抱歉,您的浏览器无法访问本站
本页面需要浏览器支持(启用)JavaScript
了解详情 >

Windows内核-KPCR

Windows内核

发布于:2024年11月15日

KPCR_进程

知识点

KPCR 结构

FS=0x30, 在内核中的时候就是指向KPCR;
FS=0x3b, 在应用层的时候指向当前线程的TEB;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
kd> dt _KPCR
ntdll!_KPCR
   +0x000 NtTib            : _NT_TIB
        kd> dt _NT_TIB
            ntdll!_NT_TIB
            +0x000 ExceptionList    : Ptr32 _EXCEPTION_REGISTRATION_RECORD
            +0x004 StackBase        : Ptr32 Void        // 动态, 记录当前线程堆栈
            +0x008 StackLimit       : Ptr32 Void        // 动态, 记录当前线程堆栈
            +0x00c SubSystemTib     : Ptr32 Void
            +0x010 FiberData        : Ptr32 Void
            +0x010 Version          : Uint4B
            +0x014 ArbitraryUserPointer : Ptr32 Void
            +0x018 Self             : Ptr32 _NT_TIB     // 指向_NT_TIB本身, 在某些情况下会指向TEB
--------------------------------------------------------------
   +0x000 Used_ExceptionList : Ptr32 _EXCEPTION_REGISTRATION_RECORD     // 异常链表
   +0x004 Used_StackBase   : Ptr32 Void
   +0x008 Spare2           : Ptr32 Void
   +0x00c TssCopy          : Ptr32 Void
   +0x010 ContextSwitches  : Uint4B
   +0x014 SetMemberCopy    : Uint4B
   +0x018 Used_Self        : Ptr32 Void
   +0x01c SelfPcr          : Ptr32 _KPCR            // 一定指向自己(KPCR)
   +0x020 Prcb             : Ptr32 _KPRCB           // _KPRCB(CPU控制块拓展块), 指向0x120 PrcbData: _KPRCB
   +0x024 Irql             : UChar                  // 和中断相关
   +0x028 IRR              : Uint4B                 // 和中断相关, 派发的中断
   +0x02c IrrActive        : Uint4B                 // 和中断相关
   +0x030 IDR              : Uint4B                 // 和中断相关, 已经派发的中断
   +0x034 KdVersionBlock   : Ptr32 Void             // kd版本
   +0x038 IDT              : Ptr32 _KIDTENTRY       // IDT表
   +0x03c GDT              : Ptr32 _KGDTENTRY       // GDT表
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 SpareUnused      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB

KiProcessorBlock CPU控制扩展块数组
KeNumberProcessors CPU核心数量

dd KiProcessorBlock(80b9c120) => dq 80b98800(80409380`c0004fff) => 80b9c000 + 0x120

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
kd> x nt!*ProcessorBlock*
84142fbb          nt!KiConfigureProcessorBlock (_KiConfigureProcessorBlock@8)
83f89a00          nt!KiProcessorBlock = <no type information>
kd> dd KiProcessorBlock
83f89a00  80b9c120 00000000 00000000 00000000
83f89a10  00000000 00000000 00000000 00000000
83f89a20  00000000 00000000 00000000 00000000
83f89a30  00000000 00000000 00000000 00000000
83f89a40  00000000 00000000 00000000 00000000
83f89a50  00000000 00000000 00000000 00000000
83f89a60  00000000 00000000 00000000 00000000
83f89a70  00000000 00000000 00000000 00000000
kd> r gdtr
gdtr=80b98800
kd> dq 80b98800
ReadVirtual: 80b98800 not properly sign extended
80b98800  00000000`00000000 00cf9b00`0000ffff
80b98810  00cf9300`0000ffff 00cffb00`0000ffff
80b98820  00cff300`0000ffff 80008bb9`8c0020ab
80b98830  804093b9`c0004fff 0040f300`00000fff
80b98840  0000f200`0400ffff 00000000`00000000
80b98850  800089b9`ad200067 800089b9`acb00067
80b98860  00000000`00000000 00000000`00000000
80b98870  800092b9`880003ff 00000000`00000000
kd> x nt!*KeNumber*
83f89ac8          nt!KeNumberProcessors = <no type information>
83f89ac4          nt!KeNumberNodes = <no type information>
83f899fb          nt!KeNumberProcessorsGroup0 = <no type information>
kd> dd KeNumberProcessors
83f89ac8  00000001 00000002 00000001 00000000
83f89ad8  00000000 00000020 111f0000 00000006
83f89ae8  0000a502 77516b38 77516a38 77516aa0
83f89af8  77516ae8 7750554f 83e7f414 00000000
83f89b08  00000191 83e7fa5c 00000000 00000000
83f89b18  00000000 00000000 7750554d 77505524
83f89b28  00000000 00cdaa56 841ec5b8 841554f4
83f89b38  83ef468f 00000000 83e7f414 00000000
kd> dt _KPCR 80b9c000
ntdll!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x000 Used_ExceptionList : 0x83f4913c _EXCEPTION_REGISTRATION_RECORD
   +0x004 Used_StackBase   : (null) 
   +0x008 Spare2           : (null) 
   +0x00c TssCopy          : 0x80b98c00 Void
   +0x010 ContextSwitches  : 0x3998d
   +0x014 SetMemberCopy    : 1
   +0x018 Used_Self        : (null) 
   +0x01c SelfPcr          : 0x80b9c000 _KPCR
   +0x020 Prcb             : 0x80b9c120 _KPRCB
   +0x024 Irql             : 0x1f ''
   +0x028 IRR              : 0
   +0x02c IrrActive        : 0
   +0x030 IDR              : 0xffffffff
   +0x034 KdVersionBlock   : 0x83f4cdc0 Void
   +0x038 IDT              : 0x80b98000 _KIDTENTRY
   +0x03c GDT              : 0x80b98800 _KGDTENTRY
   +0x040 TSS              : 0x80b98c00 _KTSS
   +0x044 MajorVersion     : 1                  // 版本, 扩展使用
   +0x046 MinorVersion     : 1                  // 版本, 扩展使用
   +0x048 SetMember        : 1                  // 线程切换使用
   +0x04c StallScaleFactor : 0xa20
   +0x050 SpareUnused      : 0 ''
   +0x051 Number           : 0 ''               // 当前核数
   +0x052 Spare0           : 0 ''
   +0x053 SecondLevelCacheAssociativity : 0 ''
   +0x054 VdmAlert         : 0
   +0x058 KernelReserved   : [14] 0
   +0x090 SecondLevelCacheSize : 0
   +0x094 HalReserved      : [16] 0x1000000
   +0x0d4 InterruptMode    : 0
   +0x0d8 Spare1           : 0 ''
   +0x0dc KernelReserved2  : [17] 0
   +0x120 PrcbData         : _KPRCB

进程

Ex: 执行体函数, 进程、线程、链表、对象属性赋值、取值, 加锁相关;
Ke: 内核函数, 大部分导出;
Ki: 微内核函数, 不导出, 内部自己使用, 进程、线程、CPU调度相关
Ps: 执行体函数, 进程、线程相关;
Mm: 内存相关函数, 一般导出;
Mi: 内存相关函数, Mm函数底层调用Mi, 不导出;
Io: 文件、设备相关, 导出;
Cc: 文件缓存;
Rtl: 导出函数, 一般是运行库、字符串, 执行体函数;
Zw: SSDT, 但是Zw不需要修改线程的先前模式;
Nt: Zw函数会调用到Nt, 本身Zw函数不实现功能;
CM: 注册表相关;
hal: 硬件相关函数;
Ob: 对象管理器, 句柄、创建内核对象、查询内核对象;
Pnp: 电源管理;
Psp: 执行体函数, 进程、线程, Ps函数实现复杂功能的时候都是调用Psp;

OBJECT_HEADER(对象头结构体)

32位下为0x18, 64位下为0x30;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
kd> dt _OBJECT_HEADER
nt!_OBJECT_HEADER
   +0x000 PointerCount     : Int4B           // Ob类函数引用次数
   +0x004 HandleCount      : Int4B           // 句柄引用
   +0x004 NextToFree       : Ptr32 Void
   +0x008 Lock             : _EX_PUSH_LOCK
   +0x00c TypeIndex        : UChar
   +0x00d TraceFlags       : UChar
   +0x00e InfoMask         : UChar
   +0x00f Flags            : UChar           // 设置为4保护进程
   +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION
   +0x010 QuotaBlockCharged : Ptr32 Void
   +0x014 SecurityDescriptor : Ptr32 Void
   +0x018 Body             : _QUAD

EPROCESS(执行体结构)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
kd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x098 ProcessLock      : _EX_PUSH_LOCK            // 进程锁
   +0x0a0 CreateTime       : _LARGE_INTEGER           // 进程创建时间
   +0x0a8 ExitTime         : _LARGE_INTEGER           // 进程结束时间
   +0x0b0 RundownProtect   : _EX_RUNDOWN_REF          // 进程运行保护锁
   +0x0b4 UniqueProcessId  : Ptr32 Void               // 进程ID
   +0x0b8 ActiveProcessLinks : _LIST_ENTRY            // 活动进程链表
   +0x0c0 ProcessQuotaUsage : [2] Uint4B              // 统计进程所用内存
   +0x0c8 ProcessQuotaPeak : [2] Uint4B
   +0x0d0 CommitCharge     : Uint4B
   +0x0d4 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x0d8 CpuQuotaBlock    : Ptr32 _PS_CPU_QUOTA_BLOCK
   +0x0dc PeakVirtualSize  : Uint4B
   +0x0e0 VirtualSize      : Uint4B
   +0x0e4 SessionProcessLinks : _LIST_ENTRY           // 针对某个用户的进程链表
   +0x0ec DebugPort        : Ptr32 Void               // 有值代表正在被调式
   +0x0f0 ExceptionPortData : Ptr32 Void              // 异常
   +0x0f0 ExceptionPortValue : Uint4B                 // 异常
   +0x0f0 ExceptionPortState : Pos 0, 3 Bits
   +0x0f4 ObjectTable      : Ptr32 _HANDLE_TABLE      // 句柄表
   +0x0f8 Token            : _EX_FAST_REF             // 代表有什么权限
   +0x0fc WorkingSetPage   : Uint4B                   // 目前用了多少页
   +0x100 AddressCreationLock : _EX_PUSH_LOCK      
   +0x104 RotateInProgress : Ptr32 _ETHREAD
   +0x108 ForkInProgress   : Ptr32 _ETHREAD
   +0x10c HardwareTrigger  : Uint4B
   +0x110 PhysicalVadRoot  : Ptr32 _MM_AVL_TABLE
   +0x114 CloneRoot        : Ptr32 Void
   +0x118 NumberOfPrivatePages : Uint4B
   +0x11c NumberOfLockedPages : Uint4B
   +0x120 Win32Process     : Ptr32 Void
   +0x124 Job              : Ptr32 _EJOB
   +0x128 SectionObject    : Ptr32 Void
   +0x12c SectionBaseAddress : Ptr32 Void
   +0x130 Cookie           : Uint4B
   +0x134 Spare8           : Uint4B
   +0x138 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x13c Win32WindowStation : Ptr32 Void
   +0x140 InheritedFromUniqueProcessId : Ptr32 Void
   +0x144 LdtInformation   : Ptr32 Void
   +0x148 VdmObjects       : Ptr32 Void
   +0x14c ConsoleHostProcess : Uint4B
   +0x150 DeviceMap        : Ptr32 Void
   +0x154 EtwDataSource    : Ptr32 Void
   +0x158 FreeTebHint      : Ptr32 Void
   +0x160 PageDirectoryPte : Uint8B
   +0x168 Session          : Ptr32 Void
   +0x16c ImageFileName    : [15] UChar            // 进程名称
   +0x17b PriorityClass    : UChar
   +0x17c JobLinks         : _LIST_ENTRY
   +0x184 LockedPagesList  : Ptr32 Void
   +0x188 ThreadListHead   : _LIST_ENTRY           // 线程链表
   +0x190 SecurityPort     : Ptr32 Void
   +0x194 PaeTop           : Ptr32 Void
   +0x198 ActiveThreads    : Uint4B                // 当前进程有多少进程
   +0x19c ImagePathHash    : Uint4B
   +0x1a0 DefaultHardErrorProcessing : Uint4B
   +0x1a4 LastThreadExitStatus : Int4B
   +0x1a8 Peb              : Ptr32 _PEB            // peb
   +0x1ac PrefetchTrace    : _EX_FAST_REF
   +0x1b0 ReadOperationCount : _LARGE_INTEGER
   +0x1b8 WriteOperationCount : _LARGE_INTEGER
   +0x1c0 OtherOperationCount : _LARGE_INTEGER
   +0x1c8 ReadTransferCount : _LARGE_INTEGER
   +0x1d0 WriteTransferCount : _LARGE_INTEGER
   +0x1d8 OtherTransferCount : _LARGE_INTEGER
   +0x1e0 CommitChargeLimit : Uint4B
   +0x1e4 CommitChargePeak : Uint4B
   +0x1e8 AweInfo          : Ptr32 Void
   +0x1ec SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO        // 完整路径
   +0x1f0 Vm               : _MMSUPPORT
   +0x25c MmProcessLinks   : _LIST_ENTRY
   +0x264 HighestUserAddress : Ptr32 Void
   +0x268 ModifiedPageCount : Uint4B
   +0x26c Flags2           : Uint4B
   +0x26c JobNotReallyActive : Pos 0, 1 Bit
   +0x26c AccountingFolded : Pos 1, 1 Bit
   +0x26c NewProcessReported : Pos 2, 1 Bit
   +0x26c ExitProcessReported : Pos 3, 1 Bit
   +0x26c ReportCommitChanges : Pos 4, 1 Bit
   +0x26c LastReportMemory : Pos 5, 1 Bit
   +0x26c ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x26c HandleTableRundown : Pos 7, 1 Bit
   +0x26c NeedsHandleRundown : Pos 8, 1 Bit
   +0x26c RefTraceEnabled  : Pos 9, 1 Bit
   +0x26c NumaAware        : Pos 10, 1 Bit
   +0x26c ProtectedProcess : Pos 11, 1 Bit            // 进程保护
   +0x26c DefaultPagePriority : Pos 12, 3 Bits
   +0x26c PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x26c ProcessVerifierTarget : Pos 16, 1 Bit
   +0x26c StackRandomizationDisabled : Pos 17, 1 Bit
   +0x26c AffinityPermanent : Pos 18, 1 Bit
   +0x26c AffinityUpdateEnable : Pos 19, 1 Bit
   +0x26c PropagateNode    : Pos 20, 1 Bit
   +0x26c ExplicitAffinity : Pos 21, 1 Bit
   +0x26c Spare1           : Pos 22, 1 Bit
   +0x26c ForceRelocateImages : Pos 23, 1 Bit
   +0x26c DisallowStrippedImages : Pos 24, 1 Bit
   +0x26c LowVaAccessible  : Pos 25, 1 Bit
   +0x26c RestrictIndirectBranchPrediction : Pos 26, 1 Bit
   +0x26c AddressPolicyFrozen : Pos 27, 1 Bit
   +0x26c SpeculativeStoreBypassDisable : Pos 28, 1 Bit
   +0x270 Flags            : Uint4B
   +0x270 CreateReported   : Pos 0, 1 Bit          // 创建进程时是否上报
   +0x270 NoDebugInherit   : Pos 1, 1 Bit
   +0x270 ProcessExiting   : Pos 2, 1 Bit          // 进程是否在退出中
   +0x270 ProcessDelete    : Pos 3, 1 Bit          // 进程内存是否全部删除
   +0x270 Wow64SplitPages  : Pos 4, 1 Bit
   +0x270 VmDeleted        : Pos 5, 1 Bit
   +0x270 OutswapEnabled   : Pos 6, 1 Bit
   +0x270 Outswapped       : Pos 7, 1 Bit
   +0x270 ForkFailed       : Pos 8, 1 Bit
   +0x270 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x270 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x270 SetTimerResolution : Pos 12, 1 Bit
   +0x270 BreakOnTermination : Pos 13, 1 Bit
   +0x270 DeprioritizeViews : Pos 14, 1 Bit
   +0x270 WriteWatch       : Pos 15, 1 Bit
   +0x270 ProcessInSession : Pos 16, 1 Bit
   +0x270 OverrideAddressSpace : Pos 17, 1 Bit
   +0x270 HasAddressSpace  : Pos 18, 1 Bit
   +0x270 LaunchPrefetched : Pos 19, 1 Bit
   +0x270 InjectInpageErrors : Pos 20, 1 Bit
   +0x270 VmTopDown        : Pos 21, 1 Bit         // 置1代表申请内存时从最后开始申请
   +0x270 ImageNotifyDone  : Pos 22, 1 Bit
   +0x270 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x270 VdmAllowed       : Pos 24, 1 Bit
   +0x270 CrossSessionCreate : Pos 25, 1 Bit
   +0x270 ProcessInserted  : Pos 26, 1 Bit         // 设置为0将进程保护起来,打开不了句柄
   +0x270 DefaultIoPriority : Pos 27, 3 Bits
   +0x270 ProcessSelfDelete : Pos 30, 1 Bit
   +0x270 SetTimerResolutionLink : Pos 31, 1 Bit
   +0x274 ExitStatus       : Int4B              // 进程退出状态码(通常创建时为259或0x103)
   +0x278 VadRoot          : _MM_AVL_TABLE
   +0x298 AlpcContext      : _ALPC_PROCESS_CONTEXT
   +0x2a8 TimerResolutionLink : _LIST_ENTRY
   +0x2b0 RequestedTimerResolution : Uint4B
   +0x2b4 ActiveThreadsHighWatermark : Uint4B
   +0x2b8 SmallestTimerResolution : Uint4B
   +0x2bc TimerResolutionStackRecord : Ptr32 _PO_DIAG_STACK_RECORD
   +0x2c0 SequenceNumber   : Uint8B
   +0x2c8 CreateInterruptTime : Uint8B
   +0x2d0 CreateUnbiasedInterruptTime : Uint8B
   +0x2d8 SecurityDomain   : Uint8B

作业: ActiveProcessLinks 断链

KPROCESS(内核结构)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
kd> dt _KPROCESS
ntdll!_KPROCESS
   +0x000 Header           : _DISPATCHER_HEADER
   +0x010 ProfileListHead  : _LIST_ENTRY        // 性能分析
   +0x018 DirectoryTableBase : Uint4B           // 当前进程的cr3
   +0x01c LdtDescriptor    : _KGDTENTRY
   +0x024 Int21Descriptor  : _KIDTENTRY
   +0x02c ThreadListHead   : _LIST_ENTRY    
   +0x034 ProcessLock      : Uint4B
   +0x038 Affinity         : _KAFFINITY_EX      // 亲核性
   +0x044 ReadyListHead    : _LIST_ENTRY        // 就绪链表
   +0x04c SwapListEntry    : _SINGLE_LIST_ENTRY
   +0x050 ActiveProcessors : _KAFFINITY_EX
   +0x05c AutoAlignment    : Pos 0, 1 Bit       // 进程是否是对齐的
   +0x05c DisableBoost     : Pos 1, 1 Bit       // 
   +0x05c DisableQuantum   : Pos 2, 1 Bit       // 进程关闭线程时间碎片的设置
   +0x05c ActiveGroupsMask : Pos 3, 1 Bit       // 
   +0x05c ReservedFlags    : Pos 4, 28 Bits
   +0x05c ProcessFlags     : Int4B
   +0x060 BasePriority     : Char               // 线程继承的优先级
   +0x061 QuantumReset     : Char               // 时间碎片
   +0x062 Visited          : UChar              
   +0x063 Unused3          : UChar
   +0x064 ThreadSeed       : [1] Uint4B
   +0x068 IdealNode        : [1] Uint2B
   +0x06a IdealGlobalNode  : Uint2B
   +0x06c Flags            : _KEXECUTE_OPTIONS
   +0x06d AddressPolicy    : UChar
   +0x06e IopmOffset       : Uint2B
   +0x070 Unused4          : Uint4B
   +0x074 StackCount       : _KSTACK_COUNT
   +0x078 ProcessListEntry : _LIST_ENTRY
   +0x080 CycleTime        : Uint8B
   +0x088 KernelTime       : Uint4B
   +0x08c UserTime         : Uint4B
   +0x090 VdmTrapcHandler  : Ptr32 Void

保护进程

通过将设置OBJECT_HEADER中的Flags为4, 保护进程不被打开;

实验代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#include <ntifs.h>

EXTERN_C UCHAR * PsGetProcessImageFileName(__in PEPROCESS Process);

/*
#define OB_FLAG_NEW_OBJECT              0x01
#define OB_FLAG_KERNEL_OBJECT           0x02
#define OB_FLAG_CREATOR_INFO            0x04	// 表示进程刚被创建, 还未创建ObjectCreateInfo,不让打开
#define OB_FLAG_EXCLUSIVE_OBJECT        0x08
#define OB_FLAG_PERMANENT_OBJECT        0x10
#define OB_FLAG_DEFAULT_SECURITY_QUOTA  0x20
#define OB_FLAG_SINGLE_HANDLE_ENTRY     0x40
#define OB_FLAG_DELETED_INLINE          0x80
*/

VOID SetProcessFlag(PEPROCESS pEProcess)
{
	PUCHAR pObjectHeader = NULL;
#ifdef _WIN64
	pObjectHeader = ((PUCHAR)pEProcess - 0x30);
	*(pObjectHeader + 0x1b) |= 4;
#else
	pObjectHeader = ((PUCHAR)pEProcess - 0x18);
	*(pObjectHeader + 0x0f) |= 4;
#endif // _WIN64
}

VOID ReSetProcessFlag(PEPROCESS pEProcess)
{
	PUCHAR pObjectHeader = NULL;
#ifdef _WIN64
	pObjectHeader = ((PUCHAR)pEProcess - 0x30);
	*(pObjectHeader + 0x1b) &= ~4;
#else
	pObjectHeader = ((PUCHAR)pEProcess - 0x18);
	*(pObjectHeader + 0x0f) &= ~4;
#endif // _WIN64
}

PEPROCESS FindProcessByName(char * szName)
{
	PEPROCESS pFindEProcess = NULL;
	for (int i = 4; i < 0x1000000; i+=4)
	{
		PEPROCESS pEProcess = NULL;
		NTSTATUS status = PsLookupProcessByProcessId((HANDLE)i, &pEProcess);
		if (!NT_SUCCESS(status))
		{
			continue;
		}
		// PsGetProcessImageFileName函数返回的名称有长度限制(15个字节)
		PUCHAR pszProcessName = PsGetProcessImageFileName(pEProcess);
		DbgPrintEx(77, 0, "[+] FindProcessByName: %s\r\n", pszProcessName);
		if (pszProcessName && _stricmp(szName, pszProcessName) == 0)
		{
			pFindEProcess = pEProcess;
			break;
		}
		// 引用计数减一
		ObDereferenceObject(pEProcess);
	}
	return pFindEProcess;
}

VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
	DbgPrintEx(77, 0, "-------------DriverUnload-------------");
	PEPROCESS pEProcess = FindProcessByName("Dbgview.exe");
	if (!pEProcess)
	{
		return;
	}
	ReSetProcessFlag(pEProcess);
	ObDereferenceObject(pEProcess);
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
	DbgPrintEx(77, 0, "-------------DriverEntry-------------");

	PEPROCESS pEProcess = FindProcessByName("Dbgview.exe");
	if (!pEProcess)
	{
		return STATUS_UNSUCCESSFUL;
	}
	DbgPrintEx(77, 0, "FindProcessByName Done.");
	SetProcessFlag(pEProcess);

	// PsLookupProcessByProcessId((HANDLE)3824, &pEProcess);
	// 32位:0x18
	// 64位:0x30
	/*PUCHAR pObjectHeader = ((PUCHAR)pEProcess + 0x18);
	*(pObjectHeader + 0xf) |= 4;*/

	ObDereferenceObject(pEProcess);

	pDriver->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}

进程断链(ActiveProcessLinks)

获取ActiveProcessLinks偏移

在内核文件中存在PsGetProcessId函数, 代码中存在eax+0B4h(代表EPROCESS中0x0b4 UniqueProcessId进程ID), 通过此处再加4得到ActiveProcessLinks偏移;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
.text:004B87D6 ; HANDLE __stdcall PsGetProcessId(PEPROCESS Process)
.text:004B87D6                 public _PsGetProcessId@4
.text:004B87D6 _PsGetProcessId@4 proc near             ; CODE XREF: EtwpNotifyGuid(x,x)+13E↓p
.text:004B87D6
.text:004B87D6 Process         = dword ptr  8
.text:004B87D6
.text:004B87D6                 mov     edi, edi
.text:004B87D8                 push    ebp
.text:004B87D9                 mov     ebp, esp
.text:004B87DB                 mov     eax, [ebp+Process]
.text:004B87DE                 mov     eax, [eax+0B4h]
.text:004B87E4                 pop     ebp
.text:004B87E5                 retn    4
.text:004B87E5 _PsGetProcessId@4 endp

实验代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
#include <ntifs.h>

// FindProcessByName 暴力枚举进程
PEPROCESS FindProcessByName(PWCH wcProcessName)
{
	PEPROCESS pEProcess = NULL;
	PEPROCESS pFindEProcess = NULL;
	for (int i = 8; i < 0x10000000; i+=4)
	{
		NTSTATUS status = PsLookupProcessByProcessId((HANDLE)i, &pEProcess);
		if (!NT_SUCCESS(status))
		{
			continue;
		}
		PUNICODE_STRING usProcessName = NULL;
      // SeLocateProcessImageName 获取进程全路径, PsGetProcessImageFileName函数获取的进程名称只有15字节, 进程名称过长会导致截断, 无法正确判断
		status = SeLocateProcessImageName(pEProcess, &usProcessName);
		if (!NT_SUCCESS(status))
		{
			ObDereferenceObject(pEProcess);
			continue;
		}
		if (usProcessName->Length)
		{
			_wcsupr(usProcessName->Buffer);
			if (wcsstr(usProcessName->Buffer, wcProcessName) != 0)
			{
				pFindEProcess = pEProcess;
            // ExFreePoolWithTag 释放内存
				ExFreePoolWithTag(usProcessName, 0);
				break;
			}
		}
		ExFreePoolWithTag(usProcessName, 0);
		ObDereferenceObject(pEProcess);
	}
	return pFindEProcess;
}

// GetActiveProcessLinksOffset 获取ActiveProcessLinks偏移
ULONG GetActiveProcessLinksOffset()
{
	static ULONG offset = 0;
	if (offset) return offset;
	UNICODE_STRING usFuncName;
	RtlInitUnicodeString(&usFuncName, L"PsGetProcessId");
	PUCHAR pFunc = (PUCHAR)MmGetSystemRoutineAddress(&usFuncName);
	for (int i = 0; i < 100; i++)
	{
		if (pFunc[i] == 0x8b && pFunc[i+1] == 0x80)
		{
			offset = *(PUCHAR)(pFunc + i + 2);
			offset += 4;
			break;
		}
	}

	return offset;
}

VOID DriverUnload(PDRIVER_OBJECT pDriver)
{
	DbgPrintEx(77, 0, "[db]: DriverUnload Running.");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriver, PUNICODE_STRING pReg)
{
	DbgPrintEx(77, 0, "[db]: DriverEntry Running.");

	PEPROCESS pEProcess = FindProcessByName(L"DBGVIEW.EXE");
	DbgPrintEx(77, 0, "[db]: FindProcessByName Done.");
	// 断链
	ULONG offset = GetActiveProcessLinksOffset();
	DbgPrintEx(77, 0, "[db]: GetActiveProcessLinksOffset Done.");
	RemoveEntryList((PUCHAR)pEProcess + offset);
	// 初始化进程链表(防止退出进程后随机出现蓝屏)
	InitializeListHead((PUCHAR)pEProcess + offset);

	ObDereferenceObject(pEProcess);
	pDriver->DriverUnload = DriverUnload;
	return STATUS_SUCCESS;
}

更新于:2024年11月18日

Windows内核

评论