驱动——线程断链和信息获取

实验环境:win7 x32

断链:

#include <ntifs.h>

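/*
 * EnumThread (unlink variant): starting from the current EPROCESS, walk the
 * kernel's active-process list until UniqueProcessId == ulPid, then walk that
 * process's thread list and unlink the ETHREAD whose Cid.UniqueThread == ulTid.
 *
 * This is direct kernel object manipulation of undocumented structures. Every
 * offset below is specific to Windows 7 x86 (the page's test environment) and
 * the ULONG casts assume 32-bit pointers; on any other build the reads land in
 * the wrong fields.
 *
 * Caveats:
 *  - Both lists are walked without the kernel's own locks, so a concurrent
 *    thread/process create or exit can change the list under the walk.
 *  - RemoveEntryList() only repairs the neighbours; the removed entry keeps its
 *    stale Flink/Blink, and the kernel unlinks the entry again when the thread
 *    exits, which can corrupt the list (bugcheck) at that point.
 *  - Only the EPROCESS thread list is altered. The thread stays in PspCidTable
 *    and in the scheduler's structures, and that inconsistency is exactly what
 *    anti-rootkit and forensic tooling cross-checks to surface hidden threads.
 *
 * Returns STATUS_SUCCESS when a matching thread was unlinked, STATUS_NOT_FOUND
 * otherwise. (The original fell off the end of a non-void function when no
 * match existed, returning an indeterminate NTSTATUS.)
 */
NTSTATUS EnumThread(ULONG ulPid, ULONG ulTid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	/* 0xb8: EPROCESS.ActiveProcessLinks (Win7 x86). */
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;

	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		/* 0xb4: EPROCESS.UniqueProcessId (Win7 x86). */
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			/* 0x188: EPROCESS.ThreadListHead -- the list head itself, not a thread. */
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);
			/* First real thread node; each node is ETHREAD+0x268 (ThreadListEntry). */
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				/* 0x22c: ETHREAD.Cid (CLIENT_ID); UniqueThread is a HANDLE, hence the
				 * explicit cast before comparing with the ULONG argument (32-bit only). */
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				if ((ULONG)pCid->UniqueThread == ulTid)
				{
					RemoveEntryList(pNextThreadlink);
					return STATUS_SUCCESS;
				}
				pNextThreadlink = pNextThreadlink->Flink;
			}
		}
		pNextlink = pNextlink->Flink;
	}

	/* No process with ulPid, or no thread with ulTid inside it. */
	return STATUS_NOT_FOUND;
}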

/*
 * DriverUnload: nothing was allocated or registered by this driver, so the
 * unload routine only traces that it ran. pDriverObject is unused.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	(void)pDriverObject;

	DbgPrint("Unload Success!\n");
}

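/*
 * DriverEntry: register the unload routine, run the one-shot thread-unlink
 * experiment against a hard-coded PID/TID pair, and report the outcome.
 *
 * pRegPath is unused. 3148/3160 are whatever the author's target process and
 * thread happened to be in that session; they carry no meaning on another
 * boot. The EnumThread status is logged (the original discarded it) but the
 * driver still loads either way, matching the original behaviour.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	NTSTATUS status;

	(void)pRegPath;
	pDriverObject->DriverUnload = DriverUnload;

	status = EnumThread(3148, 3160);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("EnumThread failed: 0x%08lX\n", status);
	}

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}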

获取信息:

#include <ntifs.h>

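/*
 * EnumThread (enumeration variant): starting from the current EPROCESS, walk
 * the kernel's active-process list until UniqueProcessId == ulPid, then print
 * thread id, ETHREAD address and TEB address for every thread of that process.
 *
 * Read-only, but still built on undocumented structures: every offset below is
 * specific to Windows 7 x86 (the page's test environment) and the ULONG casts
 * assume 32-bit pointers. The lists are walked without the kernel's own locks,
 * so a concurrent create/exit can change them under the walk.
 *
 * Returns STATUS_SUCCESS once the process was found and its threads listed,
 * STATUS_NOT_FOUND when no process has ulPid. (The original fell off the end
 * of a non-void function in that case, returning an indeterminate NTSTATUS.)
 */
NTSTATUS EnumThread(ULONG ulPid)
{
	PEPROCESS pProcessAddr = PsGetCurrentProcess();
	/* 0xb8: EPROCESS.ActiveProcessLinks (Win7 x86). */
	PLIST_ENTRY pHeadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0xb8);
	PLIST_ENTRY pNextlink = pHeadlink->Flink;

	while (pHeadlink != pNextlink)
	{
		pProcessAddr = (PEPROCESS)((ULONG)pNextlink - 0xb8);
		/* 0xb4: EPROCESS.UniqueProcessId (Win7 x86). */
		ULONG pProcessID = *(PULONG)((ULONG)pProcessAddr + 0xb4);
		if (pProcessID == ulPid)
		{
			/* 0x188: EPROCESS.ThreadListHead; nodes are ETHREAD+0x268 (ThreadListEntry). */
			PLIST_ENTRY pThreadlink = (PLIST_ENTRY)((ULONG)pProcessAddr + 0x188);
			PLIST_ENTRY pNextThreadlink = pThreadlink->Flink;
			while (pThreadlink != pNextThreadlink)
			{
				PETHREAD peThread = (PETHREAD)((ULONG)pNextThreadlink - 0x268);
				/* 0x22c: ETHREAD.Cid (CLIENT_ID). */
				PCLIENT_ID pCid = (PCLIENT_ID)((ULONG)peThread + 0x22c);
				/* 0x88: KTHREAD.Teb (user-mode pointer), read as a 32-bit value. */
				ULONG teb = *(PULONG)((ULONG)peThread + 0x88);
				/* Format specifiers now match the ULONG arguments (the original passed a
				 * HANDLE to %d and a pointer to %x, and misspelled "Teb"). Casting
				 * HANDLE/pointer to ULONG is exact only on 32-bit. */
				DbgPrint("ID:%lu  EThread:0x%lx  Teb:0x%lx\n",
					 (ULONG)pCid->UniqueThread, (ULONG)peThread, teb);
				pNextThreadlink = pNextThreadlink->Flink;
			}
			return STATUS_SUCCESS;
		}
		pNextlink = pNextlink->Flink;
	}

	/* No process in the active list carries ulPid. */
	return STATUS_NOT_FOUND;
}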

/*
 * DriverUnload: nothing was allocated or registered by this driver, so the
 * unload routine only traces that it ran. pDriverObject is unused.
 */
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
	(void)pDriverObject;

	DbgPrint("Unload Success!\n");
}

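/*
 * DriverEntry: register the unload routine, run the one-shot thread
 * enumeration against a hard-coded PID, and report the outcome.
 *
 * pRegPath is unused. 3148 is whatever the author's target process happened to
 * be in that session; it carries no meaning on another boot. The EnumThread
 * status is logged (the original discarded it) but the driver still loads
 * either way, matching the original behaviour.
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegPath)
{
	NTSTATUS status;

	(void)pRegPath;
	pDriverObject->DriverUnload = DriverUnload;

	status = EnumThread(3148);
	if (!NT_SUCCESS(status))
	{
		DbgPrint("EnumThread failed: 0x%08lX\n", status);
	}

	DbgPrint("Load Success!\n");
	return STATUS_SUCCESS;
}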