[讨论]DKOM断链的恢复问题(已解决!)-编程技术-看雪-安全社区|安全招聘|kanxue.com

[讨论]DKOM断链的恢复问题(已解决!)

发表于: 2008-8-6 00:13 5748

[讨论]DKOM断链的恢复问题(已解决!)

qpSmallBoy 活跃值

活跃值

1

2008-8-6 00:13

5748

DKOM参见<Rootkits: Subverting the Windows Kernel>一书的第7章的"Hiding with DKOM "一节
断链隐藏进程无非就是将此进程的EPROCESS从链中分离出来:

[B]pList_Org = pList_Current;//pList_Org 是存放要隐藏进程的PLIST_ENTRY的全局变量用于以后恢复[/B]
 *( (DWORD*)pList_Current->Blink )     = (DWORD)pList_Current->Flink;
 *( (DWORD*)pList_Current->Flink + 1 ) = (DWORD)pList_Current->Blink;
 pList_Current->Flink = (PLIST_ENTRY)&( pList_Current->Flink );
 pList_Current->Blink = (PLIST_ENTRY)&( pList_Current->Flink );

如果我想再吧这个进程插入到这个双向链表中!这时我随便找个进程的EPROCESS
想把原来已经分离出去的进程插进来.
如下:

 *( (DWORD*)pList_Org->Flink )         = (DWORD)pList_Current->Flink;
 *( (DWORD*)pList_Current->Flink + 1)  = (DWORD)pList_Org;
 *( (DWORD*)pList_Org->Blink )         = (DWORD)pList_Current;
 *( (DWORD*)pList_Current->Flink )     = (DWORD)pList_Org;

蓝了!!!!
可不可以这样做?到底能还是不能插入到链表中?
大家看一下
已经解决,方法:

[COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR]
[COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']*( ([/FONT][/COLOR][COLOR=#0000FF][FONT='Times New Roman']DWORD[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']*)[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']pList_Org[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']->[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']Flink[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'] )           = ([/FONT][/COLOR][COLOR=#0000FF][FONT='Times New Roman']DWORD[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'])[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']pList_Current[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']->[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']Flink[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'];[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR]
[COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR][COLOR=#008000][FONT='Times New Roman']//*( (DWORD*)pList_Org->Blink )           = (DWORD)pList_Current;[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR]
[COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']pList_Org[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']->[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']Blink[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'] = ([/FONT][/COLOR][COLOR=#0000FF][FONT='Times New Roman']PLIST_ENTRY[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'])[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']pList_Current[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'];[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR]
[COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']*( ([/FONT][/COLOR][COLOR=#0000FF][FONT='Times New Roman']DWORD[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']*)[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']pList_Current[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman']->[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']Flink[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'] + [/FONT][/COLOR][COLOR=#808080][FONT='Times New Roman']1[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'])     = ([/FONT][/COLOR][COLOR=#0000FF][FONT='Times New Roman']DWORD[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'])[/FONT][/COLOR][COLOR=#00FFFF][FONT='Times New Roman']pList_Org[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'];[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR]
[COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR][COLOR=#008000][FONT='Times New Roman']//*( (DWORD*)pList_Current->Flink )        = (DWORD)pList_Org;[/FONT][/COLOR][COLOR=#808000][FONT='Times New Roman'][/FONT][/COLOR]

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入！

收藏・1

免费・0

支持

分享

最新回复 (3)
TGOS 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 69 粉丝 0 关注私信	TGOS 2 楼保存好原来的信息,恢复的时候往链表里多加一个节点,把信息写回去,应该可以恢复的. 2008-8-6 10:07 0
qpSmallBoy 雪币： 21 活跃值： (12) 能力值： ( LV4，RANK：50 ) 在线值：发帖 12 回帖 34 粉丝 0 关注私信	qpSmallBoy 1 3 楼吃了好几回蓝玻璃了!好像恢复不了 2008-8-6 11:01 0
ezme 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 35 粉丝 0 关注私信	ezme 4 楼真是asm式的c语言，看的我要吐血了 pList_Org->Flink = pList_Current->Flink; pList_Org->Blink = pList_Current; pList_Current->Flink = pList_Org; pList_Org->Flink->Blink = pList_Org; 2008-8-31 17:00 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

返回

qpSmallBoy

发帖

回帖

RANK

他的文章

看雪公众号

专注于PC、移动、智能设备安全研究及逆向工程的开发者社区

//