• 【转】MFC隐藏进程自身(任务管理器不可见,wSysCheck等工具可见)


    只要把cpp和h加入工程,include就可以了。

    代码地址:

    //------------------HideProcess.h--------------------

    //加入MFC工程调用即可
    BOOL HideProcess();

    //------------------HideProcess.cpp------------------

    #include "stdafx.h"
    #include<windows.h>
    #include<Accctrl.h>
    #include<Aclapi.h>
    #include"HideProcess.h"
    
    #define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
    #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
    #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
    
    typedef LONG NTSTATUS;
    
    typedef struct _IO_STATUS_BLOCK 
    {
        NTSTATUS Status;
        ULONG Information;
    } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
    
    typedef struct _UNICODE_STRING 
    {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;
    } UNICODE_STRING, *PUNICODE_STRING;
    
    #define OBJ_INHERIT				0x00000002L
    #define OBJ_PERMANENT			0x00000010L
    #define OBJ_EXCLUSIVE			0x00000020L
    #define OBJ_CASE_INSENSITIVE	0x00000040L
    #define OBJ_OPENIF				0x00000080L
    #define OBJ_OPENLINK			0x00000100L
    #define OBJ_KERNEL_HANDLE		0x00000200L
    #define OBJ_VALID_ATTRIBUTES	0x000003F2L
    
    typedef struct _OBJECT_ATTRIBUTES 
    {
        ULONG Length;
        HANDLE RootDirectory;
        PUNICODE_STRING ObjectName;
        ULONG Attributes;
        PVOID SecurityDescriptor;
        PVOID SecurityQualityOfService;
    } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
    
    typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
        OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes
        );
    
    typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
        IN OUT PUNICODE_STRING DestinationString,
        IN PCWSTR SourceString
        );
    
    RTLINITUNICODESTRING RtlInitUnicodeString;
    ZWOPENSECTION ZwOpenSection;
    HMODULE g_hNtDLL = NULL;
    PVOID g_pMapPhysicalMemory = NULL;
    HANDLE g_hMPM = NULL;
    OSVERSIONINFO g_osvi;
    
    //---------------------------------------------------------------------------
    BOOL InitNTDLL()
    {
        g_hNtDLL = LoadLibrary("ntdll.dll");
    
        if (NULL == g_hNtDLL)
            return FALSE;
    
        RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
        ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");
    
        return TRUE;
    }
    
    //---------------------------------------------------------------------------
    VOID CloseNTDLL()
    {
        if(NULL != g_hNtDLL)
    	{
            FreeLibrary(g_hNtDLL);
    	}
    
        g_hNtDLL = NULL;
    }
    //---------------------------------------------------------------------------
    VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection) 
    { 
        PACL pDacl = NULL; 
        PSECURITY_DESCRIPTOR pSD = NULL; 
        PACL pNewDacl = NULL; 
        
        DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
    								NULL, NULL, &pDacl, NULL, &pSD);
        if(ERROR_SUCCESS != dwRes)
        {
    		if(pSD) 
    		{
    			LocalFree(pSD); 
    		}
    		
    		if(pNewDacl)
    		{
    			LocalFree(pNewDacl); 
    		}
        }
    
        EXPLICIT_ACCESS ea; 
        RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); 
        ea.grfAccessPermissions = SECTION_MAP_WRITE; 
        ea.grfAccessMode = GRANT_ACCESS; 
        ea.grfInheritance = NO_INHERITANCE; 
        ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; 
        ea.Trustee.TrusteeType = TRUSTEE_IS_USER; 
        ea.Trustee.ptstrName = "CURRENT_USER";
    
        dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
        
        if(ERROR_SUCCESS != dwRes)
        {
    		if(pSD)
    		{
    			LocalFree(pSD); 
    		}
    		if(pNewDacl) 
    		{
    			LocalFree(pNewDacl); 
    		}
        }
        dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL);
        
        if(ERROR_SUCCESS != dwRes)
        {
    		if(pSD) 
    		{
    			LocalFree(pSD); 
    		}
    		if(pNewDacl) 
    		{
    			LocalFree(pNewDacl); 
    		}
        }
    } 
    
    //---------------------------------------------------------------------------
    HANDLE OpenPhysicalMemory()
    {
        NTSTATUS status;
        UNICODE_STRING physmemString;
        OBJECT_ATTRIBUTES attributes;
        ULONG PhyDirectory;
    
        g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
        GetVersionEx (&g_osvi);
    
        if (5 != g_osvi.dwMajorVersion)
    	{
            return NULL;
    	}
    
        switch(g_osvi.dwMinorVersion)
        {
            case 0:
                PhyDirectory = 0x30000;
                break; //2k
            case 1:
                PhyDirectory = 0x39000;
                break; //xp
            default:
                return NULL;
        }
    
        RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    
        attributes.Length = sizeof(OBJECT_ATTRIBUTES);
        attributes.RootDirectory = NULL;
        attributes.ObjectName = &physmemString;
        attributes.Attributes = 0;
        attributes.SecurityDescriptor = NULL;
        attributes.SecurityQualityOfService = NULL;
    
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
    
        if(status == STATUS_ACCESS_DENIED)
        { 
            status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes); 
            SetPhyscialMemorySectionCanBeWrited(g_hMPM); 
            CloseHandle(g_hMPM);
            status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); 
        }
    
        if(!NT_SUCCESS(status)) 
    	{
            return NULL;
    	}
    
        g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
    
        if( g_pMapPhysicalMemory == NULL )
    	{
            return NULL;
    	}
    
        return g_hMPM;
    }
    
    //---------------------------------------------------------------------------
    PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
    {
        ULONG VAddr = (ULONG)addr, PGDE, PTE, PAddr;
        PGDE = BaseAddress[VAddr>>22];
    
        if (0 == (PGDE&1))
    	{
            return 0;
    	}
    
        ULONG tmp = PGDE & 0x00000080;
    
        if (0 != tmp)
        {
            PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
        }
        else
        {
            PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
            PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
            
            if (0 == (PTE&1))
    		{
                return 0;
    		}
    
            PAddr = (PTE&0xFFFFF000)+(VAddr&0x00000FFF);
            UnmapViewOfFile((PVOID)PGDE);
        }
    
        return (PVOID)PAddr;
    }
    
    //---------------------------------------------------------------------------
    ULONG GetData(PVOID addr)
    {
        ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
        PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys&0xfffff000, 0x1000);
        
        if (0 == tmp)
    	{
            return 0;
    	}
    
        ULONG ret = tmp[(phys & 0xFFF)>>2];
        UnmapViewOfFile(tmp);
    
        return ret;
    }
    //---------------------------------------------------------------------------
    BOOL SetData(PVOID addr,ULONG data)
    {
        ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
        PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    
        if (0 == tmp)
    	{
            return FALSE;
    	}
    
        tmp[(phys & 0xFFF)>>2] = data;
        UnmapViewOfFile(tmp);
    
        return TRUE;
    }
    
    //---------------------------------------------------------------------------
    long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
    {
       ExitProcess(0);
       return 1;
    }
    //---------------------------------------------------------------------------
    BOOL YHideProcess()
    {
    //    SetUnhandledExceptionFilter(exeception);
    
        if (FALSE == InitNTDLL())
    	{
            return FALSE;
    	}
    
        if (0 == OpenPhysicalMemory())
    	{
            return FALSE;
    	}
    
        ULONG thread = GetData((PVOID)0xFFDFF124); //kteb
        ULONG process = GetData(PVOID(thread + 0x44)); //kpeb
    
        ULONG fw, bw;
        if (0 == g_osvi.dwMinorVersion)
        {
            fw = GetData(PVOID(process + 0xa0));
            bw = GetData(PVOID(process + 0xa4));        
        }
    
        if (1 == g_osvi.dwMinorVersion)
        {
            fw = GetData(PVOID(process + 0x88));
            bw = GetData(PVOID(process + 0x8c));
        }
            
        SetData(PVOID(fw + 4), bw);
        SetData(PVOID(bw), fw);
    
        CloseHandle(g_hMPM);
        CloseNTDLL();
    
        return TRUE;
    }
    
    BOOL HideProcess()
    {
    	static BOOL b_hide = false;
    	if (!b_hide)
    	{
    		b_hide = true;
    		YHideProcess();
    		return TRUE;
    	}
    	return TRUE;
    }
    

    这样在Example的Example.h中加入

    #include <HideProcess.h>
    

    在xample的Example.cpp中

    BOOL CExampleApp::InitInstance()
    

    加入

    HideProcess();
    

    即可。

    ---------------------------------------------------------------------

    这个网上找了半天,结果一开始找到的代码要么不完整,要么有错误。然后自己就改啊改,总算改好了,呵呵。

  • 相关阅读:
    mongodb 添加用户
    mongo 安装
    python 操作redis
    python 安装 redis
    redis 命令文档网址
    redis 事务
    Redis key命令
    手动卸载的vs2010
    个人封装JavaScript函数
    女学-温砚如老师的人生女学
  • 原文地址:https://www.cnblogs.com/ZzzZzz/p/2310080.html
Copyright © 2020-2023  润新知