How to Detect Hidden Processes


Question

Wondering how an application like "Process Explorer" or "Combo Fix" detects hidden processes? I'm assuming this must be done in C or C++. It's easy enough to access the process list even in .NET; however, this is not always accurate, and I know rootkits can mask themselves from Task Manager. Is it through memory access and IO? Curious if anyone knows how this is accomplished.

Answer

This question can't be answered. It depends on how the process has been hidden in the first place. For example, someone can hide a process by injecting a user-mode DLL into all processes which hooks EnumProcesses, Process32Next, etc., and all the other APIs related to process enumeration. This would be bypassed with a trampoline which skips the hook.

However, if the process was hidden by modifying the kernel EPROCESS linked list which holds the list of processes, then another method would be needed to subvert the code which performed the hiding. If you define how you think a process is being 'hidden', maybe we can suggest how to detect it. What processes do you think are being hidden but still being discovered by Process Explorer?

  Also, taking into consideration what you say, that there could be multiple ways to hide a process: what are some of the common ways to detect this?

The problem is that if you have no idea what you are looking for, it's almost impossible to find it. Suppose a process has made itself hidden from Task Manager by hooking EnumProcesses. You might think this would be an easy case to detect. However, the process could be hooking EnumProcesses in a variety of different ways: for example, an unconditional jump at the start of the function, an IAT hook, or causing an access violation to occur at EnumProcesses and catching it with a VEH that modifies EIP/RIP, etc. Even in this simple case, it is not possible to guarantee detection of the hook. This all assumes that the hook has been performed in user mode on a specific API and also that the code makes no attempt to hide itself from detection.

If you are looking for general guidelines, the best method is probably to look at common detouring techniques. Once you know how a method works, it is trivial to write code to detect the manipulation.

Perhaps if you gave the motivation for writing this sort of code, or what purpose it would serve, we would be able to help you better.

If you are looking for the ways that programs detour the execution of other processes, it is usually through one of two means:


  • Dynamic (Runtime) Detouring - This is the more common method and is what is used by libraries such as Microsoft Detours. Here is a relevant paper where the first few bytes of a function are overwritten to unconditionally branch to the instrumentation.
  • (Static) Binary Rewriting - This is a much less common method for rootkits, but it is used by research projects. It allows detouring to be performed by statically analysing and overwriting a binary. An old (not publicly available) package for Windows that performs this is Etch. This paper gives a high-level view of how it works conceptually.

Although Detours demonstrates one method of dynamic detouring, there are countless methods used in the industry, especially in the reverse engineering and hacking arenas. These include the IAT and breakpoint methods I mentioned above. To 'point you in the right direction' for these, you should look at 'research' performed in the fields of research projects and reverse engineering.
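The answer's point is that detection follows from knowing the detouring technique: a dynamic detour overwrites the first bytes of an API entry point with an unconditional branch, and an IAT hook makes an import slot resolve outside the module that exports it. The program below is an added example, not code from the original answer or from Process Explorer or Combo Fix. It shows both checks on constructed data: it compares an in-memory prologue with the corresponding bytes of the on-disk image (the clean reference), recognises the common overwrite patterns (jmp rel32, jmp through a memory slot, push/ret, mov rax/jmp rax, int3), computes the detour destination where the bytes carry it, and flags an IAT slot whose resolved address lies outside its owning module's image range. All addresses, byte sequences and the module range are hypothetical values constructed for the example; a real scanner would read them with ReadProcessMemory and the PE headers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of inspecting the first bytes of an API entry point. */
enum hook_kind {
    HOOK_NONE = 0,      /* bytes match the on-disk image */
    HOOK_JMP_REL32,     /* E9 rel32: the classic Detours-style inline jump */
    HOOK_JMP_MEM,       /* FF 25 disp32: jmp through a pointer slot */
    HOOK_PUSH_RET,      /* 68 imm32 C3: push address; ret */
    HOOK_MOV_RAX_JMP,   /* 48 B8 imm64 FF E0: mov rax, imm64; jmp rax */
    HOOK_INT3,          /* CC: software breakpoint handled by an exception handler */
    HOOK_UNKNOWN_DIFF   /* differs from disk but matches no known detour pattern */
};

/* Compare the in-memory prologue of a function with the same bytes from the
 * on-disk image, then recognise the unconditional branches a dynamic detour
 * writes over the prologue. func_va is the function's virtual address;
 * *target receives the detour destination when the bytes alone carry it. */
enum hook_kind classify_prologue(const uint8_t *mem, const uint8_t *disk,
                                 size_t len, uint64_t func_va, uint64_t *target)
{
    if (target) *target = 0;
    if (memcmp(mem, disk, len) == 0)
        return HOOK_NONE;
    if (len >= 5 && mem[0] == 0xE9) {
        int32_t rel;
        memcpy(&rel, mem + 1, 4);                   /* little-endian rel32 */
        if (target) *target = func_va + 5 + (int64_t)rel;
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && mem[0] == 0xFF && mem[1] == 0x25)
        return HOOK_JMP_MEM;                        /* target lives in memory, not in the bytes */
    if (len >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {
        uint32_t imm;
        memcpy(&imm, mem + 1, 4);
        if (target) *target = imm;
        return HOOK_PUSH_RET;
    }
    if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 &&
        mem[10] == 0xFF && mem[11] == 0xE0) {
        uint64_t imm;
        memcpy(&imm, mem + 2, 8);
        if (target) *target = imm;
        return HOOK_MOV_RAX_JMP;
    }
    if (mem[0] == 0xCC)
        return HOOK_INT3;
    return HOOK_UNKNOWN_DIFF;
}

/* Image range of a loaded module. An IAT slot that should resolve into this
 * module but points elsewhere has been redirected (a user-mode IAT hook). */
struct module_range { const char *name; uint64_t base; uint64_t end; };

int iat_slot_redirected(uint64_t resolved, const struct module_range *owner)
{
    return !(resolved >= owner->base && resolved < owner->end);
}

/* ---- constructed sample data (hypothetical, not captured from a real machine) ---- */
static const uint64_t k_func_va = 0x7FF800001000ULL;   /* hypothetical address of an export */
static const uint8_t k_clean[12]  = { 0x48,0x89,0x5C,0x24,0x08,0x48,0x89,0x6C,0x24,0x10,0x57,0x48 };
/* the same function after an inline hook: jmp rel32 to 0x7FF812340000, tail untouched */
static const uint8_t k_hooked[12] = { 0xE9,0xFB,0xEF,0x33,0x12,0x48,0x89,0x6C,0x24,0x10,0x57,0x48 };
static const struct module_range k_module = { "hypothetical.dll", 0x7FF800000000ULL, 0x7FF8000C0000ULL };

/* Convenience wrapper returning only the computed detour destination (0 if none). */
uint64_t detour_target(const uint8_t *mem, const uint8_t *disk, size_t len, uint64_t func_va)
{
    uint64_t t = 0;
    classify_prologue(mem, disk, len, func_va, &t);
    return t;
}

int main(void)
{
    uint64_t t;
    enum hook_kind k = classify_prologue(k_hooked, k_clean, sizeof k_hooked, k_func_va, &t);
    printf("hooked copy: kind=%d target=0x%llX\n", (int)k, (unsigned long long)t);
    printf("clean copy : kind=%d\n",
           (int)classify_prologue(k_clean, k_clean, sizeof k_clean, k_func_va, NULL));
    /* an import slot now pointing at the detour destination, outside the owning module */
    printf("IAT slot redirected: %d\n", iat_slot_redirected(0x7FF812340000ULL, &k_module));
    printf("IAT slot intact    : %d\n", iat_slot_redirected(0x7FF800012340ULL, &k_module));
    return 0;
}
```

The disk comparison is what makes the prologue check robust: a pattern match alone would miss an unfamiliar stub, so any mismatch is reported at least as HOOK_UNKNOWN_DIFF and the pattern table only adds the destination. The IAT range test is the corresponding structural invariant for import hooks; both checks presuppose the hook is a user-mode one on a known API, which is exactly the limitation the answer states.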
