显示被EncryptPE 隐藏的进程,附源代码
发表于:
2006-5-27 16:47
9560
只要运行 ShowProcess.exe 就可以显示被隐藏的进程。
比如，先运行 ImportREC.exe 再运行 ShowProcess.exe，就可以找到被隐藏的进程。
#include <Windows.h>
#include <Psapi.h>
#pragma comment (lib,"Psapi.lib")
int ShowProcess(HANDLE hd,DWORD address);
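/*
 * Walk every process the caller can open and hand each handle to
 * ShowProcess(), which rewrites the first bytes of ntdll!ZwOpenProcess
 * in that process (see ShowProcess for exactly what is written).
 *
 * Changes from the original: LoadLibrary/GetProcAddress results are
 * checked before the address is used, every process handle is closed
 * after use (the original leaked one handle per process), and
 * PROCESS_CREATE_THREAD is no longer requested because nothing in
 * ShowProcess creates a thread — request only the rights that are used.
 */
void main_()
{
    DWORD aProcesses[1024], cbNeeded;
    int cProcesses, i;
    HANDLE hProcess;
    HMODULE ntdll;
    DWORD dll;

    /* The post resolves ZwOpenProcess in this process and reuses the
       address in every other process; this relies on ntdll.dll being
       mapped at the same base everywhere (true on the 2006-era systems
       the post targets, not something the code verifies). */
    ntdll = LoadLibrary("ntdll.dll");
    if (ntdll == NULL) {
        return;
    }
    dll = (DWORD)GetProcAddress(ntdll, "ZwOpenProcess");
    if (dll == 0) {
        return;
    }

    /* NOTE(review): if more than 1024 PIDs exist, EnumProcesses silently
       truncates (cbNeeded == sizeof aProcesses); the tail is skipped. */
    if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded)) {
        return;
    }
    cProcesses = cbNeeded / sizeof(DWORD);

    for (i = 0; i < cProcesses; i++) {
        /* Read for the prologue check, write + operation for the patch
           and the VirtualProtectEx calls, query for the open itself. */
        hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION |
                               PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                               FALSE, aProcesses[i]);
        if (hProcess == NULL) {
            continue;   /* e.g. System/Idle or a process we lack rights to */
        }
        ShowProcess(hProcess, dll);
        CloseHandle(hProcess);
    }
}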
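/*
 * Put back the first bytes of ZwOpenProcess in process `hd` so that a
 * hook installed there (EncryptPE's, according to the post) no longer
 * hides processes from enumeration.
 *
 * hd      - handle with VM_READ, VM_WRITE and VM_OPERATION access.
 * address - address of ntdll!ZwOpenProcess as resolved by the caller.
 * Returns 0 when the stub is intact or was restored, -1 when it could
 * not be read, unprotected or written.
 *
 * Changes from the original: the ReadProcessMemory result is checked
 * before the bytes are inspected; a hook is recognised when EITHER of
 * the first two bytes differs (the original '&&' only restored when
 * both differed, so a hook that happened to keep the second byte was
 * left in place); VirtualProtectEx is checked before writing and the
 * previous protection is always restored, even if the write fails.
 */
int ShowProcess(HANDLE hd, DWORD address)
{
    /* Prologue the post expects: b8 80 00 00 00 = "mov eax, 0x80", the
       system-call number hard-coded here.  NOTE(review): that number is
       not the same on every Windows version; writing it on a system whose
       ZwOpenProcess uses a different number breaks the call in every
       patched process.  Compare against the local ntdll before running. */
    static const unsigned char expected[5] = { 0xb8, 0x80, 0x00, 0x00, 0x00 };
    unsigned char current[5];
    SIZE_T done = 0;
    DWORD old = 0;
    int rc = 0;

    if (!ReadProcessMemory(hd, (LPCVOID)address, current, sizeof current, &done) ||
        done != sizeof current) {
        return -1;
    }
    if (current[0] == expected[0] && current[1] == expected[1]) {
        return 0;   /* first two bytes already match: nothing to restore */
    }
    if (!VirtualProtectEx(hd, (LPVOID)address, sizeof expected,
                          PAGE_EXECUTE_READWRITE, &old)) {
        return -1;
    }
    if (!WriteProcessMemory(hd, (LPVOID)address, expected, sizeof expected, &done) ||
        done != sizeof expected) {
        rc = -1;
    }
    /* Restore the page protection regardless of the write outcome. */
    VirtualProtectEx(hd, (LPVOID)address, sizeof expected, old, &old);
    return rc;
}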