
Powershell tricks::Hide Process by kd.exe

 3 years ago
source link: https://3gstudent.github.io/3gstudent.github.io/Powershell-tricks-Hide-Process-by-kd.exe/

0x02 Related concepts

PCB (process control block):

The process control block is a data structure that the system maintains specifically to manage processes.

How the PCB is organized:

The PCB structure differs between operating systems.

On Windows, the PCB is the EPROCESS structure.

The process list is a doubly-linked circular list.

The EPROCESS structure:

Every process has an EPROCESS structure, which holds the process's various information and pointers to related structures.

Note:

The EPROCESS structure differs between Windows versions.

The EPROCESS structure lives in the system address space, so accessing it requires ring 0 privileges.

Note:

Once Local kernel debugging mode is enabled on Windows, one can enter ring 0 and use a kernel-mode debugger.

The basic kernel-mode debuggers are the following two:

The EPROCESS structure can be viewed with kd.exe; the command-line parameters are as follows:

kd -kl -y "srv*c:\symbols*http://msdl.microsoft.com/download/symbols" -c "dt nt!_eprocess"

The output is as follows:

lkd> kd: Reading initial command 'dt nt!_eprocess;Q'
   +0x000 Pcb              : _KPROCESS
   +0x2d8 ProcessLock      : _EX_PUSH_LOCK
   +0x2e0 RundownProtect   : _EX_RUNDOWN_REF
   +0x2e8 UniqueProcessId  : Ptr64 Void
   +0x2f0 ActiveProcessLinks : _LIST_ENTRY
   +0x300 Flags2           : Uint4B
   +0x300 JobNotReallyActive : Pos 0, 1 Bit
   +0x300 AccountingFolded : Pos 1, 1 Bit
   +0x300 NewProcessReported : Pos 2, 1 Bit
   +0x300 ExitProcessReported : Pos 3, 1 Bit
   +0x300 ReportCommitChanges : Pos 4, 1 Bit
   +0x300 LastReportMemory : Pos 5, 1 Bit
   +0x300 ForceWakeCharge  : Pos 6, 1 Bit
   +0x300 CrossSessionCreate : Pos 7, 1 Bit
   +0x300 NeedsHandleRundown : Pos 8, 1 Bit
   +0x300 RefTraceEnabled  : Pos 9, 1 Bit
   +0x300 DisableDynamicCode : Pos 10, 1 Bit
   +0x300 EmptyJobEvaluated : Pos 11, 1 Bit
   +0x300 DefaultPagePriority : Pos 12, 3 Bits
   +0x300 PrimaryTokenFrozen : Pos 15, 1 Bit
   +0x300 ProcessVerifierTarget : Pos 16, 1 Bit
   +0x300 StackRandomizationDisabled : Pos 17, 1 Bit
   +0x300 AffinityPermanent : Pos 18, 1 Bit
   +0x300 AffinityUpdateEnable : Pos 19, 1 Bit
   +0x300 PropagateNode    : Pos 20, 1 Bit
   +0x300 ExplicitAffinity : Pos 21, 1 Bit
   +0x300 ProcessExecutionState : Pos 22, 2 Bits
   +0x300 DisallowStrippedImages : Pos 24, 1 Bit
   +0x300 HighEntropyASLREnabled : Pos 25, 1 Bit
   +0x300 ExtensionPointDisable : Pos 26, 1 Bit
   +0x300 ForceRelocateImages : Pos 27, 1 Bit
   +0x300 ProcessStateChangeRequest : Pos 28, 2 Bits
   +0x300 ProcessStateChangeInProgress : Pos 30, 1 Bit
   +0x300 DisallowWin32kSystemCalls : Pos 31, 1 Bit
   +0x304 Flags            : Uint4B
   +0x304 CreateReported   : Pos 0, 1 Bit
   +0x304 NoDebugInherit   : Pos 1, 1 Bit
   +0x304 ProcessExiting   : Pos 2, 1 Bit
   +0x304 ProcessDelete    : Pos 3, 1 Bit
   +0x304 ControlFlowGuardEnabled : Pos 4, 1 Bit
   +0x304 VmDeleted        : Pos 5, 1 Bit
   +0x304 OutswapEnabled   : Pos 6, 1 Bit
   +0x304 Outswapped       : Pos 7, 1 Bit
   +0x304 FailFastOnCommitFail : Pos 8, 1 Bit
   +0x304 Wow64VaSpace4Gb  : Pos 9, 1 Bit
   +0x304 AddressSpaceInitialized : Pos 10, 2 Bits
   +0x304 SetTimerResolution : Pos 12, 1 Bit
   +0x304 BreakOnTermination : Pos 13, 1 Bit
   +0x304 DeprioritizeViews : Pos 14, 1 Bit
   +0x304 WriteWatch       : Pos 15, 1 Bit
   +0x304 ProcessInSession : Pos 16, 1 Bit
   +0x304 OverrideAddressSpace : Pos 17, 1 Bit
   +0x304 HasAddressSpace  : Pos 18, 1 Bit
   +0x304 LaunchPrefetched : Pos 19, 1 Bit
   +0x304 Background       : Pos 20, 1 Bit
   +0x304 VmTopDown        : Pos 21, 1 Bit
   +0x304 ImageNotifyDone  : Pos 22, 1 Bit
   +0x304 PdeUpdateNeeded  : Pos 23, 1 Bit
   +0x304 VdmAllowed       : Pos 24, 1 Bit
   +0x304 ProcessRundown   : Pos 25, 1 Bit
   +0x304 ProcessInserted  : Pos 26, 1 Bit
   +0x304 DefaultIoPriority : Pos 27, 3 Bits
   +0x304 ProcessSelfDelete : Pos 30, 1 Bit
   +0x304 SetTimerResolutionLink : Pos 31, 1 Bit
   +0x308 CreateTime       : _LARGE_INTEGER
   +0x310 ProcessQuotaUsage : [2] Uint8B
   +0x320 ProcessQuotaPeak : [2] Uint8B
   +0x330 PeakVirtualSize  : Uint8B
   +0x338 VirtualSize      : Uint8B
   +0x340 SessionProcessLinks : _LIST_ENTRY
   +0x350 ExceptionPortData : Ptr64 Void
   +0x350 ExceptionPortValue : Uint8B
   +0x350 ExceptionPortState : Pos 0, 3 Bits
   +0x358 Token            : _EX_FAST_REF
   +0x360 WorkingSetPage   : Uint8B
   +0x368 AddressCreationLock : _EX_PUSH_LOCK
   +0x370 PageTableCommitmentLock : _EX_PUSH_LOCK
   +0x378 RotateInProgress : Ptr64 _ETHREAD
   +0x380 ForkInProgress   : Ptr64 _ETHREAD
   +0x388 CommitChargeJob  : Ptr64 _EJOB
   +0x390 CloneRoot        : _RTL_AVL_TREE
   +0x398 NumberOfPrivatePages : Uint8B
   +0x3a0 NumberOfLockedPages : Uint8B
   +0x3a8 Win32Process     : Ptr64 Void
   +0x3b0 Job              : Ptr64 _EJOB
   +0x3b8 SectionObject    : Ptr64 Void
   +0x3c0 SectionBaseAddress : Ptr64 Void
   +0x3c8 Cookie           : Uint4B
   +0x3d0 WorkingSetWatch  : Ptr64 _PAGEFAULT_HISTORY
   +0x3d8 Win32WindowStation : Ptr64 Void
   +0x3e0 InheritedFromUniqueProcessId : Ptr64 Void
   +0x3e8 LdtInformation   : Ptr64 Void
   +0x3f0 OwnerProcessId   : Uint8B
   +0x3f8 Peb              : Ptr64 _PEB
   +0x400 Session          : Ptr64 Void
   +0x408 AweInfo          : Ptr64 Void
   +0x410 QuotaBlock       : Ptr64 _EPROCESS_QUOTA_BLOCK
   +0x418 ObjectTable      : Ptr64 _HANDLE_TABLE
   +0x420 DebugPort        : Ptr64 Void
   +0x428 WoW64Process     : Ptr64 _EWOW64PROCESS
   +0x430 DeviceMap        : Ptr64 Void
   +0x438 EtwDataSource    : Ptr64 Void
   +0x440 PageDirectoryPte : Uint8B
   +0x448 ImageFilePointer : Ptr64 _FILE_OBJECT
   +0x450 ImageFileName    : [15] UChar
   +0x45f PriorityClass    : UChar
   +0x460 SecurityPort     : Ptr64 Void
   +0x468 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
   +0x470 JobLinks         : _LIST_ENTRY
   +0x480 HighestUserAddress : Ptr64 Void
   +0x488 ThreadListHead   : _LIST_ENTRY
   +0x498 ActiveThreads    : Uint4B
   +0x49c ImagePathHash    : Uint4B
   +0x4a0 DefaultHardErrorProcessing : Uint4B
   +0x4a4 LastThreadExitStatus : Int4B
   +0x4a8 PrefetchTrace    : _EX_FAST_REF
   +0x4b0 LockedPagesList  : Ptr64 Void
   +0x4b8 ReadOperationCount : _LARGE_INTEGER
   +0x4c0 WriteOperationCount : _LARGE_INTEGER
   +0x4c8 OtherOperationCount : _LARGE_INTEGER
   +0x4d0 ReadTransferCount : _LARGE_INTEGER
   +0x4d8 WriteTransferCount : _LARGE_INTEGER
   +0x4e0 OtherTransferCount : _LARGE_INTEGER
   +0x4e8 CommitChargeLimit : Uint8B
   +0x4f0 CommitCharge     : Uint8B
   +0x4f8 CommitChargePeak : Uint8B
   +0x500 Vm               : _MMSUPPORT
   +0x5f8 MmProcessLinks   : _LIST_ENTRY
   +0x608 ModifiedPageCount : Uint4B
   +0x60c ExitStatus       : Int4B
   +0x610 VadRoot          : _RTL_AVL_TREE
   +0x618 VadHint          : Ptr64 Void
   +0x620 VadCount         : Uint8B
   +0x628 VadPhysicalPages : Uint8B
   +0x630 VadPhysicalPagesLimit : Uint8B
   +0x638 AlpcContext      : _ALPC_PROCESS_CONTEXT
   +0x658 TimerResolutionLink : _LIST_ENTRY
   +0x668 TimerResolutionStackRecord : Ptr64 _PO_DIAG_STACK_RECORD
   +0x670 RequestedTimerResolution : Uint4B
   +0x674 SmallestTimerResolution : Uint4B
   +0x678 ExitTime         : _LARGE_INTEGER
   +0x680 InvertedFunctionTable : Ptr64 _INVERTED_FUNCTION_TABLE
   +0x688 InvertedFunctionTableLock : _EX_PUSH_LOCK
   +0x690 ActiveThreadsHighWatermark : Uint4B
   +0x694 LargePrivateVadCount : Uint4B
   +0x698 ThreadListLock   : _EX_PUSH_LOCK
   +0x6a0 WnfContext       : Ptr64 Void
   +0x6a8 Spare0           : Uint8B
   +0x6b0 SignatureLevel   : UChar
   +0x6b1 SectionSignatureLevel : UChar
   +0x6b2 Protection       : _PS_PROTECTION
   +0x6b3 HangCount        : UChar
   +0x6b4 Flags3           : Uint4B
   +0x6b4 Minimal          : Pos 0, 1 Bit
   +0x6b4 ReplacingPageRoot : Pos 1, 1 Bit
   +0x6b4 DisableNonSystemFonts : Pos 2, 1 Bit
   +0x6b4 AuditNonSystemFontLoading : Pos 3, 1 Bit
   +0x6b4 Crashed          : Pos 4, 1 Bit
   +0x6b4 JobVadsAreTracked : Pos 5, 1 Bit
   +0x6b4 VadTrackingDisabled : Pos 6, 1 Bit
   +0x6b4 AuxiliaryProcess : Pos 7, 1 Bit
   +0x6b4 SubsystemProcess : Pos 8, 1 Bit
   +0x6b4 IndirectCpuSets  : Pos 9, 1 Bit
   +0x6b4 InPrivate        : Pos 10, 1 Bit
   +0x6b4 ProhibitRemoteImageMap : Pos 11, 1 Bit
   +0x6b4 ProhibitLowILImageMap : Pos 12, 1 Bit
   +0x6b4 SignatureMitigationOptIn : Pos 13, 1 Bit
   +0x6b8 DeviceAsid       : Int4B
   +0x6c0 SvmData          : Ptr64 Void
   +0x6c8 SvmProcessLock   : _EX_PUSH_LOCK
   +0x6d0 SvmLock          : Uint8B
   +0x6d8 SvmProcessDeviceListHead : _LIST_ENTRY
   +0x6e8 LastFreezeInterruptTime : Uint8B
   +0x6f0 DiskCounters     : Ptr64 _PROCESS_DISK_COUNTERS
   +0x6f8 PicoContext      : Ptr64 Void
   +0x700 TrustletIdentity : Uint8B
   +0x708 KeepAliveCounter : Uint4B
   +0x70c NoWakeKeepAliveCounter : Uint4B
   +0x710 HighPriorityFaultsAllowed : Uint4B
   +0x718 EnergyValues     : Ptr64 _PROCESS_ENERGY_VALUES
   +0x720 VmContext        : Ptr64 Void
   +0x728 SequenceNumber   : Uint8B
   +0x730 CreateInterruptTime : Uint8B
   +0x738 CreateUnbiasedInterruptTime : Uint8B
   +0x740 TotalUnbiasedFrozenTime : Uint8B
   +0x748 LastAppStateUpdateTime : Uint8B
   +0x750 LastAppStateUptime : Pos 0, 61 Bits
   +0x750 LastAppState     : Pos 61, 3 Bits
   +0x758 SharedCommitCharge : Uint8B
   +0x760 SharedCommitLock : _EX_PUSH_LOCK
   +0x768 SharedCommitLinks : _LIST_ENTRY
   +0x778 AllowedCpuSets   : Uint8B
   +0x780 DefaultCpuSets   : Uint8B
   +0x778 AllowedCpuSetsIndirect : Ptr64 Uint8B
   +0x780 DefaultCpuSetsIndirect : Ptr64 Uint8B
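The dump above is a kd.exe `dt` listing, and because EPROCESS layout differs between Windows builds, memory-forensics tooling recovers member offsets from exactly this kind of output instead of hard-coding them. The parser below is an added example (not code from the original post): it turns `dt` lines into (offset, name, type) records, handles the `Pos N, M Bit(s)` bitfield members, and applies the CONTAINING_RECORD arithmetic needed when walking the doubly-linked ActiveProcessLinks list to enumerate processes. The short sample dump and the address it is applied to are constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional
# Constructed sample in the layout of the `dt nt!_eprocess` dump above (a few members only).
SAMPLE_DT = """lkd> kd: Reading initial command 'dt nt!_eprocess;Q'
   +0x000 Pcb              : _KPROCESS
   +0x2e8 UniqueProcessId  : Ptr64 Void
   +0x2f0 ActiveProcessLinks : _LIST_ENTRY
   +0x300 Flags2           : Uint4B
   +0x300 JobNotReallyActive : Pos 0, 1 Bit
   +0x300 DefaultPagePriority : Pos 12, 3 Bits
   +0x450 ImageFileName    : [15] UChar
   +0x6b2 Protection       : _PS_PROTECTION
"""
class Field(NamedTuple):
    offset: int
    name: str
    type_name: str           # "_LIST_ENTRY", "Uint4B", "[15] UChar", or "bitfield"
    bit_pos: Optional[int]   # set only for "Pos N, M Bit(s)" members
    bit_len: Optional[int]

_MEMBER_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s+:\s+(.*?)\s*$")
_BITS_RE = re.compile(r"^Pos (\d+), (\d+) Bits?$")

def parse_dt(text: str) -> List[Field]:
    """Parse kd/WinDbg `dt` output into Field records; prompt and echo lines are skipped."""
    fields: List[Field] = []
    for line in text.splitlines():
        m = _MEMBER_RE.match(line)
        if not m:
            continue
        offset, name, rest = int(m.group(1), 16), m.group(2), m.group(3)
        bits = _BITS_RE.match(rest)
        if bits:   # bitfield members share the offset of their containing integer
            fields.append(Field(offset, name, "bitfield", int(bits.group(1)), int(bits.group(2))))
        else:
            fields.append(Field(offset, name, rest, None, None))
    return fields

def offsets(fields: List[Field]) -> Dict[str, int]:
    """name -> offset map; a missing member raises KeyError rather than silently reading 0."""
    return {f.name: f.offset for f in fields}

def bitfield_mask(fields: List[Field], name: str) -> int:
    """Mask that extracts a bitfield (e.g. Flags2.DefaultPagePriority) from its containing DWORD."""
    f = next(f for f in fields if f.name == name and f.type_name == "bitfield")
    return ((1 << f.bit_len) - 1) << f.bit_pos

def eprocess_from_links(links_addr: int, fields: List[Field]) -> int:
    """CONTAINING_RECORD: a list entry reached via ActiveProcessLinks points into the middle of an EPROCESS."""
    return links_addr - offsets(fields)["ActiveProcessLinks"]
```

Feeding the full dump from the page instead of the sample yields the complete offset map for that build; a process-enumeration view built by walking the list with `eprocess_from_links` can then be cross-checked against other process views, which is how hidden-process detection in memory forensics works.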
