windows 在任务管理器中隐藏进程

wmtdaxz3 于 2023-03-31 发布在 Windows

关注(0)|答案(2)|浏览(190)

我试图向任务管理器隐藏一个进程，但没有成功。我不明白为什么...
提前感谢您的帮助...！
这是我的函数注入hider_dll.dll：

int Inject(char* dll)
{
    int pid = getpid();

    HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,false,pid);
    if(hProc)
    {
        cout<<"OpenProcess success"<<endl;
    }
    else
    {
        cout<<"OpenProcess failed..."<<endl;
        return 0;
    }
    LPVOID Vmem=VirtualAllocEx(hProc,0,strlen(dll)+1,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
    DWORD wrt;
    WriteProcessMemory(hProc,Vmem,dll,strlen(dll),(SIZE_T*)&wrt);


    stringstream sstr;
    sstr << wrt;
    string str = sstr.str();

    cout<<"Writed "+str+" bytes"<<endl;

    FARPROC LoadLib=GetProcAddress(LoadLibrary(L"kernel32.dll"),"LoadLibraryA");
    HANDLE h=CreateRemoteThread(hProc,0,0,(LPTHREAD_START_ROUTINE)LoadLib,Vmem,0,0);
    if(h)
    {
        cout<<"CreateRemoteThread success"<<endl;
    }
    else
    {
        cout<<"CreateRemoteThread failed\r\nError:"<<GetLastError()<<endl;
        return 0;
    }
    WaitForSingleObject(h,INFINITE);
    DWORD exit;
    GetExitCodeThread(h,&exit);
    cout<<"Dll loaded to "<<exit<<endl;
    return 1;
    }

windows

来源：https://stackoverflow.com/questions/33573292/hide-a-process-from-task-manager

2条答案

按热度按时间

lg40wkob1#

下面是一个合适的注射器：

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>

DWORD GetProcId(const char* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_stricmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;
                }
            } while (Process32Next(hSnap, &procEntry));
        }
    }
    CloseHandle(hSnap);
    return procId;
}

int main()
{
    const char* dllPath = "C:\\Users\\'%USERNAME%'\\Desktop\\dll.dll"; //
    const char* procName = "processname.exe"; //
    DWORD procId = 0;

    while (!procId)
    {
        procId = GetProcId(procName);
        Sleep(30);
    }

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, procId);

    if (hProc && hProc != INVALID_HANDLE_VALUE)
    {
        void* loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        WriteProcessMemory(hProc, loc, dllPath, strlen(dllPath) + 1, 0);

        HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);

        if (hThread)
        {
            CloseHandle(hThread);
        }
    }

    if (hProc)
    {
        CloseHandle(hProc);
    }
    return 0;
}

要从任务管理器中隐藏进程，您需要挂接NtQuerySystemInformation（），如果使用参数SYSTEM_PROCESS_INFORMATION，则需要从进程的链接列表中删除进程。
这就是你的钩子看起来的样子：

// Hooked function
NTSTATUS WINAPI HookedNtQuerySystemInformation(
    __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout    PVOID                    SystemInformation,
    __in       ULONG                    SystemInformationLength,
    __out_opt  PULONG                   ReturnLength
)
{
    NTSTATUS status = OriginalNtQuerySystemInformation(SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);
    if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)
    {
        // Loop through the list of processes
        PMY_SYSTEM_PROCESS_INFORMATION pCurrent = NULL;
        PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)
            SystemInformation;

        do
        {
            pCurrent = pNext;
            pNext = (PMY_SYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->
                NextEntryOffset);
            if (!wcsncmp(pNext->ImageName.Buffer, L"notepad.exe", pNext->ImageName.Length))
            {
                if (!pNext->NextEntryOffset)
                {
                    pCurrent->NextEntryOffset = 0;
                }
                else
                {
                    pCurrent->NextEntryOffset += pNext->NextEntryOffset;
                }
                pNext = pCurrent;
            }
        } while (pCurrent->NextEntryOffset != 0);
    }
    return status;
}

赞(0）回复(0）举报 2023-03-31

qco9c6ql2#

我喜欢这个答案。只是我会使用EnumProcesses来检查任务管理器是否正在运行，而不是使用CreateToolhelp32Snapshot和朋友（在函数DWORD GetProcId(const char* procName)内）

赞(0）回复(0）举报 2023-03-31