2025-02-24 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)06/02 Report--
1. Preface:
Continuing from the previous article: a process can be hidden, so why hide a single thread within a process?
2. Demand:
Demand is the source of motivation; where there is demand, there is drive. Apart from friends who genuinely love specialized research, the unnamed people who forget to eat and sleep over their studies truly deserve respect.
3. Let's take an example:
What are you probably doing when you want to implement thread hiding? Building a tool? Studying? Can hiding threads give you a deeper understanding of the inner workings of Windows? What is the relationship between processes and threads? Can a normal process contain a malicious thread? It is a great way to learn. Maybe you will use it to do something, or you wanted to write an ARK-style tool before, so you have the need and the motivation to learn. I have no real environment in which to apply hidden threads, so there is no demand as such, but I still write the code seriously and share some knowledge; knowledge lies in sharing.
4. Still those structures:
Sometimes I wonder what I could do without the Windows API. Maybe quite a lot, because as long as I have enough structures I don't panic; but what could I do without the structures? Hard to say. In fact, I prefer the freedom of Linux to Windows.
Introducing the protagonists, _ETHREAD and _KTHREAD:
1. _EPROCESS.ThreadListHead -> _ETHREAD
2. _KPROCESS.ThreadListHead -> _KTHREAD
Threads belong to processes: a process consists of one or more threads, and all threads of the same process share the same process address space, which is why threads are also called lightweight processes. With thread attachment, a thread can also use the address space of another process.
Under Windows, the thread is the minimum unit of execution, and each process has at least one main thread to carry out execution. Likewise, _ETHREAD belongs to the executive layer, and embedded at offset 0 is _KTHREAD (the kernel layer). Windows' management here has to be called excellent; it could be described as art.
_KPROCESS has a member called ThreadListHead, which is the head of a linked list of all threads in the process. The location it points to is _KTHREAD.ThreadListEntry. This puzzled me for a long time: why does this list point to that position inside that structure? In fact, I am still quite confused about it.
_KPROCESS.ThreadListHead points to -> _KTHREAD.ThreadListEntry
That is how it is, and this is how the kernel traverses all threads belonging to a given process address space. For details, see: https://bbs.pediy.com/thread-223858.htm; I personally feel the quality of that translated article deserves five stars.
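As an added illustration (not the article's code and not taken from Windows headers), the following portable C model reproduces the relationship described above: a process header whose ThreadListHead links the ThreadListEntry fields embedded in each thread record, with the enclosing record recovered by a CONTAINING_RECORD-style offset subtraction instead of a build-specific constant such as the 0x1e0 used in the driver source later on. It also adds the check an ARK-style tool would make on top of the walk: a cross-view comparison between the list traversal and a second, constructed ID table, reporting any thread the table knows about that is not reachable from the list. All structure layouts, padding, offsets and thread IDs here are constructed for the example.

```c
/* Added example: constructed model of the thread list structures; no Windows headers. */
#include <stddef.h>
#include <stdio.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Recover the enclosing record from the address of its embedded LIST_ENTRY: the
 * "subtract the ThreadListEntry offset" step, done with offsetof instead of a constant. */
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

typedef struct { unsigned long UniqueProcess; unsigned long UniqueThread; } CLIENT_ID;

/* Toy KTHREAD: padding keeps ThreadListEntry away from offset 0, as in the real layout. */
typedef struct {
    void *Teb;
    unsigned char Pad[24];
    LIST_ENTRY ThreadListEntry;
    CLIENT_ID Cid;
} KTHREAD;

/* Toy KPROCESS: ThreadListHead is the list head the article walks. */
typedef struct {
    unsigned char Pad[16];
    LIST_ENTRY ThreadListHead;
} KPROCESS;

#define MAX_IDS 16

/* Constructed analog of an ID table: a second view that reaches a thread by its ID
 * without walking the process list, so the two views can be compared. */
typedef struct { KTHREAD *Entries[MAX_IDS]; } ID_TABLE;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}

/* The traversal from the article: follow Flink from ThreadListHead until it wraps,
 * recover each KTHREAD and read its Cid. Returns the number of linked threads. */
size_t WalkThreadList(const KPROCESS *proc, unsigned long *tids, size_t max) {
    size_t n = 0;
    const LIST_ENTRY *head = &proc->ThreadListHead;
    for (LIST_ENTRY *e = head->Flink; e != head; e = e->Flink) {
        KTHREAD *t = CONTAINING_RECORD(e, KTHREAD, ThreadListEntry);
        if (n < max) tids[n] = t->Cid.UniqueThread;
        n++;
    }
    return n;
}

/* Cross-view check: a thread present in the ID table but not reached by the list walk
 * is what an unlinked ThreadListEntry looks like. Returns the count of such threads. */
size_t FindUnlinkedThreads(const KPROCESS *proc, const ID_TABLE *table,
                           unsigned long *hidden, size_t max) {
    unsigned long listed[MAX_IDS];
    size_t nListed = WalkThreadList(proc, listed, MAX_IDS);
    if (nListed > MAX_IDS) nListed = MAX_IDS;   /* only MAX_IDS ids were stored */
    size_t nHidden = 0;
    for (size_t i = 0; i < MAX_IDS; i++) {
        KTHREAD *t = table->Entries[i];
        if (!t) continue;
        int found = 0;
        for (size_t j = 0; j < nListed; j++)
            if (listed[j] == t->Cid.UniqueThread) { found = 1; break; }
        if (!found) {
            if (nHidden < max) hidden[nHidden] = t->Cid.UniqueThread;
            nHidden++;
        }
    }
    return nHidden;
}

/* Constructed scenario: three threads in the ID table, only two linked into the process
 * list (the third is never inserted, standing in for a thread whose entry was unlinked). */
static KPROCESS g_proc;
static KTHREAD g_threads[3];
static ID_TABLE g_table;

static void BuildDemoScenario(void) {
    InitializeListHead(&g_proc.ThreadListHead);
    for (int i = 0; i < 3; i++) {
        g_threads[i].Cid.UniqueProcess = 4000;          /* constructed PID */
        g_threads[i].Cid.UniqueThread = 4100 + i;       /* constructed TIDs 4100..4102 */
        g_table.Entries[i] = &g_threads[i];
        if (i != 2) InsertTailList(&g_proc.ThreadListHead, &g_threads[i].ThreadListEntry);
    }
}

size_t DemoLinkedThreadCount(void) {
    unsigned long tids[MAX_IDS];
    BuildDemoScenario();
    return WalkThreadList(&g_proc, tids, MAX_IDS);
}

size_t DemoHiddenThreadCount(void) {
    unsigned long hidden[MAX_IDS];
    BuildDemoScenario();
    return FindUnlinkedThreads(&g_proc, &g_table, hidden, MAX_IDS);
}

unsigned long DemoFirstHiddenThreadId(void) {
    unsigned long hidden[MAX_IDS] = {0};
    BuildDemoScenario();
    FindUnlinkedThreads(&g_proc, &g_table, hidden, MAX_IDS);
    return hidden[0];
}

int main(void) {
    printf("linked: %zu, in table but not on list: %zu (first id %lu)\n",
           DemoLinkedThreadCount(), DemoHiddenThreadCount(), DemoFirstHiddenThreadId());
    return 0;
}
```

The point of the second view is that list unlinking only fools code that walks ThreadListHead; anything that can reach the thread object by another path still sees it, and a disagreement between the two paths is the signal an anti-rootkit tool reports.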
5. Source code
Note:
The user-mode code, the header file and the hidden-thread driver routines can be reused from the process-hiding article (just change the macro definition of the control code).
The following test code does not communicate with ring 3 but is tested in ring 0 (the chain-breaking part of the main code is the same as for process hiding; only pseudocode and the idea are given here).
Driver layer:
#include "HideThreadHeader.h"

VOID UnLoad(PDRIVER_OBJECT pDriverObj)
{
    UNICODE_STRING DeleteSymbolicLinkName;
    RtlInitUnicodeString(&DeleteSymbolicLinkName, L"\\DosDevices\\SymbolicLinkName");
    IoDeleteSymbolicLink(&DeleteSymbolicLinkName);
    IoDeleteDevice(pDriverObj->DeviceObject);
    KdPrint(("UnLoad Success\n"));
}

NTSTATUS DefaultFun(DEVICE_OBJECT* pDeviceObj, IRP* irp)
{
    UNREFERENCED_PARAMETER(pDeviceObj);
    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

NTSTATUS onCreate(DEVICE_OBJECT* pDeviceObj, IRP* irp)
{
    UNREFERENCED_PARAMETER(pDeviceObj);
    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

NTSTATUS onClose(DEVICE_OBJECT* pDeviceObj, IRP* irp)
{
    UNREFERENCED_PARAMETER(pDeviceObj);
    irp->IoStatus.Information = 0;
    irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

// Traverse all threads belonging to a process; a thread would be hidden by breaking the chain.
// The offsets 0x2c, 0x1e0 and 0x88/0x22c below are hard-coded for the author's build and
// must be taken from the symbols of the target build.
VOID HideThreadListLink()
{
    CLIENT_ID* ThreadId = NULL;
    PEPROCESS pkProcess = NULL;
    PKTHREAD pkThread = NULL;
    PETHREAD pEthread = NULL;
    LIST_ENTRY* pEthreadNext = NULL;
    LIST_ENTRY* pEthreadCurrent = NULL;

    pkProcess = PsGetCurrentProcess();
    // Get _KPROCESS->ThreadListHead (_LIST_ENTRY): (LIST_ENTRY*)(PEPROCESS + 0x2c)
    pEthreadCurrent = (LIST_ENTRY*)((ULONG_PTR)pkProcess + 0x02c);
    /* Note:
       1. _KPROCESS.ThreadListHead->Flink points to a _KTHREAD.ThreadListEntry
       2. Subtracting the offset of ThreadListEntry from the _KTHREAD.ThreadListEntry address
          gives the KTHREAD address, which is also the ETHREAD address (KTHREAD is at offset 0). */
    KdPrint(("ThreadListHead.Flink = %p\n", pEthreadCurrent->Flink));
    KdPrint(("ThreadListHead.Blink = %p\n", pEthreadCurrent->Blink));
    pEthreadNext = pEthreadCurrent->Flink;
    DbgBreakPoint();
    while (pEthreadCurrent != pEthreadNext)
    {
        // ThreadListEntry sits at offset 0x1e0 in _KTHREAD on the author's build
        pkThread = (PKTHREAD)((ULONG_PTR)pEthreadNext - 0x1e0);
        // pkThread->Teb is at offset 0x88; a NULL or kernel-range Teb marks a system thread
        // KdPrint(("pKThread->Teb = %p, %s\n", (ULONG_PTR)pkThread + 0x88,
        //          (pkThread->Teb == NULL || pkThread->Teb > 0x80000000) ? "System Thread" : "Non System Thread"));
        // Convert to ETHREAD (KTHREAD is at offset 0 of ETHREAD)
        pEthread = (PETHREAD)pkThread;
        DbgBreakPoint();
        // pEthread->Cid is at offset 0x22c
        ThreadId = (CLIENT_ID*)((ULONG_PTR)pEthread + 0x22c);
        KdPrint(("ThreadId = %d, ProcessId = %d\n\n", ThreadId->UniqueThread, ThreadId->UniqueProcess));
        // Pseudocode: the hiding step would go here
        // if (ThreadId->UniqueThread == "Hidden Thread id")
        // {
        //     // break the list link in the same way as the process-hiding article
        // }
        pEthreadNext = pEthreadNext->Flink;
    }
}

// Driver object entry point
NTSTATUS DriverEntry(DRIVER_OBJECT* pDriverObj, UNICODE_STRING* RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    DbgBreakPoint();
    for (int i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; ++i)
    {
        pDriverObj->MajorFunction[i] = DefaultFun;
    }
    pDriverObj->DriverUnload = UnLoad;
    pDriverObj->MajorFunction[IRP_MJ_CREATE] = onCreate;
    pDriverObj->MajorFunction[IRP_MJ_CLOSE] = onClose;

    UNICODE_STRING DeviceName;
    UNICODE_STRING SymbolicLinkName;
    DEVICE_OBJECT* DeviceObj;
    NTSTATUS nStatus = STATUS_SUCCESS;
    RtlInitUnicodeString(&DeviceName, L"\\Device\\DeviceName");
    RtlInitUnicodeString(&SymbolicLinkName, L"\\DosDevices\\SymbolicLinkName");
    nStatus = IoCreateDevice(pDriverObj, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, 0, &DeviceObj);
    if (!NT_SUCCESS(nStatus)) return nStatus;
    nStatus = IoCreateSymbolicLink(&SymbolicLinkName, &DeviceName);
    if (!NT_SUCCESS(nStatus)) return nStatus;
    DbgBreakPoint();
    // No control code is used for this test; the routine is called directly
    HideThreadListLink();
    return STATUS_SUCCESS;
}