徹底改掉進程名
寫了個改進程名的東西，跟大家分享！技術含量不高，大牛飄過。

先總結一下，一個進程的名字有可能從以下部位獲取（參考小偉同學的《偽造進程初探》一文）：

一、EPROCESS中：
??? 1、EPROCESS-->ImageFileName（很常用，冰刃獲取進程名的地方）
??? 2、EPROCESS-->SeAuditProcessCreationInfo->ImageFileName（任務管理器獲取進程名的地方，NtQueryInformationProcess就是從這里獲取進程名的）
??? 3、EPROCESS->SectionObject->Segment->ControlArea->FileObject->FileName（RKU獲取進程名的方法）
??? 4、VAD（記錄用戶空間內存分配情況的數據結構，里面當然有進程的exe模塊）
二、PEB中：
??? 1、PEB-->ProcessParameters-->ImagePathName
??? 2、PEB-->ProcessParameters-->CommandLine
??? 3、PEB-->ProcessParameters-->WindowTitle（這個地方比較奇怪，如果雙擊的是exe的快捷方式，則記錄的是快捷方式的路徑，還是一并改掉的好）
??? 4、PEB-->LDR-->InLoadOrderModuleList->第一個結構->FullDllName
??? 5、PEB-->LDR-->InLoadOrderModuleList->第一個結構->BaseDllName
??? 6、PEB-->LDR-->InMemoryOrderModuleList->第一個結構->FullDllName（此處的BaseDllName貌似為NULL，就不管它了）
??? （PEB-->LDR-->InInitializationOrderModuleList這個表里貌似沒有exe模塊，也不管它了）

把這些地方都改掉即可徹底改掉進程名（如果不夠徹底，謝謝補充！）。

示例代碼如下（示例代碼中以winmine.exe做測試）： //Fypher

//http://hi.baidu.com/nmn714

?

VOID ChangeName(ULONG pProcess){

??? ULONG peb,ProcessParameters,ldr;

??? ULONG InLoadOrderModuleList;

??? ULONG InMemoryOrderModuleList;

??? ULONG tmp;

?

??? KAPC_STATE kapc;

??? PUCHAR str;

??? PWCHAR wstr;

???

??? //get PEB

??? peb=*(PULONG)(pProcess + 0x1b0);

???

??? KeStackAttachProcess((PEPROCESS)pProcess,&kapc);

??? __try{

??????? ProcessParameters = *(PULONG)(peb + 0x010);

??????? //ImagePathName

??????? FindAndChangeUni(ProcessParameters+0x038);

??????? //CommandLine

??????? FindAndChangeUni(ProcessParameters+0x040);

??????? //WindowTitle

??????? FindAndChangeUni(ProcessParameters+0x070);

?

??????? //Ldr

??????? ldr = *(PULONG)(peb + 0x00c);

??????? InLoadOrderModuleList = *(PULONG)(ldr+0x00c);

??????? //InLoadOrderModuleList->FullDllName

??????? FindAndChangeUni(InLoadOrderModuleList+0x024);

??????? //InLoadOrderModuleList->BaseDllName

??????? FindAndChangeUni(InLoadOrderModuleList+0x02c);

??????? InMemoryOrderModuleList = *(PULONG)(ldr+0x014);

??????? //InMemoryOrderModuleList->FullDllName

??????? FindAndChangeUni(InMemoryOrderModuleList+0x024);

??? }__except(1){

??????? KdPrint(("exception occured!"));

??? }

??? KeUnstackDetachProcess (&kapc);

?

??? //EPROCESS-->ImageFileName

??? FindAndChangeA(pProcess+0x174,16);

??? //EPROCESS-->SeAuditProcessCreationInfo->ImageFileName

??? FindAndChangeUni(*(PULONG)(pProcess + 0x1F4));

??? //EPROCESS->SectionObject->Segment->ControlArea->FileObject->FileName

??? //should use MmIsAddressValid to verify

??? tmp=*(PULONG)(pProcess+0x138);

??? tmp=*(PULONG)(tmp+0x14);

??? tmp=*(PULONG)tmp;

??? tmp=*(PULONG)(tmp+0x024);

??? FindAndChangeUni(tmp+0x030);

???

??? //VAD

??? //should use MmIsAddressValid to verify

??? tmp=*(PULONG)(pProcess+0x11c);

??? tmp=*(PULONG)(tmp+0x10);

??? tmp=*(PULONG)(tmp+0x018);

??? tmp=*(PULONG)(tmp+0x024);

??? FindAndChangeUni(tmp+0x030);

}
復制代碼其中，FindAndChangeUni和FindAndChangeA的作用是在一個字符串（UNICODE_STRING或CHAR）中定位“winmine.exe”并改成"winxxoo.exe"。代碼如下: //Fypher

//http://hi.baidu.com/nmn714

?

VOID FindAndChangeUni(ULONG strAddr){

??? PUNICODE_STRING uniStr = (PUNICODE_STRING)strAddr;

??? ULONG len = uniStr->Length / 2;

??? ULONG maxLen = uniStr->MaximumLength / 2;

??? PWCHAR str = uniStr->Buffer;

??? ULONG i=0;

?

??? if(!str || len<11|| maxLen<11 )

??????? return;

?

??? for(i=0;i<= len - 11;++i){

??????? if(!_wcsnicmp(str+i,L"winmine.exe",11))

??????????? break;

??? }

?

??? if(i>len - 11)

??????? return;

???

??? _asm{

??????? cli

??????? mov eax, cr0

??????? and eax, not 0x10000

??????? mov cr0, eax

??? }

??? //str可能是PEB中的，故try之

??? __try{

??????? str[i+3]=L'x';

??????? str[i+4]=L'x';

??????? str[i+5]=L'o';

??????? str[i+6]=L'o';

??? }__except(1){

??? }???

??? _asm{

??????? mov eax, cr0

??????? or eax,0x10000

??????? mov cr0,eax

??????? sti

??? }

}

?

VOID FindAndChangeA(ULONG strAddr,ULONG len){

??? PUCHAR str = (PUCHAR)strAddr;

??? ULONG i=0;

?

??? if(!str || len<11 )

??????? return;

?

??? for(i=0;i<= len - 11;++i){

??????? if(!_strnicmp(str+i,"winmine.exe",11))

??????????? break;

??? }

?

??? if(i>len - 11)

??????? return;

???

??? _asm{

??????? cli

??????? mov eax, cr0

??????? and eax, not 0x10000

??????? mov cr0, eax

??? }

??? //str可能是PEB中的，故try之

??? __try{

??????? str[i+3]='x';

??????? str[i+4]='x';

??????? str[i+5]='o';

??????? str[i+6]='o';

??? }__except(1){

??? }???

???

??? _asm{

??????? mov eax, cr0

??????? or eax,0x10000

??????? mov cr0,eax

??????? sti

??? }

}
復制代碼截圖效果：

參考：《偽造進程初探》——小偉同學（膜拜一下）
附件: 抱歉，您暫時不能下載或查看此附件