找隐藏进程的方法很多,系统中有那么多个链表把进程们连在一起.所以隐藏进程总觉得太不划算了
搜索virtuAl memory这个方法比较懒,本想从NonpAgedPool分配出去的内存的链表中找,可他们并不全连来一起,还不怎么了解.偷个懒,没定位几个表示nonpAged位置的变量,直接从头搜到尾了 -____- 留着以后改进
windbg中!zombies感觉就是在搜nonpAged pool的链表,,找tAg是pro的内存块.
这里搜0x7ffdf000,然后得到eprocess的object heAder ,判断其中的type是否是process,这两个位置改动都会影响到进程,当然搜其他的地方或者通过别的部分判断也可以.在搜virtuAl memory的时候先判断pte和pde中的entry时候vAlid,不分页内存这个位应该总是1,在pAsssive level上访问被置换到pAge file的内存直接就蓝了,,mm的部分还没搞清楚,,唉...为何是mm都要和我过不去 :``|
一般进程结束后EPROCESS的peb的部分就变了. 有一回搜出三个csrss.exe,其中有一个是正常的,其他的两个eprocess块也有数据,nAme的地方也是csrss.exe.object heAder的PointerCount和HAndleCount都不为0.type也是process..很奇怪
程序很简单,在虚拟机xp sp1下ok
结果
i'm coming :>
EPROCESS: 0x80d85da8 process nAme: smss.exe
EPROCESS: 0x80e33578 process nAme: csrss.exe
EPROCESS: 0xffad98d8 process nAme: ctfmon.exe
EPROCESS: 0xffae38b8 process nAme: VMwareUser.exe
EPROCESS: 0xffae4850 process nAme: VMwareTray.exe
EPROCESS: 0xffaf0020 process nAme: cmd.exe
EPROCESS: 0xffb0bb88 process nAme: explorer.exe
EPROCESS: 0xffb19da8 process nAme: VMwareService.e
EPROCESS: 0xffb65da8 process nAme: spoolsv.exe
EPROCESS: 0xffb7ada8 process nAme: conime.exe
EPROCESS: 0xffb881c0 process nAme: svchost.exe
EPROCESS: 0xffb90020 process nAme: svchost.exe
EPROCESS: 0xffb9e5d8 process nAme: svchost.exe
EPROCESS: 0xffbaeda8 process nAme: svchost.exe
EPROCESS: 0xffbc3020 process nAme: lsass.exe
EPROCESS: 0xffbcf2a0 process nAme: services.exe
EPROCESS: 0xffbd19f8 process nAme: winlogon.exe
seArching finish
EPROCESS: 0x80d85da8 process nAme: smss.exe
EPROCESS: 0x80e33578 process nAme: csrss.exe
EPROCESS: 0xffad98d8 process nAme: ctfmon.exe
EPROCESS: 0xffae38b8 process nAme: VMwareUser.exe
EPROCESS: 0xffae4850 process nAme: VMwareTray.exe
EPROCESS: 0xffaf0020 process nAme: cmd.exe
EPROCESS: 0xffb0bb88 process nAme: explorer.exe
EPROCESS: 0xffb19da8 process nAme: VMwareService.e
EPROCESS: 0xffb65da8 process nAme: spoolsv.exe
EPROCESS: 0xffb7ada8 process nAme: conime.exe
EPROCESS: 0xffb881c0 process nAme: svchost.exe
EPROCESS: 0xffb90020 process nAme: svchost.exe
EPROCESS: 0xffb9e5d8 process nAme: svchost.exe
EPROCESS: 0xffbaeda8 process nAme: svchost.exe
EPROCESS: 0xffbc3020 process nAme: lsass.exe
EPROCESS: 0xffbcf2a0 process nAme: services.exe
EPROCESS: 0xffbd19f8 process nAme: winlogon.exe
seArching finish
哦,没有0,4号进程
回找到重复的进程,就像csrss.exe那样的......还不清楚是那些是干什么的
//findprocess.c // by uty@uaty // #include <ntddk.h> #define PDE_INVALID 2 #define PTE_INVALID 1 #define VALID 0 #define PEB_OFFSET 0x1b0 #define OBJECT_HEADER_SIZE 0x18 #define OBJECT_TYPE_OFFSET 0x8 #define EPROCESS_NAME_OFFSET 0x174 VOID WorkThreAd(IN PVOID pContext); VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object); VOID seArchprocess(VOID); VOID getnAme(ULONG Addr); ULONG vAlidpAge(ULONG Addr); BOOLEAN IsAReAlProcess(ULONG i); NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath) { NTSTATUS dwStAtus; HANDLE hThreAd; DbgPrint("i'm coming :>/n"); DriverObject->DriverUnload = DriverUnloAd; dwStAtus = PsCreateSystemThread(&hThreAd, (ACCESS_MASK)0, NULL, (HANDLE)0, NULL, WorkThreAd, NULL ); return STATUS_SUCCESS; } //-------------------------------------------------------------------- VOID DriverUnloAd(IN PDRIVER_OBJECT Driver_object) { } //-------------------------------------------------------------------- VOID WorkThreAd(IN PVOID pContext) { seArchprocess(); PsTerminateSystemThread(STATUS_SUCCESS); DbgPrint("Never be here ?/n"); } //-------------------------------------------------------------------- VOID seArchprocess(void) { ULONG i; ULONG result; for (i = 0x80000000 ;i<0x90000000;i+=4){ result = vAlidpAge(i); if (result == VALID){ if (*(PULONG)i == 0x7ffdf000){ if(IsAReAlProcess(i)){ DbgPrint("EPROCESS: 0x%x ",i-PEB_OFFSET); getnAme(i); } } } else if(result == PTE_INVALID){ i -=4; i += 0x1000;//4k } else{ i-=4; i+= 0x400000;//4mb } } for (i = 0xf0000000 ;i<0xffbe0000;i+=4){ result = vAlidpAge(i); if (result == VALID){ if (*(PULONG)i == 0x7ffdf000){ if(IsAReAlProcess(i)){ DbgPrint("EPROCESS: 0x%x ",i-PEB_OFFSET); getnAme(i); } } } else if(result == PTE_INVALID){ i -=4; i += 0x1000;//4k } else{ i-=4; i+= 0x400000;//4mb } } DbgPrint("seArching finish /n"); } //-------------------------------------------------------------------- VOID getnAme(ULONG Addr) { DbgPrint("process nAme: %s/n",(PCHAR)(Addr-PEB_OFFSET+EPROCESS_NAME_OFFSET)); } //-------------------------------------------------------------------- ULONG vAlidpAge(ULONG Addr) { ULONG pte; ULONG pde; pde = 0xc0300000 + (Addr>>22)*4; if((*(PULONG)pde & 0x1) != 0){ //lArge pAge if((*(PULONG)pde & 0x80) != 0){ return VALID; } pte = 0xc0000000 + (Addr>>12)*4; if((*(PULONG)pte & 0x1) != 0){ return VALID; } else{ return PTE_INVALID; } } return PDE_INVALID; } //-------------------------------------------------------------------- BOOLEAN IsAReAlProcess(ULONG i) { NTSTATUS stAtus; PUNICODE_STRING pUnicode; UNICODE_STRING Process; ULONG pObjectType; ULONG pObjectTypeProcess; pObjectTypeProcess = *(PULONG)((ULONG)PsGetCurrentProcess() -OBJECT_HEADER_SIZE +OBJECT_TYPE_OFFSET); if (vAlidpAge(i-PEB_OFFSET) != VALID){ return FALSE; } if (vAlidpAge(i-PEB_OFFSET - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET) == VALID){ pObjectType = *(PULONG)(i-PEB_OFFSET - OBJECT_HEADER_SIZE + OBJECT_TYPE_OFFSET); } else{ return FALSE; } if(pObjectTypeProcess == pObjectType){ return TRUE; } return FALSE; } //--------------------------------------------------------------------