachProcess(Eprocess, &ApcState); IsAttch = TRUE; } + RtlZeroMemory(TmpName, PATH_MAX); if (PsGetProcessWow64Process(Eprocess) == NULL) @@ -104,10 +106,22 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) //64位 PPEB Peb = PsGetProcessPeb(Eprocess); + if (Peb) { + + if (Peb->Ldr == NULL) + { + /*啥情况....可能是进程退出过程中*/ + KeUnstackDetachProcess(&ApcState); + return Status; + } + PLIST_ENTRY pListEntry = Peb->Ldr->InLoadOrderModuleList.Flink; + PLDR_DATA_TABLE_ENTRY pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); + + __try { RtlCopyMemory(TmpName, (PVOID)pEntry->BaseDllName.Buffer, pEntry->BaseDllName.Length); 
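Review bot: The re-enabled insertion still uses `SkCreatProcessChain()` without a NULL check before handing it to SkProcessChainDataInput and linking it at `Temp->Next`, ignores SkProcessChainDataInput's BOOLEAN, and reads the EPROCESS from PsGetThreadProcess without referencing it. Add `if (Entry == NULL) { ObDereferenceObject(TempThread); break; }` after the allocation and release the node with SKFreeProcessChainNode when data input fails. The enclosing loop starts before this hunk.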
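Review bot: The new `Peb->Ldr == NULL` branch in the hunk at -104 calls `KeUnstackDetachProcess(&ApcState)` unconditionally, but the attach at the top of the function (hunk -89) only happens when Eprocess is not the current thread's process, so for the own-process case this detaches with an ApcState that was never filled in; the same branch also returns without freeing TmpName, which the function allocates earlier, outside this hunk. Reading `Peb->Ldr` happens outside the `__try` that protects the copies below it, yet the PEB is user-mode memory of the target process. Guard the detach and release the buffer — `if (IsAttch) { KeUnstackDetachProcess(&ApcState); } ExFreePool(TmpName); return Status;` — and move the Ldr read under the `__try`.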
@@ -122,6 +136,7 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) } else { + //32位 PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(Eprocess); if (pPeb32) @@ -144,6 +159,7 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) if (IsAttch) { + KeUnstackDetachProcess(&ApcState); } -- Gitee From 047a1acaa96bf35bc3fa5a83a1e41554fff7eb55 Mon Sep 17 00:00:00 2001 From: 1114135188 <1114135188@QQ.com> Date: Thu, 14 Jul 2022 14:56:47 +0800 Subject: [PATCH 08/10] =?UTF-8?q?=E4=B8=8A=E9=94=81=E7=9A=84=E9=97=AE?= =?UTF-8?q?=E9=A2=98=20=E6=B2=A1=E4=BF=AE=E5=A4=8D=20=E5=90=8E=E9=9D=A2?= =?UTF-8?q?=E5=86=8D=E8=AF=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/ProcessFile.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/SuperKernelHacking/ProcessFile.c b/SuperKernelHacking/ProcessFile.c index 744a9eb..d53b19c 100644 --- a/SuperKernelHacking/ProcessFile.c +++ b/SuperKernelHacking/ProcessFile.c @@ -67,6 +67,9 @@ POBJECT_NAME_INFORMATION SkGetProcessImagePathNameByPNI(_In_ PEPROCESS Eprocess) return NULL; } +/* + 这个玩意要上锁 偷懒放着里 后面再说 +*/ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) { BOOLEAN IsAttch = FALSE; @@ -141,6 +144,13 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(Eprocess); if (pPeb32) { + if (pPeb32->Ldr == 0) + { + /*啥情况....可能是进程退出过程中*/ + KeUnstackDetachProcess(&ApcState); + return Status; + } + PLIST_ENTRY32 pListEntry = (PLIST_ENTRY32)((PPEB_LDR_DATA32)pPeb32->Ldr)->InLoadOrderModuleList.Flink; PLDR_DATA_TABLE_ENTRY32 pEntry = CONTAINING_RECORD(pListEntry, LDR_DATA_TABLE_ENTRY32, InLoadOrderLinks); __try -- Gitee From 9a09a5d3a58adf418d4cecd41f0dc09bb6c6745f Mon Sep 17 00:00:00 2001 
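Review bot: The 32-bit branch in the hunk at -141 repeats the pattern of the 64-bit Ldr check: `KeUnstackDetachProcess(&ApcState)` runs even when IsAttch is FALSE, TmpName is not freed on the early return, and `pPeb32->Ldr` is read from the target's user memory outside the `__try`. Apply the same fix here — detach only `if (IsAttch)`, free TmpName, and move the read under `__try`. The lock the new comment at -67 asks for would not protect these reads anyway: the Ldr list is owned and modifiable by the target process, so values taken from it such as BaseDllName.Length need a bounds check against PATH_MAX before the RtlCopyMemory (a USHORT Length can exceed PATH_MAX if that constant is below 65535), not a kernel lock.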
From: 1114135188 <1114135188@QQ.com> Date: Thu, 14 Jul 2022 16:12:00 +0800 Subject: [PATCH 09/10] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=93=9D=E5=B1=8F?= =?UTF-8?q?=E5=92=8C=E9=87=8D=E5=A4=8D=E6=B7=BB=E5=8A=A0BUG?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking/EnumeProcess.c | 8 ++++---- SuperKernelHacking/ProcessFile.c | 7 ++++++- 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index 62f1f6e..1cf0bc0 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -342,7 +342,7 @@ BOOLEAN SkFindEProcess(PEPROCESS Eprocess, PSkProcessChain ListHead) { BOOLEAN IsFind = FALSE; PSkProcessChain Entry = ListHead; - while (Entry->Next != NULL) + while (Entry != NULL) { if (Entry->Eprocess == (ULONG64)Eprocess) { @@ -353,6 +353,8 @@ BOOLEAN SkFindEProcess(PEPROCESS Eprocess, PSkProcessChain ListHead) Entry = Entry->Next; } + + return IsFind; } @@ -381,13 +383,11 @@ PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) { if (!SkFindEProcess(PsGetThreadProcess(TempThread), ProcessChain)) { - //隐藏进程 - PSkProcessChain Entry = SkCreatProcessChain(); SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); Temp->Next = Entry; Temp = Entry; - OUTDEBUGINFO("隐藏进程 %ws %p", Temp->ImageFileName, PsGetThreadProcess(TempThread)); + OUTDEBUGINFO("隐藏进程 %ws %p %ws", Temp->ImageFileName, PsGetThreadProcess(TempThread), Temp->ImageFilePath); } } diff --git a/SuperKernelHacking/ProcessFile.c b/SuperKernelHacking/ProcessFile.c index d53b19c..3d87d01 100644 --- a/SuperKernelHacking/ProcessFile.c +++ b/SuperKernelHacking/ProcessFile.c 
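Review bot: The new OUTDEBUGINFO in the hunk at -381 formats `Temp->ImageFileName` and `Temp->ImageFilePath` with `%ws`, but both fields are set only when their allocation succeeded, and ImageFileName is skipped entirely on the early-return path added to SkProcessChainDataInput in an earlier commit, so a NULL pointer can reach the format call. Guard each argument, e.g. `Temp->ImageFileName ? Temp->ImageFileName : L""` (cast as the field's declared type requires), or print only the EPROCESS pointer when either is NULL. The SkCreatProcessChain and SkProcessChainDataInput calls just above it remain unchecked.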
@@ -78,8 +78,11 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) KAPC_STATE ApcState; + LARGE_INTEGER time = { 0 }; + PVOID TmpName = ExAllocatePool(NonPagedPool,PATH_MAX); + time.QuadPart = -250ll * 10 * 1000; if (TmpName == NULL) { ERRORLOG(0xc0000005, L"申请内存失败"); @@ -113,9 +116,10 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) if (Peb) { + if (Peb->Ldr == NULL) { - /*啥情况....可能是进程退出过程中*/ + KeUnstackDetachProcess(&ApcState); return Status; } @@ -144,6 +148,7 @@ NTSTATUS SkGetProcessImageNameByPEB(PEPROCESS Eprocess, PVOID ImageName) PPEB32 pPeb32 = (PPEB32)PsGetProcessWow64Process(Eprocess); if (pPeb32) { + if (pPeb32->Ldr == 0) { /*啥情况....可能是进程退出过程中*/ -- Gitee From f9acdbefec75ae711f16040195922e704de01325 Mon Sep 17 00:00:00 2001 From: 1114135188 <1114135188@QQ.com> Date: Thu, 14 Jul 2022 16:35:47 +0800 Subject: [PATCH 10/10] =?UTF-8?q?=E8=B0=83=E7=94=A8demo?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperKernelHacking.sln | 14 ++ SuperKernelHacking/DriverMaim.c | 33 ++++ SuperKernelHacking/EnumeProcess.c | 14 +- SuperKernelHacking/EnumeProcess.h | 3 + .../SuperKernelHackingClentDemo.cpp | 107 ++++++++++++ .../SuperKernelHackingClentDemo.vcxproj | 163 ++++++++++++++++++ ...uperKernelHackingClentDemo.vcxproj.filters | 22 +++ 7 files changed, 351 insertions(+), 5 deletions(-) create mode 100644 SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.cpp create mode 100644 SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj create mode 100644 SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj.filters diff --git a/SuperKernelHacking.sln b/SuperKernelHacking.sln index 7e64dac..cb495c4 100644 --- a/SuperKernelHacking.sln +++ b/SuperKernelHacking.sln 
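Review bot: `time.QuadPart = -250ll * 10 * 1000;` is an unexplained magic value placed between the allocation and its NULL check, and nothing in this hunk consumes `time`, so its role is presumably a delay or retry interval further down in SkGetProcessImageNameByPEB (outside the hunk). Fold the initialization into the declaration and name the unit, e.g. `LARGE_INTEGER time = { 0 }; time.QuadPart = -250ll * 10 * 1000; /* relative 250 ms in 100-ns units (negative = relative) */`, or better a named `static const LONGLONG` constant shared with wherever it is used. The neighbouring `ExAllocatePool` call is pre-existing, but since this hunk already edits those lines it is a good moment to switch to `ExAllocatePoolWithTag` so pool usage of this routine can be attributed when tracking leaks.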
@@ -5,6 +5,8 @@ VisualStudioVersion = 15.0.28307.1800 MinimumVisualStudioVersion = 10.0.40219.1 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SuperKernelHacking", "SuperKernelHacking\SuperKernelHacking.vcxproj", "{E16FE8D6-4E16-4B1D-BBAF-F6A032CF8846}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SuperKernelHackingClentDemo", "SuperKernelHackingClentDemo\SuperKernelHackingClentDemo.vcxproj", "{B3E34474-8754-4D2D-A44D-C985B7D3CBF0}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|ARM = Debug|ARM @@ -41,6 +43,18 @@ Global {E16FE8D6-4E16-4B1D-BBAF-F6A032CF8846}.Release|x86.ActiveCfg = Release|Win32 {E16FE8D6-4E16-4B1D-BBAF-F6A032CF8846}.Release|x86.Build.0 = Release|Win32 {E16FE8D6-4E16-4B1D-BBAF-F6A032CF8846}.Release|x86.Deploy.0 = Release|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Debug|ARM.ActiveCfg = Debug|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Debug|ARM64.ActiveCfg = Debug|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Debug|x64.ActiveCfg = Debug|x64 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Debug|x64.Build.0 = Debug|x64 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Debug|x86.ActiveCfg = Debug|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Debug|x86.Build.0 = Debug|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Release|ARM.ActiveCfg = Release|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Release|ARM64.ActiveCfg = Release|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Release|x64.ActiveCfg = Release|x64 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Release|x64.Build.0 = Release|x64 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Release|x86.ActiveCfg = Release|Win32 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/SuperKernelHacking/DriverMaim.c b/SuperKernelHacking/DriverMaim.c index 87d484e..3a7e145 100644 --- a/SuperKernelHacking/DriverMaim.c 
+++ b/SuperKernelHacking/DriverMaim.c @@ -19,8 +19,41 @@ NTSTATUS SkExtraDispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp) return STATUS_SUCCESS; } +BOOLEAN SkIoGetProcessList(_Outptr_ PVOID Buffer) +{ + if (*(ULONG64 *)Buffer == 0) + { + return FALSE; + } + + __try + { + ProbeForWrite((PVOID)(*(ULONG64 *)Buffer), sizeof(ULONG64), 1); + *(ULONG64 *)(*(ULONG64 *)Buffer) = (ULONG64)SkEnumeProcess(); + } + __except (1) + { + return FALSE; + } + + return TRUE; +} + NTSTATUS SkDispatch(PDEVICE_OBJECT pDevObj, PIRP pIrp) { + + NTSTATUS Status = STATUS_SUCCESS; + PIO_STACK_LOCATION psl = IoGetCurrentIrpStackLocation(pIrp); + ULONG Code = psl->Parameters.DeviceIoControl.IoControlCode; + PVOID Buffer = pIrp->AssociatedIrp.SystemBuffer; + + switch (Code) + { + case GET_PROCESS_LIST:SkIoGetProcessList(Buffer); break; + + + } + pIrp->IoStatus.Status = STATUS_SUCCESS; IoCompleteRequest(pIrp, IO_NO_INCREMENT); diff --git a/SuperKernelHacking/EnumeProcess.c b/SuperKernelHacking/EnumeProcess.c index 1cf0bc0..d0c658e 100644 --- a/SuperKernelHacking/EnumeProcess.c +++ b/SuperKernelHacking/EnumeProcess.c @@ -189,7 +189,7 @@ BOOLEAN SkProcessChainDataInput(_In_ PSkProcessChain ProcessChain, _In_ PEPROCES ProcessChain->Eprocess = (ULONG64)Eprocess; ProcessChain->InheritedFromUniqueProcessId = (ULONG64)PsGetProcessInheritedFromUniqueProcessId(Eprocess); ProcessChain->UniqueProcessId = (ULONG64)PsGetProcessId(Eprocess); - + ProcessChain->CreateTime = PsGetProcessCreateTimeQuadPart(Eprocess); { if (IsHide == FALSE) { 
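Review bot: SkDispatch dereferences `Buffer` (the IRP's SystemBuffer) with no check of `psl->Parameters.DeviceIoControl.InputBufferLength`, so a caller that sends GET_PROCESS_LIST with no input buffer or one shorter than 8 bytes turns `*(ULONG64 *)Buffer` into a NULL dereference or out-of-bounds read in kernel mode; the `__try` in SkIoGetProcessList only covers the probed user address, not the system buffer, so add before the switch `if (Buffer == NULL || psl->Parameters.DeviceIoControl.InputBufferLength < sizeof(ULONG64)) { Status = STATUS_BUFFER_TOO_SMALL; }` and only enter the switch when Status is still success. The result of `SkIoGetProcessList(Buffer)` is discarded and `Status` is declared but never written to the IRP, so the request completes with STATUS_SUCCESS and `IoStatus.Information` unset even when the probe or write failed; use `if (!SkIoGetProcessList(Buffer)) Status = STATUS_UNSUCCESSFUL;`, `pIrp->IoStatus.Status = Status;`, and a `default:` that sets STATUS_INVALID_DEVICE_REQUEST. The value written to the user address is a `PSkProcessChain` whose records carry raw `Eprocess` kernel addresses, and the client defines the IOCTL with FILE_ANY_ACCESS, so unless the device object is created with a restrictive security descriptor (outside this hunk) any local user can obtain EPROCESS addresses; gate the IOCTL with an access check or omit the kernel pointer from the user-visible record. `_Outptr_` is also the wrong SAL annotation for a parameter that is read, not written; `_In_ PVOID Buffer /* points at a user-mode ULONG64* to receive the list head */` states the real contract.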
@@ -384,10 +384,13 @@ PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) if (!SkFindEProcess(PsGetThreadProcess(TempThread), ProcessChain)) { PSkProcessChain Entry = SkCreatProcessChain(); - SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); - Temp->Next = Entry; - Temp = Entry; - OUTDEBUGINFO("隐藏进程 %ws %p %ws", Temp->ImageFileName, PsGetThreadProcess(TempThread), Temp->ImageFilePath); + if (Entry) + { + SkProcessChainDataInput(Entry, (PEPROCESS)PsGetThreadProcess(TempThread), TRUE); + Temp->Next = Entry; + Temp = Entry; + OUTDEBUGINFO("隐藏进程 %ws %p %ws", Temp->ImageFileName, PsGetThreadProcess(TempThread), Temp->ImageFilePath); + } } } @@ -397,6 +400,7 @@ PSkProcessChain SKFindHideProcessByThread(PSkProcessChain ProcessChain) return ProcessChain; } + PSkProcessChain SkEnumeProcess() { diff --git a/SuperKernelHacking/EnumeProcess.h b/SuperKernelHacking/EnumeProcess.h index d9b7a2f..85d0403 100644 --- a/SuperKernelHacking/EnumeProcess.h +++ b/SuperKernelHacking/EnumeProcess.h @@ -34,6 +34,9 @@ typedef struct _SkProcessChain /*进程路径*/ PVOID ImageFilePath; + /*创建时间*/ + LONG64 CreateTime; + /*隐藏进程*/ ULONG64 IsHideProcess; diff --git a/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.cpp b/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.cpp new file mode 100644 index 0000000..0393731 --- /dev/null +++ b/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.cpp 
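Review bot: The new `if (Entry)` guard avoids the NULL dereference, but when SkCreatProcessChain fails the hidden process is silently dropped from the result, which for a hide-detection routine is a false negative nobody sees. Log the omission in an else branch, e.g. `else OUTDEBUGINFO("hidden process %p skipped: SkCreatProcessChain failed", PsGetThreadProcess(TempThread));`, so a run that came back incomplete can be recognised. The `%ws` arguments in the retained OUTDEBUGINFO depend on SkProcessChainDataInput having filled ImageFileName/ImageFilePath, which its early-return paths in ProcessFile.c may not do; that is inferred from the other hunks rather than visible here. SKFindHideProcessByThread starts outside this hunk.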
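Review bot: `LONG64 CreateTime;` is inserted in the middle of _SkProcessChain, and the same struct is copied by hand into SuperKernelHackingClentDemo.cpp in this commit, so the two definitions are coupled only by convention: any future field added or reordered on one side silently misreads every following field on the other. Move the struct (and the GET_PROCESS_LIST CTL_CODE definition) into a header shared by the driver and the client, or at least add `/* layout mirrored in SuperKernelHackingClentDemo.cpp; keep both in sync */` above the struct. Appending new fields at the end rather than in the middle would also keep an older client reading the leading fields correctly.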
@@ -0,0 +1,107 @@ +锘// SuperKernelHackingClentDemo.cpp : 姝ゆ枃浠跺寘鍚 "main" 鍑芥暟銆傜▼搴忔墽琛屽皢鍦ㄦ澶勫紑濮嬪苟缁撴潫銆 +// + +#include +#include +#include + +#define DEVICE_NAME L"\\Device\\SuperKernelHacking" +#define LINK_NAME L"\\??\\SuperKernelHacking" + +#define BASE_CODE 0x800 + +#define GET_PROCESS_LIST CTL_CODE(FILE_DEVICE_UNKNOWN, BASE_CODE + 0X100, METHOD_IN_DIRECT, FILE_ANY_ACCESS) + + +typedef struct _SkProcessChain +{ + /*杩涚▼PID*/ + ULONG64 UniqueProcessId; + + /*鐖惰繘绋婸ID*/ + ULONG64 InheritedFromUniqueProcessId; + + /*杩涚▼EPROCESS*/ + ULONG64 Eprocess; + + /*杩涚▼鍚*/ + PVOID ImageFileName; + + /*杩涚▼璺緞*/ + PVOID ImageFilePath; + + /*鍒涘缓鏃堕棿*/ + LONG64 CreateTime; + + /*闅愯棌杩涚▼*/ + ULONG64 IsHideProcess; + + struct _SkProcessChain *Next; +}SkProcessChain, *PSkProcessChain; + +class Drv +{ +public: + Drv(); +public: + PVOID GetProcessList(); +private: + HANDLE m_DeviceHandle; +}; + + +int main() +{ + Drv Test; + PSkProcessChain ProcessList = (PSkProcessChain)Test.GetProcessList(); + while (ProcessList != NULL) + { + printf("CreateTime = %p\n", ProcessList->CreateTime); + printf("EPROCESS = %p\n", ProcessList->Eprocess); + printf("ImageFileName = %ws\n", ProcessList->ImageFileName); + printf("ImageFilePath = %ws\n", ProcessList->ImageFilePath); + printf("InheritedFromUniqueProcessId = %d\n", ProcessList->InheritedFromUniqueProcessId); + printf("Hide = %d\n", ProcessList->IsHideProcess); + printf("UniqueProcessId = %d\n", ProcessList->UniqueProcessId); + printf("-------------------------\n"); + ProcessList = ProcessList->Next; + } + + while (1) Sleep(1000); +} + +Drv::Drv() +{ + m_DeviceHandle = CreateFileW(LINK_NAME, + GENERIC_READ | GENERIC_WRITE, + 0, + NULL, + OPEN_EXISTING, + 0, + NULL + ); + + if (m_DeviceHandle == INVALID_HANDLE_VALUE) + { + MessageBoxA(0, "鍔犺浇椹卞姩澶辫触\n", "OAA_AM_SB", 0); + exit(0); + } +} + +PVOID Drv::GetProcessList() +{ + /*杩斿洖鐨勬槸涓涓寚閽堝瓨鏀惧湪Info閲屾墍浠ヨ繖閲岃浼犲叆info鐨勫湴鍧*/ + ULONG64 Info = 0; + ULONG64 Buffer = (ULONG64)&Info; + DWORD dwRet = 0; + BOOL Status = 
DeviceIoControl(m_DeviceHandle, + GET_PROCESS_LIST, + &Buffer, + sizeof(ULONG64), + NULL, + NULL, + &dwRet, + NULL + ); + return (PVOID)Info; +} diff --git a/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj b/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj new file mode 100644 index 0000000..28186fe --- /dev/null +++ b/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj @@ -0,0 +1,163 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 15.0 + {B3E34474-8754-4D2D-A44D-C985B7D3CBF0} + Win32Proj + SuperKernelHackingClentDemo + 10.0.19041.0 + + + + Application + true + v141 + Unicode + + + Application + false + v141 + true + Unicode + + + Application + true + v141 + Unicode + Static + + + Application + false + v141 + true + Unicode + Static + + + + + + + + + + + + + + + + + + + + + true + + + true + + + false + + + false + + + + + + Level3 + Disabled + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + User32.lib + + + + + + + Level3 + Disabled + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + + + + + + + Level3 + MaxSpeed + true + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + + + + + + + Level3 + MaxSpeed + true + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + + + Console + true + true + true + User32.lib + + + + + + + + + \ No newline at end of file diff --git a/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj.filters b/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj.filters new file mode 100644 index 0000000..9572a84 --- /dev/null +++ b/SuperKernelHackingClentDemo/SuperKernelHackingClentDemo.vcxproj.filters 
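Review bot: The printf calls in main pass ULONG64/LONG64 fields to `%d` and `%p` (`InheritedFromUniqueProcessId`, `IsHideProcess`, `UniqueProcessId`, `CreateTime`), which is undefined behaviour and on a 32-bit build can consume the wrong number of argument bytes so later fields print garbage; use `%llu` for the ULONG64 fields and `%lld` for CreateTime, e.g. `printf("UniqueProcessId = %llu\n", ProcessList->UniqueProcessId);`. Drv::GetProcessList ignores `Status` from DeviceIoControl and returns whatever `Info` holds, and passes `NULL` where DeviceIoControl expects a DWORD output size; write `if (!Status) return NULL;` and pass `0` for nOutBufferSize. main then walks `ProcessList->Next` directly, so the whole chain must live in this process's address space and someone must own its release; that contract is not documented in the demo and the list is never freed before the `while (1) Sleep(1000);` loop, so a comment on GetProcessList stating who allocates and who frees the nodes is needed.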
@@ -0,0 +1,22 @@ +锘 + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + 婧愭枃浠 + + + \ No newline at end of file -- Gitee