
搜索内存枚举进程

找隐藏进程的方法很多,系统中有那么多个链表把进程们连在一起.所以隐藏进程总觉得太不划算了

    搜索virtual memory这个方法比较懒,本想从NonPagedPool分配出去的内存的链表中找,可他们并不全连在一起,还不怎么了解.偷个懒,没定位几个表示nonpaged位置的变量,直接从头搜到尾了 -____- 留着以后改进
    windbg中!zombies感觉就是在搜nonpaged pool的链表,找tag是pro的内存块.
    这里搜0x7ffdf000,然后得到eprocess的object header,判断其中的type是否是process,这两个位置改动都会影响到进程,当然搜其他的地方或者通过别的部分判断也可以.在搜virtual memory的时候先判断pte和pde中的entry是否valid,不分页内存这个位应该总是1,在passive level上访问被置换到page file的内存直接就蓝了,,mm的部分还没搞清楚,,唉...为何是mm都要和我过不去 :``|
    一般进程结束后EPROCESS的peb的部分就变了. 有一回搜出三个csrss.exe,其中有一个是正常的,其他的两个eprocess块也有数据,name的地方也是csrss.exe.object header的PointerCount和HandleCount都不为0.type也是process..很奇怪
 
程序很简单,在虚拟机xp sp1下ok
结果
i'm coming :>
EPROCESS: 0x80d85da8  process nAme: smss.exe
EPROCESS: 0x80e33578  process nAme: csrss.exe
EPROCESS: 0xffad98d8  process nAme: ctfmon.exe
EPROCESS: 0xffae38b8  process nAme: VMwareUser.exe
EPROCESS: 0xffae4850  process nAme: VMwareTray.exe
EPROCESS: 0xffaf0020  process nAme: cmd.exe
EPROCESS: 0xffb0bb88  process nAme: explorer.exe
EPROCESS: 0xffb19da8  process nAme: VMwareService.e
EPROCESS: 0xffb65da8  process nAme: spoolsv.exe
EPROCESS: 0xffb7ada8  process nAme: conime.exe
EPROCESS: 0xffb881c0  process nAme: svchost.exe
EPROCESS: 0xffb90020  process nAme: svchost.exe
EPROCESS: 0xffb9e5d8  process nAme: svchost.exe
EPROCESS: 0xffbaeda8  process nAme: svchost.exe
EPROCESS: 0xffbc3020  process nAme: lsass.exe
EPROCESS: 0xffbcf2a0  process nAme: services.exe
EPROCESS: 0xffbd19f8  process nAme: winlogon.exe
seArching finish
哦,没有 0 号和 4 号进程
会找到重复的进程,就像csrss.exe那样的......还不清楚那些是干什么的
//findprocess.c
//		by uty@uaty
//
#include <ntddk.h>

/* Return codes of vAlidpAge(): whether the page-directory entry (PDE) and the
 * page-table entry (PTE) covering a virtual address are present, so the scanner
 * never touches a non-present page at PASSIVE_LEVEL. */
#define PDE_INVALID 2
#define PTE_INVALID 1
#define VALID		0

/* Structure offsets for the kernel this was tested on (XP SP1 in a VM, per the
 * post above).  They are layout-specific: re-derive them from symbols before
 * running on any other build.
 *   PEB_OFFSET           offset of the Peb field inside EPROCESS; the scan looks
 *                        for the well-known PEB address 0x7ffdf000 and subtracts
 *                        this to get the EPROCESS base
 *   OBJECT_HEADER_SIZE   the object header that precedes the EPROCESS body
 *   OBJECT_TYPE_OFFSET   offset of the type pointer inside that header
 *   EPROCESS_NAME_OFFSET offset of the image file name printed by getnAme() */
#define PEB_OFFSET					0x1b0
#define OBJECT_HEADER_SIZE			0x18
#define OBJECT_TYPE_OFFSET			0x8
#define EPROCESS_NAME_OFFSET		0x174

/* Forward declarations (all defined below in this file). */
VOID WorkThreAd(IN PVOID pContext);          /* system-thread body: runs the scan, then exits */
VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object);
VOID seArchprocess(VOID);                    /* walks two kernel address windows for EPROCESS blocks */
VOID getnAme(ULONG Addr);                    /* prints the image name of the EPROCESS whose Peb field is at Addr */
ULONG vAlidpAge(ULONG Addr);                 /* VALID / PTE_INVALID / PDE_INVALID for Addr */
BOOLEAN IsAReAlProcess(ULONG i);             /* object-header type check for the candidate at i */

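/*
 * Driver entry point.  Registers the unload routine and starts a system thread
 * that performs the memory scan, so the (slow, page-by-page) walk does not run
 * inside DriverEntry itself.
 *
 * Returns STATUS_SUCCESS once the worker thread is running; if the thread
 * cannot be created the status from PsCreateSystemThread is returned so the
 * load fails instead of silently doing nothing.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
	NTSTATUS	dwStAtus;
	HANDLE		hThreAd;

	UNREFERENCED_PARAMETER(RegistryPath);

	DbgPrint("i'm coming :>\n");
	
	DriverObject->DriverUnload = DriverUnloAd;
	
	dwStAtus = PsCreateSystemThread(&hThreAd,
		(ACCESS_MASK)0,
		NULL,
		(HANDLE)0,
		NULL,
		WorkThreAd,
		NULL
		);
	if (!NT_SUCCESS(dwStAtus)) {
		/* Nothing else has been set up, so there is nothing to undo. */
		return dwStAtus;
	}

	/* The worker terminates itself (PsTerminateSystemThread in WorkThreAd);
	 * the handle is not needed afterwards, so release it now instead of
	 * leaking it for the lifetime of the driver. */
	ZwClose(hThreAd);
	
	return STATUS_SUCCESS;
}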
//--------------------------------------------------------------------
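/*
 * Unload routine.  The driver owns no device objects or allocations, so there
 * is nothing to release.
 *
 * NOTE(review): the worker thread started in DriverEntry is not synchronised
 * with unload.  It normally finishes within moments, but an unload while
 * seArchprocess() is still running would pull the code pages out from under
 * the thread -- a KEVENT signalled at the end of WorkThreAd and waited on here
 * would close that window.
 */
VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object)
{
	UNREFERENCED_PARAMETER(Driver_object);
}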
//--------------------------------------------------------------------
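/*
 * Body of the system thread created in DriverEntry: run the scan once, then
 * terminate the thread.  pContext is unused (DriverEntry passes NULL).
 *
 * PsTerminateSystemThread does not return; the DbgPrint after it is kept only
 * as the author's sanity check that this is really so.
 */
VOID WorkThreAd(IN PVOID pContext)
{
	UNREFERENCED_PARAMETER(pContext);

	seArchprocess();
	
	PsTerminateSystemThread(STATUS_SUCCESS);
	DbgPrint("Never be here ?\n");
}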
//--------------------------------------------------------------------
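/* Well-known user-mode PEB address on the targeted XP layout; a ULONG holding
 * this value at EPROCESS.Peb is what the scan keys on. */
static const ULONG XP_PEB_ADDRESS = 0x7ffdf000UL;

/*
 * Walk the kernel virtual range [stArt, end) one ULONG at a time, reporting every
 * location that looks like the Peb field of a process object.
 *
 * Paging is consulted before every read (vAlidpAge) so a non-present page is
 * never touched.  When a page is not present the scan resumes at the start of
 * the NEXT 4 KB page; when the whole page-directory entry is not present it
 * resumes at the start of the next 4 MB region.  Both steps are aligned to the
 * region boundary rather than added to the current position, otherwise a jump
 * taken from an unaligned address would skip the beginning of the following
 * region.  The 4 KB / 4 MB granularity presumes non-PAE x86 paging, matching
 * the page-directory self-map used by vAlidpAge -- confirm for other builds.
 */
static VOID ScanRange(ULONG stArt, ULONG end)
{
	ULONG i = stArt;
	ULONG next;

	while (i < end) {
		switch (vAlidpAge(i)) {
		case VALID:
			/* Candidate only if the object header also says "process". */
			if (*(PULONG)i == XP_PEB_ADDRESS && IsAReAlProcess(i)) {
				DbgPrint("EPROCESS: 0x%x  ", i - PEB_OFFSET);
				getnAme(i);
			}
			next = i + 4;
			break;
		case PTE_INVALID:
			/* Start of the next 4 KB page. */
			next = ((i >> 12) + 1) << 12;
			break;
		default: /* PDE_INVALID */
			/* Start of the next 4 MB region. */
			next = ((i >> 22) + 1) << 22;
			break;
		}
		if (next <= i) {
			/* Wrapped past the top of the 32-bit address space. */
			break;
		}
		i = next;
	}
}

/*
 * Scan the two kernel address windows the author found EPROCESS blocks in and
 * print each candidate.  The bounds are the original ones: the non-paged pool
 * area above 0x80000000 and the high region below 0xffbe0000.
 */
VOID seArchprocess(void)
{
	ScanRange(0x80000000UL, 0x90000000UL);
	ScanRange(0xf0000000UL, 0xffbe0000UL);

	DbgPrint("seArching finish \n");
}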
//--------------------------------------------------------------------
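/*
 * Print the image file name of the EPROCESS whose Peb field sits at Addr.
 *
 * The name field is copied into a NUL-terminated local buffer before printing:
 * EPROCESS.ImageFileName is a fixed 16-byte field (confirm against the symbols
 * of the build in use) and "%s" on the raw field would otherwise read past it
 * if the name were not terminated.
 */
VOID getnAme(ULONG Addr)
{
	CHAR	nAme[17];
	PCHAR	src = (PCHAR)(Addr - PEB_OFFSET + EPROCESS_NAME_OFFSET);

	RtlCopyMemory(nAme, src, sizeof(nAme) - 1);
	nAme[sizeof(nAme) - 1] = '\0';

	DbgPrint("process nAme: %s\n", nAme);
}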
//--------------------------------------------------------------------
/*
 * Classify the page backing Addr using the x86 page-directory / page-table
 * self-map (non-PAE layout: the page directory is visible at 0xC0300000 and
 * the page tables at 0xC0000000).
 *
 * Returns PDE_INVALID when the page-directory entry is not present,
 * PTE_INVALID when the directory entry is present but the page-table entry is
 * not, and VALID otherwise.  A present directory entry with the PS bit set
 * describes a 4 MB page and has no page-table level, so it is VALID at once.
 */
ULONG vAlidpAge(ULONG Addr)
{
	static const ULONG PAGE_DIR_BASE   = 0xc0300000UL;
	static const ULONG PAGE_TABLE_BASE = 0xc0000000UL;
	static const ULONG PRESENT_BIT     = 0x1UL;
	static const ULONG LARGE_PAGE_BIT  = 0x80UL;   /* PS: 4 MB page */
	ULONG pdeVAlue;
	ULONG pteVAlue;

	pdeVAlue = *(PULONG)(PAGE_DIR_BASE + ((Addr >> 22) << 2));
	if ((pdeVAlue & PRESENT_BIT) == 0) {
		return PDE_INVALID;
	}
	if ((pdeVAlue & LARGE_PAGE_BIT) != 0) {
		return VALID;
	}

	pteVAlue = *(PULONG)(PAGE_TABLE_BASE + ((Addr >> 12) << 2));
	return ((pteVAlue & PRESENT_BIT) != 0) ? VALID : PTE_INVALID;
}
//--------------------------------------------------------------------
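/*
 * Decide whether the candidate whose Peb field is at i is a process object.
 *
 * The object header precedes the EPROCESS body; its type pointer is compared
 * with the one taken from the current (known-good) process, so a match means
 * the block is typed as a process regardless of whether it is linked into any
 * process list.  Both locations are checked with vAlidpAge before being read.
 *
 * Returns TRUE for a type match, FALSE for a non-present page or a mismatch.
 */
BOOLEAN IsAReAlProcess(ULONG i)
{
	ULONG	cAndidAte = i - PEB_OFFSET;                              /* EPROCESS body */
	ULONG	typeField = cAndidAte - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET;
	ULONG	pObjectType;
	ULONG	pObjectTypeProcess;

	if (vAlidpAge(cAndidAte) != VALID || vAlidpAge(typeField) != VALID) {
		return FALSE;
	}

	/* Reference value: the type pointer in the header of the calling process. */
	pObjectTypeProcess = *(PULONG)((ULONG)PsGetCurrentProcess() - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET);
	pObjectType = *(PULONG)typeField;

	return (pObjectType == pObjectTypeProcess) ? TRUE : FALSE;
}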
//--------------------------------------------------------------------
