震惊支持XP-win10的进程隐藏居然是

blmk · 发表于 2019-10-30 13:27

先上图

,驱动执行完毕以后

任务管理器和工具上的进程都不见了,那么他到底去哪里了呢

对没错把名字抹掉了，别人都是写个别的进程的名字因为我懒所以直接写空
上代码

[C++] 纯文本查看 复制代码

BOOLEAN PathSeAuditProcessCreationInfo(PEPROCESS Process, WCHAR* ProcessName){
	PUNICODE_STRING Name ;
	PUNICODE_STRING SelocateName;


SeLocateProcessImageName(Process, &SelocateName);

	ExFreePool(SelocateName);

	Name = (PUNICODE_STRING)(*(PULONG_PTR)((ULONG_PTR)Process + 0x468));//+0x468 SeAuditProcessCreationInfo

	if ((wcslen(ProcessName) * 2) > Name->Length)
	{
		return FALSE;
	}

	RtlZeroMemory(Name->Buffer, Name->MaximumLength);
	RtlCopyMemory(Name->Buffer, ProcessName, wcslen(ProcessName) * 2);
	Name->Length = wcslen(ProcessName) * 2;
	return TRUE;
}

对应结构体中

[C++] 纯文本查看 复制代码

BOOLEAN PathImageFileName(PEPROCESS Process, char* cName)
{
	char    szNameBuff[15] = { 0 };
	UCHAR* szProcessBuff = NULL;
	size_t  cNamelen = 0;


	cNamelen = strlen(cName);

	RtlZeroMemory(szNameBuff, sizeof(szNameBuff));
	if (cNamelen > 15)
		RtlCopyMemory(szNameBuff, cName, sizeof(szNameBuff));
	else
		RtlCopyMemory(szNameBuff, cName, cNamelen);
	szProcessBuff = PsGetProcessImageFileName(Process);
	RtlZeroMemory(szProcessBuff, sizeof(szNameBuff));
	RtlCopyMemory(szProcessBuff, szNameBuff, sizeof(szNameBuff));

	return TRUE;
}

[C++] 纯文本查看 复制代码

bool Win10ImageNamePoint(PEPROCESS Process, WCHAR* szFullName)
{
	BOOLEAN bRet ;
	PFILE_OBJECT pFileObject ;
	WCHAR* szNewFullName = NULL;

	
	szNewFullName = static_cast<WCHAR*>( ExAllocatePool(NonPagedPool, MAX_PATH * 2));

	RtlZeroMemory(szNewFullName, MAX_PATH * 2);

	pFileObject = (PFILE_OBJECT)(*(PULONG_PTR)((ULONG_PTR)Process + 0x448)); //+0x448 ImageFilePointer 


	if (pFileObject->FileName.Length >= wcslen(szFullName) * 2)
	{
		RtlZeroMemory(pFileObject->FileName.Buffer, pFileObject->FileName.MaximumLength);
		RtlCopyMemory(pFileObject->FileName.Buffer, szFullName, wcslen(szFullName) * 2);
		pFileObject->FileName.Length = wcslen(szFullName) * 2;
		ExFreePool(szNewFullName);
		bRet = TRUE;
	}
	else
	{
		RtlCopyMemory(szNewFullName, szFullName, wcslen(szFullName) * 2);
		pFileObject->FileName.Buffer = szNewFullName;
		pFileObject->FileName.Length = wcslen(szFullName) * 2;
		pFileObject->FileName.MaximumLength = MAX_PATH * 2;
		bRet = TRUE;
	}

	return bRet;
}

这个结构体成员似乎只有win10 才有

还有很重要的一步

[C++] 纯文本查看 复制代码

VOID modifyProcessUniqueProcessId(PEPROCESS Process)
{
	PVOID64 UnProcessID;
	PVOID64 InFromUnProceesID;
	ULONGLONG Upid = 4;
	ULONGLONG InFromPid = 0;
	UnProcessID =(PULONG_PTR)((ULONGLONG)Process + 0x2e8);//+0x2e8 UniqueProcessId
	RtlCopyMemory(UnProcessID, &Upid, sizeof(ULONGLONG));
	InFromUnProceesID = (PULONG_PTR)((ULONGLONG)Process + 0x3e8); //+0x3e8 InheritedFromUniqueProcessId
	RtlCopyMemory(InFromUnProceesID, &InFromPid, sizeof(ULONGLONG));
	return ;
}

[C++] 纯文本查看 复制代码

BOOLEAN checkProcessModify(HANDLE pid)
{
	PEPROCESS Process = NULL;
	NTSTATUS status = PsLookupProcessByProcessId((HANDLE)pid, &Process);
	if (!NT_SUCCESS(status))
	{
		return FALSE;
	}
	PathImageFileName(Process, "svchost.exe");
	PathWin10ImageNamePoint(Process, L" ");
	PathSeAuditProcessCreationInfo(Process, L" ");
	modifyProcessUniqueProcessId(Process);
	ObDereferenceObject(Process);
	return TRUE;
}

附上windbg的效果图

对了似乎还有3环的PEB结构中的三个链条没断，那个三环就可以做.

qingjie2010 · 发表于 2019-10-30 13:45

学习学习了，吾爱油腻更精彩~

ZuiShuai-Song · 发表于 2019-10-30 13:50

建议你去UC震惊部上班

wgy1213 · 发表于 2019-10-30 13:53

真厉害这么牛

逝去的流梦 · 发表于 2019-10-30 14:13

你好，你已经被UC震惊部录取了，工资随便开，明天上午8点到我们总部报到。如有疑问，请拨打110，谢谢合作。

p6858446 · 发表于 2019-10-30 14:18

用hidetoolz隐藏了CE还是会被游戏检测出来提示我不要打开与游戏无关的软件，然后闪退~~

mokson · 发表于 2019-10-30 21:27

大师级技术，看不懂。

TL90 · 发表于 2019-10-31 10:29

还是会被检测吧

kz丶cn · 发表于 2019-10-31 14:06

https://github.com/zhuhuibeishadiao/PathModification/blob/master/PathModification.c 请注明出处

A学习的小菜鸟 · 发表于 2021-9-15 20:01

这就是利用内核api进行进程隐藏啊，标题搞得这么吓人，还以为是新一代打的隐藏技术呢

帐号		自动登录	找回密码
密码			注册[Register]

[其他原创] 震惊支持XP-win10的进程隐藏居然是

免费评分

个人中心