There are many ways to hide a process: wiping its entry from the handle table, erasing the process registration information in csrss, unlinking it from the Active list, and so on. Today I am writing down the points to watch when unlinking.
There are plenty of unlinking demos online; as for stability... they blue-screen every now and then.
The reason is that much of that code simply tears the process out of the list without considering what else the system is doing to that list at the same time. First look at how the WRK destroys a process,
path: WRK-v1.2\base\ntos\ps\psdelete.c, function PspProcessDelete
VOID
PspProcessDelete(
    IN PVOID Object
    )
{
    PEPROCESS Process;
    PETHREAD CurrentThread;
    KAPC_STATE ApcState;

    PAGED_CODE();

    Process = (PEPROCESS)Object;

    //
    // Zero the GrantedAccess field so the system will not panic
    // when this process is missing from the PsActiveProcess list
    // but is still found in the CID table.
    //
#if defined(_AMD64_)
    Process->GrantedAccess = 0;
#endif

    //
    // Remove the process from the global list
    //
    if (Process->ActiveProcessLinks.Flink != NULL) {
        CurrentThread = PsGetCurrentThread ();
        PspLockProcessList (CurrentThread);
        RemoveEntryList (&Process->ActiveProcessLinks);
        PspUnlockProcessList (CurrentThread);
    }

    if (Process->SeAuditProcessCreationInfo.ImageFileName != NULL) {
        ExFreePool (Process->SeAuditProcessCreationInfo.ImageFileName);
        Process->SeAuditProcessCreationInfo.ImageFileName = NULL;
    }

    if (Process->Job != NULL) {
        PspRemoveProcessFromJob (Process->Job, Process);
        ObDereferenceObjectDeferDelete (Process->Job);
        Process->Job = NULL;
    }

    KeTerminateProcess (&Process->Pcb);

    if (Process->DebugPort != NULL) {
        ObDereferenceObject (Process->DebugPort);
        Process->DebugPort = NULL;
    }

    if (Process->ExceptionPort != NULL) {
        ObDereferenceObject (Process->ExceptionPort);
        Process->ExceptionPort = NULL;
    }

    if (Process->SectionObject != NULL) {
        ObDereferenceObject (Process->SectionObject);
        Process->SectionObject = NULL;
    }

    PspDeleteLdt (Process );
    PspDeleteVdmObjects (Process);

    if (Process->ObjectTable != NULL) {
        KeStackAttachProcess (&Process->Pcb, &ApcState);
        ObKillProcess (Process);
        KeUnstackDetachProcess (&ApcState);
    }

    if (Process->Flags&PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE) {
        //
        // Clean address space of the process
        //
        KeStackAttachProcess (&Process->Pcb, &ApcState);
        PspExitProcess (FALSE, Process);
        KeUnstackDetachProcess (&ApcState);
        MmDeleteProcessAddressSpace (Process);
    }

    if (Process->UniqueProcessId) {
        if (!(ExDestroyHandle (PspCidTable, Process->UniqueProcessId, NULL))) {
            KeBugCheck (CID_HANDLE_DELETION);
        }
    }

    PspDeleteProcessSecurity (Process);

    if (Process->WorkingSetWatch != NULL) {
        ExFreePool (Process->WorkingSetWatch);
        PsReturnProcessNonPagedPoolQuota (Process, WS_CATCH_SIZE);
    }

    ObDereferenceDeviceMap (Process);
    PspDereferenceQuota (Process);

#if !defined(_X86_) && !defined(_AMD64_)
    {
        //
        // Free any alignment exception tracking structures that might
        // have been around to support a user-mode debugger.
        //
        PALIGNMENT_EXCEPTION_TABLE ExceptionTable;
        PALIGNMENT_EXCEPTION_TABLE NextExceptionTable;

        ExceptionTable = Process->Pcb.AlignmentExceptionTable;
        while (ExceptionTable != NULL) {
            NextExceptionTable = ExceptionTable->Next;
            ExFreePool( ExceptionTable );
            ExceptionTable = NextExceptionTable;
        }
    }
#endif
}
Before and after RemoveEntryList the process list is locked and unlocked; PspLockProcessList lives in psp.h:
VOID
FORCEINLINE
PspLockProcessList (
    IN PETHREAD CurrentThread
    )
{
    KeEnterGuardedRegionThread (&CurrentThread->Tcb);
    KeAcquireGuardedMutexUnsafe (&PspActiveProcessMutex);
}
KeEnterGuardedRegionThread is defined in WRK-v1.2\base\ntos\inc\kx.h; I will not list it all here, you can look it up yourself.
A single list-removal needs this much ceremony because the kernel has to keep the list consistent across multiple CPUs. So whenever you touch an operating-system list, remember to take the same kind of lock, or you invite trouble you do not need.
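To make the point tangible outside the kernel, here is an added example (my own code, not from the post or from the WRK): a user-mode model of the same LIST_ENTRY unlink that RemoveEntryList performs, with a pthread mutex standing in for PspActiveProcessMutex and a forward walk that cross-checks every Flink/Blink pair in place of the kernel's bug check. Unlinking adjacent entries from several threads without the lock is a data race and leaves the list inconsistent.

```c
/* Added example, not from the post or WRK: user-mode model of the LIST_ENTRY
 * unlink in PspProcessDelete. ListMutex plays the role of PspActiveProcessMutex;
 * ListCount plays the role of the consistency the kernel otherwise bug-checks on. */
#include <pthread.h>
#include <stdio.h>

typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
#define NODES 64

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }
static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h; e->Blink = h->Blink; h->Blink->Flink = e; h->Blink = e;
}
/* Same two pointer writes as the kernel macro; both neighbours of e are modified. */
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink; e->Flink->Blink = e->Blink;
}
/* Walk forward and verify each successor's Blink points back: count, or -1 if corrupt. */
static int ListCount(const LIST_ENTRY *h) {
    int n = 0;
    for (const LIST_ENTRY *p = h->Flink; p != h; p = p->Flink)
        if (p->Flink->Blink != p || ++n > NODES) return -1;
    return n;
}

static LIST_ENTRY Head, Nodes[NODES];          /* constructed stand-in for the process list */
static pthread_mutex_t ListMutex = PTHREAD_MUTEX_INITIALIZER;

static void *RemoveLocked(void *arg) {
    pthread_mutex_lock(&ListMutex);            /* PspLockProcessList */
    RemoveEntryList((LIST_ENTRY *)arg);
    pthread_mutex_unlock(&ListMutex);          /* PspUnlockProcessList */
    return NULL;
}
static void *RemoveUnlocked(void *arg) { RemoveEntryList((LIST_ENTRY *)arg); return NULL; }

/* Link NODES entries, unlink three of every four concurrently (so neighbours race),
 * and return the surviving count (NODES / 4 when intact) or -1 if the list is broken. */
static int RunRemovals(int locked) {
    pthread_t tid[NODES];
    InitializeListHead(&Head);
    for (int i = 0; i < NODES; i++) InsertTailList(&Head, &Nodes[i]);
    for (int i = 0; i < NODES; i++)
        if (i % 4 != 3) pthread_create(&tid[i], NULL, locked ? RemoveLocked : RemoveUnlocked, &Nodes[i]);
    for (int i = 0; i < NODES; i++)
        if (i % 4 != 3) pthread_join(tid[i], NULL);
    return ListCount(&Head);
}

int main(void) { printf("locked -> %d, unlocked -> %d\n", RunRemovals(1), RunRemovals(0)); return 0; }
```

The locked run always reports 16; the unlocked run reports 16 only when the threads happen not to overlap, and -1 otherwise, which in the kernel is the blue screen the post describes.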
There is not much technical depth to this post; my memory is poor, so I am jotting it down for my own convenience.