Posted on 2009-10-28 14:38
S.l.e!ep.¢% 閱讀(336)
評論(0) 編輯 收藏 引用 所屬分類:
RootKit
繼
HOOK SSDT Hide Process (七)用
HOOK SSDT Hide Process (七)? 的代碼雖然隱藏了進程,但會導致在 taskmgr.exe 全部進程看不到
而且運行一段時間后, taskmgr.exe 就會非法關閉
Q:
今天突然發現,如果 taskmgr.exe 中選中了 'Show processes from all users' 選項,還是可以看到其它進程的(taskmgr.exe成功隱藏),但為什么不選中就所以進程看不到?這么鬼異的問題估計要OD下 taskmgr.exe 才知道
為了一查究竟,我把 MyZwQuerySystemInformation 修改成如下的代碼
NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????IN?PVOID?SystemInformation,?
????????????????????IN?ULONG?SystemInformationLength,?
????????????????????OUT?PULONG?ReturnLength)?//定義自己的Hook函數
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString(&process_name,?L"taskmgr.exe");
????
????rc?=?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
????if(NT_SUCCESS(rc))?
????{
????????
????????if(5?==?SystemInformationClass)
????????{?
????????????
????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;?
????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;?
????????????
????????????//if(curr->NextEntryDelta)
????????????//????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);?
????????????
????????????while(curr)
????????????{
????????????????????????????????KdPrint(("ProcessName:%wZ?NextEntryDelta:%d?\n",?&curr->ProcessName,?curr->NextEntryDelta));
????????
????????????????if(curr->NextEntryDelta)
????????????????????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);
????????????????else
????????????????????curr?=?NULL;
????????????????????
????????????????
????????????}//?while(curr)?
????????????????????????
????????????????????????????????UnHook();????????????
????????}//?if(5?==?SystemInformationClass)
????????
????}//?if(NT_SUCCESS(rc))
????
????//?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully
.?\n"));
????return?rc;
}
在 DebugView 中顯示的內容如下:
Entry?Hook?Function!
Entry?Hook()
KeServiceDescriptorTable->ServiceTableBase?is?:0x804e2d20
OldZwQuerySystemInformation?is?:0x8057cc27
MyZwQuerySystemInformation?is?:0xf8f0c080
Leave?DriverEntry!
ProcessName:(null)?NextEntryDelta:248?
ProcessName:System?NextEntryDelta:3528?
ProcessName:smss.exe?NextEntryDelta:400?
ProcessName:csrss.exe?NextEntryDelta:912?
ProcessName:winlogon.exe?NextEntryDelta:1304?
ProcessName:services.exe?NextEntryDelta:1176?
ProcessName:lsass.exe?NextEntryDelta:1360?
ProcessName:vmacthlp.exe?NextEntryDelta:280?
ProcessName:svchost.exe?NextEntryDelta:1360?
ProcessName:svchost.exe?NextEntryDelta:656?
ProcessName:svchost.exe?NextEntryDelta:3664?
ProcessName:svchost.exe?NextEntryDelta:464?
ProcessName:svchost.exe?NextEntryDelta:1104?
ProcessName:explorer.exe?NextEntryDelta:920?
ProcessName:spoolsv.exe?NextEntryDelta:848?
ProcessName:VMwareService.exe?NextEntryDelta:416?
ProcessName:VMwareTray.exe?NextEntryDelta:280?
ProcessName:VMwareUser.exe?NextEntryDelta:536?
ProcessName:ctfmon.exe?NextEntryDelta:272?
ProcessName:wscntfy.exe?NextEntryDelta:272?
ProcessName:alg.exe?NextEntryDelta:584?
ProcessName:cmd.exe?NextEntryDelta:264?
ProcessName:conime.exe?NextEntryDelta:272?
ProcessName:DriverMonitor.exe?NextEntryDelta:608?
ProcessName:notepad.exe?NextEntryDelta:272?
ProcessName:taskmgr.exe?NextEntryDelta:400?
ProcessName:Dbgview.exe?NextEntryDelta:0?
Unhook?leave!
接著再做一個嘗試,如果直接把第二個線程的信息的 NextEntryDelta 改為0 , 是不是 taskmgr.exe 就會只顯示一條線程?
NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????IN?PVOID?SystemInformation,?
????????????????????IN?ULONG?SystemInformationLength,?
????????????????????OUT?PULONG?ReturnLength)?//定義自己的Hook函數
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString(&process_name,?L"taskmgr.exe");
????
????rc?=?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
????if(NT_SUCCESS(rc))?
????{
????????
????????if(5?==?SystemInformationClass)
????????{?
????????????
????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;?
????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;?
????????????
????????????if(curr->NextEntryDelta)
????????????????????????{
??????????????????????????curr->NextEntryDelta?=?0;
????????????}
????????????????????????
????????????????????????//????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);?
????????????
????????????????????????/*
????????????while(curr)
????????????{
????????????????????????????????KdPrint(("ProcessName:%wZ?NextEntryDelta:%d?\n",?&curr->ProcessName,?curr->NextEntryDelta));
????????
????????????????if(curr->NextEntryDelta)
????????????????????curr?=?(_SYSTEM_PROCESSES?*)((ULONG)curr?+?curr->NextEntryDelta);
????????????????else
????????????????????curr?=?NULL;
????????????????????
????????????????
????????????}//?while(curr)?
????????????????*/????????
?????????????????//???????????????UnHook();????????????
????????}//?if(5?==?SystemInformationClass)
????????
????}//?if(NT_SUCCESS(rc))
????
????//?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully.?\n"));
????return?rc;
}
情況還是?taskmgr.exe 中選中了 'Show processes from all users' 選項,就會顯示一條 System Idle Process 線程,如果不選中
'Show processes from all users' 這個選項,那么 Taskmgr.exe 的列表就會顯示為空
curr
->NextEntryDelta?=?0; 那為何不把 curr 之后的數全部置為 0x00 ?
于是,加多幾句代碼
??????????????if(curr->NextEntryDelta)
????????????{
??????????????????????????KdPrint(("SystemInformationLength:%d?\n",?SystemInformationLength));
??????????????????????????curr->NextEntryDelta?=?0;
??????????????????????????memset((void*)((ULONG)curr?+?curr->NextEntryDelta),?0x00,?SystemInformationLength?-?curr->NextEntryDelta);
????????????}
此時,無論有無選中 'Show Process From all users'選項,所有進程都不顯示在 taskmgr.exe 了
另外還發現兩個現象
Q1. taskmgr.exe 調用 ZwQuerySystemInformation 時,ReturnLength?指針總是傳 NULL
Q2. taskmgr.exe 調用 ZwQuerySystemInformation 時,SystemInformationLength 總是傳 0x6000
難道 taskmgr.exe 并不是通過 NextEntryData 這個值來定位到下個進程的信息的?
?