青青草原综合久久大伊人导航_色综合久久天天综合_日日噜噜夜夜狠狠久久丁香五月_热久久这里只有精品

S.l.e!ep.¢%

像打了激速一樣,以四倍的速度運轉,開心的工作
簡單、開放、平等的公司文化;尊重個性、自由與個人價值;
posts - 1098, comments - 335, trackbacks - 0, articles - 1
  C++博客 :: 首頁 :: 新隨筆 :: 聯系 :: 聚合  :: 管理

HOOK SSDT Hide Process (五)

Posted on 2009-10-26 13:41 S.l.e!ep.¢% 閱讀(726) 評論(0)  編輯 收藏 引用 所屬分類: RootKit
HOOK SSDT Hide Process (四) 的code改進了一下,支持Display Process's Owner
在 XP 下進行測試沒發現問題,但在 Win7 下只能顯示當前用戶的 Process, 其它用戶還有一些 NETWORK SERVICE
的進程無法顯示出來

Code:
#include?<stdlib.h>
#include?<stdio.h>
#include?<windows.h>

typedef?long?NTSTATUS;

#define?ULONG_PTR?ULONG

#define?STATUS_INFO_LENGTH_MISMATCH?((NTSTATUS)0xC0000004L)

#define?NT_SUCCESS(Status)?((NTSTATUS)(Status)>=0)?

//
//?Unicode?strings?are?counted?16-bit?character?strings.?If?they?are
//?NULL?terminated,?Length?does?not?include?trailing?NULL.
//

typedef?struct?_UNICODE_STRING
{
????USHORT?Length;
????USHORT?MaximumLength;
????PWSTR??Buffer;

}?UNICODE_STRING,?*PUNICODE_STRING;

//
//?Thread?priority
//

typedef?LONG?KPRIORITY;

//-----------------------------------------------------------------------------
//?Query?system?information

typedef?enum?_SYSTEM_INFORMATION_CLASS
{
????SystemBasicInformation,?????????????????//?0x00?SYSTEM_BASIC_INFORMATION
????SystemProcessorInformation,?????????????//?0x01?SYSTEM_PROCESSOR_INFORMATION
????SystemPerformanceInformation,???????????//?0x02
????SystemTimeOfDayInformation,?????????????//?0x03
????SystemPathInformation,??????????????????//?0x04
????SystemProcessInformation,???????????????//?0x05
????SystemCallCountInformation,?????????????//?0x06
????SystemDeviceInformation,????????????????//?0x07
????SystemProcessorPerformanceInformation,??//?0x08
????SystemFlagsInformation,?????????????????//?0x09
????SystemCallTimeInformation,??????????????//?0x0A
????SystemModuleInformation,????????????????//?0x0B?SYSTEM_MODULE_INFORMATION
????SystemLocksInformation,?????????????????//?0x0C
????SystemStackTraceInformation,????????????//?0x0D
????SystemPagedPoolInformation,?????????????//?0x0E
????SystemNonPagedPoolInformation,??????????//?0x0F
????SystemHandleInformation,????????????????//?0x10
????SystemObjectInformation,????????????????//?0x11
????SystemPageFileInformation,??????????????//?0x12
????SystemVdmInstemulInformation,???????????//?0x13
????SystemVdmBopInformation,????????????????//?0x14
????SystemFileCacheInformation,?????????????//?0x15
????SystemPoolTagInformation,???????????????//?0x16
????SystemInterruptInformation,?????????????//?0x17
????SystemDpcBehaviorInformation,???????????//?0x18
????SystemFullMemoryInformation,????????????//?0x19
????SystemLoadGdiDriverInformation,?????????//?0x1A
????SystemUnloadGdiDriverInformation,???????//?0x1B
????SystemTimeAdjustmentInformation,????????//?0x1C
????SystemSummaryMemoryInformation,?????????//?0x1D
????SystemNextEventIdInformation,???????????//?0x1E
????SystemEventIdsInformation,??????????????//?0x1F
????SystemCrashDumpInformation,?????????????//?0x20
????SystemExceptionInformation,?????????????//?0x21
????SystemCrashDumpStateInformation,????????//?0x22
????SystemKernelDebuggerInformation,????????//?0x23
????SystemContextSwitchInformation,?????????//?0x24
????SystemRegistryQuotaInformation,?????????//?0x25
????SystemExtendServiceTableInformation,????//?0x26
????SystemPrioritySeperation,???????????????//?0x27
????SystemPlugPlayBusInformation,???????????//?0x28
????SystemDockInformation,??????????????????//?0x29
????//SystemPowerInformation,???????????????//?0x2A
????//SystemProcessorSpeedInformation,??????//?0x2B
????//SystemCurrentTimeZoneInformation,?????//?0x2C
????//SystemLookasideInformation????????????//?0x2D

}?SYSTEM_INFORMATION_CLASS,?*PSYSTEM_INFORMATION_CLASS;

//
//?Process?information
//?NtQuerySystemInformation?with?SystemProcessInformation
//

typedef?struct?_SYSTEM_PROCESS_INFORMATION?{
????ULONG?NextEntryOffset;
????ULONG?NumberOfThreads;
????LARGE_INTEGER?SpareLi1;
????LARGE_INTEGER?SpareLi2;
????LARGE_INTEGER?SpareLi3;
????LARGE_INTEGER?CreateTime;
????LARGE_INTEGER?UserTime;
????LARGE_INTEGER?KernelTime;
????UNICODE_STRING?ImageName;
????KPRIORITY?BasePriority;
????ULONG_PTR?UniqueProcessId;
????ULONG_PTR?InheritedFromUniqueProcessId;
????ULONG?HandleCount;
????//?Next?part?is?platform?dependent

}?SYSTEM_PROCESS_INFORMATION,?*PSYSTEM_PROCESS_INFORMATION;

typedef?NTSTATUS?
?(NTAPI?*PNFNtQuerySystemInformation)(
????IN?SYSTEM_INFORMATION_CLASS?SystemInformationClass,
????OUT?PVOID?SystemInformation,
????IN?ULONG?SystemInformationLength,
????OUT?PULONG?ReturnLength
????);

PNFNtQuerySystemInformation?pNtQuerySystemInformation;

//???
//?GetProcessUsername()???
//???
/*
While?I?have?not?yet?had?time?to?thoroughly?test?this?solution,?
it's?working?well?for?me?so?far?(I?just?finished?this?initial?version?in?the?last?couple?of?hours).?Posting?here?because?I?searched?all?over?before?deciding?to?try?a?different?approach,?and?could?not?find?one.?It?seems?that?the?DEBUG?privilege?will?allow?you?to?open?a?process?handle,?but?not?necessairly?the?process?tokens.?No?back?door?for?that!
I?have?been?able?to?use?GetUserObjectSecurity()?from?an?Admin?account?to?get?the?Owner?SID?for?the?process,?and?that?generally?turns?out?to?be?the?user?who?started?the?process.?Several?system?processes?show?"Builtin\Administrators"?for?their?owner?for?my?purposes?I?return?NULL?for?those?(other?code?then?defaults?the?user?to?"SYSTEM"?to?match?TaskMgr).?You?will?still?need?the?DEBUG?privilege?for?this?to?work?(else?OpenProcess?could?fail).
I?adapted?this?code?from?another?post?I?found?that?used?the?well-known?OpenProcessToken?pathway.?It?isn't?very?pretty,?but?as?I?said?I?just?got?it?working.?Note?the?need?for?STANDARD_RIGHTS_READ?on?the?hProcess.?I?also?have?PROCESS_QUERY_INFORMATION?and?PROCESS_VM_READ?included?in?my?calling?code?(for?access?to?other?process?information)?and?have?not?tried?calling?GetProcessUsername()?on?a?handle?without?these?set?to?see?if?that?works?or?not.
NOTE?THAT?THE?RESULT?IS?RETURNED?AS?A?STATIC!!?It?would?be?cleaner?to?let?the?caller?pass?in?a?buffer?(in?fact?there?are?lots?of?things?that?should?be?cleaned?up?in?this?sample).?It?nonetheless?demonstrates?the?concept.
Since?I?just?came?up?with?this?and?have?had?limited?time?to?test?it,?if?you?use?it?please?let?me?know?if?it?works?(or?doesn't)?for?your?application:
*/
//?Get?username?and?domain?from?a?supplied?process?handle.???
//???
//?hProcess?:?is?the?process?handle?of?which???
//???to?get?the?username?from.???
//???
//?bIncDomain?:?if?true?will?prepend?the?DOMAIN?and??to????
//???the?returned?string.???
//???
//?Returns?a?reference?to?a?static?string?containing?the????
//?username?or?NULL?on?error.???
//????
//???
char*?GetProcessUsername(HANDLE?hProcess,?BOOL?bIncDomain)???
{???
????static?char?sname[300];???
????char?name[300],?dom[300],?*pret?=?0;???
????SECURITY_DESCRIPTOR?*psd?=?NULL;???
????BOOL?b;???
????int?iUse,?rc;???
????DWORD?d;???
????SECURITY_INFORMATION?SecInfo?=?OWNER_SECURITY_INFORMATION;???
????
????//?This?Is?a?round-about?method?I?discovered.?Instead?of?OpenProcessToken?and?GetTokenInformation?use?GetUserObjectSecurity?and?pull???
????//?the?OWNER?information.?Ignore?BUILTIN?Administrators?group?as?an?owner?(we?want?that?to?show?up?as?SYSTEM).?Using?the?tokens?is???
????//?subject?to?ACCESS?DENIED?errors?on?OpenProcessToken,?even?for?administrators.?This?work?around?seems?to?work?regardless.?Unclear????
????//?what?the?diff?between?GetUserObjectSecurity?and?GetKernelObjectSecurity?is.?So?stick?with?GetUserObjectSecurity?for?now.???
????//?Requires?STANDARD_RIGHTS_READ?on?hProcess?(in?OpenProcess?call).???
????
????//b?=?GetKernelObjectSecurity(hProcess,?SecInfo,?psd,?0,?&d);???
????b?=?GetUserObjectSecurity(hProcess,?&SecInfo,?psd,?0,?&d);???
????rc?=?GetLastError();???
????psd?=?(SECURITY_DESCRIPTOR?*)malloc(d);???
????if?(psd?!=?NULL)???
????{???
????????memset?(psd,?0,?d);???
????????//b?=?GetKernelObjectSecurity(hProcess,?SecInfo,?psd,?d,?&d);???
????????b?=?GetUserObjectSecurity(hProcess,?&SecInfo,?psd,?d,?&d);???
????????if?(b)???
????????{???
????????????PSID?psidOwner;???
????????????BOOL?bDefaulted;???
????????????b?=?GetSecurityDescriptorOwner(psd,?&psidOwner,?&bDefaulted);???
????????????if?(IsValidSid(psidOwner)?)???
????????????{???
????????????????//?We?have?a?valid?Owner?SID.?Decode?it???
????????????????DWORD?dlen?=?sizeof(dom);???
????????????????DWORD?nlen?=?sizeof(name);???
????????????????b?=?LookupAccountSid(0,?psidOwner,?name,?&nlen,?dom,?&dlen,?(PSID_NAME_USE)&iUse);???
????????????????if?(b?&&?lstrcmpi(dom,?"Builtin")?!=?0?&&?lstrcmpi(dom,?"Administrators")?!=?0)???
????????????????{???
????????????????????//copy?info?to?our?static?buffer???
????????????????????if?(dlen?&&?bIncDomain)???
????????????????????{???
????????????????????????lstrcpy(sname,dom);???
????????????????????????lstrcat(sname,"\\");???
????????????????????????lstrcat(sname,name);???
????????????????????}????
????????????????????else???
????????????????????????lstrcpy(sname,name);???
????????????????????//set?our?return?variable???
????????????????????pret?=?sname;???
????????????????}???
????????????????else???
????????????????????rc?=?GetLastError();???
????????????}???
????????}???
????????else???
????????????rc?=?GetLastError();???
????}???
????
????if?(psd?!=?NULL)???
????????free?(psd);???
????return?pret;???
}???

BOOL?QueryThreadInfo()
{
????HMODULE?hMod?=?GetModuleHandle("ntdll.dll");

????if?(hMod?==?NULL)
????{
????????hMod?=?LoadLibrary("ntdll.dll");
????????if?(hMod?==?NULL)
????????{
????????????printf("LoadLibrary?Error:?%d\n",?GetLastError());
????????????return?FALSE;
????????}
????}

????pNtQuerySystemInformation?=?(PNFNtQuerySystemInformation)GetProcAddress(hMod,?"NtQuerySystemInformation");

????if(?pNtQuerySystemInformation?==?NULL?)
????{
????????printf("GetProcAddress?for?NtQuerySystemInformation?Error:?%d\n",?GetLastError());
????????return?FALSE;
????}

//?????ULONG?dwNumberBytes?=?0x8000;
//?????char*?pBuf?=?(char*)malloc(dwNumberBytes);
//?????PSYSTEM_PROCESS_INFORMATION?pProcessInfo?=?(PSYSTEM_PROCESS_INFORMATION)pBuf;
????ULONG?nNeedSize?=?0;
????
????NTSTATUS?nStatus?=?pNtQuerySystemInformation(SystemProcessInformation,?NULL,?NULL,?&nNeedSize);
????
????if?(STATUS_INFO_LENGTH_MISMATCH?!=?nStatus)
????{
????????return?FALSE;
????}

????PVOID?lpBuffer?=?LocalAlloc(LPTR,?nNeedSize);

????if?(NULL?==?lpBuffer)
????{
????????return?FALSE;
????}

????nStatus?=?pNtQuerySystemInformation(SystemProcessInformation,?lpBuffer,?nNeedSize,?0);

????if?(NT_SUCCESS(nStatus))
????{
????????PSYSTEM_PROCESS_INFORMATION?ProcessInfo?=?(PSYSTEM_PROCESS_INFORMATION)lpBuffer;

????????while(?NULL?!=?ProcessInfo?)?
????????{????????
????????????char?szANSIString[MAX_PATH];???
????????????memset(szANSIString,?0,?MAX_PATH);
????????????WideCharToMultiByte(CP_ACP,?
????????????????WC_COMPOSITECHECK,
????????????????ProcessInfo->ImageName.Buffer,
????????????????-1,?
????????????????szANSIString,?
????????????????sizeof(szANSIString),?
????????????????NULL,
????????????????NULL);

????????????printf("%d??",?ProcessInfo->UniqueProcessId);
????????????printf("%s??",?szANSIString);

????????????HANDLE?hProcess?=?::OpenProcess(PROCESS_ALL_ACCESS,?FALSE,?ProcessInfo->UniqueProcessId);
????????????printf("%s??",?GetProcessUsername(hProcess,?FALSE));
????????????CloseHandle(hProcess);
????????????printf("\n");

????????????if?(?ProcessInfo->NextEntryOffset?)
????????????{
????????????????ProcessInfo?=??(PSYSTEM_PROCESS_INFORMATION)
????????????????????((DWORD)ProcessInfo?+?(DWORD)(ProcessInfo->NextEntryOffset));
????????????}
????????????else
????????????{
????????????????ProcessInfo?=?NULL;
????????????}
????????}

????????return?TRUE;
????}
????else
????{
????????LocalFree(lpBuffer);
????????return?FALSE;
????}

????return?FALSE;
}

int?main()
{
????if(?!QueryThreadInfo()?)
????{
????????printf("QueryThreadInfo?Error!\n");
????????return?0;
????}

????return?0;
}
青青草原综合久久大伊人导航_色综合久久天天综合_日日噜噜夜夜狠狠久久丁香五月_热久久这里只有精品

    • <ins id="pjuwb"></ins>
    <blockquote id="pjuwb"><pre id="pjuwb"></pre></blockquote>

    <noscript id="pjuwb"></noscript>
          <sup id="pjuwb"><pre id="pjuwb"></pre></sup>

            <dd id="pjuwb"></dd>
            <abbr id="pjuwb"></abbr>
            
亚洲一二三四久久|
久久噜噜亚洲综合|
亚洲大胆在线|
欧美成人午夜激情视频|
亚洲国产午夜|
日韩亚洲欧美在线观看|
国产精品地址|
久久婷婷综合激情|
欧美国产激情|
亚洲欧美日韩国产一区二区|
亚洲香蕉伊综合在人在线视看|
国产欧美日韩综合精品二区|
久久一区激情|
欧美日韩一区二区在线观看|
亚久久调教视频|
久久综合九色综合欧美狠狠|
亚洲片国产一区一级在线观看|
一本色道久久综合狠狠躁篇的优点
|
亚洲视频中文|
国产一区二区高清不卡|
免费黄网站欧美|
欧美激情精品久久久久久免费印度|
亚洲私人影院在线观看|
新狼窝色av性久久久久久|
亚洲国产成人在线|
亚洲一区二区在线|
亚洲国产日韩欧美在线动漫|
亚洲视频一二三|
亚洲国产你懂的|
亚洲午夜激情网页|
亚洲精品美女在线|
亚洲欧美清纯在线制服|
亚洲人成人77777线观看|
亚洲免费在线观看|
亚洲精品一区二区三区樱花|
欧美一区二区日韩一区二区|
亚洲精品一区二区网址|
久久久久久网站|
亚洲欧美一区二区原创|
免费观看日韩|
久久激情五月丁香伊人|
欧美日韩在线电影|
亚洲第一伊人|
韩日精品在线|
亚洲免费在线视频|
亚洲欧美日韩国产中文在线|
欧美成人一区二区三区|
巨乳诱惑日韩免费av|
国产欧美日韩麻豆91|
欧美日韩成人在线播放|
久久免费视频网站|
国产精品青草久久|
99精品国产在热久久下载|
亚洲日本电影|
久久亚裔精品欧美|
久久精品噜噜噜成人av农村|
国产精品日韩一区|
亚洲视频专区在线|
亚洲一区二区在|
欧美日韩国产999|
亚洲人成在线观看网站高清|
亚洲激情在线视频|
久久手机精品视频|
免费在线亚洲欧美|
亚洲第一区在线|
久久夜色精品|
你懂的国产精品永久在线|
一区在线影院|
久热精品在线视频|
欧美大片第1页|
日韩视频中文|
欧美日韩精品免费看|
亚洲乱码国产乱码精品精可以看|
99精品99|
国产精品久久久久久模特|
在线亚洲观看|
久久久久久久综合|
伊人婷婷久久|
欧美高清视频在线|
夜夜嗨av一区二区三区四季av|
亚洲天堂久久|
国产免费观看久久|
久久精品久久综合|
亚洲国产91|
中文精品一区二区三区|
国产农村妇女精品|
欧美91福利在线观看|
亚洲乱码国产乱码精品精天堂
|
在线观看日韩精品|
欧美刺激午夜性久久久久久久|
狠狠v欧美v日韩v亚洲ⅴ|
久久riav二区三区|
亚洲高清中文字幕|
亚洲自拍偷拍视频|
激情欧美一区二区三区|
欧美电影在线观看完整版|
一区二区三区欧美在线|
久久久久欧美精品|
99ri日韩精品视频|
国产亚洲a∨片在线观看|
久久综合伊人77777尤物|
亚洲免费电影在线观看|
久久国产精品久久国产精品|
亚洲国产精品久久久久|
国产美女精品视频|
欧美ed2k|
欧美专区日韩专区|
99精品久久久|
欧美成人精品高清在线播放|
一二三四社区欧美黄|
一区二区视频免费完整版观看|
欧美久久久久久久|
久久av在线看|
亚洲一区二区三区视频播放|
欧美3dxxxxhd|
久久精品一区二区|
亚洲视频一区二区|
亚洲经典在线看|
国产一区二区激情|
欧美视频精品在线|
美女久久网站|
久久成年人视频|
亚洲一区二区三区四区五区午夜|
免费视频一区|
久久精品国产亚洲高清剧情介绍|
亚洲三级色网|
最新亚洲一区|
在线欧美不卡|
红桃视频国产精品|
国产视频一区三区|
国产精品久久久久免费a∨大胸
|
美女性感视频久久久|
亚洲一区二区精品|
最近中文字幕mv在线一区二区三区四区|
国产精品久99|
欧美jizz19hd性欧美|
久久国产视频网|
欧美亚洲尤物久久|
亚洲欧美日韩一区二区在线
|
久久久精品国产免大香伊|
香蕉尹人综合在线观看|
亚洲欧美日韩综合国产aⅴ|
亚洲一区二区三区免费在线观看|
亚洲精品日韩久久|
亚洲免费观看在线视频|
亚洲免费精品|
亚洲视频 欧洲视频|
亚洲丝袜av一区|
午夜精品福利一区二区三区av|
亚洲综合电影|
香蕉成人伊视频在线观看|
小嫩嫩精品导航|
欧美专区18|
久久在线91|
亚洲成色999久久网站|
亚洲福利小视频|
亚洲美女电影在线|
亚洲欧美日本日韩|
欧美一级淫片播放口|
久久在线免费|
欧美日韩一区二区三|
国产精品日韩久久久|
国产一级精品aaaaa看|
亚洲第一精品夜夜躁人人躁|
亚洲另类视频|
亚洲欧美日韩天堂一区二区|
久久精品视频在线播放|
欧美国产综合|
一区二区三区.www|
欧美在线播放一区二区|
免费在线成人av|
欧美午夜片在线免费观看|
国产视频欧美|
亚洲另类视频|
久久久99久久精品女同性|
欧美岛国激情|
亚洲天堂av在线免费观看|
久久精品国产99国产精品澳门|
欧美国产成人在线|
国产日韩av在线播放|
亚洲毛片播放|
久久九九免费|
99精品福利视频|
一本色道综合亚洲|
欧美在线观看你懂的|
欧美激情一区二区久久久|
亚洲中字黄色|
欧美激情亚洲一区|
国产日韩精品电影|
一本色道久久综合亚洲精品不卡|
久久精品二区三区|
亚洲精品视频啊美女在线直播|
欧美在线观看一区|
国产精品成人播放|
在线欧美不卡|
久久久综合免费视频|
一区二区欧美国产|
欧美激情在线狂野欧美精品|
狠狠色伊人亚洲综合网站色|
午夜精彩国产免费不卡不顿大片|