大理寺少卿 发表于 2025-5-5 11:55:23

驱动开发与系统原理-保护进程不被访问

在EPORCESS结构体中,偏移0x26c的地方是一个标志位

![](https://raw.githubusercontent.com/Whitebird0/tuchuang/main/QQ%E6%88%AA%E5%9B%BE20211224162531.png)

在标志位中第12位为进程保护位,当该位为1时,调试器无法附加该进程

没设置保护位:
-------------

![](https://raw.githubusercontent.com/Whitebird0/tuchuang/main/QQ%E6%88%AA%E5%9B%BE20211224162925.png)

![](https://raw.githubusercontent.com/Whitebird0/tuchuang/main/QQ%E6%88%AA%E5%9B%BE20211224162948.png)

PCHUNTER没显示拒绝且OD可以附加该进程

设置保护位:
------------

![](https://raw.githubusercontent.com/Whitebird0/tuchuang/main/QQ%E6%88%AA%E5%9B%BE20211224163301.png)

现在我们PCHUNTER显示拒绝访问,OD也找不到该进程,无法进行附加.

原理
----

我们遍历进程,取出该进程的偏移0x26c的标志位,或上0x800,置第12位2保护位为1,然后再放回去

代码实现
--------

#include<ntifs.h>
VOID DriverUnload(PDRIVER_OBJECT pDriverObject) {
DbgPrint("Unload Driver Success! ");
}

NTSTATUS ProtectedProcess(ULONG ulPid) {
DWORD_PTR pEprocess = NULL;
ULONG ulProcessID = 0;
ULONG ulProtectedFlag = 0;
pEprocess = (DWORD_PTR)PsGetCurrentProcess();
PLIST_ENTRY pActiveProcessLinks = (PLIST_ENTRY*)(pEprocess + 0xb8);
PLIST_ENTRY pNextLinks = pActiveProcessLinks->Flink;
while (pNextLinks->Flink!= pActiveProcessLinks->Flink)
{
pEprocess = (DWORD_PTR)pNextLinks - 0xb8;
ulProcessID = *((ULONG*)(pEprocess + 0xb4));
if (ulProcessID == ulPid)
{
//主要操作代码
ulProtectedFlag = *((ULONG*)(pEprocess + 0x26c));
DbgPrint("OLD FLAGS: 0x%X", ulProtectedFlag);
*((ULONG*)(pEprocess + 0x26c))= 0x800| ulProtectedFlag;
ulProtectedFlag= *((ULONG*)(pEprocess + 0x26c));
DbgPrint("NEW FLAGS: 0x%X", ulProtectedFlag);
return STATUS_SUCCESS;
}
pNextLinks = pNextLinks->Flink;
}
DbgPrint("Failed!");
return STATUS_SUCCESS;

}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath) {
DbgPrint("Load Driver Success!");
pDriverObject->DriverUnload = DriverUnload;
ProtectedProcess(836);
return STATUS_SUCCESS;
}
页: [1]
查看完整版本: 驱动开发与系统原理-保护进程不被访问