[Discussion] Hiding a process by modifying EPROCESS: can NtQuerySystemInformation still find it?
Posted: 2014-5-11 18:31 7279

If the ActiveProcessLinks list in the EPROCESS structure is modified to hide a process,

can NtQuerySystemInformation still detect the hidden process?

I don't know how NtQuerySystemInformation's process enumeration is implemented.

I'll run an experiment while waiting for your answers!

Latest replies (2)
In the WRK, NtQuerySystemInformation() takes the process snapshot via ExpGetProcessInformation(), which in turn repeatedly calls PsGetNextProcess() to enumerate the process list. The code of PsGetNextProcess() is as follows:
PEPROCESS
PsGetNextProcess (
    IN PEPROCESS Process
    )
/*++

Routine Description:

    This function allows code to enumerate all the active processes in the system.
    The first process (if Process is NULL) or subsequent process (if process not NULL) is returned on
    each call.
    If process is not NULL then this process must have previously been obtained by a call to PsGetNextProcess.
    Enumeration may be terminated early by calling PsQuitNextProcess on the last non-NULL process
    returned by PsGetNextProcess.

    Processes may be referenced and used later safely.

    For example, to enumerate all system processes in a loop use this code fragment:

    for (Process = PsGetNextProcess (NULL);
         Process != NULL;
         Process = PsGetNextProcess (Process)) {
         ...
         ...
         //
         // Early terminating conditions are handled like this:
         //
         if (NeedToBreakOutEarly) {
             PsQuitNextProcess (Process);
             break;
         }
    }
    

Arguments:

    Process - Process to get the next process from or NULL for the first process

Return Value:

    PEPROCESS - Next process or NULL if no more processes available

--*/
{
    PEPROCESS NewProcess = NULL;
    PETHREAD CurrentThread;
    PLIST_ENTRY ListEntry;

    CurrentThread = PsGetCurrentThread ();

    PspLockProcessList (CurrentThread);

    for (ListEntry = (Process == NULL) ? PsActiveProcessHead.Flink : Process->ActiveProcessLinks.Flink;
         ListEntry != &PsActiveProcessHead;
         ListEntry = ListEntry->Flink) {

        NewProcess = CONTAINING_RECORD (ListEntry, EPROCESS, ActiveProcessLinks);

        //
        // Processes are removed from this list during process objected deletion (object reference count goes
        // to zero). To prevent double deletion of the process we need to do a safe reference here.
        //
        if (ObReferenceObjectSafe (NewProcess)) {
            break;
        }
        NewProcess = NULL;
    }
    PspUnlockProcessList (CurrentThread);

    if (Process != NULL) {
        ObDereferenceObject (Process);
    }

    return NewProcess;
}

So breaking ActiveProcessLinks does prevent ring 3 from discovering the target process through NtQuerySystemInformation(); in practice the process is hidden from Task Manager, but it cannot defeat crude ring-3 tricks such as enumerating PIDs.
2014-5-11 23:03
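As an added example (not code from this thread or from the WRK), a user-mode cross-check in Python that relies on exactly the asymmetry phpskycn describes: NtQuerySystemInformation walks PsActiveProcessHead, whereas OpenProcess resolves a PID through the kernel's PID handle table, so a process unlinked from ActiveProcessLinks appears in the second set but not the first. The probe bound MAX_PID and the choice of PROCESS_QUERY_LIMITED_INFORMATION as the access right are assumptions; the UniqueProcessId offsets are the documented x86/x64 layouts of SYSTEM_PROCESS_INFORMATION.

```python
import ctypes
import struct

SystemProcessInformation, STATUS_INFO_LENGTH_MISMATCH = 5, 0xC0000004
PROCESS_QUERY_LIMITED_INFORMATION, ERROR_ACCESS_DENIED = 0x1000, 5
# Offset of UniqueProcessId in SYSTEM_PROCESS_INFORMATION: 0x50 on x64, 0x44 on x86.
PID_OFFSET, PID_FMT = (0x50, "<Q") if ctypes.sizeof(ctypes.c_void_p) == 8 else (0x44, "<I")
MAX_PID = 0x10000  # assumed upper bound for the PID scan; raise it on busy systems

def snapshot_pids():
    """PIDs as NtQuerySystemInformation reports them, i.e. by walking PsActiveProcessHead."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQuerySystemInformation.restype = ctypes.c_ulong
    size = ctypes.c_ulong(0x10000)
    while True:
        buf = ctypes.create_string_buffer(size.value)
        status = ntdll.NtQuerySystemInformation(SystemProcessInformation, buf, size, ctypes.byref(size))
        if status != STATUS_INFO_LENGTH_MISMATCH:
            break
        size.value += 0x10000  # ReturnLength is only a hint; leave slack for new processes
    if status != 0:
        raise OSError("NtQuerySystemInformation failed: 0x%08X" % status)
    pids, offset = set(), 0
    while True:  # entries are chained through NextEntryOffset; 0 marks the last one
        pids.add(struct.unpack_from(PID_FMT, buf, offset + PID_OFFSET)[0])
        next_off = struct.unpack_from("<I", buf, offset)[0]
        if next_off == 0:
            return pids
        offset += next_off

def probe_pids(max_pid=MAX_PID):
    """PIDs that OpenProcess accepts: resolved via the kernel's PID handle table, not the list."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = (ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong)
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    found = set()
    for pid in range(4, max_pid, 4):  # process IDs are always multiples of 4
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if handle:
            k32.CloseHandle(handle)
            found.add(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            found.add(pid)  # the PID exists (e.g. a protected process); we just cannot open it
    return found

def hidden_pids(before, probe, after):
    # Opened by PID yet listed in neither snapshot (taken before and after the scan, so a
    # process that merely started mid-scan is not reported): candidate hidden process.
    return sorted(pid for pid in probe if pid not in before and pid not in after)
```

On Windows, call snapshot_pids(), probe_pids() and snapshot_pids() again in that order and pass the three results to hidden_pids(); a non-empty result is what a process unlinked from ActiveProcessLinks looks like from ring 3.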
phpskycn, thanks for your help ^ ^
My experiment confirmed exactly what you said!
2014-5-13 21:31