通过暴力枚举恢复被隐藏的进程（利用进程 ID 均为 4 的倍数这一特性）
EnumProcessByForce
Ring3层程序:
首先要进行提权:
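/*
 * Enable SeDebugPrivilege (SE_DEBUG_NAME) on the current process token.
 *
 * Returns TRUE only if the privilege is actually enabled afterwards,
 * FALSE on any failure. The token handle is always closed before return.
 *
 * Defect fixed: AdjustTokenPrivileges() returns TRUE even when it could
 * not enable the requested privilege (the token simply does not hold it,
 * e.g. the caller is not elevated); in that case GetLastError() is
 * ERROR_NOT_ALL_ASSIGNED. The original code did not check this, so a
 * non-admin caller was told the privilege had been granted.
 */
BOOL EnableDebugPrivilege() //Debug
{
    HANDLE hToken = NULL;
    TOKEN_PRIVILEGES TokenPrivilege = {0};
    LUID uID = {0};
    BOOL bResult = FALSE;

    // Open the process token with the rights needed to query and adjust privileges
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
    {
        return FALSE;
    }

    // Resolve the LUID of SeDebugPrivilege on this machine
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &uID))
    {
        CloseHandle(hToken);
        return FALSE;
    }

    TokenPrivilege.PrivilegeCount = 1;
    TokenPrivilege.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    TokenPrivilege.Privileges[0].Luid = uID;

    // A non-zero return alone is not proof of success; ERROR_NOT_ALL_ASSIGNED
    // means the privilege is not present in the token and was not enabled.
    if (AdjustTokenPrivileges(hToken, FALSE, &TokenPrivilege, sizeof(TOKEN_PRIVILEGES), NULL, NULL)
        && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
    {
        bResult = TRUE;
    }

    CloseHandle(hToken);
    return bResult;
}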
并且将UAC执行级别调到 requireAdministrator (/level='requireAdministrator')
该选项可以在项目的链接器设置中找到
在 EnumProcessByForce 函数中进行暴力枚举，对每个候选进程 ID 调用 OpenProcess 来检测该 ID 是否有效
1 VOID EnumProcessByForce() 2 { 3 int i = 0; 4 HANDLE hProcess = NULL; 5 DWORD dwReturn = 0; 6 7 char szProcessImageName[MAX] = {0}; 8 for (i=0;i<10000000;i+=4) 9 { 10 hProcess = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,i); 11 12 if (hProcess==NULL) 13 { 14 continue; 15 } 16 17 else 18 { 19 //向驱动发送请求 20 if(SendIoControl(&i,sizeof(ULONG32),szProcessImageName,&dwReturn)==TRUE) 21 { 22 szProcessImageName[dwReturn] = '