网上很多隐藏进程的代码
例如,我要隐藏记事本。。我开6个就有3个隐藏不了,代码如下
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
NTSTATUS ntStatus;
UNICODE_STRING _ProName;
ntStatus = (RealZwQuerySystemInformation)(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength );
RtlInitUnicodeString(&_ProName,L"notepad.exe");
if( NT_SUCCESS(ntStatus))
{
if(SystemInformationClass == 5)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
while(curr)
{
if (curr->ProcessName.Buffer != NULL /*&& ProName != NULL*/)
{
//if(0 == memcmp(curr->ProcessName.Buffer,ProName, wcslen(ProName)))
if(RtlCompareUnicodeString(&_ProName, &curr->ProcessName, 1) == 0)
{
if(prev)
{
if(curr->NextEntryDelta) //要删除的信息在中间
prev->NextEntryDelta += curr->NextEntryDelta;
else //要删除的信息在末尾
prev->NextEntryDelta = 0;
}
else
{
if(curr->NextEntryDelta) ////要删除的信息在开头
(char *)SystemInformation += curr->NextEntryDelta;
else
SystemInformation = NULL;
}
if(curr->NextEntryDelta) //如果链下一个还有其他的进程信息,指针往后移
((char*)curr+=curr->NextEntryDelta);
else
{
curr = NULL;
break;
}
}
}
if (curr!=NULL)
{
prev = curr;
if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
}
}
return ntStatus;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
