记录一下关于进程隐藏中"摘链"(从活动进程链表中摘除 EPROCESS)操作需要注意的问题


隐藏进程的方法有很多:抹除句柄表项、抹除 csrss 中登记的进程信息、把 EPROCESS 从 PsActiveProcessHead 活动进程链表中摘除(摘链)等等。今天记录一下摘链时需要注意的问题。


网上有很多摘链的 DEMO,但稳定性往往不佳,时不时就会蓝屏。


原因在于,很多代码只是简单地把目标进程从链表上拆下来,却没有考虑到系统自身也会并发地操作这条链表,而且进程退出时系统还会再次处理这个链表项。先看一下 WRK 中销毁进程的操作:


目录:WRK-v1.2\base\ntos\ps\psdelete.c 中的PspProcessDelete函数





//
// PspProcessDelete
//
// Tears down an EPROCESS object: unlinks it from the active-process list,
// releases the objects it still references (job, ports, section, handle
// table, address space), removes its PID from PspCidTable and returns its
// quota. The (IN PVOID Object) signature matches an object-manager delete
// procedure, so this presumably runs when the last reference to the process
// object goes away -- confirm against the process object type initialisation.
//
// Object - the EPROCESS being destroyed, passed untyped and cast below.
//
// Returns nothing. Bugchecks with CID_HANDLE_DELETION if the PID cannot be
// removed from PspCidTable.
//
// Statement order is deliberate: the list unlink happens first (under
// PspActiveProcessMutex), the handle table and address space are destroyed
// while attached to the process, and the PID table entry is removed only
// after that.
//
VOID
PspProcessDelete(
    IN PVOID Object
    )
{
    PEPROCESS Process;
    PETHREAD CurrentThread;
    KAPC_STATE ApcState;

    PAGED_CODE();

    Process = (PEPROCESS)Object;

    //
    // Zero the GrantedAccess field so the system will not panic
    // when this process is missing from the PsActiveProcess list
    // but is still found in the CID table.
    //
    // (Note the implication for "hidden" processes: being absent from the
    // active list is a state the kernel tolerates, but the PID table entry
    // still exists until ExDestroyHandle below, so PID-based lookups can
    // still reach the process.)
    //

#if defined(_AMD64_)

    Process->GrantedAccess = 0;

#endif

    //
    // Remove the process from the global list
    //
    // The unlink is done only under PspLockProcessList / PspUnlockProcessList,
    // i.e. in a guarded region with PspActiveProcessMutex held. Any other code
    // that edits ActiveProcessLinks (e.g. a DKOM unlinker) has to take the
    // same lock sequence or it races with this path.
    //
    // NOTE(review): the only guard is Flink != NULL. A process that was
    // already unlinked by a third party but whose Flink/Blink were left
    // pointing at its former neighbours is treated as still linked and
    // RemoveEntryList runs on it again, writing through those stale
    // pointers -- the neighbours may have exited since. An unlinker that
    // needs to survive process exit should presumably either set Flink to
    // NULL or point Flink/Blink at the entry itself (RemoveEntryList's body
    // is not shown here; verify which is safe).
    //
    if (Process->ActiveProcessLinks.Flink != NULL) {
        CurrentThread = PsGetCurrentThread ();

        PspLockProcessList (CurrentThread);
        RemoveEntryList (&Process->ActiveProcessLinks);
        PspUnlockProcessList (CurrentThread);
    }

    //
    // Release the audit copy of the image file name, if one was recorded.
    //
    if (Process->SeAuditProcessCreationInfo.ImageFileName != NULL) {
        ExFreePool (Process->SeAuditProcessCreationInfo.ImageFileName);
        Process->SeAuditProcessCreationInfo.ImageFileName = NULL;
    }

    //
    // Detach from the job object (deferred delete, since we may be running
    // in a context where a synchronous object delete is undesirable).
    //
    if (Process->Job != NULL) {
        PspRemoveProcessFromJob (Process->Job, Process);
        ObDereferenceObjectDeferDelete (Process->Job);
        Process->Job = NULL;
    }

    KeTerminateProcess (&Process->Pcb);


    //
    // Drop the debug, exception and section object references; each field
    // is cleared so a later pass cannot dereference it twice.
    //
    if (Process->DebugPort != NULL) {
        ObDereferenceObject (Process->DebugPort);
        Process->DebugPort = NULL;
    }
    if (Process->ExceptionPort != NULL) {
        ObDereferenceObject (Process->ExceptionPort);
        Process->ExceptionPort = NULL;
    }

    if (Process->SectionObject != NULL) {
        ObDereferenceObject (Process->SectionObject);
        Process->SectionObject = NULL;
    }

    PspDeleteLdt (Process );
    PspDeleteVdmObjects (Process);

    //
    // Destroy the handle table while attached to the process's address
    // space; ObKillProcess presumably needs the process context.
    //
    if (Process->ObjectTable != NULL) {
        KeStackAttachProcess (&Process->Pcb, &ApcState);
        ObKillProcess (Process);
        KeUnstackDetachProcess (&ApcState);
    }


    if (Process->Flags&PS_PROCESS_FLAGS_HAS_ADDRESS_SPACE) {

        //
        // Clean address space of the process
        //

        KeStackAttachProcess (&Process->Pcb, &ApcState);

        PspExitProcess (FALSE, Process);

        KeUnstackDetachProcess (&ApcState);

        MmDeleteProcessAddressSpace (Process);
    }

    //
    // Remove the PID from the CID table. Failure here is treated as fatal
    // (CID_HANDLE_DELETION bugcheck) rather than leaked, so anything that
    // has tampered with the PspCidTable entry for this process will bring
    // the system down at process exit.
    //
    if (Process->UniqueProcessId) {
        if (!(ExDestroyHandle (PspCidTable, Process->UniqueProcessId, NULL))) {
            KeBugCheck (CID_HANDLE_DELETION);
        }
    }

    PspDeleteProcessSecurity (Process);


    //
    // Working-set watch buffer: free it and give back the non-paged pool
    // quota that was charged for it.
    //
    if (Process->WorkingSetWatch != NULL) {
        ExFreePool (Process->WorkingSetWatch);
        PsReturnProcessNonPagedPoolQuota (Process, WS_CATCH_SIZE);
    }

    ObDereferenceDeviceMap (Process);
    PspDereferenceQuota (Process);

#if !defined(_X86_) && !defined(_AMD64_)
    {
        //
        // Free any alignment exception tracking structures that might
        // have been around to support a user-mode debugger.
        //

        PALIGNMENT_EXCEPTION_TABLE ExceptionTable;
        PALIGNMENT_EXCEPTION_TABLE NextExceptionTable;

        ExceptionTable = Process->Pcb.AlignmentExceptionTable;
        while (ExceptionTable != NULL) {

            // Read the next link before freeing the current node.
            NextExceptionTable = ExceptionTable->Next;
            ExFreePool( ExceptionTable );
            ExceptionTable = NextExceptionTable;
        }
    }
#endif

}

可以看到,RemoveEntryList 的前后分别是 PspLockProcessList 加锁和 PspUnlockProcessList 解锁的操作。PspLockProcessList 的代码在 psp.h 中:




//
// PspLockProcessList
//
// Takes the lock that serialises edits to the active-process list for the
// calling thread. Two ordered steps: enter a guarded region on the thread,
// then acquire PspActiveProcessMutex with the "unsafe" variant (which is
// only valid because the guarded region has already been entered). The
// matching unlock -- presumably PspUnlockProcessList -- has to undo these
// in reverse order.
//
// CurrentThread - the calling thread, as returned by PsGetCurrentThread().
//
VOID
FORCEINLINE
PspLockProcessList (
    IN PETHREAD CurrentThread
    )
{
    PETHREAD Self;

    Self = CurrentThread;

    //
    // Step 1: guarded region first, so no APC can interrupt us while the
    // mutex is held.
    //
    KeEnterGuardedRegionThread (&Self->Tcb);

    //
    // Step 2: the list mutex itself.
    //
    KeAcquireGuardedMutexUnsafe (&PspActiveProcessMutex);
}

KeEnterGuardedRegionThread 定义在 WRK-v1.2\base\ntos\inc\kx.h 中,这里就不一一列出来了,可以自己查看。




仅仅一个摘链操作,系统就要先进入 guarded region(关闭 APC 投递,防止摘链过程被打断),再获取 PspActiveProcessMutex,目的是与其他正在修改或遍历这条链表的代码互斥——不只是多核并发,同一 CPU 上的抢占/APC 也会让无锁的摘链出问题。所以自己操作系统链表时必须走同样的加锁序列:进入 guarded region、获取 PspActiveProcessMutex、RemoveEntryList、再按相反顺序释放。另外还要注意 PspProcessDelete 只根据 ActiveProcessLinks.Flink 是否为 NULL 来判断要不要再摘一次链:如果摘链后把 Flink/Blink 原样留在那里指向旧的邻居,目标进程退出时系统会再次对这两个(可能早已释放的)邻居写入链表指针,这正是很多 DEMO 时不时蓝屏的原因;摘链后应把 Flink 置 NULL 或让 Flink/Blink 指向自身,避免产生不必要的麻烦。


本文也没啥技术含量,主要是我个人记忆力差,图个方便,做下记录~