Hidden process and recovery (with code) and Process Code

Source: Internet
Author: User

First, we know that the system keeps every process's EPROCESS on a doubly linked list built from LIST_ENTRY. So to hide a process we only need to unlink its EPROCESS from this list. Of course, this only hides the process from the process manager and from ZwQuerySystemInformation: a process hidden by breaking the chain can still be found by brute-force enumeration, because the process object itself is still in memory. This will be discussed later.

To hide a specific process we traverse the whole EPROCESS list, and when a node's process name matches the name we specified we remove that EPROCESS from the list.

Here we run into two problems:

1. Since we traverse a linked list, we need to know how to get from each node to its previous and next node;

2. To compare the process name, we need to know where the process name is stored.

Both problems can be solved with WinDbg.

The following uses x86 as an example:

In WinDbg, let's look at the EPROCESS structure first. Entering the command dt _EPROCESS shows a member ActiveProcessLinks at offset 0x88, of type LIST_ENTRY.

Enter dt _LIST_ENTRY to view the LIST_ENTRY structure; it has the members Flink and Blink. Flink points to the ActiveProcessLinks of the next node after the current node, and Blink points to the ActiveProcessLinks of the node before the current node.

Continuing down the structure, ImageFileName is at offset 0x174. This is where the process name we are looking for is stored.

Next, enter the command !process 0 0. It lists information about every process.

Then enter dt _EPROCESS 895d6da0 to view the EPROCESS of smss.exe.

The ActiveProcessLinks of the node before smss.exe is at address 0x89a6d778. Run dd 0x89a6d778 to view the contents at that address.

Note: because Flink points to the ActiveProcessLinks of the next node, the EPROCESS address of the next node is that ActiveProcessLinks address minus the ActiveProcessLinks offset 0x88.

In this way both problems are solved. For x64 the method is the same, and readers can practice it on their own. The code is as follows:

#ifndef CXX_HIDEPROCESS_H
#include "HideProcess.h"
#endif

ULONG_PTR ActiveOffsetPre = 0;     // offset of ActiveProcessLinks.Blink in EPROCESS
ULONG_PTR ActiveOffsetNext = 0;    // offset of ActiveProcessLinks.Flink in EPROCESS
ULONG_PTR ImageName = 0;           // offset of ImageFileName in EPROCESS
WIN_VERSION WinVersion = WINDOWS_UNKNOW;

PLIST_ENTRY Temp = NULL;           // the unlinked ActiveProcessLinks entry, kept for ResumeProcess
PLIST_ENTRY HeadEntry = NULL;      // ActiveProcessLinks of the System process

NTSTATUS
DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegisterPath)
{
    DbgPrint("DriverEntry\r\n");

    DriverObject->DriverUnload = UnloadDriver;

    WinVersion = GetWindowsVersion();

    switch (WinVersion)
    {
    case WINDOWS_XP:    // 32 bits
        {
            ActiveOffsetPre = 0x8c;
            ActiveOffsetNext = 0x88;
            ImageName = 0x174;
            break;
        }
    case WINDOWS_7:     // 64 bits
        {
            ActiveOffsetPre = 0x190;
            ActiveOffsetNext = 0x188;
            ImageName = 0x2e0;
            break;
        }
    }

    HideProcess("notepad.exe");

    // In DriverEntry the current process is the System process
    HeadEntry = (PLIST_ENTRY)((ULONG_PTR)PsGetCurrentProcess() + ActiveOffsetNext);

    return STATUS_SUCCESS;
}

VOID HideProcess(char *ProcessName)
{
    PEPROCESS EProcessCurrent = NULL;
    PEPROCESS EProcessPre = NULL;

    EProcessCurrent = PsGetCurrentProcess(); // System EPROCESS

    // Blink of System's ActiveProcessLinks minus the offset gives the previous EPROCESS
    EProcessPre = (PEPROCESS)((ULONG_PTR)(*(ULONG_PTR *)((ULONG_PTR)EProcessCurrent + ActiveOffsetPre)) - ActiveOffsetNext);

    // DbgPrint("EProcessCurrent: 0x%p\r\n", EProcessCurrent);
    // DbgPrint("EProcessNext: 0x%p\r\n", EProcessNext);

    while (EProcessCurrent != EProcessPre)
    {
        // DbgPrint("%s\r\n", (char *)((ULONG_PTR)EProcessCurrent + ImageName));

        if (strcmp((char *)((ULONG_PTR)EProcessCurrent + ImageName), ProcessName) == 0)
        {
            Temp = (PLIST_ENTRY)((ULONG_PTR)EProcessCurrent + ActiveOffsetNext);

            if (MmIsAddressValid(Temp))
            {
                // Temp->Blink->Flink = Temp->Flink;
                // Temp->Flink->Blink = Temp->Blink; // the data structure is unstable
                RemoveEntryList(Temp);
            }

            break;
        }

        // Flink of the current ActiveProcessLinks minus the offset gives the next EPROCESS
        EProcessCurrent = (PEPROCESS)((ULONG_PTR)(*(ULONG_PTR *)((ULONG_PTR)EProcessCurrent + ActiveOffsetNext)) - ActiveOffsetNext);
    }
}

VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    ResumeProcess();
    DbgPrint("UnloadDriver\r\n");
}

VOID ResumeProcess()
{
    if (Temp != NULL)
    {
        InsertHeadList(HeadEntry, Temp);
    }
}

WIN_VERSION GetWindowsVersion()
{
    RTL_OSVERSIONINFOEXW osverInfo = { sizeof(osverInfo) };
    pfnRtlGetVersion RtlGetVersion = NULL;
    WIN_VERSION WinVersion;
    WCHAR wzRtlGetVersion[] = L"RtlGetVersion";

    RtlGetVersion = GetFunctionAddressByName(wzRtlGetVersion); // from the Ntoskrnl.exe export table
    if (RtlGetVersion)
    {
        RtlGetVersion((PRTL_OSVERSIONINFOW)&osverInfo);
    }
    else
    {
        // documented fallback
        PsGetVersion(&osverInfo.dwMajorVersion, &osverInfo.dwMinorVersion, &osverInfo.dwBuildNumber, NULL);
    }

    DbgPrint("Build Number: %d\r\n", osverInfo.dwBuildNumber);

    if (osverInfo.dwMajorVersion == 5 && osverInfo.dwMinorVersion == 1)
    {
        DbgPrint("WINDOWS_XP\r\n");
        WinVersion = WINDOWS_XP;
    }
    else if (osverInfo.dwMajorVersion == 6 && osverInfo.dwMinorVersion == 1)
    {
        DbgPrint("WINDOWS 7\r\n");
        WinVersion = WINDOWS_7;
    }
    else if (osverInfo.dwMajorVersion == 6 &&
             osverInfo.dwMinorVersion == 2 &&
             osverInfo.dwBuildNumber == 9200)
    {
        DbgPrint("WINDOWS 8\r\n");
        WinVersion = WINDOWS_8;
    }
    else if (osverInfo.dwMajorVersion == 6 &&
             osverInfo.dwMinorVersion == 3 &&
             osverInfo.dwBuildNumber == 9600)
    {
        DbgPrint("WINDOWS 8.1\r\n");
        WinVersion = WINDOWS_8_1;
    }
    else
    {
        DbgPrint("WINDOWS_UNKNOW\r\n");
        WinVersion = WINDOWS_UNKNOW;
    }

    return WinVersion;
}

PVOID
GetFunctionAddressByName(WCHAR *wzFunction)
{
    UNICODE_STRING uniFunction;
    PVOID AddrBase = NULL;

    if (wzFunction && wcslen(wzFunction) > 0)
    {
        RtlInitUnicodeString(&uniFunction, wzFunction); // constant pointer
        AddrBase = MmGetSystemRoutineAddress(&uniFunction); // Ntoskrnl.exe export table
    }

    return AddrBase;
}
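The point made at the start of the article, that an unlinked EPROCESS is still in memory and can be recovered by brute-force enumeration, can be shown with a small simulation. The Python below is an added example, not code from the article: it builds a constructed flat "kernel memory" holding fake EPROCESS blocks laid out with the article's x86 offsets (ActiveProcessLinks at 0x88, ImageFileName at 0x174, 4-byte pointers), unlinks one entry exactly the way RemoveEntryList rewrites the neighbours' Flink and Blink, and then compares the list walk (the view the driver, the process manager and ZwQuerySystemInformation depend on) with a signature scan of the whole buffer. The "Proc" marker at offset 0, the block size, the stride and the addresses are assumptions of the simulation and not real kernel layout.

```python
import struct

# Offsets taken from the article's x86 WinDbg session.
ACTIVE_PROCESS_LINKS = 0x88   # EPROCESS.ActiveProcessLinks (LIST_ENTRY: Flink, Blink)
IMAGE_FILE_NAME = 0x174       # EPROCESS.ImageFileName (15 chars + NUL)
PTR = 4                       # pointer width on x86
# Constructed values for the simulation only (assumptions, not kernel layout).
EPROCESS_SIZE = 0x260         # size of one fake EPROCESS block
TAG = b"Proc"                 # marker placed at offset 0 of each fake block for the scanner


class FakeKernelMemory:
    """A flat byte array standing in for kernel memory (constructed)."""

    def __init__(self, size):
        self.mem = bytearray(size)

    def read_ptr(self, addr):
        return struct.unpack_from("<I", self.mem, addr)[0]

    def write_ptr(self, addr, value):
        struct.pack_into("<I", self.mem, addr, value)

    def read_name(self, eproc):
        raw = self.mem[eproc + IMAGE_FILE_NAME:eproc + IMAGE_FILE_NAME + 16]
        return raw.split(b"\0", 1)[0].decode("ascii")


def build_image(names, base=0x1000, stride=0x300):
    """Lay out one fake EPROCESS per name and link them into a circular list."""
    mem = FakeKernelMemory(base + stride * (len(names) + 1))
    eprocs = [base + i * stride for i in range(len(names))]
    for eproc, name in zip(eprocs, names):
        mem.mem[eproc:eproc + 4] = TAG
        mem.mem[eproc + IMAGE_FILE_NAME:eproc + IMAGE_FILE_NAME + 16] = \
            name.encode("ascii").ljust(16, b"\0")[:16]
    n = len(eprocs)
    for i, eproc in enumerate(eprocs):
        links = eproc + ACTIVE_PROCESS_LINKS
        mem.write_ptr(links, eprocs[(i + 1) % n] + ACTIVE_PROCESS_LINKS)        # Flink
        mem.write_ptr(links + PTR, eprocs[(i - 1) % n] + ACTIVE_PROCESS_LINKS)  # Blink
    return mem, eprocs


def unlink(mem, eproc):
    """Mirror what RemoveEntryList does: the neighbours bypass the entry,
    but the entry itself stays in memory with its name and pointers intact."""
    links = eproc + ACTIVE_PROCESS_LINKS
    flink = mem.read_ptr(links)
    blink = mem.read_ptr(links + PTR)
    mem.write_ptr(blink, flink)        # prev->Flink = next
    mem.write_ptr(flink + PTR, blink)  # next->Blink = prev


def walk_active_process_list(mem, head_eproc, limit=10000):
    """List view: follow Flink from the System process until it wraps around,
    subtracting the ActiveProcessLinks offset to get back to each EPROCESS."""
    names = []
    cur = head_eproc
    for _ in range(limit):
        names.append(mem.read_name(cur))
        cur = mem.read_ptr(cur + ACTIVE_PROCESS_LINKS) - ACTIVE_PROCESS_LINKS
        if cur == head_eproc:
            break
    return names


def scan_for_eprocess(mem, step=4):
    """Scan view: brute-force the whole buffer for blocks that look like an EPROCESS
    (marker present, list pointers inside the image), ignoring the list entirely."""
    names = []
    for off in range(0, len(mem.mem) - EPROCESS_SIZE, step):
        if mem.mem[off:off + 4] != TAG:
            continue
        flink = mem.read_ptr(off + ACTIVE_PROCESS_LINKS)
        if not 0 < flink < len(mem.mem):
            continue
        names.append(mem.read_name(off))
    return names


def find_hidden_processes(mem, head_eproc):
    """Cross-view check: anything the scan finds that the list walk does not."""
    listed = set(walk_active_process_list(mem, head_eproc))
    return sorted(set(scan_for_eprocess(mem)) - listed)


def demo():
    names = ["System", "smss.exe", "csrss.exe", "notepad.exe", "explorer.exe"]  # constructed
    mem, eprocs = build_image(names)
    before = walk_active_process_list(mem, eprocs[0])
    unlink(mem, eprocs[names.index("notepad.exe")])
    after = walk_active_process_list(mem, eprocs[0])
    hidden = find_hidden_processes(mem, eprocs[0])
    return before, after, hidden


if __name__ == "__main__":
    before, after, hidden = demo()
    print("list walk before unlink:", before)
    print("list walk after unlink: ", after)
    print("scan but not listed:    ", hidden)
```

On a real memory image this is the same cross-view comparison that Volatility's pslist and psscan plugins make; a process that appears in the scan but not in the list walk is the signal to investigate, and the article's ResumeProcess (InsertHeadList of the saved entry) is the reverse of the unlink shown here.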
