#include "Filter.h"
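// Match str (str_len WCHARs) against a wildcard mask (mask_len WCHARs).
// '*' matches any run of characters (including none), '?' matches exactly one
// character, anything else must match literally and case-sensitively.
// The whole string must be consumed: "abc" does not match "abcd", a mask ending
// in '?' needs exactly one trailing character, and an empty mask only matches
// an empty string.  Neither buffer needs to be NUL-terminated; the lengths are
// authoritative.  Backtracking is iterative, so long inputs cannot exhaust the
// kernel stack.
static bool MatchWildcard(const WCHAR* mask, size_t mask_len,
                          const WCHAR* str, size_t str_len)
{
    size_t mi = 0;            // current position in mask
    size_t si = 0;            // current position in str
    bool have_star = false;   // a '*' has been seen and may still absorb more
    size_t star_mi = 0;       // mask position just after that '*'
    size_t star_si = 0;       // str position the '*' currently extends to
    while (si < str_len)
    {
        if (mi < mask_len && mask[mi] == L'*')
        {
            // Try the star with zero characters first; remember where to resume.
            have_star = true;
            star_mi = ++mi;
            star_si = si;
        }
        else if (mi < mask_len && (mask[mi] == L'?' || mask[mi] == str[si]))
        {
            ++mi;
            ++si;
        }
        else if (have_star)
        {
            // Mismatch after a '*': let the star absorb one more character and
            // retry the mask from the position following it.
            mi = star_mi;
            si = ++star_si;
        }
        else
        {
            return false;
        }
    }
    // Only trailing stars may match the empty remainder of str.
    while (mi < mask_len && mask[mi] == L'*')
        ++mi;
    return mi == mask_len;
}

// Return true if u_str matches the wildcard pattern u_mask ('*' / '?').
// The comparison is case-sensitive (RtlEqualUnicodeString with
// CaseInSensitive = FALSE) and must cover the whole of u_str.
// NULL arguments yield false.
//
// Correctness matters here because the result gates access decisions
// (see CheckProcessAccess): the previous implementation accepted a prefix
// match and an empty mask, and rejected a mask ending in '?', which let
// names outside the intended pattern pass or blocked names inside it.
bool ApplyMask(const UNICODE_STRING* u_mask, const UNICODE_STRING* u_str)
{
    if (u_mask == NULL || u_str == NULL)
        return false;
    // Exact equality is the common case; settle it before pattern matching.
    if (RtlEqualUnicodeString(u_mask, u_str, FALSE))
        return true;
    // UNICODE_STRING::Length is a byte count, not a character count.
    size_t mask_len = u_mask->Length / sizeof(WCHAR);
    size_t str_len = u_str->Length / sizeof(WCHAR);
    // Buffer may legitimately be NULL when Length is 0; MatchWildcard never
    // dereferences a buffer whose length is 0.
    return MatchWildcard(u_mask->Buffer, mask_len, u_str->Buffer, str_len);
}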
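// Query the TokenUser information of the calling thread's security context.
// Returns true when the token could be queried, false otherwise.
//
// NOTE(review): despite its name this function applies no policy — it returns
// true for every caller whose token can be read, and the PUNICODE_STRING
// argument is unused.  A real check would compare pToken->User.Sid against
// the intended subject before returning true.  The parameter is left unnamed
// to match the existing declaration.
bool CheckUserAccess(PUNICODE_STRING)
{
    SECURITY_SUBJECT_CONTEXT Context;
    PACCESS_TOKEN pAccessToken;
    PTOKEN_USER pToken = NULL;
    NTSTATUS ret_status;
    bool result = false;
    // SeCaptureSubjectContext takes references on the subject's tokens; every
    // path below must balance it with SeReleaseSubjectContext.
    SeCaptureSubjectContext(&Context);
    pAccessToken = SeQuerySubjectContextToken(&Context);
    ret_status = SeQueryInformationToken(pAccessToken, TokenUser, (PVOID*)&pToken);
    if (ret_status != STATUS_SUCCESS)
    {
        DbgPrint("ERROR SeQueryInformationToken\n");
    }
    else
    {
        // TODO(review): evaluate pToken->User.Sid here; at present any
        // successfully queried token is treated as allowed.
        result = true;
        // SeQueryInformationToken allocates the buffer from pool; the caller
        // owns it and must release it with ExFreePool.
        ExFreePool(pToken);
    }
    SeReleaseSubjectContext(&Context);
    return result;
}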
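// Match the current process's image file name against the wildcard mask
// pProcessName (see ApplyMask).  Returns false for a NULL mask or when the
// name cannot be converted to UTF-16.
bool CheckProcessAccess(PUNICODE_STRING pProcessName)
{
    if (pProcessName == NULL)
        return false;
    PEPROCESS ProcInfo = PsGetCurrentProcess();
    // NOTE(review): ImageFileName is read through the EPROCESS layout that
    // Filter.h declares; the field is not part of the documented PEPROCESS
    // interface, so confirm the layout against every kernel build this driver
    // targets.
    const char* szImageFileName = (const char*)ProcInfo->ImageFileName;
    WCHAR wszImageFileName[16];
    const size_t cchMax = sizeof(wszImageFileName) / sizeof(wszImageFileName[0]);
    // mbstowcs writes at most cchMax wide characters and returns the number
    // converted (terminator excluded), or (size_t)-1 on an invalid sequence.
    size_t converted = mbstowcs(wszImageFileName, szImageFileName, cchMax);
    if (converted == (size_t)-1)
        return false;
    UNICODE_STRING uImageFileName;
    uImageFileName.Buffer = wszImageFileName;
    // Length/MaximumLength are byte counts.  Using the real converted length
    // (rather than a constant 16, i.e. 8 characters) means the mask is applied
    // to the actual name and not to a fixed prefix plus uninitialised stack.
    uImageFileName.Length = (USHORT)(converted * sizeof(WCHAR));
    uImageFileName.MaximumLength = (USHORT)sizeof(wszImageFileName);
    return ApplyMask(pProcessName, &uImageFileName);
}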
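// Copy the user SID of pEProcess's primary token into pSid.
//
// Returns the SID length in bytes, or 0 on any failure.  When the SID does not
// fit in dwSidLength bytes (or pSid is NULL) nothing is copied but the required
// length is still returned, so a caller can size its buffer with a first call.
// Callers must therefore compare the result with dwSidLength before reading
// pSid; a non-zero return alone does not mean pSid was written.
// Must be called at PASSIVE_LEVEL.
ULONG KQueryPrimarySidByProcess (
    IN void* pSid,
    IN ULONG dwSidLength,
    IN PEPROCESS pEProcess
)
{
    if (pEProcess == NULL || KeGetCurrentIrql() != PASSIVE_LEVEL)
        return 0;
    ULONG dwSidLengthReal = 0;
    HANDLE hToken = NULL;
    NTSTATUS NtStatus;
    // Referenced here, released with ObDereferenceObject below on every path.
    void* pToken = PsReferencePrimaryToken(pEProcess);
    if (pToken == NULL)
        return 0;
    // OBJ_KERNEL_HANDLE keeps the token handle in the kernel handle table.
    // Without it the handle is created in the current process's table, where
    // user-mode code of that process could reach or close it.
    NtStatus = ObOpenObjectByPointer(pToken, OBJ_KERNEL_HANDLE, NULL, TOKEN_QUERY,
                                     NULL, KernelMode, &hToken);
    if (NT_SUCCESS(NtStatus))
    {
        ULONG dwSizeOfToken = 0;
        // A NULL buffer only reports the size needed for TOKEN_USER.
        NtStatus = ZwQueryInformationToken(hToken, TokenUser, NULL, 0, &dwSizeOfToken);
        if (NtStatus == STATUS_BUFFER_TOO_SMALL && dwSizeOfToken != 0)
        {
            // NOTE(review): relies on the project's kernel-mode operator new[];
            // it is expected to return NULL rather than throw on failure.
            PTOKEN_USER pTokenUser = (PTOKEN_USER) new char[dwSizeOfToken];
            if (pTokenUser != NULL)
            {
                NtStatus = ZwQueryInformationToken(hToken, TokenUser, pTokenUser,
                                                   dwSizeOfToken, &dwSizeOfToken);
                if (NT_SUCCESS(NtStatus) && RtlValidSid(pTokenUser->User.Sid))
                {
                    dwSidLengthReal = RtlLengthSid(pTokenUser->User.Sid);
                    if (dwSidLengthReal != 0 && dwSidLengthReal <= dwSidLength && pSid != NULL)
                    {
                        // A failed copy must not be reported as a valid SID in pSid.
                        NtStatus = RtlCopySid(dwSidLengthReal, pSid, pTokenUser->User.Sid);
                        if (!NT_SUCCESS(NtStatus))
                            dwSidLengthReal = 0;
                    }
                }
                delete[] (char*) pTokenUser;
            }
        }
        ZwClose(hToken);
    }
    ObDereferenceObject(pToken);
    return dwSidLengthReal;
}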