A quick try at hiding a process with Frida

Hook NtQuerySystemInformation

NtQuerySystemInformation

```cpp
NTSTATUS NTAPI NtQuerySystemInformation(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);
```

This function lives in ntdll.dll. The first parameter selects the information class to query; when it is SystemProcessInformation (0x5) the call returns information about every process on the system, and the buffer passed as the second parameter is filled with an array of SYSTEM_PROCESS_INFORMATION structures.

SYSTEM_PROCESS_INFORMATION.NextEntryOffset is the offset from the current entry to the next one in the array (entries are not a fixed size). A value of 0 marks the last node. For example, the following prints the image names of all processes:

```cpp
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#include <stdlib.h>

typedef NTSTATUS (NTAPI *NT_QUERY_SYSTEM_INFORMATION)(
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);

int main(void)
{
    // A fixed buffer of 0x1000 structures is plenty for a typical desktop.
    // If it were too small the call would fail with STATUS_INFO_LENGTH_MISMATCH.
    SYSTEM_PROCESS_INFORMATION *spi = new SYSTEM_PROCESS_INFORMATION[0x1000];
    ULONG leng = 0;
    NT_QUERY_SYSTEM_INFORMATION nt_query_system_information =
        (NT_QUERY_SYSTEM_INFORMATION)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtQuerySystemInformation");
    NTSTATUS status = nt_query_system_information(SystemProcessInformation, spi,
                                                  sizeof(SYSTEM_PROCESS_INFORMATION) * 0x1000, &leng);
    if (!NT_SUCCESS(status)) {
        printf("NtQuerySystemInformation failed: 0x%08lx\n", (unsigned long)status);
        delete[] spi;
        return 1;
    }

    auto ptr = spi;
    for (;;) {
        // ImageName is a UNICODE_STRING and need not be NUL-terminated: print Length/2 characters.
        // The Idle process (first entry) has an empty name and is skipped.
        if (ptr->ImageName.Length) {
            wprintf(L"%.*s\n", (int)(ptr->ImageName.Length / sizeof(WCHAR)), ptr->ImageName.Buffer);
        }
        // NextEntryOffset == 0 marks the last node, which still has to be processed.
        if (ptr->NextEntryOffset == 0) break;
        ptr = (SYSTEM_PROCESS_INFORMATION *)((BYTE *)ptr + ptr->NextEntryOffset);
    }

    delete[] spi;
    system("pause");
    return 0;
}
```

Hiding a process therefore comes down to rewriting SYSTEM_PROCESS_INFORMATION.NextEntryOffset of the preceding entry so that the node of the process to be hidden is skipped.

Frida JS

```javascript
var query_info_func = Module.findExportByName('ntdll.dll', 'NtQuerySystemInformation');
Interceptor.attach(query_info_func, {
    onEnter: function (args) {
        // SystemProcessInformation == 5; args[0] is a NativePointer, so compare its value
        if (args[0].toInt32() === 5) {
            this.work = true;
            this.si = args[1];
        }
    },
    onLeave: function (retval) {
        // Only touch the buffer when the call succeeded (STATUS_SUCCESS == 0);
        // on STATUS_INFO_LENGTH_MISMATCH the caller retries with a bigger buffer.
        if (!this.work || retval.toInt32() !== 0) {
            return;
        }
        var cur = this.si;
        var prev = null;
        while (true) {
            var next_offset = Memory.readU32(cur);
            // Offset 64 is ImageName.Buffer on Win10 x64 (ImageName starts at 0x38);
            // the Idle process entry has a NULL buffer.
            var name_ptr = Memory.readPointer(cur.add(64));
            var image_name = name_ptr.isNull() ? "" : Memory.readUtf16String(name_ptr);
            // hide powershell (the first entry has no predecessor and cannot be unlinked)
            if (image_name == "powershell.exe" && prev !== null) {
                // Point the previous node past this one; if this was the tail,
                // the previous node becomes the tail.
                var new_offset = next_offset === 0 ? 0 : cur.add(next_offset).sub(prev).toInt32();
                Memory.writeU32(prev, new_offset);
            } else {
                prev = cur; // a hidden node must never become the predecessor
            }
            // NextEntryOffset == 0 marks the last node
            if (next_offset === 0) {
                break;
            }
            cur = cur.add(next_offset);
        }
    }
});
```
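The list walk described above and the unlink the hook performs can be exercised without Windows. The following is an added example, not code from the original post: it builds a constructed SYSTEM_PROCESS_INFORMATION list in a byte buffer using the Win10 x64 field offsets (NextEntryOffset at 0x00, ImageName at 0x38 with Buffer at 0x40, UniqueProcessId at 0x50, 0x100-byte header), walks it correctly (including the last node), unlinks one entry the way the Frida script does, and then shows the check a defender would run: comparing the PIDs reachable through the list with a PID set obtained independently. On Windows that independent set would come from something like OpenProcess over candidate PIDs, which does not go through the hooked call; here it is simply the constructed list. All PIDs and names are made up.

```c
/* Added example (not from the original post): portable simulation of the
 * SYSTEM_PROCESS_INFORMATION list, the hook's unlink, and a cross-view check.
 * Offsets are the Win10 x64 ones; the process list itself is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFF_NEXT 0x00     /* ULONG NextEntryOffset */
#define OFF_NAME_LEN 0x38 /* UNICODE_STRING ImageName: USHORT Length */
#define OFF_NAME_BUF 0x40 /* UNICODE_STRING ImageName: PWSTR Buffer */
#define OFF_PID 0x50      /* HANDLE UniqueProcessId */
#define ENTRY_HDR 0x100   /* sizeof(SYSTEM_PROCESS_INFORMATION) on x64 */
#define MAX_PROCS 16

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Write one entry: 0x100-byte header followed by the UTF-16 image name, the way
 * the kernel packs the string into the same entry. Returns the entry size. */
static uint32_t put_entry(uint8_t *buf, uint32_t pid, const char *name, int last) {
    size_t n = strlen(name), i;
    uint32_t size = (uint32_t)(ENTRY_HDR + (n + 1) * 2);
    size = (size + 7) & ~7u; /* keep entries 8-byte aligned */
    memset(buf, 0, size);
    for (i = 0; i < n; i++) wr16(buf + ENTRY_HDR + 2 * i, (uint16_t)name[i]);
    wr32(buf + OFF_NEXT, last ? 0 : size);
    wr16(buf + OFF_NAME_LEN, (uint16_t)(n * 2)); /* Length is in bytes */
    /* the Idle process entry really has a NULL ImageName.Buffer */
    wr64(buf + OFF_NAME_BUF, n ? (uint64_t)(uintptr_t)(buf + ENTRY_HDR) : 0);
    wr64(buf + OFF_PID, pid);
    return size;
}

/* Copy an entry's image name to ASCII (empty for a NULL buffer). */
static void entry_name(const uint8_t *e, char *out, size_t cap) {
    uint16_t len, wc; size_t n, i;
    const uint8_t *w = (const uint8_t *)(uintptr_t)rd64(e + OFF_NAME_BUF);
    memcpy(&len, e + OFF_NAME_LEN, 2);
    n = w ? len / 2 : 0;
    if (n >= cap) n = cap - 1;
    for (i = 0; i < n; i++) { memcpy(&wc, w + 2 * i, 2); out[i] = (char)wc; }
    out[n] = 0;
}

/* Walk the list like a consumer does; the tail (NextEntryOffset == 0) is visited too. */
static int walk(const uint8_t *buf, uint32_t pids[], int max) {
    const uint8_t *p = buf; int n = 0;
    for (;;) {
        uint32_t next = rd32(p + OFF_NEXT);
        if (n < max) pids[n] = (uint32_t)rd64(p + OFF_PID);
        n++;
        if (next == 0) return n;
        p += next;
    }
}

/* What the hook does: make the predecessor's NextEntryOffset skip the target
 * (or turn the predecessor into the tail). The first entry has no predecessor. */
static int hide_by_name(uint8_t *buf, const char *target) {
    uint8_t *prev = NULL, *cur = buf; char name[64];
    for (;;) {
        uint32_t next = rd32(cur + OFF_NEXT);
        entry_name(cur, name, sizeof name);
        if (prev && strcmp(name, target) == 0) {
            wr32(prev + OFF_NEXT, next ? (uint32_t)((cur + next) - prev) : 0);
            return 1;
        }
        if (next == 0) return 0;
        prev = cur; cur += next;
    }
}

/* Defender check: PIDs known from an independent source that the list never reaches.
 * Returns how many were missing and copies them to `missing`. */
static int cross_view(const uint8_t *buf, const uint32_t *indep, int n_indep,
                      uint32_t *missing, int max) {
    uint32_t seen[MAX_PROCS]; int n_seen = walk(buf, seen, MAX_PROCS), m = 0, i, j;
    if (n_seen > MAX_PROCS) n_seen = MAX_PROCS;
    for (i = 0; i < n_indep; i++) {
        for (j = 0; j < n_seen && seen[j] != indep[i]; j++) {}
        if (j == n_seen && m < max) missing[m++] = indep[i];
    }
    return m;
}

/* Constructed process list: PIDs and names are made up. */
static const uint32_t g_pids[] = { 0, 4, 1234, 5678, 9012 };
static const char *g_names[] = { "", "System", "explorer.exe", "powershell.exe", "notepad.exe" };
#define NPROC 5
static uint8_t g_buf[MAX_PROCS * 0x200];

static void build_list(void) {
    uint8_t *p = g_buf; int i;
    for (i = 0; i < NPROC; i++) p += put_entry(p, g_pids[i], g_names[i], i == NPROC - 1);
}

int visible_count(void) { uint32_t pids[MAX_PROCS]; build_list(); return walk(g_buf, pids, MAX_PROCS); }
int hidden_count(void) { uint32_t pids[MAX_PROCS]; build_list(); hide_by_name(g_buf, "powershell.exe"); return walk(g_buf, pids, MAX_PROCS); }
uint32_t missing_pid(void) { uint32_t miss[MAX_PROCS]; int m; build_list(); hide_by_name(g_buf, "powershell.exe"); m = cross_view(g_buf, g_pids, NPROC, miss, MAX_PROCS); return m == 1 ? miss[0] : 0; }

int main(void) {
    printf("entries before hiding: %d, after hiding powershell.exe: %d\n", visible_count(), hidden_count());
    printf("cross-view: PID %u exists but is not reachable through the list\n", missing_pid());
    return 0;
}
```

The point of the check is that a user-mode hook like the one above only edits the offsets inside the buffer that one API call returned; anything that enumerates processes through a different path still sees the hidden PID, and the mismatch is the detection signal.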

References

https://www.fuzzysecurity.com/tutorials/29.html

Copyrights © 2021 lzeroyuee