转载 修改进程名

先总结一下,一个进程的名字有可能从以下部位获取(参考小伟同学的《伪造进程初探》一文):
一、EPROCESS中:
    1、EPROCESS-->ImageFileName(很常用,冰刃获取进程名的地方)
    2、EPROCESS-->SeAuditProcessCreationInfo->ImageFileName(任务管理器获取进程名的地方,NtQueryInformationProcess就是从这里获取进程名的)
    3、EPROCESS->SectionObject->Segment->ControlArea->FileObject->FileName(RKU获取进程名的方法)
    4、VAD(记录用户空间内存分配情况的数据结构,里面当然有进程的exe模块)
 
二、PEB中:
    1、PEB-->ProcessParameters-->ImagePathName
    2、PEB-->ProcessParameters-->CommandLine
    3、PEB-->ProcessParameters-->WindowTitle(这个地方比较奇怪,如果双击的是exe的快捷方式,则记录的是快捷方式的路径,还是一并改掉的好)
    4、PEB-->LDR-->InLoadOrderModuleList->第一个结构->FullDllName
    5、PEB-->LDR-->InLoadOrderModuleList->第一个结构->BaseDllName
    6、PEB-->LDR-->InMemoryOrderModuleList->第一个结构->FullDllName(此处的BaseDllName貌似为NULL,就不管它了)
    (PEB-->LDR-->InInitializationOrderModuleList这个表里貌似没有exe模块,也不管它了)
 
把这些地方都改掉即可彻底改掉进程名(如果不够彻底,谢谢补充!)。
示例代码如下(示例代码中以winmine.exe做测试,平台为XP SP3。代码中硬编码很多,通用性不强。囧):

//Fypher

//http://hi.baidu.com/nmn714

VOID ChangeName(ULONG pProcess){

    ULONG peb,ProcessParameters,ldr;

    ULONG InLoadOrderModuleList;

    ULONG InMemoryOrderModuleList;

    ULONG tmp;

    KAPC_STATE kapc;

    PUCHAR str;

    PWCHAR wstr;

 

    //get PEB

    peb=*(PULONG)(pProcess + 0x1b0);

 

    KeStackAttachProcess((PEPROCESS)pProcess,&kapc);

    __try{

        ProcessParameters = *(PULONG)(peb + 0x010);

        //ImagePathName

        FindAndChangeUni(ProcessParameters+0x038);

        //CommandLine

        FindAndChangeUni(ProcessParameters+0x040);

        //WindowTitle

        FindAndChangeUni(ProcessParameters+0x070);

        //Ldr

        ldr = *(PULONG)(peb + 0x00c);

        //InLoadOrderModuleList->FullDllName

        InLoadOrderModuleList = *(PULONG)(ldr+0x00c);

        FindAndChangeUni(InLoadOrderModuleList+0x024);

        //InLoadOrderModuleList->BaseDllName

        FindAndChangeUni(InLoadOrderModuleList+0x02c);

        //InMemoryOrderModuleList->FullDllName

        InMemoryOrderModuleList = *(PULONG)(ldr+0x014);

        FindAndChangeUni(InMemoryOrderModuleList+0x024);

    }__except(1){

        KdPrint(("exception occured!"));

    }

    KeUnstackDetachProcess (&kapc);

    //EPROCESS-->ImageFileName

    FindAndChangeA(pProcess+0x174,16);

    //EPROCESS-->SeAuditProcessCreationInfo->ImageFileName

    FindAndChangeUni(*(PULONG)(pProcess + 0x1F4));

    //EPROCESS->SectionObject->Segment->ControlArea->FileObject->FileName

    //should use MmIsAddressValid to verify

    tmp=*(PULONG)(pProcess+0x138);

    tmp=*(PULONG)(tmp+0x14);

    tmp=*(PULONG)tmp;

    tmp=*(PULONG)(tmp+0x024);

    FindAndChangeUni(tmp+0x030);

 

    //VAD

    //should use MmIsAddressValid to verify

    tmp=*(PULONG)(pProcess+0x11c);

    tmp=*(PULONG)(tmp+0x10);

    tmp=*(PULONG)(tmp+0x018);

    tmp=*(PULONG)(tmp+0x024);

    FindAndChangeUni(tmp+0x030);

}

 

其中,FindAndChangeUni和FindAndChangeA的作用是在一个字符串(UNICODE_STRING或CHAR)中定位“winmine.exe”并改成"winxxoo.exe"。代码如下:

//Fypher

//http://hi.baidu.com/nmn714

VOID FindAndChangeUni(ULONG strAddr){

    PUNICODE_STRING uniStr = (PUNICODE_STRING)strAddr;

    ULONG len = uniStr->Length / 2;

    ULONG maxLen = uniStr->MaximumLength / 2;

    PWCHAR str = uniStr->Buffer;

    ULONG i=0;

    if(!str || len<11|| maxLen<11 )

        return;

    for(i=0;i<= len - 11;++i){

        if(!_wcsnicmp(str+i,L"winmine.exe",11))

            break;

    }

    if(i>len - 11)

        return;

 

    _asm{

        cli

            mov eax, cr0

            and eax, not 0x10000

            mov cr0, eax

    }

    //str可能是PEB中的,故try之

    __try{

        str[i+3]=L‘x‘;

        str[i+4]=L‘x‘;

        str[i+5]=L‘o‘;

        str[i+6]=L‘o‘;

    }__except(1){

    }   

    _asm{

        mov eax, cr0

            or eax,0x10000

            mov cr0,eax

            sti

    }

}

VOID FindAndChangeA(ULONG strAddr,ULONG len){

    PUCHAR str = (PUCHAR)strAddr;

    ULONG i=0;

    if(!str || len<11 )

        return;

    for(i=0;i<= len - 11;++i){

        if(!_strnicmp(str+i,"winmine.exe",11))

            break;

    }

    if(i>len - 11)

        return;

 

    _asm{

        cli

            mov eax, cr0

            and eax, not 0x10000

            mov cr0, eax

    }

    //str可能是PEB中的,故try之

    __try{

        str[i+3]=‘x‘;

        str[i+4]=‘x‘;

        str[i+5]=‘o‘;

        str[i+6]=‘o‘;

    }__except(1){

    }   

 

    _asm{

        mov eax, cr0

            or eax,0x10000

            mov cr0,eax

            sti

    }

}

 

截图效果:
 

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。