• 暴力大法好


    通过暴力枚举进行隐藏进程的恢复(利用进程ID全为4的倍数)

    EnumProcessByForce

    Ring3层程序:

    首先要进行提权:

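    // Enable SeDebugPrivilege on the current process token.
    //
    // Returns TRUE only when the privilege is actually enabled. The original
    // treated a TRUE return from AdjustTokenPrivileges() as success, but that
    // call also returns TRUE when the token does not hold the privilege at all
    // (it then sets ERROR_NOT_ALL_ASSIGNED), so that case is now checked.
    BOOL EnableDebugPrivilege()   //Debug
    {
        HANDLE           hToken = NULL;
        TOKEN_PRIVILEGES TokenPrivilege = {0};
        LUID             uID = {0};
        BOOL             bResult = FALSE;

        // Open this process's token for privilege adjustment.
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            return FALSE;
        }

        // Resolve the LUID of SeDebugPrivilege on the local system.
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
        {
            CloseHandle(hToken);
            return FALSE;
        }

        TokenPrivilege.PrivilegeCount           = 1;
        TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        TokenPrivilege.Privileges[0].Luid       = uID;

        // Adjust the privilege; a TRUE return with ERROR_NOT_ALL_ASSIGNED means
        // the token does not hold SeDebugPrivilege (typically: not elevated).
        if (AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        {
            bResult = (GetLastError() != ERROR_NOT_ALL_ASSIGNED) ? TRUE : FALSE;
        }

        CloseHandle(hToken);
        return bResult;
    }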
    提权函数

    并且将UAC执行级别调到  requireAdministrator (/level='requireAdministrator')

    在链接器中可以找到

    在 EnumProcessByForce 函数中暴力枚举进程ID,对每个候选ID调用 OpenProcess 检测该进程ID是否有效

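    // Brute-force process enumeration: probe every candidate PID (PIDs are
    // multiples of 4) with OpenProcess() and ask the driver for the image name
    // of each PID that opens. No process list is walked, which is how the
    // page recovers processes hidden from the usual enumeration.
    //
    // Fixed relative to the original: every opened handle is now closed (the
    // original leaked one handle per live process), the terminator write is
    // bounded by the buffer size, and the NUL literal is spelled correctly.
    VOID EnumProcessByForce()
    {
        int    i = 0;
        HANDLE hProcess = NULL;
        DWORD  dwReturn = 0;
        char   szProcessImageName[MAX] = {0};

        for (i = 0; i < 10000000; i += 4)
        {
            // The handle only serves as an existence check; the name comes from the driver.
            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, i);
            if (hProcess == NULL)
            {
                continue;
            }
            CloseHandle(hProcess);
            hProcess = NULL;

            // Ask the driver for the image name of this PID.
            dwReturn = 0;
            if (SendIoControl(&i, sizeof(ULONG32), szProcessImageName, &dwReturn) == TRUE)
            {
                // The driver may fill the whole buffer; keep room for the terminator.
                if (dwReturn >= MAX)
                {
                    dwReturn = MAX - 1;
                }
                szProcessImageName[dwReturn] = '\0';
                cout << "进程ID: " << i << " " << szProcessImageName << endl;
                memset(szProcessImageName, 0, MAX);
            }
        }
    }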
    EnumProcessByForce

    Ring3与Ring0数据交互两种方法:

    1.IoControl码 Ring3--->Ring0 BufferIO Ring0---->Ring3(BufferIO UserIO OtherIO) Io管理器 Irp请求针对设备对象

    2.ReadFile WriteFile       Ring3--->Ring0(BufferIO  UserIO  OtherIO)   Ring0---->Ring3(BufferIO UserIO OtherIO)

    这里使用第一种方法

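    // Send CTL_GETPROCESSIMAGNAMEBYID to the driver through its DOS device link.
    //
    // InputData/InputSize : the PID, passed as a 4-byte value (sizeof(ULONG32)).
    // OutputData          : caller's buffer of MAX bytes that receives the image name.
    // dwReturn            : receives the number of bytes the driver wrote.
    // Returns TRUE when the device opened and the IOCTL succeeded.
    //
    // The Win32 path of a DOS device link is "\\.\Name"; inside a C string
    // literal each backslash must be doubled, which the original literal did
    // not do (it would not have reached the device at all).
    BOOL  SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* dwReturn)
    {
        HANDLE hDevice = INVALID_HANDLE_VALUE;
        BOOL   bOk = FALSE;

        // Open the device; the handle is closed on every exit path below.
        hDevice = CreateFile(L"\\\\.\\EnumProcessByForceLinkName",
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
        {
            return FALSE;
        }

        // METHOD_BUFFERED transfer: the driver copies the name into OutputData
        // and reports the byte count through dwReturn.
        bOk = DeviceIoControl(hDevice, CTL_GETPROCESSIMAGNAMEBYID,
            InputData,
            InputSize,
            OutputData,
            MAX,
            dwReturn,
            NULL);

        CloseHandle(hDevice);
        return bOk ? TRUE : FALSE;
    }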
    SendIoControl
    BOOL WINAPI DeviceIoControl(
    _In_ HANDLE hDevice,
    _In_ DWORD dwIoControlCode,
    _In_opt_ LPVOID lpInBuffer,
    _In_ DWORD nInBufferSize,
    _Out_opt_ LPVOID lpOutBuffer,
    _In_ DWORD nOutBufferSize,
    _Out_opt_ LPDWORD lpBytesReturned,
    _Inout_opt_ LPOVERLAPPED lpOverlapped);
     
    hDevice Long,设备句柄
    dwIoControlCode Long,应用程序调用驱动程序的控制命令,就是IOCTL_XXX IOCTLs。
    lpInBuffer Any,应用程序传递给驱动程序的数据缓冲区地址。
    nInBufferSize Long,应用程序传递给驱动程序的数据缓冲区大小,字节数。
    lpOutBuffer Any,驱动程序返回给应用程序的数据缓冲区地址。
    nOutBufferSize Long,驱动程序返回给应用程序的数据缓冲区大小,字节数。
    lpBytesReturned Long,驱动程序实际返回给应用程序的数据字节数地址。
    lpOverlapped OVERLAPPED,这个结构用于重叠操作。针对同步操作,请用ByVal As Long传递零值

    将控制代码直接发送到指定的设备驱动程序,使相应的设备执行相应的操作

      1 // EnumProcessByForce应用程序.cpp : 定义控制台应用程序的入口点。
      2 //
      3 
      4 #include "stdafx.h"
      5 
      6 
      7 #include <iostream>
      8 #include <Windows.h>
      9 #include <WinIoCtl.h>
     10 using namespace std;
     11 
     12 
     13 
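    // CTL_CODE is already provided by <WinIoCtl.h>; only define it when missing so
    // the two definitions cannot drift apart. (The original redefinition had also
    // lost its line-continuation backslashes, which left it syntactically broken.)
    #ifndef CTL_CODE
    #define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
        ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) )
    #endif
    // IOCTL understood by the driver: user-defined function code 0x830, buffered I/O.
    // Must stay identical to the value in the driver's EnumProcessByForce.h.
    #define CTL_GETPROCESSIMAGNAMEBYID \
        CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)
    // Size in bytes of the image-name buffer exchanged with the driver.
    #define MAX  64
    BOOL EnableDebugPrivilege();
    VOID EnumProcessByForce();
    BOOL  SendIoControl(int* InputData,ULONG InputSize,char* OutputData,DWORD* dwReturn);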
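    // Console entry point: enable SeDebugPrivilege, run the brute-force scan,
    // then wait for a key press so the output stays visible.
    int _tmain(int argc, _TCHAR* argv[])
    {
        // Without SeDebugPrivilege OpenProcess() fails for most processes and the
        // scan would silently print nothing; report the failure instead of exiting quietly.
        if (EnableDebugPrivilege() == FALSE)
        {
            printf("EnableDebugPrivilege failed (run elevated)\n");
            return 1;
        }

        EnumProcessByForce();

        // One line-terminated literal; the page showed it split across two lines.
        printf("Input AnyKey To Exit Hello 10.8\n");
        getchar();
        return 0;
    }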
     40 
     41 
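    // Brute-force process enumeration: probe every candidate PID (PIDs are
    // multiples of 4) with OpenProcess() and ask the driver for the image name
    // of each PID that opens. No process list is walked, which is how the
    // page recovers processes hidden from the usual enumeration.
    //
    // Fixed relative to the original: every opened handle is now closed (the
    // original leaked one handle per live process), the terminator write is
    // bounded by the buffer size, and the NUL literal is spelled correctly.
    VOID EnumProcessByForce()
    {
        int    i = 0;
        HANDLE hProcess = NULL;
        DWORD  dwReturn = 0;
        char   szProcessImageName[MAX] = {0};

        for (i = 0; i < 10000000; i += 4)
        {
            // The handle only serves as an existence check; the name comes from the driver.
            hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, i);
            if (hProcess == NULL)
            {
                continue;
            }
            CloseHandle(hProcess);
            hProcess = NULL;

            // Ask the driver for the image name of this PID.
            dwReturn = 0;
            if (SendIoControl(&i, sizeof(ULONG32), szProcessImageName, &dwReturn) == TRUE)
            {
                // The driver may fill the whole buffer; keep room for the terminator.
                if (dwReturn >= MAX)
                {
                    dwReturn = MAX - 1;
                }
                szProcessImageName[dwReturn] = '\0';
                cout << "进程ID: " << i << " " << szProcessImageName << endl;
                memset(szProcessImageName, 0, MAX);
            }
        }
    }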
     70 
     71 
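    // Send CTL_GETPROCESSIMAGNAMEBYID to the driver through its DOS device link.
    //
    // InputData/InputSize : the PID, passed as a 4-byte value (sizeof(ULONG32)).
    // OutputData          : caller's buffer of MAX bytes that receives the image name.
    // dwReturn            : receives the number of bytes the driver wrote.
    // Returns TRUE when the device opened and the IOCTL succeeded.
    //
    // The Win32 path of a DOS device link is "\\.\Name"; inside a C string
    // literal each backslash must be doubled, which the original literal did
    // not do (it would not have reached the device at all).
    BOOL  SendIoControl(int* InputData, ULONG InputSize, char* OutputData, DWORD* dwReturn)
    {
        HANDLE hDevice = INVALID_HANDLE_VALUE;
        BOOL   bOk = FALSE;

        // Open the device; the handle is closed on every exit path below.
        hDevice = CreateFile(L"\\\\.\\EnumProcessByForceLinkName",
            GENERIC_READ | GENERIC_WRITE,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            NULL,
            OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL,
            NULL);
        if (hDevice == INVALID_HANDLE_VALUE)
        {
            return FALSE;
        }

        // METHOD_BUFFERED transfer: the driver copies the name into OutputData
        // and reports the byte count through dwReturn.
        bOk = DeviceIoControl(hDevice, CTL_GETPROCESSIMAGNAMEBYID,
            InputData,
            InputSize,
            OutputData,
            MAX,
            dwReturn,
            NULL);

        CloseHandle(hDevice);
        return bOk ? TRUE : FALSE;
    }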
    113 
    114 
    115 
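    // Enable SeDebugPrivilege on the current process token.
    //
    // Returns TRUE only when the privilege is actually enabled. The original
    // treated a TRUE return from AdjustTokenPrivileges() as success, but that
    // call also returns TRUE when the token does not hold the privilege at all
    // (it then sets ERROR_NOT_ALL_ASSIGNED), so that case is now checked.
    BOOL EnableDebugPrivilege()   //Debug
    {
        HANDLE           hToken = NULL;
        TOKEN_PRIVILEGES TokenPrivilege = {0};
        LUID             uID = {0};
        BOOL             bResult = FALSE;

        // Open this process's token for privilege adjustment.
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        {
            return FALSE;
        }

        // Resolve the LUID of SeDebugPrivilege on the local system.
        if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
        {
            CloseHandle(hToken);
            return FALSE;
        }

        TokenPrivilege.PrivilegeCount           = 1;
        TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        TokenPrivilege.Privileges[0].Luid       = uID;

        // Adjust the privilege; a TRUE return with ERROR_NOT_ALL_ASSIGNED means
        // the token does not hold SeDebugPrivilege (typically: not elevated).
        if (AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        {
            bResult = (GetLastError() != ERROR_NOT_ALL_ASSIGNED) ? TRUE : FALSE;
        }

        CloseHandle(hToken);
        return bResult;
    }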
    全部代码

     Ring0层:

    Windows驱动开发—派遣函数详解:

    传送门:http://blog.csdn.net/sunweizhong1024/article/details/7780552

    在处理IRP 时  获取进程信息

      1 #ifndef CXX_ENUMPROCESSBYFORCE_H
      2 #    include "EnumProcessByForce.h"
      3 #endif
      4 
      5 
      6 
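    // Driver entry point: creates the control device and its DOS link and
    // installs the dispatch routines.
    //
    // Returns the NTSTATUS of the failing Io* call; the original collapsed every
    // failure to STATUS_UNSUCCESSFUL, which hides the real reason from the loader.
    //
    // NOTE(review): IoCreateDevice() is called with no security descriptor, so the
    // device's default DACL is presumably open to non-administrators and any local
    // process can send CTL_GETPROCESSIMAGNAMEBYID — confirm on the target system.
    // If that is not intended, create the device with IoCreateDeviceSecure() and an
    // SDDL string such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL (wdmsec.h); not changed here
    // because it adds a library dependency the page does not have.
    NTSTATUS  DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
    {
        NTSTATUS        Status;
        UNICODE_STRING  uniDeviceName;
        UNICODE_STRING  uniLinkName;
        PDEVICE_OBJECT  DeviceObject = NULL;
        int             i = 0;

        UNREFERENCED_PARAMETER(RegisterPath);

        RtlInitUnicodeString(&uniDeviceName, DEVICE_NAME);
        DbgPrint("Hello 10.8\n");

        Status = IoCreateDevice(DriverObject, 0, &uniDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceObject);
        if (!NT_SUCCESS(Status))
        {
            return Status;
        }

        // Create the \DosDevices link so user mode can open the device with CreateFile().
        RtlInitUnicodeString(&uniLinkName, LINK_NAME);
        Status = IoCreateSymbolicLink(&uniLinkName, &uniDeviceName);
        if (!NT_SUCCESS(Status))
        {
            IoDeleteDevice(DeviceObject);
            DeviceObject = NULL;
            return Status;
        }

        // Every major function gets the pass-through handler; only
        // IRP_MJ_DEVICE_CONTROL does real work.
        DriverObject->DriverUnload = UnloadDriver;
        for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        {
            DriverObject->MajorFunction[i] = DefaultPassDispatch;
        }
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = ControlPassDispatch;

        return STATUS_SUCCESS;
    }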
     59 
     60 
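    // IRP_MJ_DEVICE_CONTROL handler.
    //
    // CTL_GETPROCESSIMAGNAMEBYID (METHOD_BUFFERED): input is one ULONG32 PID,
    // output is the process image name (not NUL-terminated; the byte count is
    // reported through Irp->IoStatus.Information).
    //
    // Defect fixed: the original copied up to MAX bytes into SystemBuffer
    // without looking at OutputBufferLength. With METHOD_BUFFERED, SystemBuffer
    // is only as large as the larger of the two lengths the caller supplied, so
    // a caller passing a short output buffer could make the driver write past a
    // kernel pool allocation. The copy is now bounded and a too-small buffer is
    // reported as STATUS_BUFFER_TOO_SMALL. The dispatch return value now also
    // matches the status stored in IoStatus, as completed IRPs should.
    NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        PIO_STACK_LOCATION IrpSp = NULL;
        ULONG_PTR ulIoControlCode = 0;
        PVOID     InputData  = NULL;
        PVOID     OutputData = NULL;
        ULONG_PTR ulInputSize  = 0;
        ULONG_PTR ulOutputSize = 0;
        char      szProcessImageName[MAX] = {0};
        ULONG32   ulProcessImageNameLength = 0;
        ULONG32   ulProcessID = 0;
        NTSTATUS  Status = STATUS_UNSUCCESSFUL;
        ULONG_PTR Information = 0;

        UNREFERENCED_PARAMETER(DeviceObject);

        IrpSp = IoGetCurrentIrpStackLocation(Irp);
        ulIoControlCode = IrpSp->Parameters.DeviceIoControl.IoControlCode;

        switch (ulIoControlCode)
        {
        case CTL_GETPROCESSIMAGNAMEBYID:
            {
                // METHOD_BUFFERED: input and output share SystemBuffer.
                InputData = OutputData = Irp->AssociatedIrp.SystemBuffer;
                ulInputSize  = IrpSp->Parameters.DeviceIoControl.InputBufferLength;
                ulOutputSize = IrpSp->Parameters.DeviceIoControl.OutputBufferLength;

                if (InputData == NULL || ulInputSize != sizeof(ULONG32))
                {
                    break;
                }

                // Copy the PID out before the shared buffer is overwritten with the result.
                memcpy(&ulProcessID, InputData, sizeof(ULONG32));

                if (GetProcessImageNameByProcessID(ulProcessID, szProcessImageName, &ulProcessImageNameLength) != TRUE)
                {
                    break;
                }

                // Never write more than the caller's output buffer can hold.
                if (ulOutputSize < ulProcessImageNameLength)
                {
                    Status = STATUS_BUFFER_TOO_SMALL;
                    break;
                }

                memcpy(OutputData, szProcessImageName, ulProcessImageNameLength);
                Status = STATUS_SUCCESS;
                Information = ulProcessImageNameLength;
                break;
            }
        default:
            break;
        }

        Irp->IoStatus.Status = Status;
        Irp->IoStatus.Information = Information;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);

        return Status;
    }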
    115 
    116 
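    // Look up the image file name of the process with the given PID.
    //
    // szProcessImageName       : caller's buffer of MAX bytes; receives the name (not NUL-terminated).
    // ulProcessImageNameLength : receives the number of bytes copied, at most MAX-1.
    // Returns TRUE on success, FALSE if the PID does not resolve to a process.
    //
    // Defects fixed: the original released its EPROCESS reference before reading
    // the name from the object (a process exiting at that moment could free it
    // underneath the read); the reference is now dropped after the copy. The
    // truncation test was also off by one: a name of exactly MAX bytes was copied
    // in full, leaving the user-mode caller no room for its terminator.
    //
    // NOTE(review): PsGetProcessImageFileName is not in the documented WDK headers
    // (hence the local prototype); the string it returns is presumably the short
    // EPROCESS image name rather than a full path — confirm on the target kernel.
    BOOLEAN  GetProcessImageNameByProcessID(ULONG32 ulProcessID, char* szProcessImageName, ULONG32* ulProcessImageNameLength)
    {
        NTSTATUS  Status;
        PEPROCESS EProcess = NULL;
        char*     szImageFileName = NULL;
        size_t    nNameLength = 0;

        // Takes a reference on the EPROCESS that must be released with ObDereferenceObject().
        Status = PsLookupProcessByProcessId((HANDLE)(ULONG_PTR)ulProcessID, &EProcess);
        if (!NT_SUCCESS(Status) || EProcess == NULL)
        {
            return FALSE;
        }

        szImageFileName = PsGetProcessImageFileName(EProcess);
        nNameLength = strlen(szImageFileName);
        if (nNameLength >= MAX)
        {
            nNameLength = MAX - 1;
        }
        *ulProcessImageNameLength = (ULONG32)nNameLength;
        memcpy(szProcessImageName, szImageFileName, nNameLength);

        // The object is not touched after this point.
        ObDereferenceObject(EProcess);
        return TRUE;
    }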
    160 
    161 
    162 
    // Pass-through handler for every major function this driver does not
    // implement itself (create, close, read, ...): completes the IRP
    // successfully with no data transferred.
    NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject, PIRP Irp)
    {
        UNREFERENCED_PARAMETER(DeviceObject);

        Irp->IoStatus.Information = 0;
        Irp->IoStatus.Status = STATUS_SUCCESS;
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_SUCCESS;
    }
    173 
    174 
    // Unload routine: removes the DOS link, then deletes every device object
    // still attached to the driver object.
    VOID  UnloadDriver(PDRIVER_OBJECT DriverObject)
    {
        UNICODE_STRING  uniLinkName;
        PDEVICE_OBJECT  CurrentDeviceObject = NULL;
        PDEVICE_OBJECT  NextDeviceObject = NULL;

        // The symbolic link does not depend on the device objects; drop it first.
        RtlInitUnicodeString(&uniLinkName, LINK_NAME);
        IoDeleteSymbolicLink(&uniLinkName);

        // Walk the NextDevice chain, reading the successor before deleting the
        // current object, since IoDeleteDevice() invalidates it.
        for (CurrentDeviceObject = DriverObject->DeviceObject;
             CurrentDeviceObject != NULL;
             CurrentDeviceObject = NextDeviceObject)
        {
            NextDeviceObject = CurrentDeviceObject->NextDevice;
            IoDeleteDevice(CurrentDeviceObject);
        }
        NextDeviceObject = NULL;
    }
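    #ifndef CXX_ENUMPROCESSBYFORCE_H
    #define CXX_ENUMPROCESSBYFORCE_H

    #include <ntifs.h>

    // Size in bytes of the image-name buffer shared with the user-mode client;
    // must match the MAX used by the application.
    #define MAX  64

    // CTL_CODE is already provided by the WDK headers; only define it when missing.
    // (The original redefinition had lost its line-continuation backslashes.)
    #ifndef CTL_CODE
    #define CTL_CODE( DeviceType, Function, Method, Access ) (                 \
        ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) )
    #endif

    // IOCTL: user-defined function code 0x830, METHOD_BUFFERED, any access.
    // Must stay identical to the value compiled into the user-mode client.
    #define CTL_GETPROCESSIMAGNAMEBYID \
        CTL_CODE(FILE_DEVICE_UNKNOWN,0x830,METHOD_BUFFERED,FILE_ANY_ACCESS)

    // NT object-manager paths; each backslash is doubled inside the C literal
    // (the page's copy had lost them).
    #define DEVICE_NAME   L"\\Device\\EnumProcessByForceDeviceName"
    #define LINK_NAME     L"\\DosDevices\\EnumProcessByForceLinkName"

    VOID UnloadDriver(PDRIVER_OBJECT DriverObject);

    // Kernel export that is not declared in the WDK headers, hence the local prototype.
    // NOTE(review): declared without NTKERNELAPI/NTAPI; if this header is ever compiled
    // as C++ it also needs extern "C" linkage — confirm against the build.
    extern
        char* PsGetProcessImageFileName(PEPROCESS EProcess);
    BOOLEAN  GetProcessImageNameByProcessID(ULONG32 ulProcessID,char* szProcessImageName,ULONG32* ulProcessImageNameLength);
    NTSTATUS DefaultPassDispatch(PDEVICE_OBJECT DeviceObject,PIRP Irp);
    NTSTATUS ControlPassDispatch(PDEVICE_OBJECT DeviceObject,PIRP Irp);
    #endif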
  • 原文地址:https://www.cnblogs.com/yifi/p/4898114.html