Win11 进程隐藏（转载） - 快跑，这里啥都没有

谢谢大佬分享

参考

https://www.bilibili.com/video/BV1sH4y1Z7PF/
https://www.paneldemo.cn/index.php/archives/31/

R0 代码

#include <ntifs.h>
#include <stdlib.h>
#define  _DEVICE_NAME L"\\device\\mydevice"
#define  _SYB_NAME     L"\\??\\sysmblicname"

NTSTATUS DisPatchCreate(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
    DbgPrintEx(77,0,"创建成功\n");
    IoCompleteRequest(pIrp, 0);
    return STATUS_SUCCESS;
}


NTSTATUS DispatchWrite(PDEVICE_OBJECT pDevice, PIRP pIrp)
{
    ULONG retlen = 0;
    int pid = 0;
    PVOID pMes = pIrp->AssociatedIrp.SystemBuffer;
    pid = atol(pMes);
    PEPROCESS pEprocess;
    NTSTATUS status = STATUS_SUCCESS;
    int id = 4;
    status = PsLookupProcessByProcessId(pid, &pEprocess);
    if (NT_SUCCESS(status))
    {
        RtlCopyMemory((PUCHAR)pEprocess + 0x440, &id, sizeof(int));
    }
    pIrp->IoStatus.Information = retlen;
    pIrp->IoStatus.Status = STATUS_SUCCESS;
    //表示调用者已经完成了给定I/O请求的所有处理，并将给定的IRP返回给I/O管理器
    IoCompleteRequest(pIrp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}




VOID  UnloadDriver(PDRIVER_OBJECT pDriver)
{
    DbgPrint("卸载成功\n");
    if (pDriver->DeviceObject)
    {
        UNICODE_STRING uSymblicLinkname;
        RtlInitUnicodeString(&uSymblicLinkname, _SYB_NAME);
        IoDeleteSymbolicLink(&uSymblicLinkname);
        IoDeleteDevice(pDriver->DeviceObject);
    }
}

NTSTATUS DriverEntry(
    IN OUT PDRIVER_OBJECT   DriverObject,
    IN PUNICODE_STRING      RegistryPath
)
{
    DriverObject->DriverUnload = UnloadDriver;
    UNICODE_STRING uDeviceName;
    UNICODE_STRING uSymbliclinkname;
    PDEVICE_OBJECT pDevice;
    RtlInitUnicodeString(&uDeviceName, _DEVICE_NAME);
    RtlInitUnicodeString(&uSymbliclinkname, _SYB_NAME);
    IoCreateDevice(DriverObject, 0, &uDeviceName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDevice);
    IoCreateSymbolicLink(&uSymbliclinkname, &uDeviceName);
    pDevice->Flags &= ~DO_DEVICE_INITIALIZING;
    pDevice->Flags |= DO_BUFFERED_IO;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = DisPatchCreate;
    DriverObject->MajorFunction[IRP_MJ_WRITE] = DispatchWrite;
    return STATUS_SUCCESS;
}

R3 代码

#define     _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <windows.h>
#define  _SYB_NAME     "\\\\.\\sysmblicname"
int main()
{
    HANDLE hDevice = CreateFile(_SYB_NAME, FILE_ALL_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (!hDevice)
    {
        printf("%x", GetLastError());
    }
    else
    {
        do 
        {
            char buf[10] = { 0 };
            printf("ID:");
            scanf("%s", buf);
            DWORD retlen = 0;
            int ret = WriteFile(hDevice, buf, strlen(buf), &retlen, NULL);
            if (ret)
            {
                printf("成功\n");
            }
        } while (1);
        
    }
    getchar();
}