驱动——线程断链和信息获取

向你扔鸡爪2024-10-31 19:12

实验环境:win7 x32

断链:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid, ULONG ulTid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);//pThreadlink是线程链表头节点
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;					 //pNextThreadlink才是第一个真正的线程节点,指向ETHREAD的0x268的位置
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				if (pCid->UniqueThread == ulTid)
				{
					RemoveEntryList(pNextThreadlink);//尽量使用MiProcessLoaderEntry进行断链
					return STATUS_SUCCESS;
				}
				pNextThreadlink = pNextThreadlink->Flink;
			}
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148,3160);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}

获取信息:

cpp 复制代码 
#include <ntifs.h>

NTSTATUS EnumThread(ULONG ulPid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;
	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				ULONG teb = *(PULONG)((ULONG)peThread + 0x88);
				DbgPrint("ID:%d  EThread:0x%x  Tbe:0x%x\n", pCid->UniqueThread, peThread, teb);
				pNextThreadlink = pNextThreadlink->Flink;
			}
			return STATUS_SUCCESS;
		}
		pNextlink = pNextlink->Flink;
	}
}

VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	DbgPrint("Unload Success!\n");
}

NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	pDriverObject->DriverUnload = DriverUnload;

	EnumThread(3148);

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}
相关推荐
大道戏8 小时前
如何本地部署DeepSeek
windows·ai·deepseek
skywalk816310 小时前
在Windows下安装Ollama并体验DeepSeek r1大模型
人工智能·windows·ollama·deepseek
康世行15 小时前
Windows环境下MaxKB大模型 Docker部署图文指南
windows·docker·容器
遗落凡尘的萤火-生信小白1 天前
单细胞-第四节 多样本数据分析,下游画图
windows·数据挖掘·数据分析
西农小陈1 天前
Python-基于PyQt5,json和playsound的通用闹钟
开发语言·windows·python·pycharm·pyqt
字节全栈_OYI2 天前
在Windows中 基于Oracle GoldenGate (OGG)进行MySQL-&gt;MySQL数据库同步配置(超详细)_ogg-15146
数据库·windows·oracle
Inori_3332 天前
Windows11暂停自动更新
windows·win11·暂停更新·windows update·windows更新
HilariousDog2 天前
clean code阅读笔记——如何命名?
windows·笔记
Blue.ztl3 天前
菜鸟之路Day11-12一一集合进阶(四)
java·windows
热门推荐
01DeepSeek r1本地安装全指南02【deepseek】deepseek-r1本地部署-第一步:下载LM Studio03将DeepSeek接入Word,打造AI办公助手04使用Ollama 在Ubuntu运行deepseek大模型:以DeepSeek-coder为例05新鲜速递:DeepSeek-R1开源大模型本地部署实战—Ollama + MaxKB 搭建RAG检索增强生成应用06Dell服务器升级ubuntu 22.04失败解决07DeepSeek学术写作测评第一弹:论文润色,中译英效果如何?08如何解压7z文件?8种方法(Win/Mac/手机/网页端)09半导体应用系统一些小知识收集(strip&wafer mapping,EAP&scada)10DeepSeek 云端部署,释放无限 AI 潜力!