#include "HookFile.h"
#include "CommonFunc.h"
/////////////////////////////////////////////////////////////////////////////////////////
extern "C"
{
/* Pointer to NtQueryDirectoryFile function.
   Presumably holds the original routine saved when the hook is installed; the
   installing code is not in the visible part of this file. */
NtQueryDirFile TrueNtQueryDirectoryFile;
/* NewNtQueryDirectoryFile: hooking version of NtQueryDirectoryFile function.
   Same signature as the native call; the body is not in this part of the file,
   so how it consults sFilesInfo (declared below) cannot be confirmed here. */
NTSTATUS NewNtQueryDirectoryFile(
IN HANDLE FileHandle,
IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE_INFORMATION_CLASS FileInformationClass,
IN BOOLEAN ReturnSingleEntry,
IN PUNICODE_STRING FileName OPTIONAL,
IN BOOLEAN RestartScan
);
/* Defined in main.cpp: completes an IRP with the given status and
   Information (byte count) value. Used by HookFileIrpRoutine. */
NTSTATUS CompleteIrp( PIRP Irp, NTSTATUS status, ULONG info);
};
// Reader/writer guard for sFilesInfo: the IOCTL handlers below call
// WaitToWrite()/Done() around mutations and WaitToRead()/Done() around
// the query walk. wrSync itself is a project type (not visible here).
static wrSync sFileWRSync;
// One registered file record: the split name and directory part of a path
// plus the user and process names that came with it. All four strings own
// their buffers and are released together by Clear().
struct _FilesInfo
{
UNICODE_STRING FileName;
UNICODE_STRING FilePath;
UNICODE_STRING User;
UNICODE_STRING Proc;
// Releases every string buffer of this record via RtlFreeUnicodeString.
void Clear()
{
    PUNICODE_STRING members[] = { &FileName, &FilePath, &User, &Proc };
    for (size_t i = 0; i < sizeof(members) / sizeof(members[0]); ++i)
        RtlFreeUnicodeString(members[i]);
}
};
// Registered file records (name, directory, user, process).
// Written by AddFileName / DelFileName / ClearFilesInfo and read by
// QueryFilesInfo, always under sFileWRSync. Presumably consulted by the
// NtQueryDirectoryFile hook declared above — its body is not visible here.
typedef std::vector<_FilesInfo> vFilesInfo;
static vFilesInfo sFilesInfo;
/////////////////////////////////////////////////////////////////////////////////////////
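NTSTATUS SplitFileNameAndPath(WCHAR* pBuf,PUNICODE_STRING pFileName,PUNICODE_STRING pFilePath)
/*++
Routine Description:
    Splits a NUL-terminated full path ("<dir>\<name>") into two freshly
    allocated, NUL-terminated UNICODE_STRINGs: the last path component and
    everything before it. The separating '\' is dropped from the directory
    part unless it is the only '\' in the input, in which case the directory
    keeps it (e.g. "C:\" for "C:\name", "\" for "\name").
Arguments:
    pBuf      - NUL-terminated wide string containing at least one '\'.
                The caller must guarantee the termination; nothing here is
                bounded by a length.
    pFileName - receives the last component in a new[]-allocated buffer.
    pFilePath - receives the directory part in a new[]-allocated buffer.
Return Value:
    STATUS_SUCCESS on success;
    STATUS_INVALID_PARAMETER if pBuf contains no '\';
    STATUS_INSUFFICIENT_RESOURCES if an allocation returned NULL.
--*/
{
    // The file name starts right after the last '\'.
    const WCHAR* pLastSep = wcsrchr(pBuf, L'\\');
    if (pLastSep == NULL)
        return STATUS_INVALID_PARAMETER;
    const WCHAR* pInFileName = pLastSep + 1;

    const size_t NameLen = wcslen(pInFileName);
    // Directory length in characters, still including the separator.
    size_t PathLen = wcslen(pBuf) - NameLen;
    // Drop the trailing separator unless it is the only one in the string.
    if (pLastSep != wcschr(pBuf, L'\\'))
        --PathLen;

    // NOTE(review): these buffers are later released with RtlFreeUnicodeString
    // (see _FilesInfo::Clear), which is only correct if the project's
    // operator new/delete are pool-backed — confirm in CommonFunc.
    WCHAR* BufFileName = new WCHAR[NameLen + 1];
    if (BufFileName == NULL)
        return STATUS_INSUFFICIENT_RESOURCES;
    // Copies the terminating NUL as well.
    memcpy(BufFileName, pInFileName, (NameLen + 1) * sizeof(WCHAR));

    WCHAR* BufFilePath = new WCHAR[PathLen + 1];
    if (BufFilePath == NULL)
    {
        delete[] BufFileName;
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    memcpy(BufFilePath, pBuf, PathLen * sizeof(WCHAR));
    BufFilePath[PathLen] = L'\0';

    RtlInitUnicodeString(pFileName, BufFileName);
    RtlInitUnicodeString(pFilePath, BufFilePath);
    return STATUS_SUCCESS;
}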
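NTSTATUS AddFileName(WCHAR* pBuf,ULONG buf_size,ULONG out_buf_size,PULONG BytesTxd)
/*++
Routine Description:
    IOCTL handler: parses one request package with PackadgeParser (format
    owned by CommonFunc), splits the file part into name and directory and
    appends the record to sFilesInfo under the write lock.
    The first WCHAR of pBuf is reused as the reply code (HOOK_SUCCESS or
    HOOK_FAIL_PARAMETER) and *BytesTxd is set to its size.
Arguments:
    pBuf         - METHOD_BUFFERED system buffer, shared for input and output.
    buf_size     - input length in bytes (assumed: the IRP's InputBufferLength
                   — the caller is not visible here).
    out_buf_size - output length in bytes; must hold one WCHAR reply code.
    BytesTxd     - receives the number of reply bytes written.
Return Value:
    STATUS_BUFFER_TOO_SMALL if either buffer cannot be used;
    STATUS_INVALID_PARAMETER if no NUL terminator lies within buf_size;
    STATUS_SUCCESS otherwise — the outcome is reported through *pBuf.
--*/
{
    if (out_buf_size < sizeof(WCHAR) || buf_size == 0)
        return STATUS_BUFFER_TOO_SMALL;
    // pBuf comes from user mode. Refuse it unless a NUL lies inside the
    // declared length; otherwise DbgPrint/PackadgeParser/wcslen would read
    // past the end of the system buffer.
    {
        const ULONG MaxChars = buf_size / sizeof(WCHAR);
        ULONG i = 0;
        while (i < MaxChars && pBuf[i] != L'\0')
            ++i;
        if (i == MaxChars)
            return STATUS_INVALID_PARAMETER;
    }
    DbgPrint("-HideDriver- Add File Name - Input string: %ws\n",pBuf);

    UNICODE_STRING Name;
    UNICODE_STRING User;
    UNICODE_STRING Proc;
    if (!PackadgeParser(pBuf, &Name, &User, &Proc))
    {
        // Existing contract kept: the parser's outputs are released even on
        // failure (assumes PackadgeParser leaves them freeable — confirm).
        RtlFreeUnicodeString(&Name);
        RtlFreeUnicodeString(&User);
        RtlFreeUnicodeString(&Proc);
        *pBuf = HOOK_FAIL_PARAMETER;
        *BytesTxd = sizeof(WCHAR);
        return STATUS_SUCCESS;
    }

    UNICODE_STRING FileName;
    UNICODE_STRING FilePath;
    const NTSTATUS ret = SplitFileNameAndPath(Name.Buffer, &FileName, &FilePath);
    // The full path string is not needed once it has been split (or failed to).
    RtlFreeUnicodeString(&Name);
    if (ret != STATUS_SUCCESS)
    {
        // User and Proc used to leak on this path.
        RtlFreeUnicodeString(&User);
        RtlFreeUnicodeString(&Proc);
        *pBuf = HOOK_FAIL_PARAMETER;
        *BytesTxd = sizeof(WCHAR);
        return STATUS_SUCCESS;
    }

    // Ownership of the four buffers moves into the vector; they are released
    // by _FilesInfo::Clear from DelFileName / ClearFilesInfo.
    _FilesInfo rec;
    rec.FileName = FileName;
    rec.FilePath = FilePath;
    rec.User = User;
    rec.Proc = Proc;
    sFileWRSync.WaitToWrite();
    sFilesInfo.push_back(rec);
    sFileWRSync.Done();

    *pBuf = HOOK_SUCCESS;
    *BytesTxd = sizeof(WCHAR);
    return STATUS_SUCCESS;
}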
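NTSTATUS DelFileName(WCHAR* pBuf,ULONG buf_size,ULONG out_buf_size,PULONG BytesTxd)
/*++
Routine Description:
    IOCTL handler: removes the first sFilesInfo record whose name and
    directory match the full path given in pBuf (case-sensitive compare via
    RtlEqualUnicodeString with CaseInSensitive = FALSE).
    The first WCHAR of pBuf is reused as the reply code (HOOK_SUCCESS when a
    record was removed, HOOK_FAIL_PARAMETER otherwise).
Arguments:
    pBuf         - METHOD_BUFFERED system buffer, shared for input and output.
    buf_size     - input length in bytes (assumed: the IRP's InputBufferLength).
    out_buf_size - output length in bytes; must hold one WCHAR reply code.
    BytesTxd     - receives the number of reply bytes written.
Return Value:
    STATUS_BUFFER_TOO_SMALL if either buffer cannot be used;
    STATUS_INVALID_PARAMETER if no NUL terminator lies within buf_size;
    STATUS_SUCCESS otherwise — the outcome is reported through *pBuf.
--*/
{
    if (out_buf_size < sizeof(WCHAR) || buf_size == 0)
        return STATUS_BUFFER_TOO_SMALL;
    // pBuf comes from user mode. Refuse it unless a NUL lies inside the
    // declared length; SplitFileNameAndPath and DbgPrint assume termination.
    {
        const ULONG MaxChars = buf_size / sizeof(WCHAR);
        ULONG i = 0;
        while (i < MaxChars && pBuf[i] != L'\0')
            ++i;
        if (i == MaxChars)
            return STATUS_INVALID_PARAMETER;
    }
    DbgPrint("-HideDriver- Del File Name - Input string: %ws\n",pBuf);

    UNICODE_STRING FileName;
    UNICODE_STRING FilePath;
    if (SplitFileNameAndPath(pBuf, &FileName, &FilePath) != STATUS_SUCCESS)
    {
        *pBuf = HOOK_FAIL_PARAMETER;
        *BytesTxd = sizeof(WCHAR);
        return STATUS_SUCCESS;
    }

    WCHAR Result = HOOK_FAIL_PARAMETER;
    sFileWRSync.WaitToWrite();
    for (vFilesInfo::iterator it = sFilesInfo.begin(); it != sFilesInfo.end(); ++it)
    {
        if (!RtlEqualUnicodeString(&FileName, &it->FileName, FALSE))
            continue;
        if (!RtlEqualUnicodeString(&FilePath, &it->FilePath, FALSE))
            continue;
        it->Clear();
        // erase() invalidates `it`; only one record is removed per request.
        sFilesInfo.erase(it);
        Result = HOOK_SUCCESS;
        break;
    }
    sFileWRSync.Done();

    // The split key strings were previously never released (leak per call).
    RtlFreeUnicodeString(&FileName);
    RtlFreeUnicodeString(&FilePath);

    *pBuf = Result;
    *BytesTxd = sizeof(WCHAR);
    return STATUS_SUCCESS;
}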
NTSTATUS ClearFilesInfo(WCHAR* pBuf,ULONG buf_size,ULONG out_buf_size,PULONG BytesTxd)
/*++
Routine Description:
    IOCTL handler: releases every record in sFilesInfo and empties the
    vector under the write lock. Always replies HOOK_SUCCESS in the first
    WCHAR of pBuf.
Arguments:
    pBuf         - METHOD_BUFFERED system buffer used for the reply code.
    buf_size     - input length; unused by this request.
    out_buf_size - output length in bytes; must hold one WCHAR reply code.
    BytesTxd     - receives the number of reply bytes written (2).
Return Value:
    STATUS_BUFFER_TOO_SMALL if the output buffer cannot hold the reply,
    STATUS_SUCCESS otherwise.
--*/
{
    DbgPrint("-HideDriver- Clear File Names\n");
    if (out_buf_size < 2)
        return STATUS_BUFFER_TOO_SMALL;

    sFileWRSync.WaitToWrite();
    for (vFilesInfo::iterator rec = sFilesInfo.begin(); rec != sFilesInfo.end(); ++rec)
        rec->Clear();
    sFilesInfo.clear();
    sFileWRSync.Done();

    *pBuf = HOOK_SUCCESS;
    *BytesTxd = 2;
    return STATUS_SUCCESS;
}
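// Appends `bytes` raw bytes from `src` to pBuf at byte offset nIndex and
// advances nIndex. The caller has already verified that the space exists.
static void QueryAppendBytes(WCHAR* pBuf, ULONG& nIndex, const void* src, size_t bytes)
{
    memcpy((char*)pBuf + nIndex, src, bytes);
    nIndex += (ULONG)bytes;
}

NTSTATUS QueryFilesInfo(WCHAR* pBuf,ULONG buf_size,ULONG out_buf_size,PULONG BytesTxd)
/*++
Routine Description:
    IOCTL handler: serialises every sFilesInfo record into pBuf under the
    read lock, one record per line in the form
        <dir>[\]<name>;<user>;<proc>;\n\n
    followed by a single terminating NUL. A '\' is inserted between <dir>
    and <name> only when <dir> does not already end with one, which is the
    exact inverse of SplitFileNameAndPath (it keeps the separator only for
    "C:\"-style single-separator inputs).
    If the output buffer cannot hold the next record plus the terminator,
    *BytesTxd is set to 0 and STATUS_SUCCESS is still returned (existing
    contract; callers may prefer STATUS_BUFFER_TOO_SMALL — confirm).
Arguments:
    pBuf         - METHOD_BUFFERED system buffer receiving the listing.
    buf_size     - input length in bytes; only checked for being non-zero.
    out_buf_size - output length in bytes; every write below is bounded by it.
    BytesTxd     - receives the number of bytes written, including the NUL.
Return Value:
    STATUS_BUFFER_TOO_SMALL if either buffer is unusable, STATUS_SUCCESS otherwise.
--*/
{
    DbgPrint("-HideDriver- Query File Names\n");
    if (out_buf_size < sizeof(WCHAR) || buf_size == 0)
        return STATUS_BUFFER_TOO_SMALL;

    sFileWRSync.WaitToRead();
    ULONG nIndex = 0;
    for (vFilesInfo::iterator it = sFilesInfo.begin(); it != sFilesInfo.end(); ++it)
    {
        const _FilesInfo& rec = *it;
        // UNICODE_STRING::Length is a byte count.
        const size_t Name_size = rec.FileName.Length;
        const size_t Path_size = rec.FilePath.Length;
        const size_t User_size = rec.User.Length;
        const size_t Proc_size = rec.Proc.Length;

        const WCHAR* pPath = rec.FilePath.Buffer;
        const size_t PathChars = Path_size / sizeof(WCHAR);
        const bool NeedSep = (PathChars == 0) || (pPath[PathChars - 1] != L'\\');

        // Every byte the loop body writes for this record: the four strings,
        // the optional separator, three ';', the packet-end '\n' and the
        // extra '\n'. The old check counted only the four strings and so
        // could overrun out_buf_size by up to 14 bytes.
        const size_t Entry_size = Path_size + (NeedSep ? sizeof(WCHAR) : 0)
            + Name_size + sizeof(WCHAR)
            + User_size + sizeof(WCHAR)
            + Proc_size + sizeof(WCHAR)
            + sizeof(WCHAR)
            + sizeof(WCHAR);
        // Also reserve the NUL written after the loop.
        if (nIndex + Entry_size + sizeof(WCHAR) > out_buf_size)
        {
            sFileWRSync.Done();
            *BytesTxd = 0;
            return STATUS_SUCCESS;
        }

        // Directory, separator if needed, then name.
        QueryAppendBytes(pBuf, nIndex, pPath, Path_size);
        if (NeedSep)
            QueryAppendBytes(pBuf, nIndex, L"\\", sizeof(WCHAR));
        QueryAppendBytes(pBuf, nIndex, rec.FileName.Buffer, Name_size);
        QueryAppendBytes(pBuf, nIndex, L";", sizeof(WCHAR));
        // Access user name.
        QueryAppendBytes(pBuf, nIndex, rec.User.Buffer, User_size);
        QueryAppendBytes(pBuf, nIndex, L";", sizeof(WCHAR));
        // Access process name.
        QueryAppendBytes(pBuf, nIndex, rec.Proc.Buffer, Proc_size);
        QueryAppendBytes(pBuf, nIndex, L";", sizeof(WCHAR));
        // Packet end, then the extra line break the existing format carries.
        QueryAppendBytes(pBuf, nIndex, L"\n", sizeof(WCHAR));
        QueryAppendBytes(pBuf, nIndex, L"\n", sizeof(WCHAR));
    }
    sFileWRSync.Done();

    // Terminator; room for it was reserved by every record check above and
    // by the out_buf_size >= sizeof(WCHAR) check for the empty case.
    QueryAppendBytes(pBuf, nIndex, L"\0", sizeof(WCHAR));
    *BytesTxd = nIndex;
    return STATUS_SUCCESS;
}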
NTSTATUS HookFileIrpRoutine(PIRP pIrp)
/*++
Routine Description:
Arguments:
Return Value:
--*/
{
NTSTATUS status = STATUS_SUCCESS;
ULONG BytesTxd =0; // Number of transmitted,received bytes
PIO_STACK_LOCATION IrpStack=IoGetCurrentIrpStackLocation(pIrp);
// Getting the IOCTL code
ULONG ControlCode =
IrpStack->Parameters.DeviceIoControl.IoControlCode;
// Getting the exchange method
//selection of the first two bits
ULONG method = ControlCode & 0x03;
if(method!=METHOD_BUFFERED)
return CompleteIrp(pIrp,STATUS_INVALID_PARAMETER,BytesTxd);
ULONG InputLength =
IrpStack->Parameters.DeviceIoControl.InputBufferLength;