驱动——线程断链和信息获取

向你扔鸡爪2024-10-31 19:12

实验环境:win7 x32

断链:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid, ULONG ulTid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);//pThreadlink是线程链表头节点
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;					 //pNextThreadlink才是第一个真正的线程节点,指向ETHREAD的0x268的位置
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				if (pCid->UniqueThread == ulTid)
				{
					RemoveEntryList(pNextThreadlink);//尽量使用MiProcessLoaderEntry进行断链
					return STATUS_SUCCESS;
				}
				pNextThreadlink = pNextThreadlink->Flink;
			}
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148,3160);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}

获取信息:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				ULONG teb = *(PULONG)((ULONG)peThread + 0x88);
				DbgPrint("ID:%d  EThread:0x%x  Tbe:0x%x\n", pCid->UniqueThread, peThread, teb);
				pNextThreadlink = pNextThreadlink->Flink;
			}
			return STATUS_SUCCESS;
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}
相关推荐
SamHou02 小时前
从 UEFI 启动到双系统——记一次双系统 Linux 分区迁移
linux·windows·grub
小彭律师13 小时前
使用VSCode在Windows 11上编译运行项目
ide·windows·vscode
sunshineine16 小时前
jupyter notebook运行简单程序
linux·windows·python
开开心心_Every17 小时前
手机隐私数据彻底删除工具:回收或弃用手机前防数据恢复
android·windows·python·搜索引擎·智能手机·pdf·音视频
CodeClimb18 小时前
【ThinkBook 16+ 电脑重做系统type-c接口部分功能失效解决方案】
windows·经验分享·电脑·远程工作
love530love1 天前
好消息!PyCharm 社区版现已支持直接选择 WSL 终端为默认终端
linux·ide·人工智能·windows·python·pycharm
課代表1 天前
Windows (可永久)暂停更新用以解决兼容性、性能与稳定性问题
windows·更新·regedit
檀越剑指大厂1 天前
Windows系统安装Cursor与远程调用本地模型QWQ32B实现AI辅助开发
人工智能·windows
小毛驴8501 天前
Windows环境,Python实现对本机处于监听状态的端口,打印出端口,进程ID,程序名称
开发语言·windows·python
MyhEhud1 天前
Kotlin zip 函数的作用和使用场景
开发语言·windows·kotlin
热门推荐
01从零安装 LLaMA-Factory 微调 Qwen 大模型成功及所有的坑02KGG转MP3工具|非KGM文件|解密音频03YOLOv8入门 | 重要性能衡量指标、训练结果评价及分析及影响mAP的因素【发论文关注的指标】04【SpeedAI科研小助手】2分钟极速解决知网维普重复率、AIGC率过高,一键全文降!文件格式不变,公式都保留的!05苍穹外卖面试总结06西电B测-计算机网络综合实验(含验收问题)07Coze扣子平台完整体验和实践(附国内和国际版对比)08yolov8,yolo11,yolo12 服务器训练到部署全流程 笔记09DeepSeek各版本说明与优缺点分析10YOLOv5改进 | 添加CA注意力机制 + 增加预测层 + 更换损失函数之GIoU