安全进阶9其他13ring0检测隐藏进程

标题:【】ring0检测隐藏进程作者:天才2007-05-链接: //网上得到一篇好文章Ring0EProcess（PID//作者:天//时间:2007510//参考: XPSP2 0x25C//EPROCESS#definePDE_INVALID#definePTE_INVALID#defineVALID VALIDpage(ULONGaddr) //该函数直接自Ring0下搜索内存枚举隐藏进BOOLEANIsaRealProcess(ULONGi);//该函数自Ring0下搜索内存枚举隐藏进 WorkThread(INPVOID ShowProcess(ULONGpEProcess);//显示结果 OnUnload(INPDRIVER_OBJECT{}NTSTATUSDriverEntry(INPDRIVER_OBJECTDriverObject,INPUNICODE_STRING{HANDLEDriverObject->DriverUnload=OnUnload; =PsGetCurrentProcess();pebAddress=pObjectTypeProcess=*(PULONG)((ULONG)pSystem-OBJECT_HEADER_SIZE+OBJECT_TYPE_OFFSENULL);return}VOIDWorkThread(INPVOIDpContext){} {ULONGPEPROCESSsystempebpEProcess=(PEPROCESS)((ULONG)((PLIST_ENTRY)((ULONG)pSystem+->Flink- =*(PULONG)((ULONG)pEProcess+return(Address&}VOIDEnumProcess(){ uSystemAddress=(ULONG)pSystem;

for(i=0x ;i<uSystemAddress;i+=4){//systemEPROCESSret=VALIDpage(i);if(ret==Address=if((Address&0xFFFF0000)==pebAddress)PEBShowProcess(i-PEB_OFFSET);i+=}}}elseif(ret==PTE_INVALID){i-=4;i+=i+=}}ShowProcess(uSystemAddress);//systemPEB总是零上面的方法是枚举不到的 } ShowProcess(ULONGpEProcess){RGE_INTEGERExitTime;ULONGPID;PUCHARExitTime=(RGE_INTEGER)(pEProcess+EXIT_TIME_OFFSET);if(ExitTime->QuadPart!=0)ExitTimereturnPID=*(PULONG)(pEProcess+pFileName=(PUCHAR)(pEProcess+ }ULONGVALIDpage(ULONGaddr){ULONGULONGpde=0xc +(addr>>22)*4;if((*(PULONG)pde&0x1)!=0){//largeif((*(PULONG)pde&0x80)!=return}pte=0xc +(addr>>12)*4;if((*(PULONG)pte&0x1)!=0){returnreturn}}return}BOOLEANIsaRealProcess(ULONGi){NTSTATUSPUNICODE_STRINGpUnicode;UNICODE_STRINGProcess;ULONGULONGif(VALIDpage(i-PEB_OFFSET)!=return}ObjectTypeAddress=i-PEB_OFFSET-OBJECT_HEADER_SIZE+OBJECT_TYPE_OFFSETif(VALIDpage(ObjectTypeAddress)==VALID){pObjectType=*(PULONG