驱动——线程断链和信息获取

向你扔鸡爪2024-10-31 19:12

实验环境:win7 x32

断链:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid, ULONG ulTid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);//pThreadlink是线程链表头节点
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;					 //pNextThreadlink才是第一个真正的线程节点,指向ETHREAD的0x268的位置
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				if (pCid->UniqueThread == ulTid)
				{
					RemoveEntryList(pNextThreadlink);//尽量使用MiProcessLoaderEntry进行断链
					return STATUS_SUCCESS;
				}
				pNextThreadlink = pNextThreadlink->Flink;
			}
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148,3160);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}

获取信息:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				ULONG teb = *(PULONG)((ULONG)peThread + 0x88);
				DbgPrint("ID:%d  EThread:0x%x  Tbe:0x%x\n", pCid->UniqueThread, peThread, teb);
				pNextThreadlink = pNextThreadlink->Flink;
			}
			return STATUS_SUCCESS;
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}
相关推荐
qq_3692243313 天前
Windows全系通用!ntdll.dll文件丢失、报错、闪退问题的完整排查与修复教程
windows·dll·dll修复·dll丢失·dll错误
阿米亚波14 天前
【Windows】QEMU 启动 openEuler aarch64/arm64 架构系统 + 离线软件源
linux·windows·经验分享·笔记·架构·arm
caimouse14 天前
Reactos 第 10 章 网络操作 — 10.3.1 NIC驱动
网络·windows
初圣魔门首席弟子14 天前
Node.js 详细介绍(知识库版)
windows·qt·node.js·知识库
CHENG-JustDoIt14 天前
AI工具 | 爆火开源项目Odysseus AI 工作台:从项目介绍、部署情况及其使用等多方位分析指南(含详细步骤)
大数据·人工智能·windows·python·ai·开源·github
kingbal14 天前
Windows:flutter环境搭建
windows·flutter
未若君雅裁14 天前
Python 数据容器详解,list、tuple、str、set、dict 到底怎么选
windows·python·list
CodeKwang14 天前
Windows 环境 OCCT 8.0 编译构建及与 Qt6 项目集成
windows·qt·opencascade
我是伪码农14 天前
小兔鲜1-25
linux·服务器·windows
vx-Biye_Design14 天前
springboot安阳地区研学旅游服务小程序-计算机毕业设计源码12785
java·vue.js·windows·spring boot·tomcat·maven·mybatis
热门推荐
012026年6月AI大模型全景报告:GPT-5.6、Claude Opus 4.8、Gemini 3.5,中美AI三足鼎立谁主沉浮?022026年6月AI行业全景:从百模大战到Agent元年,这30天发生了什么?032026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf04Trae国际版与国内版深度测评:AI原生IDE的双生花05飞书长连接_事件订阅(接收消息,审批任务状态变更)06【AI】2026 年具身智能模型和世界模型总结07Claude Code、Codex、Cursor三分天下:2026年AI编程Agent生态全景剖析08GitHub 镜像站点092026 AI 编程工具终极实战指南:Cursor vs Claude Code vs Copilot,开发者该怎么选?102026年AI架构实战:彻底解决OpenAI接口超时与封号,Python调用GPT-5.2/Sora2企业级架构详解(附源码+压测报告)