从任务管理器中隐藏进程
【中文标题】从任务管理器中隐藏进程【英文标题】:Hide a process from Task Manager 【发布时间】:2015-11-06 17:06:55 【问题描述】:我试图对任务管理器隐藏一个进程,但它不起作用。我不明白为什么...
提前感谢您的帮助...!
这是我注入 hider_dll.dll 的函数:
// Loads the DLL whose path is `dll` into a process with the
// OpenProcess / VirtualAllocEx / WriteProcessMemory / CreateRemoteThread(LoadLibraryA)
// sequence. As posted the pid comes from getpid(), i.e. the calling process
// itself. The braces of the original were lost in the paste and the code is
// reproduced exactly as posted, so the `return 0;` lines that were meant to
// sit inside the else branches appear unconditional here.
// Intended result: 1 once the remote LoadLibraryA call has finished, 0 if
// OpenProcess or CreateRemoteThread fails.
// For defenders: a cross-process memory write followed by a remote thread
// whose start address is LoadLibraryA is the well-known fingerprint of this
// technique; every step goes through a documented, auditable API.
int Inject(char* dll)
// getpid() is the current process id, so the target is this process.
int pid = getpid();
// Requests full access to the target.
HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if(hProc)
cout<<"OpenProcess success"<<endl;
else
cout<<"OpenProcess failed..."<<endl;
return 0;
// Reserve strlen(dll)+1 bytes in the target for the NUL-terminated path.
LPVOID Vmem=VirtualAllocEx(hProc,0,strlen(dll)+1,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
DWORD wrt;
// Copies strlen(dll) bytes, one short of the terminator allocated above
// (the comment thread on this question points that out).
WriteProcessMemory(hProc,Vmem,dll,strlen(dll),(SIZE_T*)&wrt);
stringstream sstr;
sstr << wrt;
string str = sstr.str();
cout<<"Writed "+str+" bytes"<<endl;
// LoadLibraryA is resolved in this process and reused as the remote
// thread's start routine, with Vmem (the path) as its argument.
FARPROC LoadLib=GetProcAddress(LoadLibrary(L"kernel32.dll"),"LoadLibraryA");
HANDLE h=CreateRemoteThread(hProc,0,0,(LPTHREAD_START_ROUTINE)LoadLib,Vmem,0,0);
if(h)
cout<<"CreateRemoteThread success"<<endl;
else
cout<<"CreateRemoteThread failed\r\nError:"<<GetLastError()<<endl;
return 0;
// Block until the remote thread ends, then print its exit code (the value
// LoadLibraryA returned). Neither h nor hProc is closed.
WaitForSingleObject(h,INFINITE);
DWORD exit;
GetExitCodeThread(h,&exit);
cout<<"Dll loaded to "<<exit<<endl;
return 1;
【问题讨论】:
一方面,您没有复制 dll 指向的字符串末尾的终止符。尝试将其设为 strlen(dll)+1。
【参考方案1】:
这是一个合适的注入器:
#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
// Returns the process id of the first running process whose executable name
// equals procName (case-insensitive, via _stricmp), or 0 if no such process
// exists or the Toolhelp snapshot could not be taken.
// Braces were lost in the paste; the code is reproduced as posted.
DWORD GetProcId(const char* procName)
DWORD procId = 0;
// Snapshot of every process on the system.
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnap != INVALID_HANDLE_VALUE)
PROCESSENTRY32 procEntry;
// Process32First expects dwSize to be filled in before the call.
procEntry.dwSize = sizeof(procEntry);
if (Process32First(hSnap, &procEntry))
do
// First name match wins; the loop stops there.
if (!_stricmp(procEntry.szExeFile, procName))
procId = procEntry.th32ProcessID;
break;
while (Process32Next(hSnap, &procEntry));
CloseHandle(hSnap);
return procId;
// Injector entry point. Polls GetProcId every 30 ms until a process named
// procName exists, opens it with PROCESS_ALL_ACCESS, copies dllPath (including
// its terminator) into a MAX_PATH-byte allocation in that process, and starts
// a remote thread at LoadLibraryA with that buffer as the argument. Both
// handles are closed before returning 0.
// Braces were lost in the paste; the code is reproduced as posted.
int main()
// Hard-coded inputs; both are placeholders in the answer.
const char* dllPath = "C:\\Users\\'%USERNAME%'\\Desktop\\dll.dll"; // path of the DLL to load
const char* procName = "processname.exe"; // image name of the target process
DWORD procId = 0;
// Polling loop, 30 ms per iteration, until the target process appears.
while (!procId)
procId = GetProcId(procName);
Sleep(30);
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, procId);
if (hProc && hProc != INVALID_HANDLE_VALUE)
// MAX_PATH bytes are committed regardless of the actual path length.
void* loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// strlen + 1 so the NUL terminator is copied as well.
WriteProcessMemory(hProc, loc, dllPath, strlen(dllPath) + 1, 0);
// The remote thread runs LoadLibraryA(loc) inside the target.
HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);
if (hThread)
CloseHandle(hThread);
// Re-check of hProc is redundant after the test above.
if (hProc)
CloseHandle(hProc);
return 0;
要从任务管理器中隐藏进程,您需要挂钩 NtQuerySystemInformation(),如果使用参数 SYSTEM_PROCESS_INFORMATION,则需要从进程链接列表中删除您的进程。
这就是你的钩子的样子:
// Hooked function
// Replacement for NtQuerySystemInformation, presumably installed by the
// injected DLL (neither the hook installation nor the definitions of
// OriginalNtQuerySystemInformation and PMY_SYSTEM_PROCESS_INFORMATION appear
// on this page). It forwards to the original first and, only when the request
// was SystemProcessInformation and succeeded, walks the entry chain in the
// caller's buffer and unlinks every entry whose ImageName matches the
// hard-coded L"notepad.exe" by folding its NextEntryOffset into the previous
// entry. Only the buffer handed back to this caller is edited, so the effect
// is presumably limited to processes in which the hooking DLL is loaded; an
// unhooked caller still receives the full list.
// Returns the status of the original call unchanged.
// Braces were lost in the paste; the code is reproduced as posted.
NTSTATUS WINAPI HookedNtQuerySystemInformation(
__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
__inout PVOID SystemInformation,
__in ULONG SystemInformationLength,
__out_opt PULONG ReturnLength
)
// Let the real function fill the buffer before filtering it.
NTSTATUS status = OriginalNtQuerySystemInformation(SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)
// Loop through the list of processes
PMY_SYSTEM_PROCESS_INFORMATION pCurrent = NULL;
PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)
SystemInformation;
do
pCurrent = pNext;
// Entries are chained by a byte offset from the current entry.
pNext = (PMY_SYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->
NextEntryOffset);
// Compare the entry's ImageName against the hard-coded name; as posted the
// count passed to wcsncmp is ImageName.Length.
if (!wcsncmp(pNext->ImageName.Buffer, L"notepad.exe", pNext->ImageName.Length))
// Unlink pNext: either end the chain at pCurrent or skip over pNext.
if (!pNext->NextEntryOffset)
pCurrent->NextEntryOffset = 0;
else
pCurrent->NextEntryOffset += pNext->NextEntryOffset;
pNext = pCurrent;
while (pCurrent->NextEntryOffset != 0);
return status;
【讨论】:
PS:你也可以通过操作 EPROCESS 的 Flink 和 Blink 字段来进行 DKOM(从驱动程序中),尽管 PatchGuard 会捕获它。