如何调试AppInit DLL [英] How to debug an AppInit DLL
问题描述
对于学术人员(计算机安全课程),我正试图找到一种方法来隐藏win7 / 10任务管理器的进程。没有必要隐藏任何cmd命令或第三方实用程序的进程,这是一个概念证明。
Hi, for academic porpouses (a Computer Security class) I'm trying to find a way to hide a process from win7/10 task manager. There is no need to hide the process from any cmd commands or third party utilities, it's a proof of concept.
我几周都在苦苦挣扎,我尝试了几种方法,没有任何作用。我正在尝试使用AppInit_DLLs注册表项。
I'm struggling in weeks with this, I tried several ways and nothing works. I'm trying now using AppInit_DLLs registry key.
https://www.codeproject.com/Articles/49319/Easy-way-to-set-up-global-API-hooks
https://www.codeproject.com/Articles/49319/Easy-way-to-set-up-global-API-hooks
那篇文章指的是winXP,我在Win7 x64上试过,使用了文章的确切代码,但是当我启动calc.exe时,我在任务管理器中看到它。
That article refers to winXP, I tried that on Win7 x64, using the exact code of the article, yet when I launch calc.exe I see it in task manager.
所以,我真的没有进入这个低级别的winAPI,但我想我需要调试dll(我怀疑代码利用了win7任务管理器中未使用的旧API)。我尝试从源代码调试VS2017中的dll,附加一个临时进程(Debug-> Attach
to process),没有触发任何断点。我很确定我在如何调试这种dll时犯了错误(例如我有疑问:VS调试器如何知道源代码是AppInit注册表项?AppInit注册表项包含已编译的
dll)。
So, I'm really not into this low-level winAPI, but I guess I need to debug the dll (I suspect the code exploits old APIs not used in win7 task manager). I tried to debug the dll from VS2017, from the source code, attaching it a casual process (Debug->Attach to process), none of my breakpoints are triggered. I'm pretty sure I'm making mistake on how debugging this kind of dll (for example I've a doubt: how can VS debugger knows that source code is an AppInit registry key? AppInit registry key contains the compiled dll).
推荐答案
如果您是系统的所有者或者是所有者的法定代理人(代理人),那么有些事情可以完成并记录在案。说你出于教育目的这样做是恶意开发人员说他们没有恶意的意图。我们无法确定您的真实意图。
If you are the owner of the system or are a legal representative (agent) for the owner then there are things that can be done and they are documented. Saying that you are doing it for educational purposes is an easy way for malicious developers to say they have no malicious intent. We cannot be sure what your real intentions are.
这个问题应该被忽略; y 您不需要出于教育目的。
The question should be ignored; you do not need to do it for educational purposes.
这篇关于如何调试AppInit DLL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
