Showing processes hidden by EncryptPE, with source code (EncryptPE, Win32/64 programming)

2010-1-30 18:29 | Publisher: admin | Views: 121 | Comments: 0 | Original author: 小可爱


Monday, 23 June 2008, 09:43 PM
Just run ShowProcess.exe and the hidden process becomes visible.

For example, run ImportREC.exe first and then ShowProcess.exe; the hidden process can then be found.

What the program does: it enumerates every process and, in each one it can open, restores the first five bytes of ntdll!ZwOpenProcess to the original stub prologue mov eax, 0x80 (B8 80 00 00 00). EncryptPE overwrites those bytes with a user-mode hook, and that hook is what keeps the protected process hidden from other tools.



#include <windows.h>
#include <psapi.h>

#pragma comment(lib, "Psapi.lib")

int ShowProcess(HANDLE hd, DWORD address);

/* 32-bit only: the tool assumes ntdll.dll is mapped at the same base in every
   process, so the ZwOpenProcess address resolved here is valid in each target
   as well. The 5-byte "mov eax, imm32" prologue it restores is the x86 stub. */
int main(void)
{
    DWORD dll;
    DWORD aProcesses[1024], cbNeeded;
    int cProcesses, i;
    HANDLE hProcess;

    dll = (DWORD)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwOpenProcess");
    if (dll == 0)
        return 1;

    if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
    {
        return 1;
    }
    cProcesses = cbNeeded / sizeof(DWORD);

    for (i = 0; i < cProcesses; i++)
    {
        hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_CREATE_THREAD |
                               PROCESS_VM_OPERATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ,
                               FALSE, aProcesses[i]);
        if (hProcess == NULL)
            continue;           /* no access to this process, skip it */

        ShowProcess(hProcess, dll);
        CloseHandle(hProcess);  /* the original never closed the handle */
    }
    return 0;
}

/* Restore the first 5 bytes of ZwOpenProcess in the target process to
   "mov eax, 0x80" (B8 80 00 00 00), the stub prologue the hook overwrote. */
int ShowProcess(HANDLE hd, DWORD address)
{
    DWORD old;
    SIZE_T read;
    char befor[10];

    if (!ReadProcessMemory(hd, (LPCVOID)address, befor, 5, &read) || read != 5)
        return -1;

    /* Only rewrite when both leading bytes differ from the expected prologue.
       A stub that already starts with B8 but carries a different syscall
       number (another Windows build) is deliberately left alone. */
    if ((UCHAR)befor[0] != 0xb8 && (UCHAR)befor[1] != 0x80)
    {
        ZeroMemory(befor, 10);
        befor[0] = (char)0xb8;
        befor[1] = (char)0x80;
        VirtualProtectEx(hd, (LPVOID)address, 5, PAGE_EXECUTE_READWRITE, &old);
        WriteProcessMemory(hd, (LPVOID)address, befor, 5, &read);
        VirtualProtectEx(hd, (LPVOID)address, 5, old, &old);
    }
    return 0;
}

