只要运行 ShowProcess.exe就可显示隐藏的进程。。
比如,先运行ImportREC.exe再运行ShowProcess.exe,就可以找到隐藏的进程
#include <Windows.h>
#include <Psapi.h>
#pragma comment (lib,"Psapi.lib")
int ShowProcess(HANDLE hd,DWORD address);
void main_()
{
DWORD dll;
DWORD aProcesses[1024], cbNeeded;
int cProcesses,i;
HANDLE hProcess;
dll =(DWORD)GetProcAddress(LoadLibrary("ntdll.dll"),"ZwOpenProcess");
if( !EnumProcesses(aProcesses,sizeof(aProcesses), &cbNeeded))
{
return;
}
cProcesses = cbNeeded / sizeof(DWORD);
for(i=0;i<cProcesses;i++)
{
hProcess=OpenProcess( PROCESS_VM_WRITE| PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION| PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,
FALSE, aProcesses[i]);
if(hProcess==NULL)
continue;
ShowProcess(hProcess,dll);
}
}
int ShowProcess(HANDLE hd,DWORD address)
{
DWORD old;
SIZE_T read;
char befor[10];
ReadProcessMemory(hd,(LPCVOID)address,befor,5,&read);
if((UCHAR)*befor!=0xb8 && (UCHAR)*(befor+1)!=0x80)
{
ZeroMemory(befor,10);
*befor=0xb8;
*(befor+1)=0x80;
VirtualProtectEx((HANDLE)hd,(LPVOID)address,5,PAGE_EXECUTE_READWRITE,&old);
WriteProcessMemory((HANDLE)hd,(LPVOID)address,befor,5,&read);
VirtualProtectEx((HANDLE)hd,(LPVOID)address,5,old,&old);
}
return 0;
}
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
编译为DLL挂到importrem或者lordpe 上不是更好。
