驱动——线程断链和信息获取

向你扔鸡爪2024-10-31 19:12

实验环境:win7 x32

断链:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid, ULONG ulTid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);//pThreadlink是线程链表头节点
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;					 //pNextThreadlink才是第一个真正的线程节点,指向ETHREAD的0x268的位置
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				if (pCid->UniqueThread == ulTid)
				{
					RemoveEntryList(pNextThreadlink);//尽量使用MiProcessLoaderEntry进行断链
					return STATUS_SUCCESS;
				}
				pNextThreadlink = pNextThreadlink->Flink;
			}
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148,3160);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}

获取信息:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				ULONG teb = *(PULONG)((ULONG)peThread + 0x88);
				DbgPrint("ID:%d  EThread:0x%x  Tbe:0x%x\n", pCid->UniqueThread, peThread, teb);
				pNextThreadlink = pNextThreadlink->Flink;
			}
			return STATUS_SUCCESS;
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}
相关推荐
武藤一雄4 小时前
C# 引用传递:深度解析 ref 与 out
windows·microsoft·c#·.net·.netcore
qiuyuyiyang9 小时前
MySQL 实验1:Windows 环境下 MySQL5.5 安装与配置
windows·mysql·adb
桌面运维家9 小时前
Windows下VHD虚拟磁盘启动U盘制作指南
windows
资源分享【用爱发电】9 小时前
Windows DLL 文件丢失怎么办?2026一键修复工具 + 图文教程
windows·经验分享
极客小X10 小时前
一键解决dll缺失修复工具+安装使用+修复教程 2026最新版
windows·经验分享
肖恭伟12 小时前
QtCreator Linux ubuntu24.04问题集合
linux·windows·qt
九天轩辕12 小时前
跨平台符号表生成规则详解:Windows/Linux/macOS/OHOS
linux·windows·macos
盘古工具13 小时前
一刷即用:Excel格式刷的多种妙用场景
windows·excel
sc_爬坑之路14 小时前
redis windows环境配置读写分离:一主一从 + Sentinel 完整实战
windows·redis·sentinel
河铃旅鹿14 小时前
在windows电脑上用虚拟机--ubuntu系统部署openclaw并在主机用飞书连接对话的一站式教程
windows·ubuntu·飞书
热门推荐
01GitHub 镜像站点02OpenClaw 使用和管理 MCP 完全指南03Qwen3.5 开源全解析:从 0.8B 到 397B,代际升级 + 全场景选型指南04本地部署 OpenClaw + DeepSeek-R1 完全指南05OpenClaw macOS 完整安装与本地模型配置教程(实战版)06OpenClaw 飞书机器人不回复消息?3 小时踩坑总结07得物前端部门,没了08UV安装并设置国内源09“wsl --install -d Ubuntu-22.04”下载慢,中国地区离线安装 Ubuntu 22.04 WSL方法(亲测2025年5月6日)10OpenClaw 连接飞书完整指南:插件安装、配置与踩坑记录