ASM 启动进程隐藏
我有一个已经编译的 C++ 控制台应用程序,它显示为一个黑色的小窗口。 现在我想反汇编应用程序并添加代码以隐藏进程启动。也许你可以帮我找到 api 调用,或者你可以向我解释一下它是如何工作的。我当前使用的调试器是 OllyDBG,但我也了解 IDA 和 WDASM32。
感谢转发!
I have a already compiled C++ console application wich is shown as a little black window.
Now i want to disassemble the app and add code to get the Process start hidden. Maybe you can help me finding the api call or if you can explain me how that works. The current Debuger I use is OllyDBG but I also have knowledge in IDA and WDASM32.
Thanks forward!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
有两种方法可以做到这一点。您可以执行代码注入以在创建窗口后隐藏窗口,也可以更改 PE 标头中定义的子系统。
PE 标头有一个标志,定义代码编译所针对的子系统。当前为
WINDOWS_CUI,您希望将其更改为WINDOWS_GUI。要进行代码注入,请找到一个 codecave,然后在该 codecave 的入口点 (EP) 修补
JMP。在 codecave 中,写入被JMP覆盖的指令,然后调用FreeConsole,然后JMP返回到JMP之后的指令>JMP 您之前在 EP 中修补过。让我举个例子。我在 VC++ 中编译了一个 C 程序:
如果我们在 OllyDbg 中打开结果二进制文件,我们会得到如下内容:
按顶部的大 M 获取内存映射:
因为我们的主模块是 Some_console_App,所以双击那里的 PE 头这将我们带到这个:
向下滚动一点找到子系统:
如您所见,它设置为 IMAGE_SUBSYSTEM_WINDOWS_CUI,定义为 3。我们希望将其设置为IMAGE_SUBSYSTEM_WINDOWS_GUI 为 2。返回 CPU 窗口并在十六进制转储中,转到设置子系统标志的地址。在本例中为 0x0136013C:
选择要更改的字节,按 Ctrl-E 并将 3 更改为 2。然后右键>>复制到可执行文件。在弹出的文件窗口中,右键单击并选择保存文件。
田田!完毕。抱歉图片分辨率太高。
There are two ways to do this. You can do a code injection to hide the window after it's created or you can change the subsystem that is defined in the PE header.
The PE header has a flag defining the subsystem the code was compiled against. This will currently be
WINDOWS_CUIand you want to change it toWINDOWS_GUI.To do the code injection, find a codecave, then patch a
JMPat entry point (EP) to this codecave. In the codecave, write the instruction that was overwritten by theJMPthen make a call toFreeConsolethenJMPback to the instruction after theJMPyou patched in at the EP earlier.Let me give you an example. I compiled a C program in VC++:
If we open up the result binary in OllyDbg, we get something like this:
Press the big M at the top to get the Memory Map:
Since our main module is Some_console_App then double click the PE header there which takes us to this:
Scroll down a bit to find the subsystem:
As you can see it's set to IMAGE_SUBSYSTEM_WINDOWS_CUI which is defined as 3. We want to set it to IMAGE_SUBSYSTEM_WINDOWS_GUI which is 2. Go back to the CPU window and in the hex dump, go to the address that the subsystem flag was set on. In this case it's 0x0136013C:
Select the byte you want to change, hit Ctrl-E and change the 3 to 2. Then right-click >> Copy to Executable File. In the File window that pops up, right-click and select Save File.
Tada! Done. Sorry for large resolutions of pictures.