[求助]DLL隐藏, 64位操作系统,需要做哪些变更?
是的, 那些基本是多余的, 只是直接粘贴过来的.
[求助]DLL隐藏, 64位操作系统,需要做哪些变更?
再次搜索了些资料, 发现PROCESS_BASIC_INFORMATION这个结构体中的关键成员: PPEB PebBaseAddress; 在32位和64位下的PVOID指针的长度不同. 拼命搜索并更新后一些关键的64位数据结构体如下: typedef unsigned __int64 HANDLE64; typedef unsigned __int64 PVOID64_; typedef unsigned __int64 PPROCESS_PARAMETERS64; typedef PVOID64_ PPEB_FREE_BLOCK64; typedef struct _PEB64 { BOOLEAN InheritedAddressSpace; HANDLE64 Mutant; PVOID64_ ImageBaseAddress; PVOID64_ Ldr; PPROCESS_PARAMETERS64 ProcessParameters; PVOID64_ SubSystemData; PVOID64_ ProcessHeap; PVOID64_ FastPebLock; PVOID64_ FastPebLockRoutine; PVOID64_ FastPebUnlockRoutine; PVOID64_ Spare[4]; PPEB_FREE_BLOCK64 FreeList; ULONG TlsExpansionCounter; PVOID64_ TlsBitmap; ULONG TlsBitmapBits[2]; PVOID64_ ReadOnlySharedMemoryBase; PVOID64_ ReadOnlySharedMemoryHeap; PVOID64_ *ReadOnlyStaticServerData; PVOID64_ AnsiCodePageData; PVOID64_ OemCodePageData; PVOID64_ UnicodeCaseTableData; LARGE_INTEGER CriticalSectionTimeout; } PEB64,*PPEB64; typedef struct _PROCESS_BASIC_INFORMATION64 { PVOID64 Reserved1; PVOID64 PebBaseAddress; PVOID64 Reserved2[2]; PVOID64 UniqueProcessId; PVOID64 Reserved3; } PROCESS_BASIC_INFORMATION64,*PPROCESS_BASIC_INFORMATION64; 然后, 依然是依葫芦画瓢, 用X86的流程处理纯粹的64位的DLL隐藏过程代码如下: if(Is64BitOS()&&B_IsWow64Process==FALSE) { PROCESS_BASIC_INFORMATION64 stInfo = {0}; DWORD dwRetnLen = 0; DWORD dw = p( GetCurrentProcess(), 0, &stInfo, sizeof(stInfo), &dwRetnLen); PPEB64 pPeb = (PEB64 *)stInfo.PebBaseAddress; PLIST_ENTRY ListHead, Current; PLDR_DATA_TABLE_ENTRY pstEntry = NULL; ListHead = &((PPEB_LDR_DATA)(pPeb->Ldr))->InLoadOrderModuleList; Current = ListHead->Flink; while ( Current != ListHead) { pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks); //DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint); memset(cModuleName,0,sizeof(cModuleName)); w2c(cModuleName,pstEntry->FullDllName.Buffer,sizeof(cModuleName)); sprintf(SendBuf,"Module:%s, base:0x%X\r\n", cModuleName, pstEntry->EntryPoint); if ( pstEntry->DllBase == hHideMod) 
{ pstEntry->InLoadOrderLinks.Flink->Blink = pstEntry->InLoadOrderLinks.Blink; pstEntry->InLoadOrderLinks.Blink->Flink = pstEntry->InLoadOrderLinks.Flink; //DebugOut( _T( "Hide injected dll.")); sprintf(SendBuf,"\r\nHide dll '%s' In InLoadOrderList.\r\n\r\n",cModuleName); break; } Current = pstEntry->InLoadOrderLinks.Flink; } ListHead = &((PPEB_LDR_DATA)(pPeb->Ldr))->InMemoryOrderModuleList; Current = ListHead->Flink; while ( Current != ListHead) { pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InMemoryOrderModuleList); //DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint); memset(cModuleName,0,sizeof(cModuleName)); w2c(cModuleName,pstEntry->FullDllName.Buffer,sizeof(cModuleName)); sprintf(SendBuf,"Module:%s, base:0x%X\r\n", cModuleName, pstEntry->EntryPoint); if ( pstEntry->DllBase == hHideMod) { pstEntry->InMemoryOrderModuleList.Flink->Blink = pstEntry->InMemoryOrderModuleList.Blink; pstEntry->InMemoryOrderModuleList.Blink->Flink = pstEntry->InMemoryOrderModuleList.Flink; //DebugOut( _T( "Hide injected dll.")); sprintf(SendBuf,"\r\nHide dll '%s' In InMemoryOrderList.\r\n\r\n",cModuleName); break; } Current = pstEntry->InMemoryOrderModuleList.Flink; } //DebugOutW( L"\r\n"); ListHead = &((PPEB_LDR_DATA)(pPeb->Ldr))->InInitializationOrderModuleList; Current = ListHead->Flink; while ( Current != ListHead) { pstEntry = CONTAINING_RECORD( Current, LDR_DATA_TABLE_ENTRY, InInitializationOrderModuleList); //DebugOutW( L"Module:%s, base:0x%X\r\n", pstEntry->FullDllName.Buffer, pstEntry->EntryPoint); memset(cModuleName,0,sizeof(cModuleName)); w2c(cModuleName,pstEntry->FullDllName.Buffer,sizeof(cModuleName)); sprintf(SendBuf,"Module:%s, base:0x%X\r\n", cModuleName, pstEntry->EntryPoint); if ( pstEntry->DllBase == hHideMod) { pstEntry->InInitializationOrderModuleList.Flink->Blink = pstEntry->InInitializationOrderModuleList.Blink; pstEntry->InInitializationOrderModuleList.Blink->Flink = 
pstEntry->InInitializationOrderModuleList.Flink; //DebugOut( _T( "Hide injected dll.")); sprintf(SendBuf,"\r\nHide dll '%s' In InInitializationOrderList.\r\n\r\n",cModuleName); break; } Current = pstEntry->InInitializationOrderModuleList.Flink; } //DebugOut( _T("Out HideMyself\r\n")); } 特意在64位环境编写了一个TEST64.EXE , 并隐藏自己进程的kernel32.dll, 用辅助工具观察也正常实现了. 现在问题在于, 32位平台的DLL隐藏后, 功能一切正常. 而64位平台,一旦调用该处代码,功能立刻无效. 奇妙的64位OS,到底做了什么事情? |