3环进程混淆思路
## 在一定程度上能起到混淆作用，纯思路分享
```cpp
#include <iostream>
#include <windows.h>
#include <winternl.h>
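// Values that main() writes into the current process's own PEB
// (RTL_USER_PROCESS_PARAMETERS CommandLine / ImagePathName buffers).
// Both are wide-character literals; the copies below use wcslen()*2 bytes.
#define FAKE_CMDLINE L"C:\\Windows\\explorer.exe"
#define FAKE_PATH    L"C:\\Windows\\explorer.exe"

// Function-pointer type for ntdll!NtQueryInformationProcess, resolved at
// run time with GetProcAddress in main() rather than linked against ntdll.lib.
// The IN/OUT/OPTIONAL annotations are the SAL-style macros from winternl.h.
typedef NTSTATUS
(*MyNtQueryInformationProcess)(
    IN HANDLE ProcessHandle,
    IN PROCESSINFOCLASS ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );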
// Demonstration of user-mode (ring 3) PEB tampering on the *calling* process:
// overwrites the CommandLine and ImagePathName buffers in ProcessParameters,
// writes SessionId, and rewires the links of the PEB_LDR_DATA
// InMemoryOrderModuleList head. No other process is touched.
//
// NOTE(review): everything written here lives in the process's own user-mode
// memory; readers that take these values from the PEB will see them, while
// any kernel-side record of the same attributes is not modified by this code.
// Comparing PEB-reported values against kernel-side process data is therefore
// a natural consistency check for defenders — confirm against your tooling.
//
// Return: 0 on every early-exit path; falls off the end (implicit 0) after
// getchar() returns.
int main()
{
PPEB pebProcess = { 0 };
PROCESS_BASIC_INFORMATION pbiProcess = { 0 };
HANDLE hProcess = 0;
ULONG Infolen = 1024;            // unused
ULONG Retlen = 0;
NTSTATUS status = 0;
HMODULE hNtdll = 0;
UNICODE_STRING unCmdline;        // unused and never initialised
UINT64 fakepid = 4;              // value written into the local pbiProcess copy below
ULONG fakesession = 0;           // value written into pebProcess->SessionId below
MyNtQueryInformationProcess ntQueryProcess = NULL;
// Resolve NtQueryInformationProcess dynamically. The module handle is never
// released with FreeLibrary on any path.
hNtdll = LoadLibraryA("ntdll.dll");
// Relational compare of a handle against 0; a plain NULL test is the usual form.
if (hNtdll<=0)
{
return 0;
}
ntQueryProcess = (MyNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");
if (ntQueryProcess<=0)
{
return 0;
}
// Opens a handle to the current process. It is never closed with CloseHandle;
// a plain GetCurrentProcess() pseudo-handle would not need closing.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
if (!hProcess)
{
return 0;
}
// ProcessBasicInformation yields PebBaseAddress for the target (here: self).
status = ntQueryProcess(hProcess, ProcessBasicInformation, &pbiProcess, sizeof(PROCESS_BASIC_INFORMATION), &Retlen);
if (!NT_SUCCESS(status))
{
return 0;
}
if (pbiProcess.PebBaseAddress == NULL)
{
return 0;
}
pebProcess = pbiProcess.PebBaseAddress;
// Overwrite the command line in place.
// Zeroes only wcslen(original)*2 bytes, then copies wcslen(FAKE_CMDLINE)*2 bytes
// with no terminating NUL. There is no check that the existing buffer can hold
// the fake string (CommandLine.MaximumLength is not consulted), and
// CommandLine.Length is not updated to match the new contents.
RtlZeroMemory((pebProcess->ProcessParameters->CommandLine).Buffer, wcslen((pebProcess->ProcessParameters->CommandLine).Buffer) * 2);
RtlCopyMemory((pebProcess->ProcessParameters->CommandLine).Buffer, FAKE_CMDLINE,wcslen(FAKE_CMDLINE)*2);
// Overwrite the image path in place — same caveats as the command line above.
RtlZeroMemory((pebProcess->ProcessParameters->ImagePathName).Buffer, wcslen((pebProcess->ProcessParameters->ImagePathName).Buffer) * 2);
RtlCopyMemory((pebProcess->ProcessParameters->ImagePathName).Buffer, FAKE_PATH, wcslen(FAKE_PATH) * 2);
// "Modify process id": this writes into the local pbiProcess structure
// (a stack copy returned by the query), not into the PEB or anywhere else
// the process id is actually kept, so it has no effect beyond this function.
RtlCopyMemory(&(pbiProcess.UniqueProcessId), &fakepid, sizeof(UINT64));
// Overwrite the PEB's SessionId field with fakesession (0).
RtlCopyMemory(&(pebProcess->SessionId), &fakesession, sizeof(ULONG));
// "Unlink": both writes operate on the list *head* (InMemoryOrderModuleList)
// rather than on an individual module's LDR entry — the neighbours of the head
// are pointed at each other, detaching the head node from the circular list.
(pebProcess->Ldr->InMemoryOrderModuleList.Blink)->Flink = pebProcess->Ldr->InMemoryOrderModuleList.Flink;
(pebProcess->Ldr->InMemoryOrderModuleList.Flink)->Blink = pebProcess->Ldr->InMemoryOrderModuleList.Blink;
// Blocks on stdin, presumably so the process stays alive for inspection.
getchar();
}
```