[其他] 3环进程混淆方法思路

发表于 2023-12-23 21:29
本帖最后由 mmortalyi 于 2023-12-23 21:29 编辑

3环进程混淆思路

一定程度上能起到一点混淆作用，纯思路分享。


#include <iostream>
#include <windows.h>
#include <winternl.h>

/* Wide-string literals that main() copies over the PEB's CommandLine and
 * ImagePathName buffers. Both are the same path here. Their byte length, as
 * used below, is wcslen(...) * 2 -- the UTF-16 text without the terminator. */
#define FAKE_CMDLINE L"C:\\Windows\\explorer.exe"
#define FAKE_PATH L"C:\\Windows\\explorer.exe"

/* Function-pointer type for ntdll!NtQueryInformationProcess. main() resolves
 * the export at run time with GetProcAddress rather than calling the
 * declaration from winternl.h directly (presumably to avoid linking against
 * ntdll.lib -- the post does not say). IN/OUT/OPTIONAL are documentation-only
 * macros from the SDK and expand to nothing. */
typedef NTSTATUS
(*MyNtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);

/*
 * Entry point. Rewrites parts of the *current* process's own PEB: the
 * CommandLine and ImagePathName strings in ProcessParameters, the SessionId
 * field, and the head entry of Ldr->InMemoryOrderModuleList. It then blocks
 * on getchar() so the process stays alive for inspection.
 *
 * Returns 0 on every path (each early exit and the implicit return at the
 * end of main). No resource acquired here is released: the ntdll module
 * handle and the process handle are never closed.
 *
 * Defender's note: every write stays in user mode. The kernel-side process
 * object and the on-disk image are untouched, so tooling that compares the
 * PEB contents with the kernel's view of the process sees the mismatch.
 */
int main()
{
PPEB pebProcess = { 0 };
PROCESS_BASIC_INFORMATION pbiProcess = { 0 };   // local copy filled by the query below
HANDLE hProcess = 0;
ULONG Infolen = 1024;    // declared but never used
ULONG Retlen = 0;        // written by the query, never read
NTSTATUS status = 0;
HMODULE hNtdll = 0;
UNICODE_STRING unCmdline; // declared but never used
UINT64 fakepid = 4;      // value copied into the local pbiProcess below
ULONG fakesession = 0;   // value copied into the PEB's SessionId below
MyNtQueryInformationProcess ntQueryProcess = NULL;

// ntdll.dll is already mapped in every Win32 process, so this returns the
// existing module handle (its reference count is bumped and never released
// -- there is no FreeLibrary on any path).
hNtdll = LoadLibraryA("ntdll.dll");

// HMODULE is a pointer; this is a NULL check written as an integer comparison.
if (hNtdll<=0)
{
return 0;
}

// Resolve the export by name at run time (see the typedef above).
ntQueryProcess = (MyNtQueryInformationProcess)GetProcAddress(hNtdll, "NtQueryInformationProcess");

// Same pointer-vs-integer comparison as above; effectively a NULL check.
if (ntQueryProcess<=0)
{
return 0;
}

// Opens a real, full-access handle to the process itself. It is never passed
// to CloseHandle, so it lives until process exit.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());

if (!hProcess)
{
return 0;
}

// Fills the local pbiProcess; the only field used afterwards is PebBaseAddress.
status = ntQueryProcess(hProcess, ProcessBasicInformation, &pbiProcess, sizeof(PROCESS_BASIC_INFORMATION), &Retlen);

if (!NT_SUCCESS(status))
{
return 0;
}

if (pbiProcess.PebBaseAddress == NULL)
{
return 0;
}

pebProcess = pbiProcess.PebBaseAddress;

// Overwrite the command line.
// Zeroes exactly the bytes of the existing text (wcslen * 2, no terminator),
// then copies FAKE_CMDLINE over the same buffer. The buffer's capacity
// (CommandLine.MaximumLength) is never checked: if FAKE_CMDLINE is longer
// than the original command line, the copy writes past the end of the
// buffer. Only the characters change; the UNICODE_STRING's Length and
// MaximumLength fields are left as they were.
RtlZeroMemory((pebProcess->ProcessParameters->CommandLine).Buffer, wcslen((pebProcess->ProcessParameters->CommandLine).Buffer) * 2);

RtlCopyMemory((pebProcess->ProcessParameters->CommandLine).Buffer, FAKE_CMDLINE,wcslen(FAKE_CMDLINE)*2);

// Overwrite the image path -- same pattern and same missing bound check as
// for the command line above.
RtlZeroMemory((pebProcess->ProcessParameters->ImagePathName).Buffer, wcslen((pebProcess->ProcessParameters->ImagePathName).Buffer) * 2);

RtlCopyMemory((pebProcess->ProcessParameters->ImagePathName).Buffer, FAKE_PATH, wcslen(FAKE_PATH) * 2);

// Overwrite the process id.
// pbiProcess is the local stack copy returned by the query above, so this
// write changes only that local struct. UniqueProcessId is a ULONG_PTR; on
// a 32-bit build it is 4 bytes and this 8-byte copy would spill into the
// following field.
RtlCopyMemory(&(pbiProcess.UniqueProcessId), &fakepid, sizeof(UINT64));

// Overwrite the session id: sets the PEB's SessionId field to 0.
RtlCopyMemory(&(pebProcess->SessionId), &fakesession, sizeof(ULONG));

// Unlink.
// Splices the head LIST_ENTRY of Ldr->InMemoryOrderModuleList out of the
// circular list: its predecessor's Flink and its successor's Blink are
// pointed at each other, bypassing the head. The head's own Flink/Blink are
// not rewritten, and the other two loader lists are not touched.
(pebProcess->Ldr->InMemoryOrderModuleList.Blink)->Flink = pebProcess->Ldr->InMemoryOrderModuleList.Flink;
(pebProcess->Ldr->InMemoryOrderModuleList.Flink)->Blink = pebProcess->Ldr->InMemoryOrderModuleList.Blink;

// Block on stdin so the modified process can be inspected before it exits.
getchar();

// No explicit return: main() implicitly returns 0.
}

