A summary of process-hiding methods under NT using ActiveProcessLink
Author: lysoft  Date: 2006-08-21
Hiding a process under NT by removing its node from ActiveProcessLink (APL, a kernel-mode data structure)
is one of the popular methods used by backdoor service applications.
First, we use OpenProcess to obtain a handle to the target process.
Then, NtQuerySystemInformation with the SystemHandleInformation parameter is used to